
Urgent!!!! Voice Gateway was hacked, thousands of L.D. calls were made

dmendoza
Level 1

I have several 2800 voice gateways in several regions. How can I protect my H.323 GW? These gateways have public IP addresses. Can I control or authenticate my VoIP gateways so that a rogue gateway cannot connect to my gateway and make calls?

34 Replies

wong.jason
Level 1

At a minimum, you need to create an ACL to prevent H.323 traffic that originates from the internet from going into your gateway, and only allow traffic from your sites.

As far as I know, GK is the only solution. An access list cannot prevent dial-peer hacking.

tim.giles
Level 4

Hi,

I don't know whether this is a possibility but you could add a gatekeeper to authenticate requests via AAA? That way all the gateways would have to securely register with the gatekeeper.

This can also be integrated with a RADIUS server (i.e. ACS) if you have one?

I appreciate your response. Would you have a link with an example of how to integrate the GK with CSACS, and in what version of CSACS it is?

daniel.fuchs
Level 1

Do you know the IP addresses of all gateways authorized to send calls (signaling) to the other one? If so, you may consider an access list.

If the answer is yes, you may consider something limiting access per port per IP address, for example. Here is some port information to assist you:

H.323/H.225 = TCP 1720

H.323/H.245 = TCP 11xxx (Standard Connect)

H.323/H.245 = TCP 1720 (Fast Connect)

H.323/H.225 RAS = TCP 1719

SCCP = TCP 2000-2002 (CM Encore)

ICCP = TCP 8001-8002 (CM Encore)

MGCP = UDP 2427, TCP 2428 (CM Encore)

SIP = UDP 5060, TCP 5060 (configurable)

I got it from http://www.cisco.com/en/US/tech/tk652/tk698/technologies_configuration_example09186a0080094af9.shtml

Regards,

Daniel

Daniel,

An access list is not a good idea for preventing dial-peer hacking. Here is one scenario: both A and B need to send H.323 calls to C. How can you use an access list to prevent A from hacking B's account in C?

Jack,

I was considering an outside attacker and not someone from the company, not someone from this cloud of Cisco gateways.

If the problem is inside the network, what do you think about AAA (RADIUS)?

Daniel,

The scenario I mentioned is indeed for hacking from outside. I thought AAA is not powerful enough to prevent such an attack. Could you advise how to use AAA in such a scenario?

Hi,

You can use a source-IP-based dial-peer by using voice source-group, access-list and translation rules.

Example:

voice source-group customer1
 access-list 50
 translation-profile incoming 50

voice source-group customer2
 access-list 40
 translation-profile incoming 40

Regards,

Ismo

I was looking for a complete example of this command, voice source-group, but I can't find one. So this command uses an ACL where you specify the IP of the remote gateway, in order to ensure only this gateway can make calls for the translation profile?

Could you send me more details on how to use this command? By the way, I have a CS ACS for AAA.

The challenge is to be able to identify or permit the use of the prefix for a client, but only from a known IP address of a GW.

Below is a simple example, where prefix 7 or 8 is added using that feature.

access-list 1 permit 1.2.3.4 0.0.0.255
access-list 2 permit 3.4.5.6 0.0.0.255

voice source-group 1234
 access-list 1
 disconnect-cause invalid-number
 translation-profile incoming 1

voice source-group 3456
 access-list 2
 disconnect-cause invalid-number
 translation-profile incoming 2

voice translation-profile 1
 translate called 1

voice translation-profile 2
 translate called 2

voice translation-rule 1
 rule 1 /^1\(.*\)/ /81\1/ type any subscriber plan any isdn

voice translation-rule 2
 rule 1 /^1\(.*\)/ /71\1/ type any subscriber plan any isdn

dial-peer voice 1 voip
 destination-pattern 8T

dial-peer voice 2 voip
 destination-pattern 7T
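
A simplified Python model of how the configuration in the post above ties a dial-peer to a source address; it is an added illustration, not code from the thread or from Cisco, and the function names are hypothetical. It assumes a call whose source matches no source group is refused with the configured disconnect cause, and it models `T` as any run of digits.

```python
import ipaddress
import re

# Constructed model; addresses, masks, rules and patterns are copied from the post.
ACLS = {1: ("1.2.3.4", "0.0.0.255"), 2: ("3.4.5.6", "0.0.0.255")}
# source group -> (ACL number, translation rule reached via its incoming profile)
SOURCE_GROUPS = {"1234": (1, 1), "3456": (2, 2)}
# translation rule -> Python regex form of /^1\(.*\)/ /81\1/ and /^1\(.*\)/ /71\1/
RULES = {1: (r"^1(.*)", r"81\1"), 2: (r"^1(.*)", r"71\1")}
# dial-peer tag -> leading digit of its destination-pattern ("8T", "7T")
DIAL_PEERS = {1: "8", 2: "7"}


def acl_permits(acl, src):
    """Standard ACL match: bits set in the wildcard mask are ignored."""
    addr, wildcard = (int(ipaddress.IPv4Address(x)) for x in ACLS[acl])
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (addr & care)


def route_call(src, called):
    """Return (source_group, translated_number, dial_peer_tag) for one call."""
    for group, (acl, rule) in SOURCE_GROUPS.items():
        if acl_permits(acl, src):
            pattern, repl = RULES[rule]
            number = re.sub(pattern, repl, called, count=1)
            for tag, prefix in DIAL_PEERS.items():
                # Assumption: "T" is modelled as any run of digits after the prefix
                if re.fullmatch(prefix + r"\d*", number):
                    return (group, number, tag)
            # Known source, but the number was not translated into 7.../8...
            return (group, number, None)
    # Assumption: unknown sources are refused with the disconnect cause
    return (None, "invalid-number", None)
```

The prefix that selects the outbound dial-peer is derived from the signaling source address, so a caller cannot choose another customer's route by dialing differently.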

Ismo,

Very good example.

Daniel

I think this solution is good for the IP2IP scenario. What about IP->TDM?

Suppose ISDN T1-A must take calls from IP 1.2.3.4/24 and ISDN T1-B must take calls from IP 3.4.5.6/24.

Sir,

You can send calls from these gateways with different tech prefixes and strip them in the correct E1 to deliver the calls.

Regards,

Daniel