Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9155
Views
10
Helpful
34
Replies

Urgent!!!! Voice Gateway was hacked, were made thousand of L.D Calls

dmendoza
Level 1
Level 1

‎11-22-2008 02:36 PM

I have several 2800 Voice Gateways in several regions. How can I protect my H.323 GW? these Gateways have public IP addresses. Can I control or Authenticate my VOIP Gateways in order to eliminate a rogue Gateway can connect to my Gateway and they can make calls?

Labels:
0 Helpful
34 Replies 34

wong.jason
Level 1
Level 1

‎11-23-2008 04:10 PM

You need to at a minimum create an ACL to prevent H323 traffic that originate from the internet from going into your gateway and only allow those from your sites.

0 Helpful

heshengchun
Level 1
Level 1
In response to wong.jason

‎11-23-2008 06:21 PM

As far as I know. GK is the only solution. Access-list can not prevent Dial peer hacking

0 Helpful

tim.giles
Level 4
Level 4

‎11-24-2008 03:02 AM

Hi,

I don't know whether this is a possibility but you could add a gatekeeper to authenticate requests via AAA? That way all the gateways would have to securely register with the gatekeeper.

This can also be intergrated with a radius server (i.e. ACS) if you have one?

0 Helpful

dmendoza
Level 1
Level 1
In response to tim.giles

‎11-24-2008 07:23 AM

I appreciate you response, would you have a link with a example of how integrate the GK with CSACS in what version of CSACS is?

0 Helpful

daniel.fuchs
Level 1
Level 1

‎11-24-2008 07:54 AM

Do you know the IP address of all gateways authorize to send calls (signaling) to the other one? if so, you may consider an access-list.

if the answer is yes, you may consider somthing limiting access per port per IP address for example. here is some port information to assist you:

H.323/H.225 = TCP 1720

H.323/H.245 = TCP 11xxx (Standard Connect)

H.323/H.245 = TCP 1720 (Fast Connect)

H.323/H.225 RAS = TCP 1719

SCCP = TCP 2000-2002 (CM Encore)

ICCP = TCP 8001-8002 (CM Encore)

MGCP = UDP 2427, TCP 2428 (CM Encore)

SIP= UDP 5060, TCP 5060 (configurable)

I get it from http://www.cisco.com/en/US/tech/tk652/tk698/technologies_configuration_example09186a0080094af9.shtml

regards,

daniel

0 Helpful

heshengchun
Level 1
Level 1
In response to daniel.fuchs

‎11-24-2008 08:07 AM

Daniel,

Access-list is not good idea to prevent dial peer hacking. Here is one scenario - Both A and B need send H.323 calls to C, how can you use access-list to prevent A hacks B's account in C?

0 Helpful

daniel.fuchs
Level 1
Level 1
In response to heshengchun

‎11-24-2008 08:44 AM

Jack,

I was considering an outside attacker and not someone from the company. not someone from this cloud of Cisco Gateways.

if the problem is inside the network, what do you think about AAA (radius)?

0 Helpful

heshengchun
Level 1
Level 1
In response to daniel.fuchs

‎11-24-2008 08:54 AM

Daniel,

The scenario I mentioned is indeed for hacking from outside. I thought AAA is not power enough to prevent such attack. Could you advise how to use AAA in such scenario?

0 Helpful

isahonen
Level 1
Level 1
In response to heshengchun

‎11-25-2008 01:28 AM

HI

You can use source-ip based dial-peer to using voice source-group, access-list and translation rules.

Example:

voice source-group customer1

access-list 50

translation-profile incoming 50

voice source-group customer2

access-list 40

translation-profile incoming 40

rgds,

Ismo

0 Helpful

dmendoza
Level 1
Level 1
In response to isahonen

‎11-25-2008 08:15 AM

I was looking for a complete example of this command voice source-group, but I dont find it. So this command is for using a ACL where you specify the IP of Remote Gateway in order to ensure only this Gateway can do calls for the translation profile?

Could send me more details how use this command, by the way I have a CS ACS for AAA.

The challenge is be able to identified or permit the uses of the prefix for client but only from a known ip address of GW.

0 Helpful

isahonen
Level 1
Level 1
In response to dmendoza

‎11-26-2008 12:48 AM

Below are simple example, where prefix 7 or 8 are added to using that feature.

access-list 1 permit 1.2.3.4 0.0.0.255

access-list 2 permit 3.4.5.6 0.0.0.255

voice source-group 1234

access-list 1

disconnect-cause invalid-number

translation-profile incoming 1

voice source-group 3456

access-list 2

disconnect-cause invalid-number

translation-profile incoming 2

voice translation-profile 1

translate called 1

voice translation-profile 2

translate called 2

voice translation-rule 1

rule 1 /^1\(.*\)/ /81\1/ type any subscriber plan any isdn

voice translation-rule 2

rule 1 /^1\(.*\)/ /71\1/ type any subscriber plan any isdn

dial-peer voice 1 voip

destination-pattern 8T

dial-peer voice 2 voip

destination-pattern 7T

daniel.fuchs
Level 1
Level 1
In response to isahonen

‎11-26-2008 04:05 AM

Ismo,

Very good example.

Daniel

0 Helpful

heshengchun
Level 1
Level 1
In response to isahonen

‎11-26-2008 06:00 AM

I think this solution is good for IP2IP scenario, what about IP->TDM?

Suppose ISDN T1-A must take calls from IP 1.2.3.4/24 and ISDN T1-B must take calls from IP 3.4.5.6/24.

0 Helpful

daniel.fuchs
Level 1
Level 1
In response to heshengchun

‎11-26-2008 06:14 AM

sir,

you can send calls from these gateways with different tech prefixes and strip in the correct E1 to deliver the calls.

Regards,

Daniel

0 Helpful
Customers Also Viewed These Support Documents