CCA - Toll-Fraud Protection

danplacek
Level 4

I have noticed something that does not really make sense -- CCA always disables the toll-fraud protection feature recently added to IOS.

Even if you configure a list of allowed IPs in the SIP config in CCA, it still inserts the wildcard address of 0.0.0.0/0.

Worse yet, if I manually configure TFP to the correct settings, CCA will undo it and re-add the wildcard address - EVEN when making changes that have NOTHING to do with SIP. I have CLI postview on in CCA, and honestly -- I will configure something like paging, and I will see it re-adding the wildcard to TFP -- REALLY annoying.

I really like to have this in place as I have had CCA *repeatedly* remove the ACL from the WAN interface for no apparent reason...

Has anyone else had issues with this? Any idea why this is?

Thanks.

9 Replies

Hello Daniel,

Could you please specify where exactly the CCA is adding 0.0.0.0/0?

What is happening with the WAN ACL, and when? Is it possible to attach the logs from the CCA after removing the sensitive information?

Best regards,

Alex

I've never caught CCA "in the act" for removing the WAN ACL -- always noticed it later.

That said -- I would NEVER remove that ACL manually, and it has happened at least 10 times now... so not sure it can be anything other than CCA.

In regards to the TFP:

voice service voip
 ip address trusted list
  ipv4 0.0.0.0 0.0.0.0

CCA includes that by default, and if you remove it... it re-adds it when doing all sorts of operations.

Just remove it, turn on CLI postview in CCA, and make some changes.

Hello Daniel,

I have not seen the CCA remove the ACL from the WAN when applying TFP. If you can get the logs from CCA when this has happened, it will be helpful so that we can identify the reason.

The method you mention used for TFP in CCA is voice source-group.

The access-lists attached to these groups are the server ip addresses you enter in the TFP window in CCA for the SIP provider, the CUE and the internal users.

HTH,

Alex

1. The removing of the WAN ACL is not related to configuring TFP. This has happened randomly... I am not sure what the trigger is, and as I said -- I have not "caught" it.

2. CME has a few different methods of TFP: cor lists, ACLs, voice source groups, after-hours, and the ip address trusted list. CCA *deliberately* disables (by adding a wildcard) the ip address trusted list, even if you manually force it otherwise. I am asking why this is as that list is a powerful tool for preventing toll-fraud. We have also found the ip address trusted list easier to manage than the voice source group, especially when mixing in things like SIP phones.

Hello Daniel,

If you happen to see that WAN ACL removal again, it is good to check the logs of the CCA for that day. I do understand that it is not easy to catch it, but it will be really useful if we can find the reason, if it is caused by the CCA.

I agree with you about the TFP. You can submit feature request using the CCA.

If I find a way to use this TFP under voice service voip and CCA I will update you.

Best regards,

Alex

My customer just got hit by this. We are told we must use CCA. However, it opens the system up to toll fraud by adding this.

voice service voip
 ip address trusted list
  ipv4 0.0.0.0 0.0.0.0

This is not a feature request. It is a severe defect.

Hello Kris,

Actually, CCA is using another technique for Toll Fraud protection.

It is using voice source groups when you add the toll fraud prevention under SIP trunk settings.

There are also a number of other methods used for different scenarios.

Best regards,

Alex

Under SIP Trunk Settings > Advanced Options, the "Enable Toll Fraud Protection" was checked, but yet the customer's phone system was attacked and calls were made to East Timor, Bosnia, etc. So whatever CCA is doing is NOT working.

Here is a more helpful link:   http://www.voip.co.uk/ciscoccatoolsecurity/

We see this in the config:

voice source-group CCA_SIP_SOURCE_GROUP_CUE_CME
 access-list 2
 translation-profile incoming SIP_Incoming
!
voice source-group CCA_SIP_SOURCE_GROUP_EXTERNAL
 access-list 3

What we see here is that the calls coming in from the CUE get tagged with ABCD, then the Dial Peer looks for that:

dial-peer voice 1003 voip
 description ** Passthrough Inbound Calls for PSTN from CUE **
 translation-profile incoming SIP_Passthrough
 b2bua
 session protocol sipv2
 session target ipv4:10.1.10.1
 incoming called-number ABCDT
 dtmf-relay rtp-nte
 codec g711ulaw
 no vad

However, this does nothing to protect the SIP Trunk from the SIP provider. The ABCD prefix is only added on the calls coming in from the CUE.

What remains is the fact that disabling the "ip trusted address list" mechanism is causing Toll-Fraud on our trunks. We have added a WAN Access List (on an external Firewall) and we have set up the "ip trusted address list" to NOT be open to any IP address.

As it stands, the CCA is creating an insecure configuration, and as a result the system is subject to Toll Fraud.

Regards,

Kris Thompson, P.Eng., CCIE#1226
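
An added example, not part of the original posts and not Cisco or CCA code: a Python check that can be run over a saved running-config after each CCA session to catch the wildcard entry in the ip address trusted list being re-added. The sample config, the function names and the /8 breadth threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample running-config fragment (not taken from a real device).
SAMPLE_CONFIG = """\
voice service voip
 ip address trusted list
  ipv4 203.0.113.10
  ipv4 198.51.100.0 255.255.255.0
  ipv4 0.0.0.0 0.0.0.0
 allow-connections sip to sip
!
voice source-group CCA_SIP_SOURCE_GROUP_EXTERNAL
 access-list 3
"""

def trusted_list_entries(config_text):
    """Return the ipv4 entries under voice service voip / ip address trusted list."""
    entries = []
    in_voip = in_list = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue  # pasted configs often contain blank lines
        if not raw[0].isspace():  # a column-0 line starts a new top-level section
            in_voip = (line == "voice service voip")
            in_list = False
            continue
        if not in_voip:
            continue
        if line == "ip address trusted list":
            in_list = True
            continue
        words = line.split()
        if in_list and words[0] == "ipv4" and len(words) in (2, 3):
            # An entry without a mask is a single host.
            mask = words[2] if len(words) == 3 else "255.255.255.255"
            entries.append(ipaddress.ip_network(f"{words[1]}/{mask}", strict=False))
        else:
            in_list = False  # any other sub-command ends the list
    return entries

def audit_trusted_list(config_text, min_prefix=8):
    """Return (network, reason) findings for entries that trust too much address space.
    min_prefix is an assumed policy threshold, not a Cisco default."""
    findings = []
    for net in trusted_list_entries(config_text):
        if net.prefixlen == 0:
            findings.append((str(net), "wildcard: every source address is trusted"))
        elif net.prefixlen < min_prefix:
            findings.append((str(net), f"broader than /{min_prefix}"))
    return findings
```

Calling `audit_trusted_list()` on the text of a config saved after each CCA change and alerting on a non-empty result turns the behaviour described in this thread into something that is noticed the same day.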

Hello Kris,

Thank you for your input.

When you use CCA with toll fraud enabled, it will allow the connection to 5060 (if this is the SIP port) only from the servers mentioned in this window. These will be added in the access-list assigned to the WAN interface of the UC (if you have removed this access list from the WAN, or you are using another link to the Internet, this is another case and it is not created by the CCA).

If you receive a call from sources outside of the list mentioned in the voice source-group, the voice calls will not be allowed.

This toll fraud method is supported in previous versions of the IOS, including 12.4 and early 15, while the other (ip address trusted list) is available after 15.1(2)T.

HTH,

Alex