
ELTEX SBC-1000 - Page 97

ELTEX SBC-1000
211 pages
SBC session border controllers 97
SIP flood
Enable SIP flood defense: protection against brute-forcing of user passwords and flooding with requests to
the forbidden direction.
- Hits to block: after the number of attempts is exceeded, the user will be blocked. You can set from 1 to 32
attempts;
- Short-time blocks before long-time one: the number of temporary blocks that will be applied to the user.
Once this limit is exceeded, long-time blocking will be applied. You can set from 1 to 10 blocks;
- Short block time, s: subscriber blocking time, can be from 600 to 3600 seconds;
- Forget or long block time, hr: long block time. This is also the forgiveness time after which the access
attempts counter will be reset. You can set from 12 to 48 hours.
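The following added example (not ELTEX code and not part of the manual) models the escalation described by these four settings, so that a chosen configuration can be checked for how many offending requests a source gets counted before the long block applies. The class and function names are hypothetical, and three behaviours are assumptions: a block triggers on the request that exceeds the limit, the hit counter restarts after each block, and the forgiveness time is measured from the last counted request.

```python
# Added model of the SIP flood settings; assumptions are marked in comments.
from dataclasses import dataclass

@dataclass
class FloodPolicy:
    hits_to_block: int = 3     # "Hits to block", 1..32
    short_blocks: int = 2      # "Short-time blocks before long-time one", 1..10
    short_block_s: int = 600   # "Short block time, s", 600..3600
    forget_hr: int = 12        # "Forget or long block time, hr", 12..48

    def __post_init__(self):
        limits = {"hits_to_block": (1, 32), "short_blocks": (1, 10),
                  "short_block_s": (600, 3600), "forget_hr": (12, 48)}
        for name, (lo, hi) in limits.items():
            if not lo <= getattr(self, name) <= hi:
                raise ValueError(f"{name} must be in {lo}..{hi}")

class FloodTracker:
    """State for one user. Assumed: the hit counter restarts after a block."""
    def __init__(self, policy):
        self.p, self.hits, self.blocks = policy, 0, 0
        self.blocked_until, self.last_hit = 0.0, None

    def offence(self, now):
        """Record one failed or forbidden request at time `now` (seconds)."""
        if now < self.blocked_until:
            return "blocked"
        forget_s = self.p.forget_hr * 3600
        if self.last_hit is not None and now - self.last_hit >= forget_s:
            self.hits = self.blocks = 0          # forgiveness time elapsed
        self.last_hit = now
        self.hits += 1
        if self.hits <= self.p.hits_to_block:
            return "counted"
        self.hits = 0
        self.blocks += 1
        if self.blocks > self.p.short_blocks:    # limit exceeded: long block
            self.blocked_until = now + forget_s
            return "long-block"
        self.blocked_until = now + self.p.short_block_s
        return "short-block"

def offences_before_long_block(policy):
    """Requests counted (not blocked) before the long block is applied."""
    t, tracker, n = 0.0, FloodTracker(policy), 0
    while True:
        state = tracker.offence(t)
        if state == "long-block":
            return n
        n += (state == "counted")
        t = max(t + 1, tracker.blocked_until)    # wait out any short block
```

Under these assumptions the count is hits to block multiplied by (short-time blocks + 1), which is the figure to compare against the password policy when choosing values near the upper limits.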
4.1.8.8 SBC network protection operation scheme
Dynamic and static firewall rules, the list of forbidden addresses and the access restrictions from network
interfaces are applied on SMG in the following order:
1. The dynamic firewall rules are processed (section 4.1.8.3). This step resets requests from addresses that
are on the blacklist and temporary block list;
2. The access restrictions configured in the Network interfaces -> Services (section 4.1.4.3) and White addresses
list (section 4.1.8.6) sections are processed. When the list of allowed IP addresses is inactive, rules are generated that allow
management access to the addresses of SMG network interfaces that have access permission in the «Services»
block. When the list of allowed IP addresses is active, the rules are complemented by source IP address control:
only connections from addresses specified in the list are allowed;
3. The rules of SIP destination protection are processed (section 4.1.3.2). Protection rules for a SIP destination
are formed automatically. By default, for UDP it is checked that access comes only from the specified remote
address and port. For TCP (and for UDP with the «Ignore source port for incoming calls» option) only the remote
address is checked. If the «Allow redirection» option is set, the remote address is not controlled; you should use
a static firewall to limit access;
4. Other access is allowed to network interfaces that do not have static firewall rules bound to them;
5. The static firewall rules (section 4.1.8.5) are processed on those network interfaces to which the rules are
bound.
If one of the rules in the list matches, the remaining rules are not applied to the request.
4.1.8.9 Providing typical SBC network protection tasks
Restrict management access via WEB/Telnet/SSH/SNMP protocols.
To restrict management access, use the settings in Network Interfaces -> Services (section 4.1.4.3) and White
addresses list (section 4.1.8.6). First, on the network interfaces where access must be granted, set the flags of the
protocols that you want to allow. This establishes the destination address restriction. After that, configure the list of
allowed IP addresses, which additionally limits the source address to the addresses from the list.
Restrict access to SIP interfaces to specific addresses and/or geographic locations.
By default, SIP destination security rules are created automatically. However, when the «Allow redirects»
option is checked, no rules are created. In addition, rules are not created automatically for a SIP trunk. To protect
a SIP trunk, you need to configure a static firewall (section 4.1.8.5).
Example of configuring access with these restrictions:
- Allow access from Russia;
- Allow access from subnet 34.192.128.128/28;
- Restrict access from other addresses.
