I set up a SIP-SIP gateway on a C2821. This C2821 routes all outbound calls from CUCM to an ITSP (both over SIP trunk). The C2821 itself does not act as a CME, i.e., there are no SCCP or SIP clients registered to it. In fact, I do not have any configuration that would allow an SCCP/SIP phone to register/authenticate. However, I found that a software SIP phone that has IP connectivity to this C2821 can register to it with a random username/directory number/password and therefore make outbound phone calls. I am puzzled, did I miss anything obvious?
I would look at using ACLs to protect the solution from the network side. I would also look at implementing the security guidelines outlined in the following doc:
There is a way to restrict registration from phones (primarily SCCP).
With CME 4.x and later you can also enable Digest Authentication. I would think that using ACLs as the primary defence, configuring digest auth as a secondary, and then turning off/blocking/disabling other sub-features in CME would be the path you should look into.
Registering and making calls are two different things.
The phone probably is not registering, but yes, it is normal that if you do not put an ACL on the interface, anyone on the internet will be able to toll-fraud you.
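
The interface ACL both replies recommend, sketched as an added example that is not part of the original thread or anyone's actual configuration. The addresses (documentation ranges), the ACL name and the interface names are assumptions; substitute the real CUCM node(s), ITSP signalling peer(s) and the interfaces that face them.

```cisco
! Constructed example: allow SIP signalling only from the two known trunk peers.
ip access-list extended SIP-TRUSTED-IN
 remark 192.0.2.10 stands in for the CUCM node that owns the SIP trunk
 permit udp host 192.0.2.10 any eq 5060
 permit tcp host 192.0.2.10 any eq 5060
 remark 203.0.113.20 stands in for the ITSP SIP signalling peer
 permit udp host 203.0.113.20 any eq 5060
 permit tcp host 203.0.113.20 any eq 5060
 remark Drop and log SIP from every other source (softphones, scanners)
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 remark Non-SIP traffic (RTP, management) is out of scope here; tighten as needed
 permit ip any any
!
! Apply inbound on every interface that can receive SIP (names are assumptions).
interface GigabitEthernet0/0
 description LAN side, towards CUCM
 ip access-group SIP-TRUSTED-IN in
!
interface GigabitEthernet0/1
 description WAN side, towards ITSP
 ip access-group SIP-TRUSTED-IN in
```

After applying it, `show ip access-lists SIP-TRUSTED-IN` shows per-entry hit counts, and the `log` keyword on the deny entries records the source addresses of rejected SIP attempts.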