Cisco Support Community

New Member

Urgent!!!! Voice Gateway was hacked, were made thousand of L.D Calls

I have several 2800 Voice Gateways in several regions. How can I protect my H.323 GW? These gateways have public IP addresses. Can I control or authenticate my VoIP gateways so that a rogue gateway cannot connect to my gateway and make calls?

34 REPLIES
New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

You need to, at a minimum, create an ACL to prevent H.323 traffic that originates from the internet from going into your gateway, and only allow traffic from your sites.

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

As far as I know, GK is the only solution. An access-list cannot prevent dial-peer hacking.

Silver

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Hi,

I don't know whether this is a possibility but you could add a gatekeeper to authenticate requests via AAA? That way all the gateways would have to securely register with the gatekeeper.

This can also be integrated with a RADIUS server (i.e. ACS) if you have one?

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

I appreciate your response. Would you have a link with an example of how to integrate the GK with CSACS, and in what version of CSACS?

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Do you know the IP addresses of all gateways authorized to send calls (signaling) to the other one? If so, you may consider an access-list.

If the answer is yes, you may consider something limiting access per port per IP address, for example. Here is some port information to assist you:

H.323/H.225 = TCP 1720
H.323/H.245 = TCP 11xxx (Standard Connect)
H.323/H.245 = TCP 1720 (Fast Connect)
H.323/H.225 RAS = TCP 1719
SCCP = TCP 2000-2002 (CM Encore)
ICCP = TCP 8001-8002 (CM Encore)
MGCP = UDP 2427, TCP 2428 (CM Encore)
SIP = UDP 5060, TCP 5060 (configurable)

I got it from http://www.cisco.com/en/US/tech/tk652/tk698/technologies_configuration_example09186a0080094af9.shtml

regards,

daniel

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Daniel,

An access-list is not a good idea for preventing dial-peer hacking. Here is one scenario: both A and B need to send H.323 calls to C. How can you use an access-list to prevent A from hacking B's account in C?

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Jack,

I was considering an outside attacker and not someone from the company, not someone from this cloud of Cisco gateways.

If the problem is inside the network, what do you think about AAA (RADIUS)?

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Daniel,

The scenario I mentioned is indeed for hacking from outside. I thought AAA is not powerful enough to prevent such an attack. Could you advise how to use AAA in such a scenario?

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Hi

You can use source-IP-based dial-peers by using voice source-group, access-list and translation rules.

Example:

voice source-group customer1
 access-list 50
 translation-profile incoming 50

voice source-group customer2
 access-list 40
 translation-profile incoming 40

rgds,

Ismo

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

I was looking for a complete example of this command, voice source-group, but I don't find it. So this command is for using an ACL where you specify the IP of the remote gateway, in order to ensure only this gateway can make calls for the translation profile?

Could you send me more details on how to use this command? By the way, I have a CS ACS for AAA.

The challenge is to be able to identify or permit the use of the prefix for a client, but only from a known IP address of a GW.

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Below is a simple example, where prefix 7 or 8 is added using that feature.

access-list 1 permit 1.2.3.4 0.0.0.255
access-list 2 permit 3.4.5.6 0.0.0.255

voice source-group 1234
 access-list 1
 disconnect-cause invalid-number
 translation-profile incoming 1

voice source-group 3456
 access-list 2
 disconnect-cause invalid-number
 translation-profile incoming 2

voice translation-profile 1
 translate called 1

voice translation-profile 2
 translate called 2

voice translation-rule 1
 rule 1 /^1\(.*\)/ /81\1/ type any subscriber plan any isdn

voice translation-rule 2
 rule 1 /^1\(.*\)/ /71\1/ type any subscriber plan any isdn

dial-peer voice 1 voip
 destination-pattern 8T

dial-peer voice 2 voip
 destination-pattern 7T

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Ismo,

Very good example.

Daniel

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

I think this solution is good for the IP2IP scenario. What about IP->TDM?

Suppose ISDN T1-A must take calls from IP 1.2.3.4/24 and ISDN T1-B must take calls from IP 3.4.5.6/24.

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Sir,

You can send calls from these gateways with different tech prefixes and strip them at the correct E1 to deliver the calls.

Regards,

Daniel

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Daniel,

Be patient. What you described is exactly what I called dial-peer hacking. Do you know how much money IDT lost due to dial-peer (tech prefix) hacking?

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Sir,

Maybe I'm missing something here but if you combine the tech prefix match with the voice source-group command (or access list), you will limit the access to the gateways only to IP addresses that belong to your company and tech prefix will be used not to block calls but to deliver it correctly in a specific E1 or T1.

regards,

Daniel

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

In fact, we only need one POTS dial-peer to terminate a VOIP->TDM call, therefore a simple access-list and tech prefix open a hole for the dial-peer hacker. As for how to use voice source-group to prevent such an attack, I do need advice.

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

I tried this command on similar equipment and it works like this:

To block a specific IP, returning user-busy to these calls, and allow all other IPs to send calls, you can build an access list like this:

access-list 1 deny x.x.x.x
access-list 1 permit any

Then, using the command suggested by our colleague, we include the access list reference and the disconnect cause desired for the blocked calls:

voice source-group secured
 access-list 1
 disconnect-cause user-busy

You can invert the access list and allow just some specific IP addresses to send calls.

I hope this can be useful for the subject.

regards,

daniel

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Let me repeat:

Suppose ISDN T1-A (for long distance) should only take calls from IP 1.2.3.4/24 and ISDN T1-B (for local) should only take calls from IP 3.4.5.6/24. What can you do to prevent calls from 3.4.5.6 from dialing long distance?

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Suppose the termination gateway IP is 9.9.9.9.

At gateway 1.2.3.4, the dial-peer should be something like:

dial-peer voice 100 voip
 ! if numbers start with 0 for example
 destination-pattern 0T
 session target ipv4:9.9.9.9
 tech-prefix 100#

At gateway 3.4.5.6, the dial-peer should be something like:

dial-peer voice 200 voip
 ! if numbers start with any digit for example
 destination-pattern .T
 session target ipv4:9.9.9.9
 tech-prefix 200#

At the local gateway we will put:

! secure to just receive calls from these classes of IP:
access-list 1 permit 1.2.3.4 0.0.0.255
access-list 1 permit 3.4.5.6 0.0.0.255
access-list 1 deny any

voice source-group secured
 access-list 1
 disconnect-cause user-busy

! each dial-peer to each e1:
translation-rule 100
 rule 0 100#0 0

! this is in a very extended way and not allowing 0
translation-rule 200
 rule 0 200#1 1
 rule 1 200#2 2
 rule 2 200#3 3
 rule 3 200#4 4
 rule 4 200#5 5
 rule 5 200#6 6
 rule 6 200#7 7
 rule 7 200#8 8
 rule 8 200#9 9
 rule 9 200#1 1

! terminate in ISDN T1-A
dial-peer voice 100 pots
 translate-outgoing called 100
 ! replace with the correct port identification
 port 1

! terminate in ISDN T1-B
dial-peer voice 200 pots
 translate-outgoing called 200
 ! replace with the correct port identification
 port 2

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Suppose I can access 3.4.5.6 and I want to dial free long distance, so I add this dial-peer in 3.4.5.6:

dial-peer voice 300 voip
 destination-pattern .T
 session target ipv4:9.9.9.9
 tech-prefix 100#0

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Jack,

This was on the supposition that you have the gateways protected, but even with that, if you go back to the "isahonen" example, you can do two different voice source-groups, associate a different access list with each of them and then associate a different voice translation-profile with each one:

access-list 1 permit 1.2.3.4 0.0.0.255
access-list 2 permit 3.4.5.6 0.0.0.255

voice source-group 1234
 access-list 1
 disconnect-cause invalid-number
 translation-profile incoming 1

voice source-group 3456
 access-list 2
 disconnect-cause invalid-number
 translation-profile incoming 2

voice translation-profile 1
 translate called 1

voice translation-profile 2
 translate called 2

voice translation-rule 1
 rule 1 /^1\(.*\)/ /81\1/

voice translation-rule 2
 rule 1 /^1\(.*\)/ /71\1/

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Daniel,

Did you really test the "isahonen" example before drawing a conclusion? BTW, 3.4.5.6 is my GW and I'd like to test the security of 9.9.9.9.

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Yes, I tested the following exact configuration:

voice translation-rule 100
 rule 1 /^100#81/ /81/
 rule 2 /^.*/ /8888888/

voice translation-rule 200
 rule 1 /^200#81/ /81/
 rule 2 /^.*/ /88888888/

voice translation-profile 100
 translate called 100

voice translation-profile 200
 translate called 200

access-list 1 permit 1.2.3.4 0.0.0.0
access-list 1 deny any

access-list 2 permit 3.4.5.6 0.0.0.0
access-list 2 deny any

voice source-group secured
 access-list 1
 disconnect-cause invalid-number
 translation-profile incoming 100

voice source-group secured2
 access-list 2
 disconnect-cause invalid-number
 translation-profile incoming 200

This example is based on calls to country code 81, and if it's not 81, I block it, translating it to 888888.

regards,

daniel
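The check in the configuration tested in the post above, modelled as an added example that is not part of the original thread: it contrasts binding the tech prefix to the caller's source IP with selecting the trunk by prefix alone. The names `route`, `translate` and `route_prefix_only`, the T1-A/T1-B prefix mapping, the sample numbers and the simplified rule semantics (first matching rule wins, only the matched part is substituted, a source matching no group is rejected) are assumptions of this model.

```python
import ipaddress
import re

# Constructed from the tested configuration above: each source group pairs
# the hosts its access-list permits with its ordered translation rules.
SOURCE_GROUPS = [
    ("secured", ["1.2.3.4"], [(r"^100#81", "81"), (r"^.*", "8888888")]),
    ("secured2", ["3.4.5.6"], [(r"^200#81", "81"), (r"^.*", "88888888")]),
]

# Prefix-only baseline (assumed mapping): the tech prefix alone picks the trunk.
PREFIX_TRUNKS = {"100#": "T1-A", "200#": "T1-B"}


def translate(rules, called):
    """Apply the first matching rule, substituting only the matched part."""
    for pattern, replacement in rules:
        if re.search(pattern, called):
            return re.sub(pattern, replacement, called, count=1)
    return called


def route(source_ip, called):
    """Select the source group by caller IP, then translate the called number."""
    src = ipaddress.ip_address(source_ip)
    for name, hosts, rules in SOURCE_GROUPS:
        if any(src == ipaddress.ip_address(h) for h in hosts):
            return name, translate(rules, called)
    return None, "invalid-number"  # no access-list permits this source


def route_prefix_only(called):
    """Baseline with no source binding: any permitted peer may use any prefix."""
    for prefix, trunk in PREFIX_TRUNKS.items():
        if called.startswith(prefix):
            return trunk, called[len(prefix):]
    return None, "invalid-number"


if __name__ == "__main__":
    # Constructed sample calls: (source IP, called number as received).
    for ip, number in [("1.2.3.4", "100#8112345678"),
                       ("3.4.5.6", "100#8112345678"),
                       ("3.4.5.6", "200#8112345678"),
                       ("9.8.7.6", "100#8112345678")]:
        print(ip, number, route(ip, number), route_prefix_only(number))
```

With the source binding, a call from 3.4.5.6 carrying the other gateway's 100# prefix falls through to the catch-all rule, while the prefix-only baseline would hand it to T1-A.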

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Interesting, you can test without building POTS dial-peer.

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

I will test source-group as well. Again, a simple access-list and tech-prefix combination without voice source-group definitely has a security issue.

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

If you cannot guarantee that your gateways will not be invaded and have their configurations changed, I agree with you.

Let me know your tests.

regards,

daniel

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

When we talk about security of GW 9.9.9.9, GW 3.4.5.6 could be any 'innocent' or 'bad' individual. Therefore in security discussion of termination GW, we should consider all potential scenarios.

Regards,

New Member

Re: Urgent!!!! Voice Gateway was hacked, were made thousand of L

Jack,

I agree. I mention that because based on the problem description I was considering it as an enterprise network and not a voice wholesaler like us.

Regards,

Daniel
