sipXcom provides comprehensive firewalling integrated into the system. Best practices however should still be followed and we recommend that your unified communications system be placed behind a standard firewall and commercial SBC when connecting to the Internet.
The firewall Rules page contains a list of all of the ports required to operate the system. Rules marked for group 'PUBLIC' are used by User Agents, System Users or other network services (such as SNMP). Rules marked for group 'CLUSTER' are used for intra-cluster (server to server) communications.
The Prioritize check box marks packets with DSCP 46 so that network switching and routing equipment can prioritize that traffic.
For administrators connecting their communications systems to the internet, consider which ports will be required by your remote users before blindly passing all traffic from the Internet into your unified communications system. Not all ports labeled 'PUBLIC' are required to be available to the Internet.
System Groups allow the administrator to specify custom groups of IP addresses to be allowed access to the sipXcom services defined on the Rules page.
Click on 'Add Group' to add a custom group.
Specify a name for your group and a space delimited list of source IP addresses (using ip addresses or subnets).
The Call Rate Limit settings allow sipXcom to detect Denial of Service (DoS) and other attacks (intended or not) and prevent it from crashing the system. The Call Rate Limit functionality can be configured from config UI by navigating to System -> Firewall -> Call Rate Limit.
The limits are simple IPTables rules that limit the rate at which particular SIP Message types will be accepted to the system.
Call Rate Limits should be used in conjunction with the system security settings (System -> Security). System Security settings can automatically block offending IP's whereas Call Rate Limits simply limit the rate at which packets are allowed in.
Call Rate Limits are set on IP Address ranges. An administrator might want different call rate limits for their internal IP networks vs. the Internet.
To add a new Call Rate Limit, click on the 'Add Call Rate Limit' link in the top right of the Call Rate Limit table.
Give the new limit a name, description and start/stop IP addresses.
Once you have done that, click on 'Add Limit' to specify rates for different SIP messages.
To enable logging and control the rate limit settings click on the settings tab (System -> Firewall -> Settings) in the left side menu. The 'Show Advanced Settings' link at the top of the page reveals even more options.
There are instances when predictive dialers for call centers are deployed within the network and might be misinterpreted by the ratelimit procedure as a DoS attacker. To allow friendly rate violators from ever getting jailed, a white list is also provided by the config to tell sipXcom who the friendlies are and would be granted immunity.
If that is not enough, a black list is also provided so that you can simply copy and paste IP addresses of known attackers to permanently ban them from ever sending packets to sipXcom.
Enables rules that block the 'friendly-scanner' attack signature.
Enables rules that block the 'sipvicious' attack signature.
Enables rules that block the 'sundayddr' attack signature.
Enables rules that block the 'iWar' attack signature.
Enables rules that block the 'sip-scan' attack signature.
Enables rules that block the 'sipsak' attack signature.
Allows the administrator to block SIP packets that contain any of the comma separated values in this list. This is very useful to block user agents that the administrator might not want to allow.
Configures the firewall to ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast.
Enables syn cookies to counteract the common 'syn flood attack'.
All dropped packets will be logged in the firewall-drop.log file (in /var/log/sipxpbx/firewall/firewall-drop.log). Useful when looking for user and user agent connectivity issues.
Packets matching the canned attack signatures above will be logged in /var/log/sipxpbx/firewall/firewall-sipdos.log before they are dropped. (Needed by System -> SIP Security)
Rate limited packets that are dropped will be logged in /var/log/sipxpbx/firewall/firewall-ratedrop.log before they are dropped.
If enabled all SIP REGISTER packets will be logged in /var/log/sipxpbx/firewall/firewall-sip.log. (Needed by System -> SIP Security)
If enabled all SIP INVITE packets will be logged in /var/log/sipxpbx/firewall/firewall-sip.log. (Needed by System -> SIP Security)
If enabled all SIP ACK packets will be logged in /var/log/sipxpbx/firewall/firewall-sip.log. (Needed by System -> SIP Security)
If enabled all SIP OPTIONS packets will be logged in /var/log/sipxpbx/firewall/firewall-sip.log. (Needed by System -> SIP Security)
To prevent log flooding the administrator can decide to limit the maximum number of similar dropped packets to be logged. This value should be greater than or equal to 2 or -1 for no limit.
The time span over which similar packets will be considered for packet matching.
Enable this only if you don't want the system to manage the IPTables configuration. Note that sipXcom utilizes IPTables rules for marking packets for QoS.
The algorithm is a simple packet rate counter that measures the number of packets received per second. A certain threshold can be set via the web UI on what the threshold limit is. The current default is 100 packets per second.
This can be adjusted based on the actual traffic intensity or lack thereof in a particular deployment. A threshold violation triggers an Alarm to be raised so that administrators get a notification when the threshold is reach and if they need to increase it.
On top of the rate counter, the transport layer also maintains a dynamic map of the IP addresses that sent packets to sipXcom. If a threshold violation is reached, this map will be consulted and see if a certain IP is responsible for a certain percentage of the total packets received. The current default for this is 50 packets. Thus, we can say that the rate limit ratio is 50/100.
If the transport pinpoints a particular IP sends more than or equal to 50, the particular IP will be banned from ever sending any packets to sipXcom until such time it is granted a parole by the system.
The lifetime by which a particular IP is banned from the system is also configurable. The current default is 3600 seconds or 1 hour. After an IP address is banned, it will be released from the transport jail and would be allowed again to send traffic to sipXcom until such time it again violates the rate ratio.