Security; Configuring Firewall Settings - AudioCodes Mediant 1000B User Manual

User's Manual
13

Security

This section describes the VoIP security-related configuration.
13.1

Configuring Firewall Settings

The Firewall table lets you configure up to 50 firewall rules, which define network traffic
filtering rules (access list) for incoming traffic. The access list offers the following firewall
possibilities:

Block traffic from known malicious sources

Allow traffic only from known "friendly" sources, and block all other traffic

Mix allowed and blocked network sources

Limit traffic to a user-defined rate (blocking the excess)

Limit traffic to specific protocols, and specific port ranges on the device
For each packet received on the network interface, the device searches the table from top
to bottom until the first matching rule is found. The matched rule can permit (allow) or deny
(block) the packet. Once a rule in the table is located, subsequent rules further down the
table are ignored. If the end of the table is reached without a match, the packet is
accepted.
Note:
•
The rules configured by the Firewall table apply to a very low-level network layer
and overrides all other security-related configuration. Thus, if you have configured
higher-level security features (e.g., on the Application level), you must also
configure firewall rules to permit this necessary traffic. For example, if you have
configured IP addresses to access the device's Web and Telnet management
interfaces in the Access List table (see ''Configuring Web and Telnet Access List''
on page 82), you must configure a firewall rule that permits traffic from these IP
addresses.
•
Only users with Security Administrator or Master access levels can configure
firewall rules.
•
The device supports dynamic firewall pinholes for media (RTP/RTCP) traffic
negotiated in the SDP offer-answer of SIP calls. The pinhole allows the device to
ignore its firewall and accept the traffic on the negotiated port. The device
automatically closes the pinhole once the call terminates. Therefore, it is
unnecessary to configure specific firewall rules to allow traffic through specific
ports. For example, if you have configured a firewall rule to block all media traffic
in the port range 6000 to 7000 and a call is negotiated to use the local port 6010,
the device automatically opens port 6010 to allow the call.
•
Setting the 'Prefix Length' field to 0 means that the rule applies to all packets,
regardless of the defined IP address in the 'Source IP' field. Thus, it is highly
recommended to set the parameter to a value other than 0.
•
It is recommended to add a rule at the end of your table that blocks all traffic and
to add firewall rules above it that allow required traffic (with bandwidth limitations).
To block all traffic, use the following firewall rule:
√
√
√
√
√
Version 7.2
Source IP: 0.0.0.0
Prefix Length: 0 (i.e., rule matches all IP addresses)
Start Port - End Port: 0-65535
Protocol: Any
Action Upon Match: Block
171 Mediant 1000B Gateway & E-SBC
13. Security