AudioCodes Mediant 4000 SBC User Manual page 171

CHAPTER 14    Security
Limit traffic to a user-defined rate (blocking the excess)
Limit traffic to specific protocols and specific port ranges on the device
For each packet received on the network interface, the device searches the table from top to
bottom until the first matching rule is found. The matched rule can permit (allow) or deny (block) the
packet. Once a rule in the table is located, subsequent rules further down the table are ignored. If
the end of the table is reached without a match, the packet is accepted.
The following procedure describes how to configure firewall rules through the Web interface. You
can also configure them through the ini file [AccessList] or the CLI (configure network > access-list).
To configure a firewall rule:
1. Open the Firewall table (Setup menu > IP Network tab > Security folder > Firewall).
2. Click New; the following dialog box appears:
The rules configured by the Firewall table apply to a very low-level network layer
and override all other security-related configuration. Thus, if you have configured
higher-level security features (e.g., on the Application level), you must also
configure firewall rules to permit this necessary traffic. For example, if you have
configured IP addresses to access the device's Web and Telnet management
interfaces in the Access List table (see Configuring Web and Telnet Access List on
page 142), you must configure a firewall rule that permits traffic from these IP addresses.

Only users with Security Administrator or Master access levels can configure
firewall rules.

The device supports dynamic firewall pinholes for media (RTP/RTCP) traffic
negotiated in the SDP offer-answer of SIP calls. The pinhole allows the device to
ignore its firewall and accept the traffic on the negotiated port. The device
automatically closes the pinhole once the call terminates. Therefore, it is
unnecessary to configure specific firewall rules to allow traffic through specific
ports. For example, if you have configured a firewall rule to block all media traffic in
the port range 6000 to 7000 and a call is negotiated to use the local port 6010, the
device automatically opens port 6010 to allow the call.

Setting the 'Prefix Length' field to 0 means that the rule applies to all packets,
regardless of the IP address defined in the 'Source IP' field. Thus, it is highly
recommended to set the parameter to a value other than 0.

It is recommended to add a rule at the end of your table that blocks all traffic and to
add firewall rules above it that allow required traffic (with bandwidth limitations). To
block all traffic, use the following firewall rule:
Source IP: 0.0.0.0
Prefix Length: 0 (i.e., rule matches all IP addresses)
Start Port - End Port: 0-65535
Protocol: Any
Action Upon Match: Block

If the device needs to communicate with AudioCodes OVOC, you must also add
rules to allow incoming traffic from OVOC. For more information, see
Configuring Firewall Rules to Allow Incoming OVOC Traffic.

If you are using the High Availability feature and you have configured "block" rules,
ensure that you also add "allow" rules for HA traffic. For more information, see
Configuring Firewall Allowed Rules.

- 138 -
Mediant 4000 SBC | User's Manual
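The matching semantics described on this page (top-to-bottom first match, accept when the end of the table is reached, Prefix Length 0 matching every source, and the SDP-negotiated media pinhole) modelled as an added Python example; this is not AudioCodes code, the table contents are constructed, and it assumes the port range is matched against the device's local port.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    source_ip: str      # 'Source IP'
    prefix_length: int  # 'Prefix Length'; 0 makes the rule match every source address
    start_port: int     # 'Start Port' - 'End Port' (assumed here to be the local port)
    end_port: int
    protocol: str       # 'Any', 'UDP', 'TCP', ...
    action: str         # 'Action Upon Match': 'Allow' or 'Block'

    def matches(self, src_ip, port, proto):
        if self.prefix_length == 0:
            ip_ok = True  # the pitfall the manual warns about: Source IP is ignored
        else:
            net = ipaddress.ip_network(f"{self.source_ip}/{self.prefix_length}", strict=False)
            ip_ok = ipaddress.ip_address(src_ip) in net
        port_ok = self.start_port <= port <= self.end_port
        proto_ok = self.protocol == "Any" or self.protocol == proto
        return ip_ok and port_ok and proto_ok

def evaluate(rules, src_ip, port, proto, pinholes=frozenset()):
    """Decide one packet: pinhole first, then first match top to bottom, default accept."""
    if proto == "UDP" and port in pinholes:  # media port negotiated in SDP while the call is up
        return "Allow"
    for rule in rules:  # searched from top to bottom; rules below the first match are ignored
        if rule.matches(src_ip, port, proto):
            return rule.action
    return "Allow"  # end of table reached without a match: the packet is accepted

# Constructed sample table in the recommended shape: allow rules above, block-all last.
ALLOW_MGMT = Rule("10.1.1.0", 24, 0, 65535, "Any", "Allow")  # management station subnet
ALLOW_SIP = Rule("0.0.0.0", 0, 5060, 5061, "Any", "Allow")   # SIP signalling from anywhere
BLOCK_ALL = Rule("0.0.0.0", 0, 0, 65535, "Any", "Block")     # the manual's block-all rule
TABLE = [ALLOW_MGMT, ALLOW_SIP, BLOCK_ALL]

# The manual's pinhole example: media blocked on 6000-7000, call negotiates local port 6010.
MEDIA_TABLE = [Rule("0.0.0.0", 0, 6000, 7000, "UDP", "Block"), BLOCK_ALL]

if __name__ == "__main__":
    print(evaluate(TABLE, "10.1.1.7", 443, "TCP"))         # Allow: management subnet
    print(evaluate(TABLE, "203.0.113.5", 443, "TCP"))      # Block: falls through to block-all
    print(evaluate(TABLE[:2], "203.0.113.5", 443, "TCP"))  # Allow: no block-all, default accept
    print(evaluate(MEDIA_TABLE, "198.51.100.9", 6010, "UDP", pinholes={6010}))  # Allow
    print(evaluate(MEDIA_TABLE, "198.51.100.9", 6020, "UDP", pinholes={6010}))  # Block
```

The third call shows why the block-all rule matters: without it, any packet that matches no rule is accepted.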