Table of Contents
OVERVIEW .......... 4
WEB UI ACCESS .......... 5
UCM HTTP Server Access .......... 5
Protocol Type .......... 5
User Login .......... 6
Login Settings .......... 8
User Management Levels .......... 9
EXTENSION SECURITY .......... 11
SIP/IAX Password .......... 11
Strategy of IP Access Control ..........
Fail2ban .......... 28
AMI .......... 31
UCM Security Manual
Table of Figures
Figure 1: UCM6202 Web UI Login .......... 6
Figure 2: Default Random Password .......... 7
Figure 3: Login Settings .......... 8
Figure 4: Creating Custom Privilege Levels .......... 10
Figure 5: Strategy – Local Subnet Only .......... 12
Figure 6: Registration Failed from Subnet Not Allowed for Registration ..........
Reproduction or transmittal of the entire or any part, in any form or by any means, electronic or print, for any purpose without the express written permission of Grandstream Networks, Inc. is not permitted.
WEB UI ACCESS
UCM HTTP Server Access
The UCM embedded web server responds to HTTP/HTTPS GET/POST requests. Embedded HTML pages allow users to configure the device through a web browser such as Microsoft IE, Mozilla Firefox, Google Chrome, etc. This is the most important tool for configuring all the settings on the UCM. It is also the immediate interface through which the administrator accesses configurations, user status and all the system information.
User Login
UCM web UI access is restricted by user login. A username and password are required when logging in to the web UI.
Figure 1: UCM6202 Web UI Login
The factory default value of “Username” is “admin”, while the default random password can be found on the sticker on the back of the unit.
Note: Units manufactured starting January 2017 have a unique random password printed on the sticker. Older units and the UCM6100 series have the default password “admin”.
Figure 2: Default Random Password
It is highly recommended to change the default password after logging in for the first time. To change the password for the default user “admin”, go to the web GUI → Settings → Change Password page.
Login Settings
An authenticated user of the UCM web UI may log in to the system and then leave the active session on a terminal unattended without intentionally logging off from the system. An adversary with access to the terminal could then have access to the UCM, meaning all the configuration and status information could be exposed and changed, intentionally or unintentionally.
User Management Levels
On the UCM, four privilege levels for web UI users are supported:
• Super Admin: high priority.
• Admin: low priority.
• Custom level: custom priority.
• Consumer: low priority.
The super administrator can access all pages on the UCM web UI, change the configuration for all options and execute all operations, while a normal administrator created by the super administrator has limited access.
To create a new custom privilege level, navigate to the web UI menu Maintenance → User Management → Custom Privilege, then name the new custom user level and assign the desired modules as shown in the figure below.
Figure 4: Creating Custom Privilege Levels
From the security perspective, this feature is helpful because it gives each person exactly the level of access they need, no more and no less.
EXTENSION SECURITY
SIP/IAX Password
When creating a new SIP/IAX extension, the UCM administrator is required to configure the “SIP/IAX Password”, which will be used for account registration authentication. If “Enable Random Password” (on the web GUI → PBX Settings → General Settings page) is enabled, “SIP/IAX Password” is automatically filled with a randomly generated secure password when the extension is created on the UCM.
Figure 5: Strategy – Local Subnet Only
3. Save and Apply changes.
Now, if the SIP end device is in a subnet other than 192.168.40.x, e.g., the 172.18.31.x subnet, the UCM will not allow registration using this extension. The following figure shows the SIP device with IP address 172.18.31.17. The UCM on IP 192.168.40.171 replies 404 Not Found to the registration request.
Figure 6: Registration Failed from Subnet Not Allowed for Registration
Once this device is moved to the 192.168.40.x subnet, registration succeeds. The following figure shows the same SIP end device with IP address 192.168.40.190. The UCM on IP address 192.168.40.171 replies 200 OK to the registration request.
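The following is an added example (not Grandstream code) that simulates the “Local Subnet Only” strategy shown above: a REGISTER is accepted only when its source address falls inside one of the networks allowed for that extension, otherwise the PBX answers 404 Not Found as in Figure 6. The extension numbers, the allowed networks and the registration attempts are constructed sample data; the example generalizes the single-subnet case in the manual to a list of allowed networks. Note that the subnet check is only a source filter: the SIP/IAX password challenge still applies to every accepted attempt.

```python
"""Simulation of the UCM "Local Subnet Only" registration strategy.

Added example, not Grandstream code. Extension table, allowed subnets and
REGISTER attempts below are constructed sample data. Response codes follow
the manual: 404 Not Found when the source subnet is not allowed, 200 OK when it is.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Extension:
    number: str
    # Networks from which this extension may register (CIDR strings).
    # An empty list models the unrestricted case (no source filter).
    allowed_subnets: list = field(default_factory=list)


def register_response(ext: Extension, source_ip: str) -> str:
    """Return the SIP status the PBX would send for a REGISTER from source_ip."""
    try:
        src = ipaddress.ip_address(source_ip)
    except ValueError:
        # Malformed source address: treat as not allowed rather than crashing.
        return "404 Not Found"
    if not ext.allowed_subnets:
        return "200 OK"
    for cidr in ext.allowed_subnets:
        # strict=False accepts host-style entries such as 192.168.40.171/24.
        if src in ipaddress.ip_network(cidr, strict=False):
            return "200 OK"
    return "404 Not Found"


def audit_registrations(extensions, attempts):
    """Evaluate (extension number, source ip) attempts; return a result log."""
    by_number = {e.number: e for e in extensions}
    results = []
    for number, ip in attempts:
        ext = by_number.get(number)
        if ext is None:
            # Unknown extension: the PBX does not reveal whether it exists.
            results.append((number, ip, "404 Not Found"))
            continue
        results.append((number, ip, register_response(ext, ip)))
    return results


# Constructed sample data mirroring the manual's figures.
EXTENSIONS = [
    Extension("1000", ["192.168.40.0/24"]),          # Local Subnet Only
    Extension("1001", ["192.168.40.0/24", "10.0.5.0/24"]),  # two allowed networks
    Extension("1002"),                                # no source restriction
]
ATTEMPTS = [
    ("1000", "172.18.31.17"),    # Figure 6: wrong subnet -> 404
    ("1000", "192.168.40.190"),  # Figure 7: local subnet -> 200
    ("1001", "10.0.5.23"),
    ("1002", "203.0.113.9"),
    ("1999", "192.168.40.5"),    # extension does not exist
]

if __name__ == "__main__":
    for number, ip, status in audit_registrations(EXTENSIONS, ATTEMPTS):
        print(f"REGISTER ext {number} from {ip}: {status}")
```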
SRTP
SRTP is supported on the UCM to secure the RTP audio stream during a call. By default, it is disabled. To use it, configure it under the extension configuration dialog → “Media” tab when creating/editing an extension. If SRTP is enabled, the RTP data flow will be encrypted.
Figure 8: Enabling SRTP
As shown above, users have two options when enabling SRTP under the extension parameters: ▪...
TRUNK SECURITY
A potential risk for trunks is that unwanted users may gain the authority to make international or long-distance calls. This will result in unexpectedly high charges before the UCM administrator notices. Usually this high cost is due to improper configuration on the UCM. Therefore, administrators must be extremely cautious when configuring trunks that incur charges for certain calls, for example, PSTN trunks or SIP trunks with international call capability.
Please configure the privilege for the outbound rule high enough to restrict the extensions allowed to call external numbers via this trunk.
Source Caller ID Filter
Instead of using the privilege level, the UCM administrator could specify the extensions/extension groups that are allowed to use the outbound rule.
Figure 11: Password Protection
PIN Groups
In some cases multiple users share the same phone (for example, a phone in public mode with user login) and the shared phone can be used to make outbound calls. In this case the administrator can set the outbound rule protection mode to PIN Groups, where each user must enter his or her PIN code in order to be allowed to make outbound calls through trunks.
3. Save and apply. Then, on your outbound routes, you can select the created group; each time one of the PIN group members tries to make an outbound call, he/she will be asked to enter their PIN code as a security protection.
Figure 13: Outbound route with PIN group
IVR Dial Trunk
When creating/editing an IVR, the administrator can decide whether to allow calls entering the IVR to make outbound calls through trunks by configuring “Dial Trunk” and “Permission”. If the “Dial Trunk” option is enabled, a caller calling into the IVR will be able to dial external numbers through a trunk if the IVR's permission is higher than or equal to the privilege of the trunk.
Allow Guest Calls
The “Allow Guest Calls” option can be found on the web GUI → PBX Settings → SIP Settings → General page. It is highly recommended NOT to turn on this option for any deployment. Enabling “Allow Guest Calls” will stop the PBX from authenticating incoming calls from unknown or anonymous callers. In that case, hackers get the chance to send an INVITE to the UCM and the UCM will place the call without authentication.
UCM administrators may consider securing SIP packets sent across an untrusted network. Using TLS is one solution: it authenticates servers and clients, and then encrypts SIP messages between the authenticated parties. TLS can be configured under the UCM web GUI → PBX Settings → SIP Settings → TCP/TLS page.
Figure 15: PBX Settings → SIP Settings → TCP/TLS
1.
• TLS Self-Signed CA: This is used when the UCM acts as a client, to authenticate the server. If the server the UCM is connecting to uses a self-signed certificate, you should install that certificate here so the authenticity of the server's certificate can be verified. If the server uses a certificate signed by one of the larger CAs, you should install a copy of the server's CA certificate here.
FIREWALL
The firewall functionality provided by the UCM consists of Static Defense, Dynamic Defense and Fail2ban. Users can manually configure each of the three options to block certain malicious attacks.
Static Defense
It can be configured from the Web UI → System Settings → Security Settings → Static Defense page. One main purpose of static defense is applying pre-configured filtering rules.
Static Defense Example: Blocking TCP Connection from a Specific Host
This example demonstrates how to set up a new rule that blocks a host with a specific IP address from connecting to the UCM over TCP. In the following figure, 192.168.40.142 is the host IP address and 192.168.40.131 is the UCM's IP address.
Figure 18: Host blocked by UCM
Static Defense Example: Blocking SSH Connection to UCM
The UCM can be accessed via an SSH connection by default. SSH access provides device status information, reboot, reset and limited configuration capabilities. It is recommended to disable it once the UCM is deployed, for security purposes.
Figure 19: UCM SSH Access
Configuration steps:
1. On the UCM web UI → System Settings → Security Settings → Static Defense page, click on “Create New Rule”.
2. In the prompt window, configure the following parameters:
Rule Name: Configure a name to identify this rule.
Action: Reject.
Type: IN.
Figure 20: Block SSH Connection
3. Save and apply changes. SSH connections to the UCM will no longer be allowed from any host.
Figure 21: Putty Setup for SSH Connection
Figure 22: SSH Connection Blocked by UCM
Dynamic Defense
Dynamic defense is supported on the UCM6102/UCM6202/UCM6204/UCM6208 and UCM6510 when LAN mode is set to “Route”. It can be configured from the Web UI → System Settings → Security Settings → Dynamic Defense page. Once enabled, it will try to blacklist massive connection attempts or brute force attacks made by an individual host.
Figure 23: Fail2Ban Default Configuration
Enable Fail2Ban: Check it to enable Fail2Ban on the UCM.
Banned Duration: This specifies the amount of time the IP address will be blocked by the UCM. By default, it is set to 10 minutes (600 s).
Max Retry Duration: This specifies the amount of time within which one IP host can connect to the UCM.
Figure 24: Asterisk Service Fail2Ban setting
If Fail2Ban is enabled under “Global Settings”, the user must select “Asterisk Service” under “Local Settings” in order for it to take effect. Starting from firmware version 1.0.15.13, the UCM Fail2ban feature works on all types of ports (UDP, TCP and TLS). Users can then define the value for “MaxRetry”, which will override the "MaxRetry"...
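To make the interaction of the three Fail2Ban parameters concrete, the following added example (not Grandstream code, and not the UCM's actual Fail2ban implementation) runs the same sliding-window logic over a handful of constructed Asterisk-style log lines: failed registrations from one source are counted inside a window of “Max Retry Duration” seconds, the source is banned once the count reaches “MaxRetry”, and the ban lapses after “Banned Duration” seconds. The log lines, the source addresses and the MaxRetry value of 5 are constructed assumptions; the 600 s defaults for Banned Duration follow the manual, and the same value is assumed for Max Retry Duration.

```python
"""Fail2Ban-style detection over constructed Asterisk-style log lines.

Added example, not Grandstream's Fail2ban implementation. Log format and
addresses below are constructed; parameter names mirror the UCM settings
(MaxRetry, Max Retry Duration, Banned Duration). MaxRetry=5 is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches a chan_sip-style "Registration from ... failed for 'IP:PORT'" line.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] .*Registration from .* failed for '(?P<ip>[^:']+)(?::\d+)?'"
)


class Fail2BanSim:
    def __init__(self, max_retry=5, max_retry_duration=600, banned_duration=600):
        self.max_retry = max_retry
        self.window = timedelta(seconds=max_retry_duration)
        self.ban_time = timedelta(seconds=banned_duration)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> ban expiry time
        self.events = []                    # (ip, "ban" | "unban", timestamp)

    def _expire_bans(self, now):
        """Lift bans whose Banned Duration has elapsed as of `now`."""
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.events.append((ip, "unban", now))

    def feed(self, line):
        """Process one log line; return None, 'fail', 'ban' or 'already banned'."""
        m = LINE_RE.match(line)
        if not m:
            return None  # not an authentication failure; ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        self._expire_bans(ts)
        if ip in self.bans:
            return "already banned"
        q = self.failures[ip]
        q.append(ts)
        # Drop failures older than Max Retry Duration (sliding window).
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_retry:
            self.bans[ip] = ts + self.ban_time
            self.events.append((ip, "ban", ts))
            q.clear()
            return "ban"
        return "fail"


def run_fail2ban(log_text, **params):
    """Feed every line of log_text through a simulator; return (sim, per-line results)."""
    sim = Fail2BanSim(**params)
    results = [sim.feed(line) for line in log_text.splitlines() if line.strip()]
    return sim, results


def _fail(ts, ip):
    # Helper building one constructed failed-registration line.
    return (f"[{ts}] NOTICE[2047] chan_sip.c: Registration from "
            f"'\"1000\" <sip:1000@192.168.40.171>' failed for '{ip}:5060' - Wrong password")


# Constructed sample log: a burst from 203.0.113.5, one typo from a local phone,
# slow retries from 198.51.100.7 that never fill the window, and a success line.
SAMPLE_LOG = "\n".join([
    _fail("2024-01-10 10:00:01", "203.0.113.5"),
    _fail("2024-01-10 10:00:02", "203.0.113.5"),
    _fail("2024-01-10 10:00:03", "203.0.113.5"),
    _fail("2024-01-10 10:00:04", "203.0.113.5"),
    _fail("2024-01-10 10:00:05", "203.0.113.5"),   # 5th failure -> ban
    _fail("2024-01-10 10:00:06", "203.0.113.5"),   # already banned
    _fail("2024-01-10 10:01:00", "192.168.40.190"),
    _fail("2024-01-10 10:02:00", "198.51.100.7"),
    _fail("2024-01-10 10:14:00", "198.51.100.7"),  # >600 s later: window reset; ban on .5 lapses
    "[2024-01-10 10:15:00] VERBOSE[2047] chan_sip.c: Registered SIP '1000' at 192.168.40.190:5060",
    _fail("2024-01-10 10:26:00", "203.0.113.5"),   # back to a single counted failure
])

if __name__ == "__main__":
    sim, results = run_fail2ban(SAMPLE_LOG)
    for line, res in zip(SAMPLE_LOG.splitlines(), results):
        print(f"{res!s:>15}  {line[:60]}")
    for ip, kind, ts in sim.events:
        print(f"{kind:>5} {ip} at {ts}")
```

The ban is lifted lazily, when the next log line after the expiry time is processed, which is why the unban event in the sample carries the 10:14:00 timestamp rather than 10:10:05; a real daemon would run a timer instead.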
AMI
The Asterisk Manager Interface (AMI) is supported on the UCM with restricted access. The documentation can be found at the following link: http://www.grandstream.com/products/ucm_series/UCM/documents/UCM_ami_guide.pdf
Please do not enable AMI on the UCM if it is placed on a public or untrusted network unless you have taken steps to protect the device from unauthorized access.