1. Manuals
  2. Brands
  3. Snom Manuals
  4. Telephone System
  5. ONE IP
  6. Technical manual

Snom ONE IP Technical Manual page 93

Hide thumbs
Table of Contents

Advertisement

Chapter 2: System Settings
73
The motivation for the list is to provide the firewall type of functionality within the
system application and reduce the chance of unauthorized access to the system.
The access control is not limited to SIP only, but it also applies to all other protocols on
the system, including HTTP, TFTP, and SNMP. When the system acts as a client (for
example, when performing DNS requests), the rules do not apply. Using 0.0.0.0 in the
IP field specifies that everything will be accepted. In addition, if you are getting a lot of
requests from a particular source, the system will automatically add them to the access
control list and block them.
How the Access List Functions
When a packet reaches the system, the system checks the list of enabled and disabled
addresses for a match. If the request is ignored, the system discards the packet without
answering. When the system checks the list for matches, a match occurs if a "source
address" matches a "check address" with the mask. More specific addresses are checked
first, making it possible to define exceptions to the general rule. Also, the system checks
IPv4 and IPv6 addresses separately. If there is a match, the system checks for the type.
If the type is Allow, then the system accepts the packet. If the type is Block, then the
system blocks that request. If there is no match in the list, then the request is accepted.
If the list is empty, the access control is disabled. This is the default behavior after the
installation of the product.
For UDP-based requests, this is relatively easy—the request is just not answered. But
because the UDP port is open, there is no ICMP request sent to the origin, which
means if someone wants to attack the system, it might be possible for the attacker to
figure out that there is an open port. But since the system just discards these messages,
the damage is limited.
For TCP ports, the situation is more complicated. In Linux, there is no way for an
application to determine where a TCP connection is coming from until the connec-
tion is accepted. This is why the system first accepts the connection and then examines
whether the connection was allowed or not. If the connection was not allowed, then it
is turned down immediately. In Windows, there is a special system call that first checks
where the connection is coming from. If the source is not enabled, then the system does
not accept the connection. However, because the operating system has already answered
the TCP connection request with an acknowledge, in Windows it will be obvious that
an application is running on the ports.

Advertisement

Table of Contents
loading

Related Manuals for Snom ONE IP

Related Products for Snom ONE IP

Table of Contents