Internal Firewall - AudioCodes Mediant 1000 User Manual

14.5 Internal Firewall

The Mediant 1000 accommodates an internal access list facility, allowing the security
administrator to define network traffic filtering rules. The access list provides the following
features:
Block traffic from known malicious sources
Only allow traffic from known friendly sources, and block all others
Mix allowed and blocked network sources
Limit traffic to a predefined rate (blocking the excess)
Limit traffic to specific protocols, and specific port ranges on the device
The access list consists of a table with up to 50 ordered lines. For each packet received on
the network interface, the table is scanned from the top until a matching rule is found (or
the table end is reached). This rule can either block the packet or allow it; however it is
important to note that subsequent rules aren't scanned. If the table end is reached without
a match, the packet is accepted.
Each rule is composed of the following fields (described in Table 5-35 on page 174):
IP address (or DNS name) of source network
IP network mask
Destination UDP/TCP ports (on this device)
Protocol type
Maximum packet size, byte rate per second, and allowed data burst
Action upon match (allow or block)
Figure 14-15 shows an example of an access list definition via ini file:
Figure 14-15: Example of an Access List Definition via ini File
[ ACCESSLIST ]
FORMAT AccessList_Index = AccessList_Source_IP, AccessList_Net_Mask,
AccessList_Start_Port, AccessList_End_Port, AccessList_Protocol,
AccessList_Packet_Size, AccessList_Byte_Rate, AccessList_Byte_Burst,
AccessList_Allow_Type;
AccessList 10 = mgmt.customer.com, 255.255.255.255, 0, 80, tcp, 0, 0, 0, allow ;
AccessList 15 = 192.0.0.0, 255.0.0.0, 0, 65535, any, 0, 40000, 50000, block ;
AccessList 20 = 10.31.4.0, 255.255.255.0, 4000, 9000, any, 0, 0, 0, block ;
AccessList 22 = 10.4.0.0, 255.255.0.0, 4000, 9000, any, 0, 0, 0, block ;
[ \ACCESSLIST ]
Explanation of the example access list:
Rule #10: traffic from the host 'mgmt.customer.com' destined to TCP ports 0 to 80 is
always allowed.
Rule #15: traffic from the 192.xxx.yyy.zzz subnet is limited to a rate of 40 Kbytes per
second (with an allowed burst of 50 Kbytes). Note that the rate is specified in bytes,
not bits, per second; a rate of 40000 bytes per second nominally corresponds to 320
kbps.
Rule #20: traffic from the subnet 10.31.4.xxx destined to ports 4000 to 9000 is always
blocked, regardless of protocol.
Rule #22: traffic from the subnet 10.4.xxx.yyy destined to ports 4000 to 9000 is always
blocked, regardless of protocol.
All other traffic is allowed.
More complex rules may be defined, relying on the 'single-match' process described
above:

SIP User's Manual    360    Mediant 1000    Document #: LTRT-83301
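To make the single-match semantics concrete, the following added example (not AudioCodes code) parses the ini rules from Figure 14-15 and evaluates packets against them top-down, stopping at the first match and accepting anything that reaches the table end. The rate/burst fields are modelled as a token bucket and 'mgmt.customer.com' is resolved through a constructed lookup table; both are assumptions, not behaviour the manual specifies.

```python
# Added example: simulate the Mediant 1000 access list's first-match scan
# over the manual's own ini rules. Token-bucket rate limiting and the DNS
# mapping below are assumptions made for the simulation.
import ipaddress
import re

INI = """
AccessList 10 = mgmt.customer.com, 255.255.255.255, 0, 80, tcp, 0, 0, 0, allow ;
AccessList 15 = 192.0.0.0, 255.0.0.0, 0, 65535, any, 0, 40000, 50000, block ;
AccessList 20 = 10.31.4.0, 255.255.255.0, 4000, 9000, any, 0, 0, 0, block ;
AccessList 22 = 10.4.0.0, 255.255.0.0, 4000, 9000, any, 0, 0, 0, block ;
"""
# Constructed resolution for the hostname in rule 10 (hypothetical address).
DNS = {"mgmt.customer.com": "203.0.113.5"}
RULE_RE = re.compile(r"AccessList\s+(\d+)\s*=\s*(.*?)\s*;")

def parse(ini):
    """Turn AccessList lines into rule dicts, ordered by index (scan order)."""
    rules = []
    for idx, body in RULE_RE.findall(ini):
        src, mask, p0, p1, proto, size, rate, burst, act = [f.strip() for f in body.split(",")]
        net = ipaddress.ip_network(f"{DNS.get(src, src)}/{mask}", strict=False)
        rules.append(dict(idx=int(idx), net=net, ports=(int(p0), int(p1)), proto=proto,
                          size=int(size), rate=int(rate), burst=int(burst), action=act,
                          tokens=float(burst)))  # bucket starts full (assumption)
    return sorted(rules, key=lambda r: r["idx"])

def decide(rules, src_ip, dport, proto, length, dt=0.0):
    """Return (action, matching rule index or None) for one received packet.
    dt = seconds elapsed since the previous packet, used to refill the bucket."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip not in r["net"] or not (r["ports"][0] <= dport <= r["ports"][1]):
            continue
        if r["proto"] != "any" and r["proto"] != proto:
            continue
        if r["size"] and length > r["size"]:      # 0 = no size limit (assumption)
            continue
        if r["rate"]:
            # Traffic within the rate/burst budget passes; only the excess is acted on.
            r["tokens"] = min(r["burst"], r["tokens"] + r["rate"] * dt)
            if r["tokens"] >= length:
                r["tokens"] -= length
                return "allow", r["idx"]
        return r["action"], r["idx"]  # first match decides; later rules are not scanned
    return "allow", None              # table end reached without a match: accepted
```

Because the default at table end is accept, a deny-by-default policy needs an explicit final catch-all block rule (for example 0.0.0.0 with mask 0.0.0.0, ports 0 to 65535, protocol any).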