Grandstream Networks UCM6100 Manual
Grandstream Networks, Inc.
UCM6100 Security Manual
Summary of Contents for Grandstream Networks UCM6100

  • Page 1 Grandstream Networks, Inc. UCM6100 Security Manual...
  • Page 2: Table Of Contents

    TLS: 14; FIREWALL: 16; STATIC DEFENSE: 16; STATIC DEFENSE EXAMPLE: BLOCKING TCP CONNECTION FROM A SPECIFIC HOST: 17; STATIC DEFENSE EXAMPLE: BLOCKING SSH CONNECTION TO UCM6100: 18; DYNAMIC DEFENSE: 20; FAIL2BAN: 20; AMI: 23...
  • Page 3 Reproduction or transmittal of the entire or any part, in any form or by any means, electronic or print, for any purpose without the express written permission of Grandstream Networks, Inc. is not permitted. UCM6100 Security Manual Page 2 of 23...
  • Page 4: Overview

    OVERVIEW This document presents a summary of security concerns on the UCM6100. It covers the security risks and related configurations that users need to consider when deploying the UCM6100. The following sections are covered in this document: Web UI access: the web UI is secured by a user login and a login timeout mechanism.
  • Page 5: Web UI Access

    Microsoft IE, Mozilla Firefox, Google Chrome, etc. This is the most important tool for configuring all the settings on the UCM6100. It’s also the immediate interface for the administrator to access configurations, user status and all the system... Therefore, it’s crucial to understand that directly placing the UCM6100 on a public network could...
  • Page 6: Login Timeout

    LOGIN TIMEOUT An authenticated user of the UCM6100 web UI may log in to the system and then leave the active session on a terminal unattended without intentionally logging off from the system. An adversary with access to the terminal could then have access to the UCM6100, meaning all the configuration and status information could be exposed and changed, intentionally or unintentionally.
  • Page 7 Settings->User Management->Operation Log A “Super Admin” user with username “admin” is innately configured in the UCM6100 at the factory setting. It is the only allowed “Super Admin” account and cannot be deleted or changed. This super administrator can create, edit and delete new user accounts with the lower privilege level “Admin”.
  • Page 8: Extension Security

    “Local Subnet Only”: allows register requests from local IPs only. By default the local subnet where the UCM6100 is located is allowed. Users can also add more local subnets where devices are allowed to register to this extension. ...
  • Page 9: Figure 2: Strategy - Local Subnet Only

    Figure 2: Strategy – Local Subnet Only 3. Save and Apply changes. Now if the SIP end device is in a subnet other than 192.168.40.x, e.g., the 172.18.31.x subnet, the UCM6100 will not allow registration using this extension. The following figure shows the SIP device with IP address 172.18.31.17.
  • Page 10: Figure 3: Registration Failed From Subnet Not Allowed For Registration

    Figure 3: Registration Failed From Subnet Not Allowed For Registration Once this device is moved to the 192.168.40.x subnet, registration will be successful. The following figure shows the IP address of the same SIP end device as 192.168.40.190. The UCM6100 at IP address 192.168.40.171 replies 200 OK to the registration request.
  • Page 11: SRTP

    SRTP SRTP is supported on the UCM6100 to secure RTP during the call. By default it’s disabled. To use it, please configure it under the extension configuration dialog->“Media” tab when creating/editing an extension. If SRTP is enabled, the RTP data flow will be encrypted.
  • Page 12: Trunk Security

    PSTN trunks or SIP trunks with international call capability. OUTBOUND RULE PERMISSIONS Two methods are supported on the UCM6100 to control outbound rule permissions, and users can apply one of them to the outbound rule: 1. Privilege Level; 2. ...
  • Page 13: Source Caller ID Filter

    SOURCE CALLER ID FILTER Instead of using the privilege level, the UCM6100 administrator can specify the extensions/extension groups that are allowed to use the outbound rule. This can be done by selecting extensions/extension groups or by defining a pattern for the source caller ID in “Custom Dynamic Route”...
  • Page 14: Allow Guest Calls

    NOT to turn on this option for any deployment. Enabling “Allow Guest Calls” will stop the PBX from authenticating incoming calls from unknown or anonymous callers. In that case, attackers get the chance to send an INVITE to the UCM6100, and the UCM6100 will place the call without authentication. This can result in high toll charges.
  • Page 15: TLS

    TLS Self-Signed CA This is used when the UCM6100 acts as a client, to authenticate the server. If the server the UCM6100 is connecting to uses a self-signed certificate, you should have their certificate installed...
  • Page 16 TLS Do Not Verify This is effective when the UCM6100 acts as a client. If set to “Yes”, the server’s certificate (sent to the client during the TLS handshake) won’t be verified. Consider the case where two UCM6100s are peered: since the default certificate built into the UCM6100 at the factory has a “common name” equal to “localhost”...
  • Page 17: Firewall

    2. SYN-Flood Defense Once enabled, the UCM6100 can respond to the SYN flood denial-of-service (DoS) attack. 3. Ping-of-Death Defense Once enabled, the UCM6100 can respond to ping packets greater than 65,536 bytes. ...
  • Page 18: Static Defense Example: Blocking TCP Connection From A Specific Host

    Figure 9: Firewall Rule Custom Configuration Figure 10: Static Defense Blocking Host 192.168.40.142 Using TCP Connection After saving and applying the change, host 192.168.40.142 will no longer be able to access the UCM6100 web UI. ...
  • Page 19: Static Defense Example: Blocking SSH Connection To UCM6100

    Figure 11: Host blocked by UCM6100 STATIC DEFENSE EXAMPLE: BLOCKING SSH CONNECTION TO UCM6100 The UCM6100 can be accessed via an SSH connection by default. The SSH access provides device status information, reboot, reset and limited configuration capabilities. It is recommended to disable it once the UCM6100 is deployed, for security purposes.
  • Page 20: Figure 13: Block SSH Connection

    Service: SSH. Figure 13: Block SSH Connection 3. Save and apply changes. Now SSH connections to the UCM6100 will no longer be allowed from any host. Figure 14: PuTTY Setup for SSH Connection ...
  • Page 21: Dynamic Defense

    If a host initiates attempts that exceed the maximum number of retries, it will be banned by the UCM6100 for a certain amount of time. Users can also add a whitelist of hosts that will not be punished by this defensive mechanism.
  • Page 22: Figure 16: Fail2Ban Default Configuration

    10 mins (600s). Max Retry Duration: This specifies the time window in which one IP host can connect to the UCM6100. If in this period the host's connections exceed the maximum connection limit, it will be banned for the “Banned Duration”.
  • Page 23: Figure 17: Asterisk Service Fail2Ban Setting

    “MaxRetry”, which will override the “MaxRetry” value under “Global Settings”. “Max Retry” specifies the number of authentication failures during the “Max Retry Duration” before the host is banned; the default value is 5. ...
  • Page 24: AMI

    Please do not enable AMI on the UCM6100 if it is placed on a public or untrusted network unless you have taken steps to protect the device from unauthorized access. It is crucial to understand that AMI access can allow an AMI user to originate calls, and that the data exchanged via AMI is often very sensitive and private for your UCM6100 system.