
STM User Manual www.allo.com Version 1.0 1


Contents

1. 8 Glossary

Term: Definition
DoS (Denial of Service): DoS attacks are an attempt to make a machine or network resource unavailable to its intended users.
DDoS (Distributed Denial of Service): DDoS is a type of DoS attack where multiple compromised systems, which are usually infected with a Trojan, are used to target a single system, causing a Denial of Service (DoS) attack.
RTP (Real-time Transport Protocol): RTP defines a standardized packet format for delivering audio and video over IP networks.
RTCP (Real-time Transport Control Protocol): The RTP Control Protocol (RTCP) is a sister protocol of the Real-time Transport Protocol (RTP). Its basic functionality and packet structure is defined in RFC 3550. RTCP provides out-of-band statistics and control information for an RTP session.
BPS (Bits Per Second): Abbreviated bps or bit/sec, it is a common measure of data speed for computer modems and transmission carriers.
SSH (Secure SHell): It's a UNIX-based command interface and protocol for securely getting access to a remote computer.
DSCP (Differentiated Services Code Point): DSCP is a field in an IP packet that enables different levels of service to be assigned to network traffic. This is achieved by marking each packet on the network with a DSCP code and appropriating to it the corresponding level of service.
QoS (Quality of Service): QoS is the idea that transmission rates, error rates, and other characteristics can be measured, improved, and to
2. LED 4: Alert Status; LED 3: DPI Status; LED 2: Interface Status; LED 1: System Status; Power Indicator LED. Figure 1: Front Panel LED Notifications

The STM package includes:
> 1 STM Appliance
> 1 USB Power Adapter
> 1 Serial Console Cable
> 2 Ethernet Cables

1.1.2 STM Rear View
LAN Port, Reset Button, WAN Port, USB Power Plug, USB Storage Plug, Console Port. Figure 2: STM Rear View

1.1.3 STM Deployment Considerations
The STM has been made to protect SIP-based PBX/Gateway servers against SIP-based network threats and anomalies. Thus it is recommended to deploy the STM along with the PBX/Gateway deployment as given in the following scenarios, based on what is applicable in the user's setup.

Deployment Scenario 1: Public Cloud, SIP PBX/Gateway, STM Appliance. Figure 3: Scenario 1

Note: Some of the PBX/Gateway devices may have an exclusive LAN/Mgmt interface for device management purposes other than the Data Interface (also referred to as the WAN/Public Interface). In such cases the LAN port of the STM should be connected to the Data Interface (WAN/Public Interface).

Deployment Scenario 2: In the case of an IP PBX deployed in the LAN setup, the following setup is recommended as it would help to protect against the threats from both the internal network as well as the threats from the
3. Max_content_len: Max_content_len specifies the maximum content length of the message body. The default is set to 1024. The allowed range for this option is 1-65535.

SIP Ports Configuration
SIP Transport: User can select the SIP transport type, either TCP or UDP or any, which is related to SIP communication, from the GUI.
SIP Ports: User can configure SIP ports which are related to the SIP communication from the GUI, e.g. 5060, 5061, 5070.
SIP Methods: User can select options from the SIP method lists.

SIP Media Ports Configuration
It allows users to configure the SIP media port configuration. It is used to store and deliver information or data over a communication medium. Media may be TCP-based or UDP-based communications. STM media settings allow the user to choose the communication medium of the SIP traffic. It supports TCP, UDP, or both as communication media for SIP communications. Media ports allow the user to configure media ports like 1024-65535.

SIP Media Ports Configuration
SIP Transport: It allows the user to select the type of media transport, e.g. TCP, UDP, or any.
SIP Ports: User can specify a value for SIP ports, e.g. 5060, 5061.
Media Transport: It allows the user to select the type of media transport, e.g. TCP, UDP, or any.
Media Ports: User can configure SIP media ports which are related to SIP communication media, e.g. 1024-65535.

4.3 Call Blocker Rules
Navigate through
4. 5 Status
5.1 Security Alerts
Navigate through Status > Security Alerts. The status alerts page shows the list of alerts pertaining to the SIP attacks detected by the STM deep packet inspection engine at any instant. The administrator can choose to set the log viewer page refresh interval in this page. It also allows configuring the device to send email notification summaries about the security alerts generated by the device. The option to download the security alerts shown in this page in CSV format is available on the page.

Figure 31: Security Alerts (the page shows the Refresh Interval, Refresh, Download Logs and E-mail Server Settings controls, and a searchable table of alerts such as "Sip Anomaly Attacks" from 192.168.0.177:5061 to 192.168.0.47:5060 over UDP with the action Blacklist)

Note: Security alerts are not persisted permanently on the device. The logging buffer location will be flushed at the predefined interval (not configurable) once the logging threshold criteria are met. However, if the administrator wants to persist the alerts, i
5. SIP Threat Manager User Manual

Copyright
Copyright 2014 Allo.com. All rights reserved. No part of this publication may be copied, distributed, transmitted, transcribed, stored in a retrieval system, or translated into any human or computer language without the prior written permission of http://www.allo.com. This document has been prepared for use by professional and properly trained personnel, and the customer assumes full responsibility when using it.

Proprietary Rights
The information in this document is confidential to Allo.com and is legally privileged. The information and this document are intended solely for the addressee. Use of this document by anyone else for any other purpose is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of this information is prohibited and unlawful.

Disclaimer
Information in this document is subject to change without notice and should not be construed as a commitment on the part of http://www.allo.com, which does not assume any responsibility or make any warranty against errors that may appear in this document, and disclaims any implied warranty of merchantability or fitness for a particular purpose.

About this manual
This manual describes the Allo product application and explains how to work with it and use its major features. It serves as a means
6. Phone Extension Prefix: User can block the SIP communication by specifying a prefix of phone extensions, e.g. 0.
IP Address: User can block the SIP communication which is coming from the IP configured in the GUI, e.g. 192.168.0.58.
User Agent: Each phone has its own unique user agent. The user can block the SIP communication by configuring the user agent in the GUI, e.g. eyeBeam release 1003s stamp 31159.
Value: User can specify the value of the Call Blocker type, like IP address, phone number, user agent, etc., e.g. Phone number 9988776655, IP Address 192.168.0.58.
Comments: User can specify the comments, up to 64 chars in length (optional).

Figure 21: Call Blocker Rules Result (the table lists each rule by name with its Call Blocker Type and value, e.g. IP_ADDRESS 192.168.100.1, USER_AGENT, PHONE_NUMBER 9008365683, PHONE_EXTENSION 50001, PHONE_EXTENSION_PREFIX and PHONE_NUMBER_PREFIX entries, with Add New and Delete Selected buttons)

4.4 Firewall Rules
Navigate through Security Settings > Firewall Rules. The firewall rules configuration will allow the administrator to configure what traffic should be allowed, in order to protect the SIP PBX/Gateway network from an untrusted WAN zone, besides the DPI-enabled SIP traffic and RTP traffic. The administrator needs to specify the source and destination networks and port
7. Verify the IP address set on the STM from the dashboard page. Once the user assigns the STM device IP address successfully, he can access the device using that IP address from then on. Now he can disconnect the PC and connect the LAN port to the PBX/PBX network that needs to be protected.

Note: The WebUI has been made accessible only via HTTPS. The recommended browser for accessing the STM WebUI is Mozilla Firefox.

Note: The UI allows the administrator to configure the management Vlan IP addresses. In case the user has changed the management Vlan IP address, he needs to assign the corresponding network address to his PC for the management access subsequently.

On launching the STM WebUI, the web application will prompt to enter the administrator credentials to login.

3. Alternatively the user can access the device via the static IP 10.0.0.1 and configure the network settings during first-time installation. Connect a PC to the LAN port of the STM and assign the IP address 10.0.0.100/255.255.255.0 to the PC. Now you can access the device from the browser using the URL https://<10.0.0.1>.

If the device is not accessible after configuring the new network configuration, try rebooting the device and check the device dashboard by accessing it via the Management Vlan.

Figure 6: Login Page (SIP Threat Management)

The WebUI login session has been made to tim
8. Allow ICMP: It allows the user to either enable or disable ICMP.
Management Vlan Addr/Mask: It specifies the management Vlan IP address and netmask of the STM device.

Note: The UI connectivity may be lost after changing the device IP. Please login with the new IP address again.

3.2 Time Settings
Navigate through Device > Time Settings. The administrator can choose to set the manual time settings on the device or configure the device to sync the time settings from an NTP server. Appropriate time settings and time zone should be set on the device for the correct timestamp to appear on the SIP security alerts generated by the device.

Figure 13: Date/Time Settings (the Date/Time Settings form with the Configuration Type, Date/Time, Time Zone and NTP Server fields)

Configuration Type: User can configure either Manual or NTP from the drop-down list.
Date/Time: User can configure Date/Time in the format hh:mm D/MM/YYYY.
Time Zone: User can select time zones from the drop-down list.
NTP Server: Enter the NTP server name to synchronize the time of a computer or server, e.g. 3.in.pool.ntp.org.

3.3 Management Access
Navigate through Device > Management Access. Access to the STM device management (SSH CLI, WebUI access) can be restricted with the management
9. Security Settings > Call Blocker Rules. A user can block calls statically by making use of the Call Blocker Rules feature in STM. This feature will block the calls by various viable options such as Phone number, Phone number prefix, Phone Extension, Phone Extension Prefix, IP address and User Agent. It allows you to configure multiple rules to block different calls. It displays the Call Blocker Rules along with Name, Call Blocker Type, Value, Comments, Enabled and Options.

Figure 20: Create Call Blocker Rule (Name: ALLO Phone; Enabled; Call Blocker Type: PHONE_NUMBER; Value: 9988776655; Comments: Blocking the communication that is coming from phone number)

Name: Specify the name for the Call Blocker Rule for the user's reference. The user can choose any name to recognize the Call Blocker Rules.
Call Blocker Type: User can select the appropriate Call Blocker type from the drop-down list. It allows the user to block the calls that are reaching the PBX system, i.e. the one protected by the STM. E.g.:
1. Phone number: User can block the SIP communication which is originated from any phone number, e.g. 9988776655.
Phone number prefix: User can block the SIP communication which is originated from any phone number by specifying phone number prefixes, e.g. 0 or 91.
Phone Extension: User can block the SIP communication by specifying phone extensions, e.g. 100, 101, 3004
10. User Manual Contents
Table of Contents
About this manual ... 3
Document Conventions ... 3
Support Information ... 3
1 Introduction ... 6
1.1 Overview ... 6
1.1.1 Notification LEDs On the Front Panel of the STM ... 8
1.1.2 STM Rear View ... 9
1.1.3 STM Deployment Considerations ... 9
2 Initial Setup & Configuration ... 12
2.1 Default Configuration ... 12
2.2 Accessing the WebUI ... 13
2.3 WebUI Session Timeout ... 15
2.4 (title unreadable in the extraction) ... 15
2.5 (title unreadable in the extraction) ... 16
3 Device Configuration ... 18
3.1 General Settings ... 19
3.2 Time Settings ... 21
3.3 Management Access ... 21
3.4 Signature Update ... 23
3.5
11. from that same extension. His goal is to crash the PBX, resulting in disrupted communication. The SBC can block, log or blacklist the IP for a period of time if it exceeds the authorized number of trials per second.

This kind of attack refers to the use of some kind of automated tool like SIPp to generate a false script where some of the most important fields of the SIP headers and body can be modified in terms of their length, like the From header length, To header length and Contact length. It can also be useful in handling the correct use of Maximum Dialogs within a session, SIP Ports and their Protocol.

The SIP deep packet inspection engine running on the STM appliance has been made to inspect the SIP traffic against the SIP Security Compliance rules built into the SIP DPI engine. Anomalies in the SIP message headers can result in various erroneous conditions, SIP parser failures & malformed packets, which will leave SIP applications vulnerable to attacks. The default parameters will be used by the SIP deep packet engine for identifying the different protocol anomaly conditions and taking the action configured by the administrator.

(Screenshot residue: the SIP Attacks Detection table with parameter columns such as Attempts, Duration and No. of Anonymous Invite Responses, and rows for SIP DoS Attacks, SIP DDoS Attacks and SIP Cross-site scripting Attacks)

Configuring inappropriate values for these parameters can resu
12. via DHCP. The page also allows enabling/disabling SSH access to the device. The Allow ICMP option configures whether the device responds to the ICMP ping messages sent to the STM appliance or not. By default, SSH access and ICMP ping messages are allowed to the STM appliance.

Figure 12: General Settings (the form shows Host Name: sip_secure; IP Configuration: Static; IP Addr/Mask: 192.168.0.232/255.255.255.0; Gateway: 192.168.0.254; Dns Server: 192.168.0.5; Enable SSH; SSH Port: 22; Allow ICMP; Mgmt Vlan Addr/Mask: 192.168.100.1/255.255.255.0; Save and Cancel buttons)

Note: The UI connectivity may be lost after changing the device IP. Please login with the new IP address again. Refer to the user manual > General Settings.

Host Name: It allows the user to specify the host name in general settings.
IP Configuration: User can configure the IP to be static or DHCP.
IP Addr/Mask: It specifies the IP address and netmask of the STM.
Gateway: It specifies the gateway IP of the STM device, e.g. 10.0.0.254 or 10.0.0.1.
Dns Server: It helps with domain name resolution and stores the DNS records for a domain name, e.g. 10.0.0.5.
Enable SSH: It allows the user to either enable or disable the SSH port.
SSH Port: User can specify a particular range of SSH port numbers.
Allow ICMP
13. Figure 15: Management Access Results (the table lists the rules AllAccess, IP Type ANY, "Default rule that al..." and MgmtVlanAccess, IP_NETWORK 192.168.100.0/24, "Access from Mgmt Vlan", with Add New and Delete Selected buttons)

3.4 Signature Update
Navigate through Device > Signature Update. To enable the automatic signature update, select the Enable Update checkbox on the device and configure the signature update schedule. A valid subscription key and the correct signature update URL should be configured for the signature update to happen. To update the signatures on the device instantaneously, click the Update Signatures Now button.

Figure 16: Signature Update (Signature Update Settings: Enable Update; Time Schedule 2:00 am, Daily/Sunday; Apply, Cancel and Update Signatures Now buttons)

Enable Update: It allows the user to either enable or disable Signature Update.
Time Schedule: It schedules the signature update at the time configured in the UI.

When the user buys the STM appliance, the device will be shipped with the SIP signatures that will help in protecting against the SIP-based attacks known as of that date. However, if the user wants to ensure their SIP deployments get protection against the newest attack vectors, it is recommended to enable the signature update on the device. Pl
14. ID header field in a SIP message acts as a unique identifier that relates to a sequence of messages exchanged between the SIP client and server. Max_call_id_len specifies the maximum Call-ID field size. The default is set to 256. The allowed range for this option is 1-65535.
Max_requestName_len: Max_requestName_len specifies the maximum request name size that is part of the CSeq ID. The default is set to 20. The allowed range for this option is 1-65535.
Max_from_len: The From header field indicates the identity of the initiator of the SIP request. Max_from_len specifies the maximum From field size. The allowed range for this option is 1-65535.
Max_to_len: The To header field specifies the desired recipient of the SIP request. Max_to_len specifies the maximum To field size. The default is set to 256. The allowed range for this option is 1-65535.
Max_via_len: The Via header field indicates the transport used for the SIP transaction & identifies the location where the SIP response is to be sent. Max_via_len specifies the maximum Via field size. The default is set to 1024. The allowed range for this option is 1-65535.
Max_contact_len: The Contact header is the identifier used to contact that specific instance of the SIP client/server for subsequent requests. Max_contact_len specifies the maximum Contact field size. The default is set to 256. The allowed range for this option is 1-65535.
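As an added example (not Allo's code) of how the Max_*_len parameters described above and under SIP Protocol Compliance Settings apply to an actual SIP request, the following Python checker parses a raw request and reports every field that exceeds the configured size, using the defaults stated in the text; Max_from_len has no default in the text, so 256 (the value visible in the Figure 19 screenshot) is assumed, and the sample requests are constructed for the example.

```python
# Added example, not Allo's code: apply the STM's SIP Protocol Compliance
# limits to a raw SIP request. Defaults are the ones quoted in the manual
# text; max_from_len is an assumption (text gives no default, Figure 19 shows 256).
DEFAULT_LIMITS = {
    "max_uri_len": 256,          # Request-URI
    "max_call_id_len": 256,      # Call-ID header
    "max_requestName_len": 20,   # method token inside CSeq
    "max_from_len": 256,         # assumption, see above
    "max_to_len": 256,
    "max_via_len": 1024,
    "max_contact_len": 256,
    "max_content_len": 1024,     # message body
}

# The 14 methods the manual says the SIP DPI engine can identify.
KNOWN_METHODS = frozenset(
    "INVITE CANCEL ACK BYE REGISTER OPTIONS REFER SUBSCRIBE UPDATE "
    "JOIN INFO MESSAGE NOTIFY PRACK".split())

# Header name (long and RFC 3261 compact form, lower-cased) -> limit key.
HEADER_LIMITS = {
    "call-id": "max_call_id_len", "i": "max_call_id_len",
    "from": "max_from_len", "f": "max_from_len",
    "to": "max_to_len", "t": "max_to_len",
    "via": "max_via_len", "v": "max_via_len",
    "contact": "max_contact_len", "m": "max_contact_len",
}


def parse_sip_request(raw: bytes):
    """Split a SIP request into (method, request_uri, headers, body).

    headers is a list of (lower-cased name, value) pairs in wire order;
    folded continuation lines are joined onto the preceding header.
    Raises ValueError when the message does not look like a SIP request.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError("start line is not a SIP request line")
    method, uri = parts[0], parts[1]
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:      # folded header line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return method, uri, headers, body


def check_compliance(raw: bytes, limits=None, methods=KNOWN_METHODS):
    """Return a list of anomaly descriptions; empty means within every limit."""
    limits = {**DEFAULT_LIMITS, **(limits or {})}
    try:
        method, uri, headers, body = parse_sip_request(raw)
    except ValueError as exc:
        return [f"parser failure: {exc}"]
    anomalies = []
    if method.upper() not in methods:
        anomalies.append(f"unknown method {method!r}")
    if len(uri) > limits["max_uri_len"]:
        anomalies.append(f"request-uri length {len(uri)} > max_uri_len")
    for name, value in headers:
        key = HEADER_LIMITS.get(name)
        if key and len(value) > limits[key]:
            anomalies.append(f"{name} header length {len(value)} > {key}")
        if name == "cseq":                           # "CSeq: <number> <method>"
            fields = value.split()
            if len(fields) != 2 or not fields[0].isdigit():
                anomalies.append(f"malformed CSeq {value!r}")
            elif len(fields[1]) > limits["max_requestName_len"]:
                anomalies.append(f"CSeq request name length {len(fields[1])} > max_requestName_len")
    if len(body) > limits["max_content_len"]:
        anomalies.append(f"body length {len(body)} > max_content_len")
    declared = next((v for n, v in headers if n in ("content-length", "l")), None)
    if declared is not None and (not declared.isdigit() or int(declared) != len(body)):
        anomalies.append(f"Content-Length {declared!r} does not match body of {len(body)} bytes")
    return anomalies


def _request(from_value: str, cseq: str = "1 REGISTER", body: bytes = b"") -> bytes:
    """Build a constructed REGISTER request (sample data for this example)."""
    head = ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-example\r\n"
            f"From: {from_value}\r\nTo: <sip:1001@pbx.example.com>\r\n"
            "Call-ID: example-call-id@192.0.2.10\r\n"
            f"CSeq: {cseq}\r\nContact: <sip:1001@192.0.2.10:5060>\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


NORMAL_REQUEST = _request("<sip:1001@pbx.example.com>;tag=abc")
# Constructed anomaly: a From header far beyond the 256-byte default.
OVERLONG_FROM_REQUEST = _request('"' + "A" * 300 + '" <sip:1001@pbx.example.com>;tag=abc')
# Constructed anomaly: the CSeq request name exceeds Max_requestName_len (20).
LONG_CSEQ_REQUEST = _request("<sip:1001@pbx.example.com>;tag=abc", cseq="1 " + "X" * 25)
```

Passing `limits={"max_via_len": 10}` or another override to `check_compliance` shows how tightening a single parameter below its default turns ordinary traffic into anomalies, which is the risk the text warns about.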
15. Public Cloud that penetrated the non-SIP-aware corporate firewall.

Figure 4: Scenario 2 (SIP PBX/Gateway behind the Corporate Firewall, with the STM in between)

Deployment Scenario 3: In the case of multiple IP PBX/VoIP Gateways deployed in the LAN setup, the following setup is recommended as it would help to protect against the threats from both the internal network as well as the threats from the Public Cloud that penetrated the non-SIP-aware corporate firewall.

Figure 5: Scenario 3 (PBX 1, PBX 2, PBX 3 and the ALLO STM connected through a Switch/Hub, behind the Corporate Firewall towards the Corporate Cloud)

2 Initial Setup & Configuration
1. Unpack the items from the box.
2. Check that you have all the items listed in the package content.
3. Connect the WAN port of the STM to the untrusted public network.
4. Connect the LAN port of the STM to the PBX/VoIP Gateway.
5. Connect the appliance to the power socket using the USB power cable.
6. The device will take about a minute to boot up & will be fully functional with the default configuration.

Note: Some of the PBX/Gateway devices may have an exclusive LAN/Mgmt interface for device management purposes other than the Data Interface (also referred to as the WAN/Public Interface). In such cases the LAN port of the STM should be connected to the Data Interface (WAN/Public Interfa
16. 6 Tools
6.1 Administration
Navigate through Tools > Administration. The Administration user interface page provides the option for running a factory reset on the device, restarting the device (device reboot), device shutdown & configuration backup/restore. Running a factory reset on the device requires a reboot, thus the administrator will be redirected to a wait notification page on clicking the factory reset button and will be prompted to login once the device comes up with the default configuration. The STM appliances support taking a configuration backup and restoring the configuration later.

Figure 33: Administration (the page offers Restart STM Services, Shutdown, Config Backup, and Config Restore (Requires Reboot) with a configuration file selector)

The configuration backup will contain the last persisted configuration; if there are any transient changes that are yet to be applied while taking the backup, those configuration changes will not be included in the configuration backup archive.

6.2 Diagnostics
Navigate through Tools > Diagnostics. The diagnostics page will allow the administrator to gather the troubleshooting logs which wi
17. Spam & War Dialing

Attack response includes the option for quietly dropping malicious SIP packets to help prevent continued attacks.
• Dynamic Blacklist Update service for VoIP/SIP PBX/Gateway threats
• Configurability of Blacklist/Whitelist/Firewall rules
• Support for Geo-Location based blocking
• Provides the option to secure against PBX application vulnerabilities
• Operates as a Layer 2 device, thus transparent to the existing IP infrastructure; no changes are required to add the device to your existing network
• Web/SSL based device management access, which will allow managing the device from anywhere in the Cloud
• Ability to restrict the device management access to a specific IP network
• Provides a system status/security events logging option to a remote Syslog server
• Provides SIP throughput up to 10 Mbps
• Support for signature update subscription and an automated signature update mechanism
• The device has been made to operate with the default configuration by just powering on the device. No administrator intervention is required to operate the device with the default configuration
• USB-based power supply
• Optional support for security events logging on USB-based storage

Technical Specifications
1.1.1 Notification LEDs On the Front Panel of the STM
STATUS 1 2 3 4, Power ON/OFF Button
18. Action: User can select the action, either block or allow, from the drop-down.

Figure 23: Firewall Rules (the default rules Dhcp Access, Dns Access, ICMP Access, NTP Access, SSH Access, Telnet Access and Web Access, each with source and destination ANY, a protocol/port such as icmp, 67 or 53, and the action Allow; Add New and Delete Selected buttons)

4.5 Firewall Settings
Navigate through Security Settings > Firewall Settings. Firewall Settings allow the user to configure TCP Flood Rate, TCP Flood Burst, UDP Flood Rate and UDP Flood Burst in the global firewall settings.

Figure 24: Firewall Settings (Global Settings: TCP Syn Flood Rate 1024, TCP Syn Flood Burst 128, TCP Flood Rate 4096, TCP Flood Burst 96, UDP Flood Rate 8192, UDP Flood Burst 198, ICMP Flood Rate 128, ICMP Flood Burst 64; Save and Cancel buttons)
19. access filters. By default, access has been allowed to any global address and to the management Vlan network configured on the device. The administrator can override these settings.

Figure 14: Create Management Access Rule (Name: Default; IP Type: IP_NETWORK; Address: 192.168.0.0; Enable; Comments: Access from Management vlan Network)

Name: Enter the name of the management access rule for user reference.
IP Type: User can select the appropriate IP type from the drop-down list.
Address: Specify the IP Address/Netmask or IP range or MAC address.
Enable: It allows the user to either enable or disable the management access rule.
Comments: User can specify the comments, up to 64 chars in length (optional).

The administrator needs to configure the IP address, the IP network or the range of IP addresses from which management access to the device should be allowed in the management access filter rule. The IP Type ANY indicates global networks (any network IP address). The search option in the management access filters table will help in selectively viewing the management access filter rules whose name/address values match the search criteria.

(Screenshot residue: the Management Access table with a Search box, listing the rule Default, IP_HOST 192.168.0.24, "Access from Manageme...")
20. allo> command prompt on the terminal.
4. Type help to view the list of troubleshooting commands available.

10 Appendix B: Configuring STM IP Address via Console
The user can choose to view/set the IP address of the STM device:
allo> show IP
Now you can access the device from the browser using the URL https://<device ip>.

Note: If you are not running a DHCP server in your deployment OR the device fails to acquire an IP address, set the IP address from the console CLI using the command line:
Allo> Set IP <IP address> <mask> <gateway>
Verify the address using the show IP command. Then use this IP address to access the WebUI/SSH to configure the device further.

Any technical assistance required? Kindly contact support at http://support.allo.com.

Thank you for choosing allo.
Adarsh Eco Place, 176, Ground Floor, EPIP Industrial Area, Kundalahalli, KR Puram Hobali, Whitefield, Bangalore 560066
Email: globalsales@allo.com, indiasales@allo.com
Phone: +91 80 67080808
21. (Screenshot residue: a traceroute hop to 192.168.0.127 with round-trip times 0.836 ms, 0.892 ms, 0.871 ms)
Figure 37: Trace route

6.5 Troubleshooting
Navigate through Tools > Troubleshooting. This page will allow disabling/enabling the DPI on the STM appliance for troubleshooting purposes.

Figure 38: Troubleshooting (the Disable DPI option)

6.6 Firmware Upgrade
Navigate through Tools > Firmware Upgrade. The STM appliance supports the manual upgrade of the STM firmware running on the appliance. The firmware upgrade page shows the currently running STM firmware version and allows the administrator to upload the firmware update package onto the device and install it. To install the firmware:
1. Download the STM firmware update package from the allo website and keep it on your local system.
2. From the browser on your local system, login to the STM WebUI and launch the STM firmware upgrade page.
3. Click Browse in the firmware page and select the STM firmware update package file that you saved on your local system.
4. After selecting the file, click the Upgrade button. The device will verify the uploaded firmware and install it.
5. After the install, the device will reboot and the administrator will be redire
22. ce
2.1 Default Configuration
The device operates as a transparent bridging firewall with Deep Packet Inspection enabled on the SIP traffic. By default the appliance has been configured with the static IP 10.0.0.1, netmask 255.255.255.0. The device has been made to be fully functional with the default configuration. However, if the user needs to tune the device settings & the DPI policies, the user can tune the configuration via the device WebUI. The device also provides a command line interface accessible via SSH, which allows configuring the basic settings and viewing the device status.

Management Access Login Credentials (WebUI): admin / admin
Management Vlan IP: 192.168.100.1 / 255.255.255.0
Default Device IP: 10.0.0.1 / 255.255.255.0

2.2 Accessing the WebUI
The user can connect to the device via the management Vlan to access the WebUI during initial setup. The management Vlan configured on the device is accessible via the LAN/WAN ports & is assigned the default IP address 192.168.100.1. Use the procedure given below to access the WebUI:
1. Connect the LAN port of the STM to a PC.
2. Assign the IP address 192.168.100.2 to the PC. Set the netmask as 255.255.255.0. Now you can access the device from the browser using the URL https://<192.168.100.1>. Configure the STM device IP address from the Device Settings page as per your local network range
23. ch other. Together, TCP and IP are the basic rules defining the Internet.
UDP: It is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP.
TCP/IP (Transmission Control Protocol/Internet Protocol): This is the suite of communications protocols used to connect hosts on the Internet. TCP/IP uses several protocols, the two main ones being TCP and IP.
LAN (Local Area Network): This is a group of computers and associated devices that share a common communications line or wireless link. Typically, connected devices share the resources of a single processor or server within a small geographic area.
WAN (Wide Area Network): It's a geographically dispersed telecommunications network. The term distinguishes a broader telecommunication structure from a local area network.

9 Appendix A: Using Console Access
1. Connect the serial console to the serial port of the STM device.
2. Use the following serial console settings to access the allo CLI:
   i. Speed: 38400
   ii. Parity: None
   iii. Data: 8
   iv. Stop bits: 1
   v. Flow control: No
3. The user should see the
24. ck. The Dynamic Blacklist IP Addresses page will allow the administrator to see the dynamic blacklist rules currently configured on the device at any instant. In case the administrator wants to override and allow the traffic from a particular blacklisted IP, he can delete the rule from the Dynamic Blacklist IP Addresses page.

Figure 29: Dynamic Blacklist IP Addresses (the list shows the blacklisted address 192.168.0.177 and a Delete Selected button)

4.9 Geo IP Filters
Navigate through Security Settings > Geo IP Filters. The administrator can choose to block the traffic originating from specific countries towards the protected SIP network by configuring the GeoIP filter rules in STM.

Figure 30: Geo IP Filters (the page offers Allow All Countries, Block All Countries and Update Geo IP, and a searchable country list, e.g. NIGERIA, KOREA REPUBLIC OF, CHINA, UKRAINE, ALGERIA, UZBEKISTAN, AFGHANISTAN, ALBANIA)
Figure 19: SIP Protocol Compliance. Field labels visible in the screenshot: Media Port 1024-65535; Max RequestName length 20; Max From length 256; Max To length 256; Max Via length 1024; Max Contact length 1024; Max Content length 2048; Save and Cancel buttons.

SIP Protocol Compliance Settings

Max_sessions: A SIP session is the application-level connection set up between the SIP server and the SIP client for exchanging audio/video messages with each other. The max_sessions parameter defines the maximum number of sessions that the SIP deep packet inspection engine can keep track of. The default value is 4096.

Max_dialogs_per_session: Specifies the maximum number of SIP message transactions (dialogs) that can take place between the SIP server and client within one session.

Methods: Specifies which SIP methods the engine checks for in SIP messages. The SIP DPI engine can identify the following methods:
1. invite
2. cancel
3. ack
4. bye
5. register
6. options
7. refer
8. subscribe
9. update
10. join
11. info
12. message
13. notify
14. prack

Max_uri_len: The URI identifies the user or service to which a SIP request is addressed. Max_uri_len specifies the maximum Request-URI field size. The default is 256; the allowed range for this option is 1 to 65535.

Max_call_id_len: The Call
redirected to the login page.

Figure 39: Upgrade Firmware (screenshot). The page shows the current firmware version (STM 1.0.00, built Fri Sep 12 11:01:18 IST 2014), a file chooser for the new firmware image, an Upgrade button and a Need Reboot indicator. Take a configuration backup from the Administration page before upgrading, so that the device can be restored if the upgrade fails.

6.7 Logs Archive

Navigate through Tools > Logs Archive.

If a USB storage device is attached to the STM, the device will attempt to archive older logs to the USB storage device. Summary information about the logs stored in the archive is shown on the Logs Archive page.

Figure 40: Logs Archive

The Administration page provides options to run a factory reset, restart the device (reboot), shut the device down, and back up or restore the configuration. A factory reset requires a reboot, so on clicking the Factory Reset button the administrator is redirected to a wait-notification page and prompted to log in again once the device comes up with the default configuration. Because the device returns to its default configuration, the rules and the administrator password configured earlier are lost; back up the configuration first. The STM appliance supports taking a configuration backup and restoring the configuration later.
times out: if the user does not enter the login credentials within 30 seconds, the login page times out and redirects to an informational page. The user can click the hyperlink named "login" on that page to return to the login page.

Figure 7: Timeout Message ("Your login attempt has timed out. Please click to login again.")

If somebody is already logged in to the STM WebUI, a subsequent login attempt shows the details of the existing session, as illustrated below, and prompts the user either to preempt the previous session and continue, or to discard the login attempt.

Figure 8: Select Login Attempt. The dialog reads: "An administrator is already logged in from the host 192.168.0.177. If you continue to log in to the Configuration Management UI, that administrator's session will be dropped. Currently you are trying to login as administrator from 192.168.0.148. Click Continue to preempt that user and continue to log in. Click Not Now to cancel your login attempt."

Only one administrator session exists at a time, and preemption drops the other session without that administrator's consent. If you are logged out by a preemption from a host you do not recognise, treat it as a sign that the administrator password may be compromised and change it in the WebUI Settings.

2.3 WebUI Session Timeout

After logging in to the WebUI, if there is no activity for the WebUI session timeout period, the session ends. By default the WebUI session timeout is set to 900 seconds.
Please check with an allo Sales representative about purchasing the STM signature subscription key.

3.5 Logging

Navigate through Device > Logging.

The administrator can configure the STM appliance to send the security alerts generated on detecting SIP-based attacks to a remote SYSLOG server. The Logging page allows enabling or disabling remote logging of the security alerts and specifying the SYSLOG server to which they are forwarded.

Figure 17: Logging (screenshot; Remote Logging enabled, Syslog server 192.168.0.109, Save and Cancel buttons)

Remote Logging: Enables or disables forwarding of the security alerts to the remote log server.

Syslog Server: The remote syslog server that receives the logs from the STM device.

Forwarding the alerts off the appliance is recommended: the on-box log storage is small (see Logs Archive), and a copy held elsewhere survives a device reset. Syslog is normally sent in the clear, so the syslog server should be reachable over a trusted management network.

4 Configuring the SIP Security Policies

4.1 SIP Attacks Detection

Navigate through Security > SIP Attacks Detection.

The SIP Attacks Detection page allows configuring the SIP deep packet inspection rule categories. The administrator can enable or disable inspection for a particular category of rules and choose the action to be taken on detecting attacks that match the rules in that category. The possible actions that the STM can execute are
The WebUI session timeout is set to 900 seconds by default. When the timeout expires, the login session is terminated automatically and the browser is redirected to the login page.

2.4 WebUI Settings

To change the WebUI settings, click the settings icon that appears in the top right corner, below the Apply Changes button. The WebUI settings dialog is displayed in the browser and allows the administrator to configure the WebUI session timeout and the WebUI login password. To change the WebUI login password, the user must enter the previously set administrator password. The user name is fixed as admin, so the password is the only credential protecting the appliance; change it from the default before the STM is reachable from the network.

Figure 9: Web Settings (fields: Session Timeout, User Name (admin), Old Admin Password, New Admin Password, Confirm Admin Password)

2.5 Dashboard

Figure 10: Dashboard (screenshot, taken 03 January, firmware STM 1.0.00 Fri Sep 12 11:01:18 IST 2014). Visible panels: Security Alerts; Up Time (4 days); STM Signatures 1.0.00 with its Disabled/Running state; Memory Usage (Total Memory 64 MB); Flash Usage (Flash Size 16 MB); CPU Usage; Top 10 Signatures; Top 10 Categories; Top Src; Top Dest; Network Info; and Last 10 Alerts, where each row carries a timestamp, a signature ID (e.g. 70030058), a category ID (7003), the signature name (e.g. "From header format") and the source IP (192.168.0.177).
services or ports are active on the live IP addresses. From this information the intruder queries the ports to determine the type and version of the application and operating system running on the target host. The attacker often uses port scanning, for example, to discover vulnerable ports. After a port scan, an attacker usually exploits known vulnerabilities of the services associated with the open ports that were detected.

SIP Devices Scanning: The intruder scans the PBX ports to see what devices are connected to it. With that information he can exploit third-party vulnerabilities. The SBC (the STM) will not respond to his query.

SIP Extensions Discovery: The intruder asks the PBX to divulge the range of extension numbers. With that information he can try different passwords to take control of these extensions. The SBC will not respond to that query.

Multiple Authentication Failures / Brute-force password cracking attempt: The intruder tries to log in with different user names and passwords many times. Once he succeeds, he has control of that extension. The SBC can block, log or blacklist the IP for a period of time if it exceeds the authorized number of trials within the configured duration. User configurable options: Invalid SIP User Registration Attempts and Duration; Failed Authentication Attempts and Duration.

(The table continues with the rows Ghost calls Attempt, SIP Protocol Compliance and SIP Anomaly Attacks.)

Ghost calls Attempt: The intruder generates calls to an extension, and it looks like the calls come
SSL (Secure Sockets Layer): The standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and integral.

IP (Internet Protocol): A set of rules governing the format of data sent over the Internet or another network. The Internet Protocol is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it from all other computers on the Internet.

MAC (Media Access Control): One of the two sub-layers of the Data Link Control layer; it is concerned with sharing the physical connection to the network among several computers.

ICMP (Internet Control Message Protocol): One of the main protocols of the Internet Protocol Suite. It is used by network devices such as routers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached.

IMAP (Internet Message Access Protocol): A protocol for e-mail retrieval and storage.

POP3 (Post Office Protocol 3): A standard protocol for retrieving e-mail. The POP3 protocol controls the connection between a POP3 e-mail client and a server where e-mail is stored. The POP3 service uses the POP3 protocol for retrieving e-mail from a mail server to a POP3 e-mail client.

TCP (Transmission Control Protocol): A standard that defines how to establish and maintain a network conversation via which application programs can exchange data. TCP works with the Internet Protocol (IP), which defines how computers send packets of data to each
4.2 SIP Protocol Compliance

Navigate through Security Settings > SIP Protocol Compliance.

The SIP deep packet inspection engine running on the STM appliance inspects the SIP traffic against the SIP security compliance rules built into the SIP DPI engine. Anomalies in the SIP message headers can lead to various erroneous conditions, SIP parser failures and malformed packets, which leave SIP applications vulnerable to attack. The parameters below are used by the SIP deep packet inspection engine to identify the different protocol anomaly conditions and take the action configured by the administrator.

Configuring inappropriate values for these parameters can have a disruptive impact on the VoIP deployment. Administrators with an in-depth understanding of the SIP protocol can choose to tune these parameters for their specific deployment needs; otherwise it is recommended to use the default settings. Because the limits are applied to live traffic, tighten a limit first with the SIP Protocol Compliance category action set to Log, confirm from the security alerts that legitimate calls do not trip it, and only then switch the action to Block.

Figure 19 (screenshot): the SIP Protocol Compliance page carries the warning "Please make sure to refer to the user manual before making changes in this configuration page" and groups the settings into SIP Protocol Compliance Settings, Media Ports Configuration and SIP Methods. Visible values include SIP Transport: any, Media Transport: udp, Max Dialogs per session and the media port range; the remaining field labels are listed with the figure caption.
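As an added illustration written for this manual, not the STM's own DPI code, the following Python applies the kind of checks this page configures to one raw SIP request: the method must be one of the SIP methods the engine lists and no longer than the RequestName limit, the Request-URI and the From/To/Via/Contact/Call-ID headers must respect their length limits, the mandatory headers must be present and (except Via) present only once (compare the "To header multiple" alert on the dashboard), and Content-Length must match the body. The limits are the defaults shown on this page except max_call_id_len, which the page does not list and is assumed here; the two sample messages are constructed, and the RFC 3261 compact header names (f:, t:, v:, i:, m:, l:) are expanded so that the checks cannot be bypassed by abbreviating a header.

```python
# Defaults as shown on the SIP Protocol Compliance page; max_call_id_len is an
# assumption of this example (the page does not list it).
DEFAULT_LIMITS = {
    "max_request_name_len": 20,
    "max_uri_len": 256,
    "max_from_len": 256,
    "max_to_len": 256,
    "max_via_len": 1024,
    "max_contact_len": 1024,
    "max_content_len": 2048,
    "max_call_id_len": 256,    # assumption
}

# The SIP methods the page says the DPI engine can identify.
ALLOWED_METHODS = {"invite", "cancel", "ack", "bye", "register", "options", "refer",
                   "subscribe", "update", "join", "info", "message", "notify", "prack"}

# RFC 3261 compact header forms; a checker that ignores them is trivially bypassed.
COMPACT = {"f": "from", "t": "to", "v": "via", "i": "call-id", "m": "contact",
           "l": "content-length"}

HEADER_LIMIT = {"from": "max_from_len", "to": "max_to_len", "via": "max_via_len",
                "contact": "max_contact_len", "call-id": "max_call_id_len"}


def check_sip_request(raw: bytes, limits=None) -> list:
    """Return the list of violation codes for one SIP request (empty = compliant)."""
    lim = {**DEFAULT_LIMITS, **(limits or {})}
    codes = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ["non_ascii_bytes"]
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return ["bad_request_line"]          # nothing after a bad start line is trustworthy
    method, uri, _ = parts
    if len(method) > lim["max_request_name_len"]:
        codes.append("method_too_long")
    if method.lower() not in ALLOWED_METHODS:
        codes.append("unknown_method")
    if len(uri) > lim["max_uri_len"]:
        codes.append("uri_too_long")
    seen = {}
    declared_len = None
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            codes.append("header_without_colon")
            continue
        name = name.strip().lower()
        name = COMPACT.get(name, name)       # expand compact form before checking
        value = value.strip()
        seen[name] = seen.get(name, 0) + 1
        key = HEADER_LIMIT.get(name)
        if key and len(value) > lim[key]:
            codes.append(f"hdr_too_long:{name}")
        if name == "content-length":
            declared_len = int(value) if value.isdigit() else -1
    for name in ("via", "from", "to", "call-id"):
        if name not in seen:
            codes.append(f"missing:{name}")
        elif name != "via" and seen[name] > 1:
            codes.append(f"multiple:{name}")  # cf. the "To header multiple" alert
    if len(body) > lim["max_content_len"]:
        codes.append("body_too_long")
    if declared_len is not None and declared_len != len(body):
        codes.append("content_length_mismatch")
    return codes


# Constructed sample messages (not captures from the appliance).
GOOD_INVITE = (
    b"INVITE sip:bob@pbx.example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: Alice <sip:alice@pbx.example.com>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@pbx.example.com>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Contact: <sip:alice@192.0.2.10>\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# Compact headers, an unknown 24-byte method, a From value over 256 bytes,
# a duplicate To header and a Content-Length that does not match the body.
BAD_REQUEST = (
    b"FOOBARFOOBARFOOBARFOOBAR sip:bob@pbx.example.com SIP/2.0\r\n"
    b"v: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bKdeadbeef\r\n"
    b"f: <sip:" + b"A" * 300 + b"@pbx.example.com>\r\n"
    b"t: <sip:bob@pbx.example.com>\r\n"
    b"t: <sip:carol@pbx.example.com>\r\n"
    b"i: 1234@203.0.113.9\r\n"
    b"l: 10\r\n"
    b"\r\n"
    b"abc"
)

if __name__ == "__main__":
    print("good:", check_sip_request(GOOD_INVITE))
    print("bad: ", check_sip_request(BAD_REQUEST))
```

A request that fails any of these checks is what the SIP Protocol Compliance category acts on: with the action set to Log the violation appears in the security alerts, with Block the packet is dropped. Running with a lower max_uri_len (for example 10) shows how a legitimate INVITE starts failing, which is the disruptive effect the warning above refers to.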
will help the allo Support team debug any issues faced with the STM deployment. To run the utility, the administrator clicks the Run Diagnostics button. The device runs the diagnostics task in the background and displays the results once the task completes. The administrator can download the report by clicking the Get Report button and send it to the allo Support team. Review the report before sending it: it is meant to capture the device's configuration and network state for debugging.

Note: You can submit the report through a support ticket at http://support.allo.com.

Figure 34: Diagnostics (screenshot; the result pane shows a sip_secure banner and the timestamp Fri Sep 26 04:26:45 GMT 2014)

Figure 35: Download Report ("Click the above link to download the diagnostics")

6.3 Ping

Navigate through Tools > Ping.

The administrator can troubleshoot network connectivity issues by running
logging the alert, blocking the packets containing the attack vector, and blacklisting the attacker IP for the given duration. The blocking duration, i.e. how long the attacker IP stays blocked, is also configured per category.

Figure 18: SIP Attacks Detection. The screenshot shows the default action and blocking duration (seconds) per category:
- Reconnaissance Attacks: Log, none
- SIP Devices Scanning: Block, 120
- SIP Extensions Discovery: Block, 120
- Multiple Authentication Failures / Bruteforce password cracking Attempt: Block, 1800
- Ghost calls Attempt: Block, 1800
- SIP Protocol Compliance: Log, none
- SIP Anomaly Attacks: Log, none
- SIP DoS Attacks: Block, 1800
- SIP DDoS Attacks: Block, 1800
- SIP Cross-site scripting Attacks: Block, 1800

The table below lists the SIP deep packet inspection rule categories supported by the STM and the configuration parameters of each category (columns: Category, Description, User configurable options).

Reconnaissance Attacks: This can be considered the first step of attacking any system or network. Here a hacker tries to learn information about the network: typically he conducts a ping sweep of the target network to determine which IP addresses are alive. Then the intruder determines which services
(SIP Protocol Compliance and SIP Anomaly Attacks, continued:) Configuring inappropriate values for these parameters can have a disruptive impact on the VoIP deployment. Administrators with an in-depth understanding of the SIP protocol can choose to tune these parameters for their specific deployment needs; otherwise it is recommended to use the default settings.

SIP DoS Attacks: Flooding attempts using various SIP messages. User configurable options: No. of SIP Request Messages and Duration; No. of SIP Response Messages and Duration.

SIP DDoS Attacks: Distributed flooding attempts using various SIP messages.

SIP Cross-site scripting Attacks: Cross-site scripting (XSS) is one of the most common application-layer attack techniques. In general, cross-site scripting refers to a technique that leverages vulnerabilities in the code of a web application to send malicious content to an end user and collect some type of data from the victim. XSS may be used to compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. In the SIP context it can be used to steal data carried in the From header, To header, Call-ID, Contact, extension, password and other such confidential fields, typically by injecting script into SIP headers that the PBX later renders in its web-based call logs or administration pages.

(The table continues with the rows Buffer overflow Attacks, 3rd Party Vendor Vulnerabilities, TCP SYN Flood, TCP Flood and TCP Distributed Flood.)

Buffer overflow Attacks: This refers to illegally trying to access the resources of the SIP device, such as its
memory address for which it does not have the appropriate permissions, leading to corruption of the data at that address and at adjacent addresses.

3rd Party Vendor Vulnerabilities: This refers to any malicious activity targeting third-party components, such as a DoS attempt against the DIGIUM Asterisk channel driver, and other such attacks.

TCP SYN Flood: A kind of DoS attack in which a large number of TCP SYN packets are sent to the victim's device. Each of these packets tries to establish a new session, consuming the victim device's resources. Such an attack is also called a half-open connection attack, as these new sessions are never completed, and eventually legitimate users are barred from the device's resources. User configurable option: No. of TCP SYN packets within the specified duration.

TCP Flood: Flooding the device with general TCP packets on any port, so that after some interval of time legitimate users are barred from the device's resources. User configurable option: No. of TCP packets within the specified duration.

TCP Distributed Flood: In a TCP DDoS attack the incoming TCP traffic flooding the victim originates from many different sources, potentially hundreds of thousands or more. This makes it impossible to stop the attack simply by blocking a single IP address, and it is very difficult to distinguish legitimate user traffic from attack traffic spread across so many points of origin. User configurable option: No. of TCP packets within the specified duration.

(The table continues with the rows UDP Flood and UDP Distributed Flood.)
into a USB storage device, they can connect the USB storage to the USB data port of the STM appliance. The rotated logs are then archived automatically in CSV format onto the USB storage by the STM appliance. Unless the user configures forwarding of the security alerts to a remote SYSLOG server, the

Email Server Settings

Navigate through Security Alerts > Email Server Settings.

This feature allows the STM to send the generated alerts by e-mail to a specified user.

Figure 32: Edit E-mail Server Settings (fields: Enable E-mail Notification; Server IP and Port, 10.0.0.100 and 6541 in the screenshot; Sender E-mail ID, test@allo.com; Receiver E-mail ID, testing@allo.com; Authentication, Auth_plain; Username; Password; Notify once in every, 1/2 Hour)

Enable Notification: Enables or disables e-mail notification of alerts.

Sender E-mail ID: The address that appears as the sender of the notification e-mails, e.g. test@allo.com.

Authentication: Select the authentication method from the drop-down list, if the mail server requires authentication.

Username: The user name (e.g. testing) used to authenticate with the e-mail server.

Password: The password used to authenticate with the e-mail server.

Notify once in every: How often the collected alerts are e-mailed (e.g. every half hour, every day, every week).

Auth_plain sends the user name and password to the mail server in cleartext unless the connection itself is encrypted, so use a dedicated mailbox whose password is not shared with any other system.
numbers and protocol that are used as the matching criteria of the filtering rules, and the action to take when a rule matches. The possible actions are to block or to allow the matching traffic. Rules take precedence in the order in which they are configured in the firewall rules table: the first matching rule wins, so place specific allow rules (for example a trusted SIP trunk) above broad block rules.

Figure 22: Create Firewall Rule (screenshot; example rule: Name DHCP Access, Enabled, Src Type ANY, Dst Type ANY, Protocol any, Port 67-68, Action Allow)

Name: A name for the firewall rule, for the user's reference. The user can choose any name that identifies the rule.
Enabled: Enables or disables the firewall rule.
Src Type: Select the appropriate source type from the drop-down list.
Src Address: Applies the firewall rule to a particular source address, e.g. 10.0.0.3.
Dst Type: Select the appropriate destination type from the drop-down list.
Dst Address: Applies the firewall rule to a particular destination address, e.g. 192.168.0.8.
Protocol: The protocol the rule matches; select TCP or UDP from the drop-down list (the screenshot also shows "any").
Port: Applies the firewall rule to a particular port number, e.g. 5060.
Action: Allow or Block the traffic that matches the rule.
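The first-match semantics of the firewall rules table are easy to get wrong in practice, so here is an added example (written for this manual, not the STM's firewall code) that evaluates a small rule table in the shape of the Create Firewall Rule dialog. The first rule mirrors the "DHCP Access" rule in Figure 22; the remaining rules, the CIDR notation for addresses and the default action when nothing matches are assumptions made for this illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool
    src: str        # "any", a host address or a CIDR prefix
    dst: str
    protocol: str   # "any", "tcp" or "udp"
    port: str       # "any", a single port or "low-high" (destination port)
    action: str     # "allow" or "block"


def _addr_match(spec, ip):
    return spec.lower() == "any" or \
        ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    if spec.lower() == "any":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def evaluate(rules, src, dst, protocol, dport, default="block"):
    """Return (action, rule name) for the first enabled matching rule, in table order."""
    for rule in rules:
        if not rule.enabled:
            continue
        if rule.protocol.lower() not in ("any", protocol.lower()):
            continue
        if not (_addr_match(rule.src, src) and _addr_match(rule.dst, dst)):
            continue
        if not _port_match(rule.port, dport):
            continue
        return rule.action, rule.name
    return default, None      # no rule matched: the default policy (assumed) applies


# Constructed rule table; the first entry mirrors the "DHCP Access" rule of Figure 22.
RULES = [
    Rule("DHCP Access",        True,  "any",             "any", "any", "67-68", "allow"),
    Rule("Trunk SIP",          True,  "198.51.100.0/24", "any", "udp", "5060",  "allow"),
    Rule("Block SIP from WAN", True,  "any",             "any", "any", "5060",  "block"),
    Rule("Old SSH rule",       False, "any",             "any", "tcp", "22",    "allow"),
]


def demo():
    verdicts = {
        "trunk": evaluate(RULES, "198.51.100.20", "192.0.2.5", "udp", 5060),
        "wan":   evaluate(RULES, "203.0.113.9", "192.0.2.5", "udp", 5060),
        "dhcp":  evaluate(RULES, "0.0.0.0", "255.255.255.255", "udp", 67),
        "ssh":   evaluate(RULES, "203.0.113.9", "192.0.2.5", "tcp", 22),
    }
    # Same rules with the block rule moved above the trunk rule: first match wins,
    # so the trunk is now blocked, the ordering mistake the text warns about.
    swapped = [RULES[0], RULES[2], RULES[1], RULES[3]]
    verdicts["trunk_misordered"] = evaluate(swapped, "198.51.100.20", "192.0.2.5", "udp", 5060)
    return verdicts


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "trunk_misordered" case is the one to remember: moving the broad "Block SIP from WAN" rule above the trunk rule silently cuts the trunk off, and a disabled rule (the SSH entry) contributes nothing, so the default policy decides.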
UDP Flood: Flooding the device with general UDP packets on any port, so that after some interval of time legitimate users are barred from the device's resources. User configurable option: No. of UDP packets within the specified duration.

UDP Distributed Flood: In a UDP DDoS attack the incoming UDP traffic flooding the victim originates from many different sources, potentially hundreds of thousands or more. This makes it impossible to stop the attack simply by blocking a single IP address, and it is very difficult to distinguish legitimate user traffic from attack traffic spread across so many points of origin. User configurable option: No. of UDP packets within the specified duration.

Generic Attacks: Some of the common attacks in this category are Bye Teardown, Registration Hijack, Registration Adder and Registration Eraser.
1. Bye Teardown: disrupts a call that is in session between two users by injecting a spoofed BYE.
2. Registration Hijack: the first step in hijacking a registration is to find registerable addresses; the attack then hijacks an already registered extension.
3. Registration Adder: this tool attempts to bind another SIP address to the target, effectively making a phone call ring in two places, the legitimate user's desk phone and the attacker's phone.
4. Registration Eraser: this tool effectively causes a denial of service by sending a spoofed SIP REGISTER message to convince the proxy that a phone user is unavailable.
Figure 10, continued: further Last 10 Alerts rows in the screenshot have the form 01/03 00:34:09, 70030046, 7003, "To header format", 192.168.0.177 and 01/03 00:34:09, 70030035, 7003, "To header multiple", 192.168.0.177; the Network Info panel shows the MAC address 00:17:F7:00:8E:38 and the Gateway.

On logging in to the STM WebUI, the dashboard is shown. The user can return to the dashboard from any configuration page by clicking the STM product icon in the left corner of the top panel. The status panel below the top panel shows the device's time settings, the STM firmware version, a page refresh icon and a settings icon. Clicking the page refresh icon refreshes the main content area of the current page. Clicking the settings icon opens a pop-up menu with the options Logout and WebUI Settings.

System Status panel: shows device up time, memory usage, flash usage and CPU usage.
Sig Update Version panel: shows the STM signature version and release state.
Network Status panel: shows the IP, LAN MAC, WAN MAC and gateway of the device.
Security Alert Summary panel: shows hyperlinks for viewing the Top 10 Signatures hit, Top 10 Categories hit, Top Attacker IP Addresses and Top 10 Target Destinations.
and restore the configuration later.

7 Frequently Asked Questions (FAQs)

What are SIP Threat Management (STM) devices?
SIP Threat Management (STM) is an approach to security management that allows an administrator to monitor and manage a variety of security-related applications and infrastructure components through a single management console. STM devices combine an Intrusion Prevention System (IPS) and a firewall in a single hardware platform.

What is network security, and how does the STM secure the network?
Network security consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification or denial of a computer network and its network-accessible resources. The STM secures the internal network by means of a firewall, an IPS (Intrusion Prevention System) and similar functions.

What are the advantages of SIP Threat Management?
SIP Threat Management is a cost-effective solution that integrates multiple features into a single appliance:
I. Easy to configure
II. Less time spent on maintenance
III. Better performance
IV. Cost effective

What does SIP Threat Management include?
SIP Threat Management includes the following features:
1. Firewall
2. IPS (Intrusion Prevention System)
3. Network QoS
4. Bandwidth Control

8 Glossary
a ping from the STM device. The administrator enters the IP address to ping from the STM appliance and the ping count, and clicks the Ping button to run the task. The ping results are displayed in the text area once the task completes.

Figure 36: Ping Result (screenshot; Host 192.168.0.127, Count 1). The output shown is:
    PING 192.168.0.127 (192.168.0.127): 56 data bytes
    64 bytes from 192.168.0.127: icmp_seq=0 ttl=64 time=10.5 ms
    --- 192.168.0.127 ping statistics ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 10.5/10.5/10.5 ms

6.4 Trace route

Navigate through Tools > Trace route.

The administrator can troubleshoot network connectivity issues by running a trace route from the STM device. The administrator enters the IP address to which the route is to be traced from the STM appliance and the hop count, and clicks the Trace route button to run the task. The trace route results are displayed in the text area once the task completes.

Traceroute page (screenshot; Host 192.168.0.127, Hop Count 3, ICMP selected).
… 24
4 Configuring the SIP Security Policies 26
4.1 SIP Attacks Detection 26
4.2 SIP Protocol Compliance 32
4.3 Call Blocker Rules 35
4.4 Firewall Rules 37
4.5 Firewall Settings 39
4.6 Whitelist IP Addresses 40
4.7 Blacklist IP Addresses 41
4.8 Dynamic Blacklist IP Addresses 42
4.9 Geo IP Filters 43
5 Security Alerts 45
5.1 … 45
6 Tools 47
6.1 Administration 47
6.2 Diagnostics 48
6.3 Ping 49
6.4 Trace route 49
6.5 Troubleshooting 50
6.6 Firmware Upgrade 51
6.7 Logs Archive 52
7 Frequently Asked Questions (FAQs) 53
8 Glossary 54
9 Appendix A: Using Console Access 58
The Security Alert Summary panel shows hyperlinks for viewing the Top 10 Signatures hit, Top 10 Categories hit, Top Attacker IP Addresses and Top 10 Target Destinations.

3 Device Configuration

The configuration pages of the STM WebUI have been designed to be self-explanatory and easy to configure. All configuration pages work with a two-phase commit model: when the administrator changes settings on a configuration page and clicks the Save button, the settings are saved to a temporary buffer on the device. On saving the configuration changes, the Apply Changes button in the top right corner is enabled and an Ignore Changes button appears next to it. The two-phase commit model does not apply to the Time Settings and Signature Update areas of the configuration editor; there, changes are applied directly by clicking Apply in the content area.

Figure 11: Device Configuration (screenshot of the Updates List: "Firewall Rules (1): Firewall rule edited"; "SIP Security / Device Settings (1): SIP Settings updated"; Cancel button)

The number of pending configuration changes appears immediately to the left of the Apply Changes button. To view the details of the pending changes, the user can click the number icon, which opens the list of configuration changes. The user can apply the configuration changes to
10 Appendix B: Configuring STM IP Address via Console 59

1 Introduction

1.1 Overview

This user manual describes the steps involved in setting up the allo STM appliance. The allo STM is an appliance-based VoIP threat prevention solution dedicated to protecting SIP-based PBX, telecom gateway, IP phone and mobile device deployments. The appliance runs real-time deep packet inspection on the SIP traffic to identify VoIP attack vectors and prevents the threats from impacting the SIP-based devices. The appliance has been made to integrate seamlessly with the existing network infrastructure and reduces the complexity of deployment.

The appliance feature set includes:
- Analysis of SIP packets using the real-time deep packet inspection engine
- SIP protocol anomaly detection with configurable detection parameters
- Detection and prevention of the following categories of SIP-based attacks:
  > Reconnaissance attacks (SIP device fingerprinting, user enumeration, password cracking attempts)
  > DoS/DDoS attacks
  > Cross-site scripting based attacks
  > Buffer overflow attacks
  > SIP anomaly based attacks
  > Third-party vendor vulnerabilities
  > Toll fraud detection and prevention
  > Protection against VoIP
some extent guaranteed in advance.

HTTP (Hypertext Transfer Protocol): Works on top of TCP, port number 80. An application protocol for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web. Hypertext is structured text that uses logical links (hyperlinks) between nodes containing text.

HTTPS (Hypertext Transfer Protocol over Secure Sockets Layer): HTTP carried over an encrypted SSL/TLS connection. It makes it more difficult for hackers and other eavesdroppers to track users, and ensures that the data is not transmitted in plain text, which would be much easier to eavesdrop on.

NTP (Network Time Protocol): A networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. Accurate time on the STM matters when its security alerts are correlated with logs from the PBX or a syslog server.

DNS (Domain Name System): The Internet's equivalent of a phone book. DNS servers maintain a directory of domain names and translate them to Internet Protocol (IP) addresses. This is necessary because, although domain names are easy for people to remember, computers access websites by IP address.

SIP (Session Initiation Protocol): A signaling communications protocol widely

DHCP: Dynamic Host Configuration Protocol.
FTP: File Transfer Protocol.
TFTP: Trivial File Transfer Protocol.
SMTP: Simple Mail Transfer Protocol.
Figure 26: Whitelist IP Addresses (screenshot; the list page with Add New and Delete Selected buttons)

4.7 Blacklist IP Addresses

Navigate through Security Settings > Blacklist IP Addresses.

This page allows configuring the blacklisted IP addresses in the untrusted WAN zone from which access to the protected SIP network is blocked by the STM. This page also allows configuring whether the whitelist rules take precedence over the blacklist rules (both static and dynamic) configured on the device at any instant.

Figure 27: Create Blacklist Rule (screenshot; Name Kalitest, IP Type IP_HOST, Address 192.168.10.79, Enable checked, Comments "Kali blocked")

Figure 28: Blacklist IP Addresses (screenshot; entry "kali test", IP_HOST, 192.168.10.79, "Kali blocked", with Add New and Delete Selected buttons)

4.8 Dynamic Blacklist IP Addresses

Navigate through Security Settings > Dynamic Blacklist IP Addresses.

The dynamic blacklist IP addresses are the blocking rules added by the STM deep packet inspection engine, on detecting an attack, to block the traffic from the attacker IP address for the blocking duration configured in the rule category.
the device by clicking the Apply Changes button. On clicking Apply Changes, the configuration changes are applied to the system and the updated configuration is persisted permanently on the device.

If the user wants to abandon the configuration changes, he can click the Ignore Changes button. On clicking Ignore Changes, the configuration changes stored in the temporary buffer are discarded. The Ignore Changes button is enabled only while there are pending configuration changes that have not yet been applied to the device; when there are none, it is disabled.

If the administrator sets a configuration element to an inappropriate value, the tooltip icon that appears next to the configuration element gives the details of the error. Clicking the help icon next to the configuration title opens the help section for the current configuration page.

3.1 General Settings

Navigate through Device > General Settings.

The General Settings page allows configuring the host network settings of the STM appliance. The device, which works in bridging mode, can either use static IP assignment or acquire the device IP
to describe the user interface and how to use it to accomplish common tasks. This manual also describes the underlying assumptions users make and the underlying data model.

Document Conventions

In this manual, certain words are represented in different fonts, typefaces, sizes and weights. This highlighting is systematic: different words are represented in the same style to indicate their inclusion in a specific category. Additionally, this document uses different strategies to draw the user's attention to certain pieces of information. In order of how critical the information is to your system, these items are marked as a Note, Tip, Important, Caution or Warning.

Icon    Purpose
(icon)  Note
(icon)  Tip / Best Practice
(icon)  Important
(icon)  Caution
(icon)  Warning

- Bold indicates the name of menu items, options, dialog boxes, windows and functions.
- Blue with underline is used to indicate cross references and hyperlinks.
- Numbered paragraphs: numbered paragraphs are used to indicate tasks that need to be carried out. Text in paragraphs without numbering represents ordinary information.
- The Courier font indicates a command sequence, file type, URL, folder or file name, e.g. http://www.allo.com

Support Information

Every effort has been made to ensure the accuracy of the document. If you have comments, questions or ideas regarding the document, contact online support: http://support.allo.com
4.6 Whitelist IP Addresses

Navigate through Security Settings > Whitelist IP Addresses. This page is used to configure the whitelisted IP addresses in the untrusted WAN zone from which access to communicate with the protected SIP network is allowed by the STM. This page also allows configuring whether the whitelist rules take precedence over the blacklist rules (both static and dynamic) configured on the device at any instant.

Figure 25: Create Whitelist Rule (screenshot; the example rule shown has Name "Kalitest", IP Type IP_HOST, Address 192.168.10.79, Enable, Comments "Kali blocked")

Name      Specify the name for the whitelist rule for the user's reference. The user can choose any name to recognize the whitelist rule.
IP Type   The user can select the appropriate IP type from the drop-down list.
Address   Specify the IP address, netmask, IP range or MAC address.
Enable    Allows the user to either enable or disable the whitelist rule.
Comments  The user can specify comments up to 64 characters in length.

(Screenshot: Whitelist IP Addresses page under Security Settings, with the "Whitelist IP Rules Precedes over Blacklist IP Rules" option and the example rule Kalitest, IP_HOST, 192.168.10.79, "Kali blocked")
Glossary (continued)

- Used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP) networks.
- A standardized network protocol used on Internet Protocol (IP) networks for dynamically distributing network configuration parameters such as IP addresses for interfaces and services.
- A standard network protocol used to transfer computer files from one host to another over a TCP-based network such as the Internet. FTP is built on a client-server architecture and uses separate control and data connections between the client and the server.
- A simple lock-step file transfer protocol which allows a client to get a file from, or put a file onto, a remote host. One of its primary uses is in the early stages of nodes booting from a Local Area Network.
- A protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another; the messages can then be retrieved with an e-mail client using either POP or IMAP.

Term   Expansion                          Definition
SSL    Secure Socket Layer                This is the standard security technology for establish
IP     Internet Protocol
MAC    Media Access Control
ICMP   Internet Control Message Protocol
IMAP   Internet Message Access Protocol
POP3   Post Office Protocol version 3
TCP    Transmission Control Protocol
UDP    User Datagram Protocol
