Network components such as routers, which can be reached directly over the Internet (WAN), are under attack on a daily basis. LANCOM routers are no exception.
Attempts will be made to access the configuration of the device, or to monitor or manipulate the communications between the device and others connected to it. Similarly, there are attacks on the VoIP functionality in the router.
Attackers from the Internet attempt to initiate phone calls. These are often foreign connections or special services, which can lead to considerable expense to the operator of the router.
If telephony on a LANCOM router is set up using the Setup Wizard, the necessary settings are automatically put in place to protect against such attacks.
If the telephony is set up manually, the feature described in section 1 needs to be activated manually.
Security can be further enhanced by adjusting the features mentioned in section 2. However, some SIP providers do not support them, some tariffs do not include them, or there are scenarios where they simply cannot be operated. For this reason, LANCOM Systems recommends that you contact the SIP provider beforehand.
This article describes the settings that are required to secure the VoIP functionality of a LANCOM router against attacks from the Internet.
For routers with LCOS version up to and including 9.0, the only option is to block the authentication of SIP users from the Internet (WAN).
1) Mandatory security settings when configuring a SIP line manually:
1.1) Open the configuration for the router in LANconfig and switch to the menu item Voice Call Manager -> Lines -> SIP lines.
1.2) Edit the SIP line and switch to the Security tab.
1.3) Make sure the option Allow SIP messages only from registrar is checked.
With this feature enabled, incoming packets are only accepted from the registrar (usually the SIP provider). Packets from other sources are dropped.
For security reasons, LANCOM Systems recommends that you activate this feature at all times.
When you run the telephony Setup Wizard, this feature is enabled automatically.
2) Further settings for increased security:
Although these settings improve security, some SIP providers do not support them, some tariffs do not include them, or there are scenarios where they simply cannot be operated. If necessary, contact your SIP provider for details.
2.1) Allow inbound UDP packets:
This feature controls which interfaces accept inbound UDP packets.
If you operate a SIP line to a SIP provider on the Internet, you have to allow UDP packets from the WAN.
If you operate a SIP line to a SIP PBX in the local network of the VoIP router, we recommend that you restrict this feature to via LAN or via LAN and VPN, so that inbound UDP packets from the WAN are blocked.
If the signaling encryption (see step 2.2) is set to No (TCP) or TLS 1.x, this feature has no effect, because the line then does not receive signaling over UDP.
2.2) Signaling encryption:
If you set this feature to No (UDP), call signaling uses the connectionless protocol UDP. As this permits signaling from any source, you have to use other means to prevent this (see step 1.3 and optionally step 2.1).
If you set this feature to No (TCP), call signaling uses the connection-oriented protocol TCP. During registration, a TCP connection is established to the SIP provider and is maintained for as long as the registration lasts. Signaling can then only be performed by the SIP provider (except during man-in-the-middle attacks), which offers an additional security gain over signaling via UDP. In general, a TCP connection is only supported on a SIP trunk.
By setting the feature to TLS 1.x, a TCP connection is also established to the SIP provider, and additionally the communication with the SIP provider is encrypted. Only the SIP provider is able to perform signaling, except in the case of man-in-the-middle attacks where the attacker additionally installs a fake certificate on the attacked device. This option offers an additional security gain over signaling via TCP.
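The following is an added example, not LANCOM code: it models the acceptance decisions from steps 1.3, 2.1 and 2.2 as a small policy function and runs constructed sample messages through it (the class and function names, the "UDP"/"TCP"/"TLS" signaling labels and the sample addresses are assumptions).

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SipLineSecurity:
    """Hypothetical model of the settings from steps 1.3, 2.1 and 2.2."""
    registrar: str                                  # address of the SIP provider's registrar
    only_from_registrar: bool = True                # step 1.3
    udp_interfaces: frozenset = frozenset({"WAN", "LAN", "VPN"})  # step 2.1
    signaling: str = "UDP"                          # step 2.2: "UDP", "TCP" or "TLS"

def sip_start_line(message: str) -> str:
    """Return the method of a SIP request, or the status code of a response."""
    first = message.split("\r\n", 1)[0]
    parts = first.split(" ", 2)
    if parts[0].startswith("SIP/2.0"):              # e.g. "SIP/2.0 200 OK"
        return parts[1]
    if len(parts) < 3 or not parts[2].startswith("SIP/2.0"):
        raise ValueError("not a SIP message")
    return parts[0]                                 # e.g. "INVITE"

def accept_sip_message(cfg, src_ip, ingress, transport, message):
    """Decide whether the line accepts a message; returns (accepted, reason)."""
    kind = sip_start_line(message)
    if transport == "UDP":
        # Step 2.2: with TCP/TLS signaling the line does not take UDP signaling at all
        if cfg.signaling != "UDP":
            return False, f"{kind}: UDP ignored, line signals over {cfg.signaling}"
        # Step 2.1: only the configured interfaces accept inbound UDP
        if ingress not in cfg.udp_interfaces:
            return False, f"{kind}: inbound UDP via {ingress} not allowed"
    # Step 1.3: only the registrar may send SIP messages to this line
    if cfg.only_from_registrar and src_ip != cfg.registrar:
        return False, f"{kind} from {src_ip} is not from registrar {cfg.registrar}"
    return True, f"{kind} accepted"

# Constructed sample traffic (documentation address ranges, not real hosts).
PROVIDER_LINE = SipLineSecurity(registrar="203.0.113.5")
PBX_LINE = SipLineSecurity(registrar="192.168.1.20",
                           udp_interfaces=frozenset({"LAN", "VPN"}))
FOREIGN_INVITE = ("INVITE sip:0019005551234@192.0.2.10 SIP/2.0\r\n"
                  "Via: SIP/2.0/UDP 198.51.100.7:5060\r\n\r\n")
PROVIDER_OK = "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.0.2.10:5060\r\n\r\n"

if __name__ == "__main__":
    for cfg, src, iface, msg in [(PROVIDER_LINE, "198.51.100.7", "WAN", FOREIGN_INVITE),
                                 (PROVIDER_LINE, "203.0.113.5", "WAN", PROVIDER_OK),
                                 (PBX_LINE, "198.51.100.7", "WAN", FOREIGN_INVITE)]:
        print(accept_sip_message(cfg, src, iface, "UDP", msg))
```

The first sample shows why step 1.3 matters on its own: an INVITE towards a foreign number from an unknown WAN host is dropped even though UDP from the WAN is allowed for a provider line.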
2.3) Verify server cert. acc. to:
This setting controls whether the Voice Call Manager verifies server certificates, and which certificate is used to do this. Verification of the server certificate should be performed if possible.
With the setting No verification, the server certificate is not checked and any certificate is accepted.
With the setting All trusted CAs, all of the certificates stored in the device are used to verify the server certificate.
For the SIP cert. slots 1 - 3 settings, certificates from SIP providers can be uploaded and used to verify the server certificate.
Using the Telekom Shared Business CA4 CA option accepts certificates that were signed by the Telekom Shared Business CA4 Certificate Authority (CA). This entry has to be used with a Telekom SIP trunk.
3) Security options when using a SIP PBX line:
3.1) Navigate to the menu Voice Call Manager -> Lines -> SIP PBX lines.
3.2) Make sure the option Allow SIP messages only from registrar is checked.
This operates in the same way as for a SIP line (see step 1.3).
3.3) Restrict the feature Allow inbound UDP packets to the interface that you are actually using.
As a rule, the SIP PBX will be accessible via LAN or VPN and not via WAN. For security reasons, a direct connection via WAN is also not recommended.