Access control based on IP address
From Bizfon Wiki
Motivation
There are several reasons why a system administrator might want to define who has access to the PBX:
- Protection against denial of service attacks. If you are operating the PBX on publicly available addresses, there is always the risk that someone tries to interrupt the service. Although the PBX has several protections against such attacks, it might be easier to rule such attacks out right from the beginning.
- Limiting the service to authorized addresses. You might also want to limit the service only to specific IP addresses. For example, while you might allow users to register their IP phones in the office, you might allow only selected users with their associated IP addresses to register their phones from home.
The motivation for the list is to have an inner firewall inside the application that reduces the chance that an unauthorized request makes it into the inner part of the processing.
How it works
When a packet reaches the PBX, it checks the list of enabled and disabled addresses for a match. If the result is that the request is to be ignored, the PBX just discards the packet without answering.
The PBX checks a list for matches. A match occurs if a source address matches a check address with the mask. More specific addresses are checked first; this makes it possible to define exceptions to the general rule. Also, the PBX checks IPv4 and IPv6 addresses separately.
If there is a match, the PBX checks for the type. If the type is "Allow" then the PBX accepts the packet. If the type is "Block" then the PBX blocks that request. If there is no match in the list, then the request is accepted.
If the list is empty, the access control is disabled. This is the default behavior after the installation of the product.
For UDP-based requests this is relatively easy: the request is simply not answered. However, because the UDP port is open, no ICMP message is sent to the origin. That means someone who wants to attack the system might be able to figure out that there is an open port. However, as the PBX just discards these messages, the damage is limited.
For TCP ports, the situation is more complicated. In Linux, there is no way for an application to find out where a TCP connection is coming from until the connection is accepted. That is why the PBX first accepts the connection and then examines whether the connection was allowed or not. If the connection was not allowed, it is closed immediately. In Windows, there is a special system call that first checks where the connection is coming from. If the source is not enabled, the PBX does not accept the connection. However, the operating system has already answered the TCP connection request with an acknowledgment, so in Windows, too, it will be obvious that there is an application running on the ports.
The access control is not limited to SIP. It also applies to all other protocols used on the system, including HTTP, TFTP and SNMP. When the PBX acts as a client (for example, when performing DNS requests), the rules do not apply.
The behavior is to a certain extent similar to a firewall. However, especially for TCP, a firewall is able to keep the traffic out completely; someone testing the system will not get any response back for a TCP request if the source IP address is not listed.
Configuration
In order to add a match entry, you can use the form at the bottom of the page. Just enter the IP address together with the net mask and the access type and hit the "Create" button. You should enter only as much information as needed by the net mask, for example "192.168.0.0" if the net mask is "255.255.0.0".
In order to delete an entry, just click on the delete button.
Changing the entry does not require a restart of the system. The changes take effect immediately.
Example
In this example, you want to give everyone in the LAN access, but rule out access from the public Internet, except for two employees working from home and for a trunk that comes from a service provider with a small range of IP addresses.
First entry: Address "127.0.0.1", net mask "255.255.255.255", type "Allow". This will make sure that you can always access the HTTP interface from the local computer.
Next entry: Address "192.168.0.0", net mask "255.255.0.0", type "Allow". This will make sure that everyone in the LAN can access the PBX.
Next entry: Address "0.0.0.0", net mask "0.0.0.0", type "Block". This entry will disable all packets by default (enter this as the last one, otherwise you will not be able to access the system any more).
Next entry: Address "213.1.2.3", net mask "255.255.255.255", type "Allow". This will give the remote worker access to the PBX. Repeat the same entry for other IP addresses.
Next entry: Address "12.23.34.45", net mask "255.255.255.248", type "Allow". This entry is intended for the IP addresses of the ITSP.
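The example list evaluated with the matching rules from "How it works", as an added Python sketch that is not the PBX's own code. The names `compile_list` and `decide` are hypothetical, and ordering by mask length is an assumed reading of "more specific addresses are checked first".

```python
import ipaddress

# The five entries from the example above: (address, net mask, type).
EXAMPLE_LIST = [
    ("127.0.0.1", "255.255.255.255", "Allow"),
    ("192.168.0.0", "255.255.0.0", "Allow"),
    ("0.0.0.0", "0.0.0.0", "Block"),
    ("213.1.2.3", "255.255.255.255", "Allow"),
    ("12.23.34.45", "255.255.255.248", "Allow"),
]


def compile_list(entries):
    """Turn (address, mask, type) rows into networks, most specific first."""
    rules = []
    for address, mask, kind in entries:
        # strict=False clears the host bits, so 12.23.34.45 with mask
        # 255.255.255.248 covers 12.23.34.40 through 12.23.34.47.
        net = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        rules.append((net, kind))
    # Assumption: "more specific" means a longer mask (larger prefix length).
    rules.sort(key=lambda rule: rule[0].prefixlen, reverse=True)
    return rules


def decide(rules, source):
    """Return "Allow" or "Block" for one source address."""
    src = ipaddress.ip_address(source)
    for net, kind in rules:
        # IPv4 and IPv6 are checked separately: an entry of the other
        # address family can never match this source.
        if net.version == src.version and src in net:
            return kind
    # No match, or an empty list: the request is accepted.
    return "Allow"


if __name__ == "__main__":
    rules = compile_list(EXAMPLE_LIST)
    # Constructed sample sources; 2001:db8::1 is a documentation address.
    for source in ("192.168.5.10", "213.1.2.4", "12.23.34.41", "2001:db8::1"):
        print(source, decide(rules, source))
```

In this model an IPv6 source matches none of the IPv4 entries and falls through to "no match", so the "0.0.0.0" Block entry does not cover it.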

