Securing SIP port

Posted: Tue Jan 14, 2014 3:19 am
by ryano
We have an Allworx 6x, and the WAN is directly connected to the ISP (no other firewall in front). We had an incident with a SIP account with a weak password and someone tried to call an international number, that wasn't on our phone system. I could see, because in the system events it was blocked (international calls are disabled at our SIP carrier), and you could tell from the Allworx call reports nobody tried to make the call. The passwords were all updated so it's not an issue anymore, and we don't use international calling, so not a big problem.

I presume there are people out there just scanning IP ranges and trying a telnet against every IP SIP port, and when they find a connection they just try multiple usernames and passwords to place a SIP call.

I'm wondering... since we don't need remote Allworx phones... and the only outbound or inbound calls come from a range of IPs at our SIP provider... is there any way to configure/harden the security on the Allworx to stop attempts to use our Allworx as a proxy from the outside? Or is it possible to say only allow incoming/outgoing requests with our SIP carrier IPs?

Perhaps the only option is to put a firewall in front of the Allworx to beef up security and have a firewall rule that only allows connections from the SIP IPs. Just wondering what is standard practice with others on this forum? We're on a pretty old version of Allworx (7.2.x) so perhaps some of you are aware of any updates in later versions that harden security?

Re: Securing SIP port

Posted: Wed Jan 15, 2014 10:58 am
by ONCOEngineer
ryano - there are definitely some updates that are geared toward improving security on the phone system regarding SIP, SMTP, and protection against DDoS attacks.

I was recently on 7.2.x myself, and upgraded to 7.5.x, and found that information in the release notes. I was upgrading to try fixing a non-security related issue.

My upgrade introduced some new "strange" behavior from an IP protocol perspective, something I'm still trying to find the root cause of and fix, but it's not a system-down issue. Suffice to say, depending on the firewall you have between your Allworx and the rest of the world, your firewall starts logging traffic denial events where the traffic is originating from the Allworx. I have a 24x, and thus far, Allworx tech support has not shed any light on the subject.

I would highly recommend you put some kind of firewall between your phone switch and the internet. This is just common and best network design practice.

Case in point: In another thread on this forum, I just found that a DoS attack against the port 25 of the Allworx is causing software corruption and requiring a rebuild of the phone system. Allworx Support's only fix is to change the port to a different high-port and reboot the phone switch.

I don't know if your 6x comes with the "Firewall" feature built in, but if it does, then to answer your question, you should be able to create rules that only allow SIP traffic (TCP/UDP 5060, UDP 2088, UDP 15000-15511) to/from your SIP carrier's IP Addresses. If you put a firewall in between your 6x and the internet, you'd do the same on that firewall.

Disclaimer: I'm not an Allworx Rep/Employee; I'm just an admin for an Allworx phone system. I do not have the firewall feature on my phone switch, so I can't guarantee my comments regarding the functionality of said feature on the Allworx platform.

Regards,
Mark
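
Added example, not part of either poster's message and not Allworx configuration: a shell function that prints an iptables-restore ruleset for the carrier-only allowlist described in the post above, assuming the third-party firewall is a Linux box forwarding traffic to the PBX. The PBX address, carrier ranges, chain name `VOIP_IN` and log prefix are constructed placeholders; the ports are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example. Assumption: a Linux firewall routes traffic to the PBX.
PBX_IP="192.0.2.10"                            # constructed placeholder address
CARRIER_NETS="198.51.100.0/24 203.0.113.0/24"  # constructed placeholder ranges

# Accept only digits, dots and a slash so nothing else reaches the ruleset.
valid_addr() {
    case $1 in
        ''|*[!0-9./]*) return 1 ;;
        *) return 0 ;;
    esac
}

# usage: sip_allowlist_rules <pbx-ip> <carrier-cidr> [<carrier-cidr> ...]
sip_allowlist_rules() {
    [ $# -ge 2 ] || { echo "need a PBX address and at least one carrier range" >&2; return 1; }
    pbx=$1
    shift
    for a in "$pbx" "$@"; do
        valid_addr "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    echo '*filter'
    echo ':VOIP_IN - [0:0]'
    # Voice ports from the thread: TCP/UDP 5060, UDP 2088, UDP 15000-15511.
    # Inserted at the top of FORWARD so an earlier broad accept cannot bypass them.
    echo "-I FORWARD 1 -d $pbx -p udp -m multiport --dports 5060,2088,15000:15511 -j VOIP_IN"
    echo "-I FORWARD 1 -d $pbx -p tcp --dport 5060 -j VOIP_IN"
    # Only the carrier's source ranges may reach those ports.
    for net in "$@"; do
        echo "-A VOIP_IN -s $net -j ACCEPT"
    done
    # Everyone else is logged (rate-limited) and dropped; the log lines show scan attempts.
    echo '-A VOIP_IN -m limit --limit 6/min -j LOG --log-prefix "sip-drop: "'
    echo '-A VOIP_IN -j DROP'
    echo 'COMMIT'
}

# Print the ruleset for review; load it with: iptables-restore --noflush
# shellcheck disable=SC2086  # word splitting of CARRIER_NETS is intended
sip_allowlist_rules "$PBX_IP" $CARRIER_NETS
```

Only inbound traffic to the PBX's voice ports is filtered; other traffic to and from the PBX is left to the firewall's existing rules.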

Re: Securing SIP port

Posted: Thu Feb 06, 2014 12:38 am
by ryano
ONCOEngineer - Thanks so much for your detailed response.

Our Allworx 6x does act as a firewall in NAT/Firewall with DMZ mode, and allows you to, for example, configure which LAN ports are exposed to the internet... but it does not provide the option to only allow SIP traffic from specific source IP addresses. At least not with the firmware I'm on. Just curious, do you see that option for your 24x on 7.5.x?

We're working on configuring a 3rd party firewall and will test that out with the Allworx. Thanks for your tip about the DoS attack on port 25... and that some firewalls deny certain events coming from the Allworx. I wonder if those might be SIP registration events, since a lot of those may be sent to the carrier.