UCM Security Manual
UCM Security Manual
OVERVIEW ..................................................................................................................... 4
SIP/IAX Password................................................................................................................................ 11
SRTP.................................................................................................................................................... 14
TRUNK SECURITY....................................................................................................... 15
TLS ............................................................................................................................... 21
FIREWALL .................................................................................................................... 23
Static Defense Example: Blocking TCP Connection from a Specific Host ................................... 24
Dynamic Defense................................................................................................................................. 28
Page | 1
UCM Security Manual
Fail2ban ............................................................................................................................................... 28
AMI................................................................................................................................ 31
Page | 2
UCM Security Manual
Table of Figures
Figure 6: Registration Failed from Subnet Not Allowed for Registration .................................................... 13
Figure 18: Static Defense Blocking Host 192.168.40.142 Using TCP Connection .................................... 24
Page | 3
UCM Security Manual
OVERVIEW
This document presents a summary of security concerns on UCM. It covers the security risks and related
configurations that users need to consider when deploying the UCM.
• Web UI access
Web UI is secured by user login and login timeout mechanism. Two-level user management is
configurable. Admin with limited access can be created by the default super administrator.
• Extension security
This includes SIP/IAX password for authentication, IP access control and SRTP.
• Trunk security
Trunk security is achieved mainly by setting the privilege level, configuring source caller ID filter to filter
out outbound call requests from unwanted source
• TLS
This is to secure the SIP signaling.
• Firewall mechanism
Three types of firewall mechanism can be configured to protect UCM against malicious attacks: Static
Defense, Dynamic Defense (UCM6510 and UCM6102/UCM6202/UCM6204/UCM6208 only) and
Fail2ban.
• AMI
Using AMI feature comes with security concerns for UCM administrators to consider.
This document is subject to change without notice. The latest electronic version of this document is available
for download here:
http://www.grandstream.com/support
Reproduction or transmittal of the entire or any part, in any form or by any means, electronic or print, for
any purpose without the express written permission of Grandstream Networks, Inc. is not permitted.
Page | 4
UCM Security Manual
WEB UI ACCESS
The UCM embedded web server responds to HTTP/HTTPS GET/POST requests. Embedded HTML pages
allow users to configure the device through a web browser such as Microsoft IE, Mozilla Firefox, Google
Chrome and etc. This is the most important tool to configure all the settings on the UCM. It’s also the
immediate interface for the administrator to access configurations, user status and all the system
information. Therefore, it’s crucial to understand that directly placing the UCM on public network could
expose the domain name / IP address of the UCM and pose serious security concerns.
Protocol Type
HTTP and HTTPS web access are supported to access the UCM web UI. It can be configured under web
UISettingsHTTP Server. The protocol type is also the protocol used for zero config when the endpoint
device downloads the config file from the UCM. Therefore, it’s recommended to use HTTPS instead of
HTTP to secure the transactions and prevent unauthorized access.
Note also that by default we are using HTTP/HTTPS ports that are different from the well know ports 80
and 443.
Finally, users have the option to specify a list of UP to 10 IP addresses which will be allowed to access the
UCM web GUI, otherwise the connection will be refused for any IP address not figuring in the white list.
Page | 5
UCM Security Manual
User Login
UCM web UI access is restricted by user login. Username and password are required when logging in to
web UI.
The factory default value of “Username” is “admin” while the default random password can be found on the
sticker at the back of the unit.
Page | 6
UCM Security Manual
Note: Units manufactured starting January 2017 have a unique random password printed on the sticker.
Older units and UCM6100 series have default password “admin”.
It is highly recommended to change the default password after login for the first time.
To change the password for the default user “admin”, go to web GUISettingsChange Password page.
The new password has to be at least 4 characters. The maximum length of the password is 30 characters.
The minimum requirement for the login password is as below if “Enable Strong Password” (on web GUI
PBXInternal OptionsGeneral) is turned on:
Strong password with a combination of numbers, lowercase alphabet characters, uppercase characters
and special characters is always recommended to protect your login.
Page | 7
UCM Security Manual
Login Settings
An authenticated user of the UCM web UI may log in the system and then leave the active session on a
terminal unattended without intentionally logging-off from the system. An adversary with access to the
terminal could then have access to the UCM, meaning all the configuration and status information could be
exposed and changed intentionally or unintentionally.
UCM provides protection from such vulnerability using login timeout. After the user logs in the UCM web UI,
the user will be automatically logged out after certain timeout. This timeout value can be specified under
UCM web GUIMaintenanceChange InformationLogin Settings page. In the case that the user doesn’t
make any operation on web GUI within the timeout period, the user will be logged out automatically and the
web UI will be redirected to the login page, requiring password to access the web pages.
If the login timeout period is set to a short enough time, the chances of an adversary gaining access to an
unattended terminal are significantly reduced. However, the timeout period cannot be too short that an
authenticated user becomes annoyed by frequent automatic logouts during normal use. Therefore, users
shall set it to a value according to actual usage and situation. The default value of login timeout is 10
minutes.
Along with the login timeout feature, the UCM supports also user banning upon unsuccessful login attempts
with the possibility to configure the maximum number of allowed failed login attempts as well as settings
the ban period as shown on the below figure.
Page | 8
UCM Security Manual
User Management Levels
Super administrator can access all pages on UCM web UI, change configuration for all options and execute
all the operations, while normal administrator created by super administrator has limited access. Normal
administrator can access all pages on UCM web UI except the following:
• MaintenanceUpgrade
• MaintenanceBackup
• MaintenanceCleaner
• MaintenanceReset/Reboot
• SettingsUser ManagementOperation Log
A “Super Admin” user with username “admin” is innately configured in the UCM at the factory setting. It is
the only allowed “Super Admin” account and cannot be deleted and changed. This super administrator
could create, edit and delete new user accounts with lower privileges “Admin”, “Custom” and “Consumer”.
Super Admin also has the authority to view operations done by all the users in web
GUIMaintenanceOperation Log where normal users with lower privilege level “Admin” don’t have
access.
If there are more than one PBX administrator required to manage the UCM in your enterprise, it’s highly
recommended for the super administrator to create lower privilege administrators in order to manage the
UCM together, instead of handing out super administrator password to all the other users who may need
access the UCM web UI. The super administrator can also monitor the operation log to keep a record as
well as ensure no abnormal operations done on the PBX.
While In case the super admin wants to assign some users specific privileges, the custom privilege user
level can be helpful by giving him access to one or more of the following items:
Page | 9
UCM Security Manual
To create a new custom privilege level, navigate to the web UI menu MaintenanceUser
ManagementCustom Privilege, the name the new custom user level and assign the desired modules as
shown on the figure below.
From the security perspective, this feature can be helpful by giving each person the level of access that
they just need, no more nor less.
The last user access level is the “Consumer” level, this is the default assigned one for user portal access
where each user can access the UCM portal using his/her extension number and password in order to
manage their own data and benefit from the value-added feature. This way normal users don’t have access
to configuration modules/items than can affect the whole system and cannot access to advanced
maintenance operations.
P a g e | 10
UCM Security Manual
EXTENSION SECURITY
SIP/IAX Password
When creating a new SIP/IAX extension, the UCM administrator is required to configure “SIP/IAX Password”
which will be used for account registration authentication.
If “Enable Random Password” (on web GUIPBX SettingsGeneral Settings) is enabled, “SIP/IAX
Password” is automatically filled with a randomly generated secure password when creating the extension
on the UCM.
If “Enable Strong Password” (on web GUI PBX SettingsGeneral Settings) is enabled, the password
must be alphanumeric which should contain numeric digit and at least one lower case alphabet or upper-
case alphabet, or special character.
It is recommended to use random password and strong password to reduce the chance that the password
being guessed or cracked out.
The UCM administrator could control what IP address(s) is allowed to register to a certain extension by
editing “strategy” option under extension configuration dialog“Media” tag. Make sure to configure the
“strategy” option to the smallest set to block registration attempts from anyone that doesn’t need to register
to the account.
• “Local Subnet Only”: allows register requests from local IPs only. By default, the local subnet where the
UCM is location is allowed. User could also add more local subnets where devices are allowed to
register to this extension.
• “A Specific IP Address”: allows register requests from one user specified IP only.
• “Allow All”: the registration address is the entire Internet which is least recommended.
2. Under UCM web UI extension dialog, configure “Local Subnet Only” for “Strategy” option and
192.168.40.0 for “Local Subnet”.
P a g e | 11
UCM Security Manual
Figure 5: Strategy – Local Subnet Only
Now if the SIP end device is in subnet other than 192.168.40.x, e.g., 172.18.31.x subnet, the UCM will not
allow registration using this extension. The following figure shows the SIP device IP address is 172.18.31.17.
The UCM on IP 192.168.40.171 replies 404 Not Found for the registration request.
P a g e | 12
UCM Security Manual
Figure 6: Registration Failed from Subnet Not Allowed for Registration
Once moving this device to 192.168.40.x subnet, registration will be successful. The following figure shows
the IP address for the same SIP end device is 192.168.40.190. The UCM on IP address 192.168.40.171
replies 200 OK for the registration request.
P a g e | 13
UCM Security Manual
SRTP
SRTP is supported on UCM to secure RTP audio stream during the call. By default, it’s disabled. To use it,
please configure under extension configuration dialog“Media” tab when creating/editing an extension. If
SRTP is enabled, RTP data flow will be encrypted.
As shown above, users have two options while enabling SRTP under extension parameters:
▪ Enabled and forced: On this case, the extension does support SRTP for secure audio and doesn’t
allow any calls without SRTP.
▪ Enabled But Not Forced: The extension does support SRTP, but can allow negotiation to setup
calls without SRTP in case the other end doesn’t support it.
P a g e | 14
UCM Security Manual
TRUNK SECURITY
A potential risk for trunks is that unwanted users may gain the authority to make international or long-
distance calls. This will result in unexpected high charges before the UCM administrator notices this. Usually
this high cost is due to improper configurations on the UCM. Therefore, administrators must be extremely
cautious when configuring those trunks that will be charged by placing certain calls, for example, PSTN
trunks or SIP trunks with international call capability.
Four methods are supported on UCM to control outbound rule permissions and users can apply one of
them to the outbound rule.
1. Privilege Level
2. Enable Filter on Source Caller ID
3. Password protection
4. PIN groups
Please make sure to configure it to allow only the desired group of users to call from this route.
Privilege Level
On the UCM, the supported 4 privilege levels are “Internal”, “Local”, “National” and “International” from the
lowest to the highest. Outbound calls through trunk can be placed only if the permission level assigned to
the caller is higher or equal to the privilege level of the outbound rule. Outbound call requests from users
with privilege lower than the outbound rule will be rejected.
P a g e | 15
UCM Security Manual
Please configure the privilege for the outbound rule high enough to restrict the extensions allowed to call
external numbers via this trunk.
Instead of using privilege level, UCM administrator could specify the extensions/extension groups that are
allowed to use the outbound rule. This can be done by selecting extension/extension groups or defining
pattern for the source caller ID in “Custom Dynamic Route” field. The extension allowed to make outbound
call will either need to be an extension in the selected list or match the defined pattern.
Please specify the extension or the pattern here to the minimal set so that only the desired users can dial
out from this outbound route.
For detailed configuration instructions, please refer to MANAGING OUTBOUND ROUTE section in white
paper: How to manage inbound/outbound route on UCM6510/6100
Password protection
For even more security, users could protect the outbound rule with a password that will be requested by
the UCM from the callers in order to allow outbound calls. Users can set the password on each outbound
on the specified field as shown on the figure below.
P a g e | 16
UCM Security Manual
Figure 11: Password Protection
PIN Groups
In some cases, multiple users do share same phone (ex: phone on public mode with user login), and the
shared phone can be used to make outbound calls, the administrator on this case can set the outbound
rule protection mode to PIN groups where each user should enter his PIN code in order to be allowed to
make outbound calls through trunks. In order to set PIN group protection, the admin should follow below
steps:
P a g e | 17
UCM Security Manual
3. Save and apply, then on your outbound routes you can select the created group and each time one
the PIN group members tries to make outbound call, he/she will be requested to enter their PIN
code as a security protection.
P a g e | 18
UCM Security Manual
IVR Dial Trunk
When creating/editing an IVR, the administrator could decide whether to allow the calls entering the IVR to
make outbound calls through trunks by configuring “Dial Trunk” and “Permission”. If “Dial Trunk” option is
enabled, the caller calling into the IVR will be able to dial external numbers through a trunk if the IVR’S
permission is higher than or equal to the privilege of the trunk. The potential risk here is that unwanted
users may call into IVR and then dial external number. This could possibly generate expected high charges
especially if an IVR is configured as the destination of an inbound route of a PSTN trunk, in which case,
anyone can call into the IVR and then dial out to long distance or international calls.
We recommend disabling “Dial Trunk” option unless the risk associated with it is clearly understood or the
PBX administrator intentionally configures it to do so for specific reasons. If it has to be enabled, please
configure the “permission” as secure as possible to restrict the authorized callers to be known users.
For more information about IVR permissions, please refer to IVR PERMISSION section in white paper:
How to manage inbound/outbound route on UCM6510/6100
P a g e | 19
UCM Security Manual
Allow Guest Calls
“Allow Guest Calls” option can be found on web GUIPBX SettingsSIP SettingsGeneral page. We
highly recommend NOT to turn on this option for any deployments. Enabling “Allow Guest Calls” will stop
the PBX from authenticating incoming calls from unknown or anonymous callers. In that case, hackers get
the chance to send INVITE to UCM and the UCM will place the call without authentication. This can result
in high toll charges. The administrator might also want to check CDR regularly to make sure there is no
suspicious calls in the early stage of deployment.
P a g e | 20
UCM Security Manual
TLS
The UCM administrators may consider securing SIP packets sent across an untrusted network. Using TLS
could be a solution. It will authenticate servers and clients, and then encrypt SIP messages between the
authenticated parties.
TLS can be configured under UCM web GUIPBX SettingsSIP SettingsTCP/TLS page.
2. Configure “TLS Do Not Verify”, “TLS Self-Signed CA” and “TLS Cert” properly to achieve basic TLS
authentication and encryption.
P a g e | 21
UCM Security Manual
• TLS Self-Signed CA
This is used when UCM acts as a client, to authenticate the server. If the server the UCM connecting
to uses a self-signed certificate, you should have their certificate installed here so authenticity of
their certificate can be verified. If the server uses a certificate that is signed by one of the larger
CAs, you should install a copy of server CA certificate here.
• TLS Cert
This is used when UCM acts as a server. It’s sent to the client during TLS handshake. The TLS
Cert should include the key and server certificate. The “common name” field in the server certificate
should match the server host (either IP or domain name). This is required if the client side is another
UCM (not a standard, some clients do not have this requirement for server authentication). If not
matching, authentication on the UCM (client) fails and the TLS connection cannot get established.
Please note that administrator also needs configure “SIP Transport” to be “TLS” on the SIP endpoint device
to encrypt SIP messages sent to the UCM.
P a g e | 22
UCM Security Manual
FIREWALL
The firewall functionality provided by UCM model consists of Static defense, Dynamic defense and Fail2ban.
User could manually configure each of the three options to block certain malicious attack.
Static Defense
It can be configured from Web UISystem SettingsSecurity SettingsStatic Defense. One main purpose
of static defense is using pre-configured filtering rules. Three type of filtering rules are supported, ACCEPT,
REJECT, and DROP. UCM administrator can configure filtering rules based on source/destination IP
addresses and ports. For example, if a remote host allowed to connect to a certain service using port X is
known with IP x.x.x.x, the administrator can create an ACCEPT rule to allow traffic from IP x.x.x.x destined
to port X on UCM.
1. Ping Defense
Once enabled, ICMP response will not be allowed for Ping request. This is a predefined mechanism in
order to protect flooding Ping attack.
2. SYN-Flood Defense
Once enabled, UCM can response to the SYN flood denial-of-service (DOS) attack.
3. Ping-of-Death defense
Once enabled, UCM can response to the Ping packet that is greater than 65,536 bytes.
P a g e | 23
UCM Security Manual
Static Defense Example: Blocking TCP Connection from a Specific Host
This example demonstrates how to set up a new rule to block a host with a specific IP address to connect
to UCM using TCP connection. In the following figure, 192.168.40.142 is the host IP address and
192.168.40.131 is the UCM’s IP address. Port 8089 on UCM is used for HTTP server/web UI access. This
setting will block host on 192.168.40.131 to access UCM port 8089 using TCP connection.
Figure 17: Static Defense Blocking Host 192.168.40.142 Using TCP Connection
After saving and applying the change, host 192.168.40.142 will not be able to access UCM web UI anymore.
P a g e | 24
UCM Security Manual
Figure 18: Host blocked by UCM
The UCM can be accessed via SSH connection by default. The SSH access provides device status
information, reboot, reset and limited configuration capabilities. It is recommended to disable it once the
UCM is deployed for security purpose. This can be done using static defense.
P a g e | 25
UCM Security Manual
Figure 19: UCM SSH Access
Configuration steps:
1. In UCM web UISystem SettingsSecurity SettingsStatic Defense page, click on “Create New
Rule”.
P a g e | 26
UCM Security Manual
Figure 20: Block SSH Connection
Now SSH connection to the UCM will not be allowed anymore from any host.
P a g e | 27
UCM Security Manual
Figure 22: SSH Connection Blocked by UCM
Dynamic Defense
The UCM Dynamic Defense model also allows users to customize the connection threshold and time
interval, meaning users can manually set the period for the max connection made by individual IP address.
In addition, whitelist is supported so that certain hosts will not be blocked by Dynamic Defense.
Fail2ban
Fail2Ban is mainly designed to detect and prevent intrusion for authentication errors in SIP REGISTER,
INVITE and SUBSCRIBE method. It can be configured from Web UISystem SettingsSecurity
SettingsFail2ban. Users can customize the maximum retry times that one host can attempt in a period of
time. If a host initiates attempts which exceed maximum retry times, it will be banned by UCM for a certain
amount of time. User can also add a whitelist for the host that will not be punished by this defensive
mechanism.
Fail2Ban can be enabled in the UCM web UISystem SettingsSecurity SettingsFail2Ban. By default,
Fail2Ban is disabled (see figure below).
P a g e | 28
UCM Security Manual
Figure 23: Fail2Ban Default Configuration
Banned Duration: This specifies the amount of time the IP address will be blocked by UCM. By default, it is
set to 10 mins (600s).
Max Retry Duration: This specifies the amount of time one IP host can connect to the UCM. If in this period
the host connection exceeds the maximum connection limit, it will be banned for the “Banned Duration”. By
default, it is set to 10 mins (600s).
Max Retry: This speficies the amount of times a host can try to connect to the UCM during “Max Retry
Duration. If the host connection exceeds this limit within Max Retry Duration, it will be banned for the
“Banned Duration”. By default, it is set to 5 times.
Fail2Ban Whitelist: user can add desired IP address into the whiltelist in order to bypass this restriction. By
default, 127.0.0.1/8 is set to the loopback address.
P a g e | 29
UCM Security Manual
Figure 24: Asterisk Service Fail2Ban setting
If Fail2Ban is enabled under “Global Settings”, user must select “Asterisk Service” under “Local Settings”
in order for it to take effect. Starting from firmware version 1.0.15.13, UCM Fail2ban feature works on all
type of ports (UDP, TCP and TLS). Users can then define the value for “MaxRetry” which will override the
"MaxRetry" value under "Global Settings". “Max Retry” specifies the number of authentication failures
during "Max Retry Duration" before the host is banned and the default value is 5.
In addition to defending against hostile SIP messages, Fail2Ban can now be configured to defend against
login attacks. Excessive login attempts will ban IP addresses from accessing the UCM web UI, users could
enable the option as shown on the figure above.
Once enabled, and When the number of failed login attempts from an IP address exceeds the MaxRetry
number, that IP address will be banned from accessing the UCM Web UI.
Please note the listening port number is always kept the same as HTTP server number under UCM web UI
MenuSystem SettingsHTTP ServerPort.
P a g e | 30
UCM Security Manual
AMI
Asterisk Manager Interface (AMI) is supported on UCM with restricted access. The documentation can be
found in the following link:
http://www.grandstream.com/products/ucm_series/UCM/documents/UCM_ami_guide.pdf
Please do not enable AMI on the UCM if it is placed on a public or untrusted network unless you have taken
steps to protect the device from unauthorized access. It is crucial to understand that AMI access can allow
AMI user to originate calls and the data exchanged via AMI is often very sensitive and private for your UCM
system. Please be cautious when enabling AMI access on the UCM and restrict the permission granted to
the AMI user.
P a g e | 31
UCM Security Manual