SCCP Security Rules

You can configure security rules that allow SCCP calls through the gateway. After the Rule Base is configured, all SCCP communication is fully secured by Inspection Settings.

• SCCP has a centralized call-control architecture. The CallManager manages SCCP clients, VoIP endpoints, which can be IP phones or Cisco ATA analog phone adapters. The CallManager controls all the features of the endpoints. The CallManager requests data (such as station capabilities) and sends data (such as the button template and the date/time) to the VoIP endpoints.
• The CallManagers are defined in SmartConsole, as Host objects. The networks containing directly-managed IP phones are also defined in SmartConsole. It is not usually necessary to define network objects for individual phones. Cisco ATA devices that are managed by a CallManager must be defined in SmartConsole, but the connected analog phones are not defined.
• To allow VoIP calls, you must create rules that let VoIP control signals pass through the gateway. It is not necessary to define a media rule that specifies which ports to open and which endpoints can talk. The gateway gets this information from the signaling. For a given VoIP signaling rule, the gateway automatically opens ports for the endpoint-to-endpoint RTP/RTCP media stream.
• Make sure to check Keep all connections or the firewall drops your connection every time you Install Policy.
  1. Double-click your gateway.

     The Check Point Security Gateway window shows.

  2. From General Properties > Other > Connection Persistence > Keep all connections > OK.

     Note - Rematch connections is selected by default.

Best practice - Configure anti-spoofing on the Check Point gateway interfaces.

SCCP-Specific Services

These predefined SCCP services are available:

Service	Purpose
TCP:SCCP	Used for SCCP over TCP
Other:high_udp_for_secure_SCCP	Used for media from Secure SCCP phones

Securing Encrypted SCCP

To secure encrypted SCCP, use these services in the Security Rule Base:

To create the rule TCP: Secure_SCCP:

1. Open Manage > Services > New > TCP.
2. The Advanced TCP Service Properties window opens.
3. Set the Name to: Secure_SCCP.
4. Set the port to: 2443.
5. Click Advanced.
6. The Advanced TCP Service Properties window opens.
7. Set the Protocol Type to: Secure_SCCP_Proto.
8. Other: high_udp_for_secure_SCCP

When an SCCP phone is turned on and identified as Secure SCCP, the phone's IP address is added to the database of secure SCCP phones.

When RTP traffic arrives at the gateway, it is allowed only if the source or destination is in the database of secure SCCP phones.

1. From SmartConsole, in the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter MGCP.

   A list of Settings options shows.

3. Double-click the setting that you want to configure.
4. Make your changes and click OK.

Configuring SCCP Security Rules

VoIP rule for this scenario:

Source	Destination	Services & Applications	Action	Comments
Net_A Net_B Call_Manager	Net_A Net_B Call_Manager	SCCP	Accept	Incoming and Outgoing calls

To configure the Rule Base for secure SCCP-based VoIP:

1. Define network objects (nodes or networks) for SCCP endpoints (Cisco ATA devices or IP phones) controlled by the CallManagers.
2. Define a Host object for the CallManager.
3. Define the SCCP VoIP rules.
4. Define other rules for SCCP and the other VoIP protocols. (SCCP interoperates with other VoIP protocols.)

   This rule lets all phones in Net_A and Net_B make calls to each other:

   • Net_A is the internal IP phone network
   • Net_B is the external IP phone network

     The CallManager (Call_Manager) can be in:

     • The internal or external network
     • A DMZ connected to a different interface of the gateway.
5. To secure encrypted SCCP over TCP connections:
   1. Create an identical rule
   2. In the Service cell, add only:
      • TCP:Secure_SCCP
      • Other:high_udp_for_secure_SCCP.
6. Install policy.

When you configure a security rule, if you do not want in-progress calls to be dropped, make this change:

1. From the Security Policies tab, in the search box at the top right of the screen, enter the service.
2. Double-click the service and a window opens.
3. Select Advanced > Override default settings.
4. Check the box Keep connections open after Policy has been installed.

Note - Even if the new policy does not allow calls like those in-progress, in-progress calls will not be dropped during Install Policy.