Enabling Inspection Settings on MGCP

Inspection Settings add more than 80 protections and VoIP settings. It protects against malicious attacks by:

• Identifying attack signatures
• Identifying packets with protocol anomalies
• Ensuring RFC compliance
• Inspecting signaling protocols, verifying header formats and protocol call flow state

As part of Inspection Settings, VoIP protections can be:

• Enforced for different gateways using Inspection Setting profiles
• Monitored using Detect Mode

With Inspection Settings you can:

• Generate detailed logs with packet captures on VoIP security events
• Configure granular VoIP security for maximum flexibility in deployment and enforcement
• Add exceptions to specified VoIP protections

  For example, if you add an exception that allows non-RFC compliant SIP traffic on a specified VoIP server, security is not compromised for all other VoIP traffic.

Inspection Settings can be configured for each profile and can be:

• Prevent
• Detect
• Inactive

The Security Gateway has a number of Inspection Settings for MGCP. Inspection Settings protects against attacks by identifying attack signatures and identifying packets with protocol anomalies. Strict compliance is enforced with RFC-2705, RFC-3435 (version 1.0), and ITU TGCP specification J.171. In addition, all Inspection Settings network security capabilities are supported, such as inspection of fragmented packets, anti-spoofing, and protection against Denial of Service attacks.

Configuring MGCP Protections

To configure Inspection Settings:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter MGCP.

   In the Settings column, MGCP Inspection Settings shows.

   Double-click the service you want to configure. A window opens.

3. Double-click on the Inspection Profile of your choice. Select Advanced.
4. Check the boxes to enable the protections that you want.
5. Click OK.

Configuring MGCP Application Policy

Specified VoIP services can be blocked if the services:

• Consume more bandwidth than the IP infrastructure can support
• Do not comply with the organization's security policy

To configure Application Policy:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter MGCP.

   A list of Settings options shows.

3. Double-click the setting that you want to configure.
4. Make your changes and click OK.

Notes:

• Application Policy options are not intended to protect against attacks.
• Logging settings for each protection are configured for each profile.

Configuring MGCP Commands

Command Filtering blocks MGCP commands that must not be processed. MGCP command filtering makes it possible to block commands that the MGCP server does not support, or that you do not want the server to handle.

Supported MGCP Commands

There are nine MGCP commands. They are defined in RFC 3435 section 2.3. Commands can be sent by the MGCP server to the endpoint or from the endpoint to the MGCP server.

The Nine supported MGCP commands are:

• AuditConnection (AUCX)
• AuditEndpoint (AUEP)
• CreateConnection (CRCX)
• DeleteConnection (DLCX)
• EndpointConfiguration (EPCF)
• ModifyConnection (MDCX)
• NotificationRequest (RQNT)
• Notify (NTFY)
• RestartInProgress (RSIP)

To view enable supported commands:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter MGCP - Command Filtering.
3. Select a Profile > Advanced.

   Check the boxes for the commands that you want to support.

4. Click OK.

   It is possible to add new commands.

Important - If an MGCP server is flooded with requests that use commands that the server does not support, the server might experience an overload. An overloaded MGCP server will affect customer service levels.

User Defined MGCP Commands

RFC 3435 section 3.2.1.1 states: New verbs may be defined in further versions of the protocol. It may be necessary, for experimentation purposes, to use new verbs before they are sanctioned in a published version of this protocol. Experimental verbs MUST be identified by a four letter code starting with the letter X, such as for example XPER.

To add new commands:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter MGCP - Command Filtering.
3. Select a Profile > General Properties > Override with Action > Accept.
4. Select Advanced > (+) to add your command.
5. Click OK.

You can configure MGCP Command Filtering for these options:

• Block Unknown Commands

  Unknown commands are commands that do not show in the Blocked commands or Supported commands lists. By default, all unknown commands are blocked.

• User Defined Commands have SDP Header

  If user-defined commands include an SDP header and the option is selected, the gateway inspects the SDP header attached to the command. If this option is not selected, the SDP header is ignored.

When defining an MGCP command, you can specify if the command contains an SDP header. This VoIP security option parses the header and checks that it has the correct syntax. If the destination address and port in the header are allowed, the media connection is allowed through the gateway.

To block MGCP commands:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search go to Blawindow, enter MGCP.
3. Select a Profile > Advanced.
4. Check the boxes for the commands.
5. Click OK.

   A list of Settings options shows.

6. Double-click the setting that you want to configure.
7. Make your changes and click OK.

Configuring MGCP Engine Settings

To configure Engine Settings:

1. In the Manage & Settings tab, go to Blades > General, select Inspection Settings.

   The Inspection Settings window opens.

2. From the General tab, in the search window, enter MGCP - General Settings.

   The SIP - General Settings window opens.

3. Select Advanced and configure the fields.
4. Click OK.

Fields

• Hide NAT changes source port for MGCP

  Enabling this option configures the gateway to use Hide NAT on the:

  • IP address
  • Source port of the MGCP endpoint phones.

  With this option disabled, the gateway uses Hide NAT only on the IP address of the MGCP endpoint phones. This option must be enabled in environments where:

  • The gateway is configured for Hide NAT on the internal IP addresses of the endpoints
  • The MGCP server can register only one endpoint with a given IP address and port combination
• Block dynamic opening of ports for MGCP media channel

  A gateway dynamically opens ports for VoIP media channel, according to the information in the MGCP signaling connection. When you select this option, it prevents the opening of MGCP media channels. Do not select this option if an MGCP media channel passes through the gateway.