Important Information about Creating SCCP Security Rules

You can configure security rules that allow SCCP calls through the gateway. After the Rule Base is configured, all SCCP communication is fully secured by Inspection Settings.

Best practice - Configure anti-spoofing on the Check Point gateway interfaces. SCCP has a centralized call-control architecture.

Sample SCCP Rules for Call Manager in Internal Network

Sample SCCP Rules for Call Manager in External Network

Sample SCCP Rules for Call Manager in the DMZ

Securing Encrypted SCCP

To secure encrypted SCCP, use these services in the Security Rule Base:

To create the TCP service Secure_SCCP:

  1. Open Manage > Services > New > TCP.
  2. The Advanced TCP Service Properties window opens.
  3. Set the Name to: Secure_SCCP.
  4. Set the port to: 2443.
  5. Click Advanced.
  6. The Advanced TCP Service Properties window opens.
  7. Set the Protocol Type to: Secure_SCCP_Proto.
  8. Other: high_udp_for_secure_SCCP

When an SCCP phone is turned on and identified as Secure SCCP, the phone's IP address is added to the database of secure SCCP phones.

When RTP traffic arrives at the gateway, it is allowed only if the source or destination is in the database of secure SCCP phones.

  1. From SmartConsole, in the Manage & Settings tab, go to Blades > General, select Inspection Settings.

    The Inspection Settings window opens.

  2. From the General tab, in the search window, enter MGCP.

    A list of Settings options shows.

  3. Double-click the setting that you want to configure.
  4. Make your changes and click OK.