Important Information about Creating SCCP Security Rules

You can configure security rules that allow SCCP calls through the Security Gateway. After the Rule Base is configured, all SCCP communication is fully secured by Inspection Settings.

Best Practice - Configure Anti-Spoofing on the interfaces of the Check Point Security Gateway.

  • The Call Manager manages SCCP clients (VoIP endpoints), which can be IP phones or Cisco ATA analog phone adapters. The Call Manager controls all the features of the endpoints. It requests data (such as station capabilities) from the VoIP endpoints and sends data (such as the button template and the date/time) to them.

  • Configure the Call Managers in SmartConsole as Host objects. Networks that contain directly-managed IP phones are also configured in SmartConsole. It is not usually necessary to configure Network Objects for individual phones. Cisco ATA devices that are managed by a Call Manager must be configured in SmartConsole, but the connected analog phones are not configured.

  • To allow VoIP calls, you must create rules that let VoIP control signals pass through the Security Gateway. It is not necessary to configure a media rule that specifies which ports to open and which endpoints can talk. The Security Gateway gets this information from the signaling. For a given VoIP signaling rule, the Security Gateway automatically opens ports for the endpoint-to-endpoint RTP/RTCP media stream.

  • Make sure to configure Keep all connections on the Security Gateway. Otherwise, the Security Gateway drops your SCCP connections every time you install the policy.

    1. Double-click your Security Gateway object.

    2. From the left tree, click Other > Connection Persistence.

    3. Select Keep all connections.

    4. Click OK.

    5. Install policy.

Sample SCCP Rules for Call Manager in Internal Network

Sample SCCP Rules for Call Manager in External Network

Sample SCCP Rules for Call Manager in the DMZ

Securing Encrypted SCCP

To secure encrypted SCCP, use these services in the Security Rule Base:

To create the rule for Secure_SCCP:

  1. Open Manage > Services > New > TCP.

  2. The Advanced TCP Service Properties window opens.

  3. Set the Name to: Secure_SCCP.

  4. Set the port to: 2443.

  5. Click Advanced.

  6. The Advanced TCP Service Properties window opens.

  7. Set the Protocol Type to: Secure_SCCP_Proto.

  8. Other: high_udp_for_secure_SCCP

When an SCCP phone is turned on and identified as Secure SCCP, the phone's IP address is added to the database of secure SCCP phones.

When RTP traffic arrives at the Security Gateway, it is allowed only if the source or destination is in the database of secure SCCP phones.
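The following Python model illustrates the two media-admission behaviors described on this page: cleartext SCCP signaling opens RTP/RTCP pinholes between the negotiated endpoints, and for Secure SCCP (whose signaling cannot be inspected) high UDP traffic is admitted only when the source or destination is in the database of secure phones. It is an added, constructed example, not Check Point's implementation; the cleartext SCCP port 2000 and the "high UDP" lower bound of 1024 are assumptions, while TCP/2443 is the Secure_SCCP service from this page.

```python
"""Constructed model of signaling-driven media admission for SCCP calls.

Not Check Point code. Assumptions: cleartext SCCP signaling is TCP/2000,
Secure SCCP is TCP/2443 (the Secure_SCCP service on this page), and
"high UDP" means both source and destination ports are >= 1024.
"""
from dataclasses import dataclass, field

SCCP_PORT = 2000          # assumed cleartext SCCP signaling port
SECURE_SCCP_PORT = 2443   # Secure_SCCP service port from the page
HIGH_UDP_MIN = 1024       # assumed lower bound for high_udp_for_secure_SCCP


@dataclass
class MediaAdmission:
    secure_phones: set = field(default_factory=set)  # IPs of Secure SCCP phones
    pinholes: set = field(default_factory=set)       # (src_ip, src_port, dst_ip, dst_port)

    def on_register(self, phone_ip: str, signaling_port: int) -> None:
        """A phone that registers over TCP/2443 is recorded as a secure SCCP phone."""
        if signaling_port == SECURE_SCCP_PORT:
            self.secure_phones.add(phone_ip)

    def on_media_negotiated(self, ip_a: str, port_a: int, ip_b: str, port_b: int) -> None:
        """Cleartext signaling exposed the media endpoints: open RTP and RTCP (port+1) both ways."""
        for off in (0, 1):
            self.pinholes.add((ip_a, port_a + off, ip_b, port_b + off))
            self.pinholes.add((ip_b, port_b + off, ip_a, port_a + off))

    def allow_media(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
        """Admit a UDP datagram only through a signaling pinhole or the secure-phone rule."""
        if (src_ip, src_port, dst_ip, dst_port) in self.pinholes:
            return True
        # Encrypted signaling cannot be read, so high UDP is admitted only when
        # one side of the flow is a phone already in the secure-phone database.
        high_udp = src_port >= HIGH_UDP_MIN and dst_port >= HIGH_UDP_MIN
        return high_udp and (src_ip in self.secure_phones or dst_ip in self.secure_phones)


if __name__ == "__main__":
    gw = MediaAdmission()
    gw.on_register("10.0.0.5", SECURE_SCCP_PORT)      # constructed secure phone
    gw.on_register("10.0.0.6", SCCP_PORT)             # constructed cleartext phone
    print(gw.allow_media("10.0.0.5", 24000, "10.0.1.9", 26000))   # secure phone: admitted
    print(gw.allow_media("10.0.0.6", 24000, "10.0.1.9", 26000))   # no pinhole yet: denied
    gw.on_media_negotiated("10.0.0.6", 24000, "10.0.1.9", 26000)
    print(gw.allow_media("10.0.1.9", 26001, "10.0.0.6", 24001))   # RTCP via pinhole: admitted
```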

  1. In SmartConsole, in the Manage & Settings tab, go to Blades > General, select Inspection Settings.

    The Inspection Settings window opens.

  2. From the General tab, in the search window, enter MGCP.

    A list of Settings options shows.

  3. Double-click the setting that you want to configure.

  4. Make your changes and click OK.