If you have a router running CME or a UC500 series using a SIP trunk then it's quite likely you had to expose it to the Internet via NAT for the SIP trunk to work. Now this can cause an expensive problem!
Cisco routers with voice gateway functionality trust SIP or H323 call signalling from any source by default. So if your router has outbound dial peers configured, someone can send SIP INVITEs to your router and, provided the dialled digits match a dial peer, it will connect the call. Now you may be thinking that there's no inbound dial peer to match the hacker's IP address, CODEC, DTMF relay settings, etc., but remember that any inbound VoIP call that doesn't match a dial peer gets handled by the default dial peer, so it's pretty easy to guess the settings needed to make a connection!
Originally the only way to lock down your router was to apply a suitable access list on the outside interface or on the router handling Internet access. Fortunately, in IOS 15.1(2)T Cisco finally got around to introducing enhanced toll fraud prevention.
Using Access Lists
SIP or H323 signalling should be restricted so that it is only accepted from the IP address of your SIP trunk provider, while RTP (media) traffic is still allowed. Below is an example access list that allows SSH and RTP traffic from anywhere but locks down the inbound SIP signalling to the trunk provider's address (146.101.248.200 in this example):
ip access-list extended OUTSIDE_IN
 remark Management access (SSH) from anywhere
 permit tcp any any eq 22
 remark SIP signalling only from the SIP trunk provider
 permit udp host 146.101.248.200 any eq 5060
 permit tcp host 146.101.248.200 any eq 5060
 remark RTP media from anywhere
 permit udp any any range 16384 32767
 deny ip any any log
The limitation with this method is that call signalling received from internal sources is still trusted, since the access list only applies to the outside interface. So if someone managed to hop onto your LAN they could potentially initiate calls from a rogue device.
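To make the limitation concrete, here is an added Python example (not from the original post) that models the OUTSIDE_IN access list above with IOS first-match semantics and the implicit deny at the end, applied inbound on the outside interface only. The "inside" interface with no access list, the interface names and the sample source addresses (203.0.113.9 and 192.168.1.50) are constructed for the example; 146.101.248.200 is the trunk address used in the post.

```python
import ipaddress

# Constructed model of the OUTSIDE_IN access list from the post.
# Each entry: (action, protocol, source network or "any", (low_port, high_port) or None).
OUTSIDE_IN = [
    ("permit", "tcp", "any", (22, 22)),                     # SSH from anywhere
    ("permit", "udp", "146.101.248.200/32", (5060, 5060)),  # SIP/UDP from trunk only
    ("permit", "tcp", "146.101.248.200/32", (5060, 5060)),  # SIP/TCP from trunk only
    ("permit", "udp", "any", (16384, 32767)),               # RTP media from anywhere
    ("deny", "ip", "any", None),                            # explicit deny (logged on IOS)
]

# Which interfaces have an inbound ACL. The LAN side has none, which is the gap
# the post describes: internal signalling is not filtered at all.
INTERFACE_ACLS = {"outside": OUTSIDE_IN, "inside": None}


def _src_matches(rule_src, src_ip):
    """Match a packet source against a rule's 'any' or host/network entry."""
    if rule_src == "any":
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_src)


def acl_action(acl, proto, src_ip, dport):
    """Evaluate an ACL the way IOS does: first matching entry wins, implicit deny."""
    for action, rproto, rsrc, ports in acl:
        if rproto != "ip" and rproto != proto:
            continue
        if not _src_matches(rsrc, src_ip):
            continue
        if ports is not None and not (ports[0] <= dport <= ports[1]):
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL


def signalling_allowed(interface, proto, src_ip, dport):
    """Would a packet arriving on this interface reach the voice gateway?"""
    acl = INTERFACE_ACLS.get(interface)
    if acl is None:
        return True  # no inbound ACL: everything is accepted
    return acl_action(acl, proto, src_ip, dport) == "permit"


if __name__ == "__main__":
    # SIP from the trunk provider is accepted, SIP from elsewhere on the Internet is not.
    print(signalling_allowed("outside", "udp", "146.101.248.200", 5060))  # True
    print(signalling_allowed("outside", "udp", "203.0.113.9", 5060))      # False
    # The same rogue INVITE from the LAN side is not filtered by this ACL at all.
    print(signalling_allowed("inside", "udp", "192.168.1.50", 5060))      # True
```

The last call is the point of the section: an interface ACL only protects the edge it is applied to, which is why the per-source trust list described next is the more complete control.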
Using Toll Fraud Prevention
IOS 15.1(2)T introduced the concept of trusted VoIP sources, allowing you to lock down which IP addresses can initiate a call regardless of the interface the call setup messages are received on. However, to maintain backward compatibility Cisco defaults to trusting all IP addresses. The list of trusted IP addresses is defined in the voice service voip section of the router's configuration; the default, which trusts everything, is shown below:
voice service voip
 ip address trusted list
  ipv4 0.0.0.0 0.0.0.0
So if you were to lock down the IP addresses, wouldn't it break your existing dial peers? Cisco thought of that: the router automatically adds any destination that is defined as an ipv4 session target in a dial peer to the trusted source list. You can display the dynamic list of trusted IP addresses with the show ip address trusted list command:
IP Address Trusted Authentication
Administration State: UP
Operation State: UP
IP Address Trusted Call Block Cause: call-reject (21)

VoIP Dial-peer IPv4 Session Targets:
Peer Tag   Oper State   Session Target
--------   ----------   --------------
1003       UP           ipv4:10.1.10.1
1005       UP           ipv4:10.1.10.1
1009       UP           ipv4:10.1.10.1
2001       UP           ipv4:10.1.10.1
2002       UP           ipv4:10.1.10.1

IP Address Trusted List:
ipv4 93.95.124.7 255.255.255.255
Here you can see that 5 entries were learnt from dial peers and 1 IP address has been manually configured. As my outbound dial peers used session target sip-server rather than an ipv4 target, the IP address of the SIP trunk was not learnt automatically and had to be manually configured in the trust list.
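As an added example (not from the original post), the following Python script parses the output of show ip address trusted list shown above and answers the two questions a defender wants after enabling this feature: would a given INVITE source be trusted, and is the default "trust everything" wildcard still present? The embedded show output is a constructed copy of the one in the post; the address 203.0.113.9 is a constructed untrusted source.

```python
import ipaddress
import re

# Constructed copy of the "show ip address trusted list" output from the post.
SHOW_OUTPUT = """\
IP Address Trusted Authentication
Administration State: UP
Operation State: UP
IP Address Trusted Call Block Cause: call-reject (21)

VoIP Dial-peer IPv4 Session Targets:
Peer Tag   Oper State   Session Target
--------   ----------   --------------
1003       UP           ipv4:10.1.10.1
1005       UP           ipv4:10.1.10.1
1009       UP           ipv4:10.1.10.1
2001       UP           ipv4:10.1.10.1
2002       UP           ipv4:10.1.10.1

IP Address Trusted List:
ipv4 93.95.124.7 255.255.255.255
"""

# Lines of the dial-peer table: "<tag> <state> ipv4:<host>[:<port>]"
_DIALPEER_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+ipv4:([\d.]+)")
# Lines of the configured list: "ipv4 <address> <netmask>"
_TRUSTED_RE = re.compile(r"^\s*ipv4\s+([\d.]+)\s+([\d.]+)\s*$")


def parse_trusted_sources(output):
    """Return (dial_peer_entries, configured_networks).

    dial_peer_entries is a list of (peer_tag, host) tuples learnt from dial peers;
    configured_networks is a list of ip_network objects from the manual trust list.
    """
    dial_peers = []
    networks = []
    for line in output.splitlines():
        m = _DIALPEER_RE.match(line)
        if m:
            dial_peers.append((int(m.group(1)), ipaddress.ip_address(m.group(3))))
            continue
        m = _TRUSTED_RE.match(line)
        if m:
            # ipaddress accepts "address/netmask" notation, including 0.0.0.0/0.0.0.0
            networks.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return dial_peers, networks


def is_trusted(src_ip, output=SHOW_OUTPUT):
    """Would call signalling from src_ip be accepted by the trust list?"""
    dial_peers, networks = parse_trusted_sources(output)
    ip = ipaddress.ip_address(src_ip)
    return any(ip == host for _, host in dial_peers) or any(ip in n for n in networks)


def trusts_everything(output=SHOW_OUTPUT):
    """True if the default 'ipv4 0.0.0.0 0.0.0.0' wildcard is still configured."""
    _, networks = parse_trusted_sources(output)
    return any(n.prefixlen == 0 for n in networks)


if __name__ == "__main__":
    print(is_trusted("93.95.124.7"))   # True  (manually configured trunk address)
    print(is_trusted("10.1.10.1"))     # True  (learnt from dial peers)
    print(is_trusted("203.0.113.9"))   # False (unknown Internet source)
    print(trusts_everything())         # False (wildcard has been removed)
```

Running trusts_everything() against the output of each voice gateway is a cheap configuration audit: a router still showing ipv4 0.0.0.0 0.0.0.0 has the feature enabled in name only.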
Note that phones registered with CME are excluded from this fraud prevention mechanism and so can still make calls regardless of the trust list; securing phone registration is a separate matter.