It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Phone System

What are security best practices for SIP on the Barracuda Phone System?

  • Type: Knowledgebase
  • Date changed: one year ago
Solution #00006729

All Barracuda Phone Systems 

Signalling Ports 

The Barracuda Phone System sends and receives SIP INVITEs on both port 5060 and 5065. Public unauthenticated callers can place calls directly via SIP URI over port 5060. If a caller places a call inbound over port 5060 to a valid extension, the telephony engine will attempt to route the call to the destination dialed. If the telephony engine cannot route the call because the number dialed does not exist as a valid extension on the system, the call will show up as a zero second call in the Call Detail Records along with the caller's IP address. The hangup cause code will be NO_ROUTE_DESTINATION. More resources are expended on calls received on port 5060 because the system has to evaluate if the number dialed is a valid extension. 

 If the caller attempts to place a call out a route configured on the PROVIDERS > Call Routing page the call will be denied as well. These will also show up as zero second calls in the CDRs. This is known as grey routing. This is the process of routing calls through an exposed phone server in order to make the calls for free. The Barracuda Phone System does not allow any inbound public calls to route without first being processed and authorized by an internal router, such as configuring a call router to forward to an external number. 

Callers using port 5065 (i.e. provisioned phones, generic sip devices, etc..) are required to register first before placing any calls inbound or outbound. Therefore, if a malicious party attempts to place a call first without registering, a 401 challenge will be sent requesting the caller authenticate. If the caller does not authenticate correctly, the call will be rejected. Compared to callers on port 5060, there are significant less system resources used on port 5065 due to this automatic 401 challenge. 

Potential Attack Vectors 

It is possible that malicious callers could initiate a denial of service attack or place 'phantom' phone calls to internal destinations on port 5060. To mitigate the potential for these scenarios, use firewall rules on your edge firewall (if using the LAN port) or set up firewall rules on the WAN port firewall (CONFIGURATION > Security page) to only allow authorized IP addresses inbound on port 5060. 

Examples include: 
*SIP provider signalling addresses 
*IP addresses of remote sites or other IP PBXes that signal over port 5060.  (i.e. IP-based sites configured on the CONFIGURATION > Sites page that are 'automatically authorized') 

For the case of port 5065, depending on your configuration, it may be administratively burdensome to create firewall rules for each authorized IP address, however, the probability of a DoS attack is significantly reduced because of the inherent security of this port.  'Phantom calls' are not possible over port 5065. 

Outbound International Route Hardening Considerations

In addition to firewall rules, best practices for outbound international calling are outlined below. Increasing the security of your international call routes will decrease the risk of an attack being able to grey route calls through your Barracuda Phone System. 

Remove international call route if it is not required: 
? By default, no outbound call routes exist on Barracuda Phone System. If the international call route was added and you do not require international dialing, be sure that it is not listed in the call routing section of the web interface. This can be accomplished by navigating to Providers>Call Routing>select the international route, and click delete selected. 

Add forced authentication to international call routing: 
? If you do require international dialing, you can add forced authentication to the existing route template by placing ;authenticate=true after the regular expression for international calls. This will play a tone before the call goes through in which the user must authenticate using their voicemail PIN before the call will complete. This can be accomplished in the web interface by navigating to Providers>Call Routing and editing the existing international call route. 

Example regular expression: ^(011\d{8,18})$:::$1;authenticate=true 

Add dial prefix to international call routing: 
? An additional layer of protection may be added by putting a prefix on international dialing (example: 999). This can be accomplished in the web interface by navigating to Providers>Call Routing and editing the existing international call route. 

Example regular expression: ^999(011\d{8,18})$:::$1 

Add Group restriction to the international call route: 
? You may also limit international call routing to specific groups of users. This can be accomplished by adding a restriction to a route from Providers>Call Routing. You may select from any existing group. This pairs well with the authentication option listed above. 

Add Site restriction to the international call route: 
? To create a site, navigate to Configuration>Sites and add a Subnet/IP address site. You may then specify the IP range that will be allowed. Next, you can apply the restriction from the Providers>Call Routing page.

Link to this page: