Network design feedback for security

bradleyland
We've got our Operator Box 3210 set up and working well, but I had some struggles with configuring it to work behind our ZyXEL USG 50 router/firewall. After a lot of fighting with NAT setup and one-way audio when more than 1 simultaneous call is up, I took a step back and decided to take a different approach.

We have two internet connections, both cable internet with static IP assignments. One is connected to our ZyWALL USG 50, and the other directly to the Operator Box 3210. I'm primarily concerned about security. The recommendation in the Kerio manual is to keep the operator box behind a firewall, but the interop issues with our ZyWALL have forced me to reconsider that. Although, I am planning to try and work through those issues on my next visit to this office (I'm offsite).

I've attached a PDF of my network design along with some relevant details (Kerio Firewall rules). I've also tightened up the SIP password guessing rules under security to 3 guesses every 14 days, and blocking for 100 days. Am I crazy for running Operator this way? Any security recommendations?

ICT and Me
Hi Bradley,

What are the problems if you place Operator behind your ZyWALL?
I have the rules that we use in our Kerio Control or other UTM/Firewall solutions. In Kerio Operator we use 4 guesses within 10 minutes, blocked for 100 days. And of course use complex passwords on the extensions.
--------------
Inbound Rule:
Source : Internet Interfaces
Destination : Firewall
Service: Ping, RTP, SIP, TFTP, TCP ports 5061, 5090, UDP ports 5065, 5090, 8000, 8002, 10000-20000
Action : Allow
Translation (mapping) : To IP of Operator

Outbound Rule:
Source : IP Operator
Destination : Internet Interfaces
Service: Ping, RTP, SIP, TFTP, TCP ports 5061, 5090, UDP ports 5065, 5090, 8000, 8002, 10000-20000
Action : Allow
Translation (NAT) : To the right Interface
------------------

I hope this can help you.

ICT and Me
Carlo Turk
The Netherlands
www.ictandme.nl
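Added example (editor's code, not Kerio Control's own rule engine and not part of the post above): a small parser for the "Service:" line of the inbound rule, used to answer what that rule admits from any Internet source. The explicit port list is the one from the post; the expansion of the named services Ping, SIP, TFTP and RTP, the probe ports, and the list of "LAN-only" services are assumptions to verify against your own product's service definitions.

```python
import re

# Expansion of the named services in the rule. These are ASSUMPTIONS about
# what the firewall's predefined services contain; check your own product.
NAMED_SERVICES = {
    "ping": [("icmp", 0, 0)],
    "sip": [("udp", 5060, 5060), ("tcp", 5060, 5060)],
    "tftp": [("udp", 69, 69)],
    "rtp": [("udp", 10000, 20000)],
}

# Services a PBX normally exposes only to the LAN, whatever the WAN rule says.
SENSITIVE = {
    "tftp provisioning": ("udp", 69),   # unauthenticated; phone configs carry SIP credentials
    "snmp": ("udp", 161),
    "asterisk ami": ("tcp", 5038),      # Asterisk manager interface default port
}

# Service line of the inbound rule quoted in the post.
INBOUND_SERVICE = ("Ping, RTP, SIP, TFTP, TCP ports 5061, 5090, "
                   "UDP ports 5065, 5090, 8000, 8002, 10000-20000")

PORT_GROUP_RE = re.compile(r"(tcp|udp)\s+ports?\s+([\d,\s-]+)", re.IGNORECASE)


def parse_service(spec, named=NAMED_SERVICES):
    """Turn a 'Service:' line into a list of (proto, low, high) entries."""
    entries = []
    remainder = spec
    for m in PORT_GROUP_RE.finditer(spec):
        proto = m.group(1).lower()
        for item in m.group(2).split(","):
            item = item.strip()
            if item:
                lo, _, hi = item.partition("-")
                entries.append((proto, int(lo), int(hi or lo)))
        remainder = remainder.replace(m.group(0), ",")
    # Whatever is left are named services ("Ping", "SIP", ...).
    for token in remainder.split(","):
        token = token.strip().lower()
        if token:
            if token not in named:
                raise ValueError(f"unknown named service: {token}")
            entries.extend(named[token])
    return entries


def allows(entries, proto, port):
    """True if a packet with this protocol/port matches one of the rule's entries."""
    return any(p == proto and lo <= port <= hi for p, lo, hi in entries)


def exposed_sensitive(entries, sensitive=SENSITIVE):
    """Names of LAN-only services that the rule lets any Internet source reach."""
    return sorted(name for name, (proto, port) in sensitive.items()
                  if allows(entries, proto, port))


if __name__ == "__main__":
    rules = parse_service(INBOUND_SERVICE)
    for proto, port in [("udp", 5060), ("udp", 69), ("tcp", 443), ("udp", 10200)]:
        print(proto, port, "allowed" if allows(rules, proto, port) else "dropped")
    print("sensitive services reachable from the Internet:", exposed_sensitive(rules))
```

With the assumed expansion, the rule admits TFTP (UDP 69) from every Internet source; that is the provisioning path a later reply in this thread says should be limited to the local network, so it is the entry to tighten first if the rule is copied as-is.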

Vladimir Toncar (Kerio)
Hi,

The recommendation to run Operator behind a firewall is meant to provide an additional layer of security. It is OK to connect Operator directly to the internet, especially if you tighten the SIP security rules. I recommend that you also check your Operator firewall settings for automatic provisioning of the hardware phones (should be allowed from the local network only).

Vladimir

bradleyland
ICT and Me wrote on Wed, 12 March 2014 04:24
What are the problems if you place Operator behind your ZyWALL?

When we run the Kerio behind the ZyWALL, we can't get two simultaneous calls going. The first call works fine, but the second call has one-way audio: users behind the firewall can hear the caller, but the caller cannot hear users behind the firewall.

On the ZyWALL, I have the firewall configured to allow most of the same ports, but I didn't see some of the ones you're using in the documentation. The ZyWALL uses "zones", which describe network areas by host or subnet. You configure your firewall rules using those zones.

Zones:
WAN: WAN interfaces (two of them)
LAN1: Our LAN network ID and subnet (we only have 1 LAN network defined)

Services:
SIP-RTP: TCP 5060, 5061; UDP 10000-10499
(Note: Our Kerio is configured to use 10000-10499 RTP/UDPTL port range.)

Firewall:
Allow From: WAN, to: LAN1 -- Service: SIP-RTP

Policy Route:
Route to WAN2: Service: SIP-RTP

NAT:
Incoming WAN2: map WAN2_PUB_IP to KERIO_LAN_IP for service SIP-RTP.

I work remotely, so I didn't have a chance to do a deep dive, but when I'm back in this office in April, I plan on doing a packet capture with the one-way audio and turning up firewall logging to debug so I can see what's failing.
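What to look for in that capture, as an added example that is not from the thread and not Kerio's code: a Python check over a SIP INVITE as it would appear on the WAN side. One-way audio behind NAT usually comes from signalling that advertises something the other side cannot use: an RFC 1918 address in the SDP c= line or in Contact/Via, or an RTP port outside the range the firewall forwards. The sample INVITE, its addresses and the finding codes are constructed; the 10000-10499 range is the one the post states.

```python
import ipaddress
import re

# Constructed sample: an INVITE as it can look on the WAN side when a PBX behind
# NAT has not rewritten its own address. Not a real capture.
SAMPLE_INVITE = (
    "INVITE sip:+15551230000@sip.provider.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:2001@192.168.1.20>;tag=1928301774\r\n"
    "To: <sip:+15551230000@sip.provider.invalid>\r\n"
    "Contact: <sip:2001@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 123 123 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 10502 RTP/AVP 0 8 101\r\n"
)

# RTP/UDPTL range the post says Operator is configured for (and the firewall forwards).
RTP_RANGE = (10000, 10499)

# Address space the far side of a NAT can never reach.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",   # CGNAT, link-local, loopback
)]
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def is_unroutable(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in UNROUTABLE)


def parse_sip(text):
    """Split a SIP request into (request line, {header: [values]}, SDP lines)."""
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, [ln for ln in body.split("\r\n") if ln]


def sdp_media(sdp_lines):
    """Return the session-level c= address and [(media type, port)] from m= lines."""
    conn, media = None, []
    for line in sdp_lines:
        if line.startswith("c="):
            conn = line.split()[-1]
        elif line.startswith("m="):
            fields = line.split()
            media.append((fields[0][2:], int(fields[1])))
    return conn, media


def check_invite(text, rtp_range=RTP_RANGE):
    """Return (code, detail) findings that would explain audio missing in one direction."""
    _, headers, sdp_lines = parse_sip(text)
    findings = []
    conn, media = sdp_media(sdp_lines)
    if conn and is_unroutable(conn):
        findings.append(("sdp_private_addr",
                         f"c={conn}: the far end will send its RTP to an address it cannot reach"))
    for kind, port in media:
        if not rtp_range[0] <= port <= rtp_range[1]:
            findings.append(("rtp_port_outside_range",
                             f"{kind} port {port} is outside the forwarded range "
                             f"{rtp_range[0]}-{rtp_range[1]}"))
    for hname in ("via", "contact"):
        for value in headers.get(hname, []):
            m = IPV4_RE.search(value)
            if m and is_unroutable(m.group(0)):
                findings.append((f"{hname}_private_addr",
                                 f"{hname.title()} advertises {m.group(0)}; "
                                 "responses and re-INVITEs will miss the PBX"))
    return findings


if __name__ == "__main__":
    for code, detail in check_invite(SAMPLE_INVITE):
        print(f"{code}: {detail}")
```

Run it against the INVITE and the 200 OK of the second, failing call from the capture; which side goes silent depends on whose RTP is dropped, so compare the findings with the direction of the missing audio rather than assuming.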

bradleyland
Vladimir Toncar (Kerio) wrote on Wed, 12 March 2014 09:35
It is OK to connect Operator directly to the internet, especially if you tighten the SIP security rules.

Thanks, Vladimir. That's encouraging. I did some poking around to see what the iptables rules looked like, and it looks pretty tight. These are my current SIP security and Firewall settings:

Firewall
  • Web server: Local clients
  • SIP: All IP addresses
  • Hardware phone provisioning: Local clients
  • CRM integration (AMI): All IP addresses
  • SNMP monitoring: Local clients


SIP Security
  • Allow only secure connections: enabled
  • Max duration of outgoing call: 3 hours
  • Protection against SIP password guessing:
    • Number of unsuccessful SIP logins: 3
    • Per time period: 14 days
    • Block source IP for 100 days
    • Send email notification: enabled
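Added example (editor's code, not from the thread and not Kerio's implementation) that models the two password-guessing settings quoted in this thread, 4 failures per 10 minutes (ICT and Me) and 3 per 14 days (this post), both blocking the source IP for 100 days, and replays them over a constructed set of login attempts. It shows the trade-off: the long window catches an attacker who spaces guesses hours apart, which the short window never sees, but it also blocks a source after three typos spread over eleven days, and because blocking is per source IP, a NAT address shared by several phones is blocked as one. The addresses, timestamps, and the choice that a successful login does not clear earlier failures are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class SipGuessGuard:
    """Block a source IP after `max_failures` failed SIP logins within `period`.

    Models the "N unsuccessful SIP logins per time period, block source IP for
    D days" setting. Assumption not stated on the page: a successful login does
    not clear earlier failures from the window.
    """

    def __init__(self, max_failures, period, block_for):
        self.max_failures = max_failures
        self.period = period
        self.block_for = block_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> datetime the block expires
        self.first_block = {}               # ip -> datetime of the first block

    def is_blocked(self, ip, now):
        return ip in self.blocked_until and now < self.blocked_until[ip]

    def record(self, ip, now, success):
        """Feed one login attempt; return True if the source is blocked afterwards."""
        if self.is_blocked(ip, now):
            return True                     # already blocked: the packet is dropped
        if success:
            return False
        window = self.failures[ip]
        window.append(now)
        while window and window[0] < now - self.period:
            window.popleft()                # forget failures older than the window
        if len(window) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            self.first_block.setdefault(ip, now)
            window.clear()
            return True
        return False


def simulate(max_failures, period, block_for, events):
    """Replay (ip, timestamp, success) events; return ip -> ISO time of first block or None."""
    guard = SipGuessGuard(max_failures, period, block_for)
    for ip, ts, ok in sorted(events, key=lambda e: e[1]):
        guard.record(ip, ts, ok)
    return {ip: (guard.first_block[ip].isoformat() if ip in guard.first_block else None)
            for ip, _, _ in events}


# Constructed attempts (addresses and times are made up for the example).
T0 = datetime(2014, 3, 12, 0, 0)
SLOW_ATTACKER = "198.51.100.7"   # one guess every two hours for two days
FAST_ATTACKER = "198.51.100.9"   # six guesses one second apart
OFFICE_NAT = "203.0.113.5"       # two typos, a success, then one more typo eleven days later

SAMPLE_EVENTS = (
    [(SLOW_ATTACKER, T0 + timedelta(hours=2 * i), False) for i in range(25)]
    + [(FAST_ATTACKER, T0 + timedelta(hours=34, seconds=i), False) for i in range(6)]
    + [(OFFICE_NAT, T0 + timedelta(hours=9), False),
       (OFFICE_NAT, T0 + timedelta(hours=9, minutes=1), False),
       (OFFICE_NAT, T0 + timedelta(hours=9, minutes=2), True),
       (OFFICE_NAT, T0 + timedelta(days=11, hours=9), False)]
)

# The two settings quoted in the thread.
POLICY_SHORT_WINDOW = dict(max_failures=4, period=timedelta(minutes=10), block_for=timedelta(days=100))
POLICY_LONG_WINDOW = dict(max_failures=3, period=timedelta(days=14), block_for=timedelta(days=100))


def compare_policies(events=SAMPLE_EVENTS):
    """Run both settings over the same events; returns policy -> {ip: first block}."""
    return {"short_window": simulate(events=events, **POLICY_SHORT_WINDOW),
            "long_window": simulate(events=events, **POLICY_LONG_WINDOW)}


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(name, result)
```

If legitimate phones reach Operator through a single NAT address, a 100-day block on that address takes every phone down at once; the email notification in the settings above is what tells you that has happened.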

Filip Jenicek (Kerio)
Hi,

Since you have SIP and AMI open to the Internet, I suppose you have some users connecting from outside the office. I believe you haven't mentioned it. Otherwise I'd advise you to restrict these services as well.

Filip

bradleyland
Those are great questions. Those configurations are based on some assumptions that might be incorrect.

All of our phones are behind the router/firewall, with no outside users connecting. I have SIP open to the internet because I assumed our carrier (Flowroute) would need to communicate with Kerio via SIP for incoming calls. Is that incorrect? I'd love to restrict SIP to local clients if I could.

AMI is open because we are doing Salesforce integration. Can you confirm that setting is required as well?

Filip Jenicek (Kerio)
Great, you can safely disable access to both services.

a) When Operator connects to a SIP provider, it doesn't need to have ports 5060, 5061 open.
b) Salesforce doesn't use AMI.

Have a nice day,
Filip

bradleyland
When I set 'Allow access to: SIP: Local clients', then place a test call to our primary number, I get a busy signal. As soon as I change it back, I can get through. I must be missing something.

I closed AMI.

silars
I have to do the same thing. I assumed it was because it was SIP UDP, instead of TCP.

However, if Filip is saying otherwise, I'm wondering what I'm missing as well.

Filip Jenicek (Kerio)
Sorry for misleading you, of course you're right :-). Asterisk listens on 5060 for incoming UDP packets, so it must stay open.