Traffic collector manual

The IP whitelist helps you detect intrusions into your VoIP network by analyzing all the IP addresses collected from the signaling packets.

Overview

The IP whitelist module collects, from raw packets and independently of switch CDRs, all IPs that send H.323 SETUPs or SIP INVITEs to your switch. If the number of per-hour occurrences of new IPs that are not in the whitelist exceeds a preset threshold, you will be alerted. The IP whitelist can be accessed by adding an IP whitelist screen.

This feature can help catch unauthorized traffic originating from your server, either from your own VoIP switch, if it has been cracked and its config changed, or from a new switch installed by intruders. In the latter case, it can take a carrier several days to notice the extra traffic originating from its IPs, which are open at its vendors; none of that traffic is visible in the carrier's own switch or billing. This is why the whitelist should be maintained independently, on a separate server (a 5gVision logging server) that the intruders have no access to: any precautions taken on the switch itself are bypassed once the server hosting the VoIP switch is compromised.

If the IP whitelist module is purchased, log collection via mirroring is the preferred method of setting up the logger (see Collection methods). When logs are collected over SSH, attackers can block log collection once the softswitch server is compromised. This is not possible with mirroring, as 5gVision receives and analyzes all the packets traveling through your network.

The main table of the IP whitelist module is Collected IPs, which lists all collected IPs together with their leg, direction, customer and vendor.

Configuration of the IP whitelist module is made via the corresponding Whitelist config tables.

Collected IPs

All collected IPs are added to the Collected IPs table. The system distinguishes packets on the basis of several parameters:
  • IP collected from traffic packets - source or destination IP address of the packet.
  • Port - source or destination port of the packet.
  • Dir SRC/DST - source or destination information of the packet was taken into account.
So if the system collects packets with an identical IP and port, there can still be two records in the table, differentiated by direction.

The table contains records with the following information included:
  • Leg and direction - leg number and direction of the packet, detected by correlating the Dir SRC/DST value with the Customer, Vendor or own switch parameters.
  • IP net match from the White List - IP or IP net against which the collected IP was matched. If the collected IP does not match any defined pattern, the red label IP NOT FOUND! is displayed.
  • Customer, Vendor or own switch - entity to which the matched IP is supposed to belong.
  • SIP invites and H323 setups - number of SIP INVITEs or H.323 SETUPs sent to or arriving from the collected IP within the specified interval.
For your convenience, you can add the desired IP(s) to the whitelist from this screen by selecting the required row or rows, opening the pop-up menu and selecting Add selected to White List.

Whitelist config

IP whitelist configuration consists of several tables:
  • WL customers - needed to detect unauthorized traffic not originating from your customers.
  • WL vendors - needed to detect unauthorized traffic terminating to vendors.
  • WL own switch - needed to detect pirate switches installed on the same server as your own switch.
  • Own nets - needed to detect which IPs belong to customers/vendors and can never be assigned to a pirate switch in your network.
By default, all users can edit these tables, but access to add, edit or remove customers, vendors, own switches and nets in the whitelist can be restricted to certain users; send a request to 5gVision support for this. You may manually add IPs and nets against which the collected IPs are matched in the WL customers, WL vendors and WL own switch tables. IPs auto-added via the Collected IPs screen also appear in the first two of these tables.

To add an allowed IP or IP net to the WL customers table, click the green plus. A new record will be added to the table, with the following parameters:
  • Status - whether the record is enabled (and takes part in IP matching) or disabled.
  • Whitelist Customer IP/net - define the IP or net against which the collected IPs will be tested.
  • Whitelist Customer port range - define the port or port range against which the collected ports will be tested.
  • Customer name - optional information about the customer, to which the IP belongs.
  • Last change, GMT - date and time when the record was added or edited the last time.
  • Change mode - if the IP was added through this screen, the column shows Added manually; if it was added from the Collected IPs screen via the pop-up menu, it shows Added from collected.
  • Last editing user - ID of the user who last edited the record.
  • Comment.
To save the added row, click Save. To discard the changes before they are saved, click Cancel.

To edit or remove a record, select it in the table and click the pen or red cross button respectively.

The WL vendors and WL own switch tables have similar parameters.

In the Own nets table, enter the full networks you own in which your VoIP switches are located.
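The following Python script is an added illustration of the matching and alerting logic described in the Overview, Collected IPs and Whitelist config sections above; it is not 5gVision code and does not reproduce the product's internals. It assumes a whitelist made of (table, IP or net, port range, name, enabled) rows, a stream of signaling packets from which both the source and the destination endpoint are collected, and an alert when the number of distinct non-whitelisted IPs seen in one hour exceeds a threshold. All addresses, ports and timestamps are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed whitelist config, modelled on the WL customers / WL vendors /
# WL own switch tables. Rows: (table, IP or net, port range, name, enabled).
# Addresses are RFC 5737 documentation ranges, not values from the manual.
WHITELIST = [
    ("WL customers", "198.51.100.0/24", "5060-5061", "Customer A", True),
    ("WL vendors", "203.0.113.10", "5060", "Vendor B", True),
    ("WL vendors", "203.0.113.20", "5060", "Vendor C (disabled)", False),
    ("WL own switch", "192.0.2.5", "any", "Main softswitch", True),
]

# Constructed signaling packets as the collector would see them on a mirror port.
# The hour-11 burst from 192.0.2.9 (an address nobody whitelisted) is the
# "pirate switch" case the manual describes.
PACKETS = [
    {"time": "2024-01-01T10:05", "type": "SIP INVITE", "src_ip": "198.51.100.7", "src_port": 5060, "dst_ip": "192.0.2.5", "dst_port": 5060},
    {"time": "2024-01-01T10:06", "type": "SIP INVITE", "src_ip": "192.0.2.5", "src_port": 5060, "dst_ip": "203.0.113.10", "dst_port": 5060},
    {"time": "2024-01-01T10:20", "type": "H323 SETUP", "src_ip": "192.0.2.5", "src_port": 1720, "dst_ip": "203.0.113.20", "dst_port": 1720},
    {"time": "2024-01-01T11:01", "type": "SIP INVITE", "src_ip": "192.0.2.9", "src_port": 5060, "dst_ip": "203.0.113.55", "dst_port": 5060},
    {"time": "2024-01-01T11:02", "type": "SIP INVITE", "src_ip": "192.0.2.9", "src_port": 5060, "dst_ip": "203.0.113.56", "dst_port": 5060},
    {"time": "2024-01-01T11:03", "type": "SIP INVITE", "src_ip": "192.0.2.9", "src_port": 5060, "dst_ip": "203.0.113.57", "dst_port": 5060},
]


def parse_port_range(spec):
    """'5060' -> (5060, 5060); '5060-5061' -> (5060, 5061); 'any' -> (0, 65535)."""
    if spec.strip().lower() == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def compile_whitelist(entries):
    """Turn enabled rows into (table, ip_network, (lo, hi), name); disabled rows take no part in matching."""
    compiled = []
    for table, net, ports, name, enabled in entries:
        if enabled:
            compiled.append((table, ipaddress.ip_network(net, strict=False), parse_port_range(ports), name))
    return compiled


def match_whitelist(compiled, ip, port):
    """Return (table, matched net, name) for the first row whose net and port range cover ip:port, else None."""
    addr = ipaddress.ip_address(ip)
    for table, net, (lo, hi), name in compiled:
        if addr in net and lo <= port <= hi:
            return table, str(net), name
    return None


def collect_ips(packets, compiled):
    """Build the Collected IPs view: one row per (ip, port, direction) with its match and signaling counts."""
    rows = {}
    for pkt in packets:
        for ip, port, direction in ((pkt["src_ip"], pkt["src_port"], "SRC"), (pkt["dst_ip"], pkt["dst_port"], "DST")):
            row = rows.setdefault((ip, port, direction), {
                "ip": ip, "port": port, "dir": direction,
                "sip_invites": 0, "h323_setups": 0,
                "match": match_whitelist(compiled, ip, port),
            })
            row["sip_invites" if pkt["type"] == "SIP INVITE" else "h323_setups"] += 1
    return rows


def describe(row):
    """Render one row the way the table labels it, including the IP NOT FOUND! marker."""
    m = row["match"]
    label = f"{m[1]} ({m[0]}: {m[2]})" if m else "IP NOT FOUND!"
    return f"{row['ip']}:{row['port']} {row['dir']} -> {label}; SIP {row['sip_invites']}, H323 {row['h323_setups']}"


def unknown_ips_per_hour(packets, compiled):
    """Distinct non-whitelisted IPs per hour; both ends of every packet are tested."""
    per_hour = defaultdict(set)
    for pkt in packets:
        hour = pkt["time"][:13]  # 'YYYY-MM-DDTHH'
        for ip, port in ((pkt["src_ip"], pkt["src_port"]), (pkt["dst_ip"], pkt["dst_port"])):
            if match_whitelist(compiled, ip, port) is None:
                per_hour[hour].add(ip)
    return per_hour


def alerts(packets, compiled, threshold):
    """Hours in which the count of new non-whitelisted IPs exceeds the preset threshold."""
    return sorted(h for h, ips in unknown_ips_per_hour(packets, compiled).items() if len(ips) > threshold)


if __name__ == "__main__":
    wl = compile_whitelist(WHITELIST)
    for row in collect_ips(PACKETS, wl).values():
        print(describe(row))
    print("alert hours (threshold 2):", alerts(PACKETS, wl, 2))
```

Two details worth noticing when running it: the own switch appears as two rows (192.0.2.5:5060 SRC and 192.0.2.5:5060 DST), which is the direction split described under Collected IPs, and the disabled Vendor C row produces an IP NOT FOUND! entry for 203.0.113.20 even though its address is in the table, because disabled rows are excluded from matching.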