The IP whitelist module collects all IPs that send H.323 setups or SIP invites to your switch, independently of switch CDRs, from raw packets. If the number of per-hour occurrences of new IPs that are not in the whitelist exceeds a preset threshold, you will be alerted. The IP whitelist can be accessed by adding an IP whitelist screen.
This feature can be useful for catching unauthorized traffic originating from your server, either from your own VoIP switch, if it is cracked and its config is changed, or from a new switch installed by intruders. In the latter case, it could take a carrier several days to catch the extra traffic originating from their IPs that are open at their vendors, because no such traffic will be visible in the carrier's switch or billing. This is why the whitelist should be created independently, on a different server (a 5gVision logging server) that the intruders have no access to: any precautions at your switch will be bypassed if the server hosting the VoIP switch is compromised.
If the IP whitelist module is purchased, log collection via mirroring is the preferred method of setting up the logger (see Collection methods). When logs are collected over SSH, attackers can block log collection once the softswitch server is compromised. This is not possible with mirroring, as 5gVision will be able to get and analyze all the packets traveling through your network.
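The hourly check described above can be sketched as follows. This is an added example, not 5gVision's code: the record format, the whitelist range, the threshold and the function names are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample: one line per call-setup packet seen on the mirror port
# (timestamp, source IP, signaling message). Not real traffic.
SAMPLE_EVENTS = """\
2024-05-01T10:02:11 192.0.2.10 SIP_INVITE
2024-05-01T10:05:40 192.0.2.11 H323_SETUP
2024-05-01T10:17:03 198.51.100.7 SIP_INVITE
2024-05-01T11:01:15 198.51.100.7 SIP_INVITE
2024-05-01T11:03:22 198.51.100.7 SIP_INVITE
2024-05-01T11:09:48 203.0.113.5 H323_SETUP
2024-05-01T11:30:00 192.0.2.10 SIP_INVITE
2024-05-01T11:59:59 not-an-ip SIP_INVITE
"""

# Assumed whitelist (documentation address range) and message labels.
WHITELIST = [ipaddress.ip_network(n) for n in ("192.0.2.0/28",)]
SETUP_MESSAGES = {"SIP_INVITE", "H323_SETUP"}


def is_whitelisted(ip):
    return any(ip in net for net in WHITELIST)


def hourly_alerts(text, threshold):
    """Return {hour: {ip: count}} for every hour in which call setups
    from non-whitelisted IPs exceed `threshold`."""
    per_hour = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in SETUP_MESSAGES:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # malformed record: skip it instead of aborting the run
        if not is_whitelisted(ip):
            per_hour[ts.strftime("%Y-%m-%d %H:00")][str(ip)] += 1
    return {h: dict(ips) for h, ips in per_hour.items()
            if sum(ips.values()) > threshold}


if __name__ == "__main__":
    for hour, ips in sorted(hourly_alerts(SAMPLE_EVENTS, threshold=2).items()):
        print(hour, "ALERT", ips)
```

Because the input comes from mirrored packets rather than from the switch, the count still reflects traffic that a compromised switch would leave out of its own CDRs.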
The main table of the IP whitelist module is Collected IPs, where you can see all collected IPs along with their leg, direction, customer and vendor.
The IP whitelist module is configured via the corresponding Whitelist config tables.