Have you ever read/watched Harry Potter and the Order of the Phoenix?
If so you may remember that our heroes hunker down at a safe house – the aptly addressed “12 Grimmauld Place” – in order to hide from the increasingly powerful dark witches and wizards allied with Lord Voldemort.
They are very keen to protect themselves from the Death Eaters, so in addition to all the usual locks and spells to prevent anyone breaking into the house, they go one step further: the house itself cannot be seen unless you know it’s there.
This idea – of security through invisibility – is equally important in the real world. The best way to stay secure on the internet is to be invisible – if no-one is trying to hack you then you’ll be fine… but if a team of dedicated expert hackers really have it in for you, then eventually they’ll find a path to your front door.
So what does this have to do with your Perimeta Session Border Controller?
Well, it turns out that there’s one small setting in your Perimeta configuration that controls whether your SBC is invisible. It’s part of each service-interface, and the setting is named network-security.
This setting can have one of three different values, which can be a little confusing at first.
- trusted: you should only mark a service-interface as trusted if it’s connected to your core network – to a private network that you fully control. Any packets that arrive on this interface will be routed without any blacklisting rules applied.
- untrusted-priority: this value is designed for managed networks (e.g. a fiber network communicating with on-premise PBXs) that you don’t directly control but which nevertheless aren’t open to random parties. Any packets that arrive on this interface will be subject to both dynamic and static blacklisting rules, but even packets from random IP addresses will get a response.
- untrusted: this is the value that should be used for access networks accessible through the public internet. The default policy for any packets arriving on this interface is that they should be dropped, unless they are part of an existing registration, or an attempt to create a new registration. You can whitelist specific IPs to be treated differently, but by default all requests are considered dangerous and will be ignored.
Importantly, while both untrusted-priority and untrusted seem pretty secure, an interface set to untrusted is harder for hackers to find, because it won’t respond to random SIP messages. Like 12 Grimmauld Place, it’s (mostly) invisible.
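To make the difference between the three modes concrete, here is an added, simplified Python model of the policy described above. It is not Perimeta code: the dynamic-blacklist threshold, the exact whitelist and registration handling, and the probe scenario are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Outcomes for one inbound SIP request. "answer" means the SBC itself sends a
# reply (e.g. a 401 challenge or an OPTIONS response), so the host is visible.
DROP, ANSWER, ROUTE = "drop", "answer", "route"


@dataclass
class ServiceInterface:
    mode: str                                     # trusted | untrusted-priority | untrusted
    static_blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)   # consulted only in untrusted mode
    registered: set = field(default_factory=set)  # source IPs holding a registration
    failures: dict = field(default_factory=dict)  # failed REGISTERs per IP (dynamic blacklist)
    dynamic_threshold: int = 3                    # assumed value, not Perimeta's real rule

    def handle(self, src_ip, method, creds_ok=False):
        """Decide what happens to a request from src_ip ("OPTIONS", "REGISTER", ...)."""
        if self.mode == "trusted":
            return ROUTE                          # core network: no blacklisting at all
        blacklisted = (src_ip in self.static_blacklist
                       or self.failures.get(src_ip, 0) >= self.dynamic_threshold)
        if blacklisted:
            return DROP
        if src_ip in self.registered or (self.mode == "untrusted" and src_ip in self.whitelist):
            return ROUTE                          # existing registration or whitelisted IP
        if method == "REGISTER":                  # a new registration attempt is processed
            if creds_ok:
                self.registered.add(src_ip)
                return ROUTE
            self.failures[src_ip] = self.failures.get(src_ip, 0) + 1
            return ANSWER                         # the challenge/rejection goes back
        # unsolicited non-REGISTER traffic from an unknown IP: the key difference
        return ANSWER if self.mode == "untrusted-priority" else DROP


def probe_visibility(mode, probe_ip="203.0.113.9"):
    """Constructed scenario: an unknown host sends OPTIONS, then three bad
    REGISTERs, then OPTIONS again. Returns (first reaction, reaction afterwards)."""
    si = ServiceInterface(mode)
    first = si.handle(probe_ip, "OPTIONS")
    for _ in range(3):
        si.handle(probe_ip, "REGISTER", creds_ok=False)
    return first, si.handle(probe_ip, "OPTIONS")


if __name__ == "__main__":
    for mode in ("trusted", "untrusted-priority", "untrusted"):
        print(mode, probe_visibility(mode))
```

Only the untrusted interface stays silent from the very first unsolicited packet; untrusted-priority answers until the dynamic blacklist kicks in, and trusted routes everything.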
If you’re curious to check on the visibility of your SIP SBCs, check out shodan.io. This website describes itself as a search engine for the internet of things – in other words you can type “metaswitch” into the search box, and get a list of all SIP user agents running Metaswitch software that can easily be found on the internet. If someone were looking to hack a VoIP service provider this would be a great place to start – so if you can stay invisible, then maybe the hackers will try to pick someone else’s lock.