# BRKCOL-3301: Expressway Security and Hardening Recommendations for Hybrid Work Scenarios

Luca Pellegrini, Technical Marketing Engineer
#CiscoLive
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

## Cisco Webex App

Questions? Use the Cisco Webex App to chat with the speaker after the session.

How:
1. Find this session in the Cisco Live Mobile App.
2. Click "Join the Discussion".
3. Install the Webex App or go directly to the Webex space (https://…).
4. Enter messages/questions in the Webex space.

Webex spaces will be moderated by the speaker until June 9, 2023.

## Your Expressway is Visible (massive scan)

## Selective DNS Scans

1. Get the list of newly registered domains.
2. DNS scan for collab records: `_sips._`, `_sip._`, `_sip._`, `_h323ls._`, `_h323cs._`, `_h323rs._`, `_sipfederationtls._`, `_sip._`
3. Get IP, port and collab protocol.
4. Start periodic scans.

## Agenda

- Introduction
- Expressway Security General Aspects
- Platform Hardening
- Enhanced Security
- Spam Call & Toll Fraud Mitigation through Firewall Integration
- Demo

## MRA Client & Endpoint Support

Webex Desk Series, 88XX Series, 78XX Series, Video Room Series (*), Webex Bar, Webex Room Series, 7832 & 8832
(Diagram: Internal Network with UCM / Webex DI, DMZ with Expressway-C and Expressway-E, External Network / Internet)

## B2B Call Flow

(Diagram: Internal Network with UCM, DMZ with Expressway-C and Expressway-E, Internet)

## Expressway Incoming Traffic

(Diagram: Internal Network with UCM, DMZ with Expressway-C and Expressway-E, Internet; inbound traffic types: SIP UDP, SIP TCP/TLS, HTTP/HTTPS, STUN)

The diagram shows the most common traffic used over the internet to attack an Expressway deployment. In the following slides we will learn best practices to block this traffic.

# Expressway Security General Aspects
## Expressway Incoming Traffic

Where do I block the traffic? What features should I enable on each server?
(Diagram: Expressway-E, Expressway-C and UCM with the features to enable: ACLs, CPL, Firewall Rules, Automated Detection, Search Rules, Inbound CSS, Rerouting CSS, ACLs)

## Firewall Traversal

Firewalls generally block unsolicited incoming requests, meaning that any calls originating from outside your network will be prevented. Firewalls can be configured to allow outgoing requests to certain trusted destinations, and to allow responses from those destinations. The traversal client constantly maintains a connection through the firewall to a designated port on the traversal server. All connections are initiated from the traversal client inside the firewall.
(Diagram: Expressway-E, Expressway-C.) Reference: Cisco Expressway IP Port Usage Configuration Guide.

## Expressway Incoming Traffic ACL

- Only open the required ports in the direction specified in the Expressway IP Port guide and block any other traffic.
- Here's a quick overview of the traffic for MRA.
- Off-premise clients initiate the connection to the Exp-E.
- TURN media and RTP/RTCP ports are different.
- Traffic on ports 5061, 8443 and 5222 uses TLS.
- Phone-only deployments don't need port 5222 open.

## Expressway Incoming Traffic ACL

- Expressway-C (traversal client) initiates the connection to Expressway-E (traversal server).
- 2776-2777 are demuxed ports used for RTP/RTCP in small/medium deployments.
- Large deployments use the first 12 ports from the Media Traversal port range.
- The XMPP port changes from 5222 to 7400.

## UDP Media Firewall Port Count on Expressway-E

How many ports need to be opened in the firewall?
- Full video call: audio, video, duo video, BFCP, iX, FECC. For each media line, an SRTP and an RTCP port. Total: 12 ports per call.
- Audio-only call: 2 ports per call.
- Phone deployment option with audio and video: 4 ports per call.
Example: 100 concurrent calls hitting Expressway: 1200 ports to be opened in the firewall (set the same value in the firewall).
Note: avoid B2BUA engagement on Expressway-E if you want to keep the number of ports low.

# Platform Hardening

## Cisco Expressway Platform

- Host-based intrusion protection
- Host-based firewall
- Third-party software installations NOT allowed
- OS and applications are installed with a single package
- Secure management (HTTPS, SSH, SCP)
- Audit logging

## Secure Physical and Console Access

- As is the case with most networking infrastructure, if physical access to Expressway servers is not secure, the password recovery mechanism can be used to compromise the system.
- Don't forget about access to the VMware management console.
- Use the Dedicated Management Interface (DMI) if possible and make it the sole interface for management traffic.

## Prepare for Multiple Administrators

- Avoid sharing a single admin account across multiple administrators.
- The configuration log is much more valuable when admins don't share a common username and password.
- Consider enabling per-account and system session limits (limits apply to web, SSH and console sessions).

## Administrator Access Level

Provide associate administrators, auditors, management, etc. an account with the minimum required access level (Auditor, Read-only, Read-write).

## Select Administrator Authentication Source

- Local only: credentials are verified against a local database stored on the Expressway (this option aligns with the typical security policy for DMZ hosts).
- Remote only: credentials are verified against an external credentials directory (i.e. Windows Active Directory). Note that this disables login access via the default admin account.
- Both: credentials are verified first against a local database stored on the Expressway, and then, if no matching account is found, the external credentials directory is used instead.

## Enable Strict Password Enforcement

Forbidden password dictionary.

## Minimize Access to Management Interfaces

- Console, SSH and the web interface are the primary management interfaces.
- Each of these interfaces can be completely disabled, if required.
- To disable SSH access for the root account, log in via SSH as root and send `rootaccess ssh off`.
- Alternatively, admins can limit access to the web and SSH interfaces with custom host-based firewall rules.

## Host-Based Firewall

- Expressway includes a host-based firewall (iptables) that allows admins to customize firewall rules.
- The Expressway host-based firewall should be used in conjunction with an external filtering firewall.

In case DMI is not configured:
1. Define high-priority firewall rules to allow management traffic from the trusted network.
2. Define low-priority firewall rules to block management traffic from all other networks.
3. Activate the new firewall rules, test from the trusted network and from an untrusted network, and confirm the new rules if the tests are successful.

## Host-Based Intrusion Protection

- Expressway includes a host-based intrusion protection system (fail2ban).
- When enabled, Expressway scans logs for signatures and establishes dynamic rules to block source IP addresses.
- This protects against brute-force attacks that originate from a single source IP address.
- When a blocked IP tries to access the system, the request is dropped by the firewall and no response is sent back to the source.

## Automated Detection

Intrusion Prevention automatically bans IPs matching the rules in each category.

## Automated Detection

Each category allows you to configure the timers and the trigger level. By default, the categories will try to match an event 5 times within 10 minutes and block the IP for 10 minutes. Under each category there are examples of the log messages the system uses to identify the unauthenticated traffic.

## Automated Detection for MRA

MRA clients trying to register can be blocked by the system if the HTTP categories are enabled, but this is a necessary protection to prevent attacks using HTTP traffic. We suggest that each customer customize the category settings to match their deployment. If you have multiple users connecting to the Expressway-E using the same public IP (satellite office/contractor), you want to keep the timers low in the HTTP categories. This way you prevent a couple of users typing their passwords incorrectly a day from blocking all the users in that remote location. Here's an example:

In order to avoid blocking a remote site because many users might misspell a password, you can configure exceptions in case of static remote IPs: Exemptions.

## Disable Unnecessary Protocols

- SIP UDP is easy to spoof, lacks an encrypted signaling option, and is generally not required for Expressway deployments.
- Verify SIP UDP is disabled under the Configuration > Protocols > SIP menu.
- Do not publish SIP UDP DNS SRV records (`_sip._udp`).
- H.323 may not be required for an Expressway deployment, and H.323 mode can be disabled from the Configuration > Protocols > H.323 menu.
- However, Expressway clustering requires H.323 between peers. Consider keeping H.323 enabled in clustered deployments.
- Use a firewall to block access to H.323 ports from the internet.
- Do not publish any H.323 DNS SRV records if filtering H.323 on the firewall.

## H.323

Required for clustering but insecure. Should be turned off if possible.

## Granular Control of Cipher Suites

Expressway offers the ability to change the cipher suites offered for the various protocols.

    EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:+ADH

- HIGH: larger than 128-bit keys
- MEDIUM: 128-bit keys
- Leading `!`: completely removed from the list
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

# Enhanced Security
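To see what a string like the one on this slide actually offers, expand it with the same OpenSSL cipher-list parser that Python's `ssl` module wraps. The following is an added example (not code from the deck or from Cisco) that expands the slide's string and flags what a reviewer would want to see: families the `!` entries were meant to remove, anonymous suites (which `+ADH` only moves to the end of the list), suites without forward secrecy that `HIGH` admits after `EECDH:EDH`, and CBC/SHA-1 suites that `-AES256+SHA` leaves in place because it targets only AES256. The marker lists and the report keys are this example's own choices; the exact expansion depends on the OpenSSL build Python links against.

```python
import ssl

# The cipher string shown on the slide, in OpenSSL cipher-list syntax.
EXPRESSWAY_CIPHERS = "EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:+ADH"

# Name fragments of the families the string is meant to drop (!3DES, !MD5, !PSK, !eNULL, !LOW, !MEDIUM).
# OpenSSL names its 3DES suites "DES-CBC3-...", so both spellings are checked.
WEAK_MARKERS = ("3DES", "DES-CBC3", "MD5", "RC4", "NULL", "PSK")
# Anonymous (unauthenticated) key exchange: "+ADH" only moves these to the end, it does not remove them.
ANON_MARKERS = ("ADH-", "AECDH-")


def expand_cipher_string(cipher_string):
    """Suite names OpenSSL selects for cipher_string (TLS 1.2 and below), in preference order.

    TLS 1.3 suites are negotiated separately and appear in get_ciphers() whatever the
    string says, so they are filtered out to show only what the string controls.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string):
    """Classify the expanded list so a reviewer can see what the box would actually offer."""
    names = expand_cipher_string(cipher_string)
    return {
        "offered": names,
        "weak": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        "anonymous": [n for n in names if n.startswith(ANON_MARKERS)],
        # Key exchange with forward secrecy (ephemeral ECDH or DH).
        "forward_secrecy": [n for n in names if n.startswith(("ECDHE-", "DHE-"))],
        # Static key exchange that HIGH lets through after EECDH:EDH.
        "no_forward_secrecy": [n for n in names
                               if not n.startswith(("ECDHE-", "DHE-") + ANON_MARKERS)],
        # CBC suites with a SHA-1 MAC that "-AES256+SHA" leaves in place (it only targets AES256).
        "cbc_sha1": [n for n in names if n.endswith("-SHA") and "GCM" not in n],
    }


if __name__ == "__main__":
    report = audit_cipher_string(EXPRESSWAY_CIPHERS)
    for key in ("weak", "anonymous", "no_forward_secrecy", "cbc_sha1"):
        print(f"{key:>20}: {report[key] or '-'}")
    print(f"{'offered':>20}: {len(report['offered'])} suites")
```

Run it and compare the `no_forward_secrecy` and `cbc_sha1` lists with what your policy allows. If anonymous suites should be gone rather than demoted, the slide's own rule applies: a leading `!` removes a family completely, so `!ADH` in place of `+ADH`.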
## Rate Limits for SIP, Edge and Management

- SIP: tcp 5060, 5061, 5062; udp 5060
- Edge: tcp 8443
- Management: tcp 22, 80; udp 161; tcp 443
- Enforced: traffic will be dropped
- Monitored: traffic will be logged

# Checking the Identity Through Certificates

## Encryption vs Authentication

Is an encrypted call secure?
(Diagram: DNS poisoning, spoofing, man-in-the-middle. The DNS answer for us-… points to 203.0.113.4, the hacker, and not to 192.0.2.10; encrypted media flows to the hacker because there is no certificate check.)

## Encryption vs Authentication

Can a SIP calling ID be trusted?
(Diagram: DNS, us-…, Calling ID: …)

## mTLS vs TLS Recap

- TLS: Client hello; Server hello followed by certificate.
- MTLS: Client hello; Server hello followed by certificate; Certificate Request.
(Diagram: client to Expressway-E in both cases)

## Checking B2B Calls Through Mutual TLS

- Certificate check on Expressway can be activated only if TLS verify is set to "On".
- Even if the fraudulent calling system/device has a certificate for …, it will never match ….
- For dedicated neighbours and traversal zones this might not be a problem, but all B2B calls enter through the same Default Zone and get out via the DNS Zone. TLS verify might be challenging.

## TLS Verify With DNS Zone Example

(Diagram: Expressway-E and a third-party edge: 1 Client hello, 2 Server hello, 3 Certificate)

## Closed Video Federation

- mTLS can be set up for a limited set of partners only, and can use a different port than 5061.
- 5061 will still be enabled for TLS only, for those services not supporting mTLS (MRA).
- The caller must be listed among the SANs of the received certificate.
- Inbound call certificate check (mTLS).

## mTLS Helps Mitigate Spam Calls

- Spam-call bots are not equipped with a public, CA-signed certificate.
- mTLS requires that inbound calls present a valid certificate. If not, the connection is dropped.
- The following slides present an option to set up mTLS for the Default Zone with port 5061.

## mTLS and Default Zone Access Rules

## mTLS and Default Zone Access Rules Use

- If the caller doesn't present a valid certificate, the connection will be rejected before any SIP message is sent.
- Spam calls would be completely blocked.
- If a remote host is sending spam calls while presenting a valid certificate, the certificate will show in the logs and it will be possible to create a rule to stop those calls.

# Spam Call and Toll Fraud Mitigation

## Licensing and Consumption

- Business to Business Calls: firewall traversal calls consume 1 x RMS on Expressway-E.
- Business to Customer Calls: Jabber Guest calls consume 1 x RMS on Expressway-E.
- Interoperability Gateway Calls: i.e. MS Interop calls consume 1 x RMS on the Expressway-C gateway.
- Registered Calls (no RMS required): calls between endpoints registered to Cisco call control services (1); calls to Cisco conferencing infrastructure (2) or cloud services (3).

## Routing

Inbound call:
1. Does the calling or the called alias match a CPL rule? Yes: Reject (Forbidden). Spam calls should stop here.
2. No: Does the alias match a transform? Yes: Apply the transform.
3. Does the alias match a search rule? No: Reject.
4. Yes: Send the call to the target zone. Is the alias found? Yes: STOP.
5. No: Next lower-priority rule, until the end of the rules or the alias is found.
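The flowchart above is easy to reason about in code. The following added example (not from the deck) models it as a small routing engine: CPL rules first, then a transform, then search rules in priority order with the Continue flag deciding whether a failed search falls through to the next rule. The rules, the `example.com` domain, the zone names and the `alias_known` directory are all constructed for the example; the CPL pattern `[a-z]{2,7}(\w)?` and the shape of the two search rules are borrowed from later slides in this deck.

```python
import re
from dataclasses import dataclass


@dataclass
class CplRule:
    applies_to: str     # "authenticated", "unauthenticated" or "any"
    source: str         # regex on the calling alias (matched against the whole alias)
    destination: str    # regex on the called alias
    action: str         # "allow" or "reject"


@dataclass
class Transform:
    pattern: str        # regex on the called alias
    replace: str        # replacement template, e.g. r"\1@example.com"


@dataclass
class SearchRule:
    priority: int       # lower number = evaluated first
    pattern: str        # regex on the (transformed) called alias
    source_zone: str    # zone the call must come from, or "any"
    target_zone: str
    continue_on_fail: bool  # try the next lower-priority rule if the alias is not found


def matches(pattern, alias):
    return re.fullmatch(pattern, alias) is not None


def route_call(calling, called, source_zone, authenticated,
               cpl, transforms, search_rules, alias_known):
    """Walk one inbound call through CPL -> transform -> search rules.

    alias_known(zone, alias) stands in for the real search in the target zone.
    Returns a dict describing where the call ended up and why.
    """
    kind = "authenticated" if authenticated else "unauthenticated"

    # 1. CPL: the first matching rule decides; a reject ends routing with 403 before any search.
    for rule in cpl:
        if rule.applies_to not in ("any", kind):
            continue
        if matches(rule.source, calling) and matches(rule.destination, called):
            if rule.action == "reject":
                return {"result": "rejected", "reason": "403 Forbidden (CPL)",
                        "alias": called, "tried": []}
            break

    # 2. Transforms: the first matching transform rewrites the called alias.
    for t in transforms:
        m = re.fullmatch(t.pattern, called)
        if m:
            called = m.expand(t.replace)
            break

    # 3. Search rules in priority order; stop at the first zone where the alias is found.
    tried = []
    for sr in sorted(search_rules, key=lambda r: r.priority):
        if sr.source_zone not in ("any", source_zone) or not matches(sr.pattern, called):
            continue
        tried.append(sr.target_zone)
        if alias_known(sr.target_zone, called):
            return {"result": "routed", "zone": sr.target_zone, "alias": called, "tried": tried}
        if not sr.continue_on_fail:
            break
    return {"result": "rejected", "reason": "404 Not Found (no route)", "alias": called, "tried": tried}


# --- Constructed sample configuration (hypothetical, not from the deck) -------------------
DOMAIN = "example.com"  # hypothetical internal SIP domain

CPL = [
    # Unauthenticated callers may only reach short userIDs in our domain; everything else is 403.
    CplRule("unauthenticated", r".*", rf"[a-z]{{2,7}}(\w)?@{re.escape(DOMAIN)}", "allow"),
    CplRule("unauthenticated", r".*", r".*", "reject"),
]
TRANSFORMS = [
    # Internal 7-digit extensions dialled without a domain get the domain appended.
    Transform(r"(8395\d{3})", rf"\1@{DOMAIN}"),
]
SEARCH_RULES = [
    SearchRule(60, rf".*@{re.escape(DOMAIN)}", "Default Zone", "Traversal Server", False),
    SearchRule(65, rf"(?!.*@{re.escape(DOMAIN)}$).*", "Traversal Server", "DNS Zone", True),
]
# Aliases each zone can resolve; the DNS Zone is treated as resolving any external alias.
DIRECTORY = {"Traversal Server": {f"lpellegr@{DOMAIN}", f"8395001@{DOMAIN}"}}


def alias_known(zone, alias):
    return zone == "DNS Zone" or alias in DIRECTORY.get(zone, set())


def route(calling, called, source_zone="Default Zone", authenticated=False):
    return route_call(calling, called, source_zone, authenticated,
                      CPL, TRANSFORMS, SEARCH_RULES, alias_known)


if __name__ == "__main__":
    for call in [("bot@203.0.113.9", "000972123456@example.com"),
                 ("alice@partner.test", "lpellegr@example.com"),
                 ("alice@partner.test", "lp@example.com")]:
        print(call, "->", route(*call))
```

The `tried` list in the result is the part worth watching: a CPL rejection leaves it empty, because nothing was searched and no RMS licence was touched, whereas a call that passes CPL and is not found has already consumed a search in every zone it was sent to.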
## Spam Call and Toll Fraud

- Spam calls are used to find the way to the PSTN.
- Once the route is found, toll fraud is performed.
- Blocking spam calls is key to limiting toll fraud, which might occur if the system is poorly configured or because of human error (i.e. CPLs set to Off).

## Toll Fraud Scenario

(Diagram: Internal Network, Internet, PSTN; charge number 0048 01234 5678)
Multiple SIP INVITEs/OPTIONS are sent. The aim is not DoS, but it might become pretty nasty (2-3 cps). So once these bots get an answer (403, 404 or other) they keep on trying again and again.

## Example

## CPL Implementation

Make CPL rules as tight as possible.

Example 1. Company with 8395XXX, 8417XXX, 8445XXX as internal numbers.
- `8\d{6}` opens from 8000000 to 8999999 (1M possibilities against 3000 allocated numbers).
- `8[3,4][1,4,9][5,7]\d{3}` opens to 12,000 possibilities.
- `8395\d{3}`, `8417\d{3}` and `8445\d{3}` open to 3000 possibilities.

Example 2. Cisco-like userID (lpellegr).
- `.*` opens to infinite possibilities.
- `[a-z]{2,7}(\w)?` matches "lpellegr" and "lp", but not "l", "lpellegrini" or "luca.pellegrini".

Important note: CPL doesn't interfere with Mobile and Remote Access traffic (MRA bypasses CPL). If possible, mark traffic from Expressway as authenticated.

## CPL Best Practices

(Diagram: Expressway-E and Expressway-C joined by the Traversal Zone; authenticated and unauthenticated traffic)
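The counts on the CPL Implementation slide can be checked rather than taken on trust. The following added example (not from the deck) brute-forces every 7-digit number starting with 8 against the three candidate patterns, reporting how many numbers each admits and how many of those are not allocated (the space a scanner can probe without ever reaching a real user), and runs the userID pattern against the slide's sample aliases. The `ALLOCATED` set is constructed from the slide's 8395XXX/8417XXX/8445XXX ranges; the pattern labels are this example's own.

```python
import re

# Internal numbers from the slide: 8395XXX, 8417XXX, 8445XXX (3000 allocated numbers, constructed set).
ALLOCATED = {f"{prefix}{n:03d}" for prefix in ("8395", "8417", "8445") for n in range(1000)}

# The three candidate CPL patterns from the slide, loosest to tightest.
CANDIDATE_PATTERNS = {
    "wide":   [r"8\d{6}"],
    "medium": [r"8[3,4][1,4,9][5,7]\d{3}"],   # commas inside [] are literal characters, harmless here
    "tight":  [r"8395\d{3}", r"8417\d{3}", r"8445\d{3}"],
}

USERID_PATTERN = r"[a-z]{2,7}(\w)?"
USERID_SAMPLES = ["lpellegr", "lp", "l", "lpellegrini", "luca.pellegrini"]


def exposure(patterns, low=8000000, high=8999999):
    """Brute-force every number in [low, high] against the OR of `patterns`.

    Returns how many numbers the CPL would let through ("admitted") and how many of those are
    not allocated ("unallocated"): the space a scanner can probe without hitting a real user.
    """
    rx = re.compile("|".join(f"(?:{p})" for p in patterns))
    admitted = unallocated = 0
    for n in range(low, high + 1):
        alias = str(n)
        if rx.fullmatch(alias):          # CPL patterns are matched against the whole alias
            admitted += 1
            if alias not in ALLOCATED:
                unallocated += 1
    return {"admitted": admitted, "unallocated": unallocated}


def check_userids(pattern=USERID_PATTERN, samples=USERID_SAMPLES):
    """Which of the sample aliases the userID pattern admits (full-alias match)."""
    rx = re.compile(pattern)
    return {s: rx.fullmatch(s) is not None for s in samples}


if __name__ == "__main__":
    for label, patterns in CANDIDATE_PATTERNS.items():
        print(f"{label:>7}: {exposure(patterns)}")
    print(check_userids())
```

The "unallocated" figure is the one to minimise: with the wide pattern a bot can try 997,000 numbers that belong to nobody and still get a routing decision for each, while the tight pattern leaves it nothing but the 3000 real extensions, which the authenticated-traffic rule and search rules then handle.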
## CPL Best Practices

- For security reasons, if possible disable numeric dialing. If the attacker finds that 302 is available, they will try 303, 304 and so on.
- Configure prefixes or suffixes for an easier CPL: for example VMCT-1-…, or match the CPL with `[a-z]{2,7}(\w)?.usr` or `.room`.

## CPL Structure

Called-side rules: Zone | Originating Zone (drop-down menu) | Destination Pattern (configurable with regex) | Action (allow/reject)
Calling-side rules: From Address | Rule Applies To (authenticated vs unauthenticated traffic) | Source Pattern (configurable with regex) | Destination Pattern (configurable with regex) | Action (allow/reject); Source Type

## Checking the Calling Alias

Internal domain: …

| From Address | Rule Applies To | Source Pattern | Destination Pattern | Action | Example |
|---|---|---|---|---|---|
| | Unauthenticated | `(.*)` | `.*` | Reject | Call from … rejected |
| | Unauthenticated | `(.*)@10.10.10.1[12]` | `.*` | Reject | Call from user@10.10.10.11 or 200@10.10.10.12 rejected |

## Checking the Called Alias

| Zone | Originating Zone | Destination Pattern | Action | Sample |
|---|---|---|---|---|
| Default Zone | | `.*` | Allow | |
| Default Zone | | `.*` | Allow | |
| Default Zone | | `.*` | Allow | |
| Default Zone | | `[a-z]{2,7}(\w)?.*` | Allow | |
| Default Zone | | `.*` | Reject | Anything else |

## Search Rules

Search rules don't need to be specific, as long as the CPL is well detailed.

| Priority | Regex | Source Zone | SIP Variant | Target | Continue |
|---|---|---|---|---|---|
| 60 | `.*.*` | Default Zone | All SIP Variants | Traversal Server | No |
| 65 | `(?!.*.*$).*` | Traversal Server | All SIP Variants | DNS Zone | Yes |

## CPL to Block Calls

- The routing process stops immediately (CPL is analysed before search rules) and resources are saved.
- No RMS is consumed (without CPL any spam call takes a license).
- It doesn't block scans: answering endpoints could be found.
- It doesn't make Expressway invisible: because "403 Forbidden" is returned, the bot knows that there is an IP address listening and potentially offering a way to toll fraud, and will keep on trying.
- For the next scenario CPL is not enough.

## Toll Fraud Through SIP REFER

- INVITE sent to a legitimate address, discovered through multiple SIP INVITEs or OPTIONS.
- Destination with auto-answer (endpoint, IVR).
(Diagram: Internal Network, Internet, PSTN; charge number 0048 01234 5678; INVITE)

## Toll Fraud Through SIP REFER

The call is SIP REFERred to the PSTN.
(Diagram: Internal Network, Internet, PSTN; charge number 0048 01234 5678; REFER)

## Toll Fraud Through SIP REFER: Mitigation

Block unwanted transfers to the PSTN via the Rerouting Calling Search Space in the device settings: "The rerouting calling search space of the referrer gets used to find the route to the refer-to target. When the Refer fails due to the rerouting calling search space, the Refer Primitive rejects the request with the 405 Method Not Allowed message." Available for trunks as well (IVR, CMS, Expressway).

    REFER sip:12345@192.168.1.105:5561;transport=tls SIP/2.0
    CSeq: 2 …
    Refer-To: sip:+…
    Referred-By: …

## Investigate Your Implementation

How did they discover the legitimate address?
- Published address
- Scans/spam calls through INVITEs or SIP OPTIONS
If you have IVR/auto-answer services reachable from the Internet, analyse the architecture carefully.

## CPL Limits

CPL implementation does not stop a hacker from testing the internal dial plan until:
- a route to the PSTN is found;
- an endpoint that has access to the PSTN is found, in order to perform a REFER-based attack.

## X.14 IP Blocking Feedback Mechanism

Based on Fail2Ban.
(Diagram: Network layer: TCP connection to port 5060/5061. Application layer: analyse the SIP/H.323 stack; CPL and routing logic; 403 Forbidden; Logs; Fail2ban rules; Fail2ban IPS; Block IP)

## Advanced Protection: SIP Authentication (release X14)

SIP Authentication checks if:
- calls are rejected with "Forbidden";
- SIP registrations get "Not Found".
If the conditions are met, the source IP address is jailed in Fail2ban. From release X14, SIP Authentication works with CPL.

## Expressway X14

Expressway X14 has the ability to block an IP address using fail2ban. IP address banned: after 3 CPL-rejected attempts within an hour, for 12 days.

## Example

CPL config: Allow 88XX@ent-…; Reject anything else. SIP Authentication: Trigger level 3; Detection window 1 hour.
1. Call #1 sent to 9001@ent-…. Received "403 Forbidden".
2. After 10 minutes, call #2 sent to 5000@ent-…. Received "403 Forbidden".
3. After 30 minutes, call #3 sent to 7000@ent-…. Received "403 Forbidden". 3 rejected calls in 40 minutes trigger the IPS to ban the IP.
4. TCP connection #4 is never established. No message returned. Source IP automatically put in fail2ban.
(Diagram: Internal Network, Internet; Forbidden, Forbidden, Forbidden, Timeout)

## Exemptions

- Exemptions can be configured for one or more intrusion-protection categories.
- If an IP is exempted for one or more categories it can freely perform activities that would require a ban for those categories.

## Blocked Address List

- IP address blocking is at peer level, not cluster-wide.
- To unblock an IP address the admin has to go to all the peers where that IP is banned and unblock it.
- Blocked addresses are released after a reboot, or after the time expires.
- Exemptions are cluster-wide.
- Exemptions are permanent.

## Expressway X.14 CPL/IPS Integration Effect

Internal statistics show that spam calls drop from 50-80% to 8%-10%. This is dependent on the SIP Authentication configuration. Implemented values have been:
- Detection window: 3600
- Trigger level: 3
- Block duration set to max value: 1000000

Suggestion for the implementation:
- Detection window: 3600
- Trigger level: start from 7, then reduce to 5, then to 3
- Block duration set to max value
- For the initial phase, constantly monitor the blocked addresses list
# Demo: Measure the Impact of Spam Calls

## Using REST API

- Release 14.0.6 and before: `https://<expressway>/api/management/status/call/call`
- Release 14.0.7 and above: `https://<expressway>/api/status/common/call/call`
861 spam calls, 864 total calls.

# Demo: Find the Activity of a CPL-Blocked IP

## Using CDR API

## If the CDR API Doesn't Return the Banned IP

If that IP didn't make any call:
- it was jailed because of a SIP REGISTER issue, or
- the CDRs have been overwritten.
It might be a false positive: unban. This issue will be solved in the last section of this presentation.

# Automated Feedback to the Firewall

## ASA FirePOWER Network Feed

1. Create a Network Feed for the block list.
2. Pull the block list from a web server.
3. Set the timer.
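A feed the firewall polls is only as trustworthy as the validation in front of it. The following added example (not Cisco's demo script) shows the defensive part of such a script: merging the jail lists from several Expressway-E peers, de-duplicating them (the same bot is usually seen by more than one peer), refusing anything that is not an IP address, anything in a private or special-use range and anything in an exempt network, and rendering the result as the one-address-per-line text a Firepower network feed reads from a web server. The JSON shape in `SAMPLE_PEER_RESPONSES`, the peer hostnames, the `EXEMPT_NETWORKS` list and the `NEVER_BLOCK` ranges are constructed assumptions; the real API response fields must be mapped in `parse_blocked()`.

```python
import ipaddress
import json

# Constructed responses, one per Expressway-E peer. The JSON shape is an assumption made for
# this example; adapt parse_blocked() to the fields the Expressway API actually returns.
SAMPLE_PEER_RESPONSES = {
    "expe-1.example.invalid": json.dumps({"blocked": [
        {"address": "203.0.113.50", "category": "SIP Authentication"},
        {"address": "198.51.100.22", "category": "SIP Authentication"},
        {"address": "10.0.0.5", "category": "HTTP"},           # internal range, must never reach the feed
    ]}),
    "expe-2.example.invalid": json.dumps({"blocked": [
        {"address": "203.0.113.50", "category": "SIP Authentication"},  # same bot, seen by both peers
        {"address": "192.0.2.77", "category": "SIP Authentication"},
        {"address": "not-an-ip", "category": "SIP Authentication"},     # garbage must not poison the feed
    ]}),
}

# Networks that must never be pushed to the firewall as a block entry (partners, monitoring, ...).
EXEMPT_NETWORKS = ["198.51.100.0/24"]

# Private and special-use ranges: a jail entry in one of these is a sign of a mis-set source,
# and blocking it on the firewall would cut off internal traffic rather than a bot.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_blocked(response_json):
    """Extract the blocked addresses from one peer's response (assumed shape: {"blocked": [{"address": ...}]})."""
    return [entry["address"] for entry in json.loads(response_json).get("blocked", [])]


def build_feed(peer_responses, exempt_networks=EXEMPT_NETWORKS):
    """Merge all peers' jails into one validated block list.

    Returns (entries, rejected): entries is a sorted, de-duplicated list of addresses ready
    for the feed; rejected maps every dropped value to the reason it was dropped.
    """
    exempt = [ipaddress.ip_network(n) for n in exempt_networks]
    accepted, rejected = set(), {}
    for peer, body in peer_responses.items():
        for raw in parse_blocked(body):
            try:
                addr = ipaddress.ip_address(raw.strip())
            except ValueError:
                rejected[raw] = f"not an IP address (from {peer})"
                continue
            if any(addr in net for net in NEVER_BLOCK):
                rejected[raw] = "private or special-use address"
            elif any(addr in net for net in exempt):
                rejected[raw] = "in an exempt network"
            else:
                accepted.add(addr)
    ordered = sorted(accepted, key=lambda a: (a.version, int(a)))
    return [str(a) for a in ordered], rejected


def render_feed(entries):
    """Plain text, one address per line: the format a Firepower network feed reads from a web server."""
    return "\n".join(entries) + "\n"


if __name__ == "__main__":
    entries, rejected = build_feed(SAMPLE_PEER_RESPONSES)
    print(render_feed(entries), end="")
    for value, why in rejected.items():
        print(f"# dropped {value}: {why}")
```

Log the `rejected` map rather than discarding it: a private address or garbage string in a peer's jail list is itself worth an alert, because it means the detector was fed something other than real Internet sources.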
## Firewall Integration

- Expressway-E X14 jails the IPs based on the CPL "403 Forbidden" output.
- Cisco firewalls powered by Firepower can get block lists from web servers.
- This can be done manually or automatically through scripting, using the Expressway APIs.
(Diagram: Internal Network, Internet; IP Blocked List: IP1, IP2, IP3, IP4)

## Spam Calls Blocked in the Firewall

## Benefits

- The Expressway block list is not persistent: it is lost after a reboot.
- After at most 12 days the IP address is released.
- If an IP is jailed on an Expressway peer and communicated to the firewall, the other peers or clusters are protected as well.
(Diagram: Internal Network, Internet; IP1 blocked)

## Using Expressway Internal Firewall

- In case the use of an external firewall is not possible, the Expressway internal firewall can be used.
- Automatic feedback based on scripting and the Expressway firewall APIs.
- Once an IP is banned on a peer, the script will add a firewall rule on that cluster. If multiple clusters are deployed, the script should update the other clusters as well.
(Diagram: Internal Network; fail2ban; cluster 1, cluster 2; IP1 blocked)

## Script Demo

https://…

## Continue your education

- Visit the Cisco Showcase for related demos.
- Book your one-on-one Meet the Engineer meeting.
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs.
- Visit the On-Demand Library for more sessions at www.CiscoL…

## Fill out your session surveys!

Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! These points help you get on the leaderboard and increase your chances of winning daily and grand prizes. Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed.

## Thank you

## Gamify your Cisco Live experience!

Get points for attending this session! How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.