SIPTrunk Setup & Security

Stephen Nelson
asked this on January 10, 2011 02:44

Below you will find the necessary address information to start using our services

XCast Softswitch IP address: 38.102.250.50 (outbound) and 38.102.250.60 (inbound)

XCast Softswitch Domain address: wholesale.xcastlabs.com (outbound)

 

NOTE: XCast authenticates based on your IP address(es) and not on username/password

 

***IMPORTANT SECURITY ALERT***

XCast has noticed a significant increase in attempts to breach the security of VoIP applications and services. The goal of the attack is to find equipment with low or non-existent security and use it to send “free” calls to expensive destinations. Unlike previous hacker attacks, the current ones are systematic, persistent, and quite capable of defrauding you of significant dollar amounts if you do not adequately secure your equipment.

We recommend that your equipment should be configured to accept and answer SIP messages ONLY from white-listed IP addresses. If XCast is your only VoIP provider, then your equipment should NOT respond to queries from any IP address other than the one above. Any response only tells the hacker that this IP address has VoIP services associated with it and invites them to continue trying to break whatever security may be in place.

If for some reason you cannot limit SIP communications to only white-listed IP addresses, for example you are using SIP phones registered to your PBX from multiple locations connected over public Internet, we recommend using a Session Border Controller. You can obtain one from different manufacturers as well as order one from XCast. If you do not want to use additional equipment, we encourage you to at least move SIP communication to a different port number (not 5060).

Our security team recently ran a SIP scanning application against our customer accounts and found that many of them do not block SIP messages from unknown IP addresses. We also found that many of the systems were wide open and would relay calls from ANY SIP device, while others use dial prefixes as a security measure. The first case is completely open to any fraudulent traffic, and even the prefix-based security is not good enough. Even a moderately skilled hacker can figure out the prefix in a matter of minutes or hours by interrogating the system.

It is your responsibility to take measures to protect your account from fraudulent calls. We highly recommend that you contact whoever is responsible for the installation of your equipment for assistance. If you need more help, you may contact XCast’s Support by email at support@xcastlabs.com or via http://support.xcastlabs.com and special consulting arrangements can be made. Please include your account number in any correspondence with us.

If your equipment is behind a firewall and has a list of authorized IP addresses to which it will respond, no additional action should be needed.

Disclaimer: While XCast is willing to help protect end-user systems, XCast is not responsible for unauthorized usage. Please refer to your signed Agreement for details.

INSTALLATION, TROUBLE-SHOOTING & ONGOING SUPPORT

Installation and Initial Troubleshooting of Service: If Customer wishes XCast personnel to assist with and/or monitor installation of Service, this must be scheduled at least 72 hours in advance. If XCast personnel are enlisted to help debug, configure or otherwise assist Customer with the setup or functioning of any hardware, network and/or software outside of XCast’s Service applications beyond one hour, Customer agrees to pay XCast at the rate of $125 per hour for such assistance, billed to the nearest half hour.

Ongoing Support of Service: Standard response time for trouble support requests is 6 hours during weekdays from 8AM to 8PM, US Central time, and 10 hours during other times. Standard response time for adding, disconnecting or reconfiguring services is 24 hours. XCast will use best efforts to respond more quickly than this in the event of an outage or serious service disruption caused by fault in XCast’s applications. If XCast personnel are enlisted to help debug, configure or otherwise assist Customer with the setup or functioning of any hardware, network and/or software outside of XCast’s Service applications, Customer agrees to pay XCast at the rate of $125 per hour for such assistance, billed to the nearest half hour.

 

If you should have any customer service concerns please contact our support center toll free by dialing 18002543109. 
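
The white-listing recommended in the security alert above, as an added example that is not part of the original post or XCast's own tooling: a shell function that emits an iptables-restore ruleset accepting SIP only from the two softswitch addresses given in the post and dropping everything else without a reply. The chain name SIP-IN and the function names are assumptions made for this example, and RTP media ports are not covered.

```shell
#!/bin/sh
# Added example (not from the original post): SIP white-list as iptables rules.
# Addresses and port are the ones given in the post; SIP-IN is an assumed name.
SIP_WHITELIST="38.102.250.50 38.102.250.60"
SIP_PORT=5060

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ruleset for the given addresses (default: SIP_WHITELIST).
# Every address is validated before anything is printed, so a typo
# cannot produce a half-written ruleset.
sip_ruleset() {
    [ "$#" -gt 0 ] || set -- $SIP_WHITELIST
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    echo "*filter"
    echo ":SIP-IN - [0:0]"
    # -I puts the jump ahead of any broader ACCEPT already in INPUT.
    for proto in udp tcp; do
        echo "-I INPUT -p $proto --dport $SIP_PORT -j SIP-IN"
    done
    for ip in "$@"; do
        echo "-A SIP-IN -s $ip/32 -j ACCEPT"
    done
    # DROP, not REJECT: a scanner gets no response confirming a SIP service.
    echo "-A SIP-IN -j DROP"
    echo "COMMIT"
}
```

Review the output of `sip_ruleset` before loading it; piping it to `iptables-restore --noflush` adds the rules without clearing the existing filter table.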

 

 

Comments

ITS Main Technical Operations
ITS Telecom

Stephen,

This seems to be more for Address Trunking as opposed to Device Trunking. Devices use usernames/auth names and passwords to authenticate. Am I wrong?

January 18, 2011 08:15
Dmitriy Asetov
XCast Labs, Inc.

Cesar,

 

This is in fact only for Address trunking.

February 22, 2011 15:12
James Jones
XCast Labs, Inc.

Typical Trunk PEER and USER details for an Asterisk-based IP-PBX:

PEER Detail –

insecure=port,invite
secret=no
qualify=yes
host=38.102.250.50
disallow=all
allow=ulaw
allow=alaw
dtmfmode=rfc2833
externip=xxx.xxx.xxx.xxx ; <-- PUBLIC IP ADDRESS
localnet=192.0.0.0/255.0.0.0 ; <-- Or the range on their internal IP address
nat=no
canreinvite=no
context=from-internal
type=peer


USER Details –

insecure=port,invite
secret=no
qualify=yes
host=38.102.250.60
disallow=all
allow=ulaw
allow=alaw
externip=xxx.xxx.xxx.xxx ; <-- PUBLIC IP ADDRESS
localnet=192.0.0.0/255.0.0.0 ; <-- Or the range on their internal IP address
nat=no
canreinvite=no
context=from-trunk
dtmfmode=rfc2833
type=peer

 

February 28, 2011 12:59