Preventing SIP registration from the Internet at SwyxConnect/LANCOM VoIP routers (kb4357)
The information in this article applies to:
- SwyxConnect 1724
- SwyxConnect 1723
- SwyxConnect 1722
After the SwyxConnect/LANCOM Voice Call Manager is activated and a SIP user account is created in the configuration of a SwyxConnect/LANCOM VoIP router, the router accepts SIP registrations from remote peers at various sources, including from behind a masked WAN connection. If SIP registrations are protected only by a weak combination of authentication name and password, this registration data could potentially be determined by third parties and misused.
This applies to all SwyxConnect/LANCOM devices with an activated Voice Call Manager and with configured SIP user accounts.
- We recommend that SIP users located at other company sites always be integrated into the network over a VPN connection. Using a VPN ensures that your telephone communication remains secure at all times.
- We would ask you to check whether the registration of SIP users at the SwyxConnect/LANCOM device from a masked WAN connection can be temporarily prevented. To do this, the port used for SIP registration from the corresponding masked WAN peer is to be redirected to an unused private IP address by means of port forwarding. How this is configured is described in the LANCOM Knowledge Base.
If it is not possible for you to follow this advice, then we would ask you at the very least to use secure login data for SIP registration and to update this data regularly to protect yourself against the usual password attacks.
In the near future, LANCOM will release a new software version of LCOS that will finally solve this problem.