
Security: What Me Worry: €11 Million VoIP Heist

Discussion in 'Open Discussion' started by wardmundy, Mar 17, 2010.

  1. wardmundy Nerd Uno

    SECURITY: $100,000 Phone Bill

    If you couldn't tell from reading this week's Nerd Vittles article, we are headed in a new direction with respect to Asterisk security now that we have Asterisk functioning reliably from behind a hardware-based firewall WITH NO HOLES punched for SIP, IAX, or Web traffic.

    In short, we now have Asterisk working the same way that Skype works on your Desktop. You can call people and people can call you with no Internet vulnerability on your computer or your server in the case of PIAF. This is extremely secure with very few tradeoffs.

    In coming weeks we're going to start building tools to let you lock down all necessary SIP, IAX, and Web traffic using IPtables. The victim of this lockdown will be outside devices with dynamic IP addresses. If anyone has suggestions/concerns, now's the time to suggest/ask. :smile5:
  2. kenn10 Guru

    Most of my intruders that get locked out are from countries outside of North America. I hope we will have the option to block other countries but leave the system open for dynamic IPs from our remote users. I let DenyHosts and Fail2Ban take care of the rest.
  3. jroper Guru

    Hi

    With SIP traffic, whether or not there are issues with NAT traversal, and whether ports on the external firewall need to be open, very much depends on the implementation of NAT, i.e. which of the four types of NAT, and additionally the implementation of that NAT method by the manufacturer concerned.

    Rather than putting PBX in a Flash in a virtual chastity belt behind an external firewall, I would rather that the effort be continued in improving the intrinsic security of PBX in a Flash, which is far and away better than most other distributions. This is what sets PiaF apart.

    If you are going to suggest that PiaF always should be behind an external firewall, then iptables, and fail2ban become fairly pointless.

    Joe
  4. wardmundy Nerd Uno

    Security is like a bundle of sticks. Which sticks you choose to use is completely up to you. Wasn't suggesting we force this down anyone's throat. :crazy:
  5. jroper Guru

    Hi

    I was not suggesting that you were forcing anything down my throat, so to speak, simply that to hide a PBX behind an external firewall is the easy option, and I would prefer to see PiaF continue to be intrinsically secure, and be one of the few distros that can be exposed directly to the internet without sleepless nights, and costly results, and that, I believe, should be your focus.

    Joe
  6. james Guru

    http://www.countryipblocks.net/ << gives IP blocks for chosen countries in various formats

    # Country: UNITED STATES
    # ISO Code: US
    # Total Networks: 37,690
    # Total Subnets: 1,488,446,462

    probably easier to allow certain ISPs or ranges as opposed to the whole US :)
  7. wardmundy Nerd Uno

    My focus is a secure PBX, period. If there is a legitimate reason for Internet exposure, that's fine. But I see very little, if any, benefit to continuing exposure of most of our systems to the Internet. There have been major security breaches in Asterisk and FreePBX almost monthly and, from what I hear, another whopper is just around the corner. :incazzato:
  8. MyKroFt Guru

    I would prefer it locked down solid and require VPN to access any of it, including remote users - it's time some of the ATA manufacturers take note of this and help secure their own products.

  9. Agreed! I would also like to see this. Although at this point, we need to focus on how to keep it secure with ports open for remote users. That is going to be my biggest concern.
  10. jroper Guru

    Does this mean that you will be not only recommending that PiaF not be exposed to the internet directly (which is good advice) but also developing PiaF secure in the knowledge that it will be protected by an external firewall, and therefore does not need to be intrinsically secure?

    Joe
  11. wardmundy Nerd Uno

    Joe,
    We're not going to throw the baby out with the bath water. I don't envision removing any of the existing security mechanisms. But we are going to develop some additional BEST PRACTICES. If folks want to stray from the recommendations at their peril, that's their call to make. But the bottom line is we're not removing any existing protection in order to tighten things up. Why would that ever make sense? :confused5:
  12. hkgonra Guru

    This reminds me of an old tech joke.
    Owner says, "I want all my systems completely secure so that nothing can get in and hack them." The tech unplugged the ethernet cable.
  13. wardmundy Nerd Uno

    May not go quite that far. :wink5:
  14. YoungOrtho New Member

    Ward, I read the article but I'm still not clear on how it's possible to have the PBX behind a hardware firewall without having to open any firewall ports. How is that possible?
  15. jroper Guru

    Taking the IAX protocol for instance, which operates on one port, the matter of registration punches a hole in the NAT device, and therefore when traffic comes from the other end of the registration, the NAT device knows where to send the traffic.

    Traffic from any other origin will be dropped.

    SIP is more complicated. Although the SIP protocol is on 5060, and traffic can flow freely between you and the other end on that port, in its pure form the RTP stream is able to leave, but the return audio is on a different port, which is dropped by the firewall.

    NAT=yes asks the other end to send audio back on the same port that you send it to them. Hole punched in NAT, everything fine.

    With the right router, and the right carrier, there should be no issues, providing your Asterisk server or your SIP-aware firewall reports the correct external public IP address to the carrier, and not the internal IP address. If the other end does not support synchronous RTP, then the firewall/NAT device needs to be intelligent enough to realise that an RTP stream coming in as a result of another going out is related, and should be directed to the firewall - this is basically what ALG routers do.

    Things get a bit more tricky with the majority of commercial DID providers who do not demand that you register to them, they simply send the DID to your IP address, and you have to allow anonymous SIP, and do some port forwarding to allow this to happen.

    I trust that this gives a 30,000ft overview of how this works.

    In respect of this comment

    In no way was I suggesting that anything should be taken out, and I have re-read my posts to try and understand where you get that impression.

    The current security model can always be improved, with deeper reaching fail2ban scripts, intrusion detection by monitoring the MD5 sum of important files, and continued enforcement of strong passwords, Geo-IP on calls, and so on, and I hope that you will continue to develop these techniques, rather than not bother because the advice is to put your system behind an external firewall.

    Joe
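Joe's IAX/SIP walk-through above, modelled as an added example (not code from this thread, Asterisk or PBX in a Flash): a toy port-restricted cone NAT in which an outbound IAX registration or RTP stream opens a mapping that only the remote it was sent to can use inbound. Addresses, ports and the function names are constructed for the example; the NAT type is an assumption, since the real behaviour depends on the router.

```python
from dataclasses import dataclass, field
from itertools import count

PBX_PRIVATE, NAT_PUBLIC = "192.168.1.10", "203.0.113.5"   # constructed addresses
PROVIDER, INTRUDER = "198.51.100.7", "192.0.2.66"


@dataclass
class Nat:
    """Port-restricted cone NAT: an outbound flow opens a public port that only
    the (remote_ip, remote_port) the flow was sent to may use inbound."""
    ports: count = field(default_factory=lambda: count(40000))
    table: dict = field(default_factory=dict)  # (inside_ip, inside_port) -> public port
    peers: dict = field(default_factory=dict)  # public port -> {(remote_ip, remote_port)}

    def outbound(self, in_ip, in_port, dst_ip, dst_port):
        """Translate an outgoing packet; return the public (ip, port) it leaves with."""
        if (in_ip, in_port) not in self.table:
            self.table[(in_ip, in_port)] = next(self.ports)
        pub = self.table[(in_ip, in_port)]
        self.peers.setdefault(pub, set()).add((dst_ip, dst_port))
        return NAT_PUBLIC, pub

    def inbound(self, src_ip, src_port, pub_port):
        """Return the inside (ip, port) a packet is delivered to, or None if dropped."""
        if (src_ip, src_port) not in self.peers.get(pub_port, set()):
            return None
        return next(k for k, p in self.table.items() if p == pub_port)


def iax_registration():
    """IAX uses one port: the REGREQ opens the hole a later inbound call reuses."""
    nat = Nat()
    _, pub = nat.outbound(PBX_PRIVATE, 4569, PROVIDER, 4569)  # registration goes out
    call = nat.inbound(PROVIDER, 4569, pub)    # provider's NEW for an incoming call
    probe = nat.inbound(INTRUDER, 4569, pub)   # scanner hitting the same public port
    return call, probe


def rtp_return(symmetric_rtp):
    """Outbound audio opens a mapping. With symmetric RTP (nat=yes) the far end
    answers to the address:port it saw; otherwise it trusts the SDP, which
    carried the PBX's own port 10000, and the return audio is dropped."""
    nat = Nat()
    _, pub = nat.outbound(PBX_PRIVATE, 10000, PROVIDER, 20000)
    return nat.inbound(PROVIDER, 20000, pub if symmetric_rtp else 10000)


def unregistered_did():
    """A DID provider that never registers has no mapping to reuse, so its INVITE
    is dropped: that is the case that needs a port forward and anonymous SIP."""
    return Nat().inbound(PROVIDER, 5060, 5060)
```

The `probe` result shows why a registration-only hole is not an open port: the same public port drops traffic from any source the PBX did not talk to first.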
  16. wardmundy Nerd Uno

    How 'bout this one...

  17. wardmundy Nerd Uno

    Great explanation, Joe. As you've noted, this usually isn't a problem with IAX providers, and it's not a problem with good SIP providers that know what they're doing provided you have the right type of firewall... which need not be expensive. The D-Link WBR-2310 works just fine, and it's $35.

    Seems to me the moral of the story is that the security of your PBX is going to force you to make some better decisions in choosing providers and firewalls. With the right combination, there really is no reason to expose your phone system to Internet vulnerabilities. After all, the primary purpose of the PBX is to be able to make and receive phone calls. Simple as that.
  18. mtennant Guru

    In a related vein, I recently had issues with a SIP client running on the iPhone. It is called SessionTalk and even though I opened up and forwarded port 5060 to the IP address of my Asterisk machine, it had issues and could not talk to it.

    The maker of the client, FROUTE (http://www.froute.ltd.uk/index.html), stated on VOIP Talk on DSLReports.com,

    "Well , we've been testing on Trixbox and its fine, on a Nerd Vittles it didn't like the RTP keepalive packets we were sending so we are putting in an option to turn these off."

    Since I'm running an Orgasmo 5.1 system with the new security, I'm assuming they had issues due to the new security lockdown.

    Are they on the right path towards fixing this problem by providing an option to turn off RTP keepalive packets?
  19. MrBostn Guru

    Snom 370's

    Maybe those Snom 370s with the built-in OpenVPN client are worth the price after all? :rolleyes:

  20. wardmundy Nerd Uno

    For those that may think this is an academic exercise, here's the latest reminder of the consequences...

    $45,582 telephone bill: Furniture company's security breach traced back to Somalia

