ALERT WhatMeWorry: €11 Million Heist

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
SECURITY: $100,000 Phone Bill

If you couldn't tell from reading this week's Nerd Vittles article, we are headed in a new direction with respect to Asterisk security now that we have Asterisk functioning reliably from behind a hardware-based firewall WITH NO HOLES punched for SIP, IAX, or Web traffic.

In short, we now have Asterisk working the same way that Skype works on your Desktop. You can call people and people can call you with no Internet vulnerability on your computer or your server in the case of PIAF. This is extremely secure with very few tradeoffs.

In coming weeks we're going to start building tools to let you lock down all necessary SIP, IAX, and Web traffic using IPtables. The victim of this lockdown will be outside devices with dynamic IP addresses. If anyone has suggestions/concerns, now's the time to suggest/ask. :smile5:
 

kenn10

Well-Known Member
Joined
Dec 16, 2007
Messages
3,764
Reaction score
2,173
Most of my intruders that get locked out are from countries outside of North America. I hope we will have the option to block other countries but leave the system open for dynamic IPs from our remote users. I let DenyHosts and Fail2Ban take care of the rest.
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

With SIP traffic, whether or not there are issues with NAT traversal, and whether ports on the external firewall need to be open, very much depends on the implementation of NAT, i.e. which of the four types of NAT, and additionally on the implementation of that NAT method by the manufacturer concerned.

Rather than putting PBX in a Flash in a virtual chastity belt behind an external firewall, I would rather that the effort be continued in improving the intrinsic security of PBX in a Flash, which is far and away better than most other distributions. This is what sets PiaF apart.

If you are going to suggest that PiaF always should be behind an external firewall, then iptables, and fail2ban become fairly pointless.

Joe
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
Security is like a bundle of sticks. Which sticks you choose to use is completely up to you. Wasn't suggesting we force this down anyone's throat. :crazy:
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

I was not suggesting that you were forcing anything down my throat, so to speak, simply that to hide a PBX behind an external firewall is the easy option, and I would prefer to see PiaF continue to be intrinsically secure, and be one of the few distros that can be exposed directly to the internet without sleepless nights, and costly results, and that, I believe, should be your focus.

Joe
 

james

Guru
Joined
Oct 18, 2007
Messages
374
Reaction score
38
http://www.countryipblocks.net/ << gives IP blocks for chosen countries in various formats

# Country: UNITED STATES
# ISO Code: US
# Total Networks: 37,690
# Total Subnets: 1,488,446,462

Probably easier to allow certain ISPs or ranges as opposed to the whole US :)
 
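As an added example (not code from the thread or from PBX in a Flash), here is how a countryipblocks-style list like the one above can be turned into an iptables allow-list for the SIP and IAX2 ports, so that only the listed ranges reach the PBX and everything else is dropped. The file contents, chain name and ranges are constructed sample values.

```python
# Added example: build an iptables allow-list for SIP (5060/udp) and IAX2
# (4569/udp) from a countryipblocks-style file. All values are constructed.
import ipaddress

# Constructed sample in the same layout as the countryipblocks.net export:
# '#' comment header followed by one CIDR per line (plus one bad line).
SAMPLE_BLOCKLIST = """\
# Country: UNITED STATES
# ISO Code: US
# Total Networks: 2
198.51.100.0/24
203.0.113.0/24
not-a-network
"""


def parse_ranges(text):
    """Return (valid networks, rejected lines); '#' comments are skipped.
    Malformed lines are reported rather than silently turned into rules."""
    nets, bad = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append(line)
    return nets, bad


def voip_rules(nets, chain="VOIP_ALLOW"):
    """Emit iptables commands (as strings) for a chain that accepts SIP/IAX
    only from the listed ranges and drops the rest. Hypothetical chain name;
    established/related handling is left to the existing base policy."""
    ports = (5060, 4569)
    rules = [f"iptables -N {chain}"]
    for net in nets:
        for port in ports:
            rules.append(f"iptables -A {chain} -p udp --dport {port} "
                         f"-s {net} -j ACCEPT")
    dports = ",".join(str(p) for p in ports)
    rules.append(f"iptables -A {chain} -p udp -m multiport --dports {dports} -j DROP")
    # Hook the chain into INPUT so only VoIP traffic is evaluated by it.
    rules.append(f"iptables -I INPUT -p udp -m multiport --dports {dports} -j {chain}")
    return rules


if __name__ == "__main__":
    nets, bad = parse_ranges(SAMPLE_BLOCKLIST)
    print("\n".join(voip_rules(nets)))
    print("# rejected:", bad)
```

Remote users on dynamic addresses would not be in such a list, which is exactly the tradeoff discussed in the thread; they need a VPN or a separate mechanism rather than a static allow-list.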

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
Hi

... I would prefer to see PiaF continue to be intrinsically secure, and be one of the few distros that can be exposed directly to the internet without sleepless nights, and costly results, and that, I believe, should be your focus.

Joe

My focus is a secure PBX, period. If there is a legitimate reason for Internet exposure, that's fine. But I see very little, if any, benefit to continuing exposure of most of our systems to the Internet. There have been major security breaches in Asterisk and FreePBX almost monthly and, from what I hear, another whopper is just around the corner. :incazzato:
 

MyKroFt

Guru
Joined
Oct 31, 2008
Messages
659
Reaction score
3
I would prefer it locked down solid and require VPN to access any of it, including remote users - it's time some of the ATA manufacturers take note of this and help secure their own products.
 
Joined
Apr 17, 2009
Messages
829
Reaction score
9
I would prefer it locked down solid and require VPN to access any of it, including remote users - it's time some of the ATA manufacturers take note of this and help secure their own products.


Agreed! I would also like to see this, although at this point we need to focus on how to keep it secure while having ports open for remote users. That is going to be my biggest concern.
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Does this mean that you will be not only recommending that PiaF not be exposed to the internet directly (which is good advice) but also developing PiaF secure in the knowledge that it will be protected by an external firewall, and therefore does not need to be intrinsically secure?

Joe
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
Joe,
We're not going to throw the baby out with the bath water. I don't envision removing any of the existing security mechanisms. But we are going to develop some additional BEST PRACTICES. If folks want to stray from the recommendations at their peril, that's their call to make. But the bottom line is we're not removing any existing protection in order to tighten things up. Why would that ever make sense? :confused5:
 

hkgonra

knows just enough to be dangerous
Joined
Dec 16, 2008
Messages
140
Reaction score
0
This reminds me of an old tech joke.
Owner says, "I want all my systems completely secure so that nothing can get in and hack them." The tech unplugged the ethernet cable.
 

YoungOrtho

Member
Joined
Sep 4, 2009
Messages
55
Reaction score
0
Ward, I read the article but I'm still not clear on how it's possible to have the PBX behind a hardware firewall without having to open any firewall ports. How is that possible?
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Ward, I read the article but I'm still not clear on how it's possible to have the PBX behind a hardware firewall without having to open any firewall ports. How is that possible?

Taking the IAX protocol for instance, which operates on one port, the matter of registration punches a hole in the NAT device, and therefore when traffic comes from the other end of the registration, the NAT device knows where to send the traffic.

Traffic from any other origin will be dropped.

SIP is more complicated: although the SIP protocol is on 5060 and traffic can flow freely between you and the other end on that port, in its pure form the RTP stream is able to leave, but the return audio is on a different port, which is dropped by the firewall.

NAT=yes asks the other end to send audio back on the same port that you send it to them. Hole punched in NAT, everything fine.

With the right router and the right carrier there should be no issues, providing your Asterisk server or your SIP-aware firewall reports the correct external public IP address to the carrier and not the internal IP address; and if the other end does not support synchronous RTP, then the firewall/NAT device needs to be intelligent enough to realise that an RTP stream coming in as a result of another going out is related and should be directed to the firewall - this is basically what ALG routers do.

Things get a bit more tricky with the majority of commercial DID providers who do not demand that you register to them, they simply send the DID to your IP address, and you have to allow anonymous SIP, and do some port forwarding to allow this to happen.

I trust that this gives a 30,000ft overview of how this works.

In respect of this comment

But the bottom line is we're not removing any existing protection in order to tighten things up. Why would that ever make sense?

In no way was I suggesting that anything should be taken out, and I have re-read my posts to try and understand where you get that impression.

The current security model can always be improved, with deeper reaching fail2ban scripts, intrusion detection by monitoring the MD5 sum of important files, and continued enforcement of strong passwords, Geo-IP on calls, and so on, and I hope that you will continue to develop these techniques, rather than not bother because the advice is to put your system behind an external firewall.

Joe
 
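To make Joe's overview concrete, here is an added example (not code from the thread or from Asterisk) that models a port-restricted NAT table: an outbound IAX registration opens a mapping that only the provider's reply can use, unsolicited packets are dropped, and return RTP only gets through when the far end sends it from the same ip:port we sent to. All addresses and ports are constructed sample values.

```python
# Added example: toy port-restricted NAT, modelling the registration
# "hole punch" and the RTP return-path problem described above.
# All addresses/ports are constructed; nothing here touches a real network.
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"   # constructed WAN address of the firewall


@dataclass
class Nat:
    """Port-restricted cone NAT: an inbound packet is forwarded only if the
    same internal socket previously sent a packet to that exact remote ip:port."""
    next_port: int = 40000
    table: dict = field(default_factory=dict)   # (int_ip, int_port) -> ext_port
    peers: set = field(default_factory=set)     # (ext_port, remote_ip, remote_port)

    def outbound(self, int_ip, int_port, remote_ip, remote_port):
        key = (int_ip, int_port)
        if key not in self.table:                # first use allocates a mapping
            self.table[key] = self.next_port
            self.next_port += 1
        ext_port = self.table[key]
        self.peers.add((ext_port, remote_ip, remote_port))
        return (PUBLIC_IP, ext_port)             # source address the far end sees

    def inbound(self, src_ip, src_port, dst_port):
        """Return the internal destination, or None if the NAT drops the packet."""
        if (dst_port, src_ip, src_port) not in self.peers:
            return None
        for (int_ip, int_port), ext in self.table.items():
            if ext == dst_port:
                return (int_ip, int_port)
        return None


def iax_registration_demo():
    """IAX2 REGREQ to the provider opens the hole; only the provider's reply
    from the same ip:port is forwarded, a scanner hitting the port is dropped."""
    nat = Nat()
    nat.outbound("192.168.1.50", 4569, "198.51.100.5", 4569)
    from_provider = nat.inbound("198.51.100.5", 4569, 40000)
    from_scanner = nat.inbound("192.0.2.99", 4569, 40000)
    return from_provider, from_scanner


def rtp_demo(symmetric_rtp):
    """Audio leaves PBX port 10000 towards provider media port 20000. If the
    far end sends its audio from that same port (symmetric RTP, the nat=yes
    case), it matches the hole; if it uses another port, the NAT drops it."""
    nat = Nat()
    nat.outbound("192.168.1.50", 10000, "198.51.100.5", 20000)
    src_port = 20000 if symmetric_rtp else 20002
    return nat.inbound("198.51.100.5", src_port, 40000)
```

The ALG behaviour Joe mentions is what a real router adds on top of this model: it inspects the SDP so that the non-symmetric case is also recognised as related and forwarded.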

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
In no way was I suggesting that anything should be taken out, and I have re-read my posts to try and understand where you get that impression.


How 'bout this one...


Does this mean that you will be not only recommending that PiaF not be exposed to the internet directly (which is good advice) but also developing PiaF secure in the knowledge that it will be protected by an external firewall, and therefore does not need to be intrinsically secure?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
With the right router and the right carrier there should be no issues, providing your Asterisk server or your SIP-aware firewall reports the correct external public IP address to the carrier and not the internal IP address; and if the other end does not support synchronous RTP, then the firewall/NAT device needs to be intelligent enough to realise that an RTP stream coming in as a result of another going out is related and should be directed to the firewall - this is basically what ALG routers do.

Great explanation, Joe. As you've noted, this usually isn't a problem with IAX providers, and it's not a problem with good SIP providers that know what they're doing, provided you have the right type of firewall... which need not be expensive. The D-Link WBR-2310 works just fine, and it's $35.

Seems to me the moral of the story is that the security of your PBX is going to force you to make some better decisions in choosing providers and firewalls. With the right combination, there really is no reason to expose your phone system to Internet vulnerabilities. After all, the primary purpose of the PBX is to be able to make and receive phone calls. Simple as that.
 

mtennant

Guru
Joined
Oct 22, 2007
Messages
293
Reaction score
0
In a related vein, I recently had issues with a SIP client running on the iPhone. It is called SessionTalk and even though I opened up and forwarded port 5060 to the IP address of my Asterisk machine, it had issues and could not talk to it.

The maker of the client, FROUTE (http://www.froute.ltd.uk/index.html), stated on VOIP Talk on DSLReports.com,

"Well , we've been testing on Trixbox and its fine, on a Nerd Vittles it didn't like the RTP keepalive packets we were sending so we are putting in an option to turn these off."

Since I'm running an Orgasmo 5.1 system with the new security, I'm assuming they had issues due to the new security lockdown.

Are they on the right path towards fixing this problem by providing an option to turn off RTP keepalive packets?
 

MrBostn

Guru
Joined
Jan 5, 2009
Messages
459
Reaction score
35
Snom 370s

Maybe those Snom 370s with the built-in OpenVPN client are worth the price after all?? :rolleyes:



I would prefer it locked down solid and require VPN to access any of it, including remote users - it's time some of the ATA manufacturers take note of this and help secure their own products.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,170
Reaction score
5,199
For those that may think this is an academic exercise, here's the latest reminder of the consequences...

$45,582 telephone bill: Furniture company's security breach traced back to Somalia


It only took 12 hours for a hacker to run up $45,582 in telephone charges for a local [North Carolina] furniture company.
More than 10,000 minutes of phone calls were made from the phones at Sherrill Furniture on Highland Ave. NE from 9 p.m. on Friday, March 5 to 9 a.m. the following day.
 
