Learn how to safeguard your IP phone system against denial of service attacks, toll fraud, eavesdropping, and more. Understand the importance of intrusion detection, password management, and ways to enhance system security.
Securing your IP based Phone System
By Kevin Moroz, VP Technology, Snom Inc.
What are we trying to protect?
• Denial of Service – the phone system is down!
• Toll Fraud – a very large phone bill!
• Eavesdropping – someone listening to your calls.
• Call detail records exposed – who is calling you and who are you calling!
• Karma! – keeping everyone happy: remote users, internal users, road warriors, finance, admins.
• The system should be “set it and forget it”.
• Moves, adds and changes SHOULD be the major activity.
Denial of Service is Priority 1
• DoS attacks can take your whole system down.
• Nobody can call you and you can’t call anybody for help! Worst-case scenario!
• If your phone system sits on a public IP address this is a very realistic scenario.
• Why be on a public IP address?
  • It makes it very easy for remote users to connect from home and on the road from behind NAT’d devices, if the IPBX has this capability.
  • Debatable whether this is the practical scenario for enterprises, but a must for service providers.
Intrusion Detection is a must!
• Need to automatically detect an attack and email the admin.
Intruder Alert! Automatic Email Notification

From: thepbx@yourcompany.com [mailto:admin@mycompany.com]
Sent: Sunday, January 09, 2011 8:57 PM
To: admin@mycompany.com.com
Subject: My Company Name Goes here: Address 69.61.210.157 has been blacklisted

The IP address 69.96.218.157 has been blacklisted for 1440 minutes because there were 10 unsuccessful authentication attempts (sip).

From: thepbx@yourcompany.com [mailto:admin@mycompany.com]
Sent: Sunday, January 09, 2011 8:57 PM
To: admin@mycompany.com.com
Subject: My Company Name Goes here: Address 70.96.218.17 has been blacklisted

The IP address 70.96.218.17 has been blacklisted for 1440 minutes because there were 10 unsuccessful authentication attempts (http).
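The detection behind those alerts, as an added example that is not Snom's code or part of the original slides: a sliding-window counter of failed authentications per source address and service, which blacklists the address and produces the notification text once the threshold is hit. The 10-attempt threshold and the 1440-minute ban are the values quoted in the slide's alerts; the log-line format, the 10-minute window and the sample log lines (reusing the slide's two addresses plus a documentation-range address) are assumptions constructed for this example.

```python
"""Brute-force detector for a SIP PBX: blacklist a source address after too many
failed authentications in a short window and produce the admin notification text.
Added example, not Snom's code. The log-line format, the 10-minute window and the
sample log lines are assumptions constructed for this example; the 10-attempt
threshold and the 1440-minute ban come from the slide's sample alerts."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any real PBX's format):
#   2011-01-09 20:50:00 auth-fail sip 69.96.218.157 user=101
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) auth-fail "
    r"(?P<service>sip|http) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

MAX_FAILURES = 10               # threshold quoted in the slide's alerts
WINDOW = timedelta(minutes=10)  # assumption: failures are counted over 10 minutes
BAN_MINUTES = 1440              # ban length quoted in the slide's alerts


class AuthFailureMonitor:
    """Sliding-window failure counter keyed by (source IP, service)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, ban_minutes=BAN_MINUTES):
        self.max_failures = max_failures
        self.window = window
        self.ban_minutes = ban_minutes
        self.failures = defaultdict(deque)  # (ip, service) -> recent failure timestamps
        self.blacklist = {}                 # ip -> ban expiry
        self.alerts = []                    # notification bodies to email the admin

    def feed(self, line):
        """Process one log line; return the alert text if this line triggered a ban."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, service = m["ip"], m["service"]
        if self.blacklist.get(ip, datetime.min) > ts:
            return None  # already banned; the firewall rule handles further packets
        recent = self.failures[(ip, service)]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) >= self.max_failures:
            self.blacklist[ip] = ts + timedelta(minutes=self.ban_minutes)
            recent.clear()
            alert = (f"The IP address {ip} has been blacklisted for {self.ban_minutes} minutes "
                     f"because there were {self.max_failures} unsuccessful "
                     f"authentication attempts ({service}).")
            self.alerts.append(alert)
            return alert
        return None


def run_sample():
    """Feed constructed log lines and return what the admin would see."""
    base = datetime(2011, 1, 9, 20, 50, 0)

    def line(offset, service, ip, user):
        ts = base + offset
        return f"{ts:%Y-%m-%d %H:%M:%S} auth-fail {service} {ip} user={user}"

    lines = []
    # 10 SIP failures within five minutes from one host: exceeds the threshold
    lines += [line(timedelta(seconds=30 * i), "sip", "69.96.218.157", "101") for i in range(10)]
    # 3 HTTP failures from another host: below the threshold
    lines += [line(timedelta(seconds=30 * i), "http", "70.96.218.17", "admin") for i in range(3)]
    # 10 failures spread over 18 minutes: never 10 inside one 10-minute window
    lines += [line(timedelta(minutes=2 * i), "sip", "192.0.2.10", "102") for i in range(10)]

    mon = AuthFailureMonitor()
    for ln in sorted(lines):  # process in time order, as a log tail would
        mon.feed(ln)
    return {"blocked": sorted(mon.blacklist), "alerts": mon.alerts}
```

In a real deployment `feed` would be driven by the PBX's auth log and the blacklist pushed to the host firewall; the third sample host shows why the window matters, since slow probing never accumulates 10 failures inside it and would need a longer window or a lower threshold to be caught.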
Many programs on the Internet to “test” the system for vulnerabilities.
Friendly VoIP Scanner not so friendly!
• Scans the network with SIP packets.
• Once it gets a SIP response back, like a 401 or a 404, it sends massive amounts of SIP packets to the IP address.
• Renders it useless since it is too busy processing all of the packets.
• Even if you have port forwarding the router will forward the calls and bog it down.
• Need something intelligent to figure out you are being attacked and to do something about it while maintaining the current call load.
SipVicious!
• Test tool that can go rogue easily.
• Test tools gone wild!
hackingvoip.com
• Probably a good read to learn some torture tricks for an IPBX!
• Not a bad idea to test your system with some of these public tools.
More free “tools” available
• These tools make it easier for “newbies” to be able to launch “DOS” attacks.
IPBX should monitor the CPU!
• If more than x% of the CPU is in use then don’t accept any more calls.
• Send a 5xx message – Server Failure with the reason code in the packet.
• Lets current calls be processed without any quality issues.
• New calls may not go through until a call is released or the CPU is under the threshold.
• Send an email alert!
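What that admission gate looks like in code, as an added example that is not Snom's code or part of the slides: above the CPU threshold, an incoming INVITE is answered with a 503 carrying a Reason header and a Retry-After, while BYE and other in-dialog requests still pass so existing calls can be released. The 80% threshold, the 30-second Retry-After, the sample INVITE and the minimal SIP parsing are assumptions constructed for this example.

```python
"""CPU-based call admission control for an IPBX: above a load threshold, new INVITEs
get a 503 with a Reason header instead of being processed, so calls already up keep
their quality. Added example, not Snom's code: the 80% threshold, the sample INVITE
and the minimal SIP parsing are assumptions constructed for this example."""
import os

CPU_THRESHOLD_PERCENT = 80  # the slide's "x%"; the value is an assumption


def cpu_percent_from_loadavg():
    """Rough CPU utilisation from the 1-minute load average (assumes a Unix host)."""
    load1 = os.getloadavg()[0]
    return min(100.0, 100.0 * load1 / (os.cpu_count() or 1))


def parse_request(raw):
    """Split a SIP request into its method and a header dict (minimal: no folding, no multi-values)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip()] = value.strip()
    return method, headers


def build_response(headers, code, phrase, extra):
    """Build a SIP response echoing the request's dialog-identifying headers (RFC 3261 8.2.6)."""
    out = [f"SIP/2.0 {code} {phrase}"]
    for name in ("Via", "From", "To", "Call-ID", "CSeq"):
        if name in headers:
            out.append(f"{name}: {headers[name]}")
    for name, value in extra.items():
        out.append(f"{name}: {value}")
    out.append("Content-Length: 0")
    return "\r\n".join(out) + "\r\n\r\n"


def handle_request(raw, cpu_percent, threshold=CPU_THRESHOLD_PERCENT):
    """Return None to let the PBX process the request normally, or the 503 to send back.

    Only call-establishing INVITEs are refused; BYE, ACK and other in-dialog requests
    still pass so existing calls can be released and the CPU can recover."""
    method, headers = parse_request(raw)
    if method == "INVITE" and cpu_percent >= threshold:
        extra = {
            # RFC 3326 Reason header carries the cause text; Retry-After (RFC 3261)
            # tells the caller when to try again. The 30 s value is an assumption.
            "Reason": f'SIP;cause=503;text="CPU load {cpu_percent:.0f}% over {threshold}% limit"',
            "Retry-After": "30",
        }
        return build_response(headers, 503, "Service Unavailable", extra)
    return None


# Constructed sample messages (addresses from the documentation range 192.0.2.0/24)
SAMPLE_INVITE = (
    "INVITE sip:101@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.5:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:102@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:101@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_BYE = SAMPLE_INVITE.replace("INVITE sip:", "BYE sip:").replace("314159 INVITE", "314160 BYE")
```

The same decision point is where the slide's email alert would be raised: the first refusal after crossing the threshold is the event worth notifying on, not every rejected INVITE.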
Different topologies
• IPBX has one network interface card (NIC) on a private address. Remote users VPN in.
  • Not practical, since not many phones support VPN natively yet and it is complex to set up the VPN endpoints.
  • OpenVPN is a good open source project.
• IPBX has one NIC on a private address with a SIP-aware router/session border controller installed.
• IPBX is on a public IP address and a private IP address.
  • Make sure you’re running the latest OS and patches.
• IPBX is only on a public IP address.
  • Service providers.
Toll Fraud – Big business! Big Money
• VoIP Bandit Got em! http://www.amw.com/fugitives/capture.cfm?id=49218&refresh=1
• Recent 12 Million dollar case in Romania.
• Not
1st line of defense is the passwords!
• Most toll fraud is accomplished by guessing simple passwords. Extension 101 / password 101.
• This happened to one of my customers just last week. The ITSP cut them off at $250 since their usage spiked dramatically.
How to protect against toll fraud
• Password management.
• Restrict Direct Inward Station Access (DISA) accounts or calling-card type features.
• Put a rate table on the trunk and restrict the accounts.
• Prepay, or have the ITSP put limits on the accounts.
How can we train the users?
• Force them to use strong passwords?
• How? Make sure the system forces them!
Difference between High and Medium Passwords
• Medium Security: the score must be 120 or higher.
• High Security: the score must be 200 or higher.
Admin needs to monitor passwords!
• The status screen indicates that the password is weak:
  • either it is the same as the username,
  • or it is easily guessable, e.g. 1234.
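A password policy the system can enforce and the admin can audit against, as an added example that is not Snom's code or part of the slides. Only the score thresholds (120 for Medium, 200 for High) and the weak cases (password equal to the username or extension, trivially guessable values such as 1234 or extension 101 / password 101) come from the slides; the scoring formula, the small blocklist and the sample accounts are assumptions constructed for this example.

```python
"""Password policy for PBX extensions and admin accounts: the system refuses weak
passwords instead of trusting users to pick good ones. Added example, not Snom's code.
Only the thresholds (score 120 for Medium, 200 for High) and the weak cases (password
equal to the username or extension, trivially guessable values such as 1234) come from
the slides; the scoring formula and the small blocklist below are assumptions."""
import math
import string

MEDIUM_MIN_SCORE = 120
HIGH_MIN_SCORE = 200

# Constructed blocklist of trivially guessable values (assumption; use a real list in production).
COMMON_WEAK = {"1234", "12345", "123456", "0000", "1111", "password", "admin", "secret"}


def password_score(password):
    """Assumed scheme: estimated entropy in bits x 4, scaled down when few distinct characters
    are used. Under this scheme 8 lowercase letters score 150 and 10 mixed characters about 260."""
    if not password:
        return 0
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    if charset == 0:
        return 0
    entropy_bits = len(password) * math.log2(charset)
    distinct_ratio = len(set(password)) / len(password)  # "aaaaaaaa" is not 8 characters of entropy
    return int(entropy_bits * 4 * distinct_ratio)


def check_password(username, password, extension=None, level="high"):
    """Return (ok, reason). The slides' weak cases are rejected before any scoring."""
    if not password:
        return False, "empty password"
    if password == username or (extension is not None and password == str(extension)):
        return False, "same as the username/extension"
    if password.lower() in COMMON_WEAK:
        return False, "easily guessable"
    minimum = HIGH_MIN_SCORE if level == "high" else MEDIUM_MIN_SCORE
    score = password_score(password)
    if score < minimum:
        return False, f"score {score} below the {level} minimum of {minimum}"
    return True, f"score {score}"


def audit_accounts(accounts, level="high"):
    """Status-screen style report: (username, reason) for every account failing the policy.
    `accounts` is an iterable of (username, password) pairs; for extensions the username
    is the extension number."""
    report = []
    for username, password in accounts:
        ok, reason = check_password(username, password, extension=username, level=level)
        if not ok:
            report.append((username, reason))
    return report
```

`check_password` is the hook to call when an extension or admin password is set, so the policy is enforced rather than recommended; `audit_accounts` is the periodic check that produces the "password is weak" status the slide describes for accounts provisioned before the policy existed.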
Prepay support
• Ability to put a rate table in the PBX.
• Put a dollar amount on the extension or on the whole PBX.
• Once the balance is exhausted, no more external calls for that extension or system.
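The rate table and balance logic from this slide and the trunk restrictions from the toll-fraud slide, as an added example that is not Snom's code or part of the slides: the dialled number is priced by longest-prefix match against a rate table, the call is only authorized when both the extension's and the system-wide balance cover at least a minute, the PBX gets a maximum duration to hang up at, and the cost is deducted afterwards. The rates, per-started-minute billing and the sample numbers and balances are assumptions constructed for this example.

```python
"""Prepaid balance and rate-table enforcement on an outbound trunk: a call is only
placed when the extension's and the system-wide balance cover it, the PBX caps the
call's duration by the remaining balance, and the cost is deducted afterwards.
Added example, not Snom's code; the rate table, per-started-minute billing and the
numbers below are constructed for this example."""
import math
from decimal import Decimal

# Constructed rate table: dialled prefix -> price per minute. Longest prefix wins, so a
# premium-rate number is priced by "1900" rather than by the generic "1" entry.
RATE_TABLE = {
    "1": Decimal("0.02"),
    "1900": Decimal("2.50"),
    "44": Decimal("0.04"),
    "40": Decimal("0.15"),
}


def lookup_rate(number):
    """Longest-prefix match of the dialled digits; None means no route, so the call is refused."""
    digits = number.lstrip("+")
    for length in range(len(digits), 0, -1):
        rate = RATE_TABLE.get(digits[:length])
        if rate is not None:
            return rate
    return None


class PrepaidAccount:
    """A balance that can belong to one extension or to the whole PBX."""

    def __init__(self, name, balance):
        self.name = name
        self.balance = Decimal(balance)

    def max_call_seconds(self, number):
        """Whole minutes the remaining balance pays for at this destination's rate, in seconds."""
        rate = lookup_rate(number)
        if rate is None or rate <= 0:
            return 0
        return int(self.balance // rate) * 60

    def charge(self, number, seconds):
        """Deduct a completed call, billed per started minute (assumption)."""
        rate = lookup_rate(number)
        cost = rate * math.ceil(seconds / 60)
        self.balance -= cost
        return cost


def authorize_call(extension, system, number):
    """Return (allowed, max_seconds, reason). Both balances must cover at least one minute;
    the PBX should hang up at max_seconds so a balance can never go negative."""
    if lookup_rate(number) is None:
        return False, 0, "no rate for destination"
    limit = min(extension.max_call_seconds(number), system.max_call_seconds(number))
    if limit == 0:
        return False, 0, "balance exhausted"
    return True, limit, f"up to {limit} s"


def settle_call(extension, system, number, seconds):
    """Charge both balances for a finished call and return the cost."""
    cost = extension.charge(number, seconds)
    system.charge(number, seconds)
    return cost
```

Refusing destinations with no rate-table entry is what restricts the trunk: an extension can only reach prefixes the admin has priced, and a compromised extension stops at its own balance even before the system-wide limit is reached.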
Protecting the conversation!
• Probably the easiest, since it is not a new problem to solve (e.g. HTTPS).
• Probably the hardest to implement: certificates, keys, encryption, VPNs.