Securing your IP based Phone System
By Kevin Moroz
VP Technology
Snom Inc.

What are we trying to protect?
Denial of Service – the phone system is down!
Toll Fraud – a very large phone bill!
Eavesdropping – someone listening to your calls.
Call detail records exposed – who is calling you and who are you calling!
Karma! – keeping everyone happy!
  remote users, internal users, road warriors, finance, admins
  the system should be “Set it and forget it”
  moves, adds and changes SHOULD be the major activity

Denial of Service is Priority 1
DoS attacks can take your whole system down.
  nobody can call you and you can’t call anybody for help! Worst case scenario!
If your phone system sits on a public IP address this is a very realistic scenario.
Why be on a public IP address?
  makes it very easy for remote users to connect from home and on the road from behind NAT’d devices, if the IPBX has this capability.
  debatable whether this is the practical scenario for enterprises, but a must for service providers.

Intrusion Detection is a must!
Need to automatically detect an attack and email the admin.

Intruder Alert! Automatic Email Notification
From: thepbx@yourcompany.com [mailto:admin@mycompany.com]
Sent: Sunday, January 09, 2011 8:57 PM
To: admin@mycompany.com.com
Subject: My Company Name Goes here: Address 69.61.210.157 has been blacklisted
The IP address 69.96.218.157 has been blacklisted for 1440 minutes because there were 10 unsuccessful authentication attempts (sip).

From: thepbx@yourcompany.com [mailto:admin@mycompany.com]
Sent: Sunday, January 09, 2011 8:57 PM
To: admin@mycompany.com.com
Subject: My Company Name Goes here: Address 70.96.218.17 has been blacklisted
The IP address 70.96.218.17 has been blacklisted for 1440 minutes because there were 10 unsuccessful authentication attempts (http).
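
As an added example (not Snom's or any PBX's own code), here is detection logic that produces the alert shown above: ten failed SIP or HTTP logins from one source address blacklist it for 1440 minutes and queue an e-mail to the admin. The log line format, the addresses and the timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 10    # unsuccessful attempts before the address is blacklisted
BAN_MINUTES = 1440   # ban length quoted in the alert (24 hours)

def _dt(t):                       # accept a datetime or an ISO 8601 string
    return datetime.fromisoformat(t) if isinstance(t, str) else t

class IntrusionDetector:
    def __init__(self):
        self.failures = defaultdict(int)  # ip -> failures since last success/ban
        self.blacklist = {}               # ip -> datetime the ban expires
        self.alerts = []                  # e-mail bodies waiting for the admin

    def is_blocked(self, ip, now):
        """True while a ban is active; an expired ban is dropped on the way."""
        expiry = self.blacklist.get(ip)
        if expiry is not None and _dt(now) < expiry:
            return True
        self.blacklist.pop(ip, None)      # no ban, or it has expired
        return False

    def record(self, ip, service, ok, now):
        """Feed one authentication result ("sip" or "http") for a source address."""
        now = _dt(now)
        if self.is_blocked(ip, now):
            return                        # still banned, nothing new to report
        if ok:
            self.failures.pop(ip, None)   # a successful login resets the count
            return
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.blacklist[ip] = now + timedelta(minutes=BAN_MINUTES)
            self.failures.pop(ip, None)
            self.alerts.append(
                f"The IP address {ip} has been blacklisted for {BAN_MINUTES} minutes because "
                f"there were {MAX_FAILURES} unsuccessful authentication attempts ({service}).")

def process_log(lines):
    """Run constructed "<ISO time> <service> <auth-ok|auth-fail> <ip>" lines."""
    det = IntrusionDetector()
    for line in lines:
        stamp, service, event, ip = line.split()
        det.record(ip, service, event == "auth-ok", stamp)
    return det

# Constructed sample: a scanner hammering SIP, and a user who mistypes once.
SAMPLE_LOG = [f"2011-01-09T20:50:{i:02d} sip auth-fail 203.0.113.7" for i in range(10)]
SAMPLE_LOG += ["2011-01-09T20:51:00 http auth-fail 198.51.100.9", "2011-01-09T20:51:05 http auth-ok 198.51.100.9"]
```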

Many programs on the Internet to “test” the system for vulnerabilities.

Friendly VoIP Scanner – not so friendly!
  scans the network with SIP packets.
  Once it gets a SIP response back like a 401 or a 404 it sends massive amounts of SIP packets to the IP address.
  Renders it useless since it is too busy processing all of the packets.
  Even if you have port forwarding the router will forward the calls and bog it down.
Need something intelligent to figure out you are being attacked and to do something about it while maintaining the current call load.

SipVicious!
  test tool that can go rogue easily.
  test tools gone wild!

hackingvoip.com
  probably a good read to learn some torture tricks for an IPBX!
Not a bad idea to test your system with some of these public tools.

More free “tools” available
  these tools make it easier for “newbies” to be able to launch “DoS” attacks.

IPBX should monitor the CPU!
If more than x% of the CPU is in use then don’t accept any more calls.
  Send a 5xx message – Server Failure with the reason code in the packet.
  protects current calls so they are processed without any quality issues.
  New calls may not go through until a call is released or the CPU is under the threshold.
  Send an email alert!
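
As an added example (not the PBX's own code), this is the admission control the slide describes: while the CPU is over the threshold, calls already in progress are left alone and each new INVITE is answered with a 503 whose Reason header (RFC 3326) and Retry-After carry the cause. The 80% threshold, the 30 second retry interval and the sample INVITE are assumptions for the example.

```python
import secrets

CPU_THRESHOLD_PCT = 80   # the "x%" on the slide; assumed value
RETRY_AFTER_SECS = 30    # how long the caller should wait before retrying
# Headers a response must copy from the request (RFC 3261 section 8.2.6.2)
COPIED_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq")

def parse_headers(msg):
    """Map header name -> list of values for a SIP request (body ignored)."""
    headers = {}
    for line in msg.split("\r\n")[1:]:
        if not line:                  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return headers

def build_503(invite, cpu_pct):
    """Build a 503 Service Unavailable that rejects only this new call."""
    hdrs = parse_headers(invite)
    out = ["SIP/2.0 503 Service Unavailable"]
    for name in COPIED_HEADERS:
        for value in hdrs.get(name, []):
            if name == "To" and ";tag=" not in value:
                value += ";tag=" + secrets.token_hex(4)   # a UAS must tag To
            out.append(f"{name}: {value}")
    out.append(f"Retry-After: {RETRY_AFTER_SECS}")
    out.append(f'Reason: SIP;cause=503;text="CPU load {cpu_pct:.0f}% over {CPU_THRESHOLD_PCT}%"')
    out.append("Content-Length: 0")
    return "\r\n".join(out) + "\r\n\r\n"

def handle_invite(invite, cpu_pct):
    """Return ("accept", None) under the threshold, else ("reject", 503 text)."""
    if cpu_pct <= CPU_THRESHOLD_PCT:
        return ("accept", None)
    return ("reject", build_503(invite, cpu_pct))

# Constructed INVITE from extension 101 to 201 (addresses are documentation ranges).
SAMPLE_INVITE = (
    "INVITE sip:201@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:101@pbx.example.net>;tag=1928301774\r\n"
    "To: <sip:201@pbx.example.net>\r\n"
    "Call-ID: constructed-call-1@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n")
```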

Different topologies
IPBX has one network interface card (NIC) on a private address. Remote users VPN in.
  not practical since not many phones support VPN natively yet and it is complex to set up the VPN endpoints.
  OpenVPN is a good open source project.
IPBX has one NIC on a private address with a SIP aware router/session border controller installed.
IPBX is on a public IP address and a private IP address.
  make sure you’re running the latest OS and patches.
IPBX is only on a public IP address
  service providers

Need slide with picture of scenarios

Toll Fraud – Big business! Big Money
VoIP Bandit – Got ’em!
http://www.amw.com/fugitives/capture.cfm?id=49218&refresh=1
Recent 12 Million dollar case in Romania.
Not

1st line of defense is the passwords!
Most toll fraud is accomplished by guessing simple passwords. Extension 101 / password 101.
This happened to one of my customers just last week. The ITSP cut them off at $250 since their usage spiked dramatically.

How to protect against toll fraud
  password management
  restrict Direct Inward Station Access (DISA) accounts or calling card type features.
  Put a rate table on the trunk and restrict the accounts.
  prepay or have the ITSP put limits on the accounts.

How can we train the users?
Force them to use strong passwords?
How? Make sure the system forces them!

Difference between High and Medium Passwords
Medium Security: The score must be 120 or higher
High Security: The score must be 200 or higher

Admin needs to monitor passwords!
The status screen indicates that the password is weak:
  either it is the same as the username,
  or it is easily guessable, e.g. 1234.
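
As an added example (not the PBX's own status check), an audit that flags the weak patterns these slides name: a password equal to the username or to the extension number (the 101 / 101 case) and trivially guessable strings such as 1234. The repeated-digit, sequential-digit and minimum-length checks are my additions, and the account list is constructed.

```python
import re

GUESSABLE = {"1234", "12345", "123456", "0000", "1111", "password", "admin", "pass"}
MIN_LENGTH = 8   # assumed minimum; the slides give only a score threshold

def is_sequential_digits(s):
    """True for runs like 1234 or 98765 (each digit one step from the previous)."""
    if not s.isdigit() or len(s) < 3:
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}

def weak_reasons(extension, username, password):
    """Return the reasons a password is weak; an empty list means it passed."""
    pw = password.lower()
    reasons = []
    if pw == username.lower():
        reasons.append("same as username")
    if pw == str(extension):
        reasons.append("same as extension")
    if pw in GUESSABLE:
        reasons.append("commonly guessed value")
    if re.fullmatch(r"(.)\1+", pw):
        reasons.append("single repeated character")
    if is_sequential_digits(pw):
        reasons.append("sequential digits")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    return reasons

def audit(accounts):
    """Map extension -> reasons for every weak (extension, username, password) row."""
    report = {}
    for extension, username, password in accounts:
        reasons = weak_reasons(extension, username, password)
        if reasons:
            report[extension] = reasons
    return report

# Constructed accounts: the slide's 101/101 case, a 1234 user, and a sound one.
SAMPLE_ACCOUNTS = [
    (101, "101", "101"),
    (102, "jsmith", "1234"),
    (103, "mjones", "Vq7!pL2#xR9m"),
]
```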

Prepay support
  ability to put a rate table in the PBX
  put a dollar amount in on the extension or the whole PBX.
Once the balance is expired, no more external calls for that extension or system.

Number of SRTP implementations

Protecting the conversation!
Probably the easiest, since it is not a new problem to solve, i.e. HTTPS.
Probably the hardest to implement:
  certificates, keys, encryption, VPNs