Securing your IP based Phone System - PowerPoint Presentation

Uploaded by briana-ranney on 2016-02-21


By Kevin Moroz, VP Technology, Snom Inc. What are we trying to protect? Denial of Service: the phone system is down. Toll Fraud: a very large phone bill. Eavesdropping: someone listening to your calls. ID: 225500



Presentation Transcript

Slide1

Securing your IP based Phone System

By Kevin Moroz, VP Technology, Snom Inc.

Slide2

What are we trying to protect?

Denial of Service – the phone system is down!

Toll Fraud – a very large phone bill!

Eavesdropping – someone listening to your calls.

Call detail records exposed – who is calling you and who are you calling!

Karma! – keeping everyone happy: remote users, internal users, road warriors, finance, admins.

The system should be “set it and forget it”: moves, adds and changes SHOULD be the major activity.

Slide3

Denial of Service is Priority 1

DoS attacks can take your whole system down.

Nobody can call you and you can’t call anybody for help! Worst case scenario!

If your phone system sits on a public IP address this is a very realistic scenario.

Why be on a public IP address?

It makes it very easy for remote users to connect from home and on the road from behind NAT’d devices, if the IPBX has this capability.

Debatable whether this is the practical scenario for enterprises, but a must for service providers.

Slide4

Intrusion Detection is a must!

Need to automatically detect an attack and email the admin.

Slide5

Intruder Alert! Automatic Email Notification

From: thepbx@yourcompany.com [mailto:admin@mycompany.com]
Sent: Sunday, January 09, 2011 8:57 PM
To: admin@mycompany.com.com
Subject: My Company Name Goes here: Address 69.61.210.157 has been blacklisted

The IP address 69.96.218.157 has been blacklisted for 1440 minutes because there were 10 unsuccessful authentication attempts (sip).

From: thepbx@yourcompany.com [mailto:admin@mycompany.com]
Sent: Sunday, January 09, 2011 8:57 PM
To: admin@mycompany.com.com
Subject: My Company Name Goes here: Address 70.96.218.17 has been blacklisted

The IP address 70.96.218.17 has been blacklisted for 1440 minutes because there were 10 unsuccessful authentication attempts (http).
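The blacklisting logic behind alerts like these, as an added example that is not the presentation's or snom's code: it counts failed SIP/HTTP logins per source, bans a source for the 1440 minutes after the 10 attempts quoted in the e-mails, and composes the notification text. The event tuples, IP addresses and class names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
FAIL_THRESHOLD = 10   # unsuccessful attempts before a source is blacklisted (from the alert)
BAN_MINUTES = 1440    # ban length quoted in the alert e-mail (24 hours)

class AuthFailureMonitor:
    """Counts failed SIP/HTTP logins per source and blacklists repeat offenders."""
    def __init__(self, company_name, admin_email):
        self.company_name, self.admin_email = company_name, admin_email
        self.failures = defaultdict(int)   # (ip, service) -> failures since the last success
        self.blacklist = {}                # ip -> datetime when the ban lapses
        self.notifications = []            # alert e-mails the PBX would send to the admin

    def is_blocked(self, ip, now):
        expiry = self.blacklist.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.blacklist.pop(ip, None)       # no ban, or the ban has lapsed
        return False

    def record(self, now, ip, service, success):
        """Feed one authentication attempt; returns True if the source is (now) blacklisted."""
        if self.is_blocked(ip, now):
            return True
        key = (ip, service)
        if success:
            self.failures.pop(key, None)   # a good login resets the counter
            return False
        self.failures[key] += 1
        if self.failures[key] < FAIL_THRESHOLD:
            return False
        self.blacklist[ip] = now + timedelta(minutes=BAN_MINUTES)
        self.failures.pop(key, None)
        self.notifications.append(
            f"To: {self.admin_email}\n"
            f"Subject: {self.company_name}: Address {ip} has been blacklisted\n\n"
            f"The IP address {ip} has been blacklisted for {BAN_MINUTES} minutes "
            f"because there were {FAIL_THRESHOLD} unsuccessful authentication attempts ({service}).")
        return True

def replay(events, monitor):
    """Replay (timestamp, ip, service, success) events; returns the set of blacklisted IPs."""
    for ts, ip, service, ok in events:
        monitor.record(ts, ip, service, ok)
    return set(monitor.blacklist)

# Constructed sample: a scanner hammering SIP registration, plus a user who typed one bad password.
T0 = datetime(2011, 1, 9, 20, 50)
SAMPLE_EVENTS = [(T0 + timedelta(seconds=i), "198.51.100.7", "sip", False) for i in range(12)]
SAMPLE_EVENTS += [(T0, "192.0.2.10", "sip", False), (T0 + timedelta(seconds=5), "192.0.2.10", "sip", True)]
```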

Slide6

Many programs on the Internet to “test” the system for vulnerabilities.

Slide7

Friendly VoIP Scanner – not so friendly!

Scans the network with SIP packets.

Once it gets a SIP response back, like a 401 or a 404, it sends massive amounts of SIP packets to the IP address.

Renders it useless since it is too busy processing all of the packets.

Even if you have port forwarding, the router will forward the calls and bog it down.

Need something intelligent to figure out you are being attacked and to do something about it while maintaining the current call load.

Slide8

SipVicious!

A test tool that can go rogue easily.

Test tools gone wild!

Slide9

hackingvoip.com

Probably a good read to learn some torture tricks for an IPBX!

Not a bad idea to test your system with some of these public tools.

Slide10

More free “tools” available

These tools make it easier for “newbies” to launch “DOS” attacks.

Slide11

IPBX should monitor the CPU!

If more than x% of the CPU is in use then don’t accept any more calls.

Send a 5xx message – Server Failure with the reason code in the packet.

Protects current calls so they are processed without any quality issues.

New calls may not go through until a call is released or the CPU is under the threshold.

Send email alert!
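An added example of the CPU-based call admission this slide describes (not snom's code): while CPU load is over the threshold, new INVITEs are refused with a 503 Service Unavailable carrying Retry-After and a Warning header as the reason, existing calls are left alone, and one alert is raised per overload episode. The 80% threshold, the class names and the CPU reading passed in by the caller are assumptions.

```python
CPU_THRESHOLD_PERCENT = 80   # the slide's "x%"; assumed value

class CallAdmissionController:
    """Refuses new calls with a 5xx while the CPU is over the threshold; existing calls continue."""
    def __init__(self, threshold=CPU_THRESHOLD_PERCENT):
        self.threshold = threshold
        self.active_calls = set()
        self.alerts = []          # e-mail alerts that would be sent to the admin
        self.over_load = False

    def handle_invite(self, call_id, cpu_percent):
        """Admit or reject one INVITE; returns (accepted, sip_status_line, extra_headers)."""
        if cpu_percent > self.threshold:
            if not self.over_load:    # alert once per overload episode, not per rejected call
                self.over_load = True
                self.alerts.append(f"CPU at {cpu_percent}% exceeds {self.threshold}%; rejecting new calls")
            return (False, "SIP/2.0 503 Service Unavailable",
                    {"Retry-After": "30",
                     "Warning": f'399 pbx "CPU load {cpu_percent}% above {self.threshold}% threshold"'})
        self.over_load = False
        self.active_calls.add(call_id)
        return (True, "SIP/2.0 100 Trying", {})

    def release(self, call_id):
        """A released call frees capacity; new calls are admitted again once CPU drops."""
        self.active_calls.discard(call_id)

def build_response(status_line, headers, request_headers):
    """Assemble the reply text, echoing the dialog-identifying headers of the INVITE."""
    lines = [status_line]
    for name in ("Via", "From", "To", "Call-ID", "CSeq"):
        lines.append(f"{name}: {request_headers[name]}")
    for name, value in headers.items():
        lines.append(f"{name}: {value}")
    lines.append("Content-Length: 0")
    return "\r\n".join(lines) + "\r\n\r\n"
```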

Slide12

Different topologies

IPBX has one network interface card (NIC) on a private address. Remote users VPN in. Not practical, since not many phones support VPN natively yet and it is complex to set up the VPN endpoints. OpenVPN is a good open source project.

IPBX has one NIC on a private address with a SIP aware router/session border controller installed.

IPBX is on a public IP address and a private IP address. Make sure you’re running the latest OS and patches.

IPBX is only on a public IP address: service providers.

Slide13

Need slide with picture of scenarios

Slide14

Toll Fraud – Big business! Big Money

VoIP Bandit – Got ’em!

http://www.amw.com/fugitives/capture.cfm?id=49218&refresh=1

Recent 12 million dollar case in Romania.

Not

Slide15

1st line of defense is the passwords!

Most toll fraud is accomplished by guessing simple passwords. Extension 101 / password 101.

This happened to one of my customers just last week. The ITSP cut them off at $250 since their usage spiked dramatically.

Slide16

How to protect against toll fraud

Password management.

Restrict Direct Inward Station Access (DISA) accounts or calling card type features.

Put a rate table on the trunk and restrict the accounts.

Prepay, or have the ITSP put limits on the accounts.

Slide17

How can we train the users?

Force them to use strong passwords?

How? Make sure the system forces them!

Slide18

Difference between High and Medium Passwords

Medium Security: The score must be 120 or higher

High Security: The score must be 200 or higher

Slide19

Admin needs to monitor passwords!

The status screen indicates that the password is weak:

either it is the same as the username,

or it is easily guessable, e.g. 1234.
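A weak-password check of the kind this status screen performs, as an added example (not snom's scoring; the 120/200 score scale of the previous slide is not defined on the page). It flags the cases the deck names, namely a password equal to the username, the extension-101 / password-101 case from Slide 15, and easily guessable values like 1234. The 8-character minimum, the guess list and the sample accounts are constructed assumptions.

```python
# Constructed list of values a scanner would try first; extend from real incident data.
COMMON_GUESSES = {"1234", "12345", "123456", "0000", "1111", "password", "admin"}
MIN_LENGTH = 8   # assumed minimum, not from the slides

def is_sequential(value):
    """True for ascending or descending digit runs such as 1234 or 4321."""
    if len(value) < 3 or not value.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(value, value[1:])}
    return steps in ({1}, {-1})

def password_problems(extension, username, password):
    """Return the reasons the status screen would mark this SIP password as weak ([] if none)."""
    problems = []
    pw = password.lower()
    if pw == username.lower():
        problems.append("same as the username")
    if pw == str(extension):
        problems.append("same as the extension")   # the 'extension 101 / password 101' case
    if pw in COMMON_GUESSES or is_sequential(pw) or len(set(pw)) == 1:
        problems.append("easily guessable")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems

def audit(accounts):
    """Run the check over {extension: (username, password)}; returns only the weak accounts."""
    report = {}
    for ext, (user, pw) in accounts.items():
        problems = password_problems(ext, user, pw)
        if problems:
            report[ext] = problems
    return report

# Constructed sample accounts, not real credentials.
SAMPLE_ACCOUNTS = {
    101: ("101", "101"),             # the classic toll-fraud victim from Slide 15
    102: ("bob", "1234"),            # the guessable value named on this slide
    103: ("alice", "alice"),         # password equals username
    104: ("carol", "Tq7#wLp9vZ2m"),  # should pass
}
```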

Slide20

Prepay support

Ability to put a rate table in the PBX.

Put a dollar amount on the extension or the whole PBX.

Once the balance is expired, no more external calls for that extension or system.

Slide21

Number of SRTP implementations


Slide24

Protecting the conversation!

Probably the easiest, since it is not a new problem to solve, i.e. HTTPS.

Probably the hardest to implement:

certificates, keys, encryption, VPNs

Slide25

Number of SRTP implementations