
Security in VoIP networks

Statistically, at the beginning of every month one or two clients of an average operator find themselves in an unpleasant situation: they come to understand that their money has been taken. Why at the beginning of the month? That is when operators print and send customers the invoices for the previous month.

Asterisk security is discussed by everyone who knows how to spell the word. I would like to raise the question of security in VoIP networks once again, this time from the point of view of an employee of a SIP operator; perhaps that is closer to the truth.

Popular opinion holds that Asterisk (hereinafter *) gets broken into very often, very easily, very [insert your own word]. In reality, everything gets broken into. * ends up on this list most often because it is open source and is deployed (mostly) by companies that do not have the money for a CUCM with two CUBEs and an ASA in reserve. It is not about any supposed "flaws" of an open and free product; it is simply that * is usually not fully configured, and neither is its environment. And * is set up by administrators and "any-key" helpdesk staff who, in doing so, make their first acquaintance with VoIP.

If they tell you to do it, you have to do it. But first of all, if you have been tasked with setting up * or implementing IP telephony in a company, relieve yourself of all possible future moral and financial liability with an "I am not responsible" statement signed by the director, and only then set it up.
From time to time I come across such articles on Habr and elsewhere on the Internet; they mostly say necessary and useful things. I did not search specifically, but I have not come across articles that touch on something like endpoint security. Perhaps gateway security is mentioned somewhere.

I will not repeat what has already been covered in detail elsewhere; instead I will highlight what, in my opinion, are the neglected points. Do not do someone else's work, but if you have taken it on, pay more attention to the following.

Combine knowledge

Install, finish, set up, protect, inspect, inspect #2, test.

To the articles above I would like to add a little of my own.
If only SIP is required from *, then obviously the remaining chan_* modules are not needed.
In modules.conf we add a noload line for everything we will not use:
noload => chan_jingle.so
noload => chan_skinny.so
noload => chan_iax2.so
noload => chan_console.so
noload => chan_mgcp.so
noload => chan_gtalk.so


Remove the default config files:
rm /etc/asterisk/extensions.conf
rm /etc/asterisk/sip.conf

and write our own according to the instructions above.

In addition, in sip.conf:
[general]
useragent=Linksys/SPA8000-5.1.10 ; in SIP packets * will identify itself as a Linksys SPA8000 of this version
sdpsession=Linksys SPA8000-5.1.10 ; SDP also has a field carrying the agent name; we change it too, so that not only bots get confused

And the default context in extensions.conf:
[default]
exten => _X.,1,Hangup
; everyone who lands in the default context when calling somewhere gets hung up on
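The sip.conf points above (fixed useragent, address-bound accounts, no default credentials) are easy to forget on a box with dozens of peers. The following is an added example, not code from the article: a small audit script that parses Asterisk's INI-like config syntax (`[section](template)` headers, `key=value` or `key=>value` lines, `;` comments, duplicate keys such as several `permit`/`deny` lines) and reports dynamic-host accounts with no address restriction, weak secrets, and a missing `useragent`. It also checks the real chan_sip option `alwaysauthreject=yes`, which the article does not mention; the sample sip.conf is constructed for the demonstration.

```python
"""Audit an Asterisk chan_sip configuration for the hardening points above.

Added example, not code from the article. Assumes Asterisk's INI-like
config syntax: [section](template) headers, key=value or key=>value
lines, ';' comments, and duplicate keys (several permit/deny lines).
"""
import re

# Constructed sample sip.conf: 101 is address-bound, 102 accepts
# registration from any address, 103 uses its own number as the secret,
# trunk-out is a static-host trunk (IP-based auth, no secret needed).
SAMPLE_SIP_CONF = """\
[general]
context=default
useragent=Linksys/SPA8000-5.1.10
sdpsession=Linksys SPA8000-5.1.10
alwaysauthreject=yes   ; real chan_sip option, not mentioned in the article

[101]
type=friend
secret=REPLACE_WITH_A_LONG_RANDOM_SECRET
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0

[102]
type=friend
secret=REPLACE_WITH_A_LONG_RANDOM_SECRET
host=dynamic
context=internal

[103]
type=friend
secret=103
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0

[trunk-out]
type=peer
host=sip.example.net
context=from-trunk
"""

SECTION_RE = re.compile(r"^\[([^\]]+)\](?:\([^)]*\))?$")


def parse_asterisk_conf(text):
    """Return {section: [(key, value), ...]}, preserving duplicate keys."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        sep = "=>" if "=>" in line else "="
        if sep not in line:
            continue
        key, value = line.split(sep, 1)
        sections[current].append((key.strip(), value.strip()))
    return sections


def audit_sip_conf(text):
    """Return a list of (section, finding) tuples."""
    findings = []
    sections = parse_asterisk_conf(text)
    general = dict(sections.get("general", []))
    if "useragent" not in general:
        findings.append(("general", "useragent not set; * identifies itself in SIP headers"))
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject=yes not set; failed auth reveals which accounts exist"))
    for name, entries in sections.items():
        if name == "general":
            continue
        values = dict(entries)
        keys = {k for k, _ in entries}
        if values.get("type") not in ("friend", "peer", "user"):
            continue
        if values.get("host") != "dynamic":
            continue  # static-host peers are already bound to one address
        if not {"deny", "permit"} <= keys:
            findings.append((name, "dynamic host with no deny/permit: any source address may register"))
        secret = values.get("secret", "")
        if not secret or secret == name or len(secret) < 8:
            findings.append((name, "missing, short or guessable secret"))
    return findings


def flagged_sections(text):
    """Sorted names of sections that have at least one finding."""
    return sorted({section for section, _ in audit_sip_conf(text)})


if __name__ == "__main__":
    for section, finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{section}] {finding}")
```

Run it against `/etc/asterisk/sip.conf` by reading the file into `audit_sip_conf`; on the constructed sample it reports 102 (registration from anywhere) and 103 (secret equal to the account name), while 101 and the static trunk pass.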

Whatever goes wrong, the usual suspect gets the blame at once!


Today * is not the hero of the day. I am getting to the main idea of this article. As many may have noticed, administrators first of all want to secure *, and they succeed if they follow the recommendations. But which of you stops to think: what if the weak point is the endpoint?
An endpoint is an IP phone, a VoIP gateway with a fax connected to it, a softphone running on the manager's computer, or any other entry point into the VoIP network set up by the end user.

Take care of protecting the environment, and do not forget about it. I will explain what I mean with examples.
For convenience of management and remote administration, IP phones are often exposed to the Internet. In the course of my work, in order to prevent possible incidents, I scanned the addresses of the company's (the operator's) clients. Links like these turned up:
external_address:8101
external_address:8102
external_address:8103

Here 101, 102, 103 is the extension number assigned to the phone (it is more convenient for the admin). Opening the link takes us into the phone's web interface, and from there everything depends on the vendor. If it is Cisco, the admin is lucky; if Linksys, the admin is also lucky: most likely the bill for international (MN) calls will not come. It is better not to find out what happens if a person with malicious intent gets even web access to Polycom phones.

There are other manufacturers; we need not look far for examples. China is famous for its good equipment, and by the way, it is good equipment. They release a no-name IP phone, most often found under the name Fanvil BW210: it rings, forwards, shows the time, is cheap and not buggy. It has several siblings that differ in name, but otherwise the box and the web interface are the same. One feature makes it stand out: if memory serves, requesting
ip_phone/config.txt returns the configuration with all the credentials in clear text.

VoIP gateways are, unfortunately, exposed to the World Wide Web even more often. Typically the gateway acts as a "mixer" of technologies, but it can also act as an ip2ip gateway. From a phone one can steal credentials; through a gateway one can route traffic at the owner's expense.

For someone who is looking, guessing a password will not take as long as we would like. Therefore strictly restrict access and allow it only from "their own" addresses. This also applies to alerting. Three kinds of impact on a gateway are possible:
  1. Password guessing and subsequent access to the admin panel.
  2. If there are SIP accounts on the gateway and there is no source-address verification, or it is not fully configured, the credentials are picked up and traffic is sent through them.
  3. Flooding it with junk traffic: 100% CPU usage, normal requests are not processed, and legitimate traffic is denied service.
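The exposed phones found on ports 8101-8103 and the advice to allow gateway access only from known addresses come down to one check on the client's router: which port-forwards reach an endpoint's web admin port without a source restriction? The following is an added example, not code from the article or from any vendor: it parses `iptables-save` output for DNAT rules and lists the forwards that reach an admin port from anywhere. The sample rule set is constructed, and the set of admin ports is an assumption to be adjusted to your own estate.

```python
"""List port-forwards that expose endpoint/gateway web admin ports to the
whole Internet. Added example, not from the article; it assumes the
`iptables-save` text format and that admin interfaces listen on ADMIN_PORTS.
"""
import shlex

# Constructed excerpt of `iptables-save` output for a client's router:
# phones 101-103 behind 8101-8103 as in the article, SIP and a gateway
# web UI on 8443. 8102 and 8443 are restricted to a source address.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8101 -j DNAT --to-destination 192.168.10.101:80
-A PREROUTING -s 203.0.113.5/32 -p tcp -m tcp --dport 8102 -j DNAT --to-destination 192.168.10.102:80
-A PREROUTING -s 0.0.0.0/0 -p tcp -m tcp --dport 8103 -j DNAT --to-destination 192.168.10.103:80
-A PREROUTING -p udp -m udp --dport 5060 -j DNAT --to-destination 192.168.10.2:5060
-A PREROUTING -s 203.0.113.0/24 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 192.168.10.2:443
COMMIT
"""

ADMIN_PORTS = {80, 443, 8080, 8443}   # assumption: where phone/gateway web UIs listen
ANY_SOURCE = {None, "0.0.0.0/0", "0/0"}  # no -s, or an explicit match-all source


def parse_dnat_rules(text):
    """Parse '-A <chain> ... -j DNAT --to-destination host[:port]' lines."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A ") or "-j DNAT" not in line:
            continue
        tokens = shlex.split(line)
        rule = {"chain": tokens[1], "src": None, "proto": None, "dport": None, "dest": None}
        i = 2
        while i < len(tokens) - 1:
            flag, arg = tokens[i], tokens[i + 1]
            if flag == "-s":
                rule["src"] = arg
            elif flag == "-p":
                rule["proto"] = arg
            elif flag == "--dport":
                rule["dport"] = int(arg)
            elif flag == "--to-destination":
                rule["dest"] = arg
            else:
                i += 1      # a flag we do not care about (-m, -j, ...)
                continue
            i += 2
        rules.append(rule)
    return rules


def destination_port(rule):
    """Port on the internal host; without an explicit one, DNAT keeps dport."""
    if ":" in rule["dest"]:
        port = rule["dest"].rsplit(":", 1)[1]
        return int(port.split("-")[0])  # 'port-port' ranges: take the first
    return rule["dport"]


def exposed_admin_forwards(text):
    """(external port, internal target) for admin ports reachable from anywhere."""
    exposed = []
    for rule in parse_dnat_rules(text):
        if destination_port(rule) in ADMIN_PORTS and rule["src"] in ANY_SOURCE:
            exposed.append((rule["dport"], rule["dest"]))
    return exposed


if __name__ == "__main__":
    for external_port, target in exposed_admin_forwards(SAMPLE_IPTABLES_SAVE):
        print(f"external port {external_port} -> {target} is open to the whole Internet")
```

Feed it the real output of `iptables-save` on the router; on the constructed sample it flags 8101 and 8103 (the phones with no `-s` restriction) and stays quiet about 8102 and the gateway on 8443, which are limited to the operator's addresses.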

Results

PS A couple of cases from practice

1. There was an admin who looked after the computers, the network and the "office PBX". He set it up by the manual. But something did not work out for him, and at night international (MN) calls started pouring through. An honest provider, who cares about the welfare of its client, will the first time track and block such calls, call the client back in the morning, report and ask: "did blocking the night traffic to Papua New Guinea cause you any inconvenience?"
For several days we had to prove to the client that it was he who had made the calls, before he understood and decided to do something about it. Out of curiosity I went to his external_address:80, saw Trixbox there, found the default administrator login/password on the Internet, entered them, and they worked. The admin was assertive, blamed us, swore and said that everything was fine on his side! The client was indignant and demanded explanations. I had to take a few screenshots of Trixbox's internal interface with a detailed description of the situation, after which the client's contact for technical matters changed.

2. The operator provides the client with a service called "Virtual PBX", "IP Centrex" and so on. The service implies VoIP traffic over external networks, that is, the operator does not bind the registration of the client's extension to its IP address.
The client's admin saw "foreign" calls in the billing and asked for help. The account passwords were changed and re-entered on the phones. The next day the situation repeated. I scanned the client's addresses: about 50 phones (Polycom) were sitting in open access. That administrator has not been fired.

Take care of yourself and your reputation as a reliable specialist!

Source: https://habr.com/ru/post/145206/
