Securing your IP based Phone System
By Kevin Moroz VP Technology Snom Inc.
What are we trying to protect?
• Denial of Service – the phone system is down!
• Toll Fraud – a very large phone bill!
• Eavesdropping – someone listening to your calls.
• Call detail records exposed – who is calling you and who you are calling!
• Karma! – keeping everyone happy!
  – remote users, internal users, road warriors, finance, admins
  – system should be “set it and forget it”
  – moves, adds and changes SHOULD be the major activity
Denial of Service is Priority 1
• DoS attacks can take your whole system down.
  – Nobody can call you and you can’t call anybody for help! Worst-case scenario!
• If your phone system sits on a public IP address this is a very realistic scenario.
• Why be on a public IP address?
  – Makes it very easy for remote users to connect from home and on the road from behind NAT’d devices, if the IPBX has this capability.
  – Debatable whether this is a practical scenario for enterprises, but a must for service providers.
Intrusion Detection is a must!
• Need to automatically detect an attack and email admin
Intruder Alert! Automatic Email Notification
From: [email protected] [mailto:[email protected]]
Sent: Sunday, January 09, 2011 8:57 PM
To: [email protected]
Subject: My Company Name Goes here: Address 69.61.210.157 has been blacklisted
The IP address 69.96.218.157 has been blacklisted for 1440 minutes because there were 10 unsuccessful authentication attempts (sip).

From: [email protected] [mailto:[email protected]]
Sent: Sunday, January 09, 2011 8:57 PM
To: [email protected]
Subject: My Company Name Goes here: Address 70.96.218.17 has been blacklisted
The IP address 70.96.218.17 has been blacklisted for 1440 minutes because there were 10 unsuccessful authentication attempts (http).
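The blacklisting rule these alerts report, as an added Python example that is not the IPBX's own code. The 10-attempt threshold and 1440-minute block come from the alert text; the one-hour counting window, the class and function names and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 10       # threshold quoted in the alert email
BLOCK_MINUTES = 1440    # block duration quoted in the alert email
WINDOW_SECONDS = 3600   # assumption: the slides give no counting window


class AuthBlacklist:
    """Counts failed logins per source IP and blocks repeat offenders."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.blocked_until = {}             # ip -> epoch second the block ends

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is not None and now >= until:
            del self.blocked_until[ip]      # block expired, forget the address
            until = None
        return until is not None

    def record_failure(self, ip, proto, now):
        """Count one failure; return the alert text if this one triggers a block."""
        if self.is_blocked(ip, now):
            return None                     # already being dropped
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # age out failures outside the window
        if len(recent) < MAX_FAILURES:
            return None
        self.blocked_until[ip] = now + BLOCK_MINUTES * 60
        del self.failures[ip]
        return (f"The IP address {ip} has been blacklisted for {BLOCK_MINUTES} "
                f"minutes because there were {MAX_FAILURES} unsuccessful "
                f"authentication attempts ({proto}).")


# Constructed events (epoch second, source IP, protocol); addresses are
# documentation ranges, not real attackers.
SAMPLE = [(i * 5, "203.0.113.7", "sip") for i in range(10)]
SAMPLE.insert(3, (12, "198.51.100.9", "http"))


def replay(events):
    """Feed failed-login events through a fresh blacklist; return alerts raised."""
    blacklist = AuthBlacklist()
    alerts = (blacklist.record_failure(ip, proto, ts) for ts, ip, proto in events)
    return [a for a in alerts if a]
```

The counting window is what keeps a legitimate user who mistypes a password a few times a day from ever reaching the threshold.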
Many programs on the Internet “test” the system for vulnerabilities.
Friendly VoIP Scanner not so friendly!
• Scans the network with SIP packets.
• Once it gets a SIP response back, like a 401 or a 404, it sends massive amounts of SIP packets to the IP address.
• Renders it useless since it is too busy processing all of the packets.
• Even if you have port forwarding, the router will forward the calls and bog it down.
• Need something intelligent to figure out you are being attacked and to do something about it while maintaining the current call load.
SipVicious!
• test tool that can go rogue easily.
• test tools gone wild!
hackingvoip.com
• Probably a good read to learn some torture tricks for an IPBX!
• Not a bad idea to test your system with some of these public tools.
More free “tools” available
• These tools make it easier for “newbies” to launch “DoS” attacks.
IPBX should monitor the CPU!
• If more than x% of the CPU is in use then don’t accept any more calls.
  – Send a 5xx message – Server Failure with the reason code in the packet.
• Protects current calls so they can be processed without any quality issues.
• New calls may not go through until a call is released or CPU is under the threshold.
• Send email alert!
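The admission check described on this slide, as an added Python example that is not taken from any IPBX. The slide says only "5xx" and "x%": the choice of 503 Service Unavailable with Retry-After and Warning headers, the 80% limit, the host name and the sample message are assumptions.

```python
CPU_LIMIT = 80.0   # assumption: the slide leaves the threshold as "x%"
RETRY_AFTER = 30   # assumption: seconds a caller should wait before retrying
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id"}
ECHOED = ("via", "from", "to", "call-id", "cseq")  # headers a reply must copy


def parse_request(raw):
    """Return (method, [(canonical header name, original line), ...])."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method = head[0].split(" ", 1)[0]
    headers = []
    for line in head[1:]:
        name, sep, _ = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers.append((COMPACT.get(key, key), line))
    return method, headers


def admit(raw, cpu_percent):
    """Return None to process the request, or a 503 reply that sheds it."""
    method, headers = parse_request(raw)
    to_line = next((line for key, line in headers if key == "to"), "")
    new_call = method == "INVITE" and ";tag=" not in to_line.lower()
    if not new_call or cpu_percent <= CPU_LIMIT:
        return None  # BYE, ACK, re-INVITE belong to current calls: always serve
    reply = ["SIP/2.0 503 Service Unavailable"]
    reply += [line for key, line in headers if key in ECHOED]
    reply += [f"Retry-After: {RETRY_AFTER}",
              f'Warning: 399 pbx.example.invalid "CPU {cpu_percent:.0f}% over '
              f'{CPU_LIMIT:.0f}% limit"',
              "Content-Length: 0", "", ""]
    return "\r\n".join(reply)


# Constructed request for illustration, not captured traffic.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:102@pbx.example.invalid SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:101@pbx.example.invalid>;tag=1928301774",
    "To: <sip:102@pbx.example.invalid>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Length: 0", "", ""])
```

Only an INVITE without a To tag counts as a new call, so signalling for calls already in progress is never shed.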
Different topologies
• IPBX has one network interface card (NIC) on a private address. Remote users VPN in.
  – Not practical, since not many phones support VPN natively yet and it is complex to set up the VPN endpoints.
  – OpenVPN is a good open source project.
• IPBX has one NIC on a private address with a SIP-aware router/session border controller installed.
• IPBX is on a public IP address and a private IP address.
  – Make sure you’re running the latest OS and patches.
• IPBX is only on a public IP address
  – service providers
Need slide with picture of scenarios
Toll Fraud – Big business! Big Money
• VoIP Bandit Got em! http://www.amw.com/fugitives/capture.cfm?id=49218&refresh=1
• Recent 12 Million dollar case in Romania.
• Not
1st line of defense is the passwords!
• Most toll fraud is accomplished by guessing simple passwords. Extension 101 / password 101.
• This happened to one of my customers just last week. The ITSP cut them off at $250 since their usage spiked dramatically.
How to protect against toll fraud
• Password management.
• Restrict Direct Inward Station Access (DISA) accounts or calling card type of features.
• Put a rate table on the trunk and restrict the accounts.
• Prepay or have the ITSP put limits on the accounts.
How can we train the users?
• Force them to use strong passwords?
  – How? Make sure the system forces them!
Difference between High and Medium Passwords
• Medium Security: The score must be 120 or higher
• High Security: The score must be 200 or higher
Admin needs to monitor passwords!
• The status screen indicates that the password is weak.
  – Either it is the same as the username,
  – or it is easily guessable, like 1234.
Prepay support
• Ability to put a rate table in the PBX.
• Put a dollar amount on the extension or the whole PBX.
• Once the balance is expired, no more external calls for that extension or system.
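How a rate table and a prepaid balance combine to cap toll-fraud losses, as an added Python example that is not the PBX's own code. The prefixes, prices, 3-digit extension length, whole-minute billing and all names are assumptions made for illustration.

```python
from decimal import Decimal

# Constructed rate table: dialled prefix -> dollars per minute.
RATES = {"1": Decimal("0.02"), "1900": Decimal("2.50"),
         "011": Decimal("0.30"), "01140": Decimal("0.45")}
INTERNAL_DIGITS = 3   # assumption: extensions are 3 digits, e.g. 101


class PrepayLedger:
    """Per-extension prepaid balance checked before each external call."""

    def __init__(self, rates, balances):
        self.rates = rates
        self.balances = dict(balances)   # extension -> dollars remaining

    def rate_for(self, dialled):
        """Longest matching prefix wins; None means the table has no route."""
        for n in range(len(dialled), 0, -1):
            if dialled[:n] in self.rates:
                return self.rates[dialled[:n]]
        return None

    def max_seconds(self, ext, dialled):
        """Seconds the call may run: None = unmetered, 0 = refuse the call."""
        if len(dialled) <= INTERNAL_DIGITS:
            return None                  # extension-to-extension call
        rate = self.rate_for(dialled)
        if rate is None:
            return 0                     # no route in the table: refuse
        if rate == 0:
            return None                  # free destination
        balance = self.balances.get(ext, Decimal("0"))
        return int(balance // rate) * 60 # whole minutes the balance covers

    def charge(self, ext, dialled, seconds):
        """Bill whole minutes, rounded up; return the remaining balance."""
        minutes = -(-seconds // 60)
        self.balances[ext] -= self.rate_for(dialled) * minutes
        return self.balances[ext]
```

The PBX has to tear the call down when `max_seconds` elapses; a guessed password can then cost no more than the balance loaded on that extension.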
Protecting the conversation!
• Probably the easiest since not a new problem to solve, e.g. HTTPS.
• Probably the hardest to implement
  – certificates, keys, encryption, VPNs
Number of SRTP implementations