Elastix securing, preventing, monitoring

Bob Fryer, Bluepackets, Australia. 5th conference - ElastixWorld 2011. Elastix securing, preventing, monitoring (Spanish title: Elastix, asegurando, previniendo, monitoreando)

Elastix® Security: Securing, Prevention, Monitoring

Security Reality – the hard facts

Toll Fraud - A growing issue

Toll Fraud – what is the potential damage?

What do they gain from Toll Fraud?

Toll Fraud - Highly organised & Smart

A Quick Analysis of an Attack: SIP Port Probe

A Quick Analysis of an Attack: Extension Harvest

A Quick Analysis of an Attack: Dictionary Attack

A Quick Analysis of an Attack: Quick Facts

Summary

• SIP Hacking Tools are readily available and for free.

• SIPVicious is one such tool.

• Toll Fraud costs money, and can happen to anyone.

• Securing, Prevention, Monitoring is of the utmost importance.

Securing - Extension Security

• Do not use simple words even with a couple of numbers on the end.

• Do not use the extension number as the password

• Passwords like Hy7g6#8!9pWe are good

• Use the Permit/Deny for each extension

• Remote Extensions – require them to use a static IP address, or at least to connect via VPN

• Change the SIP Port for the phone / Extension

Securing - Remote Extensions

Securing - Elastix® PBX Security

Securing – Network Firewall Security

Securing - Elastix® Firewall

Securing - Trunk Security

• Look for Voice Providers that can provide a trunk via a VPN (e.g. OpenVPN)

• Consider using IAX Trunks between offices, and further securing them with RSA keys

• Take the time to understand Trunks and what each configuration line means to your security.

Prevention – Don’t Install applications!!

Prevention – Change Control

Prevention - Use a VPN

Prevention – Outbound options

Prevention - SIP Provider Daily Cost Limits

• Select a Voice Provider that can set a limit per day or per month on call costs.

• Inbound calls are still allowed when you are over your limit

• Greatly limits your possible monetary liability

• Gives you a very clear idea that something is wrong when you can’t make calls out.

Monitoring - Regular Maintenance

• Implement Regular Maintenance

• The time frame will depend on the other security measures in place

• Test SIP Port access from external locations

• Check logs

• Check CDR logs for any unusual events

Monitoring - Log review

• Regularly review the logs

• Review the logs when any unusual event occurs (e.g. calls with nobody there, ringing individual extensions, extensions going offline)

• Look at the following logs:

  • /var/log/messages

  • /var/log/secure

  • /var/log/full
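As an added illustration of the log review step (not part of the original presentation), here is a small Python script that reads constructed lines in the style of the chan_sip registration-failure notices Asterisk writes to its full log, and flags any source that piles up failures in a short window, separating "No matching peer found" (extension harvesting, the pattern a scanner such as SIPVicious produces) from "Wrong password" (dictionary attack). The sample lines, addresses, threshold and window are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the style of chan_sip failure notices in Asterisk's full log (documentation-range addresses).
SAMPLE_LOG = """\
[Oct 12 09:14:01] NOTICE[2231] chan_sip.c: Registration from '"1000"<sip:1000@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[Oct 12 09:14:01] NOTICE[2231] chan_sip.c: Registration from '"1001"<sip:1001@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[Oct 12 09:14:02] NOTICE[2231] chan_sip.c: Registration from '"1002"<sip:1002@192.0.2.10>' failed for '203.0.113.7:5060' - No matching peer found
[Oct 12 09:14:02] NOTICE[2231] chan_sip.c: Registration from '"201"<sip:201@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[Oct 12 09:14:03] NOTICE[2231] chan_sip.c: Registration from '"201"<sip:201@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[Oct 12 09:14:03] NOTICE[2231] chan_sip.c: Registration from '"201"<sip:201@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[Oct 12 09:20:15] NOTICE[2231] chan_sip.c: Registration from '"202"<sip:202@192.0.2.10>' failed for '198.51.100.4:5060' - Wrong password
[Oct 12 09:21:00] NOTICE[2231] chan_sip.c: Registration from '"202"<sip:202@192.0.2.10>' failed for '198.51.100.4:5060' - Wrong password
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)

def parse(log_text):
    """Return (timestamp, source_ip, reason) for each registration failure."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # dialplan, CDR and other log noise is ignored
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["reason"]))
    return events

def classify(events, threshold=3, window_s=60):
    """Flag sources with >= threshold failures inside any window_s span.
    'No matching peer found' across many names is extension harvesting;
    'Wrong password' against one name is a dictionary attack."""
    by_ip = defaultdict(list)
    for ts, ip, reason in events:
        by_ip[ip].append((ts, reason))
    findings = {}
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            span = [r for t, r in hits[i:] if (t - start).total_seconds() <= window_s]
            if len(span) >= threshold:
                findings[ip] = {"extension_harvest": span.count("No matching peer found"),
                                "dictionary": span.count("Wrong password")}
                break  # one finding per source is enough to raise an alert
    return findings
```

The second source (two failures 45 seconds apart) stays below the default threshold, which is the kind of single user mistyping a password that should not page anyone.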

Monitoring - Humbug

• Humbug now part of add-ons for Elastix 2.2+

• Low cost (starting from $4.99 per month) to monitor key call indicators

• Blacklist Alerts, Long Distance Alerts, via email, SMS, etc.

Monitoring - Router/Firewall Log Review

Monitoring – Via Network Management

Monitoring – Who pays for it?

• Sell maintenance contracts to your clients

  • Typically charge 1 or 2 hours per month

  • Review the logs and other housekeeping

• Sell Monitoring Contracts to your clients

  • Monitor for unusual activity

  • Monitor for High Bandwidth Usage

  • Monitor for trunk over-subscription

  • Monitor Connectivity / Phones online

  • Provide monthly graphs

• Sell Security Reviews (even for non-clients)

  • Perform Log check

  • Review Firewall/Router setup

  • Attempt external penetration test

  • Recommend improvements to security

Security - Common Mistakes

How can I implement some of these suggestions?

• Review this Presentation again in your own time

• Think holistically about your security – don’t concentrate on just one area or tool

• Always think of three layers of security as a minimum, e.g.:

  • Router/Firewall (maybe not under your control)

  • Elastix® Firewall (under your control)

  • Fail2ban (under your control)

  • Complex passwords on Extensions (under your control)

Elastix Security - More info

Application Note releases and updates are posted on Twitter: @ElastixBob

Any Questions?