
Securing your IP based Phone System

By Kevin Moroz VP Technology Snom Inc.

What are we trying to protect?
• Denial of Service – the phone system is down!
• Toll Fraud – a very large phone bill!
• Eavesdropping – someone listening to your calls.
• Call detail records exposed – who is calling you and who you are calling!
• Karma! – keeping everyone happy!
  – remote users, internal users, road warriors, finance, admins
  – system should be “set it and forget it”
  – moves, adds and changes SHOULD be the major activity

Denial of Service is Priority 1

• DoS attacks can take your whole system down.
  – nobody can call you and you can’t call anybody for help! Worst case scenario!
• If your phone system sits on a public IP address this is a very realistic scenario.
• Why be on a public IP address?
  – makes it very easy for remote users to connect from home and on the road from behind NAT’d devices, if the IPBX has this capability.
  – debatable whether this is the practical scenario for enterprises, but a must for service providers.

Intrusion Detection is a must!

• Need to automatically detect an attack and email the admin.

Intruder Alert! Automatic Email Notification

From: [email protected] [mailto:[email protected]]
Sent: Sunday, January 09, 2011 8:57 PM
To: [email protected]
Subject: My Company Name Goes here: Address 69.61.210.157 has been blacklisted
The IP address 69.96.218.157 has been blacklisted for 1440 minutes because there were 10 unsuccessful authentication attempts (sip).

From: [email protected] [mailto:[email protected]]
Sent: Sunday, January 09, 2011 8:57 PM
To: [email protected]
Subject: My Company Name Goes here: Address 70.96.218.17 has been blacklisted
The IP address 70.96.218.17 has been blacklisted for 1440 minutes because there were 10 unsuccessful authentication attempts (http).
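The detection behind those notifications, written out as an added example (not Snom’s code): count failed SIP/HTTP logins per source address, blacklist the address for 1440 minutes after 10 failures, and build the admin email. The log line format, the 10-minute counting window and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format for a failed login; the company name and the sample log lines are constructed.
FAIL_RE = re.compile(r"^(?P<ts>\S+ \S+) auth-fail (?P<svc>sip|http) from (?P<ip>[\d.]+)$")
MAX_FAILURES = 10                  # attempts before blacklisting (from the slide)
WINDOW = timedelta(minutes=10)     # assumed sliding window for counting attempts
BAN = timedelta(minutes=1440)      # 24 h, as in the notification emails

class AuthGuard:
    def __init__(self, company="My Company Name Goes here"):
        self.company = company
        self.failures = defaultdict(deque)   # (ip, service) -> timestamps of recent failures
        self.blacklist = {}                  # ip -> time the ban expires
        self.mails = []                      # notification bodies that would be emailed to the admin

    def is_blocked(self, ip, now):
        return ip in self.blacklist and now < self.blacklist[ip]

    def feed(self, line):
        """Consume one log line; return the notification text if this line triggers a blacklist."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, svc = m["ip"], m["svc"]
        if self.is_blocked(ip, ts):          # already dropped at the firewall; nothing to count
            return None
        recent = self.failures[(ip, svc)]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) < MAX_FAILURES:
            return None
        self.blacklist[ip] = ts + BAN        # a real PBX would also install a firewall drop rule here
        recent.clear()
        minutes = int(BAN.total_seconds() // 60)
        mail = (f"Subject: {self.company}: Address {ip} has been blacklisted\n"
                f"The IP address {ip} has been blacklisted for {minutes} minutes because there were {MAX_FAILURES} unsuccessful authentication attempts ({svc}).")
        self.mails.append(mail)
        return mail

def run_sample():
    guard = AuthGuard()
    lines = [f"2011-01-09 20:56:{i:02d} auth-fail sip from 203.0.113.5" for i in range(12)]  # constructed
    lines.insert(3, "2011-01-09 20:56:03 auth-fail http from 198.51.100.9")
    for line in lines:
        guard.feed(line)
    return guard
```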

Many programs on the Internet to “test” the system for vulnerabilities.

Friendly VoIP Scanner – not so friendly!
• scans the network with SIP packets.
• Once it gets a SIP response back like a 401 or a 404 it sends massive amounts of SIP packets to the IP address.
• Renders it useless since it is too busy processing all of the packets.
• Even if you have port forwarding the router will forward the calls and bog it down.
• Need something intelligent to figure out you are being attacked and to do something about it while maintaining the current call load.

SipVicious!
• test tool that can go rogue easily.
• test tools gone wild!

hackingvoip.com
• probably a good read to learn some torture tricks for an IPBX!
• Not a bad idea to test your system with some of these public tools.

More free “tools” available
• these tools make it easier for “newbies” to launch “DoS” attacks.

IPBX should monitor the CPU!
• If more than x% of the CPU is in use then don’t accept any more calls.
  – Send a 5xx message – Server Failure – with the reason code in the packet.
• Protects current calls so they are processed without any quality issues.
• New calls may not go through until a call is released or CPU is under the threshold.
• Send email alert!
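Call admission control along those lines, as an added example (not Snom’s implementation): new INVITEs get a 5xx reply carrying the reason once CPU use passes the threshold, calls already in progress are left alone, and one alert is raised per overload episode. The 80% threshold, the use of 503 (the 5xx code RFC 3261 reserves for overload) and the RFC 3326 Reason header are my choices; the CPU reading is passed in from whatever monitor the PBX has.

```python
from dataclasses import dataclass, field

@dataclass
class CallAdmission:
    cpu_threshold: float = 80.0                   # the slide's "x%"; the value is an assumption
    active_calls: set = field(default_factory=set)
    alerts: list = field(default_factory=list)    # texts that would be emailed to the admin
    overloaded: bool = False

    def overload_response(self, call_id, cpu, retry_after=30):
        """5xx 'Server Failure' class reply; the reason travels in a Reason header (RFC 3326)."""
        text = f"CPU load {cpu:.0f}% exceeds {self.cpu_threshold:.0f}% threshold"
        return ("SIP/2.0 503 Service Unavailable\r\n"
                f"Call-ID: {call_id}\r\n"
                f"Retry-After: {retry_after}\r\n"
                f'Reason: SIP ;cause=503 ;text="{text}"\r\n'
                "Content-Length: 0\r\n\r\n")

    def on_invite(self, call_id, cpu_percent):
        """Return None to let the INVITE proceed, or the 5xx reply to send instead."""
        if call_id in self.active_calls:          # re-INVITE on an established call: never cut it off
            return None
        if cpu_percent > self.cpu_threshold:
            if not self.overloaded:               # alert once per episode, not once per rejected call
                self.overloaded = True
                self.alerts.append(f"OVERLOAD: rejecting new calls at CPU {cpu_percent:.0f}%, "
                                   f"{len(self.active_calls)} calls still active")
            return self.overload_response(call_id, cpu_percent)
        self.overloaded = False                   # back under the threshold: admit calls again
        self.active_calls.add(call_id)
        return None

    def on_bye(self, call_id):
        """A released call frees capacity; nothing else to do, the next INVITE re-checks the CPU."""
        self.active_calls.discard(call_id)
```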

Different topologies
• IPBX has one network interface card (NIC) on a private address. Remote users VPN in.
  – not practical since not many phones support VPN natively yet, and the VPN endpoints are complex to set up.
  – OpenVPN is a good open source project.
• IPBX has one NIC on a private address with a SIP-aware router/session border controller installed.
• IPBX is on a public IP address and a private IP address.
  – make sure you’re running the latest OS and patches.
• IPBX is only on a public IP address
  – service providers

Need slide with picture of scenarios

Toll Fraud – Big business! Big Money

• VoIP Bandit – Got ’em! http://www.amw.com/fugitives/capture.cfm?id=49218&refresh=1
• Recent 12 million dollar case in Romania.
• Not

1st line of defense is the passwords!

• Most toll fraud is accomplished by guessing simple passwords. Extension 101 / password 101.

• This happened to one of my customers just last week. The ITSP cut them off at $250 since their usage spiked dramatically.

How to protect against toll fraud
• password management
• restrict Direct Inward Station Access (DISA) accounts or calling card type features.
• Put a rate table on the trunk and restrict the accounts.
• prepay or have the ITSP put limits on the accounts.

How can we train the users?
• Force them to use strong passwords?
  – How? Make sure the system forces them!

Difference between High and Medium Passwords

• Medium Security: the score must be 120 or higher
• High Security: the score must be 200 or higher

Admin needs to monitor passwords!

• The status screen indicates that the password is weak:
  – either it is the same as the username,
  – or it is easily guessable, e.g. 1234.

Prepay support

• ability to put a rate table in the PBX
• put a dollar amount on the extension or on the whole PBX.
• Once the balance is used up, no more external calls for that extension or system.
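A prepaid rate table of that kind, as an added example (not Snom’s PBX code): per-extension and system-wide dollar balances, a per-minute rate chosen by longest matching dialled prefix, a talk-time grant computed from whichever balance is lower, and a charge applied at call release. The prefixes, rates, 240-minute cap and sample balances are constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed rate table: price per minute keyed by dialled prefix; the longest matching prefix wins.
RATE_TABLE = {"1": Decimal("0.02"), "44": Decimal("0.05"), "882": Decimal("2.50")}
DEFAULT_RATE = Decimal("0.50")          # anything not in the table; assumed value
MAX_CALL_MINUTES = 240                  # hard cap on the talk time granted to one call

def rate_for(number):
    digits = number.lstrip("+")
    for n in range(len(digits), 0, -1):
        if digits[:n] in RATE_TABLE:
            return RATE_TABLE[digits[:n]]
    return DEFAULT_RATE

@dataclass
class PrepaidPbx:
    system_balance: Decimal                          # dollar amount on the whole PBX
    extensions: dict = field(default_factory=dict)   # ext -> remaining dollar amount on that extension

    def authorize(self, ext, number):
        """Whole minutes the call may last given both balances; 0 means reject the call (e.g. 403)."""
        rate = rate_for(number)
        credit = min(self.system_balance, self.extensions.get(ext, Decimal(0)))
        if credit <= 0:
            return 0
        return min(int(credit / rate), MAX_CALL_MINUTES)

    def settle(self, ext, number, seconds):
        """Deduct the cost at release; billed per started minute, never letting a balance go negative."""
        cost = rate_for(number) * ((seconds + 59) // 60)
        self.extensions[ext] = max(Decimal(0), self.extensions[ext] - cost)
        self.system_balance = max(Decimal(0), self.system_balance - cost)
        return cost

def sample_pbx(system_balance="10.00"):
    # Constructed setup: extension 101 has $1.00 of credit, extension 102 is exhausted.
    return PrepaidPbx(Decimal(system_balance), {"101": Decimal("1.00"), "102": Decimal("0.00")})
```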


Protecting the conversation!
• Probably the easiest, since it is not a new problem to solve, i.e. HTTPS.
• Probably the hardest to implement – certificates, keys, encryption, VPNs

Number of SRTP implementations