[asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Muro, Sam
Hi there

Consider this. You have three SIP extensions, 200, 201 and 202, and you have
configured your phones, say Polycom 331, to those accounts. 200 being one
very sensitive individual.

Let's say an insider gets a new phone, or perhaps an X-Lite, and configures it
with the same extension, 200. Asterisk will register it as 200 to the new
IP address. Now extension 202 calls 200. The hacker answers it and pretends
to be the same person, does what he wants to do, and that's it.

Question:
How can I stop this type of threat?

Regards
Peter

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
   http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Terry Wilson
- Original Message -
 From: Sam Muro resea...@businesstz.com
 To: asterisk-users@lists.digium.com
 Sent: Friday, October 14, 2011 2:02:01 AM
 Subject: [asterisk-users] Asterisk Security: Allow only one phone per sip 
 registration
 Hi there
 
 Consider this. You have three SIP extensions, 200, 201 and 202, and you have
 configured your phones, say Polycom 331, to those accounts. 200 being one
 very sensitive individual.
 
 Let's say an insider gets a new phone, or perhaps an X-Lite, and configures it
 with the same extension, 200. Asterisk will register it as 200 to the new
 IP address. Now extension 202 calls 200. The hacker answers it and pretends
 to be the same person, does what he wants to do, and that's it.
 
 Question:
 How can I stop this type of threat?

I would recommend actually setting a different secret field in sip.conf for 
each device so that your would-be attacker isn't able to register as someone 
else. Or you could buy a gun. I bet the insider would be very afraid of the gun 
and would therefore avoid any shenanigans while you were around. This would 
especially be true if you randomly shot items like coffee cups and plants 
whenever you thought they were looking at you funny. That'll show 'em.

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Muro, Sam
Terry Wilson wrote:
 - Original Message -
 From: Sam Muro resea...@businesstz.com
 To: asterisk-users@lists.digium.com
 Sent: Friday, October 14, 2011 2:02:01 AM
 Subject: [asterisk-users] Asterisk Security: Allow only one phone per
 sip registration
 Hi there

 Consider this. You have three SIP extensions, 200, 201 and 202, and you have
 configured your phones, say Polycom 331, to those accounts. 200 being one
 very sensitive individual.

 Let's say an insider gets a new phone, or perhaps an X-Lite, and configures it
 with the same extension, 200. Asterisk will register it as 200 to the new
 IP address. Now extension 202 calls 200. The hacker answers it and pretends
 to be the same person, does what he wants to do, and that's it.

 Question:
 How can I stop this type of threat?

 I would recommend actually setting a different secret field in sip.conf
 for each device so that your would-be attacker isn't able to register as
 someone else.

Is there a way one can bind a SIP account to a specific MAC address (assume on
the same subnet)? In this way, even if you know the username/secret, you
will still have to use the same physical phone, unless you play with the
MAC address.

 Or you could buy a gun. I bet the insider would be very
 afraid of the gun and would therefore avoid any shenanigans while you were
 around. This would especially be true if you randomly shot items like
 coffee cups and plants whenever you thought they were looking at you
 funny. That'll show 'em.

Lol! Here they will name you a terrorist.


Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Hans Witvliet
On Fri, 2011-10-14 at 10:02 +0300, Muro, Sam wrote:
 Hi there
 
 Consider this. You have three SIP extensions, 200, 201 and 202, and you have
 configured your phones, say Polycom 331, to those accounts. 200 being one
 very sensitive individual.
 
 Let's say an insider gets a new phone, or perhaps an X-Lite, and configures it
 with the same extension, 200. Asterisk will register it as 200 to the new
 IP address. Now extension 202 calls 200. The hacker answers it and pretends
 to be the same person, does what he wants to do, and that's it.
 
 Question:
 How can I stop this type of threat?
 
 Regards
 Peter
 
Perhaps use secrets?
AFAICR the secrets you have to provide for hardphones and softphones are
read-only.
If you avoid something like "secret" or "welcome" or the involved
hostname, but instead use a 15-character generated password, he'll have a
long time trying all the possibilities. And use different passwords for each
phone.

hw

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Terry Wilson

 Is there a way one can bind a SIP account to a specific MAC address (assume on
 the same subnet)? In this way, even if you know the username/secret, you
 will still have to use the same physical phone, unless you play with the
 MAC address.

No. And mac addresses are easily spoofed so it would not help. Use passwords. 
Keep them safe.

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Muro, Sam

Terry Wilson wrote:

 Is there a way one can bind a SIP account to a specific MAC address (assume on
 the same subnet)? In this way, even if you know the username/secret, you
 will still have to use the same physical phone, unless you play with the
 MAC address.

 No. And MAC addresses are easily spoofed so it would not help. Use
 passwords. Keep them safe.

Thanks. Let me see how best I can complicate them per phone. Oops, 1000
SIP phones.

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Terry Wilson
 Thanks. Let me see how best I can complicate them per phone. Oops, 1000
 SIP phones.

If it were me, I would look into Asterisk Realtime for handling the SIP phones. 
I would then write a script to generate the configs for the phones into the SIP 
realtime database with random passwords. Match up the phones with the accounts 
and provision the phones. You would most likely use a provisioning server of 
some kind to generate the actual phone configurations. You can check out the 
res_phoneprov module in Asterisk, find another one somewhere, or write your 
own. Many people tend to write their own for large installations. I did.

If you have a big installation like this and are wondering about things like 
whether mac addresses should be used for security, it might also be a good idea 
to hire a consultant. Check out the asterisk-biz mailing list.

Terry
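Added example, not code from the thread, from Asterisk or from res_phoneprov: it does in Python what Terry suggests above (a script that generates the phone configs with random passwords) and what Hans suggested earlier (long generated secrets, different for each phone), and it adds the check a defender would want to run on an existing sip.conf: an audit that flags the weak patterns named in the thread, namely short secrets, the extension number or words like "welcome" or the hostname used as the secret, and one secret shared across several phones. The sample config, the peer section keys and the hostname placeholder are assumptions made for the example; the peer-to-secret mapping it returns is what a provisioning step would push to each phone.

```python
import re
import secrets
import string

# Constructed sample sip.conf for this example (not from the thread): three
# peers with exactly the kind of secrets the thread warns against.
WEAK_CONF = """
[general]
context=default

[200]
type=friend
secret=200
host=dynamic

[201]
type=friend
secret=welcome
host=dynamic

[202]
type=friend
secret=welcome
host=dynamic
"""

ALPHABET = string.ascii_letters + string.digits


def generate_secret(length=20):
    """Random alphanumeric secret drawn from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def peer_section(name, secret, context="internal"):
    """Render one chan_sip peer section (keys type, secret, host, context)."""
    return f"[{name}]\ntype=friend\nsecret={secret}\nhost=dynamic\ncontext={context}\n"


def generate_sip_conf(names, length=20):
    """Return (sip.conf text, {peer: secret}) with a distinct random secret per peer.
    The mapping is what a provisioning step would push to the matching phone."""
    mapping = {name: generate_secret(length) for name in names}
    body = "[general]\ncontext=default\n\n"
    body += "\n".join(peer_section(n, s) for n, s in mapping.items())
    return body, mapping


def parse_sip_conf(text):
    """Minimal parser: [section] headers and key=value lines; ';' comments ignored."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def audit_secrets(sections, hostname="pbx.example.invalid", min_length=15):
    """Flag peers whose secret is missing, short, guessable or shared with another peer.
    Returns {peer: [finding, ...]} for peers that have findings; empty dict when clean.
    The hostname default is a placeholder; pass the PBX's real name."""
    guessable = {"secret", "welcome", "password", hostname.lower()}
    seen = {}  # secret -> first peer that used it
    findings = {}
    for name, opts in sections.items():
        if name == "general":
            continue
        problems = []
        secret = opts.get("secret")
        if secret is None:
            problems.append("no secret")
        else:
            if len(secret) < min_length:
                problems.append("short")
            if secret.lower() in guessable or secret == name:
                problems.append("guessable")
            if secret in seen:
                problems.append(f"shared with {seen[secret]}")
            else:
                seen[secret] = name
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    print("weak config:", audit_secrets(parse_sip_conf(WEAK_CONF)))
    conf, _ = generate_sip_conf(["200", "201", "202"])
    print("generated config:", audit_secrets(parse_sip_conf(conf)))
```

Run the audit against a real file with `audit_secrets(parse_sip_conf(open("sip.conf").read()), hostname="your-pbx-name")`; an empty result means every peer has its own long secret. The generated file still lets any device that knows the secret register from any address, which is the property the thread is discussing; where phones sit on fixed subnets, chan_sip's per-peer `permit`/`deny` ACL options are the nearest real equivalent to the MAC binding asked about, and they complement rather than replace the per-phone secret.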

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Muro, Sam
Thanks Terry!
Let me think of all the possibilities and I shall holla. Can you be one?


Terry Wilson wrote:
 Thanks. Let me see how best I can complicate them per phone. Oops, 1000
 SIP phones.

 If it were me, I would look into Asterisk Realtime for handling the SIP
 phones. I would then write a script to generate the configs for the phones
 into the SIP realtime database with random passwords. Match up the phones
 with the accounts and provision the phones. You would most likely use a
 provisioning server of some kind to generate the actual phone
 configurations. You can check out the res_phoneprov module in Asterisk,
 find another one somewhere, or write your own. Many people tend to write
 their own for large installations. I did.

 If you have a big installation like this and are wondering about things
 like whether mac addresses should be used for security, it might also be a
 good idea to hire a consultant. Check out the asterisk-biz mailing list.

 Terry

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread A J Stiles
On Friday 14 October 2011, Muro, Sam wrote:
 Hi there
 
 Consider this. You have three SIP extensions, 200, 201 and 202, and you have
 configured your phones, say Polycom 331, to those accounts. 200 being one
 very sensitive individual.
 
 Let's say an insider gets a new phone, or perhaps an X-Lite, and configures it
 with the same extension, 200. Asterisk will register it as 200 to the new
 IP address. Now extension 202 calls 200. The hacker answers it and pretends
 to be the same person, does what he wants to do, and that's it.
 
 Question:
 How can I stop this type of threat?

Be careful who you employ and how you treat them :)

Once someone has physical access to your equipment, all bets are off.

-- 
AJS

Answers come *after* questions.

Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Alex Vishnev
The best way to handle a large SIP client base is to use a provisioning interface.
Even though you can create configuration files and serve them with
Asterisk plus extensions, you need to consider the security aspects of this approach as
well. Using TFTP or similar simple protocols to serve config files works on a LAN, but
does not scale for large installs (my opinion). HTTP is a better choice, but
then all the information is passed in the clear. HTTPS is obviously a better choice
with SSL, but if your devices can't handle SSL it will become a problem. A good
solution is to provide a mix depending on your SIP client capabilities.

In the configuration you can supply the password/secret, as others recommend, and any other
device-specific configuration (i.e. preferred codec, DNS, etc.); it really
becomes a powerful tool. You also need to have management capabilities to
generate and update your configuration profile either for individual devices
(i.e. change a user's secret) or in bulk (change DNS servers or proxy on 1000
SIP clients at once). SIP clients will also need to have the capability to poll
for this configuration on reboot or at regular poll intervals. If you are doing
that on a poll interval, don't make the interval too short (i.e. minutes).
I would say 3-4 times a day is a good starting point. If your network is pretty
static and not much information changes you can even make it 1-2 times a day and
experiment with your network load.

On Oct 14, 2011, at 7:09 AM, A J Stiles wrote:

 On Friday 14 October 2011, Muro, Sam wrote:
 Hi there
 
 Consider this. You have three SIP extensions, 200, 201 and 202, and you have
 configured your phones, say Polycom 331, to those accounts. 200 being one
 very sensitive individual.
 
 Let's say an insider gets a new phone, or perhaps an X-Lite, and configures it
 with the same extension, 200. Asterisk will register it as 200 to the new
 IP address. Now extension 202 calls 200. The hacker answers it and pretends
 to be the same person, does what he wants to do, and that's it.
 
 Question:
 How can I stop this type of threat?
 
 Be careful who you employ and how you treat them :)
 
 Once someone has physical access to your equipment, all bets are off.
 
 -- 
 AJS
 
 Answers come *after* questions.
 
Re: [asterisk-users] Asterisk Security: Allow only one phone per sip registration

2011-10-14 Thread Muro, Sam
Thanks, A.J.

I know, and I can assure you no one will get that physical access to the
system.

A J Stiles wrote:
 On Friday 14 October 2011, Muro, Sam wrote:
 Hi there

 Consider this. You have three SIP extensions, 200, 201 and 202, and you have
 configured your phones, say Polycom 331, to those accounts. 200 being one
 very sensitive individual.

 Let's say an insider gets a new phone, or perhaps an X-Lite, and configures it
 with the same extension, 200. Asterisk will register it as 200 to the new
 IP address. Now extension 202 calls 200. The hacker answers it and pretends
 to be the same person, does what he wants to do, and that's it.

 Question:
 How can I stop this type of threat?

 Be careful who you employ and how you treat them :)

 Once someone has physical access to your equipment, all bets are off.

 --
 AJS

 Answers come *after* questions.
