Combining an External pfSense firewall with AskoziaPBX - webinar 2016, English

Post on 16-Apr-2017


Your Hosts

Markus Ehlers, Benjamin-Nicola Lüken

Why a Firewall?

Agenda

• Introduction
• Why a Firewall
• How to configure pfSense
• Questions

Secure Passwords

• Digits, letters and special characters
• Minimum: 8 characters
• No words

adminpassword

000012344321

askoziaaizoksa

8C+inL6B}4_kQu3F6b?!1Q_ct!88_u7V.dLN

1@i+yY{L97Km

• DDoS attacks
  • System becomes slow
  • Registration not possible anymore
• Brute-Force attacks
  • Different passwords are tested until the account is hacked and misused

Why a Firewall?

Why a Firewall? Testing incoming numbers

Why a Firewall?

…
NOTICE[2540]: chan_sip.c:26430 in handle_request_register: Registration from '"13796" <sip:13796@80.242.239.124:5060>' failed for '212.83.257.8:5097' - No matching peer found
NOTICE[2540]: chan_sip.c:26430 in handle_request_register: Registration from '"13797" <sip:13797@80.242.239.124:5060>' failed for '212.83.257.8:5097' - No matching peer found
NOTICE[2540]: chan_sip.c:26430 in handle_request_register: Registration from '"13798" <sip:13798@80.242.239.124:5060>' failed for '212.83.257.8:5097' - No matching peer found
NOTICE[2540]: chan_sip.c:26430 in handle_request_register: Registration from '"13799" <sip:13799@80.242.239.124:5060>' failed for '212.83.257.8:5097' - No matching peer found
NOTICE[2540]: chan_sip.c:26430 in handle_request_register: Registration from '"13800" <sip:13800@80.242.239.124:5060>' failed for '212.83.257.8:5097' - No matching peer found
NOTICE[2540]: chan_sip.c:26430 in handle_request_register: Registration from '"13801" <sip:13801@80.242.239.124:5060>' failed for '212.83.257.8:5097' - No matching peer found
…

SIP Brute-Force attacks

Why a Firewall?

…
dropbear[19696]: Bad password attempt for 'root' from 61.174.251.226:37142
dropbear[19696]: Bad password attempt for 'root' from 61.174.251.226:37142
dropbear[19696]: Bad password attempt for 'root' from 61.174.251.226:37142
dropbear[19696]: Bad password attempt for 'root' from 61.174.251.226:37142
dropbear[19696]: Exit before auth (user 'root', 10 fails): Max auth tries reached - user 'root' from 61.174.251.226:37142
dropbear[19713]: Child connection from 61.174.251.226:41271
dropbear[19713]: Bad password attempt for 'root' from 61.174.251.226:41271
dropbear[19713]: Bad password attempt for 'root' from 61.174.251.226:41271
dropbear[19713]: Bad password attempt for 'root' from 61.174.251.226:41271
dropbear[19713]: Bad password attempt for 'root' from 61.174.251.226:41271
dropbear[19713]: Bad password attempt for 'root' from 61.174.251.226:41271
…

SSH attacks

Why a Firewall? What can happen?

• High phone bills
• System gets “taken over”
• Passwords get sold (such as for provider & e-mail accounts)
• PBX is used for "free" phone calls
• Call-through and fax devices are used for scams
• System is used as a spam distributor
• Calls get recorded (espionage)
• Trojans/viruses get installed
• Additional IT systems become infected (internal network)
• Loss of face in front of your customer

Why a Firewall? Solution

• Blocking ports by means of a global firewall
• Port forwarding is dangerous and not necessary!
• Using NAT-Firewall
• Activating Askozia firewall
• Blocking ports for the internet
• Using Fail2Ban
  • IP is blocked automatically after n tries
  • Attacks are effectively prevented
• Using VPN
  • Calls are encrypted
  • No audio problems
• A poorly configured firewall is as good as no firewall.
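The Fail2Ban rule from the slide above (block an IP after n failed tries), applied to the two log formats shown earlier, as an added example that is not part of the original slides and not Fail2Ban's own code. The parameters `max_retry` and `find_time` mirror Fail2Ban's `maxretry` and `findtime` options; the timestamps and sample addresses are constructed, since the log excerpts on the slides carry no timestamps.

```python
import re
from collections import defaultdict

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Greedy ".*": the SIP From header and the SSH user name are chosen by the
# sender, so match the LAST address field, which the daemon itself writes.
PATTERNS = {
    "sip": re.compile(r"Registration from '.*' failed for '" + IP + r":\d+' - "),
    "ssh": re.compile(r"dropbear\[\d+\]: Bad password attempt for '.*' from "
                      + IP + r":\d+\s*$"),
}

def failed_login(line):
    """Return (service, source_ip) for a failed-login line, else None."""
    for service, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return service, m.group("ip")   # port dropped: it changes per connection
    return None

def find_offenders(events, max_retry=3, find_time=600):
    """events: (unix_time, log_line) pairs, oldest first. Returns offending (service, ip)."""
    recent = defaultdict(list)
    offenders = set()
    for ts, line in events:
        key = failed_login(line)
        if key is None:
            continue
        # Sliding window: keep only failures newer than find_time seconds.
        recent[key] = [t for t in recent[key] if ts - t < find_time] + [ts]
        if len(recent[key]) >= max_retry:
            offenders.add(key)
    return offenders

# Constructed sample input (documentation address ranges, invented timestamps).
SIP = ("NOTICE[2540]: chan_sip.c:26430 in handle_request_register: Registration from "
       "'\"{ext}\" <sip:{ext}@192.0.2.10:5060>' failed for '{src}' - No matching peer found")
SSH = "dropbear[19696]: Bad password attempt for 'root' from {src}"
SAMPLE = [
    (0, SIP.format(ext=13796, src="203.0.113.7:5097")),
    (1, SIP.format(ext=13797, src="203.0.113.7:5097")),
    (2, SIP.format(ext=13798, src="203.0.113.7:5097")),
    (5, SSH.format(src="198.51.100.23:37142")),
    (6, SSH.format(src="198.51.100.23:37142")),
    (9, SSH.format(src="198.51.100.23:41271")),    # new connection, new port
    (10, SSH.format(src="192.0.2.44:50000")),      # single mistyped password
    (20, SIP.format(ext=21, src="192.0.2.50:5060")),
    (900, SIP.format(ext=21, src="192.0.2.50:5060")),   # failures far apart
]
print(sorted(find_offenders(SAMPLE)))
```

The two scanning sources are flagged; the single mistyped password and the two widely spaced failures are not.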

[Figure, built up over four slides: the OSI layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) with the protocol labels SIP, IP and MAC and the device labels Layer 2 (Switch), Layer 3 (Routing), SIP-ALG / SIP-Proxy and Deep Packet Inspection. Address labels on the last slide: Network IP e.g. 216.123.123.123; SIP IP e.g. 192.168.1.5]

Firewall configuration: Doubled NAT

[Diagram labels: Router (DHCP); Firewall (DHCP); NAT IPv4 172.0.0.x; Internet; Public IP 216.123.123.123; LAN; NAT IPv4 192.168.1.x; SIP-Server, SIP-Gateway (Provider); 192.168.1.5; 216.123.123.123]

Firewall configuration: Doubled NAT

[Diagram labels: Router (DSL-Mode); Firewall (DHCP-Server); PPPoE 216.123.123.123; Internet; Public IP 216.123.123.123; LAN; NAT IPv4 192.168.1.x; SIP-Server, SIP-Gateway (Provider); 192.168.1.5; 216.123.123.123]

Firewall configuration: pfSense

• System > Advanced > Firewall/NAT
• Firewall Optimization Options -> Conservative
  • UDP timeouts result in connection losses and missing SIP registration
• Disable firewall scrub
  • Could result in packet loss on some network cards
• Firewall rules for WAN
  • Add SIP provider as an alias
  • Allow all connections from that added alias

Questions? Time to wake up!

markus.ehlers@askozia.com