Elastix SIP FIREWALL

29
High Performance SIP Security with Elastix SIP Firewall Juan Oliva @jroliva

Transcript of Elastix SIP FIREWALL

Page 1: Elastix SIP FIREWALL

High Performance SIP Security with

Elastix SIP Firewall Juan Oliva @jroliva

Page 2: Elastix SIP FIREWALL

who I am @jroliva

Bio

Pentester - Proyectos de Ethical Hacking Consultor de soluciones de VoIP, especialmente las enfocadas en seguridad Miembro comité académico de Elastix Instructor para los cursos Elastix Certified Engineer y Elastix Security Master Technical writer : Papper “Seguridad en Implementaciones de Voz Sobre IP” Libro “Implementando Elastix SIP Firewall”

Page 3: Elastix SIP FIREWALL

Realidad Actual …..

l Cómo protegemos actualmente las PBX ?

Page 4: Elastix SIP FIREWALL

Realidad Actual …..

l Opción 1 : En la misma plataforma

FAIL2BAN Firewall APF

SIPCheck2 IPTABLES

Page 5: Elastix SIP FIREWALL

Realidad Actual …..

l En la misma plataforma... ?

l Para eso necesito a un GEEK

Page 6: Elastix SIP FIREWALL

Realidad Actual …..

l Opción 2: En el Perímetro

l Pero el Firewall no protege nada

Page 7: Elastix SIP FIREWALL

Qué hacemos para gestionar la seguridad en la PBX ??

Page 8: Elastix SIP FIREWALL

Elastix SIP Firewall

Page 9: Elastix SIP FIREWALL

Qué es ?Es un equipo de frontera o perimetral para ser instalado sobre una IP PBX.

El SIP Firewall es dispositivo totalmente agnóstico a la red donde esté posicionado el servidor IP PBX , ya que funciona en modalidad mirror.

De tal forma que no es necesario realizar ninguna configuración del lado de la central IP PBX

Elastix SIP Firewall

Page 10: Elastix SIP FIREWALL

Como funciona ?Dentro sus principales funcionalidades:

- Bloquea IPs específicas o países y - Protección de los ataques mas importantes a plataformas VoIP- Previene ataques de denegación de servicio.

Elastix SIP Firewall

Page 11: Elastix SIP FIREWALL

Cómo trabaja internamente ?Cuenta con un motor de inspección de paquetes en tiempo real (DPI) basado en SNORT.

El SIP Firewall analiza cada paquete SIP que va hacia el sistema, identifica aquellos que son maliciosos o anormales, bloqueando la IP de origen.

Elastix SIP Firewall

Page 12: Elastix SIP FIREWALL

Vídeo:

Elastix SIP Firewall

Page 13: Elastix SIP FIREWALL

Elastix SIP FirewallFuncionalidades más resaltantes

Page 14: Elastix SIP FIREWALL

Elastix SIP Fiewall

Security Settings - SIP Attacks Detection

Page 15: Elastix SIP FIREWALL

Elastix SIP Fiewall

Security Settings - SIP Protocols Compilance

Page 16: Elastix SIP FIREWALL

Elastix SIP Firewall

Security Settings - Firewall Rules

Page 17: Elastix SIP FIREWALL

Elastix SIP Firewall

Security Settings - Firewall Settings

Page 18: Elastix SIP FIREWALL

Elastix SIP Firewall

Security Settings -

Writelist IP AddressesBlacklist IP AddressesDynamic IP Addresses

Page 19: Elastix SIP FIREWALL

Elastix SIP Firewall

Security Alerts

Page 20: Elastix SIP FIREWALL

Elastix SIP Firewall

Security Settings - Geo IP Filters

Page 21: Elastix SIP FIREWALL

Elastix SIP FirewallCómo lo instalo en mi red ?

Page 22: Elastix SIP FIREWALL

Elastix SIP Firewall

Cuando la PBX está en la red LAN (1)

Page 23: Elastix SIP FIREWALL

Elastix SIP Firewall

Cuando la PBX está en la red LAN (1)

Page 24: Elastix SIP FIREWALL

Elastix SIP Firewall

Cuando la PBX convive con la red LAN y WAN(1)

Page 25: Elastix SIP FIREWALL

Elastix SIP FirewallCuando la PBX convive con la red LAN y WAN(2)

Page 26: Elastix SIP FIREWALL

Elastix SIP Firewall

Cuando protege un conjunto de PBX IP

Page 27: Elastix SIP FIREWALL

DEMOElastix SIP FirewallMonitoreo y protección en tiempo real

Page 28: Elastix SIP FIREWALL

Elastix SIP Firewall

Ventajas:l Equipo especializado para seguridad VoIP.l Configuración 0 del lado de la PBXl Posibilidad de tener un solo equipo para proteger varias PBX.l Bloqueo en modo pro-activo.l Actualización constante de reglas ante aparición de nuevas

amenazas.l Diversos tipos de alertas, syslog externo, email

Page 29: Elastix SIP FIREWALL

Preguntas ?

Juan [email protected]

@jroliva


SIP Carrier 2 IX78 ADSL SIP FW CDR (MOS) QoS IP-Centrex – First phase Billing / User db ITSP Servers SIP Carrier 1 Ingate SBC Firewall Internet FENT CDR.

SIP Carrier 2 IX78 ADSL SIP FW CDR (MOS) QoS IP-Centrex – First phase Billing / User db ITSP Servers SIP Carrier 1 Ingate SBC Firewall Internet FENT CDR.

Elastix installation

Elastix installation

SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.

SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.

Elastix Easy.pdf

Elastix Easy.pdf

Kamailio - SIP Firewall for Carrier Grade Traffic

Kamailio - SIP Firewall for Carrier Grade Traffic

Intertex Data AB, Sweden Firewall and NAT Traversal Bringing SIP the LAN Prepared for:International SIP 2003 By: Karl Erik Ståhl President Intertex Data.

Intertex Data AB, Sweden Firewall and NAT Traversal Bringing SIP the LAN Prepared for:International SIP 2003 By: Karl Erik Ståhl President Intertex Data.

Manual Elastix

Manual Elastix

Elastix PBX - How to interconnect with Elastix PBX? · For the setting of the trunk between the 2N® VoiceBlue Next and your Elastix PBX, you need to configure “SIP proxy (GSM→IP)”

Elastix PBX - How to interconnect with Elastix PBX? · For the setting of the trunk between the 2N® VoiceBlue Next and your Elastix PBX, you need to configure “SIP proxy (GSM→IP)”

SIP Trunking with Elastix

SIP Trunking with Elastix

Firewall Setup and NAT Configuration Guide for H.323 / … · Firewall Setup and NAT Configuration Guide for H.323 / SIP Room Systems - 2 How to setup Firewall and NAT to work with

Firewall Setup and NAT Configuration Guide for H.323 / … · Firewall Setup and NAT Configuration Guide for H.323 / SIP Room Systems - 2 How to setup Firewall and NAT to work with

SIP Firewall

SIP Firewall

Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix

Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix Elastix

Elastix HA Cluster

Elastix HA Cluster

SurfinBird Firewall IX78 Router INTERNET GATE · • System log, Firewall log and SIP log Context Help ADSL PBX IMS To use these applications generally your Firewall and NAT router

SurfinBird Firewall IX78 Router INTERNET GATE · • System log, Firewall log and SIP log Context Help ADSL PBX IMS To use these applications generally your Firewall and NAT router

Documentation of Elastix (English Version) Elastix 0.9-alpha For ...

Documentation of Elastix (English Version) Elastix 0.9-alpha For ...

ELASTIX EASY - Asterisk – VoIP – Redes – Telefoniaflexpabx.com.br/asterisk/Elastix Easy.pdf · ELastix Easy For ELastix 2.x and Freepbx 2.x by Haamed Kouhfallah حلافهوك

ELASTIX EASY - Asterisk – VoIP – Redes – Telefoniaflexpabx.com.br/asterisk/Elastix Easy.pdf · ELastix Easy For ELastix 2.x and Freepbx 2.x by Haamed Kouhfallah حلافهوك

Atcom MP01 and Elastix Server · 2018. 11. 6. · Atcom MP01 and Elastix Server Setup Guide 7 Configuring Atcom MP01 Only one MP01 must be configured with a SIP Trunk to register

Atcom MP01 and Elastix Server · 2018. 11. 6. · Atcom MP01 and Elastix Server Setup Guide 7 Configuring Atcom MP01 Only one MP01 must be configured with a SIP Trunk to register

VoIPon sales@voipon.co.uk Tel: +44 (0 ... · This Quick Start Guide describes the steps involved in setting up the Elastix SIP Firewall Appliance. It comes with 1 fast Ethernet LAN

VoIPon [email protected] Tel: +44 (0 ... · This Quick Start Guide describes the steps involved in setting up the Elastix SIP Firewall Appliance. It comes with 1 fast Ethernet LAN

How to connect Elastix to MyPBX via SIP · PDF filePBX Option Unembedded freePBX Figure 1-6 ... How to connect Elastix to MyPBX via SIP Trunking 17/21 3.2 Elastix Configuration In

How to connect Elastix to MyPBX via SIP · PDF filePBX Option Unembedded freePBX Figure 1-6 ... How to connect Elastix to MyPBX via SIP Trunking 17/21 3.2 Elastix Configuration In

Wireless, Routing, QoS, Firewall, The Dude - MikroTikmum.mikrotik.com/presentations/TR15/presentation_2649_1444241932.pdf · Ubiquiti Certified Trainer elastiX Certified Trainer Being

Wireless, Routing, QoS, Firewall, The Dude - MikroTikmum.mikrotik.com/presentations/TR15/presentation_2649_1444241932.pdf · Ubiquiti Certified Trainer elastiX Certified Trainer Being