VoIP Study and Implementation Security Version 1.0 – Author : Marc PYBOURDIN / Julien BERTON...
VoIP Study and Implementation
Security
Version 1.0 – Author: Marc PYBOURDIN / Julien BERTON
Last updated: 19/02/2012
Course objectives
• Identify threats to your Asterisk installation
• Mitigate the risk of attacks
By completing this course, you will see:
Security overview
ASTERISK SECURITY THREATS
Asterisk Installation and Configuration – Part 1
What are Asterisk security threats?
• Phreaking
• Vishing
• Call tampering/DoS
• Spamming over Internet Telephony (SPIT)
• Eavesdropping
• Man-in-the-middle
Security
Phreaking
• An attacker steals service from a service provider, or uses the service while passing the cost on to another person
• Mitigation options
  – Strong user password policy
  – Automatic bans when there are too many authentication failures
    • Fail2Ban
Vishing
• Another word for VoIP phishing
  – Involves a party calling you, posing as a trustworthy organization and requesting confidential and often critical information.
• Mitigation options
  – Training of employees
  – Discarding of anonymous calls (too restrictive)
Call tampering/DoS
• Attacks whose main objective is to prevent legitimate users from placing or maintaining calls.
• Mitigation options
  – Firewalling
  – Fail2Ban
Fail2Ban
• A protection framework written in Python
  – Blocks brute-force and DoS attacks on several services
    • SSH, Postfix, Dovecot, Asterisk, …
  – Automatically reads log files and can take action when suspicious activity occurs
    • IP blocking (using iptables), sending mail (Whois reports, complaint messages)
  – Configuration files are located in the /etc/fail2ban directory
    • /etc/fail2ban/filter.d
      – Definition of log filters
    • /etc/fail2ban/action.d
      – Actions to be carried out
    • /etc/fail2ban/jail.conf
      – Link between filters and actions
Fail2Ban installation
• You can install Fail2Ban in two ways
  – From sources
    • Create the source directory and go into it
      – mkdir /usr/src/fail2ban && cd /usr/src/fail2ban
    • Download the package and extract it
      – wget -O fail2ban.tar https://github.com/fail2ban/fail2ban/tarball/sdist/0.8.5 && tar -xvf fail2ban.tar
    • Go into the source directory and install
      – cd fail2ban-fail2ban-4f733aa && python setup.py install
Fail2Ban installation
• You can install Fail2Ban in two ways
  – From packages
    • Debian
      – apt-get install fail2ban
    • Fedora
      – yum install fail2ban
• Before installing Fail2Ban, always ensure that iptables is installed on your system
• You can start Fail2Ban with the command
  – /etc/init.d/fail2ban start
Fail2Ban configuration
• Once Fail2Ban is installed, we have to create two elements
  – The filter element in /etc/fail2ban/asterisk.conf
    • Content of the file available in the slide comments
  – The action defined in /etc/fail2ban/jail.conf
      [asterisk-iptables]
      enabled = true
      filter = asterisk
      action = iptables-allports[name=ASTERISK, protocol=all]
               sendmail-whois[name=ASTERISK, dest=root, [email protected]]
      logpath = /var/log/asterisk/messages
      maxretry = 20
      # Ban for 10 days
      bantime = 864200
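How a jail like the one above turns log lines into a ban, as an added Python example (not Fail2Ban's own code and not the filter from the slide comments). The regular expression is an assumed pattern for chan_sip registration failures, the log lines are constructed, and findtime is assumed to be Fail2Ban's default of 600 seconds because the jail does not set it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed failregex modelled on chan_sip NOTICE lines; NOT the filter from the
# slide comments. Anchored with $ so the address is read from the text Asterisk
# appends, not from the caller-supplied From header.
FAILREGEX = re.compile(
    r"NOTICE\[\d+\].*: Registration from '.*' failed for "
    r"'(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found)$")
STAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

def banned_hosts(lines, maxretry=20, findtime=600):
    """Map each host that reaches maxretry failures within findtime seconds
    to the time of the failure that triggers the ban."""
    window, recent, bans = timedelta(seconds=findtime), defaultdict(deque), {}
    for line in lines:
        stamp, hit = STAMP.match(line), FAILREGEX.search(line.rstrip())
        if not (stamp and hit) or hit["host"] in bans:
            continue
        when = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
        seen = recent[hit["host"]]
        seen.append(when)
        while when - seen[0] > window:      # forget failures older than findtime
            seen.popleft()
        if len(seen) >= maxretry:
            bans[hit["host"]] = when
    return bans

def sample_log():
    """Constructed /var/log/asterisk/messages excerpt (documentation addresses)."""
    start = datetime(2012, 2, 19, 10, 0, 0)
    def fail(ip, offset):
        when = (start + timedelta(seconds=offset)).strftime("%Y-%m-%d %H:%M:%S")
        return (f"[{when}] NOTICE[2314] chan_sip.c: Registration from '\"100\" "
                f"<sip:100@pbx.supinfo.com>' failed for '{ip}:5060' - Wrong password")
    lines = [fail("198.51.100.7", 5 * i) for i in range(25)]        # rapid failures
    lines += [fail("192.0.2.44", 60 * i) for i in range(25)]        # misconfigured phone
    lines += [fail("203.0.113.9", 900 + 30 * i) for i in range(3)]  # user typo
    lines.append("[2012-02-19 10:20:00] NOTICE[2314] chan_sip.c: Peer '100' is now Reachable")
    return sorted(lines)

if __name__ == "__main__":
    for host, when in banned_hosts(sample_log()).items():
        print(f"ban {host} at {when}")
```

Only 198.51.100.7 is banned: failures count toward maxretry only while they fall inside one findtime window.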
Spamming over Internet Telephony (SPIT)
– Spam over VoIP
– Can take the form of commercial or strange calls
– Mitigation options
  • Employee training
  • Discarding of anonymous calls (too restrictive)
Eavesdropping/Man-in-the-middle
– Listening to calls by sniffing VoIP packets, or modifying call content
– Mitigation options
  • Encryption of call signaling and voice payload with Asterisk
Calls encryption
• Encryption and hashing are supported by Asterisk
  – Call signaling (SIP)
  – Call payload (SRTP)
• Requires several steps, including:
  – Compilation of Asterisk with libsrtp
  – Server/client certificate generation
  – Configuration for SIP & SRTP
Asterisk compilation with libsrtp
• You need to recompile Asterisk with the libsrtp libraries.
  – Download the file and uncompress it
    • cd /usr/src/ && wget http://srtp.sourceforge.net/srtp-1.4.2.tgz && tar -xvzf srtp-1.4.2.tgz
  – Compile and install it
    • cd srtp && ./configure CFLAGS=-fPIC --prefix=/usr && make && make install
Asterisk compilation with libsrtp
• You need to recompile Asterisk with the libsrtp libraries.
  – Recompile Asterisk and install it
    • cd /usr/src/asterisk/asterisk-10.2.1 && make clean && ./configure && make && make install
Server/Client certificate generation
• Create the Asterisk keys directory
  – mkdir /etc/asterisk/keys
• Generate the server certificates using the script in the /usr/src/asterisk/asterisk-10.2.1/contrib/scripts directory
  – ./ast_tls_cert -C pbx.supinfo.com -O "SUPINFO VoIP Services" -d /etc/asterisk/keys
Server/Client certificate generation
• Generate the client certificate using the script in the /usr/src/asterisk/contrib/scripts directory
  – ./ast_tls_cert -m client -c /etc/asterisk/keys/ca.crt -k /etc/asterisk/keys/ca.key -C phone1.pbx.supinfo.com -O "SUPINFO VoIP Services" -d /etc/asterisk/keys -o phone1
Configuration for SIP encryption
• In the /etc/asterisk/sip.conf file, add the following under the [general] context:
    tlsenable=yes
    tlsbindaddr=0.0.0.0
    tlscertfile=/etc/asterisk/keys/asterisk.pem
    tlscafile=/etc/asterisk/keys/ca.crt
    tlscipher=ALL
    tlsclientmethod=tlsv1
Configuration for SRTP encryption
• In the /etc/asterisk/users.conf file, add the following:
  – Inside an already configured user:
      [user]
      encryption=yes
      transport=tls
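A check of the two configuration steps above, as an added Python example (not part of the course or of Asterisk): it parses sip.conf and users.conf text and reports where signaling or media would still be exposed. The users.conf content and the users phone2 and phone3 are constructed, and unset options are assumed to default to encryption=no and transport=udp.

```python
def parse_sections(text):
    """Parse Asterisk-style config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)          # also accepts 'key => value'
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit(sip_conf, users_conf):
    """Return findings for the TLS and SRTP options shown on the slides."""
    findings = []
    general = parse_sections(sip_conf).get("general", {})
    if general.get("tlsenable", "no").lower() != "yes":
        findings.append("sip.conf: tlsenable is not yes, SIP signaling is cleartext")
    if general.get("tlscipher", "").upper() == "ALL":
        findings.append("sip.conf: tlscipher=ALL admits weak cipher suites too")
    for user, opts in parse_sections(users_conf).items():
        if user == "general":
            continue
        srtp = opts.get("encryption", "no").lower() == "yes"   # assumed default: no
        tls = opts.get("transport", "udp").lower() == "tls"    # assumed default: udp
        if not srtp:
            findings.append(f"users.conf [{user}]: encryption is not yes, media is plain RTP")
        elif not tls:
            findings.append(f"users.conf [{user}]: SRTP keys are carried in SIP, "
                            "so without transport=tls they are readable on the wire")
    return findings

# The slide's sip.conf lines, plus a constructed users.conf (phone2, phone3 are made up).
SIP_CONF = """[general]
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem
tlscafile=/etc/asterisk/keys/ca.crt
tlscipher=ALL
tlsclientmethod=tlsv1
"""
USERS_CONF = ("[phone1]\nencryption=yes\ntransport=tls\n"
              "[phone2]\nencryption=yes   ; transport left unset\n"
              "[phone3]\ntransport=tls\n")

if __name__ == "__main__":
    print("\n".join(audit(SIP_CONF, USERS_CONF)))
```

Replacing tlscipher=ALL with a restrictive OpenSSL cipher string such as HIGH:!aNULL:!MD5 (an illustrative value, not from the course) clears the first finding.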
Advanced networking
• When Asterisk is behind NAT (Network Address Translation), you need to configure port forwarding to your local Asterisk server:
  – For SIP
    • UDP 5060 by default
    • Can be changed in the configuration (/etc/asterisk/sip.conf)
      – port parameter under the [general] context
  – For RTP
    • 10000-20000 by default
    • Can be changed in the configuration (/etc/asterisk/rtp.conf)
      – rtpstart & rtpend parameters under the [general] context
Any questions?