[asterisk-users] Anonymous SIP calls

[Michelle Dupuis]

To answer your first question, what you refer to as the PSTN is also quite dangerous.  There is a lot of fraud going on over analog lines - usually hackers try to find an outside line by calling in to a PBX and trying lots of digits.  or, in some cases fooling a naive user to forward them to an outside line (claiming to be Bell), etc.  As for VoIP, even a beginner can try 100000 PBX's with 100000 dialout codes in a matter of hours.  So because it's easier it becomes more popular.  (There was a an article in the Globe and Mail a few years ago about this - one Toronto company lost a lot of money because someone called in saying it was Bell Canada and their receptionist forward the technician to a "diagnostic number"...which was 9XXXXX and surprise they got an outside line).  Since' you're in Hamilton I figure this might ring a bell...:)

A lot of the value from what you refer to as the PSTN is really just a bridging point, and a massive directory (i.e. phone numbers).  But their role is changing and someday they may be little more than the equivalent of root DNS servers.  But for now they are still the major interconnect for ITSP's to legacy/TDM customers.

As for security and using fail2ban, I hope you read this:
http://forums.asterisk.org/viewtopic.php?p=159984
Fail2ban is not really security...but it's certainly better than nothing.

What you might be missing is that VoIP is the wild west of fraud.  It's easy, and there are lots of holes in SIP, Asterisk, FreePBX, etc!  Do a search on FreePBX security flaws and you'll find that hackers discovered a massive hole last summer exposing systems to toll fraud.  This is big business for hackers and a single breach can earn them $10,000 to $100,000 (or more) -not bad for 1 day of work, and you the SIP customer are on the hook for that bill.  Major ITSP are not likely to forgive your bill just because you got hacked.  It's your responsibility to secure your system.  And if you haven't you might get a whopper of a bill.

There are working groups, industry groups, etc. dedicated to VoIP security.  They exist for a reason - this is a HUGE problem.  It's easy to get over confident and a mistep in security can cost you your job and your company a small fortune.


________________________________________
From: James B. Byrne <byrnejb at harte-lyne.ca>
Sent: Friday, March 27, 2015 4:03 PM
To: Michelle Dupuis
Cc: Asterisk Users List; byrnejb at harte-lyne.ca
Subject: RE: [asterisk-users] Anonymous SIP calls

On Thu, March 26, 2015 22:29, Michelle Dupuis wrote:
> You have to consider whether you really want "anonymous" calls, or you
> just want to enable SIP calls from trusted companies/partners.  The
> latter means setting up routes to these companies and (ideally)
> registration between peers.
>

This is what I am trying to get a handle on.  It seemed to me that the
promise of VOIP was essentially that one could use the Internet as a
replacement for the PSTN directly, providing that ones callers/callees
were also directly connected via VOIP.  SIP providers I had considered
a necessary transition to act as gateways between PSTN dialing and
VOIP until VOIP replaced PSTN virtually entirely if not completely.

That is why we are on Asterisk.  We had to replace our old keyed
system and the thought was that we might as well get ready for VOIP
even if we planned to stay on PSTN for the foreseeable future.

However, the overwhelming evidence I find is that one simply does not
employ VOIP in the same way that PSTN works.  Actually, I have put
that backwards.  What I have discovered is that the most commonly
recommended method is to switch from a Telco to A SIP provider and
continue in a manner similar to the former set-up.  External calls all
have to travel through a third party provider.

One does not accept incoming VOIP calls from just everyone,
apparently.  One only accepts VOIP calls from known correspondents.  I
am not clear why this is so other than vague warnings respecting
(admittedly real and serious) security issues.

Even limiting VOIP to known correspondents one is ultimately trusting
that they themselves are secured sufficiently to prevent unauthorised
access to your systems through theirs.  And that seems a bit of a
stretch by way of rationalisation to me.

Also I do not understand is why the same issues do not exist from
incoming calls via PSTN.

I somewhat understand the process of getting devices to register and
authenticate to obtain access to our outgoing routes.   What is it
about incoming SIP calls destined to our internal users that make
those calls so dangerous?  Why cannot incoming anonymous SIP calls not
be treated exactly as incoming PSTN calls (other than PSTN have to go
though DAHDI to turn them into digital VOIP calls). What is it that
prevents them from being blocked from gatewaying through to our PSTN
lines?

Please forgive my abysmal ignorance on this matter.  Perhaps I have
been down in the weeds too long getting our internal FreePBX system
working to see what is obvious to others.  I have been going theough
the Asticon Videos on security and have or already had implemented
most of the suggestions: Outbound LD secured by pins and allowed only
during work hours; IPTABLES rules and fail2ban checks; Separation of
voice and data network segments and addresses; Private IP for VOIP
desk-sets and internal provisioning; and so forth.

However, I still have the sense that I am just not getting it.  What
am I missing?

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3