Reply to espaeth:

Re: [Asterisk] FreePBX a couple of security questions

I was actually thinking of using throwaway credentials in addition to doing it over VPN. You have a couple of options to VPN in when on the go:
1) Most smartphones come with VPN clients, or they can be installed pretty easily. Well, I'd assume so, but it's certainly true with Android.
2) You can also go the softphone way if you carry a laptop or a netbook with you. I can't think of a major OS that doesn't have some sort of VPN client either pre-installed or easily obtainable.
-- If you have an apple and I have an apple and we exchange these apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas. George Bernard Shaw
wifi4milez (New York, NY), replying to espaeth:

> said by espaeth:
>> said by wifi4milez: How much latency would adding a VPN introduce?
> That depends. Are you terminating to a public VPN gateway (a la VyperVPN) or are you terminating on a VPN gateway on the same hardware as your Asterisk install? Are you using OpenVPN over UDP (preferred), over TCP, or are you using IPSec?

A very good question, and in fact I am looking for suggestions. What would you recommend from both an ease-of-use as well as an overall "better" solution? I have nothing in place today, so I am willing to consider anything.

> said by espaeth:
>> said by wifi4milez: Does that mean all the other security precautions need not be put into place?
> Presuming you want to connect this device to Internet VoIP providers, you clearly still want to implement all necessary security safeguards.

Of course. I was more referring to the additional actions that need to be taken if you fully make the Asterisk box available on the public internet.

> said by espaeth:
>> said by wifi4milez: What would be some drawbacks of using a VPN to connect to Asterisk?
> It isn't natively supported in all ATAs and IP phones, and it adds a level of complexity in troubleshooting and operating your devices.

Right now the only device I plan on using off the wired network would be the Android device. That "appears" to support VPNs without an issue, although I haven't tried it yet.

> said by espaeth: On a wired or secured wifi network, the expectation is that traffic is not being captured and that any incident of data discovery through packet captures is the rare exception.
> By contrast, on public wifi networks that are completely insecure, you should assume that all of your traffic is being captured.
> Most of the SIP scans today are just out there looking for random extensions -- those are easy to sidestep because you can filter out the SIP traffic that doesn't belong with a couple of lines in iptables. Someone who captures your credentials on public wifi is harder to stop because your PBX hostname, SIP username, and User-Agent details are all available in cleartext. Even if you're using something like fail2ban, that only blocks one IP at a time. The real problem is that Asterisk hacking can result in actual monetary gains, so you attract people who might have the ability to leverage a botnet of several thousand zombie machines that can all attempt passwords until they each get locked out.
> The other option would be to get set up to provision "throw-away" credentials that you would only use one time while using public wifi. This could be as simple as logging into your PBX using SSH or HTTPS, creating an extension, making the calls you need to make, and then deleting the extension when you're done.

Wouldn't using a VPN eliminate many of the issues you just mentioned?
-- "No you won't" -The American people to President Obama (11/2/2010)
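espaeth's point in the quoted text, that fail2ban bans one IP at a time while a botnet spreads the password guesses across many hosts so that no single source ever trips the ban, can be checked from Asterisk's own log rather than per IP. The following is an added example, not code from the thread: it parses chan_sip's "Registration from ... failed" lines and counts distinct source IPs per target extension inside a time window, which is the signal a per-IP ban never sees. The sample log is constructed (documentation addresses only), the thresholds are assumptions, and since the log timestamp carries no year only windows within one day are compared.

```python
"""Detect a distributed SIP registration brute force from Asterisk's log.
Added example, not code from the thread; log lines below are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of /var/log/asterisk/messages in chan_sip's format
# (documentation addresses only, not real traffic).
SAMPLE_LOG = """\
[Nov  3 20:14:58] VERBOSE[2211] logger.c:     -- Registered SIP '1003' at 203.0.113.5:5060
[Nov  3 20:15:01] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.com>' failed for '198.51.100.23:5060' - Wrong password
[Nov  3 20:15:09] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.com>' failed for '203.0.113.8:5060' - Wrong password
[Nov  3 20:15:20] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.com>' failed for '192.0.2.140:5060' - Wrong password
[Nov  3 20:15:31] NOTICE[2211] chan_sip.c: Registration from '"1002" <sip:1002@pbx.example.com>' failed for '192.0.2.140:5060' - Wrong password
[Nov  3 20:15:37] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@pbx.example.com>' failed for '192.0.2.99:5060' - No matching peer found
[Nov  3 20:15:44] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.com>' failed for '198.51.100.77:5060' - Wrong password
[Nov  3 20:16:02] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.com>' failed for '203.0.113.200:5060' - Wrong password
[Nov  3 20:16:15] NOTICE[2211] chan_sip.c: Registration from '"1002" <sip:1002@pbx.example.com>' failed for '192.0.2.140:5060' - Wrong password
[Nov  3 20:16:30] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.com>' failed for '192.0.2.66:5060' - Wrong password
[Nov  3 20:16:31] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@pbx.example.com>' failed for '198.51.100.23:5060' - Wrong password
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<peer>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.*)$")
EXT_RE = re.compile(r"sip:([^@>]+)@")   # extension out of the quoted From/peer string


def parse_failures(log):
    """Return [(timestamp, extension, source_ip, reason)] for every failed REGISTER, oldest first."""
    events = []
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                      # not a registration failure (VERBOSE lines etc.)
        ext_m = EXT_RE.search(m["peer"])
        ext = ext_m.group(1) if ext_m else m["peer"]
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # no year in the log; intra-day windows only
        events.append((ts, ext, m["ip"], m["reason"]))
    return sorted(events)


def per_ip_failures(events):
    """What a per-IP ban (fail2ban style) sees: failures counted by source address."""
    return Counter(ip for _, _, ip, _ in events)


def distributed_targets(events, window_s=300, min_sources=5):
    """Extensions hit by at least min_sources distinct IPs inside any window_s-second span.
    Thresholds are assumptions; tune them to your own registration volume."""
    by_ext = defaultdict(list)
    for ts, ext, ip, _ in events:
        by_ext[ext].append((ts, ip))
    flagged = {}
    for ext, hits in by_ext.items():          # hits are already time-ordered
        for i, (start, _) in enumerate(hits):
            ips = {ip for ts, ip in hits[i:] if (ts - start).total_seconds() <= window_s}
            if len(ips) >= min_sources:
                flagged[ext] = ips
                break
    return flagged


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("busiest single IP:", per_ip_failures(ev).most_common(1))
    for ext, ips in distributed_targets(ev).items():
        print(f"extension {ext} targeted from {len(ips)} distinct hosts: {sorted(ips)}")
```

In the constructed sample no source exceeds three failures, so a typical per-IP ban threshold is never reached, while extension 1001 is attacked from six hosts inside ninety seconds. A detector built on this signal should respond at the target (disable or rotate that extension's secret, or tighten the SIP allowlist) rather than banning the sources one by one.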
mazilo (Lilburn, GA):

> said by wifi4milez:
>> said by espaeth:
>>> said by wifi4milez: How much latency would adding a VPN introduce?
>> That depends. Are you terminating to a public VPN gateway (a la VyperVPN) or are you terminating on a VPN gateway on the same hardware as your Asterisk install? Are you using OpenVPN over UDP (preferred), over TCP, or are you using IPSec?
> A very good question, and in fact I am looking for suggestions. What would you recommend from both an ease-of-use as well as an overall "better" solution? I have nothing in place today, so I am willing to consider anything.

To start with, you may want to contemplate getting some SOHO NAT/firewall router with a built-in hardware crypto chip to do an encrypted VPN connection.
-- don't and stop are the ONLY two 4-letter words considered offensive to men, but not when used together.
wifi4milez (New York, NY):

> said by mazilo: To start with, you may want to contemplate getting some SOHO NAT/firewall router with a built-in hardware crypto chip to do an encrypted VPN connection.

Just to clarify, everything on my network is behind a consumer-grade router, so it's not just sitting exposed to the internet! Would a DD-WRT device be sufficient, as they support OpenVPN, or is a more purpose-built (true SOHO) device recommended?
mazilo (Lilburn, GA):

> said by wifi4milez:
>> said by mazilo: To start with, you may want to contemplate getting some SOHO NAT/firewall router with a built-in hardware crypto chip to do an encrypted VPN connection.
> Just to clarify, everything on my network is behind a consumer-grade router, so it's not just sitting exposed to the internet! Would a DD-WRT device be sufficient, as they support OpenVPN, or is a more purpose-built (true SOHO) device recommended?

I don't use any VPN connection yet. However, from what I read in posts about setting up an encrypted VPN connection, some SOHO routers will just get choked without a built-in hardware crypto engine (chipset). On the long-discontinued Netgear WGT634U NAT/firewall router, the hardware crypto chipset can deliver an encrypted VPN connection of up to 75Mbps.
wifi4milez (New York, NY):

> said by mazilo:
>> said by wifi4milez:
>>> said by mazilo: To start with, you may want to contemplate getting some SOHO NAT/firewall router with a built-in hardware crypto chip to do an encrypted VPN connection.
>> Just to clarify, everything on my network is behind a consumer-grade router, so it's not just sitting exposed to the internet! Would a DD-WRT device be sufficient, as they support OpenVPN, or is a more purpose-built (true SOHO) device recommended?
> I don't use any VPN connection yet. However, from what I read in posts about setting up an encrypted VPN connection, some SOHO routers will just get choked without a built-in hardware crypto engine (chipset). On the long-discontinued Netgear WGT634U NAT/firewall router, the hardware crypto chipset can deliver an encrypted VPN connection of up to 75Mbps.

Interesting. I found a number of routers for sale that come pre-flashed with DD-WRT. In fact, many of them are advertised on VoIP sites. Based on your research, what router would do the job?
mazilo (Lilburn, GA):

> said by wifi4milez: Based on your research, what router would do the job?

Honestly, I don't know the answer. However, I would recommend that you take a look at the OpenWRT Table of Hardware router list and see if there is any router that has a built-in crypto chip with at least a USB2 port and plenty of RAM (minimum 32MB).

OTOH, please take a closer look at the Linux kernel source. Under the Cryptographic API -> Hardware crypto devices sub-menu, you will find two entries, i.e. "Marvell's Cryptographic Engine" and "Driver HIFN 795x crypto accelerator chips". The former driver, Marvell's Cryptographic Engine (MCESA), supports the CESA chipset used by Marvell Orion and Kirkwood SoCs. So, I believe a Seagate DockStar does come with a built-in CESA chipset. That said, perhaps you may wanna look around for some inexpensive PogoPlug devices (i.e. PogoPlug Pro) that employ such a CESA. If you go this route, you may wanna add a USB->RJ45 dongle (as your WAN port) and at least a 4-port (GigE) switch to turn the device into a SOHO WiFi NAT/firewall router with hardware encryption using OpenWRT.
wifi4milez (New York, NY):

> said by mazilo: That said, perhaps you may wanna look around for some inexpensive PogoPlug devices (i.e. PogoPlug Pro) that employ such a CESA. If you go this route, you may wanna add a USB->RJ45 dongle (as your WAN port) and at least a 4-port (GigE) switch to turn the device into a SOHO WiFi NAT/firewall router with hardware encryption using OpenWRT.

It's funny you say that, because my Asterisk box is a PogoPlug device. I wonder if I could install OpenWRT on top of Asterisk (via a partition, perhaps), or even if I can simply add the VPN capability to Asterisk via the device.... This looks like more research will be required on my end!
mazilo (Lilburn, GA):

> said by wifi4milez: It's funny you say that, because my Asterisk box is a PogoPlug device. I wonder if I could install OpenWRT on top of Asterisk (via a partition, perhaps), or even if I can simply add the VPN capability to Asterisk via the device.... This looks like more research will be required on my end!

IIRC, your PogoPlug can be configured to boot off an external USB partition. If so, you just get any USB memory stick to use with OpenWRT and there is no need to create any additional partitions at all. Otherwise, you will probably have to edit your U-Boot settings to let it boot from another USB partition.
wifi4milez (New York, NY):

> said by mazilo:
>> said by wifi4milez: It's funny you say that, because my Asterisk box is a PogoPlug device. I wonder if I could install OpenWRT on top of Asterisk (via a partition, perhaps), or even if I can simply add the VPN capability to Asterisk via the device.... This looks like more research will be required on my end!
> IIRC, your PogoPlug can be configured to boot off an external USB partition. If so, you just get any USB memory stick to use with OpenWRT and there is no need to create any additional partitions at all. Otherwise, you will probably have to edit your U-Boot settings to let it boot from another USB partition.

That is a good suggestion. I will need to look into it more, however, since I don't know if the device can boot from two partitions at once.
Reply to FiReSTaRT:

I got something that I think I can work with, but I wanted to submit it for peer review before going live. Still got a few days, as I'm doing a domain transfer and still waiting on a static IP anyway.
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
# reject loopback-addressed packets that did NOT arrive on lo (spoofed 127/8);
# without the "!" this rule could never match, since the line above already accepts all lo traffic
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A OUTPUT -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# one -s per rule: iptables refuses a rule with two source specifications
-A INPUT -p tcp -s TRUSTED_IP_ADDR --dport 80 -j ACCEPT
-A INPUT -m iprange --src-range TRUSTED_IP_RANGE -p tcp --dport PORT_# -j ACCEPT
-A INPUT -m iprange --src-range TRUSTED_IP_RANGE -p tcp -m state --state NEW --dport PORT_# -j ACCEPT
-A INPUT -m iprange --src-range TRUSTED_IP_RANGE -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "INVITE sip:SIPURIUser1" --algo bm -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "BYE sip:SIPURIUser1" --algo bm -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "INVITE sip:SIPURIUser2" --algo bm -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "BYE sip:SIPURIUser2" --algo bm -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:pbxname.pbxdomain.com" --algo bm -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -j DROP
-A INPUT -i eth0 -p udp --dport START_PORT:END_PORT -j ACCEPT
# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
COMMIT
If you guys find anything missing or syntax issues, corrections would be appreciated, along with any comments. So far I am provisioning 5 users, but I figured it would be a waste of screen real estate to post user1-user5 when all I'm doing is an example :)
Edit: fixed allow outbound traffic
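To see what the posted INPUT chain actually lets through, here is a small offline evaluator for it. This is added example code, not part of the post or of iptables: the placeholders are filled with constructed documentation addresses (198.51.100.10 as the trusted host, 203.0.113.x as the trusted range, 2222 as the admin port, user1 as a SIP URI user, 10000-20000 as the RTP range), and only the match options the ruleset uses are modelled. The check worth running is the REGISTER line: `-m string` matches on packet content, so any REGISTER addressed to the PBX hostname is accepted, including a password-guessing one, while the same rules do stop the random-extension INVITE and OPTIONS scans.

```python
"""Offline model of the INPUT chain posted above: feed it sample packets and see
which ones the ruleset admits.  Added example, not code from the thread."""
import ipaddress
import shlex

# The thread's ruleset with constructed values for its placeholders (198.51.100.10
# = trusted host, 203.0.113.x = trusted range, 2222 = admin port, 10000-20000 = RTP).
RULESET = """\
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s 198.51.100.10 --dport 80 -j ACCEPT
-A INPUT -m iprange --src-range 203.0.113.1-203.0.113.254 -p tcp --dport 2222 -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "INVITE sip:user1" --algo bm -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -m string --string "REGISTER sip:pbx.example.com" --algo bm -j ACCEPT
-A INPUT -i eth0 -p udp --dport 5060 -j DROP
-A INPUT -i eth0 -p udp --dport 10000:20000 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
"""
INPUT_POLICY = "DROP"
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
NO_MATCH_SEMANTICS = {"-A", "-m", "--algo", "--limit", "--log-prefix", "--log-level"}


def parse_rule(line):
    """Turn one iptables-save line into a dict of match conditions plus its target."""
    toks = shlex.split(line)
    rule = {}
    for opt, arg in zip(toks[::2], toks[1::2]):   # every option in this ruleset takes one argument
        if opt in NO_MATCH_SEMANTICS:
            continue
        if opt == "-i":
            rule["iface"] = arg
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "-s":
            rule["src_net"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "--src-range":
            lo, hi = arg.split("-")
            rule["src_range"] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        elif opt == "--dport":
            lo, _, hi = arg.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif opt == "--state":
            rule["state"] = set(arg.split(","))
        elif opt == "--string":
            rule["string"] = arg.encode()
        elif opt == "-j":
            rule["target"] = arg
        else:
            raise ValueError(f"unsupported option {opt!r} in: {line}")
    return rule


def matches(rule, pkt):
    """True when every condition in the rule holds for the packet."""
    src = ipaddress.ip_address(pkt["src"])
    return all([
        pkt["iface"] == rule.get("iface", pkt["iface"]),
        pkt["proto"] == rule.get("proto", pkt["proto"]),
        "src_net" not in rule or src in rule["src_net"],
        "src_range" not in rule or rule["src_range"][0] <= src <= rule["src_range"][1],
        "dport" not in rule or (pkt["dport"] is not None
                                and rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]),
        "state" not in rule or pkt["state"] in rule["state"],
        "string" not in rule or rule["string"] in pkt["payload"],   # substring, anywhere in payload
    ])


def verdict(pkt, ruleset=RULESET, policy=INPUT_POLICY):
    """Walk the chain top to bottom; the first terminating target wins, else the chain policy."""
    for line in ruleset.splitlines():
        rule = parse_rule(line)
        if matches(rule, pkt) and rule["target"] in TERMINATING:
            return rule["target"]
    return policy   # only LOG matched, or nothing did: fall through to the policy


def pkt(src, proto, dport=None, payload=b"", iface="eth0", state="NEW"):
    return {"src": src, "proto": proto, "dport": dport, "payload": payload,
            "iface": iface, "state": state}


# Constructed packets (documentation addresses, not captured traffic).
SAMPLES = {
    "web from trusted host": pkt("198.51.100.10", "tcp", 80),
    "web from stranger": pkt("192.0.2.77", "tcp", 80),
    "admin port from trusted range": pkt("203.0.113.42", "tcp", 2222),
    "admin port from stranger": pkt("192.0.2.77", "tcp", 2222),
    "sipvicious-style OPTIONS probe": pkt("192.0.2.99", "udp", 5060, b"OPTIONS sip:100@192.0.2.5 SIP/2.0\r\n"),
    "INVITE for unlisted user": pkt("192.0.2.99", "udp", 5060, b"INVITE sip:1234@pbx.example.com SIP/2.0\r\n"),
    "INVITE for listed user": pkt("192.0.2.99", "udp", 5060, b"INVITE sip:user1@pbx.example.com SIP/2.0\r\n"),
    "REGISTER password guess": pkt("192.0.2.99", "udp", 5060,
                                   b"REGISTER sip:pbx.example.com SIP/2.0\r\nFrom: <sip:1001@pbx.example.com>\r\n"),
    "RTP into media range": pkt("192.0.2.99", "udp", 12000, b"\x80\x00\x00\x01"),
}


def audit(samples=SAMPLES):
    """Map each sample packet name to the chain's verdict."""
    return {name: verdict(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, v in audit().items():
        print(f"{v:7} {name}")
```

Run it to print one verdict per sample; paste your own ruleset text and packets in to check a change before loading it with iptables-restore. The evaluator is deliberately minimal (no "!" negation, no -d, no icmp match), so extend parse_rule and matches before trusting it with rules that use those options.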
espaeth (Minneapolis, MN):

You probably want to rewrite the OUTPUT rule to make double sure you're matching state.
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Reply to espaeth:

Great point! Thanks. That ALMOST makes up for making me burn my pork chops while making the tweak ;)
Edit: small update. Figured out how to turn off the display:
vbetool dpms off
I already put that into rc.local. Another piece of good news: the lappy runs with the lid closed. Tested with a continuous ping. No advanced power-management features that GUIs seem to be bloated with. Once I do my domain transfer, I should be ready to get the server up and running in "production" :P