[VOIPSEC] IPS to protect against VOIP Attacks?
J. Oquendo
sil at infiltrated.net
Wed Jan 6 15:15:01 GMT 2010
Juan B wrote:
> Hi All !!
>
> I was wondering which is the best (or at least-good) IPS
> against VOIP attacks coming from the internet to the client network. He has an Asterisk
> in the DMZ and cisco call manager in the lan. I want to protect the voip
> components with an IPS against known attacks and DOS-DDOS attacks as well.
>
> thanks a lot !
>
> juan
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
The one you build on your own. Seriously. To date I have yet to see any
vendor guard successfully against say toll fraud attacks and I will
explain why...
In an IP based PBX, there is almost ALWAYS going to be remote (not local
on the same network) connectivity. Because of this, ports must remain
opened. While you can fool yourself into thinking that you will
configure a nice set of firewall rules or alert rules, what will you do
if say the CEO takes a trip to China, didn't configure his softphone and
is now generating "unauthorized *something*" messages. Block him out? If
you firewalled the PBX entirely, you'll have one irate CEO ready to
kick that PBX to kingdom come (trust me I've seen it).
So what do you do? Tell the CEO: "When you get to China, go to
whatismyip.com, get your address so we can allow you in!" Won't work. In
an IPS, it gets even murkier. So you configure your IPS to do what...
Alert you right, but alert you to what? Bad registrations? INVITES gone
wild? OPTIONS gone bonkers? I'm assuming you're not familiar with SIP
messages (not that SIP is the only game in town). SIP messages can give
a host of informative yet at times incoherent messages. Same goes for
most message logs on PBXs: e.g. Asterisk: Jan 06 09:14:51 DEBUG[4944]
chan_zap.c: Monitor doohicky got event Event 160 on channel 3
So how do you propose an IPS to be intelligent. Your best bet is to
literally understand your messaging, your threats and go from there. I
rambled on about this before (as I always do - ramble) and created a
crude framework anyone can follow under any PBX (your mileage may vary):
http://www.infiltrated.net/asterisk-ips.html
It's not as difficult as one might think:
VoIP Call Statistics
--------------------
Total Active Calls . . . . . . . . . . . . . . . . . 1374
... edited boring stuff
Calls Processed. . . . . . . . . . . . . . . . . 4754903
Completed Calls 4157345
... done editing boring stuff (nCite for those wondering: show stats
voip to be more concise)
I parse out logs to one server, do some fuzzy insane perl|ruby|awk (awk
is your friend) voodoo, get offenders, create rules and push those rules
back out to my managed PBXs. All within seconds. It's not that hard, you
have to know what you're looking for though. Take note... Working at a
VoIP carrier, even we have issues with marketing and choose to stay away
from hype and "CRAP Cross Reverse Anomaly Processing" devices and
applications.
When it comes to DDoS, the answer (drum roll) is: "In Soviet Russian
DDoS..." kidding ;) There is little to get into on protection from DDoS,
ultimately, your upstreams can help you here. However, if you want to
continue with this conversation, I can custom write you an all inclusive
IPS, IDS, TollFraud Mitigation System using "Intelligent Heuristic Cross
Compatible Anomalous Processing Processing" for a fee. Otherwise, you're
just wasting money. Strong passwords and vigilant monitoring are all you
should need. Maybe (just maybe) a finely tuned SIEM (OSSIM) with some
nifty scripts will save you some serious ching.
By the way Happy New Year all.
--
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
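One concrete form of the "parse logs, find offenders, create rules, push them
back" loop described in the reply, added here as an illustration. It is not the
author's framework from infiltrated.net and is written in Python rather than
the awk/perl/ruby mentioned above. The log lines are constructed in the shape
of the chan_sip NOTICE that Asterisk 1.4/1.6 wrote on a failed REGISTER (later
releases append ":port" to the address, which the pattern also accepts); the
threshold, window, iptables chain name VOIP_BLOCK and the allow list are all
assumptions for the example. The allow list is the practical answer to the
"CEO in China with a misconfigured softphone" problem: known remote networks
are never turned into DROP rules no matter how noisy they get.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log, in the style of Asterisk 1.4/1.6 chan_sip NOTICEs.
# 203.0.113.5 is a scanner walking extensions; 198.51.100.7 is a known remote
# user with a wrong password; the last line is unrelated noise to be skipped.
SAMPLE_LOG = """\
[Jan  6 09:14:51] NOTICE[4944] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
[Jan  6 09:14:52] NOTICE[4944] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Jan  6 09:14:52] NOTICE[4944] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Jan  6 09:14:53] NOTICE[4944] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Jan  6 09:14:53] NOTICE[4944] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[Jan  6 09:20:10] NOTICE[4944] chan_sip.c: Registration from '"ceo" <sip:ceo@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Jan  6 09:20:40] NOTICE[4944] chan_sip.c: Registration from '"ceo" <sip:ceo@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Jan  6 09:30:00] DEBUG[4944] chan_zap.c: Monitor doohicky got event Event 160 on channel 3
"""

# Failed-REGISTER line; the optional ":port" covers newer Asterisk releases.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$"
)


def parse_failures(lines, year=2010):
    """Yield (timestamp, source_ip, claimed_user, reason) for each failed REGISTER.

    Asterisk's log timestamp has no year, so one is supplied by the caller.
    Lines that are not failed registrations (DEBUG chatter, etc.) are skipped.
    """
    for line in lines:
        m = FAILED_REG.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"], m["reason"]


def find_offenders(events, threshold=5, window=timedelta(minutes=5), allow=()):
    """Return {ip: largest burst} for sources with >= threshold failures in any window.

    `allow` holds CIDR strings (assumed: your known remote sites) that are
    never reported, so a legitimate user with a bad password is not blocked.
    """
    allow_nets = [ip_network(cidr) for cidr in allow]
    by_ip = defaultdict(list)
    for ts, ip, _user, _reason in events:
        if any(ip_address(ip) in net for net in allow_nets):
            continue
        by_ip[ip].append(ts)

    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        # Sliding window: for each failure, count how many others fall within
        # `window` before it; the peak burst decides whether the IP is reported.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            burst = end - start + 1
            if burst >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), burst)
    return offenders


def iptables_rules(offenders, chain="VOIP_BLOCK"):
    """Render one iptables DROP rule per offender (chain name is an assumption)."""
    return [
        f"iptables -A {chain} -s {ip} -p udp --dport 5060 -j DROP"
        for ip in sorted(offenders)
    ]


if __name__ == "__main__":
    events = list(parse_failures(SAMPLE_LOG.splitlines()))
    for rule in iptables_rules(find_offenders(events, allow=("198.51.100.0/24",))):
        print(rule)
```

Run against the sample, the scanner at 203.0.113.5 (five failures in two
seconds) becomes a DROP rule while the two failures from 198.51.100.7 do not,
both because they are under the threshold and because that network is on the
allow list. Pushing the rendered rules to the managed PBXs, and expiring them
after some hours, is the part left to whatever transport you already use.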