
VOIP for the Security Guy

Bl8ckr0uter Inactive Imported Users Posts: 5,031
Anyone have a decent list of security readings for VOIP noobs?

I am looking to set up an Asterisk server at home but I also want a decent list of stuff for general knowledge of VOIP and the like.

Comments

  • shodown Member Posts: 2,271
    Anyone have a decent list of security readings for VOIP noobs?

    I am looking to set up an Asterisk server at home but I also want a decent list of stuff for general knowledge of VOIP and the like.


    We don't like security, it's someone else's job. Honestly I don't know of too many books that just focus on security for VOIP; I'm sure they are around in basic form. Most vendors have a best practice, and in the CCNP Voice it's covered in the CIPT2 exam on some basic protection measures. I could point you in some directions if you were more specific, i.e. toll fraud, packet sniffing, payment card theft and so on.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    shodown wrote: »
    We don't like security, it's someone else's job. Honestly I don't know of too many books that just focus on security for VOIP; I'm sure they are around in basic form. Most vendors have a best practice, and in the CCNP Voice it's covered in the CIPT2 exam on some basic protection measures. I could point you in some directions if you were more specific, i.e. toll fraud, packet sniffing, payment card theft and so on.

    Lol. I should have been more specific and clear:

    1: I want to learn about VOIP. Any good vendor neutral books?
    A: In addition to learning VOIP, I would like to learn about common attack vectors regarding VOIP, how to test for them and how to fix them.

    I am a VOIP noob (as well as a general noob).
  • shodown Member Posts: 2,271
    Lol. I should have been more specific and clear:

    1: I want to learn about VOIP. Any good vendor neutral books?
    A: In addition to learning VOIP, I would like to learn about common attack vectors regarding VOIP, how to test for them and how to fix them.

    I am a VOIP noob (as well as a general noob).



    VoIP Fundamentals from Cisco Press is a good VoIP book to begin with.


    Most common thing I see is toll fraud. I get around 1 case a month, and damn near every major holiday. Sometimes it's internal (they find a phone that has international dialing (the receptionist is a good target for this), and they will forward her phone to an international number and place calls from a payphone or to it and call someone far away).


    Other times someone leaves an interface with SIP enabled exposed. People will connect their SIP phones and dial internationally. I got one company who got hit with a 5K phone bill for just 2 days of toll fraud.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
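An added example, not part of shodown's post: one way to spot the toll-fraud pattern described above (international calls at odd hours, on holidays, or from a source nobody recognises) in call detail records. The record layout, the "011" international prefix, the business hours and the daily limit are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Assumptions (not from the thread): "011" is the international dialing prefix
# (North American dial plan) and business hours are Mon-Fri 08:00-18:00.
INTL_PREFIX = "011"
DAILY_LIMIT_SECONDS = 1800  # alert once a source passes 30 min/day of international calls

# Constructed sample records: (start time, source, dialed number, billed seconds)
SAMPLE_CDRS = [
    ("2011-07-01 10:15:00", "ext-101", "5551230000", 120),         # local call
    ("2011-07-01 14:00:00", "ext-102", "0114420700000", 300),      # daytime international
    ("2011-07-04 02:10:00", "ext-100", "0115300000000", 2400),     # holiday, 2am
    ("2011-07-04 02:55:00", "ext-100", "0115300000001", 3100),
    ("2011-07-04 03:20:00", "203.0.113.9", "0112340000000", 2000), # unknown SIP peer
]

def is_off_hours(ts, holidays):
    """True on weekends, outside 08:00-18:00, or on a listed holiday."""
    return ts.weekday() >= 5 or not (8 <= ts.hour < 18) or ts.date().isoformat() in holidays

def find_toll_fraud(cdrs, known_sources, holidays=()):
    """Return {source: sorted list of reasons} for suspicious international usage."""
    alerts = defaultdict(set)
    daily = defaultdict(int)  # (source, date) -> billed international seconds
    for start, src, dst, billsec in cdrs:
        if not dst.startswith(INTL_PREFIX):
            continue
        ts = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        if src not in known_sources:
            alerts[src].add("international call from unknown source")
        if is_off_hours(ts, holidays):
            alerts[src].add("international call off hours")
        daily[(src, ts.date())] += billsec
        if daily[(src, ts.date())] > DAILY_LIMIT_SECONDS:
            alerts[src].add("daily international limit exceeded")
    return {src: sorted(reasons) for src, reasons in alerts.items()}

if __name__ == "__main__":
    known = {"ext-100", "ext-101", "ext-102"}
    for src, why in find_toll_fraud(SAMPLE_CDRS, known, holidays={"2011-07-04"}).items():
        print(src, "->", "; ".join(why))
```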
  • shednik Member Posts: 2,005
    sexion's website may be of some interest - Home
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    shednik wrote: »
    sexion's website may be of some interest - Home


    Yea I have read it. He is pretty much a monster (in a good way) lol
  • sexion8 Member Posts: 242
    Yea I have read it. He is pretty much a monster (in a good way) lol


    Speak of ye devil... What would you like to know about, anything specific?

    Asterisk Intrusion Prevention 101
    A Simple Asterisk Based Toll Fraud Prevention Script

    Why Fail2Ban Fails 2 Ban
    Failed2Ban

    Assorted Asterisk butchery I whipped up
    http://www.infiltrated.net/scripts/

    Phorensix - Asterisk based honeypot incident response
    Phorensix VoIP Forensics Tool For Asterisk 1 ≈ Packet Storm

    I also wrote a custom IPS slash anti-toll fraud platform for Audiocodes' Session Border controller using expect, perl and shell scripts and am now working on migrating them to my Acme Packet net-nets when I have the time.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    sexion8 wrote: »
    Speak of ye devil... What would you like to know about, anything specific?

    Asterisk Intrusion Prevention 101
    A Simple Asterisk Based Toll Fraud Prevention Script

    Why Fail2Ban Fails 2 Ban
    Failed2Ban

    Assorted Asterisk butchery I whipped up
    http://www.infiltrated.net/scripts/

    Phorensix - Asterisk based honeypot incident response
    Phorensix VoIP Forensics Tool For Asterisk 1 ≈ Packet Storm

    I also wrote a custom IPS slash anti-toll fraud platform for Audiocodes' Session Border controller using expect, perl and shell scripts and am now working on migrating them to my Acme Packet net-nets when I have the time.

    I actually read all of your articles over the last few days....
    This actually stems from another article I read (Ironically on your site) about how to become a decent pentester. While pentesting isn't my end goal, it is a general skillset I'd like to have and I'd like to be very good at. But that's another story...

    What I need to do is buy a phone and set up an Asterisk/Google Voice server at home and just go for it. I don't know anyone who knows VoIP at all. The other guy here isn't going to teach me so basically I am going to have to just dive in one of these days. The problem is time and hardware, both are in short supply.

    I thought the IDS was nice, actually pretty epic tbh. I wish I could figure out how to get something like that in place for my VOIP system at work (it really isn't my responsibility but I don't like not knowing about it). I may be wrong but I don't think putting snort on the other side of the gateway (where it trunks to the LAN) is a viable option. Hell, I wouldn't even know what I am looking for so that I could even determine if something is an attack or not.
  • sexion8 Member Posts: 242
    Hell, I wouldn't even know what I am looking for so that I could even determine if something is an attack or not.

    You're approaching things the wrong way ;) What is VoIP? At the end of the day it's all data. Voice converted into data and sent in a client/server configuration. As in email, you have a To, a From and a Subject (SIP message type: OPTION, REGISTER, INVITE, etc.). Logging is pretty much the same as you would see in, say, /var/log/messages or Windows' Event Log.

    As for buying a phone, you could always go the free route and download a "softphone", something like Counterpath's XLite. Asterisk can be a little intimidating at first but it is no different than configuring an SMTP server (postfix, sendmail, etc). There are some very good tutorials out there; I'd begin with voip-info and nerd vittles: voip-info.org and www.nerd-vittles.com

    Wish I could help on the Google side of things but I work at a Managed Service Provider which does ITSP (Internet Telephony Services Provider (think of a Vonage for Vonage)). So I deal with mainly trunking, session border controllers and managed PBXs (Avaya, CME, Asterisk, Allworx, Panasonic, Mitel, pbxnsip and the list goes on). I come from the systems slash networking slash security arena and have been involved with voip full time alongside security for 5 years straight, dabbling in it for a total of almost 8 years. When I first started it was as foreign as dropping me off in Vietnam. I went the RFC route, the breaking it route, the configuring it route, etc.

    My first week at the ITSP, I was given no instruction. Instead they handed me a punchblock, some Rhino channel banks, 6 servers and told me it needed to be up in a week for an install. Not understanding enough, I dug in... Dug in, dug in, kicked, shouted, drank coffee and never got it working... It was a joke. The system I was supposed to configure would have never worked as back then, Asterisk had little support for Rhino and Rhino's channel drivers were flaky. I even went as far as starting to re-program my own drivers... So yes it can be intimidating because when I GOT involved, my approach was flawed. I was thinking VoIP when at the end of the day, it's still nothing more than data.
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
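An added example, not part of sexion8's post: the "it's all data, like email" point made concrete by parsing SIP requests into a method and headers, then flagging a source that tries to REGISTER as many different users. The captured messages are constructed, the addresses come from documentation ranges, and the threshold of 5 users is an assumption.

```python
from collections import defaultdict

def make_request(method, user, host="pbx.example.com"):
    """Build a minimal, constructed SIP request for the sample data below."""
    return (f"{method} sip:{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP client.invalid:5060\r\n"
            f"From: <sip:{user}@{host}>;tag=1\r\n"
            f"To: <sip:{user}@{host}>\r\n"
            f"CSeq: 1 {method}\r\n\r\n")

# Constructed captures: (source IP, raw SIP request)
CAPTURED = [("192.0.2.10", make_request("REGISTER", "101")),
            ("192.0.2.10", make_request("OPTIONS", "101"))]
CAPTURED += [("198.51.100.7", make_request("REGISTER", str(ext)))
             for ext in range(100, 112)]

def parse_sip(raw):
    """Split a SIP request into (method, request URI, headers), much like an email.
    Simplified: header folding and compact header names are not handled."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    if not version.startswith("SIP/"):
        raise ValueError("not a SIP request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def sip_user(header_value):
    """Extract the user part from a header such as '<sip:101@host>;tag=1'."""
    uri = header_value.split("<", 1)[-1].split(">", 1)[0]
    return uri.split(":", 1)[-1].split("@", 1)[0]

def suspicious_registrars(captures, max_users=5):
    """Return {source: count} for sources that REGISTER more distinct users than max_users."""
    users = defaultdict(set)
    for src, raw in captures:
        method, _, headers = parse_sip(raw)
        if method == "REGISTER":  # the To header names the user being registered
            users[src].add(sip_user(headers.get("to", "")))
    return {src: len(u) for src, u in users.items() if len(u) > max_users}

if __name__ == "__main__":
    print(suspicious_registrars(CAPTURED))
```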
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    sexion8 wrote: »
    You're approaching things the wrong way ;) What is VoIP? At the end of the day it's all data. Voice converted into data and sent in a client/server configuration. As in email, you have a To, a From and a Subject (SIP message type: OPTION, REGISTER, INVITE, etc.). Logging is pretty much the same as you would see in, say, /var/log/messages or Windows' Event Log.


    This is what I thought but some of the hardcore voice postings have led me to believe there is waaaaay more to it than I realize. Funny thing is I just got a call about a job and one of the things they want is voice support (Call Manager) along with general network support.
    sexion8 wrote: »
    Wish I could help on the Google side of things but I work at a Managed Service Provider which does ITSP (Internet Telephony Services Provider (think of a Vonage for Vonage)). So I deal with mainly trunking, session border controllers and managed PBXs (Avaya, CME, Asterisk, Allworx, Panasonic, Mitel, pbxnsip and the list goes on). I come from the systems slash networking slash security arena and have been involved with voip full time alongside security for 5 years straight, dabbling in it for a total of almost 8 years. When I first started it was as foreign as dropping me off in Vietnam. I went the RFC route, the breaking it route, the configuring it route, etc.

    My first week at the ITSP, I was given no instruction. Instead they handed me a punchblock, some Rhino channel banks, 6 servers and told me it needed to be up in a week for an install. Not understanding enough, I dug in... Dug in, dug in, kicked, shouted, drank coffee and never got it working... It was a joke. The system I was supposed to configure would have never worked as back then, Asterisk had little support for Rhino and Rhino's channel drivers were flaky. I even went as far as starting to re-program my own drivers... So yes it can be intimidating because when I GOT involved, my approach was flawed. I was thinking VoIP when at the end of the day, it's still nothing more than data.

    The Google Voice side seems to be not too bad.
    Mario's adventures in geekery: Asterisk 1.8 and native Google Voice support