
VOIP Security

  • 25-05-2005 11:25pm
    #1
    Closed Accounts Posts: 4,858 ✭✭✭


    Was just thinking. I use my ATA as a router. If someone hacked into this what damage could they do? I mean both to my phone and computer. Is there any way to prevent these?


Comments

  • Registered Users Posts: 1,184 ✭✭✭causal


    If your ATA has an option to allow WAN side access - disable it.
    The Grandstream 486 has this option; if you're using your ATA as a router then there's no need for WAN side configuration (unless you want to configure it remotely, or allow someone else to configure it remotely ;)

    A gateway/router with SPI firewall, NAT, DHCP, QoS, UPnP, etc. (does your D-Link have these) and put your ATA behind that - which is what I do.

    [pedant]A hacker won't do any damage;[/pedant] otoh a cracker could most easily make a denial of service attack; or if you leave your WAN side access enabled then they can screw/copy your config. Nothing a reset and reconfigure won't fix for your ATA, but they could log in to your VoIP account and use all your credit. This type of crime will probably bubble, but free VoIP calls will end it :D

    hth,
    causal


  • Closed Accounts Posts: 4,858 ✭✭✭paulm17781


    Does anyone know if the Sipura 2100 has WAN side access? It's not written plain as day and I'm tired. ;)

    Thanks


  • Registered Users Posts: 509 ✭✭✭capistrano


    paulm17781 wrote:
    Does anyone know if the Sipura 2100 has Wan side access? It's not written plain as day and I'm tired. ;)

    Thanks

    It does.

    On the WAN Setup page there is the option "Enable WAN Web Server? Yes/No".

    Set this to No and no one will be able to remotely access the Sipura configuration.

    The really cool way to disable it is to use the IVR setup feature. Just dial **** and at the prompt enter 7932 for the WAN Port Web Server Option and then 0 to disable (or 1 to enable).


  • Closed Accounts Posts: 4,858 ✭✭✭paulm17781


    capistrano wrote:
    It does.

    On the WAN Setup page there is the option "Enable WAN Web Server? Yes/No".

    Set this to No and no one will be able to remotely access the Sipura configuration.

    The really cool way to disable it is to use the IVR setup feature. Just dial **** and at the prompt enter 7932 for the WAN Port Web Server Option and then 0 to disable (or 1 to enable).

    I saw that and assumed that to be it but I was too tired to find out what "WAN Web Server" meant. What is the purpose of WAN Web Server?


  • Registered Users Posts: 1,184 ✭✭✭causal


    I think you've just set some kind of record for sheer laziness :rolleyes:

    RTFM :p

    causal


  • Registered Users Posts: 509 ✭✭✭capistrano


    paulm17781 wrote:
    I saw that and assumed that to be it but I was too tired to find out what "WAN Web Server" meant. What is the purpose of WAN Web Server?

    The WAN Web Server is the web server that serves the Setup Pages.


  • Closed Accounts Posts: 4,858 ✭✭✭paulm17781


    Does anyone know of a good guide to security? I want to lock down everything and then open the ports that I need.

    Thanks.


  • Closed Accounts Posts: 55 ✭✭medO


    paulm17781 wrote:
    Does anyone know of a good guide to security?

    "Assessing Network Security" published by Microsoft
    written by Lam, LeBlanc and Smith
    ISBN 0-7356-2033-4 Price EUR 48,95 (USD 49,99)

    Very readable compared with other books on this topic. Not VoIP specific - covers the full range of network issues.

    About 550 pages.

    It doesn't talk about VoIP client security issues (eg leaving Skype running on your pc all day)

    One possible solution for the paranoid might be to connect one's VoIP device to the DMZ port of a firewall/router box - thus separating VoIP traffic from the rest of one's home or business network. VoIP traffic would go straight to/from the Sipura (or whatever) box one is using without having to fiddle with port settings. I'd think twice about putting a Sipura 3000 in this mode however, if it is also connected to a PSTN line for long periods!

    medO


  • Registered Users Posts: 232 ✭✭fisab


    causal wrote:
    A gateway/router with SPI firewall, NAT, DHCP, QoS, UPnP, etc. (does your D-Link have these) and put your ATA behind that - which is what I do.
    causal

    Just bought a SPA2100 and plan to put it behind my SMC barricade SPI firewall. Is there any FAQs/guides around for configuring sipuras behind routers with info on best security?


  • Registered Users Posts: 509 ✭✭✭capistrano


    fisab wrote:
    Just bought a SPA2100 and plan to put it behind my SMC barricade SPI firewall. Is there any FAQs/guides around for configuring sipuras behind routers with info on best security?

    I had to do some port forwarding on my router when I moved the Sipura 2100 ATA behind my firewall. See this post.


  • Registered Users Posts: 79 ✭✭ikomj


    On the WAN Setup page there is the option "Enable WAN Web Server? Yes/No"

    Can't find this option on the WAN Setup page of my Sipura 2100!!


  • Registered Users Posts: 509 ✭✭✭capistrano


    ikomj wrote:
    On the WAN Setup page there is the option "Enable WAN Web Server? Yes/No"

    Can't find this option on the WAN Setup page of my Sipura 2100!!

    It's there. On the "Wan Setup" tab in the section called "Remote Management": "Enable WAN Web Server:"


  • Registered Users Posts: 79 ✭✭ikomj


    Found it! But in my software [2.0.4(b002)]
    it is under:
    Voice - System - Remote Management.
    Thanks.


  • Registered Users Posts: 232 ✭✭fisab


    causal wrote:
    If your ATA has an option to allow WAN side access - disable it.
    The Grandstream 486 has this option; if you're using your ATA as a router then there's no need for WAN side configuration (unless you want to configure it remotely, or allow someone else to configure it remotely ;)

    A gateway/router with SPI firewall, NAT, DHCP, QoS, UPnP, etc. (does your D-Link have these) and put your ATA behind that - which is what I do.

    <snip>
    hth,
    causal


    Putting the ATA behind the router seems to me to be the best option, though the Sipura FAQ says that you need to disable "SPI" : http://www.sipura.com/Documents/faq/Section_1.html#5

    This is something I don't want to do, so maybe it's best to put the ATA in front of the firewall so I can keep the "SPI" on my local network.

    I assume then that disabling WAN side access to the ATA is my only defense for it.


  • Registered Users Posts: 1,184 ✭✭✭causal


    If you're putting the Sipura outside your firewall then certainly disable WAN side access, and note capistrano's earlier point about port forwarding.

    If you prefer to keep the Sipura behind your firewall - then you can leave SPI enabled and see if it stymies the ATA working.

    Another possibility is to have the Sipura behind the firewall, but put it in the DMZ. Maybe that's the worst of both worlds (unsecure and possibly no QoS). But it should allow you to keep SPI enabled, whilst keeping the Sipura LAN side of the firewall (at least as far as the physical connection is concerned, but the DMZ is outside the firewall).

    tbh what's best depends on what configuration (physical wiring, network layout) and requirements (QoS, security) you have.
    Maybe someone here who has a Sipura and knows more than I do about networks, firewalls, QoS can help you further.

    If it wasn't already mentioned then here's a link to the blueface Sipura configuration.

    hth,
    causal


  • Registered Users Posts: 232 ✭✭fisab


    Thanks for all your help - much appreciated.
    Got the SPA working last night with the firewall out of the loop.
    Very impressed with initial tests using blueface.
    I was disappointed that line 1 is locked to broadvoice (restricted access) but line 2 works fine.
    Before I try to put the firewall back into the config, I'm going to do some QOS tests. It's not the right thread but can someone point me to a good QOS discussion?


  • Registered Users Posts: 1,184 ✭✭✭causal


    fisab wrote:
    Thanks for all your help - much appreciated.
    Got the SPA working last night with the firewall out of the loop.
    Very impressed with initial tests using blueface.
    I was disappointed that line 1 is locked to broadvoice (restricted access) but line 2 works fine.

    np, glad to be able to help :)
    It's possible that a firmware update will unlock line 1.
    Others on the forum have updated Sipura firmware so they may be able to shed some more light on this.
    But be certain to take note of all your settings before any update ;)

    fisab wrote:
    Before I try to put the firewall back into the config, I'm going to do some QOS tests. It's not the right thread but can someone point me to a good QOS discussion?

    As if by magic air had the same thought - check this thread Implementing Decent QOS for VOIP.

    While on the subject of VoIP security - embarrassing for Cisco (who own Linksys) :o
    Cisco Systems has said that a central component of its enterprise VoIP (voice over IP) system is vulnerable to several security flaws. The flaws could allow remote attackers to compromise a company's VoIP network, redirect or listen in on calls, according to Cisco and Internet Security Systems, which discovered the flaws. Patching instructions are available on Cisco's website.
    I suppose this is the modern version of phone phreaking, although nowadays crackers are malicious, unlike the good old days of (mostly) harmless hacking :cool:

    causal

