[Freeswitch-users] Your Security Best Practices

stephen at stephenjc stephen at stephenjc.com
Tue Jun 15 13:01:00 PDT 2010


I would also be interested to see some more best practices

On Jun 15, 2010 2:37 PM, "Code Ghar" <codeghar at gmail.com> wrote:

Recently I have seen many attempts to break in to VoIP switches I work with.
So I thought this might be a good time to discuss everyone's security best
practices. If you could relate them to how you implemented them in
FreeSWITCH, it would give us beginners good ideas on how to follow the
principle of "security first". Let me start off the discussion with some
practices we use and have seen in carriers we deal with.

Since we only do carrier-to-carrier stuff, it is easy to restrict the IPs
where we accept traffic from. This is done using either a dedicated firewall
(we use Cisco and pfSense) or host-based (since we use Linux, iptables it
is). We restrict ingress traffic on port 5060 (SIP) to trusted sources only.
Since a lot of carriers are starting to use re-invites and most do not
provide ranges of media IPs they will use, we leave open all UDP ports used
by our servers for RTP, usually between 10,000 and 50,000. In this
situation, how well does FreeSWITCH cope with attacks? For example, if RTP
ports are 10,000 to 20,000, does FS recognize invalid RTP packets and knows
how to deal with them?

Another scenario is user registration of softphones or ATAs, etc. A practice
we use in our lab environment (we will soon be putting servers in
production) is to use lengthy passwords, at least 15 characters, mixing
alpha-numeric characters. We also do not use 4-digit extensions (default in
FS) but use 6-digit. It wasn't started as a security measure but turned out
that many attackers we saw usually try 4-digit extensions. So we are safer
today (maybe not so in the future when attackers wise up). How do you manage
your users, extensions, registrations, etc., from a security aspect?

In the same context, we recently saw a flood of invalid user registration
requests, at close to 60-80 requests per second, for a sustained period of
less than a minute. One proprietary solution we use was unable to handle
this flood of requests and dropped 70% of its call before the attacks
stopped and it was able to recover. Let's say we use top-of-the-line servers
to run FS, maybe two quad-cores with 16GB memory, then should it increase
the ability of FS to deal with such unwanted floods? I assume FS is
configured with default settings. The real question is: does throwing
hardware at the problem solve the issue for FS? And even if it does, is
there anything we can do at the FS level to allow it to handle even more
flooded traffic on its own, without relying on superior hardware?

Then come Man in the Middle attacks. So far I haven't seen a real push in
the industry to mitigate these. One common practice is to use prefixes to
identify traffic from a source. For example, we can use 999912125550000
where 9999 identifies us to the egress gateway and the rest is the number to
call. Of course, since signaling is in plain text someone can analyze this
data and then start using the same prefix to send traffic to our egress
gateway/carrier. They believe the traffic is from us and charge us for the
calls.

A second option is to use SIPS but I haven't seen it being used at all. Of
course, now we are talking about using TCP instead of UDP, bringing its own
advantages and disadvantages.

A third option I am starting to see if the use of IPSec tunnels for
signaling and RTP is exchanged outside of the tunnel. This works well for
carrier-to-carrier traffic but cannot be deployed widely cost-effectively if
you do home user to service provider traffic.

If you have dealt with any one or all of these scenarios, or have come
across others, please share your experiences and solutions with all of us.
Of course, if you can also advise how to implement your security best
practices in FS it would be just wonderful.

_______________________________________________
FreeSWITCH-users mailing list
FreeSWITCH-users at lists.freeswitch.org
http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
http://www.freeswitch.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.freeswitch.org/pipermail/freeswitch-users/attachments/20100615/df6cf172/attachment.html 


More information about the FreeSWITCH-users mailing list