Is there a way.. Dual Authentication?

I know that in a typical endpoint scenario one can use IP authorizations or Username and Password (dynamic) Authorizations.

I also know that one can use allow/deny to block or allow IP address ranges (which can be complex)

Here is a scenario…

Location A has 5 VoIP phones

Location B has 5 Voip Phones

Asterisk accessible over the internet (spare me the security lecture as that is precisely why I am writing this)

Location A has hypathetical Dynamic DNS of a.dyndns.com

Location B has Hypathetical Dynamic DNS of b.dyndns.com

I can register the phones normally to asterisk, however this is not very secure in the day and age of sip password brute forcing. (even when taking the available measures)

Now if I go to an extension registered at Location A and I change it from Dynamic to IP auth. I have just authorized ALL of the phones there and asterisk no longer expects nor responds to registration attempts. It is a pure IP auth (I may as well disable all other extensions at location A as the one IP auth is now valid for all of them (but more complex inbound calls specified only by port.)

Half a step further lets say we could use a dynamic hostname (it appears we can not presently) in said auth and have the same result as the IP auth.

Now another half step further if we could use an IP auth or Dynamic hostname auth AND a registration, we could keep all phones registered to receive calls separately. This would give us an additional layer of security, as asterisk would allow a registration ONLY from the IP that corresponds to a.dyndns.com

It seems silly that this is a “staring me in the face” kind of solution and far easier than allow/deny when factoring in ISPs various IP ranges.

To look at this another way …

Allow an IP auth AND a registration (dual auth) for an extension.

Step two would be to expand the IP auth to include dynamic hostname support

I must ask why is there no such “Dual Authentication”?
Is it already possible?

Mark

Brute forcing a properly chosen SIP password is not something that a normal attacker would consider, and fail2ban can fend off anyone who is really intent on this. In fact, best practice on device names wouldn’t even allow a normal attacker to get the device name in an acceptable amount of time.

Registration is not a security measure; it is a method of learning the dynamic IP address. Once you have registered, you are identified by IP address, but, unless you use remotesecret, or insecure=invite, the password will still be checked.

SIP generally requires stable IP addresses, so dynamic ones are not a good idea. IP addresses should not change from first registration to when the phone is shut down.

You can use OS or higher level firewalls to limit access to semi-trusted networks.

I respectfully disagree.

Registration user/password is the PRIMARY method of security used for most endpoints, and allow/deny (whether in firewall or extension) is a luxury that is complicated by an ISPs IP address ranges . Firewalls present the same issues so when I refer to allow/deny not only does this apply to a SIP user but the same complexities arise with the use of a firewall. Neither of these is friendly to dynamic IP addresses on large ISPs and in that case forget using your android SIP client at Starbucks.

SIP does NOT require “stable” IP addresses as evidenced by dynamic IPs that change frequently and are tracked through the process of registration. I do not believe however that a dynamic hostname lookup after an IP change would be as fast as an update from a registration, thus a “probation period” from the time a New IP is registered to the time that the dynamic DNS gets updated might be in order.

As an example I have a simple linux/asterisk box that runs as a basic “gateway” to PSTN with FXO and Chan_dongle . this “gateway” box is on a dynamic IP . This basic “gateway” connects to my “real” asterisk server over the internet. I configure my “real” server for the gateway as if it were a trunk with fixed IP but instead of IP address I use the dynamic hostname, so neither box registers to the other and it works just fine for months now. My IP changes about every 2 days it seems, and usually at around 12 midnight. My calls go to and from the PSTN and cell networks without issue.

So what if I could put a dynamic DNS client on my android phone that also has a SIP client that registers to my asterisk box and my asterisk box is aware of the dynamic hostname of my android phone . This would entirely negate the need for allow/deny and firewall rules as the combination of registration and dynamic hostname would represent the most secure “dual auth” method available. Effectively you could make allow/deny automatic based on dynamic hostname. Any dynamic DNS is everywhere today, why not use it?

Now if I do the same for one of the three homes I go to on a regular basis, problem solved as each router at each home has a dynamic hostname already . those brute force password attempts would completely STOP.

So my point being if I can have the security of dynamic hostname auth without negating the user password it would make asterisk MUCH more secure than either of these alone.

Of course if we keep thinking the “old ways” the hackers will always be one step ahead, but I truly believe this kind of “dual auth” would be nearly impenetrable unless of course someone hijacked the dynamic hostname . Now if your goal is to make more work for yourself in the future, keep defending the traditional methods and ignore other possibilities. I also believe it or something like it will become the norm. But if we keep thinking like Fred Flintstone , George Jetson will have us hacked in no time.

And if you do not believe that brute force passwords is being done just leave an open extension on your asterisk box for a month. It is possible to download an ISO, whose name slips my mind (said to be for security testing) that can crack a SIP password in most cases in a day. I know I did it, and have also had extensions hacked.

Mark

Not registration. It is the re-use of the password on every invite that provides the security, and you do not need to register for that. However, once you have registered, as long as you don’t make the common mistake of using type=friend or type=user, the IP is constrained to be the one used at registration time.

If you use type=friend, or type=user, the registration is only used to deal with outgoing calls.

I believe most attacks are done with INVITE, rather than REGISTER, and are therefore relying on behaviour equivalent to using type=friend on Asterisk, when you should be using type=peer. From the attackers point of view, an INVITE attack has the advantage that it does not disrupt the registration of the legitimate user, so is less likely to be noticed when it is happening.

As to dynamic addresses, SIP is well know to have problems with NAT (there have been various bolt ons for this) and registration is intended to deal with mobile devices that call in from different addresses, not for devices that suffer vicarious changes in IP address whilst in use.

Mr David55 (Flintstone)

Well yes it is the password part of the registration process that implies security. I do not need to be specific in that nor defend my statement as you seem to want me to do by nit-picking my reply.

As for things like mobile devices on dynamic addresses I am not referring to a “bolt on”: solution rather a solution that seemingly could be integrated to asterisk. There is a huge difference. In fact it seems that asterisk is 70% there already. We only need the incorporation of dynamic hostname support where we now do a host= and to make that not preclude the ability to still register

My intention of this post was NOT to have someone TELL me what is better, why I am bent or how I should do it, it is to explore other options. The solution I am suggesting seems far more logical to me and clearly you and I think differently. It is this difference in how people think that innovations are created so please refrain from trying to persuade me to do things YOUR way. If we all thought alike or fell to the traditional ways of doing things there would be little progress or improvement.

As the title asks…"…Is there a way…" , not persuade me otherwise.