SIP Security question

Good Afternoon forum; I was wondering what is the best approach to secure remote SIP users. I have set up an Asterisk PBX at home, but I will have 5 people working from outside, and they have to be connected to my server. I have read that the SIP protocol could be hijacked and hackers could listen to the conversations happening over the internet. Could anyone please tell me, if I have remote users, what would be the best and cost-efficient way to secure SIP calls? Any help will be greatly appreciated.

Thank you.
M.M

This was recently discussed here: http://forums.digium.com/viewtopic.php?f=1&t=75156&p=148332&hilit=sip+security

Batrams, thanks for the link… how about RTP streams being hijacked? I have read that Cain and Abel does this pretty easily; it collects RTP packets and you can hear a conversation. How do you avoid that? Also, if you buy SIP trunks from a VOIP provider, does this mean all your traffic from your PBX to the VOIP provider can be hijacked as well? I’m confused! :confused:

Thank you
Mamut

I would recommend implementing a VPN on a firewall and only accepting outside users that connect via the VPN connection.
So both SIP and RTP traffic get inside a “secured” tunnel.

Jacknight; OK; let's say I have a secure VPN between the PBX and remote users. What happens if you place an outgoing call using your VOIP SIP provider, would that be considered secure? Is there a way to sniff that traffic from your PBX - internet - VOIP provider? Thanks for your help.

When an IP packet runs over the Internet you can consider it as if anybody could read what is inside.
That’s the reason I would prefer a VPN connection.
Now for the case with a SIP trunk to a SIP provider. Well, one way to hear your conversation or exploit SIP information is to use the “Man in the middle” (MITM) exploit.

There are several possible weak points where a pirate could perform this.
For example, if you don’t take care of deactivating the ICMP Redirect parameter on your server (or your network’s routers), the SIP/RTP traffic could be hijacked to go through/via a local/distant compromised machine (laptop or PC) where the pirate can get his hands on your SIP session.
By default this parameter is deactivated on Debian. I suppose it's the same with Red Hat. So that’s a good point. But a double check is better.
Have a look at your /etc/sysctl.conf file, or check your current parameter with cat /proc/sys/net/ipv4/conf/all/accept_redirects and cat /proc/sys/net/ipv4/conf/all/secure_redirects
(0 = inactive; 1 = active)

Using FQDNs (Fully Qualified Domain Names) in your SIP.CONF file instead of IP addresses is a weak point as well. If a pirate can perform a MITM on one of your DNS requests or corrupt your DNS tables, then he can get his hands on your SIP session.

I don’t know much about all the possibilities, but security is really a world apart, so you’d better rely on a good manufactured firewall (I wouldn’t recommend Cis** as those ones are really not user friendly) and look for some hacker advice about SIP (btw, a hacker is not a pirate).

My few cents on this, hope this helps.
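As an added example (not code from the thread or from any of its posters), here is a small POSIX shell audit for the ICMP-redirect parameters discussed above. It reads the "key = value" lines that `sysctl -a` prints, so it can be run against the live host or a saved copy of that output, and it also prints the lines to put in /etc/sysctl.conf to disable redirects. The send_redirects and IPv6 keys are an addition beyond the two keys named in the post; the sample input in the comments is constructed.

```shell
#!/bin/sh
# Audit ICMP-redirect sysctls. Hardened value is 0 for every key checked:
#   accept_redirects  - host honours ICMP redirects (route hijack risk)
#   secure_redirects  - only honour redirects from listed gateways (moot if accept=0)
#   send_redirects    - host emits redirects itself (a PBX is not a router)

# classify_redirect KEY VALUE -> prints a verdict; returns 0 if hardened, 1 if weak.
classify_redirect() {
    case "$2" in
        0) printf '%s = %s  ok\n' "$1" "$2"; return 0 ;;
        1) printf '%s = %s  WEAK (should be 0)\n' "$1" "$2"; return 1 ;;
        *) printf '%s = %s  unexpected value\n' "$1" "$2"; return 1 ;;
    esac
}

# audit_sysctl_lines -> reads "key = value" lines (sysctl -a format) on stdin,
# checks every redirect-related key (all/default/per-interface tables),
# prints one verdict per key and "weak keys: N" as the last line.
audit_sysctl_lines() {
    weak=0
    while read -r key eq value; do
        [ "$eq" = "=" ] || continue          # skip anything not shaped "key = value"
        case "$key" in
            net.ipv4.conf.*.accept_redirects|net.ipv4.conf.*.secure_redirects|\
            net.ipv4.conf.*.send_redirects|net.ipv6.conf.*.accept_redirects)
                classify_redirect "$key" "$value" || weak=$((weak + 1)) ;;
        esac
    done
    printf 'weak keys: %d\n' "$weak"
}

# weak_key_count -> same audit on stdin, but prints only the number (for scripts).
weak_key_count() {
    audit_sysctl_lines | tail -n 1 | sed 's/weak keys: //'
}

# print_sysctl_fix -> lines for /etc/sysctl.conf; apply with: sysctl -p
print_sysctl_fix() {
    for k in net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects \
             net.ipv4.conf.all.secure_redirects net.ipv4.conf.default.secure_redirects \
             net.ipv4.conf.all.send_redirects   net.ipv4.conf.default.send_redirects \
             net.ipv6.conf.all.accept_redirects net.ipv6.conf.default.accept_redirects; do
        printf '%s = 0\n' "$k"
    done
}

# Live check on this host (some keys are root-only, hence 2>/dev/null):
#   sysctl -a 2>/dev/null | audit_sysctl_lines
# Constructed sample: "net.ipv4.conf.all.accept_redirects = 1" -> reported as WEAK.
```

Setting the keys with `sysctl -w` takes effect immediately, but only the /etc/sysctl.conf entries survive a reboot, so do both.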

Thank you again for your reply; I checked both rules you mentioned above:
cat /proc/sys/net/ipv4/conf/all/accept_redirects and
cat /proc/sys/net/ipv4/conf/all/secure_redirects
They both have “1”, so I guess I should disable this feature.

“Using FQDNs (Fully Qualified Domain Names) in your SIP.CONF file instead of IP addresses is a weak point as well. If a pirate can perform a MITM on one of your DNS requests or corrupt your DNS tables, then he can get his hands on your SIP session.”

In this part, are you referring to the domain name I use when I configure the SIP phones? I do not have a static IP, so I’m using DynDNS to route to my PBX. Can this attack be done only if someone has access to my local network, or can DNS be corrupted from the outside?
Thanks again for all your help and for sharing your knowledge with me.

Mamut