[VOIPSEC] IPS to protect against VOIP Attacks?

Juan B juanbabi at yahoo.com
Wed Jan 6 09:32:56 CST 2010 

man thanks for your answer.. im sure you are right. the issue is that this client is really stupid, they dont have time to invest in VOIP security so they want an IPS which they can configure and not have too much work with it.. I now its bad practice but I only need to present a one week consulting of voip security and part of it is to install an ips, you now of a normal commercial one?

btw, maybe you can answer me this question which I send to the list, It didnt got posted:
Cisco call manager encrypting signaling and voice

am doing a voip security consulting for a big client of mine.

I want to recomend to implement call encryption. the client has 6 cisco call manager version 6.1.3.1000-16 it is an appliance. according to a menual im reading call encryption can be done only if call manager is installed on windows 2000/2003 is it true?? i found a menual named secoview.pdf in the internet.

thanks again!

juan


--- On Wed, 1/6/10, J. Oquendo <sil at infiltrated.net> wrote:

> From: J. Oquendo <sil at infiltrated.net>
> Subject: Re: [VOIPSEC] IPS to protect against VOIP Attacks?
> To: "Juan B" <juanbabi at yahoo.com>
> Cc: voipsec at voipsa.org
> Date: Wednesday, January 6, 2010, 10:15 AM
> Juan B wrote:
> > H All !!
> >
> > I was wondering which is the best (or at least-good)
> IPS
> >  against VOIP attacks coming from the internet to
> the client network. he has an Asterisk
> >  in the DMZ and cisco call manager in the lan. I
> want to protect the voip
> >  components with an IPS against known attacks and
> DOS-DDOS attacks as well.
> >
> > thanks a lot !
> >
> > juan
> >
> >
> >       
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >   
> 
> The one you build on your own. Seriously. To date I have
> yet to see any
> vendor guard successfully against say toll fraud attacks
> and I will
> explain why...
> 
> In an IP based PBX, there is almost ALWAYS going to be
> remote (not local
> on the same network) connectivity. Because of this, ports
> must remain
> opened. While you can fool yourself into thinking that you
> will
> configure a nice set of firewall rules or alert rules, what
> will you do
> if say the CEO takes a trip to China, didn't configure his
> softphone and
> is now generating "unauthorized *something*" messages.
> Block him out? If
> you firewalled the PBX entirely, you'll have one irrate CEO
> ready to
> kick that PBX to kingdom come (trust me I've seen it).
> 
> So what do you do? Tell the CEO: "When you get to China, go
> to
> whatismyip.com, get your address so we can allow you in!"
> Won't work. In
> an IPS, it gets even murkier. So you configure your IPS to
> do what...
> Alert you right, but alert you to what? Bad registrations?
> INVITES gone
> wild. OPTIONS gone bonkers? I'm assuming you're not
> familiar with SIP
> messages (not that SIP is the only game in town). SIP
> messages can give
> a host of informative yet at times incoherent messages.
> Same goes for
> most messages logs on PBX's: e.g. Asterisk: Jan 06 09:14:51
> DEBUG[4944]
> chan_zap.c: Monitor doohicky got event Event 160 on channel
> 3
> 
> So how do you propose an IPS to be intelligent. Your best
> bet is to
> literally understand your messaging, your threats and go
> from there. I
> rambled on about this before (as I always do - ramble) and
> created a
> crude framework anyone can follow under any PBX (your
> mileage may vary):
> http://www.infiltrated.net/asterisk-ips.html
> 
> It's not as difficult as one might think:
> 
> VoIP Call Statistics
> --------------------
> Total Active Calls . . . . . . . . . . . . . . . . . 1374
> 
> ... edited boring stuff
> 
> Calls Processed. . . . . . . . . . . . . . . . . 4754903
> Completed Calls           
>                
>       4157345
> 
> ... done editing boring stuff (nCite for those wondering:
> show stats
> voip to be more concise)
> 
> I parse out logs to one server, do some fuzzy insane
> perl|ruby|awk (awk
> is your friend) voodoo, get offenders, create rules and
> push those rules
> back out to my managed PBX's. All within seconds. Its not
> that hard, you
> have to know what you're looking for though. Take note...
> Working at a
> VoIP carrier, even we have issues with marketing and choose
> to stay away
> from hype and "CRAP Cross Reverse Anomaly Processing"
> devices and
> applications.
> 
> When it comes to DDoS, the answer (drum roll) is: "In
> Soviet Russian
> DDoS..." kidding ;) There is little to get into on
> protection from DDoS,
> ultimately, your upstreams can help you here. However, if
> you want to
> continue with this conversation, I can custom write you an
> all inclusive
> IPS, IDS, TollFraud Mitigation System using "Intelligent
> Heuristic Cross
> Compatible Anomalous Processing Processing" for a fee.
> Otherwise, you're
> just wasting money. Strong passwords, vigilant monitoring,
> is all you
> should need. Maybe (just maybe) a finely tuned SIEM (OSSIM)
> with some
> nifty scripts will save you some serious ching.
> 
> By the way Happy New Year all.
> 
> -- 
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP
> 
> "It takes 20 years to build a reputation and five minutes
> to
> ruin it. If you think about that, you'll do things
> differently." - Warren Buffett
> 
> 227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
> 
>

More information about the Voipsec mailing list