A new way to secure your IP-PBX
Recently introduced by the well-established Canadian telecoms manufacturer Pika Technologies, the Pika µFirewall offers a novel way to make your Asterisk (or any other SIP-based PBX) more secure. The best way to describe it is as a “SIP Firewall”, but unlike conventional network firewalls, installation is very simple and the device does not require its own IP address on the network. So there is no need for DHCP address reservations or static IP assignments. Furthermore, because the device does not have an IP address, it should be virtually impossible for a remote user to gain direct access to its internal software. This means you do not need to worry about the firewall device itself being hacked.
Unpacking and installing
The thing that is most striking when you unpack the box is the appearance and small size of the firewall device. The unit I received in September 2013, which I believe looks different to earlier samples, uses a colourless semi-transparent plastic case to house the circuitry and connector sockets. The device is only 10 cm long, 4 cm wide and 3 cm high, making it only a little larger than the body of the plug-top mains PSU that comes with it.
The only written instructions enclosed with it are on a single sheet of A4 paper, giving the web URL where the “Getting Started” guide can be found and the address and phone number of Pika Technologies Inc. along with the email address for their support department.
It is installed simply by unplugging the existing Ethernet connection to your PBX, connecting that lead into one end of the µFirewall and using another patch lead (not supplied) to connect from the other end of the µFirewall back into the PBX. It does not even matter which end of the µFirewall you connect to the PBX because it will figure it out after the event, although the instructions say to make one outbound call after installation to help the device work out which end is facing the PBX and which is facing the Internet.
It must be powered on before it will pass any data. Power is delivered via a plug-top PSU so you will need a free mains socket reasonably near the equipment. Be careful if purchasing a µFirewall from overseas, because you will want it to be supplied with the clip-on mains pin adaptor appropriate in your country – for example, the photograph above shows my sample had a standard UK 3-pin mains connection. The low voltage output is delivered through a 1.4 m long lead terminated with a standard USB plug. The USB plug is inserted into a USB socket on the µFirewall unit (there is one socket at each end).
There is no shortage of LEDs within the body of the device. A central one shows it has power and two at each end show if the Ethernet connections are active. These lamps glow through the semi-transparent casing and are easily visible, as can be seen in the photograph above and in the main photograph at the top of this article. Additional LEDs tell you if the device is detecting suspicious activity (flashing red) or is actively blocking messages from a remote IP address (continuous red). This is the only way you have of monitoring device activity in real time – there is no web interface or other GUI in the current release.
Logs and configuration parameter setting
It is possible to directly interact with the device using a USB memory stick. This is simply inserted in the free USB socket on one end of the device (the USB socket at the other end will already be in use powering the device). It should detect the memory stick immediately – indicated by slow flashing green LEDs – and then it will write some files to it. Give it plenty of time – say 2 minutes – to write these files because the fast-flashing green LEDs are not a reliable indication of actual read/write activity, as I found by experience. This slightly clumsy mechanism allows you to get information logs off the µFirewall. Included in the logs is a report showing what version of firmware is loaded and the values of the configurable parameters. The logs also include tabular reports giving statistics for recent anti-hacking activity including:
- The number of times a friendly-scanner port scan message was detected and dropped
- The SIP account IDs used to access the IP-PBX
- Remote IP addresses of servers or devices that tried to communicate with your IP-PBX
For the latter two, the table includes data for the number of failed access attempts and shows if the remote address is currently blocked.
The USB memory stick can also be used to upload data onto the device. This is accomplished by copying files to the USB stick before you insert it. The file names are pre-defined and the text content is formatted as parameter-value pairs. The “getting started” guide provides details, but frankly there are only a few configuration options and I suspect most people will not bother to use them. The option to upload a blacklist of undesirable source IP addresses has some potential, but in practice is of limited use.
How does it protect your IP-PBX?
It’s a SIP firewall, so the big question is “Does it protect my PBX from hacking?”. The simple answer is that your PBX will be a lot more secure with a µFirewall in front of it than it would be without one, but nothing can guarantee total invulnerability.
Let’s look at what it does objectively. First, and arguably of greatest importance, it drops the well-known “friendly-scanner” probing messages that are so prevalent on the Internet. This defensive behaviour is important because the friendly-scanner probing messages are like the hackers’ radar. If your PBX completely ignores them then it is like flying under the radar – the hackers have to know there is a potential target there before they start testing it for vulnerable accounts. Under the same heading, Audit Tools, Pika also include protection against probing messages from the scanning tools VoIPER and SiVuS.
A second, and slightly more sophisticated, defence mechanism is included which Pika put under the two headings “user” and “saddr”. I believe this part of the protection to be almost equivalent to stateful packet inspection in a conventional firewall. As I understand it, the µFirewall watches for incoming SIP requests and matches the responses to see if your PBX accepted or rejected the request. The incoming SIP request might be a simple unauthenticated probing one such as OPTIONS (these are often used to test for the presence of a SIP service). Detection and blocking of unexpected requests like these is important, although it is essential to permit the requests when they come from a trusted source. Other SIP requests, requiring authentication, are matched with responses to see if the correct user credentials were supplied. If too many password failures are detected then all further traffic from that source address is blocked for a pre-set period of time. The firewall software uses various internal algorithms to determine if requests coming from each remote source look like legitimate ones. It looks for typical patterns suggesting extension scanning or brute force password guessing and quickly blocks them after a few attempts. Using the configurable parameters it is also possible to restrict requests just to remote devices that have successfully registered.
The stateful inspection mechanism (which goes under the heading “saddr”) effectively updates a dynamically managed blacklist, i.e. a list of remote IP addresses that are not allowed to send any SIP messages to your PBX. In addition to this, you can specify your own list of banned IPs using a USB memory stick and the parameter upload mechanism described earlier. However, the list of banned IPs has to be specified as individual addresses. There is no provision for blocking a range or subnet. I am doubtful that the manual blacklist will be of any use without the option to block a whole range of addresses. In my experience, it is necessary to block all IPs associated with a particular service provider or even a geographic region.
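To make the three mechanisms just described concrete, here is an added example in Python. It is not Pika’s firmware (whose internals are not published in this article) and not code from this article; it models the friendly-scanner drop, the request/response matching that Pika file under “user” and “saddr”, and the dynamic blacklist, and it adds the two things the review asks for: a trusted-source allow list and CIDR ranges in the static blacklist. The thresholds (three rejected credentialed requests, a 600-second block), the abbreviated SIP messages, the documentation-range addresses and the names SipGuard, headers, inbound, outbound and demo are all assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed thresholds for this illustration; the review does not give the device's own values.
FAIL_THRESHOLD = 3                      # rejected credentialed requests before a source is blocked
BLOCK_SECONDS = 600                     # how long a dynamic block lasts
SCANNER_AGENTS = {"friendly-scanner"}   # the probe signature the review names

def headers(msg):
    """Parse a (constructed) SIP message into {lower-cased header: value}; '_start' is the first line."""
    lines = msg.strip().splitlines()
    out = {"_start": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out

def status_code(msg):
    """Status code of a SIP response, or None when the message is a request."""
    start = headers(msg)["_start"]
    return int(start.split()[1]) if start.startswith("SIP/2.0 ") else None

def in_nets(ip, nets):
    return any(ipaddress.ip_address(ip) in net for net in nets)

class SipGuard:
    def __init__(self, trusted=(), static_blacklist=()):
        self.trusted = [ipaddress.ip_network(n) for n in trusted]                    # never counted or blocked
        self.static_blacklist = [ipaddress.ip_network(n) for n in static_blacklist]  # CIDR ranges accepted
        self.failures = defaultdict(int)  # source -> rejected credentialed requests so far
        self.blocked_until = {}           # source -> time the dynamic block expires
        self.pending = {}                 # Call-ID -> (source, request carried credentials?)

    def is_blocked(self, src, now):
        return self.blocked_until.get(src, 0) > now

    def inbound(self, src, msg, now):
        """Decide whether a request arriving from src is forwarded to the PBX."""
        h = headers(msg)
        if in_nets(src, self.trusted):
            return "pass"                 # a trusted peer's keep-alives are never counted
        if in_nets(src, self.static_blacklist):
            return "drop-static"
        if self.is_blocked(src, now):
            return "drop-blocked"
        if h.get("user-agent", "").lower() in SCANNER_AGENTS:
            return "drop-scanner"         # silently ignored, so the probe sees no SIP service at all
        has_creds = "authorization" in h or "proxy-authorization" in h
        self.pending[h.get("call-id")] = (src, has_creds)
        return "pass"

    def outbound(self, msg, now):
        """Match the PBX's response to the request it answers and update the failure count."""
        entry = self.pending.pop(headers(msg).get("call-id"), None)
        if entry is None:
            return None
        src, has_creds = entry
        code = status_code(msg)
        # A 401/407 to a request without credentials is the normal digest challenge, not a failure,
        # and a non-2xx reply to an uncredentialed OPTIONS keep-alive is not one either.
        if has_creds and code in (401, 403, 407):
            self.failures[src] += 1
            if self.failures[src] >= FAIL_THRESHOLD:
                self.blocked_until[src] = now + BLOCK_SECONDS
                self.failures[src] = 0
        elif code is not None and 200 <= code < 300:
            self.failures[src] = 0        # a successful authentication clears the counter
        return self.failures[src]

def request(method, src, user, call_id, creds=False, ua="Asterisk PBX"):
    """Constructed SIP request carrying only the headers the filter looks at."""
    auth = f'Authorization: Digest username="{user}", response="00000000"\n' if creds else ""
    return (f"{method} sip:pbx.example.invalid SIP/2.0\nVia: SIP/2.0/UDP {src}:5060\n"
            f"From: <sip:{user}@pbx.example.invalid>\nCall-ID: {call_id}\nCSeq: 1 {method}\n"
            f"User-Agent: {ua}\n{auth}\n")

def response(code, reason, call_id):
    return f"SIP/2.0 {code} {reason}\nCall-ID: {call_id}\n\n"

def demo():
    """Replay a constructed exchange and return the verdict reached in each scenario."""
    guard = SipGuard(trusted=["192.0.2.0/24"], static_blacklist=["198.51.100.0/24"])
    out = {}
    out["scanner"] = guard.inbound("203.0.113.5", request("OPTIONS", "203.0.113.5", "100", "c1", ua="friendly-scanner"), 0)
    out["static"] = guard.inbound("198.51.100.7", request("REGISTER", "198.51.100.7", "100", "c2"), 1)
    atk = "203.0.113.9"                   # brute force: normal challenge, then three wrong passwords
    guard.inbound(atk, request("REGISTER", atk, "100", "c3"), 10)
    guard.outbound(response(401, "Unauthorized", "c3"), 10)
    for i in range(3):
        guard.inbound(atk, request("REGISTER", atk, "100", f"c4-{i}", creds=True), 11 + i)
        guard.outbound(response(403, "Forbidden", f"c4-{i}"), 11 + i)
    out["bruteforce"] = guard.inbound(atk, request("REGISTER", atk, "100", "c5", creds=True), 20)
    out["expired"] = guard.inbound(atk, request("REGISTER", atk, "100", "c6"), 20 + BLOCK_SECONDS)
    peer = "203.0.113.20"                 # untrusted peer whose keep-alives are answered 404, not 200 OK
    for i in range(5):
        guard.inbound(peer, request("OPTIONS", peer, "peer", f"c7-{i}"), 30 + i)
        guard.outbound(response(404, "Not Found", f"c7-{i}"), 30 + i)
    out["keepalive"] = guard.inbound(peer, request("OPTIONS", peer, "peer", "c8"), 40)
    out["trusted"] = guard.inbound("192.0.2.10", request("OPTIONS", "192.0.2.10", "peer", "c9"), 41)
    return out
```

The design point worth noting is which responses count as a failure: only a 401, 403 or 407 to a request that actually carried an Authorization header. The first 401 in a normal digest exchange is a challenge, not a wrong password, and a keep-alive OPTIONS that the PBX answers with something other than 200 OK never carried credentials at all, so neither accumulates towards a block. The dynamic block expires on its own after the configured period, while the static list and the allow list are checked before anything is counted.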
How good is it?
In my opinion, this device does a good job and provides added protection over and above that normally available in an Asterisk PBX and probably beyond that available in most other makes too. It is arguable that fail2ban could be used to achieve a similar effect to the dynamic blacklist, if correctly configured. The ability to drop friendly-scanner port scanning requests, while not rocket science, is a big plus and something that is sadly missing from the standard release of Asterisk. The simple installation and setup is a big plus too.
On the negative side, there are a number of issues I would point out where it seems to me they could do better. These are:
Potential false positives – might it block a legitimate user?
During testing, I occasionally found it necessary to reset the device or turn it around before it would allow my PBX to connect through it (in fairness, it was usually fine if you didn’t keep moving it).
I found a legitimate peer device became blocked because it was sending keep-alive SIP messages (typically where you have set “qualify=yes” in another Asterisk box). The µFirewall may start blocking all SIP requests from the remote peer if the responses to the keep-alives are not “200 OK”. With some subtle adjustments to the PBX behind the µFirewall, I was able to fix this problem, but it shows that the addition of a white list would be extremely useful. Pika state that a white list will be added in a forthcoming firmware update release. They also informed me they were releasing an update for the firmware at the start of October 2013 which would address various issues including ones connected with over-aggressive blocking.
Call rate limiting
I don’t know for sure, but I suspect the algorithms used in this device to detect hacking activity may not be smart enough to help you if the attacker already knows the password for one of your SIP accounts. I could find no mention of any measurement of call rates (number of calls per minute or number of concurrent calls). So make sure you use strong passwords, don’t leave the web portal on your PBX open, don’t leave it open to any IP handsets, and don’t allow unauthorised access to the PBX configuration files.
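The measurement the review could not find is the one that catches a stolen-password attack, since the attacker authenticates correctly and never trips a failure counter. The following Python is an added illustration of what such a check looks like, not a feature of the µFirewall and not code from this article: it keeps a per-account sliding window of INVITE attempts and a set of calls still in progress, and raises an alert when either the calls-per-minute or the concurrent-call limit is exceeded. The limits, the account numbers, the event stream and the names CallRateMonitor and run_demo are all constructed for the example.

```python
from collections import defaultdict, deque

# Assumed limits for the illustration; real values depend on each account's normal usage.
MAX_CALLS_PER_MINUTE = 5
MAX_CONCURRENT = 3
WINDOW_SECONDS = 60

class CallRateMonitor:
    """Per-account check applied to outbound INVITEs: a stolen password is only as useful as
    the number of calls it can place before someone notices."""

    def __init__(self, per_minute=MAX_CALLS_PER_MINUTE, concurrent=MAX_CONCURRENT):
        self.per_minute = per_minute
        self.concurrent = concurrent
        self.recent = defaultdict(deque)  # account -> INVITE timestamps inside the window
        self.active = defaultdict(set)    # account -> Call-IDs of calls still in progress
        self.alerts = []                  # (time, account, reason)

    def invite(self, now, account, call_id):
        """Record a new outbound call attempt and return 'allow' or the reason it tripped a limit."""
        window = self.recent[account]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()              # forget attempts older than the window
        window.append(now)                # every attempt counts, allowed or not
        if len(window) > self.per_minute:
            reason = "rate-exceeded"
        elif len(self.active[account]) >= self.concurrent:
            reason = "concurrency-exceeded"
        else:
            self.active[account].add(call_id)
            return "allow"
        self.alerts.append((now, account, reason))
        return reason

    def bye(self, account, call_id):
        """A BYE from either side frees one concurrent-call slot."""
        self.active[account].discard(call_id)

# Constructed event stream in CDR order: (time, account, Call-ID, event).
# 201 is normal use; 205 is a compromised account dialling out every few seconds;
# 210 opens calls without ever hanging up.
EVENTS = (
    [(0, "201", "a1", "INVITE"), (90, "201", "a1", "BYE"), (200, "201", "a2", "INVITE")]
    + [(6 * i, "205", f"b{i}", "INVITE") for i in range(8)]
    + [(6 * i + 5, "205", f"b{i}", "BYE") for i in range(8)]
    + [(100 + i, "210", f"c{i}", "INVITE") for i in range(4)]
)

def run_demo(events=EVENTS):
    """Feed the events through the monitor in time order; return verdicts per account and the alerts."""
    mon = CallRateMonitor()
    verdicts = defaultdict(list)
    for t, account, call_id, event in sorted(events, key=lambda e: e[0]):
        if event == "INVITE":
            verdicts[account].append(mon.invite(t, account, call_id))
        else:
            mon.bye(account, call_id)
    return dict(verdicts), mon.alerts
```

In a live deployment the event stream would come from the PBX’s own call records or SIP signalling rather than a list, and the sensible response to an alert is to suspend the one account rather than to block a source address, because a legitimately registered handset and a fraudster using the same stolen credentials can look identical at the network layer.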
The need for power
The device requires an external power source and stops passing all IP packets if the power fails. Why doesn’t it work with PoE?
I only tested it with UDP on port 5060. Pika tell me it will work ok if your IP-PBX is using a non-standard UDP port. However, it does not currently support SIP over TCP.
The reports that can be uploaded to a USB memory stick are quite limited and not at all easy to use. Some of the information is obscure and not explained properly. The statistics are presented in tables, but with no indication of what period of time they relate to. Furthermore, the device does not detect the proper time and date so it always shows the date as Jan 1st 1970 which is very unhelpful.
At about £200 plus VAT and delivery, the device appears to be expensive for its size. Arguments about value for money are therefore based on the potential cost of your PBX being hacked. Not only do you run the risk of massive call charges being racked up (£3000 in 10 hours is not unheard of), but you must also factor in the inconvenience and disruption of fixing the security once you realise your PBX has been hit.
The µFirewall represents a new approach to an old problem and, in my opinion, deserves a high score for innovation and imagination. Provided it does not create problems through false positives, you are almost certainly better off installing one than leaving your IP-PBX open to the Internet. It will not prevent all possible fraudulent activity on your PBX, but I am confident it will increase your security level considerably and greatly reduce the chances of a successful attack.
Where can I buy one?
Smartvox is an authorised reseller and would be happy to supply the Pika µFirewall, although we don’t have a web-based eCommerce system yet. Please call me, John, for details on 01727-221221. You can see from this and other articles in the Smartvox Knowledgebase that our knowledge and experience is considerable in matters of VoIP security and toll fraud prevention strategies.
There are also a couple of online VoIP traders in the UK who are selling it and can be found with a simple Google search.