Tarek Sawah
2010-Jun-28 23:58 UTC
[asterisk-users] restricting sip users to a certain useragent
Greetings list,

This question is rather a pain in my side. I have been trying to figure it out; it could be simple.

I have a customer with a call center. We developed a CRM ("Customer Relations Management") with an SIP dialer built in.

The question is the following: is it possible to force the agents (users) to use a certain UserAgent, which is the one built into our system? This way we will be restricting the agents to only be able to dial through the software, which is already restricted to their seats in the call center. But someone might sniff around, get the SIP username and password assigned to him, and use it through Zoiper or any other softphone to make calls. Our agents are allowed international calls, so we want to restrict them to only use our dialer.

Is that possible?

Asterisk version 1.4.33

regards

--
Tarek Sawah
Integrated Digital Systems
CCNA, MCSE, RHCE, VoIP
USA: +1 386 492 9993
Zeeshan Zakaria
2010-Jun-29 01:14 UTC
[asterisk-users] restricting sip users to a certain useragent
This is a very good question. I faced the same problem some time ago, and by googling found out that somebody had actually programmed a patch for this purpose, but it never got approved to go into the main branch of Asterisk. If you google, you'll probably find details on it.

I, however, found a very simple way to do it, which is not perfectly secure because it is crackable by any hi-tech cracker who could send modified SIP headers, but otherwise it does its job great. Here is how you can do it (I use Asterisk 1.4):

First check the user agent name using "sip show peers". Let's say the SIP user agent is "Sipura/SPA1001-3.1.8(SEc)".

When a SIP phone registers on your Asterisk server, Asterisk stores its user agent information in the variable ${SIPUSERAGENT}. This means when an extension dials out, you can check in the dialplan whether ${SIPUSERAGENT} matches your user agent or not, and based on the result you can decide how to proceed with the call.

I use AEL, and it'll look like this:

    // Check if the user agent is the one we supplied
    if ("${SIPUSERAGENT}"!="Sipura/SPA1001-3.1.8(SEc)") {
        // If not, hang up the call or do something else.
        // I block the IP in iptables and record the IP in MySQL for future reference.
        NoCDR();
        Hangup();
    }
    // Otherwise continue the dialplan

In regular non-AEL config, which is harder to work with, it will look something like this:

    exten => _NXXNXXXXXX,1,...
    exten => _NXXNXXXXXX,n,...
    ...
    ...
    ...
    exten => _NXXNXXXXXX,n,GotoIf($["${SIPUSERAGENT}"!="Sipura/SPA1001-3.1.8(SEc)"]?hangup:continue)
    exten => _NXXNXXXXXX,n(hangup),NoCDR()
    exten => _NXXNXXXXXX,n,Hangup()
    exten => _NXXNXXXXXX,n(continue),...
    exten => _NXXNXXXXXX,n,...

As I said earlier, if an experienced cracker really wants to, and knows what SIP user agent name you are using, he can figure out that you are checking the SIP user agent name, and then send a custom SIP user agent name with the same name. But in your case the probability of that is very low.
In fact I was using a webphone with free calls to anywhere in North America and some other countries right from my website, and wouldn't really care if crackers would crack it or not, because call duration was only one minute, but this setup really helped block a lot of crackers, because before they would know I was checking extensions by user agent name, their IP address would already be blocked.

--
Zeeshan
A J Stiles
2010-Jun-29 07:45 UTC
[asterisk-users] restricting sip users to a certain useragent
On Tuesday 29 Jun 2010, Tarek Sawah wrote:
> ..... is it possible to
> force the agents (users) to use a certain UserAgent which is the one
> built-in our system? this way will prevent the agents we are restricting
> them to only be able to dial through the software which is already
> restricted to their seats in the call center.. but someone might sniff
> around .. and get the sip username and password assigned to him and use it
> through Zoiper or any other softphone to make calls .....

If someone is *that* determined, what will stop them from modifying the user-agent string in some Open Source softphone?

--
AJS
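
An added example, not code from any poster in this thread or from Asterisk: an offline audit of SIP requests that applies the User-Agent comparison described in the thread and pairs it with a source-network check, because the header is whatever the client chooses to send. The seat subnet, host name, account names and sample messages are constructed assumptions; only the User-Agent string is taken from the thread.

```python
import ipaddress

# ALLOWED_UA is the string quoted in the thread. SEAT_NET is a constructed
# documentation subnet standing in for the call-center seats (assumption).
ALLOWED_UA = "Sipura/SPA1001-3.1.8(SEc)"
SEAT_NET = ipaddress.ip_network("192.0.2.0/24")

def parse_sip(raw):
    """Return (method, headers); header names lower-cased, first value wins."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers, last = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:   # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if sep:
            last = name.strip().lower()
            headers.setdefault(last, value.strip())
    return lines[0].split(" ", 1)[0], headers

def audit(raw, src_ip):
    """Classify one request as 'ua-mismatch', 'off-seat' or 'ok'."""
    _, h = parse_sip(raw)
    if h.get("user-agent") != ALLOWED_UA:
        return "ua-mismatch"
    if ipaddress.ip_address(src_ip) not in SEAT_NET:
        return "off-seat"   # header matches, but not sent from a seat
    return "ok"

def make_request(user, ua):
    # Constructed sample REGISTER, not captured traffic.
    return (f"REGISTER sip:pbx.example.com SIP/2.0\r\n"
            f"From: <sip:{user}@pbx.example.com>;tag=1\r\n"
            f"To: <sip:{user}@pbx.example.com>\r\n"
            f"CSeq: 1 REGISTER\r\n"
            f"User-Agent: {ua}\r\n"
            f"Content-Length: 0\r\n\r\n")

SAMPLES = [
    (make_request("agent101", ALLOWED_UA), "192.0.2.15"),
    (make_request("agent102", "Zoiper"), "192.0.2.16"),
    (make_request("agent103", ALLOWED_UA), "198.51.100.7"),
]

def run():
    return [audit(raw, ip) for raw, ip in SAMPLES]
```

The third sample carries the approved header yet is flagged, which is the case a User-Agent comparison on its own cannot distinguish.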