On Thu, March 26, 2015 22:29, Michelle Dupuis wrote:
> You have to consider whether you really want "anonymous" calls, or you
> just want to enable SIP calls from trusted companies/partners. The
> latter means setting up routes to these companies and (ideally)
> registration between peers.
>

This is what I am trying to get a handle on. It seemed to me that the promise of VOIP was essentially that one could use the Internet as a replacement for the PSTN directly, providing that one's callers/callees were also directly connected via VOIP. SIP providers I had considered a necessary transition to act as gateways between PSTN dialing and VOIP until VOIP replaced PSTN virtually entirely, if not completely.

That is why we are on Asterisk. We had to replace our old keyed system and the thought was that we might as well get ready for VOIP even if we planned to stay on PSTN for the foreseeable future.

However, the overwhelming evidence I find is that one simply does not employ VOIP in the same way that PSTN works. Actually, I have put that backwards. What I have discovered is that the most commonly recommended method is to switch from a Telco to a SIP provider and continue in a manner similar to the former set-up. External calls all have to travel through a third party provider.

One does not accept incoming VOIP calls from just everyone, apparently. One only accepts VOIP calls from known correspondents. I am not clear why this is so other than vague warnings respecting (admittedly real and serious) security issues.

Even limiting VOIP to known correspondents one is ultimately trusting that they themselves are secured sufficiently to prevent unauthorised access to your systems through theirs. And that seems a bit of a stretch by way of rationalisation to me.

Also, I do not understand why the same issues do not exist for incoming calls via PSTN.

I somewhat understand the process of getting devices to register and authenticate to obtain access to our outgoing routes. What is it about incoming SIP calls destined to our internal users that makes those calls so dangerous? Why can incoming anonymous SIP calls not be treated exactly as incoming PSTN calls (other than that PSTN calls have to go through DAHDI to turn them into digital VOIP calls)? What is it that prevents them from being blocked from gatewaying through to our PSTN lines?

Please forgive my abysmal ignorance on this matter. Perhaps I have been down in the weeds too long getting our internal FreePBX system working to see what is obvious to others. I have been going through the Astricon videos on security and have, or already had, implemented most of the suggestions: outbound LD secured by PINs and allowed only during work hours; iptables rules and fail2ban checks; separation of voice and data network segments and addresses; private IPs for VOIP desk-sets and internal provisioning; and so forth.

However, I still have the sense that I am just not getting it. What am I missing?

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
To answer your first question, what you refer to as the PSTN is also quite dangerous. There is a lot of fraud going on over analog lines - usually hackers try to find an outside line by calling in to a PBX and trying lots of digits, or, in some cases, fooling a naive user into forwarding them to an outside line (claiming to be Bell), etc. As for VoIP, even a beginner can try 100000 PBXs with 100000 dialout codes in a matter of hours. So because it's easier it becomes more popular. (There was an article in the Globe and Mail a few years ago about this - one Toronto company lost a lot of money because someone called in saying it was Bell Canada and their receptionist forwarded the technician to a "diagnostic number"... which was 9XXXXX and, surprise, they got an outside line). Since you're in Hamilton I figure this might ring a bell... :)

A lot of the value from what you refer to as the PSTN is really just a bridging point, and a massive directory (i.e. phone numbers). But their role is changing and someday they may be little more than the equivalent of root DNS servers. But for now they are still the major interconnect for ITSPs to legacy/TDM customers.

As for security and using fail2ban, I hope you read this: http://forums.asterisk.org/viewtopic.php?p=159984 Fail2ban is not really security... but it's certainly better than nothing.

What you might be missing is that VoIP is the wild west of fraud. It's easy, and there are lots of holes in SIP, Asterisk, FreePBX, etc! Do a search on FreePBX security flaws and you'll find that hackers discovered a massive hole last summer exposing systems to toll fraud. This is big business for hackers and a single breach can earn them $10,000 to $100,000 (or more) - not bad for 1 day of work, and you the SIP customer are on the hook for that bill. Major ITSPs are not likely to forgive your bill just because you got hacked. It's your responsibility to secure your system. And if you haven't you might get a whopper of a bill.

There are working groups, industry groups, etc. dedicated to VoIP security. They exist for a reason - this is a HUGE problem. It's easy to get overconfident and a misstep in security can cost you your job and your company a small fortune.

________________________________________
From: James B. Byrne <byrnejb at harte-lyne.ca>
Sent: Friday, March 27, 2015 4:03 PM
To: Michelle Dupuis
Cc: Asterisk Users List; byrnejb at harte-lyne.ca
Subject: RE: [asterisk-users] Anonymous SIP calls
James,

I'm a systems and telecom professional with experience going back more than thirty years, to the days of teletype, current loop, POTS (2600 Hz signalling, anyone?) and echo cancellation via analog level control and hybrid balance.

You read the intent of the VOIP/SIP design correctly. The intent WAS to make making connections between endpoints as easy as using a browser. Unfortunately, setting up ALL of the infrastructure, not JUST the registration/switching points (Asterisk/Kamailio/Freeswitch), can be quite daunting... In general, simple DNS is beyond most and the necessary specialized (and they aren't That SPECIAL) SRV records make most systems admins run for the hills these days.

When we see a statement regarding consideration of allowing anonymous calls, we are seeing someone who is (rightly) concerned about fraudulent use of an expensive resource... PSTN interconnect. In the intended vision, that would be a "don't care" scenario, because the PSTN interconnect wouldn't exist, but it does and it's billed by its use, making it expensive.

In theory, E.164 would have taken us closer to that ideal. Asterisk has hooks and connections to use it and its own, competing directory mechanism, DUNDi. Let's make special note of a word I used in that last sentence... Competing. Is DUNDi better? I don't know and I'm fairly certain I just touched off a debate on the topic. But I do know that when things start competing/contending, people do a few things:

1.) They take sides and fragment things
2.) They sit on the sidelines and wait for things to settle out

In my experience, this has a tendency to bring things to a halt.

Add to this, most of this tech is really, really only useful to businesses. I give my skills to people who need it (family, friends, my old gray-haired mother-in-law). Businesses are in the business of making money and if they want the use of my skills, they get to pay me. No one I know will perform this type of thing for free for a business and we all compete for the limited pool of resource that business is willing to offer. What I have to offer is the "tricks of the trade" I've garnered over a lifetime career. There was a time when systems admins freely swapped these tips, tricks and techniques (for the best example see the old Novell Users FAQ). As I mentioned before, we who know how to install and maintain VOIP systems are now competing and the dollars come hard, so there seems (at least in the arena of VOIP) less willingness to do this. Oddly, VOIP seems to be more cut-throat than any other sector of IT.

Just my experience and I'm sticking to it... and wishing it weren't so and that unicorns really existed.
On 27/3/15 8:03 pm, James B. Byrne wrote:
> One only accepts VOIP calls from known correspondents. I
> am not clear why this is so other than vague warnings respecting
> (admittedly real and serious) security issues.

Because on the whole most people don't *want* to receive calls from random strangers :-)

> What is it
> about incoming SIP calls destined to our internal users that make
> those calls so dangerous? Why cannot incoming anonymous SIP calls not
> be treated exactly as incoming PSTN calls

Others have already written far more eloquently than I about the security implications, but I think there are other factors at play here.

One of the principal benefits E.164 brought to the table was the ability to 'bypass' the telco (and their call charges) and route the call direct to the desired endpoint over our respective internet connections. But the cost of making calls via the PSTN has reduced to a point where the cost of the call is no longer a significant factor in whether to place the call. Think back even a few years: the cost of calling another country could easily rise above 1 (GBP/USD/whatever) per minute. Now, with the exception of a few far-flung locations, there are very few destinations to which calls are even a fifth of that cost.

Calls that come via the PSTN are subject to some sort of regulation. Bona fide marketing companies are obliged to screen their calls through the TPS (in the UK - I presume there's a similar 'do not call' screening process in other countries). It's not perfect (international marketers aren't effectively covered, for example), but it is marginally better than a total free-for-all.

As for solutions, I think that for direct SIP-to-SIP calling to gain the traction originally promised, we need to get to the same level of incoming call control as we have with spam filtering on email. So there will need to be organisations running distributed RBLs similar to (for example) Spamhaus which SIP servers can query in real time to check not just for hack attempts, but also those SIP servers from which unsolicited marketing calls have originated, etc.

In summary:

1) PSTN calls are now /cheap enough/ that the financial benefits of direct SIP-to-SIP calls for most users are negligible.
2) When the cost of calls falls to (effectively) zero, the principal beneficiaries are fraudsters and telemarketers, and most people would rather not deal with either group.
3) Lack of effective protection - both technical and regulatory - against SIP-to-SIP misuse (not just fraud, but unsolicited callers, etc.)

Kind regards,

Chris
--
This email is made from 100% recycled electrons
Hi James,

Fortunately, your theory about common "run for dollars" is false with many contra-examples. :)

jh

---------- Original message ----------
From: Bruce Ferrell <bferrell at baywinds.org>
To: asterisk-users at lists.digium.com
Date: 28. 3. 2015 0:17:54
Subject: Re: [asterisk-users] Anonymous SIP calls
Some of us do allow SIP from the internet, but just like for SMTP email, protections are in order.

I point my SRV records at dedicated SIP proxies (I use Kamailio) which check the INVITEd SIP URI the same way my MXs check the SMTP Envelope-To addresses, and only allow INVITEs through to authorized destinations. And when those INVITEs make it to Asterisk/FreeSWITCH or the like, the dialplan is generally not direct to phone(s), but via an IVR. As an example, calling my email address via SIP goes to an Asterisk FollowMe instance. I also provide my clients with dedicated SIP addresses which avoid the protections.

But the vast majority of the INVITEs coming to my public SIP proxies are fraud attempts. My primary SIP proxy has blocked over 32k fraudulent INVITEs over the last six months. And about one "OPTIONS sip:100 at ..." per hour by something calling itself "friendly-scanner".

Then again, the number of invalid SIP INVITEs per public SIP destination is fewer than the number of spam/virus type SMTP attempts per unit time. And all of the telemarketing fraud I have had to deal with has come via PSTN DIDs, not via direct SIP.

A half-gig virtual works fine for such a SIP proxy.

You may also want to look into getting an ISN number; check out http://freenum.org/ for the details.

-JimC
--
James Cloos <cloos at jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
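Two passages in this thread are worth seeing as code: James's question of what actually stops an anonymous inbound SIP call from being gatewayed to the PSTN (nothing, unless whatever first sees the INVITE refuses PSTN-style destinations before any trunk context can be reached), and Cloos's description of an Internet-facing proxy that checks the INVITEd URI the way an MX checks the SMTP Envelope-To. What follows is an added example, not code from the thread and not Kamailio or Asterisk configuration: a small Python model of that inbound policy, run over constructed SIP requests. The authorized user names, the IVR target name, the scanner User-Agent strings other than "friendly-scanner" and the sample messages are all assumptions made here for illustration.

```python
# Added example (not from the thread): an inbound SIP policy check modelled
# on the proxy rules James Cloos describes. Everything below is assumed for
# illustration; it is not Kamailio or Asterisk configuration.
import re

# Destinations reachable from the open Internet (assumed list).
AUTHORIZED_USERS = {"info", "support", "cloos"}
# Where the PBX is asked to send anonymous callers: an IVR/FollowMe, never
# straight to a phone (assumed dialplan target name).
IVR_TARGET = "ivr-main"
# User-Agent substrings of known scanners ("friendly-scanner" is from the
# thread; the others are assumed).
KNOWN_SCANNERS = ("friendly-scanner", "sipvicious", "sipcli")


def parse_request(raw: str) -> dict:
    """Split a SIP request into request line, headers and body (RFC 3261 framing)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def uri_user(uri: str) -> str:
    """Return the user part of sip:user@host;params (empty if there is none)."""
    m = re.match(r"^sips?:(?:([^@;>]+)@)?", uri)
    return m.group(1) if m and m.group(1) else ""


def decide(req: dict) -> tuple:
    """
    Policy for an unauthenticated request arriving from the Internet.
    Returns (action, detail): 'drop' (no reply at all), 'reject' (SIP error
    response) or 'route' (hand to the PBX with the chosen dialplan target).
    """
    ua = req["headers"].get("user-agent", "").lower()
    if any(s in ua for s in KNOWN_SCANNERS):
        return "drop", "known scanner User-Agent"
    if req["method"] != "INVITE":
        # OPTIONS/REGISTER probes from strangers get nothing useful back.
        return "reject", "405 Method Not Allowed"
    user = uri_user(req["uri"])
    if user.lstrip("+").isdigit():
        # A numeric Request-URI is a PSTN-style destination. This is the
        # check James asked about: an anonymous caller must never be able to
        # reach a trunk context, so refuse it here rather than let the
        # dialplan decide.
        return "reject", "403 Forbidden (PSTN-style destination)"
    if user not in AUTHORIZED_USERS:
        return "reject", "404 Not Found"
    # Authorized user: hand to the PBX, but via the IVR, not straight to a phone.
    return "route", f"{IVR_TARGET}:{user}"


# Constructed sample traffic (not captured from anyone's proxy).
SAMPLE_INVITE_OK = (
    "INVITE sip:info@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK776\r\n"
    "From: <sip:caller@example.org>;tag=1928\r\n"
    "To: <sip:info@example.net>\r\n"
    "Call-ID: a84b4c76e66710@example.org\r\n"
    "CSeq: 1 INVITE\r\n"
    "User-Agent: Linphone/4.0\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Same caller, but aimed at an international number: the dial-through attempt.
SAMPLE_TOLL_FRAUD = SAMPLE_INVITE_OK.replace(
    "sip:info@example.net", "sip:9011442071234567@example.net")
# The hourly "OPTIONS sip:100@..." probe Cloos mentions.
SAMPLE_SCANNER = (
    "OPTIONS sip:100@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.9:5060;branch=z9hG4bK-1\r\n"
    "From: \"sipvicious\" <sip:100@203.0.113.9>;tag=abc\r\n"
    "To: \"sipvicious\" <sip:100@203.0.113.9>\r\n"
    "Call-ID: 1@203.0.113.9\r\n"
    "CSeq: 1 OPTIONS\r\n"
    "User-Agent: friendly-scanner\r\n"
    "Content-Length: 0\r\n\r\n"
)


def run_samples() -> list:
    """Apply the policy to the three constructed requests; returns the decisions."""
    return [decide(parse_request(raw))
            for raw in (SAMPLE_INVITE_OK, SAMPLE_TOLL_FRAUD, SAMPLE_SCANNER)]


if __name__ == "__main__":
    for raw, (action, detail) in zip(
            (SAMPLE_INVITE_OK, SAMPLE_TOLL_FRAUD, SAMPLE_SCANNER), run_samples()):
        print(f"{raw.split(chr(13) + chr(10), 1)[0]:<50} -> {action}: {detail}")
```

The ordering of the checks is the point: scanner traffic is dropped silently so it learns nothing, anything that is not an INVITE is refused before parsing a destination, and a numeric destination is refused before the allowlist is consulted, so a PSTN number can never be reached from the anonymous path even if someone later adds a numeric entry to the allowlist by mistake. In a real deployment the same decisions belong in the proxy (Kamailio in Cloos's setup) and in a dedicated Asterisk context for anonymous calls that contains no Dial() to a trunk.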