Toll Fraud Prevention 6

[ipolmans]

Good Morning Tech Tips,

Hope everyone is keeping well!!

We've recently had a couple of our IPO/SIP customers get hacked. Nothing serious in the way of toll fraud as the telco caught it quickly in both cases. The problem we're having is, some of our customer do not want the system behind the firewall or the firewall restricts certain feature like IP Phones. That and our tech's are not capable of programming a firewall in the case that there is no IT in the customers company.

So my question to the community is this. What can we do (without a networking guru) to secure our IPO/SIP installs going forward?
What are you guys doing in that regard? do you position a special security package with the SBC maybe? Also what is the most common way these hackers are getting in?

Any advice you can provide is greatly appreciated!

Thanks Guys/Gals!
Andrew

 

[IPGuru]

Do not want the system behind the firewall or the firewall restricts certain feature like IP Phones.

Then they are F**ked, changing passwords for all admin accounts, setting secure passwords for users, setting secure login codes for all users & disabling auto create Extns may slow things down but if the IPO is visible on the internet it is a tempting target & will receive the attention of hackers

Most IPO functionality does not require it to be visible on the internet, the items that do are One-x mobility & H323 remote handsets
The use of H323 remote handsets is strongly discouraged & VPN handsets should be used wherever possible.
if using One-x mobility then you should restrict inbound traffic to only the ports req.

if the customer insists that the IPO is not secured behind a firewall then your only option is to present them with a nice legal document to sign accepting confirming they know the system is exposed to hacking against your advise & that you will not be liable for any costs incurred. if written correctly only a complete moron would sign such a document.


A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear

 

[tlpeter]

some of our customer do not want the system behind the firewall -> is not an option period.
Tell them security or get hacked.


BAZINGA!

I'm not insane, my mother had me tested!

 

[mattKnight]

Offer them a correctly configured SBC too


Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[Westi]

our tech's are not capable of programming a firewall

a firewall is $300 upward and a decent tech programs them within an hour so even if you have to pay an IT company to program it for you you are about $500 out which is less than the sleepless nights will cost you if you are unsecured on the Internet exposed to all the idiots that have nothing better to do than trying to scam money by exploiting security holes like this.

even if you by a $100 router and install it fiddling with the settings it is still better than exposing your IPO to the world.

Programming the firewalls is not brain surgery but know that the better the Firewall the more options you have and also in some cases it makes it harder to program.

I agree fully with IPGuru that you should CYA (cover your backside ) with a document that tells a customer that refuses to spend the money on insurance (Firewall) that in case something happens they did a gamble and lost.

Joe W.

FHandw, ACSS (SME), ACIS (SME)


“This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter

 

[IPGuru]

As a couple of quick analogies

1) IPO with direct connection to the internet & default passwords = unlocked car with keys in the ignition
2) IPO with Direct connection to the internet but passwords changed = unlocked car but keys removed.
3) IPO with firewall but default passwords = car locked in garage but keys in ignition
4) IPO with firewall & changed passwords = car locked in garage & keys removed.

The life expectancy of cars 1 & 2 is not good.
Car 3 is probably safe unless you share your hows with someone dodgy
Car 4 is as safe as you can get whilst it is still usable.


A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear

 

[Westi]

Love your analogies IPGuru

Pink for you

Joe W.

FHandw, ACSS (SME), ACIS (SME)


“This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter

 

[Gunnaro]

Also what is the most common way these hackers are getting in?

Not going to give away any guide to the bastards lurking around here. But to prevent intrusion:

a) Always install a firewall and/or SBC - Customer should have no saying on this.

b) Make sure that these ports are not accessible for everyone on the outside:
69, 80, , 443, 1718 - 1721, 5060-5061, 7070-7071, 8000, 8080, 8443, 50780-50823.

c) Change passwords and disable accounts that are not in use.

d) Protect the IPO from inside attacks, infected computers, VNP box with default pwds, etc. (You could use the built-in firewall for this)

To set up a firewall is fairly easy, pick a couple of brands and stick to them, no matter what the customer says.
Here's a few that works well: Watchguard (all of them), Cisco 800 series, Juniper SGG 5 and Netgear 336Gv2
(The last one is probably the easiest to configure, and the cheapest of them as well)

Make a template, and for every new install your firewall setup is done in minutes.

If the customer has their own firewall, it's still better that you stay in control with your own equipment.
Connect your firewall to the internet and get a static IP.

(Some of this has been mention already, now you read it twice...)

Kind regards

Gunnar
__________________________________________________________________
Hippos have bad eyesight, but considering their weight, it’s hardly their problem

 

[ipolmans]

Thanks Gents,

Thanks to all for your advice... being in Sales this is a huge concern for me! Honestly doesn't seem that hard at all... based on your recommendations I'll suggest to our ownership that we deploy our own firewall going forward and get signed documentation if they choose not to use one.

Also, IPGuru, great analogies!!

 

[mattKnight]

To extend ipguru's analogy...

When you leave your car unlocked with thekey in the ignition, the scrote has to physically find it. Hackers have evolved automated tools to seek out vulnerable system to exploit.

To misquote Terminator - they will hunt you down and hack you - it's what they do

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[mattKnight]

To extend ipguru's analogy...

When you leave your car unlocked with thekey in the ignition, the scrote has to physically find it. Hackers have evolved automated tools to seek out vulnerable system to exploit.

To misquote Terminator - they will hunt you down and hack you - it's what they do

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[Westi]

Matt seems I have a Deja Vu

Joe W.

FHandw, ACSS (SME), ACIS (SME)


“This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter

 

[qtelcom]

To misquote Zero Wing - All your IPOs are belong to us

 

[MikeMart74]

I have a similar situation.

Customer has a IPO and we are trying to get it behind a Cisco RV042 router, using a private lan on lan 2 pointed(one to one NAT)to the public static address for the SIP provider. Half the calls are getting fast busy inbound ,and the few that route to extensions(DID lines) only get one way audio path. Where is our problem? The SIP provider states it is going to the private ip address rather than the public address as it should.

Thanks in Advance.....

 

[amriddle01]

You need to use STUN

 

[IPGuru]

turn off sip alg on the cisco

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear