
Binding to MAC address & security


Jack Russell Racing


OK, so we have made the long awaited switch from 3CX and are happily running SNOM One now. We have all SNOM 821 phones deployed, all of which are considered 'external' to the PBX because it is hosted elsewhere. On 3CX we were obviously victims of SIP hacks on earlier releases of their software. With strong passwords, it diminished greatly, in conjunction with new releases. SNOM seems to have security considerations from the ground up. (thank you)

 

Some basic questions about security:

 

1) When we bind to MAC addresses on the PBX, does that mean absolutely no other devices can register to that extension, even if they hacked through the password? The MAC is the MAC, and that's all? Right now, all our SNOM phones are 'MAC defined' in the PBX. Is this the safest practice available?

 

2) We use 8-digit mixed case random passwords. Sufficient?

 

3) Limit registrations per extension is set to "1". Right?

 

4) The fixed public IP addresses of our external phones are white-listed. Should we blacklist everyone else on earth? What is the syntax for this?

 

5) What else can we do to 'hide' the PBX from things like sipvicious? In playing with a sandbox deployment, I turned logging all the way to maxi-detail. Within 24 hours, that sandbox environment was pounded with sipvicious probes. I assume our production system is getting the same beating.... does the IP blacklist prevent it?

 

Thanks in advance!



1. Mac addresses are for plug and play only.

 

2. I use 12-digit "mixed case with numbers" passwords.

 

3. If you are only going to have one phone per registration, you could do this.

 

4. I only whitelist addresses if they have problems; if you set the access to 5-10 attempts in one second and ban for 7 days, they cannot brute force the extension. The reason I only whitelist addresses with problems is that most of my external phones are on dynamic IPs. Most brute force attacks that I have seen start at 40-45 registration attempts per second. In my opinion, blacklisting all other addresses is overkill with snomONE. If you blacklist all other IPs you cannot log in to the web GUI if you are not on one of your allowed IPs.

 

5. Don't know on this one, better left for snomONE to answer... sorry.

 

-Steve

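Steve's point 4 describes a rate-based ban (a burst of 5-10 failed attempts within one second, then a 7-day ban) together with explicit whitelist entries, and notes that a catch-all blacklist locks out anyone not on the whitelist. The following is an added example, not snomONE code, that models that gate in Python and replays constructed registration events through it: the office's fixed IP, a scanner at 45 attempts per second, and a phone that simply has a wrong password. The whitelist-beats-blacklist precedence, the threshold of 5 failures, and the sample addresses are assumptions for the illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Thresholds from Steve's post: a burst of 5 failed attempts within one
# second triggers a ban, and the ban lasts 7 days.
BURST_LIMIT = 5
BURST_WINDOW_S = 1.0
BAN_SECONDS = 7 * 24 * 3600


class RegistrationGate:
    """Models a PBX's inbound-registration access control (assumed semantics)."""

    def __init__(self, whitelist=(), blacklist=(), burst_limit=BURST_LIMIT,
                 burst_window=BURST_WINDOW_S, ban_seconds=BAN_SECONDS):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.blacklist = [ipaddress.ip_network(n) for n in blacklist]
        self.burst_limit = burst_limit
        self.burst_window = burst_window
        self.ban_seconds = ban_seconds
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures
        self.bans = {}                      # src -> ban expiry timestamp

    @staticmethod
    def _listed(ip, networks):
        return any(ip in net for net in networks)

    def decide(self, src, now, auth_ok):
        """Return 'allow', 'deny-static', 'deny-banned' or 'deny-auth'."""
        ip = ipaddress.ip_address(src)
        # Static lists first. Assumed precedence: an explicit whitelist entry
        # wins over a catch-all blacklist such as 0.0.0.0/0.
        if not self._listed(ip, self.whitelist) and self._listed(ip, self.blacklist):
            return "deny-static"
        expiry = self.bans.get(src)
        if expiry is not None:
            if now < expiry:
                return "deny-banned"
            del self.bans[src]           # ban has lapsed
        if auth_ok:
            self.failures.pop(src, None)  # a good login clears the failure window
            return "allow"
        window = self.failures[src]
        window.append(now)
        while window and now - window[0] > self.burst_window:
            window.popleft()              # keep only failures inside the window
        if len(window) >= self.burst_limit:
            self.bans[src] = now + self.ban_seconds
            window.clear()
            return "deny-banned"
        return "deny-auth"


def replay(gate, events):
    """Feed (timestamp, src, auth_ok) events through the gate in order."""
    return [gate.decide(src, ts, ok) for ts, src, ok in events]


# Constructed sample traffic (not real logs):
#  - 203.0.113.10: the office's fixed public IP, one successful REGISTER
#  - 198.51.100.7: a scanner hammering at 45 attempts per second
#  - 192.0.2.33: a phone with a mistyped password retrying every 30 seconds
#  - the scanner returning after its 7-day ban has lapsed
SAMPLE_EVENTS = (
    [(0.0, "203.0.113.10", True)]
    + [(1.0 + i / 45.0, "198.51.100.7", False) for i in range(45)]
    + [(2.0 + 30.0 * i, "192.0.2.33", False) for i in range(4)]
    + [(BAN_SECONDS + 10.0, "198.51.100.7", False)]
)


def demo():
    """Whitelist only, no blacklist: the scanner is banned after 5 failures,
    the slow-retrying phone is never banned."""
    gate = RegistrationGate(whitelist=["203.0.113.10/32"])
    return replay(gate, SAMPLE_EVENTS), dict(gate.bans)


def demo_blacklist_everyone():
    """Steve's caveat: with 0.0.0.0/0 blacklisted, a correct password from an
    address outside the whitelist is still refused."""
    gate = RegistrationGate(whitelist=["203.0.113.10/32"], blacklist=["0.0.0.0/0"])
    return gate.decide("203.0.113.10", 0.0, True), gate.decide("192.0.2.33", 0.0, True)


if __name__ == "__main__":
    decisions, bans = demo()
    print("scanner decisions:", decisions[1:8], "...")
    print("active bans:", bans)
    print("blacklist-everyone:", demo_blacklist_everyone())
```

The phone that fails once every 30 seconds is only ever refused for its bad password and never banned, which is what makes the burst threshold usable for the dynamic-IP phones Steve mentions; the scanner gets exactly four ordinary failures before the fifth one puts it on the ban list.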

I agree with what Steve says.

 

1) When we bind to MAC addresses on the PBX, does that mean absolutely no other devices can register to that extension, even if they hacked through the password? The MAC is the MAC, and that's all? Right now, all our SNOM phones are 'MAC defined' in the PBX. Is this the safest practice available?

 

As Steve said, the MACs are only for PnP. Other devices can register if they know the password. MACs are actually not very safe; it is easy to spoof MAC addresses.

 

2) We use 8-digit mixed case random passwords. Sufficient?

 

8 digits are 100 million combinations, that is actually not too much these days. It would take a few seconds to try all combinations out. Including alphanumeric dramatically increases the number of possible combinations. Or you go for 12 digits, that's at least a trillion combinations, which would take a couple of days to try the combinations out. Not good for "top secret", but for regular use it should be okay.

 

3) Limit registrations per extension is set to "1". Right?

 

IMHO that does not make a big difference. If you have a good password you control pretty well who registers. Limiting the number of registrations is primarily for hosted PBX providers that want to avoid abuse of the extension as a kind of hunt group.

 

4) The fixed public IP addresses of our external phones are white-listed. Should we blacklist everyone else on earth? What is the syntax for this?

 

You can blacklist everyone else (in IPv4) with 0.0.0.0/0. If you have an environment where you know all IP addresses, IMHO whitelisting is actually not such a bad idea, considering the stuff going on with friendly scanner and so on. At least that keeps a lot of problems away, and then even passwords with 8 digit numbers can be okay.

 

5) What else can we do to 'hide' the PBX from things like sipvicious? In playing with a sandbox deployment, I turned logging all the way to maxi-detail. Within 24 hours, that sandbox environment was pounded with sipvicious probes. I assume our production system is getting the same beating.... does the IP blacklist prevent it?

 

Well, version 4 has this automatic blacklisting feature and this IMHO keeps things like sipvicious pretty much under control. We have seen some successful hacks, but they were all because of weak passwords (account name = 100, password = 100) or trunks configured for accepting any traffic and sending it out on other trunks without any kind of authentication. When the PBX blacklists an address, it sends an email, and I would set up an email filter that really highlights those attacks. I can sleep well with the automatic blacklisting.

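The answer to question 2 above reasons about password strength by keyspace size (8 digits = 100 million, 12 digits = a trillion, alphanumeric much more). Here is an added example, not from the thread or from snomONE, that carries that arithmetic through in Python and parameterizes the one thing the thread's estimates leave implicit: the guessing rate. It uses Steve's 40-45 attempts per second as one rate and his 5-attempts-then-7-day-ban throttle as another, so the effect of the automatic blacklisting on the same keyspace can be read off directly. The rates and the 40-bit target are assumptions for the illustration.

```python
import math

# Alphabet sizes for the two password styles discussed in the thread.
DIGITS = 10
MIXED_CASE_ALNUM = 26 + 26 + 10   # a-z, A-Z, 0-9

SECONDS_PER_DAY = 86400


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Guessing entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def minimum_length(alphabet_size, target_bits):
    """Shortest length reaching `target_bits` of entropy for this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def throttled_rate(burst_limit, ban_seconds):
    """Effective attempts per second one source gets when the PBX bans it
    after `burst_limit` failures for `ban_seconds` (Steve's 5 per second,
    7-day ban). Assumes the attacker sits on a single IP address."""
    return burst_limit / ban_seconds


def brute_force_days(length, alphabet_size, attempts_per_second):
    """Worst case (whole keyspace tried) in days; on average half is needed."""
    return keyspace(length, alphabet_size) / attempts_per_second / SECONDS_PER_DAY


# Constructed guessing rates to compare against.
RATES = {
    "scanner_45_per_s": 45.0,                                # Steve's observed burst
    "throttled_5_per_7d": throttled_rate(5, 7 * SECONDS_PER_DAY),
}


def report(target_bits=40):
    """Table of keyspace, entropy and worst-case days for the thread's cases."""
    cases = {
        "8 digits": (8, DIGITS),
        "12 digits": (12, DIGITS),
        "8 mixed-case alnum": (8, MIXED_CASE_ALNUM),
        "12 mixed-case alnum": (12, MIXED_CASE_ALNUM),
    }
    rows = {}
    for name, (length, alphabet) in cases.items():
        rows[name] = {
            "keyspace": keyspace(length, alphabet),
            "bits": round(entropy_bits(length, alphabet), 1),
            **{rate_name: brute_force_days(length, alphabet, rate)
               for rate_name, rate in RATES.items()},
        }
    rows["length_for_%d_bits" % target_bits] = {
        "digits": minimum_length(DIGITS, target_bits),
        "mixed_case_alnum": minimum_length(MIXED_CASE_ALNUM, target_bits),
    }
    return rows


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

Read together, the rows show why the thread's two pieces of advice reinforce each other: widening the alphabet from 10 to 62 symbols does far more for an 8-character password than adding digits, and the ban-on-burst throttle turns even the weakest case into something that cannot be exhausted from one address in any useful time.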

Can you explain this in more detail? I assume ours are configured as such, but am (candidly) unsure of what you're describing.

 

If the trunk has no outbound proxy set and no "Explicitly list addresses for inbound traffic", then it must assume that the traffic may come from anywhere (e.g. ENUM traffic). If you let that trunk for example use a DISA feature (like you are calling from a cell phone and want to place an outbound call), you have a security problem. Bottom line: Always specify the outbound proxy.
