Nerd Uno Dishes Out Advice on SIP Security

Ward Mundy over at Nerd Vittles has a great post today about SIP security. It’s entitled The Incredible PBX: Adding Remotes, Preserving Security. If you run an Asterisk-based PBX you should probably read this. Now!

Ward’s advice really rings true (sorry for the telecom geek pun, it couldn’t be helped!). His “Baker’s Dozen SIP Security Checklist” makes perfect sense. That doesn’t mean that I can’t add my own two cents.

Many people use ITSPs that require a credit card on file to refill access to calling services. Ward advises turning off auto-billing that charges your card every time your account balance drops below a certain threshold.

Borrowing an idea from the early days of online shopping, I also suggest that you use a card with a deliberately low credit limit. That way, even if you allow auto-refills, you limit the maximum amount that your calling plan can consume before you notice the abuse.

I also like the idea of using a VPN-based solution to encapsulate SIP traffic. I’ve done this myself and it works great.

Finally, I especially like his recommendation of using a third-party service to leverage calling based upon SIP URIs. He recommends voip.ms whereas I use OnSIP, but there are also others.

Of course, I have my own reasons for appreciating this idea. When you start making use of SIP URIs you are on a path to enjoying HDVoice calling. That you can achieve superior call quality and take a proactive stance with regard to security at the same time is a massive benefit.

  • I think the article is good for a home user… or very small office. But beyond that, the methods can actually cause issues with voice quality and call load… again, good recommendations for a home user or very small business.

    • Care to elaborate on that sir? Inquiring minds want to know?

      • I guess the issue is… how many calls are you wanting to put on this box? The pbx in a flash box is already running Apache, Asterisk, SendMail, MySQL, PHP, phpMyAdmin, IPtables Linux firewall, Fail2Ban, and WebMin plus any optional software you want. It’s also recommended to use the Wal-mart special type of system with (generally) one core or low grade cpu. Now, add to this openvpn and more and you’re really pushing that box to the limit. Instead… for a small business, I’d say astlinux is a much better choice for a system optimized for voice communication. For a home user or very small business I think the other may be a fun system and offer some real neat things to play with, but for an office or normal small business with let’s say more than 8 simultaneous calls, I’d say there’s a much better way of securing your entire network and providing a good, reliable pbx.

        • Then we are agreed. PIAF and The Incredible PBX are certainly no lightweights. Astlinux and Askozia take very different approaches. However, from hearing Ward the other week it certainly seems like there are some large PIAF installations. Perhaps those don’t use the low-end hardware that he otherwise recommends.

  • We have a number of users that have reported processing upwards of 50 simultaneous SIP calls using newer Intel Atom-based systems. For example, Acer’s Aspire Revo retails for $199 at stores such as WalMart and Best Buy and makes an ideal Asterisk platform for small and medium-sized businesses. Indeed, we have a major airline using similar machines at numerous airports across the United States. Many of the apps referenced in the comment above consume virtually no system resources on a typical production system running PBX in a Flash or the Incredible PBX. The tools are simply available when an administrator wishes to use them.