Monday, March 10, 2008


Asterisk: The Open-Source PBX
PBX servers were notoriously expensive to justify when an organization wasn’t
ready for a major capital outlay, plus they tended to rely on closed or proprietary
architecture, which made PBX systems more expensive than they might otherwise
have been. Then along came Asterisk, from the mind of Mark Spencer. Asterisk is
an open-source PBX software package that runs on many operating systems,
including Linux, BSD, Mac, and even Windows. Asterisk requires very little in the
way of hardware, with old Pentium 100MHz boxes with 64MB of RAM still ample
enough to power a small business. Aside from the relatively low hardware horsepower
requirements, Asterisk doesn’t necessarily need any additional hardware
aside from what’s already in your computer. Utilizing the popular Session
Initiation Protocol (SIP) and the Inter-Asterisk Exchange Protocol (IAX), two
increasingly ubiquitous VoIP technologies, Asterisk can make and take calls completely
over the Internet or operate with special hardware like PCI T1/E1 cards for
PSTN connectivity. Users may purchase DIDs from the VoIP provider to dial in to
their PBX from their normal phones, or they may dial in using a special software
phone. We discuss softphones later in this chapter.
The appeal of a PBX system is obvious to not only businesses and campuses but
also attackers, who have taken an increased interest in them as well, since most PBX
systems can support trunk-to-trunk transfer (i.e., dial-out again from the PBX after
coming in on another line). PBX security often is overlooked by enterprises until a big
phone bill arrives, and oftentimes the hackers have no challenge at all when settings
are never changed from the manufacturer’s default. Try a Google search for “default
password” and a PBX vendor and you’ll see just how easy this information can be to
obtain. It is important to note that because PBX vendors typically have provided
detailed instructions on how to secure the PBX, the remaining security responsibility
lies completely on the operator of the PBX system, and any toll charges that may be
obtained by fraud are left to be paid by the PBX owner. Attackers who have compromised
a PBX system may set up their own private conference room, a “party-line”
where they may hang out and exchange illicit information on your dime.
Other features can be a double-edged sword as well. Many PBX systems also
provide a call-monitoring feature for managers to supervise their agents (or to record
calls). You know those recordings that go, “Your call may be monitored for quality
assurance and training purposes”? Well, if you’re not careful, they might also be
monitored for humorous or larcenous purposes. And it may not be just calls to your
call center that get monitored; if your monitoring system wasn’t properly designed
or an intruder gets access to PBX administration at a high enough level, any call can
be monitored.
The bottom line when it comes to PBX features is that you need to read the
associated security recommendations carefully. Some vendors have assembled detailed
security guides for addressing toll fraud and feature access that are well over 100
pages, and you would be wise to find out what kind of documentation exists. And
don’t forget to back up your PBX regularly so that you don’t lose the security policy
you create! More critically, if a VoIP vendor does not have these kinds of capabilities,
you would be wise to find out what can be done to reduce exposure to toll fraud. In
some cases, the lack of feature-functionality in many VoIP solutions is a blessing
because it reduces the opportunities for security-affecting misconfiguration. Yet at
best this is a temporary benefit since VoIP solutions are becoming more sophisticated
each and every year.
Notes from the Underground…

Toll Fraud
Attackers have discovered a myriad of ways to make all the long distance calls
they want from your PBX system, leaving you with the hefty collect-call charges.
Here are a few:
■ Even with good security elsewhere, a caller can ask to be transferred to
extension 9011 on a system where dialing 9 goes to an outside
line and 011 is the international direct dial access code. Make sure
your employees (particularly those who answer many external calls)
know about this ruse and consider using your PBX’s trace feature to
track down the source of such calls (you can even have the call transferred
to your security department as part of the trace feature).
■ Attackers can read the same manuals online that your systems
administrators can, and the smart ones will figure out how to get
around the obvious restrictions. For instance, if trunk access codes
aren’t restricted, it really won’t matter how well you’ve locked out
other dial restrictions. And just because you don’t use your local
trunks for long distance doesn’t mean an attacker won’t.
■ Adding support for IP softphones or WiFi phones to a PBX means
that a softphone or wireless phone could be used by a remote
attacker who can get onto your IP network (by wire or wireless) for
toll fraud or other nefarious purposes. In this case, defense of your IP
network overall is what will minimize exposure to the PBX, but it’s
important that the PBX not weaken overall IP security (by allowing
WEP-based security on wireless networks shared by voice and data,
for instance).
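The three ruses above all leave a trace in the PBX’s call detail records: an inbound trunk call that goes back out on another trunk, a destination that begins with the outside-line digit followed by the international access code, and activity at hours when nobody should be placing calls. The following screening script is an added example, not code from the book or from the Asterisk project; it assumes the field order of Asterisk’s Master.csv CDR log (check it against your own cdr.conf), a site where 9 grabs an outside line and 011 is the international prefix, and constructed sample records for a Monday and the preceding Sunday.

```python
"""Screen Asterisk-style CDR lines for toll-fraud indicators (added example)."""
import csv
from datetime import datetime
from io import StringIO

# Field order of Asterisk's Master.csv CDR log (assumed; verify against your cdr.conf).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid",
              "userfield"]

# Site assumptions, matching the text: 9 reaches an outside line, 011 is the
# international direct dial access code. Adjust these to your own dial plan.
OUTSIDE_LINE_PREFIX = "9"
INTL_PREFIX = "011"
TRUNK_CONTEXTS = {"from-trunk"}                      # contexts external callers land in
TRUNK_CHANNEL_PREFIXES = ("DAHDI/", "SIP/trunk-")    # channel names that are outside lines
BUSINESS_HOURS = range(7, 19)                        # 07:00-18:59, Monday to Friday

# Constructed sample records (not real traffic): a normal inbound call, an
# extension dialling the UK, an inbound caller bounced back out internationally
# on a Sunday night, a late local call, and an unanswered international attempt.
SAMPLE_CDR = """\
"","2125551000","1001","from-trunk","2125551000","DAHDI/1-1","SIP/1001-0001","Dial","SIP/1001,30","2008-03-10 10:15:02","2008-03-10 10:15:05","2008-03-10 10:20:41",339,336,"ANSWERED",3,"1205144102.1",""
"","1001","9011441234567890","from-internal","1001","SIP/1001-0002","DAHDI/2-1","Dial","DAHDI/g1/011441234567890","2008-03-10 10:21:00","2008-03-10 10:21:09","2008-03-10 10:50:12",1752,1743,"ANSWERED",3,"1205144460.2",""
"","2125559876","9011447700900123","from-trunk","2125559876","DAHDI/1-1","DAHDI/2-1","Dial","DAHDI/g1/011447700900123","2008-03-09 02:13:44","2008-03-09 02:13:51","2008-03-09 03:58:20",6276,6269,"ANSWERED",3,"1205028824.3",""
"","1002","95551234","from-internal","1002","SIP/1002-0003","DAHDI/2-1","Dial","DAHDI/g1/5551234","2008-03-10 23:30:10","2008-03-10 23:30:15","2008-03-10 23:31:00",50,45,"ANSWERED",3,"1205191810.4",""
"","2125559876","9011447700900123","from-trunk","2125559876","DAHDI/1-1","DAHDI/2-1","Dial","DAHDI/g1/011447700900123","2008-03-09 02:10:03","","2008-03-09 02:10:40",37,0,"NO ANSWER",3,"1205028603.5",""
"""


def parse_cdr(text):
    """Turn CSV CDR text into a list of dicts keyed by CDR_FIELDS."""
    reader = csv.reader(StringIO(text))
    return [dict(zip(CDR_FIELDS, row)) for row in reader if row]


def is_trunk_channel(channel):
    """True when the channel name denotes an outside line rather than a station."""
    return channel.startswith(TRUNK_CHANNEL_PREFIXES)


def is_international(dst):
    """True when dst grabs an outside line and then dials the international code."""
    digits = dst[len(OUTSIDE_LINE_PREFIX):] if dst.startswith(OUTSIDE_LINE_PREFIX) else dst
    return digits.startswith(INTL_PREFIX)


def flag_record(rec):
    """Return the list of indicators a single answered record trips (may be empty)."""
    reasons = []
    if is_international(rec["dst"]):
        reasons.append("international dial-out")
    # The 9011 transfer ruse: a call that arrived on a trunk leaves again on a trunk.
    if rec["dcontext"] in TRUNK_CONTEXTS and is_trunk_channel(rec["dstchannel"]):
        reasons.append("trunk-to-trunk: inbound caller sent back out on a trunk")
    started = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
    if started.weekday() >= 5 or started.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def screen(text):
    """Return {uniqueid: [reasons]} for every answered call tripping an indicator."""
    hits = {}
    for rec in parse_cdr(text):
        if rec["disposition"] != "ANSWERED":   # unanswered calls incur no toll; skip
            continue
        reasons = flag_record(rec)
        if reasons:
            hits[rec["uniqueid"]] = reasons
    return hits


if __name__ == "__main__":
    for call_id, reasons in screen(SAMPLE_CDR).items():
        print(call_id, "->", "; ".join(reasons))
```

A record that trips several indicators at once (here the Sunday-night inbound call routed straight back out to an international number) is the one to trace first; a single after-hours local call is a far weaker signal and only merits a look when it recurs. Run the script against the real Master.csv by replacing SAMPLE_CDR with the file’s contents, and extend flag_record with the trace feature or account codes your own PBX exposes.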
