Asterisk VoIP Security

When I came across a blog post on the Huffington Post that called Asterisk out on the security of its open source VoIP platform, I just had to know: is this true?

So I asked Asterisk (after I said “asked Asterisk” five times fast) and got this detailed response from David Duffett, Director of Worldwide Asterisk Community.

Duffett (@dduffett) explains that protecting your network is not a whole lot unlike fortifying your house against break-ins.

VoIP Supply: Who is the Asterisk VoIP platform designed for?

David Duffett: The Asterisk IP communications engine is for anyone that wants to create a flexible and powerful communications solution. Asterisk configuration is performed through a number of ASCII text files, and this is why a number of pre-packaged IP PBX solutions based on Asterisk have become available that allow configuration via a web GUI.

VS: Why open source?

DD: When Mark Spencer (the creator of Asterisk and CTO of Digium) decided to make Asterisk an open source project, he did this in part to liberate the stodgy, closed world of telecoms, but also to allow (and encourage) contributions to Asterisk from people all over the world that are particularly keen to see Asterisk enhanced in specific directions (like conferencing and contact centre applications).

VS: In this blog post on Huffington Post, 6 Keys to a Successful VoIP Implementation, the writer, Jason Volmut (@javolmut), CEO of CPUrx, states that:

“VoIP systems built on the open-source telephone platform Asterisk are routinely subject to hacking attempts, and should be avoided.”

What VoIP security measures can Asterisk take to secure their systems from hackers?

DD: Although there are a number of places within Asterisk that could be configured to enhance security, I would like to make some more general points:

The mention of only Asterisk in point 5, regarding security, is extremely misleading.
To set the scene, PBXs, even before the advent of IP communications, have always been subject to attacks of one sort or another – all the way from people trying to hack into voicemail boxes to full scale toll fraud through PRIs or even analog lines.

*ANY* SIP IP PBX that has an open connection to the internet (i.e., not within a VPN, or not tied down to a specific IP address, or addresses) will be subject to hacking attempts.


Asterisk is certainly the most popular and established open source communications engine in the world, with millions of Asterisk-based IP PBXs out there – but they are by no means particularly prone to issues of this nature. Just like any type of system – it’s all in the implementation. If that is done in a sloppy way, it could lead to trouble.

There is lots of information around on the internet about certain brands of proprietary IP PBXs and potential vulnerabilities, but to focus on the PBX is to miss the main point about securing IP systems – and that is to ensure proper measures are taken at the network level, before thinking of applications running in the network like a PBX or a CRM system.

If you found a robber in your kitchen, you know that he would have broken into your house through the front door, back door or a window. The best thing to do would be to improve the security on the exterior of your house so as not to let the robber in! And so it is with your network… Stop the bad guys getting into your network in the first place!

Anything you can do in a given appliance or application like an IP PBX or a CRM system should be seen as a secondary line of defence.

Due to the power and flexibility of Asterisk, there are actually more things you can do on an Asterisk PBX to detect and prevent any form of compromise than there are on any other PBX solution. Of course, they must be implemented and adjusted by people that know what they are doing.
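As an added example (not part of the interview, and not Asterisk's own tooling), here is a small Python audit of a chan_sip sip.conf that checks the point Duffett makes about tying a SIP PBX down to specific addresses: it flags peers with no permit/deny ACL, ACLs that forget the leading deny, and the guest and auth-reject settings in [general]. The sample configuration is constructed, and the 12-character secret threshold is a heuristic.

```python
# Added example (not from the interview or Asterisk): audit a chan_sip
# sip.conf for peers left open to any source address.  The sample config is
# constructed; the 12-character secret threshold is a heuristic.
# Constructed sample: one peer restricted to a LAN subnet, one left wide open.
SAMPLE_SIP_CONF = """\
[general]
context=from-internet
allowguest=yes            ; unauthenticated callers land in the default context
alwaysauthreject=no

[hardened-handset]
type=friend
secret=correct-horse-battery-staple
context=internal
host=dynamic
deny=0.0.0.0/0.0.0.0      ; deny everything first, then permit only the office LAN
permit=192.168.10.0/255.255.255.0

[sloppy-trunk]
type=friend
secret=1234
context=internal
host=dynamic              ; no permit/deny: any address on the internet may try
"""


def parse_sip_conf(text):
    """Parse sip.conf into {section: [(key, value), ...]}, keeping repeated keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop ; comments
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]      # ignores (!) template markers
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def audit(sections):
    """Return {section: [findings]}; sections with no findings are omitted."""
    findings = {}
    general = dict(sections.get("general", []))
    if general.get("allowguest", "").lower() != "no":
        findings.setdefault("general", []).append(
            "allowguest not set to no: unauthenticated calls reach the default context")
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.setdefault("general", []).append(
            "alwaysauthreject not set to yes: replies reveal which usernames exist")
    for name, entries in sections.items():
        if name == "general":
            continue
        values = {}
        for key, value in entries:
            values.setdefault(key, []).append(value)
        issues = []
        if "permit" not in values:
            issues.append("no permit/deny ACL: reachable from any source address")
        elif not any(d.startswith("0.0.0.0") for d in values.get("deny", [])):
            issues.append("permit without deny=0.0.0.0/0.0.0.0: ACL still allows everything")
        secret = values.get("secret", [""])[0]
        if len(secret) < 12 or secret.isdigit():
            issues.append("weak secret (short or digits only)")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for section, issues in audit(parse_sip_conf(SAMPLE_SIP_CONF)).items():
        print(f"[{section}]", *("  - " + i for i in issues), sep="\n")
```

Run against the sample, only [general] and [sloppy-trunk] are reported; the hardened peer passes because its deny line comes before the permit line.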

Michael Taylor (center), VoIP Engineer at VoIP Supply Receives Xorcom Certification

We’re proud to announce that VoIP Supply is now a Xorcom Certified Dealer for Complete PBX Solutions.

Thanks to Michael Taylor (pictured above) our VoIP Engineer putting in all the hard work at the Xorcom technical training class.

We’re not sure what was harder for him: the three days of in-depth training to learn all the details of Xorcom PBX installation, programming, and troubleshooting, or avoiding all the distractions of the class location, Las Vegas.

If you’re not familiar with Xorcom, the company was founded in 2004 and focuses on business telephony solutions for both VoIP and traditional PSTN. Xorcom products are based on Asterisk®, the open-source communication software used worldwide, for a flexible range of PBX solutions.

Taylor’s hands-on Xorcom training provided him with real-world application knowledge, which means that we not only provide you with the best first-level technical support but can also help you:

  • Determine your communication needs and suggest the best Xorcom solution based on your line usage, infrastructure, and employee habits.
  • Streamline your phone system implementation process.
  • Ensure optimal phone up-time by securing the phone system.
  • Improve your overall user experience by providing communication efficiency suggestions.

Xorcom CompletePBX systems are pre-configured so they’re ready to use right out-of-the-box and they’ll give your single office/home office (SOHO), small and medium-sized business (SMB), or enterprise level applications lots of flexibility based on call management, Unified Communications (UC), and strong standard features.

Xorcom Case Study

How does a Xorcom PBX work in the real world?

This Chabot Space and Science Center case study is a good example of an application where cost and licensing fees were an issue. The customer was also going to install the solution themselves so they needed an Asterisk® solution that would work right out of the box and make calls straight away:

Extensive research into IP-based systems led Mr. dosRemedios to Asterisk®-based systems and he tried a test system, using trixbox CE and two Grandstream handsets. He liked what he was able to do, and so he looked for a turnkey system using Asterisk® at its core, and came across Xorcom and the Astribank concept. Because Mr. dosRemedios is the sole support for telephony at Chabot, his greatest concern was getting help configuring the system. So he contacted a local Xorcom reseller and soon realized that he could probably do everything himself.

Mr. dosRemedios chose a Xorcom XR2074 PBX with 1 PRI port, 8 FXO ports, and 16 FXS ports; with RAID (dual hard drive for redundancy), Rapid Recovery (for backup and restore of the entire PBX), Yealink T20P handsets, and some premises cabling to fulfill the requirements. Deployment was performed in-house over a period of five weeks… The PBX installed without a hitch; Mr. dosRemedios connected four landlines to the FXO ports, and a couple of phones to the POE switch and was able to make calls the same day! He’s currently preparing to deploy the remaining 108 phones to run in parallel to the old PBX until the day he can move the PRI over to the Xorcom box.

Download the full case study here.

To find out if a Xorcom PBX solution is right for you, call us at 800-398-8647 and we’d be happy to help.

To learn more about installing an Asterisk®-based Xorcom PBX, here’s how to do it in 10 minutes:

Usually in our VoIP Q & A Blog Series, we answer questions submitted to us through tech support tickets on VoIPSupply.com or via the “Ask The Expert” tab on our product pages.

This time we’re sharing the questions and answers from the Grandstream UCM6100 PBX webinar that was held as part of our Grandstream Learning Series.

These were real questions from the attendees that were answered by Grandstream’s tech support team. We hope that this is a comprehensive guide on how to use a UCM6100 series PBX and what it is capable of.


Door Phone and Door Station Support

Q: Can it [UCM6100] support door phone, control, attendance systems? E.g. Helios 2N, any others?

A: Yes, it supports door stations. We have verified this against FXS/FXO devices from Viking Electronics as well as 2N.

Q: Can we use this system to open gates or use in a system gate?

A: Yes, this system can perform door station functions depending on the device being used. We’ve interoperated with Viking Electronics devices.

Q: The scenario would be a system with several video-doorphones + one GXV3140 + UCM6102. While one video-call from a video-doorphone is being attended from the GXV3140, there are other video-calls being received from other doorphones and those video-calls should be put on queue. How many calls can be queued?

A: This would be handled like any other call. Since it is video, it will now have a video codec being negotiated. You can configure the call queue based on your own preference.


Asterisk

Q: Because Asterisk is open source, does Grandstream contribute to this effort?

A: Yes, we comply with the GNU GPL and provide the source details on our FAQ page.

Video Softphones

Q: Any recommended free video softphones for use?

A: At the moment, we do not have any free apps listed for video calls. We would suggest using a softphone that supports H.263, H.263+ or H.264.

IVR Security

Q: Standard set of security protocols to avoid hacking, security issues through IVR?

A: There are several ways of securing the UCM IVR.

1. Password on outbound route
2. Specify permission/privilege level
3. Disable dial trunk option.

Park BLFs and Shared Line Appearances

Q: Are there plans to add Park BLFs or Shared Line Appearances?

A: On the latest firmware for the UCM we support BLF for parking lot. Shared line appearance has already been requested and is taken into consideration for the future release.

API

Q: Is there a way to install A2Billing?

A: The UCM is a locked-down Asterisk system, so you cannot install any applications onto the appliance. However, a later firmware release will support an API and allow users to pull caller data for billing programs.

Zero Config

Q: Does the endpoint manager support other vendor phones for configuration and Key defs?

A: No. The UCM can only zero-config Grandstream products at the moment.

 

Grandstream UCM6102

BroadSoft Softswitch

Q: Is the UCM6102 certified to work on BroadSoft softswitch?

A: At the moment, it is still under certification and has not been fully supported. Work in progress.

Voicemail to Email and Remote Voicemail Access

Q: Are we able to listen and delete voicemail directly from Outlook so the voicemail is also deleted in the UCM?

A: No. Voicemail sent to your email needs to be removed from the PBX. It does not sync up with your email. This has been requested for future consideration.

Q: How do you listen to your voice messages remotely, from a phone not registered to the UCM?

A: You can dial into the UCM via the IVR, then dial the option for a dummy extension (not registered) that has an unconditional forward to the voicemail system (*98).

Call Monitoring and Recording

Q: Calls Monitor Feature?

A: This has already been requested and is being implemented for a future release. However, we do have an option to record calls.

Q: Can we direct the recordings to external storage?

A: This is done automatically when a USB/SD is connected to the UCM.

Service Providers Tested

Q: What providers have been successfully tested with this?

A: 3NG, Nexvortex, Callcentric, Clearfly, Vitelity, Phonepower.


Google Voice Support

Q: Can Google Voice be integrated on the UCM?

A: No, this is not supported unless it uses SIP signalling.

G.729 Codec

Q: Any license fees to use G.729 codec?

A: No licensing fee for G.729, we have a license for the max number of concurrent calls on the UCM.

Grandstream HT704 Adapter

How to Add Additional Analog Phones

Q: How do I add FXS phones if I need more analogue phones?

A: All UCM models come with 2 FXS ports. You can add more by using an ATA or FXS gateway like the HT700 series or GXW400x/4200 series.

LAN Ports for Failover

Q: Are the 2 LAN ports on the UCM6104 for a failover mode, so I can use 2 separate internet connections? Or is there another purpose to the 2 LAN ports?

A: Exactly, this is used for failover purposes.

Demo Programs and Training

Q: If we want to be more familiar with the product do you have some DEMO programs?

A: We do provide UCM training events. You can visit this page for all the upcoming events: http://www.grandstream.com/ucm-events

Need More Lines

Q: What can I do if I need more than 16 lines?

A: You can peer an FXO gateway to the UCM. We provide FXO gateways to extend this. Here’s the link to the guide.

T1 or DSL Support

Q: Can we use a T1 or DSL Service?

A: T1/E1 is not supported on the UCM61xx series. However, we are coming out with a UCM65xx series that will support such services.

CounterPath Bria Desktop Client

Desktop Clients

Q: What kind of desktop clients are you supporting? And on what OS?

A: We support Linux, Mac and Windows. Any soft client that is SIP compliant works with our UCM, e.g., CounterPath Bria.

Concurrent Video Calls

Q: Max concurrent video-calls supported?

A: This is anywhere between 6-10 calls.

Storage

Q: Does the UCM6100 series use a disk or SSD for storage?

A: Internal flash storage.

Q: Does the USB port of the UCM6104 support a passport drive (which doesn’t have its own power)?

A: That should be fine. I have used a Buffalo 1TB drive without power and was just fine.

System Recovery

Q: I have read that asterisk-based systems have known lock-up issues that typically have to be resolved by a system reboot. How has that been dealt with for this solution?

A: Our system recovers itself during these moments and provides core dump files that can be analyzed by our developers for root cause.

Stay Tuned

Check back next time for more VoIP Q & A.

Thanks for your questions!

Newest Digium cards currently not compatible with latest version of Switchvox

The TE133 and TE134 are the most recent single span telephony card solution from Digium, and VoIP Supply gives you a first look at the Asterisk company’s cards.

What is it?

The Digium 1TE133F PCI-e and Digium 1TE134F PCI are new telephony cards for seamless PSTN connectivity to VoIP. These single-span cards use state-of-the-art technology to increase overall phone quality and system performance, and suit applications such as toll-bypass adjuncts for legacy TDM PBXs, SIP trunk interfaces for legacy TDM systems, and small call center ACDs with T1/E1 trunks.


From these single T1 digital telephony cards, you can expect:

  • Up to 24 (T1/J1) or 30 (E1) simultaneous calls
  • Selectable T1, E1 or J1 Mode / Half-Length, Half-Height, Digital Card
  • PCI-Express (TE133)
  • PCI (TE134)
  • One (1) RJ48 Interface Port
  • Protocol support includes: ISDN PRI, Robbed-Bit, CAS
  • Built-in 128ms Octasic DSP hardware echo cancellation
  • 5 year warranty
  • Risk-free ESP guarantee

Digium TE133 and TE134 cards are designed to support T1/E1/PRI environments and industry standard telephony protocols, mainly Primary Rate ISDN protocol families for voice in North America and Euro standards. Octasic DSP hardware echo cancellation is built directly into the cards which removes the task of echo cancellation from the system’s CPU card, improving efficiency in your VoIP system.

As these cards are created by the makers of Asterisk, you can feel confident about 100% interoperability, straight from the source. Digium wants you to feel comfortable with your purchase, so even though we all know you’ll love it, Digium offers a no-risk ESP guarantee that if qualifying Digium products don’t perform 100% as designed, Digium will refund the product. That’s confidence.

Who is it for?

The TE133 and TE134 are designed for Asterisk and its open source drivers, so basically anyone with an existing legacy system looking to upgrade to VoIP. Digium cards have been tested with major server hardware platforms like Dell, HP and IBM, as well as hardware platforms with chipsets from AMD, Intel, VIA and Nvidia. Being designed by the makers of Asterisk, Digium cards are compatible with all versions of Asterisk using the DAHDI driver framework. Asterisk and DAHDI are available for free from the Asterisk.org website.

Pricing

Digium 1TE133F MSRP $730.00
Digium 1TE134F MSRP $730.00

Availability

The Digium TE133 and TE134 are now shipping from VoIP Supply. For more information on the 1TE133F and 1TE134F, call the VoIP experts at 1.800.398.8647 or email sales at sales@voipsupply.com.

Polycom Asterisk

Most of our readers are likely familiar with the Asterisk Open Source PBX, but for those of you who aren’t, Polycom has recently put together an easy-to-follow technical bulletin on using their SoundPoint IP Phones with Asterisk.

This document covers all the basics of integrating Polycom IP phones with your Asterisk PBX. Key topics covered in this bulletin include:

As you may have noticed, VoIPSupply.com has recently discontinued sales of the Trixbox Appliance. We will continue to fully support existing Trixbox Appliance customers, but we are focusing our efforts on the PhoneBochs Asterisk Appliance as our recommended hardware solution for users of Asterisk, Trixbox, 3CX and other SIP based communications platforms.

Some of you may be familiar with PhoneBochs, but for those of you who are not, I have put together a basic feature comparison between the Trixbox Appliance and the PhoneBochs Asterisk Appliance. The PhoneBochs Asterisk Appliance offers true “telco grade” build quality and performance and is a suitable server hardware platform for Asterisk/Trixbox installations of all sizes.



In a move that I interpret as Cisco beginning to view the “open source” telephony market as a viable opportunity, Cisco today released a new application note on how to configure the new Cisco SPA8800 4FXS+4FXO SIP Gateway with Asterisk. The document is entitled Configuring SPA8800 with Asterisk, and is intended to help position the Cisco SPA8800 as a cost-effective PSTN gateway for Asterisk deployments, as well as a way of adding additional FXS ports.

Yep, you read that right… an application note, produced by Cisco, specifically for Asterisk users… an exciting first, I believe.

This application note includes configuration guidance for the Cisco SPA8800, Asterisk sip.conf, and Asterisk extensions.conf files. A troubleshooting section complete with sample traces showing registration and call flows is also included.

You can download the PDF configuration guide for free here.

The Cisco SPA8800 is currently available to purchase at VoIPSupply.com.

Do you already own a Nokia “E” Series mobile phone, or are you considering purchasing one? The Nokia “E” series phones, although not inexpensive, offer the flexibility of both GSM and WiFi/SIP calling, and can be integrated with most SIP based IP PBX platforms. For the purpose of this article, we chose a Nokia E51 and configured it to leverage any open WiFi connection to register with our Switchvox IP PBX.

These instructions apply to any of the Nokia “E” series dual mode GSM/WiFi mobile phones.

NOTE: The SIP registration instructions below assume you have already set up your WLAN settings on the phone and will use WiFi to communicate with your SIP server. It is always suggested to have the AP on the same network as the IP PBX and to put a certain level of security in place.

1. First, power on the Nokia “E” series phone by holding down the power button located on the top of the phone.

Fresh off their announcement of revamped, comprehensive support package offerings for open source Asterisk, Digium today has released Fax for Asterisk.

HUNTSVILLE, Ala.—April 6, 2009—Digium®, Inc., the Asterisk® Company, today announced Fax For Asterisk, a complete, cost-effective platform for the development of fax solutions. The offering provides Asterisk users and integrators a suite of user-friendly applications and a licensed version of the industry-leading fax modem software from Commetrex. To meet the demanding requirements of business users, Fax For Asterisk provides reliable faxing across the Internet and public switched telephone network (PSTN).

Asterisk is the most widely used open source telephony platform. The software is available free of charge and has been downloaded millions of times for use by individual developers and systems integrators creating custom telephony solutions for businesses. Asterisk is also available as the professional-grade and commercially supported Asterisk Business Edition.

“Asterisk users, developers and integrators now have a toolkit allowing them to integrate fax with their phone systems,” said Bill Miller, vice president of product management at Digium. “With Fax For Asterisk, Digium offers a reliable and fully supported fax solution.”

Fax For Asterisk interoperates with standards-compliant fax machines connected to Asterisk 1.4 and 1.6 on x86 Linux systems. It provides low-speed PSTN faxing via DAHDI-compatible telephony interface cards as well as VoIP faxing to T.38-compatible SIP end points and service providers. Fax For Asterisk operates at speeds up to 14.4kbps and supports V.17, V.27 and V.29 fax modems.

Fax For Asterisk is available free of charge from the Digium webstore at http://store.digium.com/ for one concurrent fax session. Multi-session licenses are available for a one-time fee of $38.50 per channel. Fax For Asterisk is available immediately. Fax capabilities for Digium’s Switchvox IP PBX were announced in February of this year and are based on this solution. For more details, visit www.digium.com.

Fax solutions for Asterisk are not new (HylaFAX, SpanDSP, etc.), but direct support from Digium for faxing is, and this plugs another hole in open source Asterisk, making it an even more compelling option that has the ShoreTels of the world looking in their rearview mirror.

One of the most powerful things about Asterisk is the relative ease of developing and integrating new applications. Historically, the telephony world has been a “walled garden”, with proprietary technologies, arcane configuration methods, and non-trivial integration hurdles. Asterisk is a pure software application, and an open source one at that. It’s highly configurable, and through various interfaces (such as AGI and the manager API), it’s easy to write new applications. And most importantly, Asterisk doesn’t dictate the implementation language or technology — you can develop your app in any language you want (e.g. Python, Ruby, Java, C, etc.).

I’ve built a number of simple applications for our home Asterisk system. For example, we have one that’s used on school-day mornings.

First, the system rings scheduled wakeup calls in each of the kids’ bedrooms. Next, as the school bus time approaches, the system announces five minute and two minute warnings on the kitchen phone. It takes advantage of the auto-answer feature on many Ethernet phones (such as the Linksys SPA942 in our kitchen). Pre-recorded announcements (e.g. “the bus is coming in 5 minutes”) play automatically out of the phone’s speakerphone, without anyone having to pick up the phone.

I wrote the entire application in a few hours (most of which was spent learning how to get Asterisk to initiate outgoing calls). The app is a simple Python script that runs early each morning (using cron) on the server hosting the Asterisk system. It first checks to see if it’s a weekday (i.e. school day), and if it is, it queues up the wakeup calls and the two announcement calls.

Future versions will include the holiday calendar to omit the calls and announcements on school holidays, and will automatically check the local news Web site to see if school has been cancelled or delayed.

Try doing that with your Nortel PBX!

DISCLOSURE:  Andy Payne is an investor in Digium.
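The morning routine described in the post, written up as an added example rather than Andy Payne's own script: it uses Asterisk's call-file spool to originate the calls (an assumption, since the post does not say how the calls are placed), and assumes the default spool directory /var/spool/asterisk/outgoing with a sibling tmp/ on the same filesystem, a dialplan context named [wakeup], and two recorded announcements under custom/. Channel names and times are made up.

```python
# Added example, not Andy Payne's script: queue one school morning's wake-up
# calls and bus warnings as Asterisk call files.  Assumes the spool at
# /var/spool/asterisk/outgoing with a sibling tmp/ on the same filesystem, a
# dialplan context [wakeup], and sounds custom/bus-5-minutes and
# custom/bus-2-minutes; channel names and times are made up.
import datetime as dt
import os

SPOOL_DIR = "/var/spool/asterisk/outgoing"      # assumed default spool location
KITCHEN = "SIP/kitchen"                          # auto-answering speakerphone
BUS_TIME = dt.time(7, 30)
WAKEUP_CALLS = [("kid1", "SIP/bedroom1", dt.time(6, 45)),
                ("kid2", "SIP/bedroom2", dt.time(6, 50))]
ANNOUNCEMENTS = [("bus-5-minutes", 5), ("bus-2-minutes", 2)]   # (sound, minutes before bus)


def is_school_day(iso_date):
    """Weekdays only; a holiday calendar is the post's planned next step."""
    return dt.date.fromisoformat(iso_date).weekday() < 5


def call_file_text(channel, **headers):
    """Render one call file; the keys are the headers pbx_spool reads."""
    lines = [f"Channel: {channel}"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\n".join(lines) + "\n"


def wakeup_call(channel):
    # Ring the bedroom and hand the answered call to the [wakeup] dialplan context.
    return call_file_text(channel, CallerID='"Wake up" <100>', MaxRetries=2,
                          RetryTime=60, WaitTime=30,
                          Context="wakeup", Extension="s", Priority=1)


def announcement_call(sound):
    # The kitchen phone auto-answers, so Playback goes straight out of its speaker.
    return call_file_text(KITCHEN, CallerID='"School bus" <101>', MaxRetries=0,
                          WaitTime=15, Application="Playback", Data=f"custom/{sound}")


def schedule(iso_date):
    """All calls for one day as (fire_at, name, text); empty on non-school days."""
    if not is_school_day(iso_date):
        return []
    day = dt.date.fromisoformat(iso_date)
    entries = [(dt.datetime.combine(day, when), f"wakeup-{label}", wakeup_call(channel))
               for label, channel, when in WAKEUP_CALLS]
    bus = dt.datetime.combine(day, BUS_TIME)
    entries += [(bus - dt.timedelta(minutes=mins), sound, announcement_call(sound))
                for sound, mins in ANNOUNCEMENTS]
    return entries


def queue(entries, spool_dir=SPOOL_DIR):
    """Write each call file elsewhere, stamp it, then move it into the spool.

    Asterisk processes a call file once its mtime is reached, so one early cron
    run can queue the whole morning; the rename keeps Asterisk from reading a
    half-written file.
    """
    tmp_dir = os.path.join(os.path.dirname(spool_dir.rstrip("/")), "tmp")
    for fire_at, name, text in entries:
        filename = f"{name}-{fire_at:%Y%m%d-%H%M}.call"
        tmp_path = os.path.join(tmp_dir, filename)
        with open(tmp_path, "w") as f:
            f.write(text)
        stamp = fire_at.timestamp()
        os.utime(tmp_path, (stamp, stamp))       # mtime = when the call should fire
        os.rename(tmp_path, os.path.join(spool_dir, filename))


if __name__ == "__main__":
    queue(schedule(dt.date.today().isoformat()))   # run from cron early each weekday
```

Because the spool honours the file's modification time, a single cron entry at 06:00 is enough to queue the 06:45 and 06:50 wake-ups and the 07:25 and 07:28 bus warnings for the day.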