
Security for Asterisk

Use SecAst to protect any Asterisk based phone systems against
fraud and hacking. SecAst uses a variety of techniques to detect
intrusion attempts, halt ongoing attacks, and prevent future
attacks. SecAst uses advanced techniques to detect valid
credentials that have been disclosed / compromised and are being
abused, fraudulent activity based on known attack patterns,
unusual call and dialing patterns, etc. SecAst also offers detailed IP
address based geographic allow/deny rules (geofencing) down to
the city level allowing administrators to limit PBX access to regions
where legitimate clients actually reside.

Overview
SecAst is a firewall and intrusion detection and prevention system designed specifically to protect Asterisk based
phone systems against attack and fraud. SecAst uses a variety of techniques to detect intrusion attempts, halt
ongoing attacks, and prevent future attacks. In addition, SecAst uses advanced techniques to detect valid
credentials that have been disclosed / compromised and are being abused. SecAst also uses heuristic algorithms
to detect fraudulent activity based on known attack patterns. Upon detection SecAst blocks the current attacker
from the Asterisk host at the network level.

SecAst is a 100% software solution, communicating with Asterisk primarily through the Asterisk Management
Interface (AMI), but also monitoring Asterisk message/security logs for relevant information, and also
communicating with the Linux network interfaces. The data from these sources allows SecAst to monitor
connection and dial attempts with invalid credentials, the rate at which users/peers are dialing, the number of
channels in use by user/peer across all protocols, the source IP of remote users/peers, etc. By combining this data
SecAst can effectively stop attacks/fraud in its tracks, and alert the administrator with details of each attack.

SecAst offers detailed geographic allow/deny rules (geofencing) down to the city level without large or complex
firewall rules (all geofencing rules remain within SecAst). Use of geofencing dramatically reduces the number of,
and risk from, attacks, allowing administrators to quickly eliminate continents/countries/regions/cities where
their users would never be located.

SecAst offers extensive interfaces to interact with other programs, utilities, external firewalls, billing systems, etc.
allowing for considerable customization. For example, changes in Threat Level can trigger scripts which alert
administrators, shut down interfaces, change firewall rules, etc.

Features

Asterisk Compatibility
SecAst is compatible with a broad range of Asterisk versions and distributions. SecAst works with
Asterisk versions 1.4 through 13, both 32-bit and 64-bit. SecAst is also compatible with a wide
range of Asterisk distributions, from Digium's plain old Asterisk, to FreePBX and PBX in a Flash
and TrixBox, to Thirdlane and more.

Brute Force Attack Detection


SecAst can detect brute force attacks (attempts to gain access by trying various combinations of
usernames/passwords, commonly used extensions, commonly used passwords, etc). Unlike
other products, SecAst can detect these attacks even if spread across many days (attackers are
now performing "thin" attacks to bypass simplistic detection programs like fail2ban). SecAst can
respond to these attacks by blocking them at the network level, preventing any further attempts.
These blocks can last for hours, days, or indefinitely.
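
The difference between a short-window counter and a long-window one, as an added Python example (not SecAst code and not its detection algorithm). The log lines are constructed in the style of Asterisk chan_sip failed-registration notices, and the window sizes and thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\].*?Registration from "
    r"'.*?' failed for '(?P<ip>\[[^\]]+\]|[^':]+)(?::\d+)?'"
)

def _line(ts, ip, ext="100"):
    # Constructed log line in the style of a chan_sip failed-registration notice.
    return (f"[{ts}] NOTICE[2211] chan_sip.c: Registration from '\"{ext}\" "
            f"<sip:{ext}@192.0.2.10>' failed for '{ip}:5060' - Wrong password")

# Constructed sample: a "thin" source (2 tries/day for 5 days), a burst, one typo.
SAMPLE_LOG = "\n".join(
    [_line(f"2015-03-0{d} {h}:00:00", "203.0.113.5") for d in range(1, 6) for h in ("03", "15")]
    + [_line(f"2015-03-02 10:00:0{s}", "198.51.100.9") for s in range(6)]
    + [_line("2015-03-03 09:12:44", "192.0.2.77"),
       "[2015-03-03 09:13:01] VERBOSE[2211] pbx.c: Executing [100@internal:1] Dial"]
)

def parse_failures(text):
    """Return sorted (timestamp, source_ip) pairs for failed registrations."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"].strip("[]")))
    return sorted(events)

def offenders(events, window, max_failures):
    """IPs that reach max_failures failed attempts inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # drop attempts older than the window
                start += 1
            if end - start + 1 >= max_failures:
                flagged.add(ip)
                break
    return flagged

events = parse_failures(SAMPLE_LOG)
short_rule = offenders(events, timedelta(minutes=10), 5)   # burst-oriented rule
long_rule = offenders(events, timedelta(days=7), 8)        # slow, spread-out attempts
print("short window:", short_rule, "| long window:", long_rule)
```

The short-window rule only sees the burst, the long-window rule only sees the slow source, and the single mistyped password trips neither, which is why the two are usually run together.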

Breached Credential Use Detection


SecAst can detect unusual traffic and usage patterns indicative of credentials that have been
breached (leaked or somehow discovered by an attacker). This includes monitoring the number
of calls in progress, how quickly the calls are set up, even the rate at which the user is dialing
digits. SecAst can respond to these attacks by blocking them at the network level, preventing any
further attempts. These blocks can last for hours, days, or indefinitely.

Heuristic Attack Detection
SecAst can learn new attack patterns and adjust its detection accordingly. The heuristic scanner
monitors a variety of Asterisk and network traffic patterns to detect suspicious activity, correlate
them with rules which indicate likely attacker activity, and then block the attacker at the network
level, preventing any further attempts. These blocks can last for hours, days, or indefinitely.

Geographic Allow / Deny


SecAst incorporates a database of IPv4 and IPv6 addresses across the world, including the
continent / country / region / city of each IP. SecAst can be configured to allow or deny access to
any combination of these geographic attributes (as well as a default allow / deny behavior). If an
attacker or user attempts to use the Asterisk server from a denied location, the user is
immediately disconnected. This creates a geographic fence (or geofence) which keeps good guys
in and bad guys out.

Trunk and Endpoint Trust


SecAst can be instructed to trust particular trunks, endpoints (users or phones), and IP addresses
so that they are exempt from security screening. This allows administrators to grant particular
users access regardless of location, call volumes, etc. (which may be necessary for traveling sales
staff, etc). This also allows administrators to designate certain trunks / routes as trusted and
others as untrusted.

Threat Level Management


SecAst monitors the number and rate of attacks against the Asterisk server, and based on
administrator defined thresholds will set the threat level of the system. Changes in threat levels
can trigger custom scripts, notifications, and other system based features.

Telnet Interface
Administrators will be immediately comfortable with the simple and powerful telnet interface to
SecAst. The security system can be managed and controlled from a telnet interface, whether
from a PC, a tablet, or a cell phone. The interface includes online help, and user friendly rich
terminal output.

Browser Interface
Seasoned administrators and novices alike will be comfortable with the simple and powerful
browser (web) interface to SecAst. The security system can be managed and controlled from any
browser, including a PC, a tablet, or a cell phone. The interface includes blocking / unblocking
IPs, checking threat levels, viewing attack history, etc.

Socket & REST Interfaces


Developers will appreciate the socket and REST (Representational State Transfer) interfaces to
SecAst, as the power and control of SecAst can be easily expanded and integrated with other
system administration and monitoring tools. SecAst includes sample PHP code to show how to
extract data and control SecAst via a web service and via the socket interface.

Technology
SecAst runs as a service on Linux, normally running on the same server as Asterisk. This design allows SecAst
immediate access to security events on the server as well as access to the network interface for monitoring. Equally
important, running SecAst on the same server as Asterisk avoids introducing a single point of failure on the critical
VoIP traffic path in front of Asterisk.

SecAst interfaces with a variety of subsystems to gather information about the state of the network, the state of
Asterisk, and activities performed by VoIP users (or attackers). This unique approach allows SecAst to look deep into
the specific actions performed by users, correlate them with network data, and compare them with responses
expected by Asterisk.

telium
P.O. Box 33032 Ira Needles, Waterloo, On, N2T 0A2, Canada
www.telium.ca
(519) 266-4357
info@telium.ca
