Security for Asterisk

Compare SecAst to alternatives





SIP Connection Monitoring

Credentials valid
Breached credentials
Diffused probes
SIP packet structure

User Behaviour Monitoring

Fraud phone number database verification
Dialing cadence
Simultaneous calls
Heuristic patterns

Network Connection Monitoring

Hacker database IP address verification
SIP data transfer rate
Clustered connection attempts
Geographic location
Port connection rate

Attack Containment

Ban IP on PBX or firewall
Override dialplan permitted patterns
Disconnect individual calls
Lockdown new connections

Attack Response Orchestration

Control internal firewall
Control external firewall
Control external router
Change dialplan
Share attack data with peers

Comparison Details

The following sections provide further evaluation details on how SecAst compares.

Regular firewalls are oblivious to the content of VoIP-related traffic, and simply forward SIP/RTP/IAX/etc. from the internet to the Asterisk server. A complete lack of understanding of the packet content results in traditional firewalls being little more than routers. Fail2Ban is not actually a security system; rather, it depends completely on Asterisk to report a failed login attempt (Fail2Ban then adds the source IP to a local iptables ban list).

SecAst is the only product that builds a profile of every user or connected device, and ensures the SIP commands received are safe and appropriate. Even normal SIP commands issued at unusual frequencies can be indicative of hacking. SecAst is the only product able to detect such patterns, valid SIP credentials being misused, and so on.

Traditional firewalls do not monitor behavior at the user level, and simply pass VoIP-related packets back and forth. Fail2Ban also has no visibility into the behavior of the user (only errors reported by Asterisk can be acted on by Fail2Ban).

SecAst is the only product that monitors the behavior of each user (and in fact each device) and creates a risk score based on the behavior of the user combined with other factors. While one action on its own may not be enough to identify a hacking attempt, the combination of actions detected by SecAst allows it to detect and halt hacking before the attacker can do much harm (or generate massive fraud charges on your carrier account).

Fail2Ban has no visibility at the network connection level; it can only respond to error messages from Asterisk. Traditional firewalls, on the other hand, excel in this area, as monitoring UDP and IP level traffic is what they were designed to do. The only weakness of traditional firewalls is that they are not aware of patterns and sources of VoIP-specific hacking.

SecAst combines high-level (user and SIP) and low-level (UDP/IP) traffic information to provide unmatched sensitivity to hacking attempts at the network level. SecAst also uses databases of known hacker IP addresses to block connection attempts before the attacker even has a chance to communicate with the PBX.

Traditional firewalls have no visibility into the activities of the PBX; once a connection from the attacker is permitted by the firewall, the attacker may proceed unencumbered through the firewall. Fail2Ban, on the other hand, can ban an attacker’s IP address if Asterisk reports an error from that IP source; otherwise Fail2Ban does not impede the progress of an attacker.

SecAst has the ability to terminate calls in progress (without blocking an IP) if it detects suspicious activity. In the case where an attacker has breached the Asterisk / configuration generator security system, he/she normally has unrestricted access to fraudulent toll numbers and premium services. However, SecAst is the only product that can block these calls even if Asterisk (or for example FreePBX) has been compromised. SecAst can also take increasing steps to protect the PBX as an attack progresses, even shutting down call services to protect the PBX.

Fail2Ban has only one response capability: banning the source IP address at the PBX level. Attackers may be left with access to the internal subnet or other services on the PBX. Fail2Ban has no ability to adapt PBX behavior, notify other PBXs of the attack, block users at the network edge, etc.

Traditional firewalls offer a step up from Fail2Ban as they inherently block attacks at the network edge. However, they have no visibility into, or control of, the PBX. As such they can only block an attack if the attack is detectable at the UDP/IP traffic level.

SecAst blends PBX visibility with control of external devices. Upon detecting an attack, SecAst can adjust the dialplan to restrict actions, change routes to limit access to certain devices, instruct the firewall at the network edge to take certain actions, and even share the attacker information with other SecAst installations.