SecAst can check every phone number dialed against a database of phone numbers known to be involved in fraud (and hacking) activities. Calls suspected of being fraudulent can be automatically disconnected and/or originating devices can be blocked from connecting to the PBX. SecAst can also treat premium rate and shared cost numbers differently, helping to avoid calls to zero-day fraud phone number exploits. Telium’s fraud database has been developed over many years and is one of the largest and most comprehensive fraud prevention tools available to carriers and end-users alike.
Hacker IP Address Database
SecAst can check the source IP address of every device/user agent connecting to the PBX against a database of IP addresses known to be used in hacking (and fraud) activities. SecAst can also treat proximate addresses (which may be used by the same hacker) as suspect and evaluate them based on their neighbors. Devices suspected of being involved in hacking can be prevented from making calls and/or blocked from connecting to the PBX. Telium’s hacker IP address database has been developed over many years and is one of the largest and most comprehensive PBX specific intrusion prevention tools available to carriers and end-users alike.
Geographic IP Address Database
SecAst incorporates a database of IPv4 and IPv6 addresses from across the world, including the continent / country / region / city of each IP. SecAst can be configured to allow or deny access to any combination of these geographic attributes (as well as a default “allow / deny” behavior). If an attacker attempts to access the Asterisk server from a denied location, the user is immediately disconnected. This creates a geographic fence (or geofence) which keeps good guys in and bad guys out.
Breached Credential Attack Detection
SecAst can detect unusual traffic and usage patterns indicative of credentials that have been breached (leaked or somehow discovered by an attacker). This includes monitoring the number of calls in progress, how quickly the calls are setup, even the rate at which the user is dialing digits. SecAst can respond to these suspicious activities by blocking the user at the network level, and preventing any further exploits. These blocks can last for hours, days, or indefinitely.
Heuristic Attack Detection
SecAst can learn new attack patterns and adjust its detection and defenses accordingly. The heuristic scanner monitors a variety of Asterisk and network traffic patterns to detect suspicious activity, correlate them with rules which indicate likely attacker activity, and then block the attacker at the network level preventing any further attempts. These blocks can last for hours, days, or indefinitely.
Moving IP Attack Detection
SecAst can detect attacks from hackers who are constantly and rapidly changing IP addresses. Professional hackers are now moving their IP addresses through large ranges of IP addresses from clouds, VPN services, large subnets, etc. to avoid detection by simplistic tools like fail2ban or regular firewalls. SecAst integrates a diverse collection of data points to allow detection of hackers the instant they connect to the PBX from a new IP address.
Brute Force Attack Detection
SecAst can detect brute force attacks (attempts to gain access by trying various combinations of usernames / passwords, commonly used extensions, commonly used passwords, etc). Unlike other products, SecAst can detect these attacks even if spread across many days (attackers are now performing “thin” attacks to bypass simplistic detection programs like fail2ban) and many IP addresses. SecAst can respond to these attacks by blocking them at the network level and preventing any further attempts. These blocks can last for hours, days, or indefinitely.
Dialplan Override Protection
SecAst monitors all digits being dialed and can block attempts to call restricted numbers or dial other patterns. Although dialplans also perform this function, if an Asterisk server is compromised (eg: FreePBX® GUI hacked) then SecAst will override the dialplan and still block or accept only certain numbers. Dial pattern recognition can match any dial string and either allow or block the dial attempt based on administrator defined rules.
Trunk and Endpoint Trust
SecAst can be instructed to trust particular trunks, endpoints (users or phones), and IP addresses so that they are exempt from security screening. This allows administrators to grant particular users or devices access regardless of location, call volumes, etc. (which may be necessary for traveling sales staff, autodialers, etc). This also allows administrators to designate certain trunks / routes as trusted and others as untrusted.
Threat Level Response
SecAst monitors the number and rate of attacks against the Asterisk server, and based on administrator defined thresholds maintains an overall threat level faced by the PBX. Changes in the threat level can trigger custom scripts, notifications, and other system based responses. Threat level integrates directly with the event handler system as noted below.
External Firewall Control
Although SecAst can block hackers directly at the PBX if required, SecAst can block hackers at a firewall on the network edge. SecAst can interact directly with virtually any external firewall, commanding it to add rules to block IP addresses, remove blocked IP addresses, etc. using the event handler system described below. (To mitigate overall hacking risk, commercial PBX environments should always block attackers at the network edge.)
Event Handler System
One feature that makes SecAst both flexible and powerful is the event handler system, which lets administrators hook any program/script into events generated by or detected by SecAst. For example, events related to an attack allow administrators to automate changes to firewalls, routers, SIP endpoints, dialplan rules, accessible extensions, etc.
Administrators will be immediately comfortable with the simple and powerful telnet interface to SecAst. All PBX security can be managed and controlled from a telnet interface, whether from a PC, a tablet, or a cell phone. The interface includes online help and user friendly, rich terminal output.
Seasoned administrators and novices alike will be comfortable with the simple and powerful browser (web) interface to SecAst. Security can be monitored from any browser, including a PC, a tablet, or a cell phone. The interface provides details of attacks, threat level, attack source maps, and more.
Socket, PHP, and REST Interfaces
Developers will appreciate the socket, PHP, and REST (Representational State Transfer) interfaces to SecAst, as the power and control of SecAst can be easily expanded and integrated with other system administration and monitoring tools. The download package includes sample code demonstrating how to extract data and control SecAst via a web service, via a PHP class, and via the socket interface.
SecAst is compatible with a broad range of Asterisk versions and distributions. SecAst works with Asterisk versions 1.4 through 16, both 32-bit and 64-bit. SecAst is compatible with a wide range of Asterisk® distributions including Digium’s Asterisk, FreePBX®, PBX In A Flash®, TrixBox®, Elastix®, Issabel®, xCALLY Motion®, Thirdlane®, Genesis ISS®, and more.