To answer your first question, what you refer to as the PSTN is also quite 
dangerous.  There is a lot of fraud going on over analog lines - usually 
hackers try to find an outside line by calling in to a PBX and trying lots of 
digits, or, in some cases, fooling a naive user into forwarding them to an outside 
line (claiming to be Bell), etc.  As for VoIP, even a beginner can try 100000 
PBXs with 100000 dialout codes in a matter of hours.  So because it's easier 
it becomes more popular.  (There was an article in the Globe and Mail a few 
years ago about this - one Toronto company lost a lot of money because someone 
called in saying it was Bell Canada and their receptionist forwarded the 
technician to a "diagnostic number"...which was 9XXXXX and surprise, they got an 
outside line).  Since you're in Hamilton I figure this might ring a bell...:)

A lot of the value from what you refer to as the PSTN is really just a bridging 
point, and a massive directory (i.e. phone numbers).  But their role is 
changing and someday they may be little more than the equivalent of root DNS 
servers.  But for now they are still the major interconnect for ITSP's to 
legacy/TDM customers.

As for security and using fail2ban, I hope you read this:
http://forums.asterisk.org/viewtopic.php?p=159984
Fail2ban is not really security...but it's certainly better than nothing.

What you might be missing is that VoIP is the wild west of fraud.  It's easy, 
and there are lots of holes in SIP, Asterisk, FreePBX, etc!  Do a search on 
FreePBX security flaws and you'll find that hackers discovered a massive hole 
last summer exposing systems to toll fraud.  This is big business for hackers 
and a single breach can earn them $10,000 to $100,000 (or more) - not bad for 1 
day of work, and you the SIP customer are on the hook for that bill.  Major 
ITSPs are not likely to forgive your bill just because you got hacked.  It's 
your responsibility to secure your system.  And if you haven't you might get a 
whopper of a bill.

There are working groups, industry groups, etc. dedicated to VoIP security.  
They exist for a reason - this is a HUGE problem.  It's easy to get 
overconfident and a misstep in security can cost you your job and your company a 
small fortune.


________________________________________
From: James B. Byrne <byrn...@harte-lyne.ca>
Sent: Friday, March 27, 2015 4:03 PM
To: Michelle Dupuis
Cc: Asterisk Users List; byrn...@harte-lyne.ca
Subject: RE: [asterisk-users] Anonymous SIP calls

On Thu, March 26, 2015 22:29, Michelle Dupuis wrote:
> You have to consider whether you really want "anonymous" calls, or you
> just want to enable SIP calls from trusted companies/partners.  The
> latter means setting up routes to these companies and (ideally)
> registration between peers.
>

This is what I am trying to get a handle on.  It seemed to me that the
promise of VOIP was essentially that one could use the Internet as a
replacement for the PSTN directly, providing that one's callers/callees
were also directly connected via VOIP.  SIP providers I had considered
a necessary transition to act as gateways between PSTN dialing and
VOIP until VOIP replaced PSTN virtually entirely if not completely.

That is why we are on Asterisk.  We had to replace our old keyed
system and the thought was that we might as well get ready for VOIP
even if we planned to stay on PSTN for the foreseeable future.

However, the overwhelming evidence I find is that one simply does not
employ VOIP in the same way that PSTN works.  Actually, I have put
that backwards.  What I have discovered is that the most commonly
recommended method is to switch from a Telco to a SIP provider and
continue in a manner similar to the former set-up.  External calls all
have to travel through a third party provider.

One does not accept incoming VOIP calls from just everyone,
apparently.  One only accepts VOIP calls from known correspondents.  I
am not clear why this is so other than vague warnings respecting
(admittedly real and serious) security issues.

Even limiting VOIP to known correspondents one is ultimately trusting
that they themselves are secured sufficiently to prevent unauthorised
access to your systems through theirs.  And that seems a bit of a
stretch by way of rationalisation to me.

Also, I do not understand why the same issues do not exist for
incoming calls via PSTN.

I somewhat understand the process of getting devices to register and
authenticate to obtain access to our outgoing routes.  What is it
about incoming SIP calls destined to our internal users that makes
those calls so dangerous?  Why can incoming anonymous SIP calls not
be treated exactly as incoming PSTN calls (other than that PSTN calls
have to go through DAHDI to turn them into digital VOIP calls)?  What
is it that prevents them from being blocked from gatewaying through to
our PSTN lines?

Please forgive my abysmal ignorance on this matter.  Perhaps I have
been down in the weeds too long getting our internal FreePBX system
working to see what is obvious to others.  I have been going through
the AstriCon videos on security and have or already had implemented
most of the suggestions: Outbound LD secured by pins and allowed only
during work hours; IPTABLES rules and fail2ban checks; Separation of
voice and data network segments and addresses; Private IP for VOIP
desk-sets and internal provisioning; and so forth.

However, I still have the sense that I am just not getting it.  What
am I missing?

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
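The following is an added illustration for the question above about why anonymous SIP calls are treated differently from PSTN calls; it is not from either message in this thread and is not FreePBX-generated configuration (FreePBX writes its own context names into extensions.conf). It is hand-written plain-Asterisk chan_sip configuration of the kind in use in 2015; the context names, the 2XX extension range, peer 201, the DAHDI group g0 and the secret are made up for the example. The security-relevant point it shows is that nothing about a SIP INVITE is dangerous in itself; what matters is the dialplan context the call is dropped into. A PSTN call arriving over DAHDI lands in whatever context chan_dahdi.conf assigns and can only dial what that context contains. An unauthenticated SIP INVITE lands in the context named in the [general] section of sip.conf. If that is the same context the desk-sets use, the anonymous caller inherits the same 9-prefixed trunk routes the desk-sets have, which is exactly the toll-fraud hole. The weak and hardened settings are side by side:

```ini
; --- WEAK: the settings that turn an anonymous INVITE into a free trunk call ---
; sip.conf
[general]
allowguest=yes            ; accept INVITEs from peers that never authenticated
context=from-internal     ; ...and drop them into the same context as the phones

; extensions.conf
[from-internal]
exten => _2XX,1,Dial(SIP/${EXTEN},20)              ; internal desk-sets 200-299
 same => n,Hangup()
exten => _9NXXNXXXXXX,1,Dial(DAHDI/g0/${EXTEN:1})  ; 9 + 10 digits out the PSTN lines
 same => n,Hangup()
; An anonymous caller sending INVITE for a 9-prefixed ten-digit number hits the
; second pattern and the call goes out your DAHDI trunk, on your bill.

; --- HARDENED: authenticated phones and anonymous callers get different contexts ---
; sip.conf
[general]
allowguest=no             ; simplest: refuse unauthenticated INVITEs outright
;allowguest=yes           ; alternative if you do want anonymous inbound:
;context=from-anonymous   ;   land guests in the sandbox context defined below
alwaysauthreject=yes      ; same rejection for unknown and wrong-password users,
                          ; so scanners cannot enumerate valid peer names

[201]                     ; an authenticated desk-set (hypothetical peer)
type=friend
host=dynamic
secret=change-me          ; placeholder: use a long random secret per phone
context=from-internal     ; only authenticated peers get this context

; extensions.conf
[from-anonymous]
; Reachable by guests: internal extensions only.  No "include =>" of any
; context that dials a trunk, so there is no path from here to the PSTN.
exten => _2XX,1,NoOp(Anonymous SIP call from ${CALLERID(all)} to ${EXTEN})
 same => n,Dial(SIP/${EXTEN},20)
 same => n,Hangup()
exten => _X.,1,Hangup(21)     ; anything else, 9-prefixed or not: reject (cause 21)
exten => i,1,Hangup(21)       ; invalid extension
exten => t,1,Hangup()         ; timeout

[from-pstn]
; Calls arriving over DAHDI land here (context=from-pstn in chan_dahdi.conf).
; Same rule as the guest context: internal extensions only, no trunk routes.
exten => s,1,Dial(SIP/201,20)
 same => n,Hangup()

[outbound-pstn]
exten => _9NXXNXXXXXX,1,Dial(DAHDI/g0/${EXTEN:1})
 same => n,Hangup()

[from-internal]
; Only peers whose sip.conf entry says context=from-internal arrive here,
; so only authenticated desk-sets inherit the outbound routes.
exten => _2XX,1,Dial(SIP/${EXTEN},20)
 same => n,Hangup()
include => outbound-pstn
```

After a reload, `dialplan show from-anonymous` on the Asterisk CLI lists exactly what a guest can reach; if any Dial to a DAHDI or SIP trunk channel, or an include of a context containing one, shows up there, the sandbox is leaky. Fail2ban sits on top of this rather than replacing it: it bans addresses that fail registration repeatedly, but it does nothing about a call the dialplan is willing to accept and route.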

-- 
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
               http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
