| {maketoc} |
| +{attachment id=4818} |
| !Overview |
| -SecAst is an intrusion detection and prevention system designed specifically to protect Asterisk phone systems against fraud. SecAst uses a variety of techniques to detect intrusion attempts, halt ongoing attacks, and prevent future attacks. |
| +SecAst (Security For Asterisk) is a firewall and intrusion detection and prevention system designed specifically to protect Asterisk based phone systems against attack and fraud. SecAst uses a variety of techniques to detect intrusion attempts, halt ongoing attacks, and prevent future attacks. In addition, SecAst uses advanced techniques to detect valid credentials that have been disclosed / compromised and are being abused. SecAst also uses heuristic algorithms to detect fraudulent activity based on known attack patterns. Upon detection SecAst blocks the current attacker from the Asterisk host at the network level. |
| |
| -Unlike fail2ban which simply monitors logs, SecAst communicates with Asterisk via the AMI (Asterisk Management Interface) for detailed caller activity, and also directly with the network interface for detailed traffic data. SecAst combines this data (along with log data) to deeply inspect the traffic moving through Asterisk and detect fraudulent/suspicious patterns. SecAst can detect and block over 14 predefined types of brute force attacks, and can detect and block a range of suspicious activities (including the suspicious use of valid credentials). |
| +SecAst is a 100% software solution, communicating with Asterisk primarily through the Asterisk Management Interface (AMI), but also monitoring Asterisk message/security logs for relevant information, and also communicating with the Linux network interfaces. The data from these sources allows SecAst to monitor connection and dial attempts with invalid credentials, the rate at which users/peers are dialing, the number of channels in use by user/peer across all protocols, the source IP of remote users/peers, etc. By combining this data SecAst can effectively stop attacks/fraud in its tracks, and alert the administrator with details of each attack. |
| + |
| +SecAst offers detailed geographic allow/deny rules (geofencing) down to the city level without large or complex firewall rules (all geofencing rules remain within SecAst). Use of geofencing dramatically reduces the number of, and risk from, attacks, allowing administrators to quickly eliminate continents/countries/regions/cities where their users would never be located. |
| + |
| +SecAst offers extensive interfaces to interact with other programs, utilities, external firewalls, billing systems, etc. allowing for considerable customization. For example, changes in Threat Level can trigger scripts which alert administrators, shutdown interfaces, change firewall rules, etc. |
| |
| SecAst is available in both free and commercial editions. You can get SecAst, as well as more documentation, at [http://www.generationd.com?target=secast|www.generationd.com]. |
| |
| -!Brute Force Detection |
| -SecAst includes a wide range of brute force detection features including: |
| -* Attempt to register without matching peer / user ID |
| -* Attempt to register with wrong secret / password |
| -* Attempt to register without matching ACL |
| -* Challenge response mismatch during register |
| -* Attempt to register for peer not expecting registration |
| -* Attempt to use resources (dial) for peer that should register first |
| -* ACL mismatch (permit/deny) for peer |
| -* Peer not in local domain |
| +{attachment id=4820} |
| |
| -!Breached Credential Detection |
| -In many cases Asterisk fraud (toll fraud) is caused by an attacker having gained access to valid credentials and then attempting to exploit them. SecAst includes a number of breached credential detection features including: |
| -* Heuristic detection (complex pattern detection of peer/user activity) |
| -* Dial cadence (rate at which caller is making calls) |
| -* Channel volumes (number of simultaneous calls in use by peer/user - across all protocols) |
| |
| -!Geofencing |
| -SecAst includes the ability to detect the geographic location of each source IP, and allow/deny user access to Asterisk based on this location. Users can be restricted at 4 levels: |
| -* Continent |
| -* Country |
| -* Region |
| -* City |
| +!Asterisk Compatibility |
| +SecAst is compatible with a broad range of Asterisk versions and distributions. SecAst works with Asterisk versions 1.4 through 12, both 32-bit and 64-bit. SecAst is also compatible with a wide range of Asterisk distributions, from Digium's plain old Asterisk, to FreePBX and PBX In A Flash and TrixBox, to 3rd Lane and more. |
| |
| -For example, to allow Asterisk use from the state of Michigan, in the country of US, in the continent of North America: |
| -~pp~ exceptions=NA:US:michigan: ~/pp~ |
| -or to deny Asterisk use from all IP's in Asia: |
| -~pp~ exceptions=AS::: ~/pp~ |
| +!Brute Force Attack Detection |
| +SecAst can detect brute force attacks (attempts to gain access by trying various combinations of usernames/passwords, commonly used extensions, commonly used passwords, etc). Unlike other products, SecAst can detect these attacks even if spread across many days (attackers are now performing "thin" attacks to bypass simplistic detection programs like fail2ban). SecAst can respond to these attacks by blocking them at the network level, preventing any further attempts. These blocks can last for hours, days, or indefinitely. |
| |
| -!Blocking/Banning Attackers |
| -SecAst has the ability to block attackers at the network level. This can be done at the Asterisk server using iptables, and/or at an external firewall through SecAst API's. |
| +!Breached Credential Use Detection |
| +SecAst can detect unusual traffic and usage patterns indicative of credentials that have been breached (leaked or somehow discovered by an attacker). This includes monitoring the number of calls in progress, how quickly the calls are setup, even the rate at which the user is dialing digits. SecAst can respond to these attacks by blocking them at the network level, preventing any further attempts. These blocks can last for hours, days, or indefinitely. |
| |
| -Based on configuration settings, SecAst can control the local iptables to add and remove IP addresses to effectively permit/deny access to the Asterisk server. As well, SecAst offers a number of hooks to allow the administrator to interface SecAst with an external firewall. SecAst include sample BASH scripts which can be called whenever an IP is added, removed etc. SecAst has been successfully interfaced with firewalls from Cisco, Barracuda, Mikrotik, and more. See API section below for more details. |
| +!Heuristic Attack Detection |
| +SecAst can learn new attack patterns and adjust its detection accordingly. The heuristic scanner monitors a variety of Asterisk and network traffic patterns to detect suspicious activity, correlate them with rules which indicate likely attacker activity, and then block the attacker at the network level, preventing any further attempts. These blocks can last for hours, days, or indefinitely. |
| |
| -!API's / Programmatic Interfaces |
| -SecAst exposes a number of interfaces to allow for automatic interconnection with third party products and tools. These interfaces include: |
| -* Socket (control and data retrieval via Unix domain socket) |
| -* PHP (control and data retrieval via PHP class with command methods) |
| -* REST (control and data retrieval via web URL / AJAX) |
| -* BASH (IP notification/actions via call of BASH scripts) |
| -* Signals (basic controls via Linux signals) |
| +!Geographic Allow / Deny |
| +SecAst incorporates a database of IPv4 and IPv6 address across the world, including the continent / country / region / city of each IP. SecAst can be configured to allow or deny access to any combination of these geographic attributes (as well as a default allow / deny behavior). If an attacker or user attempts to use the Asterisk server from a denied location, the user is immediately disconnected. This creates a geographic fence (or geofence) which keeps good guys in and bay guys out. |
| |
| -!User Interfaces |
| -SecAst offers a number of interfaces to facilitate the operation and monitoring of SecAst including: |
| -* Web - a web interface with reports and graphs |
| -* Telnet - a powerful and remote friendly interface to SecAst control |
| -* E-Mail - detailed information on the status/events affecting SecAst |
| +!Trunk and Endpoint Trust |
| +SecAst can be instructed to trust particular trunks, endpoints (users or phones), and IP addresses so that they are exempt from security screening. This allows administrators to grant particular users access regardless of location, call volumes, etc. (which may be necessary for traveling sales staff, etc). This also allows administrators to designate certain trunks / routes as trusted and others as untrusted. |
| |
| -!Protocols |
| -At the time of creation of this page, SecAst supports SIP and IAX protocols. The vendor is also expanding coverage of other protocols (SCCP/Skinny/MGCP) with updates available on their website. |
| +!Threat Level Management |
| +SecAst monitors the number and rate of attacks against the Asterisk server, and based on administrator defined thresholds will set the threat level of the system. Changes in threat levels can trigger custom scripts, notifications, and other system based features. |
| |
| -SecAst supports both IPv4 and IPv6. At the time of creation of this page, only IPv4 has been tested. |
| +!Telnet Interface |
| +Administrators will be immediately comfortable with the simple and powerful telnet interface to SecAst. The security system can be managed and controlled from a telnet interface, whether from a PC, a tablet, or a cell phone. The interface includes online help, and user friendly rich terminal output. |
| |
| -!fail2ban vs SecAst |
| -SecAst includes all of the features of fail2ban (log monitoring), but this represents just a small fraction of the features of SecAst. Digium does not recommend the use of fail2ban to protect an Asterisk server (see [http://forums.asterisk.org/viewtopic.php?p=159984]) as simple log monitoring is insufficient. |
| +!Browser Interface |
| +Seasoned administrators and novices alike will be comfortable with the simple and powerful browser (web) interface to SecAst. The security system can be managed and controlled from any browser, including a PC, a tablet, or a cell phone. The interface includes blocking / unblocking IP's, checking threat levels, viewing attack history, etc. |
| |
| -fail2ban is a free and open source product, while SecAst is a commercial and closed source product. In order to prevent attackers from knowing what patterns SecAst detects the source code also cannot be released. |
| - |
| -As an alternative to fail2ban for small office / home office users, a free edition of SecAst is available from the Generation D website [http://www.generationd.com?target=secast|www.generationd.com]. Note that the free edition is limited in features and capacity, yet still exceeds the capabilities of many products like fail2ban. |
| +!Socket & REST Interfaces |
| +Developers will appreciate the socket and REST (Representational State Transfer) interfaces to SecAst, as the power and control of SecAst can be easily expanded and integrated with other system administration and monitoring tools. SecAst includes sample PHP code to show how to extract data and control SecAst via a web service and via the socket interface. |
| |
| !Screenshots |
| Web Interface - Top attack sources by country |
