vBuzzer tricks

Just dived into hot VoIP technology a while ago. Started with the adapters and Asterisk, and now integration of all that cool stuff.

vBuzzer provides a very inexpensive DID service in the Toronto area (although not free, as for some other lucky guys). It's SIP compatible, but only the vBuzzer software is officially supported. My goal is to set up my home Asterisk box to work with vBuzzer. Here is my journey.

First I found this great post at http://www.voip-info.org/wiki/view/Asterisk+settings+vBuzzer, set it up and tested it. Outbound was working but not inbound.

I searched again and found a lot of people complaining about the inbound issue when using adapters or Asterisk. Hmmm, let me try.

After a lot of sniffed data, firewall tuning, config changes etc., I had my vBuzzer service working properly with my Asterisk box. It's been up and running for more than two weeks now, so I would like to share this with my readers.

  1. sip.conf: make sure externip, localnet and fromdomain are set up properly. For example:
    externip=www.jlisbz.com
    localnet=192.168.0.0/255.255.255.0
    fromdomain=www.jlisbz.com:5060
  2. rtp.conf: make sure rtpstart and rtpend cover a smaller range, so that you can forward them through your firewall to your Asterisk box. For example:
    rtpstart=10000
    rtpend=11000
  3. Your firewall needs to allow and forward UDP 5060 (SIP) and UDP rtpstart-rtpend (RTP) to your Asterisk box.
  4. In the register string and peer setup, DO NOT use vbuzzer.com as the host; use 209.47.41.48 instead. This is very, very important, as you will not get the SIP INVITE for inbound signaling from the vBuzzer servers if you don't use .48. I don't know why they set it up that way; I just happened to find that out after a couple of sniffing sessions.

You should be able to get inbound calls now. Sometimes it takes a short while to become effective, but it should be less than 5 minutes in my experience. I saw someone post that you need to wait for more than hours to get the inbound call. Maybe they didn't set the host IP properly.
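A small checker for the four steps above, as an added example that is not part of the original post: it reads sip.conf and rtp.conf text and reports missing NAT settings, a vbuzzer.com hostname where the post says to use 209.47.41.48, and an RTP range too wide to forward. The sample files, the account name and secret, and the 1000-port limit (the width of the example range above) are assumptions.

```python
import re

VBUZZER_SIP_IP = "209.47.41.48"  # host the post says to use instead of vbuzzer.com
MAX_RTP_PORTS = 1000             # assumption: width of the post's example range

# Constructed sample files; account name and secret are placeholders.
SIP_CONF = """\
[general]
externip=www.jlisbz.com
localnet=192.168.0.0/255.255.255.0
fromdomain=www.jlisbz.com:5060
register => myuser:mysecret@vbuzzer.com

[vbuzzer]
type=peer
host=vbuzzer.com
"""
RTP_CONF = """\
[general]
rtpstart=10000
rtpend=20000
"""

def settings(text):
    """Return (key, value) pairs from Asterisk-style config text, skipping ';' comments."""
    pairs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = re.match(r"([\w-]+)\s*=>?\s*(.+)$", line)
        if m:
            pairs.append((m.group(1).lower(), m.group(2).strip()))
    return pairs

def check(sip_text, rtp_text):
    """Return a list of deviations from the four steps in the post."""
    sip, rtp = settings(sip_text), dict(settings(rtp_text))
    seen = {key for key, _ in sip}
    problems = [f"sip.conf: {k} is not set"
                for k in ("externip", "localnet", "fromdomain") if k not in seen]
    for key, value in sip:
        # register => user:secret@host[/extension]; peer sections use host=...
        host = value.rsplit("@", 1)[-1].split("/")[0] if key == "register" else value
        if key in ("register", "host") and "vbuzzer.com" in host.lower():
            problems.append(f"sip.conf: {key} uses vbuzzer.com, use {VBUZZER_SIP_IP}")
    start, end = int(rtp.get("rtpstart", 0)), int(rtp.get("rtpend", 0))
    if not 0 < start <= end or end - start > MAX_RTP_PORTS:
        problems.append(f"rtp.conf: range {start}-{end} missing or over {MAX_RTP_PORTS} ports")
    return problems

print("\n".join(check(SIP_CONF, RTP_CONF)))
```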

I just got an email back from vBuzzer support that told me "Please understand our dedication to provide low prices for calling services does not allow such support now and in near future". But guess what: I can be a volunteer for their support now. :-)

Java SSH implemented for my home network

This provides me the SSH remote control capability from anywhere within a browser.

The product I chose is MindTerm

qmailtoaster recognizes my contribution for the spamassassin upgrade

As I keep monitoring a couple of security lists, I noticed last week that spamassassin, one of the software packages used in the qmailtoaster package for defending against spam, has a vulnerability which could be exploited by attackers to execute arbitrary commands. As I use qmailtoaster for my email server, I decided to upgrade it to 3.1.3. Then I emailed the source RPM to both Mr. Nick Hemmesch and Mr. Erik A. Espinoza.

It's a small thing, but both of them were so kind as to give me the credit for this upgrade. Thanks, guys.

changelog

Windows XP security tools from Microsoft

Microsoft used to think you would be secure if you took care of the personal firewall, auto update and anti-virus. :-) So they have these three categories in their Security Center. Microsoft can now provide a personal firewall and auto update built into the Windows distribution, and has left a little space for the anti-virus vendors. Microsoft also provides an anti-spyware tool which is now called "Windows Defender". The formal release of Windows Defender is still to come, but the beta version gives me some comfort. It's basically the old anti-spyware plus a software explorer. The software explorer can show Startup programs, Currently running programs, Network-connected programs and Winsock service providers. It's handy to have them together, and you can remove/disable the unwanted items or end processes.

When I did my check with Windows Defender, I noticed in the Network-connected programs category that the VNC program was still listening on ports 5800 and 5900. I thought it shouldn't be there, as I always turn off the little TightVNC icon that shows up in the system tray. So I launched the service manager and found the VNC service was up and running. I had run a VA scanner against this PC before but didn't find these ports, as my Windows firewall silently dropped the incoming requests. But there would definitely be a problem if I happened to turn the firewall off. So I turned it off and disabled the service to make sure it will no longer start up by itself. This is a good example of how a handy tool can help you busy techies.

Overall, it's nice to have Windows Defender. Plus the three categories in security center, you should have pretty good coverage for Windows XP security.
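The gap described above (a service that listens locally but is invisible to an external scan because the host firewall drops the probes) can be checked by comparing the host's own listener list with the scanner's results. This is an added example, not part of the original post; the `netstat -ano` sample, the PIDs and the empty scan result are constructed.

```python
import re

VNC_PORTS = {5800, 5900}   # the two ports named in the post

# Constructed sample of `netstat -ano` output from a Windows host.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1480
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       2012
  TCP    192.168.0.20:1045      192.168.0.1:80         ESTABLISHED     2400
"""
SCANNER_OPEN_PORTS = set()  # constructed: the external scan reported nothing open

def listeners(netstat_text):
    """Return {port: pid} for TCP sockets listening on a non-loopback address."""
    found = {}
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)", line)
        if m and not m.group(1).startswith("127."):
            found[int(m.group(2))] = int(m.group(3))
    return found

def firewall_masked(netstat_text, scanner_open):
    """Ports that listen locally but were not seen by the external scan.

    These are reachable the moment the host firewall is switched off.
    """
    local = listeners(netstat_text)
    return {port: pid for port, pid in local.items() if port not in scanner_open}

def masked_vnc(netstat_text, scanner_open):
    """Sorted VNC ports among the firewall-masked listeners."""
    return sorted(set(firewall_masked(netstat_text, scanner_open)) & VNC_PORTS)

for port, pid in sorted(firewall_masked(NETSTAT, SCANNER_OPEN_PORTS).items()):
    note = "  <- VNC" if port in VNC_PORTS else ""
    print(f"port {port} (pid {pid}) listens but was not seen by the scan{note}")
```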

Plaxo is great but need to be careful with the duplication

The online contact database service from www.plaxo.com is great for helping me keep my contacts in sync between Exchange/Outlook and Thunderbird. Once you set up an account, you can install a plugin into Outlook and Thunderbird so that any change you make will be synced through the web-based service.

But you need to take extra precaution when you re-install your Outlook. I once had Plaxo create all the entries from the online database in the Outlook/Exchange database when I re-installed the Outlook client. All the contact items just doubled into two exactly identical items. As I don't want to pay for the premium service just to fix this kind of duplicate, I had to go through around two hundred items to remove the redundant ones. I often like redundancy as I design my network, but not this kind. :-) After that, I deleted the contacts folder on the Plaxo web site and re-synced again.

So when you re-install Outlook, which will retrieve contacts from the Exchange server, just delete the contacts/calendar etc. on the web site first; then you can install the Plaxo plugin and sync up to the web server.

Or you can delete all contacts/calendar etc. on your Exchange server first, then install the plugin to pull data from the web server.

As a good practice, it's always good to back up data using export from the Plaxo web site.

NTOP is a memory hog

It's a great tool to dissect your traffic types. You can use it to analyze traffic patterns into your site when you put it outside of your firewall, or you can use it to analyze your user behavior when installed on your user segment. It detects the host OS properly. The report is very detailed, including active sessions, their latency, etc.

One of the active sessions:

[Screenshot: ntop active session]

This test is done on a Dell 750 server with P4 2.8G, 512M RAM and 80G SATA HD.

But when the network is busy, NTOP eats up memory very fast. For example, it used up about 300M of memory when "85.0 MB [324,151 Pkts]" had passed its horizon, and about 700M after "203.6 MB [691,806 Pkts]" had passed. The good news is that memory usage slows down once it reaches some point. It was around 800M after "504.3 MB [1,624,032 Pkts]", and it's now 1.1G after "1.1 GB [3,821,462 Pkts]".

I checked with www.ntop.org; it says of the memory requirement, "In general it ranges from a few MB (little LAN) to 100 MB for a WAN." Why did the memory usage keep rising on my machine? Something is not right. Probably it's because I am using the NST-bundled NTOP. Need to find out.

The data files only occupy a couple of megabytes.

According to the man page, "-x -X ntop creates a new hash/list entry for each new host/TCP session seen. In case of DOS (Denial Of Service) an attacker can easily exhaust all the host available memory because ntop is creating entries for dummy hosts. In order to avoid this you can set an upper limit in order to limit the memory ntop can use." and " -c --sticky-hosts Use this parameter to prevent idle hosts from being purged from memory." In the current conf file, there is no sticky and no -x or -X.

Tried to use both -x 1000000 and -X 1000000 in ntop, will see the result soon.

One example of snowball effect caused by wrong configuration for workstation network property

This afternoon I noticed that one of my virtual PCs could not connect to the Internet. At first I thought it could be the buggy Microsoft Virtual PC software/WinXP, so I restarted the whole thing including the host OS, as I had not restarted it for a long while. It didn't work! As I have access to all firewalls/switches for security admin purposes, I decided to give it a shot.

Soon I found out from one of the firewall ARP tables that the MAC for the IP of my virtual PC was not the one it should be. I checked the DHCP server but didn't find anything wrong, and my virtual PC was getting that IP perfectly fine. Someone was using a static IP in the DHCP range. Again! It didn't take much time to find Tony, who realized the issue right away, and here is his explanation. He started his workstation in the morning but found he could not get anywhere. He restarted a couple of times and eventually changed his IP to the one next to the one assigned by DHCP. Another static IP in the DHCP range! So I asked him to release and wait for my further instruction. Then I worked with my network engineer to find out who used this IP. Soon another workstation was found and disconnected. I asked Tony to renew his IP and made sure he was happy to do his work. Then I got my virtual PC connected.

Now the problem is resolved. I sent out an email to my team as a reminder of DHCP discipline. It's lucky that not too many users were affected today, but it could end up in big chaos if more people got affected, set up static IPs, and then affected even more people.

So policy comes in as a vital player, along with user education etc.

This can be restricted in a variety of ways in an environment that requires higher security.
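The manual check in this story (comparing the firewall's ARP table with what the DHCP server handed out) can be automated. The following is an added example, not part of the original post; the address range, leases, MAC addresses and the function name are all constructed for illustration and mirror the chain of events described above.

```python
import ipaddress

# Constructed sample data: private addresses and made-up MACs.
DHCP_RANGE = ("192.168.10.100", "192.168.10.200")
DHCP_LEASES = {                       # ip -> MAC the DHCP server leased it to
    "192.168.10.120": "00:03:ff:aa:bb:01",    # the virtual PC
    "192.168.10.119": "00:11:22:33:44:02",    # a workstation's original lease
}
FIREWALL_ARP = [                      # (ip, mac) pairs from the firewall's ARP table
    ("192.168.10.120", "00-11-22-33-44-02"),  # workstation moved itself to the next IP
    ("192.168.10.119", "00:AA:BB:CC:DD:03"),  # another statically configured host
    ("192.168.10.150", "00:aa:bb:cc:dd:04"),  # inside the range, no lease at all
    ("192.168.10.10", "00:aa:bb:cc:dd:05"),   # outside the DHCP range: static is fine
]

def norm(mac):
    """Normalise MAC notation (case, '-' vs ':') so comparisons are reliable."""
    return mac.lower().replace("-", ":")

def find_static_squatters(arp, leases, dhcp_range):
    """Return (ip, mac, reason) for ARP entries in the DHCP range that match no lease."""
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
    leased = {ip: norm(mac) for ip, mac in leases.items()}
    findings = []
    for ip, mac in arp:
        if not lo <= ipaddress.ip_address(ip) <= hi:
            continue                  # static addressing outside the pool is allowed
        owner = leased.get(ip)
        if owner is None:
            findings.append((ip, norm(mac), "static IP inside DHCP range, no lease"))
        elif owner != norm(mac):
            findings.append((ip, norm(mac), f"conflict: leased to {owner}"))
    return findings

for ip, mac, reason in find_static_squatters(FIREWALL_ARP, DHCP_LEASES, DHCP_RANGE):
    print(f"{ip:<16}{mac}  {reason}")
```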

Run multiple snort daemons in one engine

In snortcenter 2, it says "Once Sensor Agent can handle multiple snort daemons if the system has multiple network interfaces". If you need to run multiple daemons in one engine on one interface, you seem to be out of luck.

The snortcenter agent uses the parameters passed by curl from snortcenter to construct two files, one for the config and another for the command line options. These two files need to be different for different daemons. After reviewing the source code, I found there is one parameter passed to the snortcenter agent called r_option, which is taken from the sensor command line option tag after -R. The -R tag is used in snort to create a distinct PID file, and this tag after -R is also used by the snortcenter agent to construct those two file names.

So the way to run multiple snort daemons in one engine on one interface is:

  1. Use different sensor names for different daemons.
  2. Use "-R tag" at the end of the command line options when defining the sensor in snortcenter.

One use for this is to run multiple daemons for multiple policy sets. For example, one daemon checks for policy violations while the other checks the intrusion signatures for valid traffic.

A security risk management tool from Skybox

I came across the Skybox Risk Management suite, which can integrate network/firewall/servers into one view to analyze the overall security. It can help you put together regulation/standard requirements, vulnerabilities, network security etc. Here is the snippet:

Skybox's award-winning product, Skybox View™ creates a virtual Integrated Security Model (ISM) in order to understand IT network security risks, control dependencies and proposed changes within the context of your overall network design.

This virtual model can be safely attacked, changed, and analyzed for the purpose of improving the security profile of the network as well as verifying security control compliance with defined policies.

The result is a more secure network, operational efficiency and reduced IT workload. This is achieved through continuous evaluation of an organization network security risk and connectivity profile.

Travel to Orlando Disney World

Today we started our bus tour with TourEast to Orlando Disney World. I decided on a bus tour just because it's much cheaper during March break and I want to check out more places, as it's the first time I have been to the USA.
The bus went through the Peace Bridge US customs, then took highways 90-79-19-77.

Along HW19, there are at least 2 Peiking buffets. We had dinner at the one in Beckley. The food was good.

Night stay at around 11:30PM in the Comfort Inn. It's in Jonesville, North Carolina, and it has free wireless Internet access; I tried it and the connectivity is good.

I can almost get my blackberry connected everywhere. Noticed the provider is changing from time to time. They are Cingular, AT&T, 1-80?? etc.

What a long trip. Tired and I will sure have a good sleep.
