Network

Home Made TAP from Patch Panel

This idea is from the snort.org web site for an invisible tap. Basically, with a 24-port patch panel you can have 6 full duplex 100M taps right from it. Each tap uses 4 ports: two for the host connections and the other two for the tap itself. For example, I have port 1 and 4 for the hosts and 2 and 3 for the tap. I use 4 wires to connect the following 4 pin groups:

  1. pin 1 of port 1, pin 3 of port 2 and pin 1 of port 4
  2. pin 2 of port 1, pin 6 of port 2 and pin 2 of port 4
  3. pin 3 of port 1, pin 3 of port 3 and pin 3 of port 4
  4. pin 6 of port 1, pin 6 of port 3 and pin 6 of port 4

After that, you can get traffic from port 2 and port 3, one for the sending and one for the receiving direction. Then you can use interface bonding to set up a virtual interface that captures the full duplex 100Mbps traffic. Cool!
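To make the wiring easier to reason about, here is an added example (not from the post or from snort.org) that models the pin groups above in Python and generalizes them to all six taps on a 24-port panel. The port layout (first and fourth port of each block of four for the hosts, the middle two for the tap) and the 100BASE-TX pin roles (1,2 transmit; 3,6 receive) are assumptions taken from the description; the functions and names are mine. The check it performs is the property that makes the tap passive: the tap ports are wired on their receive pair only, so a sniffer plugged into them cannot transmit onto the link.

```python
# Added example: model of the patch-panel passive tap wiring described above.
# Assumes 100BASE-TX pin roles and the port layout from the post (host ports
# at base and base+3, sniffer ports at base+1 and base+2).

TX_PINS = (1, 2)   # a 100BASE-TX station transmits on pins 1 and 2
RX_PINS = (3, 6)   # and receives on pins 3 and 6


def tap_wiring(base):
    """Return the four wire groups for one tap whose first port is `base`.

    Each group is a list of (port, pin) tuples joined by one wire, exactly as
    the post lists them for base=1 (ports 1 and 4 host, 2 and 3 tap).
    """
    host_a, tap_a, tap_b, host_b = base, base + 1, base + 2, base + 3
    return [
        [(host_a, 1), (tap_a, 3), (host_b, 1)],  # group 1
        [(host_a, 2), (tap_a, 6), (host_b, 2)],  # group 2
        [(host_a, 3), (tap_b, 3), (host_b, 3)],  # group 3
        [(host_a, 6), (tap_b, 6), (host_b, 6)],  # group 4
    ]


def panel_wiring(ports=24):
    """Wire every block of four consecutive ports as one tap (6 taps on 24 ports)."""
    if ports % 4:
        raise ValueError("port count must be a multiple of 4")
    groups = []
    for base in range(1, ports + 1, 4):
        groups.extend(tap_wiring(base))
    return groups


def tap_port_numbers(ports=24):
    """Sniffer ports for this layout: the middle two of every block of four."""
    return [p for base in range(1, ports + 1, 4) for p in (base + 1, base + 2)]


def bridged_host_pins(groups, tap_port):
    """Host-side pins that a given tap port listens on (1,2 = one direction, 3,6 = the other)."""
    pins = set()
    for group in groups:
        if any(port == tap_port for port, _ in group):
            pins.update(pin for port, pin in group if port != tap_port)
    return sorted(pins)


def is_listen_only(groups, taps):
    """True when no tap port has a wire on its transmit pair and no pin is used twice."""
    used = set()
    for group in groups:
        for port, pin in group:
            if (port, pin) in used:
                return False          # same pin in two groups would short two links
            used.add((port, pin))
            if port in taps and pin in TX_PINS:
                return False          # a wire on the tap's TX pair: sniffer could inject
    return True


if __name__ == "__main__":
    wiring = panel_wiring()
    taps = set(tap_port_numbers())
    print("listen-only:", is_listen_only(wiring, taps))
    for tap in sorted(taps)[:2]:
        print(f"port {tap} sees host pins {bridged_host_pins(wiring, tap)}")
```

Port 2 comes out bridged to host pins 1 and 2 and port 3 to pins 3 and 6, which is the "one for sending, one for receiving" split that the bonded capture interface later reassembles.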

vBuzzer tricks

Just dived into the hot VoIP technology a while ago. Started with the adapters, then Asterisk, and now integration of all that cool stuff.

vBuzzer provides a very inexpensive DID service in the Toronto area (although not free, as it is for some other lucky guys). It's SIP compatible, but only the vBuzzer software is officially supported. My goal is to set up my home Asterisk box to work with vBuzzer. Here is my journey.

First I found this great post at http://www.voip-info.org/wiki/view/Asterisk+settings+vBuzzer, set it up and tested it. Outbound was working but not inbound.

Searched again and found a lot of people complaining about the inbound issue when using adapters or Asterisk. Hmmm, let me try.

After a lot of sniffed data, firewall tuning, config changes etc., I had my vBuzzer service working properly with my Asterisk box. It's been up and running for more than two weeks now, so I would like to share this with my readers.

  1. sip.conf: make sure externip, localnet and fromdomain are set up properly. For example:
    externip=www.jlisbz.com
    localnet=192.168.0.0/255.255.255.0
    fromdomain=www.jlisbz.com:5060
  2. rtp.conf: make sure rtpstart and rtpend are in a smaller range for your firewall so you can forward them to your Asterisk box. For example:
    rtpstart=10000
    rtpend=11000
  3. Your firewall needs to allow and forward UDP 5060 (SIP) and UDP rtpstart-rtpend (RTP) into your Asterisk box.
  4. In the register string and peer setup, DO NOT use vbuzzer.com as the host; please use 209.47.41.48 instead. This is very, very important, as you will not get the SIP INVITE for inbound signaling from the vBuzzer servers if you don't use .48. I don't know why they set it up that way, but I just happened to find that after a couple of sniffing sessions.

You should be able to get inbound calls now. Sometimes it takes a short while to become effective, but it should be less than 5 minutes in my experience. I saw someone post that you need to wait for hours to get inbound calls. Maybe they didn't set the host IP properly.
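The four points above are easy to get subtly wrong, so here is an added example (not from the post and not part of Asterisk) that lints a sip.conf and rtp.conf for exactly those points: the three [general] keys are present, the RTP range is small enough to forward, and neither the register string nor any peer uses vbuzzer.com as the host instead of 209.47.41.48. The sample configs are constructed: the hostname, local net and RTP ports are the values from the post, the [vbuzzer] peer section is mine, and USERNAME/PASSWORD are placeholders. The parser is a minimal reading of Asterisk's key=value / key => value sections, written here, not Asterisk's own.

```python
# Added example: lint Asterisk sip.conf / rtp.conf for the vBuzzer checks in the post.
# Parser and checks are this example's own; sample configs are constructed.

VBUZZER_HOST = "209.47.41.48"   # the host the post says must be used for register and peer
MAX_RTP_PORTS = 1000            # assumption: a range this size is still easy to forward

SIP_CONF_OK = """\
[general]
externip=www.jlisbz.com
localnet=192.168.0.0/255.255.255.0
fromdomain=www.jlisbz.com:5060
register => USERNAME:PASSWORD@209.47.41.48/USERNAME   ; placeholder credentials

[vbuzzer]   ; constructed peer section
type=peer
host=209.47.41.48
"""

# Same config with the mistake from point 4: DNS name instead of the .48 address.
SIP_CONF_BAD = SIP_CONF_OK.replace("209.47.41.48", "vbuzzer.com")

RTP_CONF_OK = """\
[general]
rtpstart=10000
rtpend=11000
"""


def parse_asterisk_conf(text):
    """Minimal Asterisk config parser: [section] blocks of key=value or key => value.

    Keys may repeat inside a section (Asterisk allows it), so values are lists.
    Text after ';' is a comment.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if "=>" in line:
            key, value = line.split("=>", 1)
        elif "=" in line:
            key, value = line.split("=", 1)
        else:
            continue
        sections.setdefault(current, {}).setdefault(key.strip(), []).append(value.strip())
    return sections


def lint_sip(text):
    """Return a list of findings for points 1 and 4; empty list means clean."""
    findings = []
    conf = parse_asterisk_conf(text)
    general = conf.get("general", {})
    for key in ("externip", "localnet", "fromdomain"):
        if key not in general:
            findings.append(f"[general] is missing {key}")
    # register => user:secret@host/extension : the host part must be the .48 address
    for reg in general.get("register", []):
        host = reg.split("@", 1)[-1].split("/", 1)[0]
        if host != VBUZZER_HOST:
            findings.append(f"register string uses host {host!r}, expected {VBUZZER_HOST}")
    for name, section in conf.items():
        for host in section.get("host", []):
            if host.endswith("vbuzzer.com"):
                findings.append(f"[{name}] host={host}: use {VBUZZER_HOST} instead")
    return findings


def lint_rtp(text, max_ports=MAX_RTP_PORTS):
    """Return findings for point 2: rtpstart/rtpend present, ordered and not too wide."""
    general = parse_asterisk_conf(text).get("general", {})
    try:
        start, end = int(general["rtpstart"][-1]), int(general["rtpend"][-1])
    except (KeyError, ValueError):
        return ["[general] needs numeric rtpstart and rtpend"]
    if start >= end:
        return ["rtpstart must be below rtpend"]
    if end - start > max_ports:
        return [f"RTP range {start}-{end} spans {end - start} ports; narrow it so the firewall can forward it"]
    return []


def forwarded_udp_ports(rtp_text):
    """Point 3: the UDP ports the firewall must forward, SIP 5060 plus the RTP range."""
    general = parse_asterisk_conf(rtp_text)["general"]
    return (5060, int(general["rtpstart"][-1]), int(general["rtpend"][-1]))


if __name__ == "__main__":
    print("sip ok :", lint_sip(SIP_CONF_OK))
    print("sip bad:", lint_sip(SIP_CONF_BAD))
    print("rtp    :", lint_rtp(RTP_CONF_OK), forwarded_udp_ports(RTP_CONF_OK))
```

Running it against SIP_CONF_BAD reports both the register string and the peer host, which is the failure mode the post describes: registration works and outbound calls go through, but the inbound INVITE never arrives.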

I just got an email back from vBuzzer support that told me "Please understand our dedication to provide low prices for calling services does not allow such support now and in near future". But guess what, I can be a volunteer for their support now. :-)

NTOP is a memory hog

It's a great tool to dissect your traffic types. You can use it to analyze the traffic pattern into your site when you put it outside of your firewall, or you can use it to analyze your users' behavior when it is installed on your user segment. It detects host OS properly. The report is very detailed, including active sessions, their latency etc. etc.

One of the active sessions:

[screenshot: ntop active session]

This test was done on a Dell 750 server with a P4 2.8G, 512M RAM and an 80G SATA HD.

But when the network is busy, NTOP eats up memory very fast. For example, it had used up about 300M of memory when "85.0 MB [324,151 Pkts]" had passed its horizon, and about 700M after "203.6 MB [691,806 Pkts]" had passed. The good news is that the memory growth slows down once it reaches some point: it was around 800M after "504.3 MB [1,624,032 Pkts]", and it's now 1.1G after "1.1 GB [3,821,462 Pkts]".

I checked with www.ntop.org, which says of the memory requirement: "In general it ranges from a few MB (little LAN) to 100 MB for a WAN." Why did the memory usage keep rising on my machine? Something is not right. Probably it's because I am using the NST-bundled NTOP. Need to find out.

The data files only occupy a couple of megabytes.

According to the man page, "-x -X ntop creates a new hash/list entry for each new host/TCP session seen. In case of DOS (Denial Of Service) an attacker can easily exhaust all the host available memory because ntop is creating entries for dummy hosts. In order to avoid this you can set an upper limit in order to limit the memory ntop can use." and "-c --sticky-hosts Use this parameter to prevent idle hosts from being purged from memory." In the current conf file there is no sticky-hosts and no -x or -X.

Tried using both -x 1000000 and -X 1000000 in ntop; will see the result soon.

One example of a snowball effect caused by a wrong workstation network configuration

This afternoon I noticed that one of my virtual PCs could not connect to the Internet. At first I thought it could be the buggy Microsoft Virtual PC software/WinXP, so I restarted the whole thing, including the host OS, as I had not restarted it for a long while. It didn't work! As I have access to all firewalls/switches for security admin purposes, I decided to give it a shot.

Soon I found out from one of the firewall ARP tables that the MAC for the IP of my virtual PC was not the one it should be. Checked the DHCP server but didn't find anything wrong, and my virtual PC was getting that IP perfectly fine. Someone was using a static IP in the DHCP range, again! It didn't take too much time to find out it was Tony, who realized the issue right away, but here is his explanation. He started his workstation in the morning but found he could not get anywhere. Restarted a couple of times and eventually changed his IP to the one next to the one assigned by DHCP. Another static IP in the DHCP range! So I asked him to release it and wait for my further instructions. Then I worked with my network engineer to find out who used this IP. Soon another workstation was found and disconnected. I asked Tony to renew his IP and made sure he was happy to do his work. Then I got my virtual PC connected.

Now the problem is resolved. I sent out an email to my team to remind them of DHCP discipline. It's lucky that not too many users got affected today, but it may end up in big chaos if more people get affected, set up static IPs, and then affect even more people.

So policy comes in as a vital player, user education etc. etc.

This can be restricted in a variety of ways in an environment that requires higher security.
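The check that found the problem above, comparing a firewall's ARP table against the DHCP server's leases, is easy to script so it runs before a user notices. Here is an added example (not from the post) that does that over constructed sample data: `ip neigh`-style neighbour lines for the ARP side and a simple "ip,mac" list standing in for a lease export. The pool range 192.168.0.100-199, the MAC addresses (from the documentation range 00:00:5e:00:53:xx) and the lease format are all assumptions of this example. Any address inside the pool whose ARP MAC does not match the leased MAC, or that has no lease at all, is a static address squatting in the DHCP range.

```python
# Added example: find static addresses inside the DHCP pool by reconciling an
# ARP/neighbour table with the DHCP server's leases. All sample data is constructed.

import ipaddress

# Constructed 'ip neigh show' style output as seen from the firewall.
ARP_TABLE = """\
192.168.0.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.168.0.120 dev eth0 lladdr 00:00:5e:00:53:20 REACHABLE
192.168.0.121 dev eth0 lladdr 00:00:5e:00:53:21 STALE
192.168.0.122 dev eth0 lladdr 00:00:5e:00:53:22 REACHABLE
192.168.0.150 dev eth0 FAILED
"""

# Constructed lease export, one "ip,mac" per line (the DHCP server's view).
DHCP_LEASES = """\
192.168.0.120,00:00:5e:00:53:aa
192.168.0.121,00:00:5e:00:53:21
"""

DHCP_POOL = ("192.168.0.100", "192.168.0.199")   # assumed pool boundaries


def parse_arp(text):
    """Map ip -> mac from 'ip neigh' style lines; entries without lladdr (FAILED) are skipped."""
    table = {}
    for line in text.splitlines():
        tokens = line.split()
        if "lladdr" in tokens:
            table[tokens[0]] = tokens[tokens.index("lladdr") + 1].lower()
    return table


def parse_leases(text):
    """Map ip -> mac from 'ip,mac' lines."""
    leases = {}
    for line in text.splitlines():
        if "," in line:
            ip, mac = line.split(",", 1)
            leases[ip.strip()] = mac.strip().lower()
    return leases


def find_pool_conflicts(arp, leases, pool=DHCP_POOL):
    """Return [(ip, arp_mac, lease_mac_or_None)] for pool addresses whose ARP MAC is not the leased one.

    lease_mac None means the address is in use with no lease at all; a different
    MAC means a static host is fighting the DHCP client that holds the lease.
    """
    start, end = (ipaddress.ip_address(p) for p in pool)
    conflicts = []
    for ip_str, mac in sorted(arp.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        ip = ipaddress.ip_address(ip_str)
        if not (start <= ip <= end):
            continue                      # outside the pool: static is expected there
        leased = leases.get(ip_str)
        if leased != mac:
            conflicts.append((ip_str, mac, leased))
    return conflicts


if __name__ == "__main__":
    for ip, seen, leased in find_pool_conflicts(parse_arp(ARP_TABLE), parse_leases(DHCP_LEASES)):
        reason = "no lease" if leased is None else f"lease belongs to {leased}"
        print(f"{ip}: seen from {seen}, {reason}")
```

With the sample data it flags .120 (the address the DHCP client holds, answered by a different MAC) and .122 (in use with no lease at all); the gateway at .1 is outside the pool and is not reported. Running this on a schedule against the switch or firewall neighbour table turns the afternoon of detective work in the post into a one-line alert.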
