That is not true, of course.
I simply applied to Skype the same idea of security that produces an “Open Source Genius.”
Let’s leave Skype aside and look at what really happened.
Giacomo Brusciati of Comunica.Meta srl, an installer of telephone systems in the Marche region, has installed about 2,200 systems, first ISDN and then VoIP.
Like every day, Giacomo is installing a new PBX. Today it is on a beautiful farm with several sites, and he reaches the point of connecting the remote IP phones.
The farm has a firewall supplied and configured by a “leading Italian company” that does EVERYTHING (and is therefore a leader in everything): phone system, firewall, CRM, NAS, fax server, antivirus, anti-spam, remote assistance and so on.
In short, a product range not even Cisco has.
Giacomo sends an e-mail asking that the ports for SIP over TLS be opened on the firewall so the remote phones can connect.
Answer:
“This practice is STRONGLY NOT RECOMMENDED by us because the SIP protocol is very weak.”
Giacomo points out that the fact that their system is weak (a FreePBX configured more or less at random) does not mean that everyone else’s is, and replies:
“I would like to clarify that our system is different from that of an asterisk system, therefore, please avoid (at each of our requests to open the ports) PSYCHOLOGICAL TERROR to the customer.”
The “Open Source Genius” doesn’t give up:
“The SIP protocol is inherently unsafe, communications over it vulnerable.”
Giacomo gets angry, has the ports opened anyway, and finishes the job.
Result? Two days of work that could have been done in one hour.
Did Giacomo do the right thing?
Or did he expose his client to unnecessary risks?
Can the SIP protocol be secure?
Secure SIP does exist, as we can deduce from some companies that are not “leaders” like the “Open Source Genius” but that exist nonetheless and cannot be ignored.
All telecom operators, such as Fastweb, Telecom, TWT, Wind, etc., as well as all manufacturers of VoIP systems, such as Avaya, Cisco, ShoreTel, Mitel, BroadSoft, Unify, Microsoft, Alcatel, etc., use SIP.
Either they are all criminals and imbeciles, or our “Open Source Geniuses” are missing something.
So why do they say that SIP is not secure?
A SIP account is protected by a login (usually the extension number) and a password. Typical login and password pairs chosen by “Open Source Geniuses” are:
1200 / 1200
100 / 1234
203 / 0000
320 / password
How does the “very complicated” attack on such a system work?
With “bad” software, downloaded for free from the internet:
- Scan the internet and find a SIP server
- Send registration requests for a range of extension numbers: 100, 101 … 1000, 1001 …
- Attempt to log in with each extension number and a password taken from a database
- What is in the database? “0000”, “1234”, “password” and a few million more words.
Even when the attack fails, the inconvenience for the customer is considerable: the server slows down (it is busy answering authentication requests) and the internet line is saturated.
How do you solve the problem?
- do as the “Open Source Genius” says, i.e. install an insecure server and then hide it well (at this point it would be interesting to know how secure the firewall is)…
- do as Giacomo (and Fastweb, Telecom, etc.) do, and install a SIP system that is secure on its own
What a secure SIP server does:
- Automatically generates strong passwords and does not accept weak ones, even if Giacomo wants to use them
- Does not answer unauthorized requests for extension 100 and the like, so a scan learns nothing about which extensions exist
- If the “bad” software shows up, the source IP is blocked for 5 minutes; if it tries again, it is blocked for a day
- Has two levels of passwords: one for the user and one that the system uses to provision the phones automatically, so not even the user can pass the SIP password on to others
- Does not send data in the clear, but uses SIP over TLS (Transport Layer Security) for the signalling and SRTP (Secure Real-time Transport Protocol) for the audio, the standard encryption that makes SIP secure
Result:
- The system is secure
- The customer can communicate from wherever they want to
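To make the attack and the countermeasures above concrete, here is an added example (it is not code from this post, from FreePBX, or from any product named here): a miniature SIP registrar with RFC 3261 digest authentication, a password policy that refuses the “genius” defaults, an identical 403 for unknown extensions and wrong passwords, and a ban on the source IP that lasts 5 minutes the first time and one day the second time. The constructed dictionary sweep from one address shows how quickly the server stops answering. The realm, URI, addresses, passwords, the word list and the threshold of five failures before a ban are all assumptions of the example; the post only gives the 5-minute and one-day durations.

```python
"""Added example, not code from the original post or from any product it names.
A miniature SIP registrar with RFC 3261 digest authentication (qop omitted,
the RFC 2617 legacy form) plus the countermeasures listed above: a password
policy, an identical answer for unknown and wrong-password extensions, and
a 5-minute ban that escalates to one day. All names, addresses, passwords,
thresholds and the attacker's word list are constructed for the example."""
import hashlib
import secrets
import time

SAMPLE_DICTIONARY = {"0000", "1234", "password", "123456"}  # constructed stand-in for the attacker's database


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """What a phone (or the 'bad' software) sends back to a 401 challenge."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def password_is_acceptable(pw: str) -> bool:
    """Assumed policy: long, not all digits (extension numbers), not in the known-weak list."""
    return len(pw) >= 12 and not pw.isdigit() and pw.lower() not in SAMPLE_DICTIONARY


class Registrar:
    REALM, URI = "pbx.example", "sip:pbx.example"          # assumed names
    FAILS_BEFORE_BAN, FIRST_BAN, SECOND_BAN = 5, 300, 86400  # 5 failures; 5 minutes, then one day

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}      # extension -> HA1; the password itself is never stored
        self.nonces = set()     # challenges issued and not yet consumed
        self.fails, self.ban_count, self.banned_until = {}, {}, {}

    def provision(self, ext, password):
        if not password_is_acceptable(password):
            raise ValueError(f"refusing weak password for extension {ext}")
        self.accounts[ext] = md5hex(f"{ext}:{self.REALM}:{password}")

    def is_banned(self, ip):
        return self.banned_until.get(ip, 0) > self.clock()

    def challenge(self, ip):
        """First REGISTER: answer with a 401 nonce, or nothing at all if the source is banned."""
        if self.is_banned(ip):
            return None
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def register(self, ip, ext, nonce, response):
        """Second REGISTER carrying the digest. Unknown extension and bad password
        both yield the same 403, so a sweep cannot learn which extensions exist."""
        if self.is_banned(ip):
            return None
        ok = False
        if nonce in self.nonces:
            self.nonces.discard(nonce)          # one use per nonce: no replay
            ha1 = self.accounts.get(ext)
            if ha1 is not None:
                expected = md5hex(f"{ha1}:{nonce}:{md5hex(f'REGISTER:{self.URI}')}")
                ok = secrets.compare_digest(expected, response)
        if ok:
            self.fails.pop(ip, None)
            return "200 OK"
        self._record_failure(ip)
        return "403 Forbidden"

    def _record_failure(self, ip):
        self.fails[ip] = self.fails.get(ip, 0) + 1
        if self.fails[ip] >= self.FAILS_BEFORE_BAN:
            self.fails[ip] = 0
            n = self.ban_count[ip] = self.ban_count.get(ip, 0) + 1
            self.banned_until[ip] = self.clock() + (self.FIRST_BAN if n == 1 else self.SECOND_BAN)


def dictionary_sweep(reg, ip, extensions, wordlist):
    """The attack from the list above: every extension, every word, from one source."""
    outcomes = {"200 OK": 0, "403 Forbidden": 0, "dropped": 0}
    for ext in extensions:
        for pw in wordlist:
            nonce = reg.challenge(ip)
            if nonce is None:
                outcomes["dropped"] += 1
                continue
            resp = digest_response(ext, reg.REALM, pw, nonce, "REGISTER", reg.URI)
            outcomes[reg.register(ip, ext, nonce, resp)] += 1
    return outcomes


def demo():
    now = [1_700_000_000.0]                       # constructed clock: deterministic, no sleeping
    reg = Registrar(clock=lambda: now[0])
    reg.provision("100", "correct-horse-battery-staple-7")
    try:
        reg.provision("101", "1234")              # the "genius" default: refused
        weak_refused = False
    except ValueError:
        weak_refused = True
    attacker = "198.51.100.7"
    exts, words = [str(e) for e in range(100, 105)], ["0000", "1234", "password", "100"]
    sweep1 = dictionary_sweep(reg, attacker, exts, words)   # 5 answers, then silence for 5 minutes
    now[0] += 301
    sweep2 = dictionary_sweep(reg, attacker, exts, words)   # 5 more, then a one-day ban
    now[0] += 3600
    sweep3 = dictionary_sweep(reg, attacker, exts, words)   # an hour later: still nothing
    phone = "203.0.113.9"                                   # the real phone, from another address
    nonce = reg.challenge(phone)
    legit = reg.register(phone, "100", nonce, digest_response(
        "100", reg.REALM, "correct-horse-battery-staple-7", nonce, "REGISTER", reg.URI))
    return {"weak_refused": weak_refused, "sweep1": sweep1, "sweep2": sweep2,
            "sweep3": sweep3, "legit": legit, "bans": reg.ban_count[attacker]}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting. The registrar stores only HA1, so a leaked account table does not hand out passwords, and it verifies with a constant-time comparison. More important for the scenario in this post: a banned source gets no reply at all, not even a 401, which is what stops the attack from also saturating the line with challenge/response traffic. In a real deployment the same idea is what fail2ban-style tools do in front of a PBX; this example just shows the logic in one place.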
But doesn’t the “Open Source Genius” know this?
The “Genius” did nothing but download FreePBX for free, rename it VoIPTruz, put its own logo on the web interface and sell it to unsuspecting phone installers; neither of them has the faintest idea of what they are doing, at the expense of the unsuspecting customer.
Why do they do that?
The system, PBX or firewall, is their Trojan horse: what interests them is not what they earn from the sale of the product but creating a “partner in crisis” who needs to ask for assistance every day to do anything, and who is AFRAID to do anything on their own.
In short, they do not get rich on $65 an hour; they bleed your money in other ways to survive.
Stop letting the “Open Source Genius” on duty take your money!
- If you buy an iPhone 6 for $100, you’re buying a stolen phone: you’re a fence.
- If you buy an “unlimited extensions” PBX for $1,600 based on FreePBX, you are naive: you are buying a product that does not exist, you pay for hours of assistance you will not get, bankruptcy is waiting for you, and you deserve it.
In neither case is it entirely your fault, but you need to be a little more careful and assess seriously what you are buying.
If you want to experiment with Open Source, great: download FreePBX and try it at home, not in the office or at customers’ sites. You do not need a VoIPTruz that charges you to solve the problems it creates.
It really hurts me to see Giacomo suffering from your competition.
Unlike you, the customer looks at the price first.
He has never asked for money for his own mistakes or for those of the systems he installs.
In a word, Giacomo is responsible: he bears the consequences of his choices and does not pass them on to customers, so he chooses products that give him the same guarantees.
The difference between you and Giacomo?
Giacomo started out alone and today he finds himself with a beautiful company.
You started out with a nice company and by working with VoIPTruz you will find yourself working alone.
Thanks to those who leave a comment!
Stefano Osler