Netgate Discussion Forum

IDS/IPS on DMZ PBX System

11 Posts 3 Posters 1.0k Views
NollipfSense:

I am thinking of running Suricata on a DMZ PBX phone system. What rules have others used, apart from the Emerging-voip rules, and maybe why?

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

Patch (replying to @NollipfSense):

        @nollipfsense said in IDS/IPS on DMZ PBX System:

        What rules have others use

• Whitelist the ports and IP addresses the VoIP system needs to access.

• Use an alias for each VoIP company's IP addresses.

• Use an alias combining the VoIP-company-specific aliases in your firewall rules.

        I don't use Suricata but would consider it for location specific rules if remote access from a wider range of IP addresses was required.

NollipfSense (replying to @Patch):

@patch I was hoping that, since I mentioned IDS/IPS and posted in the IDS/IPS section of the forum, the response(s) would specifically be rules for either Suricata or Snort. Location will be just the U.S. or North America. I got my firewall set up... thanks for responding.

Patch (replying to @NollipfSense):

            @nollipfsense said in IDS/IPS on DMZ PBX System:

            rules on either Suricata or Snort. I got my firewall setup

So what specifically are you trying to achieve by using Suricata on PBX network traffic?

NollipfSense (replying to @Patch):

              @patch said in IDS/IPS on DMZ PBX System:

              @nollipfsense said in IDS/IPS on DMZ PBX System:

              rules on either Suricata or Snort. I got my firewall setup

So what specifically are you trying to achieve by using Suricata on PBX network traffic?

I don't know yet... I watched Jimp's video on setting up a DMZ, and that was one of the things mentioned towards the end, and it got me thinking. So, I looked through the Suricata rules, but only the Emerging-voip rules seem applicable... hence my quest to learn what others have done.

              I see Snort has voip rules as well as protocol_voip, even the protocol_voip.so rules.

NollipfSense:

I cannot imagine I am the only person wanting to use IDS/IPS on a phone system tied to pfSense. So, I share from my little research. Snort appears to be the tool to use, especially the VRT subscriber protocol-voip rules, of which there are two hundred and sixty-six (266), whereas for Suricata, according to https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#VOIP_Rules:

  VOIP Rules: A new and emerging ruleset. Small at the moment, but we expect it to grow soon.

                One can view the Snort subscriber rules for protocol-voip here:
                https://github.com/John-Lin/docker-snort/blob/master/snortrules-snapshot-2972/rules/protocol-voip.rules

                I also found this voip use case for IDS/IPS from Purdue University, if anyone wants to read: https://engineering.purdue.edu/dcsl/publications/papers/2009/voipids_ijis09_submit.pdf

So, I will be using Snort IDS as well as locking the firewall down super tight to make the DMZ phone system trusted. I might also use two SIP trunk providers.

SteveITS (Rebel Alliance, replying to @NollipfSense):

                  @nollipfsense Not sure the ET ruleset existed when I first set ours up? I would also add your SIP trunk provider IPs to the pass list. We also allow web connections and client ports by country.

                  Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to reboot, or more depending on packages, and device or disk speed.
                  Upvote 👍 helpful posts!

Patch (replying to @SteveITS):

                    @steveits said in IDS/IPS on DMZ PBX System:

                    I would also add your SIP trunk provider IPs to the pass list. We also allow web connections and client ports by country.

That's a cleaner way of saying what I was trying to convey in post #2:

• SIP trunk provider only via whitelisted IP / domain name and allowed ports (no IDS/IPS involved).

• Web and client connections (if your PBX is set up to allow them) may benefit from IDS/IPS, such as to restrict the countries access is allowed from.

NollipfSense (replying to @SteveITS):

@steveits & @Patch Yes, that's the way I had planned, except I shall use a WAN floating rule with the quick setting checked, with the SIP trunk provider IP and aliases for the ports.

Patch (replying to @NollipfSense):

                        @nollipfsense said in IDS/IPS on DMZ PBX System:

                        WAN floating rule with quickset check with the SIP trunk provider IP and aliases with the ports

I use:

1. Aliases for IP and port groups.

2. For incoming to my premises: a WAN rule associated with the PBX port-forwarding rule. It uses the aliases from 1 to limit the scope of the port forwarding.

3. For outgoing from my PBX VLAN: VLAN rules using the aliases from 1 to restrict outgoing traffic to the required ports & IP addresses.

Floating rules could be used to simulate the above but are less specific, so less maintainable IMO.

I don't currently allow external client access to my PBX, but if I did, restricting the exposure surface by country may be useful.

NollipfSense (replying to @Patch):
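The three-part scheme Patch lays out above (aliases for IP and port groups, an inbound WAN rule tied to the port forward, an outbound rule on the PBX VLAN), together with SteveITS's point about passing only the SIP trunk provider IPs, can be checked against sample traffic with a small policy model. The following is an added example, not code from the forum posters or from pfSense itself: it implements first-match evaluation with an implicit default deny over nested aliases, the way the described rule set behaves. All alias names, the PBX address 10.10.10.5, the provider ranges (RFC 5737 documentation prefixes), the SIP/RTP port numbers and the sample flows are constructed values.

```python
"""Model of a scoped PBX firewall policy (added example, not a real configuration).

Mirrors the scheme described in the thread: aliases for IP and port groups,
an inbound WAN rule associated with the PBX port forward that admits only the
SIP trunk providers, and an outbound PBX-VLAN rule that allows only the
required destinations and ports. Everything else falls to the default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Aliases (constructed values; RFC 5737 documentation ranges stand in for providers).
ALIASES = {
    "SIP_PROVIDER_A": ["203.0.113.0/24"],
    "SIP_PROVIDER_B": ["198.51.100.10", "198.51.100.11"],
    "SIP_PORTS": ["5060", "5061"],
    "RTP_PORTS": ["10000-20000"],
    "PBX_HOST": ["10.10.10.5"],
}
# Combined alias built from the provider-specific aliases (a nested alias).
ALIASES["SIP_PROVIDERS"] = ["SIP_PROVIDER_A", "SIP_PROVIDER_B"]


def expand_nets(name):
    """Resolve an address alias (recursively) into ip_network objects."""
    nets = []
    for entry in ALIASES[name]:
        if entry in ALIASES:
            nets.extend(expand_nets(entry))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def expand_ports(name):
    """Resolve a port alias (recursively) into (low, high) inclusive ranges."""
    ranges = []
    for entry in ALIASES[name]:
        if entry in ALIASES:
            ranges.extend(expand_ports(entry))
        elif "-" in entry:
            lo, hi = entry.split("-")
            ranges.append((int(lo), int(hi)))
        else:
            ranges.append((int(entry), int(entry)))
    return ranges


@dataclass(frozen=True)
class Flow:
    iface: str   # interface the packet arrives on
    proto: str
    src: str
    sport: int
    dst: str     # for WAN inbound this is the post-NAT (forwarded) destination
    dport: int


@dataclass(frozen=True)
class Rule:
    iface: str
    action: str
    proto: str
    src_alias: Optional[str]    # None means "any"
    dst_alias: Optional[str]
    dport_alias: Optional[str]


def _ip_in(alias, ip):
    if alias is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in expand_nets(alias))


def _port_in(alias, port):
    if alias is None:
        return True
    return any(lo <= port <= hi for lo, hi in expand_ports(alias))


def matches(rule, flow):
    return (rule.iface == flow.iface
            and rule.proto in (flow.proto, "any")
            and _ip_in(rule.src_alias, flow.src)
            and _ip_in(rule.dst_alias, flow.dst)
            and _port_in(rule.dport_alias, flow.dport))


RULES = [
    # Inbound on WAN: the rule associated with the port forward, scoped to trunk providers.
    Rule("wan", "pass", "udp", "SIP_PROVIDERS", "PBX_HOST", "SIP_PORTS"),
    Rule("wan", "pass", "udp", "SIP_PROVIDERS", "PBX_HOST", "RTP_PORTS"),
    # Outbound from the PBX VLAN: only the providers, only on the required ports.
    Rule("pbx_vlan", "pass", "udp", "PBX_HOST", "SIP_PROVIDERS", "SIP_PORTS"),
    Rule("pbx_vlan", "pass", "udp", "PBX_HOST", "SIP_PROVIDERS", "RTP_PORTS"),
]


def decide(flow, rules=RULES):
    """First matching rule wins; no match means the implicit default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "block"


# Constructed sample flows exercising each rule and the default deny.
SAMPLE_FLOWS = {
    "trunk_invite":     Flow("wan", "udp", "203.0.113.7", 5060, "10.10.10.5", 5060),
    "trunk_rtp":        Flow("wan", "udp", "198.51.100.10", 40000, "10.10.10.5", 12000),
    "stranger_sip":     Flow("wan", "udp", "192.0.2.44", 5060, "10.10.10.5", 5060),
    "trunk_wrong_port": Flow("wan", "udp", "203.0.113.7", 4444, "10.10.10.5", 22),
    "pbx_to_trunk":     Flow("pbx_vlan", "udp", "10.10.10.5", 5060, "203.0.113.7", 5060),
    "pbx_to_elsewhere": Flow("pbx_vlan", "udp", "10.10.10.5", 5060, "192.0.2.99", 5060),
}


def evaluate_samples():
    """Return the verdict for every sample flow."""
    return {name: decide(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:18s} -> {verdict}")
```

The point the model makes visible is that a provider address alone is not enough: a trunk provider source on a non-VoIP port is still blocked, and the PBX itself cannot reach anything outside the provider alias, which is what keeps the rule set narrower than a broad floating rule keyed only on the provider IPs.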

@patch I am learning how to use HAProxy's reverse proxy and a private domain (secret TLS/SNI) to help make the PBX more secure in the DMZ... very interesting... I'll post any questions I may have in the proxy section.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.