IDS/IPS on DMZ PBX System
-
I am thinking of running Suricata on a DMZ PBX phone system. What rules have others used, apart from the Emerging-voip rules, and maybe why?
-
@nollipfsense said in IDS/IPS on DMZ PBX System:
What rules have others used
- Whitelist the ports and IP addresses the VoIP system needs to access.
- Use an alias for each VoIP company's IP addresses.
- Use an alias combining the VoIP-company-specific aliases in your firewall rules.
I don't use Suricata but would consider it for location specific rules if remote access from a wider range of IP addresses was required.
-
-
@patch I was hoping that since I mentioned IDS/IPS and posted in the IDS/IPS section of the forum, the response(s) would be specifically about rules on either Suricata or Snort. Location will be just the U.S. or North America. I got my firewall set up...thanks for responding.
-
@nollipfsense said in IDS/IPS on DMZ PBX System:
rules on either Suricata or Snort. I got my firewall setup
So what specifically are you trying to achieve by using Suricata on PBX network traffic?
-
@patch said in IDS/IPS on DMZ PBX System:
@nollipfsense said in IDS/IPS on DMZ PBX System:
rules on either Suricata or Snort. I got my firewall setup
So what specifically are you trying to achieve by using Suricata on PBX network traffic?
I don't know yet...I watched Jimp's video on setting up a DMZ and that was one of the things mentioned towards the end, and it got me thinking. So, I looked through the Suricata rules but only the Emerging-voip rules seem applicable...hence my quest to learn what others have done.
I see Snort has voip rules as well as protocol_voip, even the protocol_voip.so rules.
-
I cannot imagine I am the only person wanting to use IDS/IPS on a phone system tied to pfSense. So, I will share from my little research. Snort appears to be the tool to use, especially the VRT subscriber protocol-voip rules, which number two hundred and sixty-six (266), whereas for Suricata, according to https://doc.emergingthreats.net/bin/view/Main/EmergingFAQ#VOIP_Rules:
VOIP Rules: A new and emerging ruleset. Small at the moment, but we expect it to grow soon.
One can view the Snort subscriber rules for protocol-voip here: https://github.com/John-Lin/docker-snort/blob/master/snortrules-snapshot-2972/rules/protocol-voip.rules
I also found this VoIP use case for IDS/IPS from Purdue University, if anyone wants to read: https://engineering.purdue.edu/dcsl/publications/papers/2009/voipids_ijis09_submit.pdf
So, I will be using Snort IDS as well as locking the firewall down super tight to make the DMZ phone system trusted. I might also use two SIP trunk providers.
-
@nollipfsense Not sure the ET ruleset existed when I first set ours up? I would also add your SIP trunk provider IPs to the pass list. We also allow web connections and client ports by country.
-
@steveits said in IDS/IPS on DMZ PBX System:
I would also add your SIP trunk provider IPs to the pass list. We also allow web connections and client ports by country.
That's a cleaner way of saying what I was trying to convey in post #2:
- SIP trunk provider only via whitelisted IP / domain name and allowed ports (no IDS/IPS involved).
- Web and client connections (if your PBX is set up to allow them) may benefit from IDS/IPS, such as restricting which countries access is allowed from.
-
-
-
@nollipfsense said in IDS/IPS on DMZ PBX System:
WAN floating rule with quickset check with the SIP trunk provider IP and aliases with the ports
I use:
1. Aliases for IP and port groups.
2. For incoming to my premises: a WAN rule associated with the PBX port forwarding rule. It uses aliases from 1 to limit the scope of the port forwarding.
3. For outgoing from my PBX VLAN: VLAN rules using aliases from 1 to restrict outgoing to the required ports & IP addresses.
Floating rules could be used to simulate the above but are less specific, so less maintainable imo.
I don't currently allow external client access to my PBX, but if I did, restricting the exposure surface by country may be useful.
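As an added example, not code from the thread or from pfSense: a small Python model of the alias-and-rule layout described above (aliases for IP and port groups, one inbound rule tied to the PBX port forward, one outbound rule on the PBX VLAN), which is also the pass list of SIP trunk provider IPs from steveits' post. The PBX address, provider ranges, port ranges and alias names are all constructed assumptions; the point is to show how combined aliases keep the rule set to two pass rules plus a default block, and what gets dropped as a result.

```python
"""Allow-list model for a DMZ PBX, in the style of pfSense aliases + rules.
Example code, not from the forum thread; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PBX_HOST = "10.10.50.10"  # constructed: the PBX on its own VLAN

# 1. Aliases for IP groups (constructed values, not any real provider's ranges)
IP_ALIASES = {
    "sip_provider_a": ["198.51.100.0/24"],
    "sip_provider_b": ["203.0.113.10/32", "203.0.113.11/32"],
    "pbx": [PBX_HOST + "/32"],
}
# One alias combining the per-provider aliases, so rules reference a single name
IP_ALIASES["sip_providers"] = IP_ALIASES["sip_provider_a"] + IP_ALIASES["sip_provider_b"]

# Port group aliases: (low, high) inclusive ranges
PORT_ALIASES = {
    "sip_signalling": [(5060, 5061)],   # SIP and SIP over TLS
    "rtp_media": [(10000, 20000)],      # whatever RTP range the PBX is configured for
}
PORT_ALIASES["voip_ports"] = PORT_ALIASES["sip_signalling"] + PORT_ALIASES["rtp_media"]


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "in": WAN -> PBX (port forward); "out": PBX VLAN -> WAN
    src_alias: str
    dst_alias: str
    port_alias: str
    action: str = "pass"


# 2. Inbound rule tied to the port forward; 3. outbound rule on the PBX VLAN.
RULES = [
    Rule("wan_sip_in", "in", "sip_providers", "pbx", "voip_ports"),
    Rule("pbx_vlan_out", "out", "pbx", "sip_providers", "voip_ports"),
]
DEFAULT_ACTION = "block"


def ip_in_alias(ip: str, alias: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in IP_ALIASES[alias])


def port_in_alias(port: int, alias: str) -> bool:
    return any(lo <= port <= hi for lo, hi in PORT_ALIASES[alias])


def evaluate(direction: str, src_ip: str, dst_ip: str, dst_port: int) -> tuple[str, Optional[str]]:
    """First matching rule wins; anything unmatched falls to the default block."""
    for rule in RULES:
        if (rule.direction == direction
                and ip_in_alias(src_ip, rule.src_alias)
                and ip_in_alias(dst_ip, rule.dst_alias)
                and port_in_alias(dst_port, rule.port_alias)):
            return rule.action, rule.name
    return DEFAULT_ACTION, None


# Constructed sample flows, shaped like what a firewall log would record
SAMPLE_FLOWS = [
    ("in",  "198.51.100.7", PBX_HOST,       5060),   # trunk provider A signalling
    ("in",  "192.0.2.55",   PBX_HOST,       5060),   # unknown source hitting SIP: blocked
    ("in",  "198.51.100.7", PBX_HOST,       22),     # provider IP but non-VoIP port: blocked
    ("out", PBX_HOST,       "203.0.113.10", 5061),   # PBX registering to provider B over TLS
    ("out", PBX_HOST,       "192.0.2.99",   5060),   # PBX reaching an unexpected host: blocked
]


def audit(flows=SAMPLE_FLOWS):
    """Return (flow, action, matched_rule) for each flow."""
    return [(flow, *evaluate(*flow)) for flow in flows]


if __name__ == "__main__":
    for flow, action, rule in audit():
        print(f"{action:5} {rule or '(default)':14} {flow}")
```

The outbound rule matters as much as the inbound one: a PBX that can only talk SIP/RTP to the provider aliases cannot quietly register or place calls elsewhere, and anything that lands in the default block is worth reviewing in the firewall log before deciding whether IDS rules add anything on top.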
-
-
@patch I am learning how to use HAProxy's reverse proxy and using a private domain (secret TLS/SNI) to help make the PBX more secure in the DMZ...very interesting...I'll post any questions I may have in the proxy section.