hacking

The Real Cost of VoIP


Like many small and medium businesses (SMBs) in recent years, we've decided to utilize Voice Over Internet Protocol (VoIP); after all, it's cheap, perfect for a decentralized organization, and quick and easy to deploy. Unfortunately, being a security company, we soon saw its many inherent weaknesses surface, some obvious, some not so much.

Research firm Access Markets International (AMI) Partners, Inc. estimated that VoIP solutions brought in over $3 billion last year, up 26% from 2005 [1]. They also estimate that a majority of SMBs will migrate to VoIP by about 2012. Suffice it to say that, regardless of its flaws, VoIP isn't going away, so while we as an industry can't magically fix the issues, we must at least be aware of them. Here are the top five security hurdles we run into with customer VoIP deployments and what we recommend to work around them.

Utilizing Quotas on XFS

So I recently had a buddy of mine pen test my SFTP server. While the SFTP server isn't open to the general public, it is accessible via the Net, so I treat it as if everyone in the world has at least user-level access. While it got an overall good bill of health, he did point out one key issue: users had the ability to max out the HDD and render the box useless, or at least incredibly slow. So that's where it began. I discovered disk quotas.

Of course, most of us know of disk quotas, or at least their general theory. They're what limit our Gmail Inbox folder, stop us from filling the school server with porn, and impose all sorts of practical limitations on users. Basically, they just keep us in line in regards to how much space we're allowed to use on a particular drive. Honestly, they're not very difficult to set up, at least not with Gentoo. In fact, to get started you only need to head here and give it a run-through. The only problem came when I discovered that quota support on my file system of choice, XFS, was... less than well documented.

So, after three days of poking around IRC, reading man pages, HOW-TOs and manuals, asking the programmers who wrote quota itself, Googling, and reading old XFS mailing list threads, I found all the answers. I hope to make it easier on others with a simple guide here. I've already sent these modifications to the maintainer of the Gentoo Security Guide, so hopefully they'll make it into that shortly and no one will ever have a need to read this, but if you do, enjoy.

Port Forwarding with Bastille under Gentoo Linux

Port forwarding. It's a hard lesson everyone who has a NAT router has learned at one point or another. From transferring images via AIM to hosting a game of Battlefield 2, it's a very handy ability. While it's pretty easy with your average Linksys router or even a firewall-based Linux distribution like IPCop, that's not how I roll. The Gentoo Hardened project lets me combine crazy technologies to stop all sorts of attacks that haven't been discovered yet, so that's what I use. The problem is that it takes more knowledge to get port forwarding working from the command line than it does from some check boxes. So, here's how I do it.

First off is the mechanism. I use Bastille, an all-purpose network configuration and hardening script, to handle all of my firewall setup, including NAT and port forwarding. Obviously there are other ways, but this is how I prefer to handle it. I'll certainly be mentioning Bastille in the future and going further into it, but today I'm just giving a brief overview of port forwarding via it.
