Rob’s Twist on: Why You Need a Firewall, really?

(Or, “Oh no, The Aussie is Blogging Again!”)

It’s a rare day that someone doesn’t come into our IRC channel or forums asking for help with their firewall settings. Usually it’s because they twiddled a knob, or pushed a button on their firewall that they shouldn’t, or even worse, they didn’t twiddle a knob that they should have! After a day of me continuously moaning on IRC about how people just don’t understand firewalls, how there isn’t a good one, and how people just throw things together and go “that’ll do”, my complaints were picked up and echoed around other various forums, by Bloggers who watch our IRC. This made me realize that it wasn’t just me who was irritated by this, and that’s when the idea of a proper FreePBX Firewall was born.

XKDC Comic 1583

Credit to XKCD,

Firewall was, at first, a quiet “Skunkworks” project, but after we sat down and figured out how much this would help the whole community, it was blessed as an official FreePBX project, and has since been released as a module for FreePBX 13!

Historically, we’ve seen a huge number of people who have either had some half broken default firewall installed by their distro, or, have installed one themselves after a random google search returns (often terrible) advice. This almost always causes many more problems than it solves. These firewalls usually default to being massively over enthusiastic and block large chunks of needed traffic, or, they require constant hand-holding and fiddling to keep them working. This tends to cause people to give up and turn them off, or open them far too wide — either because it was TOO configurable, or, not configurable at all without understanding raw iptables rules and memorizing the periodic table backwards!

XKCD Comic 1014

Credit to XKCD,

I saw this as a pretty fundamental problem with third party firewalls and resolved to fix it. Additionally, since FreePBX is an Open Source project, I wanted to make sure everyone else had the opportunity to make suggestions and recommendations, too. I realise that not everyone is as deeply involved in security as I am (and where my background has been for years) but you’ll be happy to know that I also realise that I am quite often not the best person to write user interfaces. I tend to make them nerd friendly, with lots of knobs and buttons to twiddle and push, not human friendly with a simple On and Off setting. So I started a couple of threads in our forums, which sparked a lot of great discussions and ideas.

As a starting point of the design, when thinking about this, I took a step back and pondered the basic, and important question “What is a firewall meant to do?” The answer is, of course, “Keep bad guys out, and let good guys in.” Unfortunately, a lot of the current crop of firewalls have changed the answer to be more along the lines of “Keep everyone out until they cast some magic incantation.” That magic incantation could be something like “Enter your current IP address after dialing some phone number” (How are you meant to dial a number, if you don’t have a working phone?) or “Connect to some random ports on a remote machine in a specific order”, or other overly complex and unneeded things (that, sadly, usually result in the firewall being abandoned). This is something we see in our paid support department on a weekly basis, as the users often turn these default firewalls off because they can’t get their SIP trunk provider or remote phones working.

That is unacceptable! A firewall should not make your life harder. A firewall should make your life easier! (Much easier, in fact, by ensuring you don’t have bad guys attacking your server!). You, as a user, should also never need to do a pile of configuration just to get it to a sensible starting point.

Firewalls can (and often do!) have a large number of nerd-friendly knobs and buttons to twiddle. But I wanted to make this as simple and easy for our users as possible, so I worked hard to constrain my ‘Add a button!’ desires. This means that there’s probably not as much configuration as you expect to see in a firewall — EXACTLY what I wanted to achieve!

I’m also lucky in that I was able to build the firewall around the concept of “This firewall is going to secure a FreePBX Server and that’s it”. I know exactly what FreePBX wants, and FreePBX can tell the Firewall module which firewall rules to care about. This removes most of the complexity that people have to deal with in standard firewalls, and lets me get it to the “Zen-like” On and Off settings that I wanted.

Screenshot 1

Screenshot of the main screen of the Firewall module, when it’s enabled.

With this goal in mind — of it being secure, extremely intuitive, and easy to use so that people actually use it instead of turning it off — I then asked myself “What do FreePBX installations need?” and came up with this short list:

  • By default block everything that shouldn’t be coming in.
  • Examine the PBX configuration and open up specific IPs and Services for everything the user has indirectly configured in their PBX.
  • Find a secure but usable way to automatically detect legitimate remote users who don’t have static IP addresses but need access, and make it easy for them to get to the services and phone access they need while safely blocking everything else out there (I’ve coined this the Responsive Firewall, more on this below!).
  • Provide GUI access for common advanced firewall settings so knowledgeable users who need to do more can do so within the Firewall, and aren’t forced to turn it off so they can do their own thing.

Since I was able to tightly define what the firewall needs to secure, I was then able to put in a lot of VoIP specific intelligence that normal firewalls can’t do. For example, you can expose your SIP ports to the global internet, if you have the need. Normally that’s a terrible idea (and I can hear people lining up to tell me how wrong that is, and how they’re going to punch me in the nose for even suggesting that), and normally I would agree.

However, because this firewall is deeply integrated at a very low level of your system, it can be far more intelligent than a normal firewall. If you’re familiar with firewall concepts, you’ll, of course, see the standard things you expect from a modern firewall, such as zones, network interface configurations, and lists of services (such as SIP, SSH, HTTPS and so on….) Those are all important capabilities in a firewall and are there to allow more advanced configuration by advanced users.

But, where it really shines is the tight integration with FreePBX. The first and most useful integration is to constantly scan your FreePBX configuration and automatically configure the firewall to match it! For example, we’ll detect trunks you’ve configured with your VoIP providers, or other branch offices, and automatically allow those in. We’ll even update the IP addresses on a regular basis, if you’re using dynamically changing hostnames (DDNS) or domains.

At this point you’d think I would have stopped, but where things get REALLY handy is the second integration, the Responsive Firewall.

Screenshot 2

Screenshot of the Responsive Firewall, when it’s enabled.

Of course, it would be wonderful if everyone always used a VPN when away from the office — and, in fact, we’ve put a lot of work into enabling that capability with the new VPN module (more on that to come, but that topic will be left for a future blog). For the rest of us, there’s the Responsive Firewall. If you enable Responsive Firewall and expose the selected protocols (SIP or IAX), the firewall will actively validate clients that are trying to connect to the machine on the selected port(s). This is somewhat similar to what fail2ban does, but fail2ban is passive, banning an ip by looking at logs only after too many failed attempts.

FreePBX Responsive Firewall, on the other hand, detects the fingerprints and patterns of known attack tools at the Operating System level, and blocks them quickly, BEFORE they have a chance to try more than a few attempts! However, to make sure a legitimate error doesn’t lock you out, Responsive Firewall is designed to tolerate common errors (such as the misconfiguration of a phone with the wrong password) by detecting the pattern of such issues and not immediately locking that out, while still being able to block illegitimate break in attempts. (Too much fumbling can still result in getting locked out, but a lot of thought has been put into minimizing this while maintaining high security levels.)

This is, to put it simply, an incredible leap forward in VoIP security. There’s a new Sheriff in town ready to stand up to those brute force attacks of known extensions! Where needed, you can simply put your FreePBX server on the internet, or in the DMZ of your office network, and allow the System Firewall to correctly and securely manage your machine, blocking attacks as they’re detected, but still permitting approved clients through, all without you needing to raise a finger.

But, after all of this, Firewall is still not finished. This is an Open Source project. Everyone has access to it, everyone can read it, everyone can change it! If you think it’s missing something, tell us! If you think it’s doing something wrong, YELL at us (nicely)! If you think you can do it better, do it! Then make sure you click the ‘Pull Request’ button in Github so we can make it better for everyone!

I still have a couple of pending things on my todo list. The highest priority is to allow you, via User Manager, to assign firewall rules per user.

For example, you should be able to specify that Extension 300 only has access to UCP, but Extension 301 has access to the UCP, as well as WebRTC access to make calls from their browser. However, Extension 333 is the admin, so they have access to the main FreePBX Admin interface, as well as SSH access. All of these rules will be automatically applied and removed as their phone connects and disconnects.

Today there are some simple defaults (it opens up access to UCP when a phone has successfully navigated the Responsive Firewall and registered). We’ll also add additional integration to the VPN module, so once you’ve made a secure VPN connection from your computer, we’ll open up the external IP address and proper port that you’re coming from so that the phone itself can register, if the phone is not capable of making it’s own VPN connection.

To ensure the utmost security, the FreePBX Firewall module depends on an RPM package provided by the FreePBX Distro. This means you need to be running the FreePBX Distro (or another distro that is derived from FreePBX Distro) in order to run the module.

I’ll be reviewing what’s involved in making these bits of supporting technology available for other Linux distributions once I get back from Astricon and my other jet setting plans around the US over the next few weeks. In the meantime I’d love to see you try the new Firewall, and keep that feedback and those ideas coming, in the Forum thread!

Thanks for reading and I hope you like what I did!

FreePBX Zulu UC

Introducing Zulu UC…it’s Outlook and Browser integration for FreePBX and it’s coming soon!

Zulu UC is being built by the same team behind the world’s most popular open source PBX, FreePBX. It allows easy communication and collaboration integration with applications that people like you use everyday.

Get in on our pre-release promotion and license unlimited Zulu user connections for only $199 before October 31, 2015.

Click here to take advantage of this offer today!

Sangoma Technologies US
2414 Industrial Dr. Unit D – Neenah, WI 54956

Checklist: 6 Things to Consider When Choosing A Unified Communications System

Both the IT Services and Communications worlds continue to change dramatically. According to a 2015 Executive Report by IBM, the way humans communicate with each other has changed more in the last ten years, than it has in all the previous decades of human existence—combined. And it makes our collective job of providing high performance and flexible unified communications solutions both more exciting, and more challenging.

  • Open, seamless, ubiquitous is becoming the norm
  • Global VOIP migration continues full steam
  • Communications continue to be fragmented across different hardware and software

And it’s showing no signs of stopping. The VoIP subscriber base is expected to grow at a CAGR of 16.6% from 2014 to 2020, and the VoIP Services Market is expected to expand at 9.7% CAGR until 2020 due to adoption in both corporate and residential says Transparency Research.

The result is that more businesses—from mom and pop startups to global enterprises, are urgently working to analyze traditional analog systems and (at the very least) connect them to digital unified communications systems—or bypass/replace them entirely.

While historically there have been typically a handful of players in the market, Computer Weekly (and others) see an opportunity to open up the market with Microsofts Lync (Skype for Business) platform.

What to Consider When Selecting a UC System

With a number of solutions available, it’s important to develop a strategic unified communications plan that answers the critical business questions and needs. You used to be able to buy a box with some software in it, plug it in, configure it, and that was that. But businesses are smarter than ever—and already wading hip deep into UC. According to TechTarget, 63% of companies had at least one unified communications app in the cloud, with web conferencing topping the list.

Given this, and the proliferation of technology, it’s more important than ever to have a clear goal in mind when choosing a system. The following checklist will help guide you in your selection of a UC solution.

1. Is it new, or does it need to work with your old system?

Most organizations are looking to integrate new digital technology with something they already have something in place. Usually it’s made up of copper wires, a micro computer, logic and switching cards along with a few traditional telephones. Only a handful are looking to build a unified communications solution from the ground up.

Depending on which camp you’re in, you’ll have different needs. For example, if you have legacy analog technology, you might need an analog voice card to connect your phone system to the public switched telephone network (PSTN). If you don’t have a legacy system (or any system at all), then you move on to the next question…

2. To Build or to Buy PBX?

If you’re starting from scratch (or upgrading an old system), there are three ways you can go. And while there are grey areas where these solutions overlap, we’ll save the deep dive into the detail for another post.

  • Option 1: Onsite PBX hardware: A traditional approach, this classic approach can be attractive to users who are experience only with administering old technology. While the sound quality is solid, It’s expensive and limited in regards to features.
  • Option 2: Buy an IP PBX solution: There are a few approaches here. There are virtual VOIP solutions, cloud solutions, onsite prebuilt solutions.
  • Option 3: Build your own VOIP solution: Not an unpopular solution. For example, our Asterisk-based, FreePBX drives 2 MILLION IP PBX systems globally. Typically this includes managing your phone lines, phone carrier, trunk, and your SIP (Session Initiation Protocol) client. The phone lines and carrier are typically hardline, while the trunk is over IP and the SIP client is, well, SIP.

A lot of times, the choice to build or buy comes down to how much control and functionality of your system do you want. With Onsite PBX hardware and virtual solutions, you have little control of the system and features. With an onsite prebuilt or build your own, you have significantly more options. This ties into questions 3 – 6.

3. What PBX Features Do You Need?

If you only need basic call routing and switching, a basic PBX solution might be enough (and expensive) solution. But most companies really need something that provides more features like video, conferencing, support of BYOD environments, text, instant messaging, and integrate quickly, easily and securely with their existing network. Make a list of all your foreseeable requirements early on.

4. What Are Your Network Requirements?

What kind of network are you plugging your new PBX system into? Will your internet connection be able to handle the additional load of voice, data and video? Do you have a gateway in place to hand Quality of Service to allocate bandwidth to voice? Does your router support VOIP? Completely map out your existing network and identify support technology that can impact your choice of solution. Typically you want to choose a solution that will work relatively smoothly with your existing network.

5. What Level of Security Do You Need?

According to InformationAge, Security is one of the top three priorities for CIOs in 2015. Traditionally, analog communications systems were the most secure that a company could provide. But business demands more than what old school PBX systems give.

The demand—and the focus on security—have driven the need for unified communications to provide a holistically secure solution for business. A proper IP PBX system should protect you from attack, while keeping you compliant with any regulatory requirements you might face. This will might include taking steps like having a security policy in place, encrypting VOIP calls, and leveraging a session border controller (SBC) to manage digital traffic.

6. What Are Your Future Business Needs?

Do you anticipate growing the business? Will you add more employees, devices, communications apps? If so, you want to leverage a unified communications system that is flexible, and allows you to control the solution at a granular level.

Bridging Your Worlds

In many cases, when developing your unified communications solution, you’ll be faced with a hybrid scenario. You probably have some legacy hardware that you want to integrate with a solution like Skype for Business, along with an ever-changing BYOD policy. Are you considering building from scratch? If so, consider the 2 Million businesses and users that are currently leveraging our easy-to-use IP PBX Solution, FreePBX and download this white paper today!