ITSPA updated recommendations for provisioning security

ITSPA has recently released a new guidance paper on the remote provisioning of phones and other SIP devices. The document shares best current practice among ITSPA members to help ensure that their provisioning infrastructure is secure.

ITSPA Chair Eli Katz stated:

“This is an excellent update to the existing guidance and should be considered a starting point rather than a complete solution. This is just a part of ITSPA’s ongoing work in tackling cyber-crime and fraud as well as driving up best practice within the membership. We must ensure the industry is one step ahead in the security battle.”

Download: Recommendations for Device Provisioning Security (Version 2)

For a list of ITSPA Best Current Practice (BCP) documents visit: http://www.itspa.org.uk/members/best-practice-documents/

ProVu Sponsor Channel Leaders Conference

We’re proud to be sponsoring the Channel’s newest event! Join us in London on Tuesday 25th April for the first ever Channel Leaders Conference.

What is Channel Leaders?

Aimed at ICT Reseller Businesses, Channel Leaders is designed to combine practical knowledge with forward thinking strategic advice and discussion on how Channels can remain relevant to their customers both in the short term and in the future.

Throughout the day, you will have the opportunity to attend seminars and panel discussions from respected analysts and commentators – it’s a great opportunity to hear from Channel Leaders!

How can I attend?

Tickets are available through the Channel Leaders website. To save 50% simply get in touch and we will provide you with our exclusive discount code. But hurry, tickets are selling fast!

ITSPA Recommendations for secure deployment of an IP-PBX


ITSPA has recently launched a new best practice paper ‘Recommendations for secure deployment of an IP-PBX’ (Version 3). This new document outlines configuration measures that should be implemented on an IP-PBX installed in a customer’s premises as well as the support that service providers can give to assist in the identification and avoidance of attacks.

The update forms part of ITSPA’s Best Current Practice (BCP) documents. It follows an in-depth collaboration with members, including a range of service providers, security experts and vendors, and forms part of ITSPA’s stream of work to ensure that the industry follows best practice to tackle telecommunications fraud.

For a list of ITSPA Best Current Practice (BCP) documents visit: http://www.itspa.org.uk/members/best-practice-documents/

Snom BBC News story

A story was published on the BBC News website today regarding a vulnerability in snom phones that could allow someone to eavesdrop on you.

http://www.bbc.co.uk/news/technology-35579273

If you read this story earlier today, you should re-read it as it has been substantially edited in the last hour or so.

I would just like to reassure customers that this is not news to either ourselves or snom. It is just a case of setting decent passwords on the phone and using up-to-date firmware. Devices must be set up correctly to operate in a secure fashion; snom phones actually do more to remind you to do this than any other phone – they have messages on the LCD screens and web interfaces.

Also, ProVu advise customers on security best-practices and we can provision a sensible set of default settings to your IP phones.

Snom publish a best-practices guide here:

http://wiki.snom.com/FAQ/How_do_I_secure_my_phone

The gist of this is to use recent firmware, set a strong HTTP password and leave hidden-tags turned on.

This advice pretty much fits with any SIP phone (indeed, any device you connect to your network).

It’s a shame snom have been singled out here because they do more than many to secure their phones.

Paul.

No snom devices affected by Heartbleed!

Notice supplied by snom UK on 23rd April. The snom development team gives the all-clear: Neither snom 3xx series, snom 7xx series nor snom 8xx devices are vulnerable to the security breach in OpenSSL!

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

snom UK

Yealink devices are not vulnerable to the Heartbleed bug

This advisory applies to all Yealink products using OpenSSL from version 1.0.1 to 1.0.1f. Notice supplied by Yealink UK on Weds 23rd June.

Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This vulnerability results from a missing bounds check in the handling of the TLS heartbeat extension.

Through the vulnerability in OpenSSL versions from 1.0.1 to 1.0.1f, an attacker can capture memory from the host 64k at a time. The attacker can therefore possibly capture desired data such as the server’s private key, or a user’s password. This exploit is consistent with CVE-2014-0160.

We have carefully inspected all versions of our products, and are pleased to announce that Yealink products are not affected by the Heartbleed OpenSSL vulnerability. We will update users if there are any changes in the future.

Yealink UK
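Both vendor notices above describe Heartbleed in words: a heartbeat request carries a 16-bit length field, and vulnerable OpenSSL trusts it and copies that many bytes back, so a peer who claims 65535 bytes but sends one gets 64k of whatever happens to sit next to the record in memory. The following is an added example to make that concrete; it is not snom, Yealink or OpenSSL code. It models the vulnerable handler beside the fixed one in C. The heap model array, the record layout helpers, the planted “private key” marker and the function names are all constructed for this demonstration.

```c
/* Added example (not snom, Yealink or OpenSSL code): a model of the TLS heartbeat
 * handler before and after the CVE-2014-0160 fix. The heap model, record layout
 * helpers and the "secret" string are constructed for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1      /* heartbeat request type */
#define HB_PADDING  16     /* minimum random padding a heartbeat carries */
#define HB_MAX      65535  /* largest payload a 16-bit length field can claim */

/* Constructed stand-in for the process heap: the received record occupies the
 * first bytes; everything after it plays the role of neighbouring allocations.
 * It is sized so the worst-case copy stays inside the array, so the leak below
 * is a real read of "other data" rather than undefined behaviour in the demo. */
#define HEAP_MODEL_SIZE (1 + 2 + HB_MAX + HB_PADDING)
static uint8_t heap_model[HEAP_MODEL_SIZE];

struct hb_record {
    const uint8_t *data;  /* type(1) | payload_length(2, big-endian) | payload | padding */
    size_t length;        /* bytes actually received for this record */
};

static uint16_t read_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable shape: the peer-supplied payload_length is trusted as the copy size.
 * Returns the number of payload bytes echoed into out (capacity HB_MAX). */
size_t heartbeat_vulnerable(const struct hb_record *rec, uint8_t *out)
{
    const uint8_t *p = rec->data;
    uint8_t type = *p++;
    uint16_t payload_len = read_be16(p);
    p += 2;
    if (type != HB_REQUEST) return 0;
    memcpy(out, p, payload_len);      /* never compared against rec->length */
    return payload_len;
}

/* Fixed shape (as in OpenSSL 1.0.1g): discard the record unless header, claimed
 * payload and minimum padding all fit inside what was actually received. */
size_t heartbeat_fixed(const struct hb_record *rec, uint8_t *out)
{
    if (rec->length < 1 + 2 + HB_PADDING) return 0;                          /* silently drop */
    const uint8_t *p = rec->data;
    uint8_t type = *p++;
    uint16_t payload_len = read_be16(p);
    p += 2;
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec->length) return 0;  /* silently drop */
    if (type != HB_REQUEST) return 0;
    memcpy(out, p, payload_len);
    return payload_len;
}

/* Constructed record: claims `claimed` payload bytes but carries one real byte
 * ('A') plus padding. A fake key marker is planted just past the record. */
struct hb_record build_record(uint16_t claimed)
{
    static const char secret[] = "-----BEGIN RSA PRIVATE KEY-----";  /* constructed */
    memset(heap_model, 0, sizeof heap_model);
    heap_model[0] = HB_REQUEST;
    heap_model[1] = (uint8_t)(claimed >> 8);
    heap_model[2] = (uint8_t)(claimed & 0xff);
    heap_model[3] = 'A';
    size_t real_len = 1 + 2 + 1 + HB_PADDING;            /* 20 bytes on the wire */
    memcpy(heap_model + real_len, secret, sizeof secret - 1);
    struct hb_record rec = { heap_model, real_len };
    return rec;
}

static int contains(const uint8_t *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the handler's reply to a 65535-byte claim carries the planted secret. */
int leaks_secret(size_t (*handler)(const struct hb_record *, uint8_t *))
{
    static uint8_t out[HB_MAX];
    struct hb_record rec = build_record(HB_MAX);
    size_t n = handler(&rec, out);
    return n > rec.length && contains(out, n, "BEGIN RSA PRIVATE KEY");
}

/* 1 if the fixed handler still echoes an honest one-byte heartbeat. */
int fixed_accepts_legit(void)
{
    uint8_t out[HB_MAX];
    struct hb_record rec = build_record(1);
    return heartbeat_fixed(&rec, out) == 1 && out[0] == 'A';
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", leaks_secret(heartbeat_vulnerable));
    printf("fixed leaks secret:      %d\n", leaks_secret(heartbeat_fixed));
    printf("fixed echoes legit:      %d\n", fixed_accepts_legit());
    return 0;
}
```

The point of the fix is the single comparison against the record length actually received: a record that claims more than it carries is dropped without a reply, while an honest heartbeat still round-trips. Whether a given phone is exposed depends only on whether its firmware links an OpenSSL in the 1.0.1 to 1.0.1f range with the heartbeat extension compiled in, which is what both vendors checked.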

Congratulations to all ITSPA awards 2013 winners


Ian, Alison, Moh and Darren having a great day at the ITSPA awards 2013 at the Houses of Parliament.

As proud sponsors of the award category Best Consumer VoIP, ProVu would like to congratulate all the finalists, especially the award winners and highly commended entries:

Award Winners:
Best Consumer VoIP: Localphone
Best Business ITSP (Small Enterprise): iNet Telecoms (Voipfone)
Best Business ITSP (Medium Enterprise): Telappliant
Best Business ITSP (Corporate): Ciptex
Best VoIP CPE: Sangoma Technologies – NetBorder Lync Express
Best VoIP Infrastructure: Metaswitch Networks – Perimeta 3.3
Most Innovative VoIP Product/Service: Voxhub – Voxtop Apps Platform
ITSPA Members’ Pick: Mark Spencer for developing Asterisk

Highly Commended:
Best Consumer VoIP: BT
Best Business ITSP (Small Enterprise): VoiceHost
Best Business ITSP (Medium Enterprise): Voxhub
Best Business ITSP (Corporate): Timico
Best VoIP CPE: Grandstream Networks – GXP2200 Enterprise Application Phone for Android
Best VoIP Infrastructure: Genband – GENBAND Web Application Manager (WAM)
Most Innovative VoIP Product/Service: Alcatel-Lucent – OpenTouch Conversation

Panasonic products win awards from TMC in America

Panasonic SIP phones have won several awards from the TMC Labs media outlet in the USA.

First off, the KX-UT670 Android based media phone was given an exceptional innovation award.

Read the full press release on the Panasonic website

More info on the KX-UT670

If that wasn’t enough, the KX-UT248 also won the 2012 Internet Telephony (an industry magazine in the USA, published by TMC) Product of the Year Award.

Read the full article on the TMC website.

More info on the KX-UT248

So well done to Panasonic for making such an impact on their first foray into the SIP phone market.

ProVu have been the distributor for the phones in the UK for most of 2012 and have, as usual, developed support for them in our phone provisioning and management systems.

Raspberry Pi and Asterisk

Asterisk running on Raspberry Pi

I’ve been playing around with a Raspberry Pi for a few weeks now and thought I’d see how well Asterisk Open Source PBX works on it.

Raspberry Pi running on my desk

I’ve tried a couple of different versions of Debian on this device and have settled with Raspbian since this makes use of the floating point co-processor that is emulated in the normal Debian Armel packages. It’s early days for Raspbian yet and all the Debian packages have to be re-compiled but most stuff seems to be done and it works very well. Raspbian should perform better for tasks relying on the not-very-powerful ARM11 CPU on the Raspberry Pi.

As for Asterisk, proper Debian packages already exist for the Armel compiled operating system and it is simply a case of running “apt-get install asterisk” on the Raspberry Pi and it installs and works.

At the moment there is no package for Raspbian and also, I wanted to try out Asterisk 10. So I compiled from source.

The steps I took were:

  • Download the source from the Asterisk website, extract the tar archive
  • I started from the “hexxeh” Raspbian image which can be found on the Raspbian website. This already comes with most tools needed to build software, if you have installed from somewhere else just make sure you have got the build-essential Debian package
  • You will also need to install these packages: libncurses5-dev, libsqlite3-dev, libssl-dev (or chan_sip will be automatically unselected, this isn’t needed if you don’t want SIP)
  • Possibly more packages if using a different image of Raspbian or you’ve built your own.
  • Now back in the Asterisk 10 source folder you just extracted, issue the command “./configure --disable-xmldoc”. The option allows it to continue without the libxml2 development package installed
  • Now before running the build, it’s a good idea to check the modules you need will actually be built, the command: “make menuselect” will bring up a text menu that allows you to check the modules. In particular make sure chan_sip in the channels section is selected!
  • After that simply run: “make”. This will now compile Asterisk and all the modules you’ve selected. This will take around an hour on the Raspberry Pi native hardware! Note: you can use a cross compiler on more powerful hardware to build packages much quicker.
  • Now run: “make install” which will install the compiled software
Asterisk 10 running

Now you have installed Asterisk, you can run “make samples” to generate sample Asterisk config or write your own.

So how well does it work?

Surprisingly well, I thought, for a CPU that is generally thought to be approximately equivalent to a Pentium II 300 MHz. I have not done serious load testing but I set up a conference bridge (using the new confbridge feature in Asterisk 10) and it very easily handled 4 local SIP extensions in a conference at once. It’ll be interesting to see how much transcoding it can handle.

This doesn’t mean that we’re going to start selling IP-PBXs based on the Raspberry Pi. The hardware is still a bit too new and untested for the time being and the software is still very much in development. The main reason though is that for low-end hardware to run a PBX on, something like the Sheevaplug makes more sense. It has a more powerful CPU and more memory, and by the time you factor in storage, power and a case for the Raspberry Pi, a Sheevaplug isn’t much more expensive.

The Raspberry Pi’s CPU is an ARM11 core with the ARMv6 instruction set, a couple of generations out of date. Where the device shines is the GPU attached to it. This is a Broadcom VideoCore GPU and is pretty impressive indeed. It’s intense graphical processing that the Pi does best; the fact that it can decode 1080p30 H.264 “HD” video is very impressive (and I have tested this too).

So while it runs Asterisk quite nicely for just a few phones not doing very much, it seems a bit of a waste to use the Pi for this since it’s not using its powerful graphics engine at all. I need to think of some graphical uses for it! Perhaps a fancy OpenGL ES based call centre wall board system.