Archive for April, 2009
April 20th, 2009

Over the coming weeks I will be spending one week each with a number of PC-based router/firewall products installed as the primary NAT gateway at my apartment. I will be reviewing them based on overall performance, interoperability with my SIP-based VoIP service, QoS capabilities, VPN capabilities, and any extra features that make them stand out from the crowd.
The test platform will be a Dell PowerEdge SC430 with a 1.6 GHz Intel Xeon dual core processor and 4GB of RAM. The current list of software to test is as follows:
I will also be testing “appliance” type routers based on what is available to me, which currently is as follows:
- Linksys WRT54GL (Linksys firmware 4.30.12)
- Linksys WRT54GL (Tomato 1.23)
- Linksys WRT54GL (DD-WRT v24 SP1 Mega)
- Linksys WRT54GL (OpenWRT Kamikaze 8.09)
- Cisco 1841 (IOS 12.4(23))
- Watchguard Firebox X Edge
- Edgewater Edgemarc 4500 (VOS 9.1.2)
The Watchguard is currently an unknown, since I don't have the password for it, and I may cut down the list of Linksys firmwares, but all of the rest will be tested.
Hardware or software suggestions for further testing are appreciated.
April 12th, 2009

With the Obama administration looking like they will be rolling back Bush era policies allowing doctors to refuse to perform certain procedures and/or refuse to prescribe or sell certain medications (let’s say RU-486 for example) the Internet’s political debate hotspots have erupted as expected. Over at the Something Awful forums I saw a great post that completely explains my position on this issue:
It’s a sad reflection on the influence of the religious right that this is even a noteworthy issue. If you work at Burger King, and one day you decide that you don’t like the Double Whopper and won’t serve it to people anymore (say, for reasons of their health), you get fired. If you’re a network administrator and one day decide that TCP/IP is the devil’s protocol and you won’t use it, you get fired. The list goes on. Giving people the legal medication they need is the job of the pharmacist and doctor. Their job is not “Make value judgments about my patients and then prescribe what medications I personally believe are good”. We have a central regulatory body that determines what medicines and procedures are legal to give out and perform. Doctors and pharmacists are expected to adhere to these. A pharmacist who decided that he would no longer give cancer patients their drugs or a doctor who decided he will substitute phrenology for a general exam would find themselves out of jobs in short order. The only reason this is an issue is because for some reason “It’s my religion!” is taken as a valid excuse for not doing your job.
If you are a pharmacist, it is your job to dispense medications as prescribed. Your personal morals have absolutely no legitimate influence on this. If you do not like this fact, find another job. What the right wing wants here would be equivalent to a pacifist joining the Marines and then complaining that they were being sent to war.
If you’re still convinced that this “religious freedom” is the right option, pretend you live in a small town with one local doctor. Now pretend that doctor is a Jehovah’s Witness. Now think about what happens if you or a loved one needs a transfusion. Your local doctor would then be fully able to refuse to give you/your loved one a transfusion because it goes against their religion.
If you don’t like the job requirements, find another job. Don’t whine that you chose a job that conflicts with your beliefs. Put up or shut up, either way your morals don’t have any effect on me.
April 11th, 2009

Sjur Usken and Sandro Gauci have discovered a major flaw in the SIP implementations on a wide range of IP phones. The short explanation is that the phones do not verify where a proxy authentication request is coming from and happily return the SIP authentication information. It is hashed and salted, but the salt is chosen by the attacker, so a set of rainbow tables would make cracking it trivial. For full details, check out Sjur’s blog post (which spread fairly rapidly around the VoIP world) and his latest post showing the trace as he attacked a Cisco 7940 I set up for this purpose.
Until the phone vendors release fixed firmware (if they do), the only way to defend yourself from this is to not have phones exposed on public IP addresses. If they have to be for some reason (we all know SIP and NAT really don’t get along, and proper SIP-aware NAT devices cost a fair bit), set firewall rules that prevent the phones from speaking SIP to any IPs that aren’t part of your VoIP system. Alternatively, if every single phone on your system is statically addressed, the reverse could be done at the registrar side. It wouldn’t stop the attackers from finding the password, but it would prevent them from using it in any way.
The implications of an attacker gaining the SIP authentication information are of course severe: once they have it, they can impersonate the attacked phone and make calls to any number of regions, potentially costing thousands of dollars in the course of a single night.
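As an added example (not code from the post or from Sjur's write-up), here is a small audit script that applies the same rule as the firewall advice above to a captured SIP exchange: it flags any digest challenge (401/407) that did not come from your own proxy, and any request carrying digest credentials that is headed somewhere other than your proxy. The proxy address and the sample packets are constructed for the demonstration.

```python
import re

# Hypothetical address of our own registrar/proxy; anything else is untrusted.
TRUSTED_PROXIES = {"198.51.100.10"}

def parse_sip(raw):
    """Split a SIP message into its start line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only: values may contain sip: URIs
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers}

def is_challenge(msg):
    """True for a 401/407 response carrying a digest challenge (and its attacker-chosen nonce)."""
    parts = msg["start"].split()
    return (parts[0] == "SIP/2.0" and parts[1] in ("401", "407")
            and ("proxy-authenticate" in msg["headers"] or "www-authenticate" in msg["headers"]))

def carries_credentials(msg):
    """True for a request carrying the digest response a rogue challenger wants to collect."""
    return "proxy-authorization" in msg["headers"] or "authorization" in msg["headers"]

def audit(packets):
    """packets: iterable of (src_ip, dst_ip, raw_sip). Returns a list of alert strings."""
    alerts = []
    for src, dst, raw in packets:
        msg = parse_sip(raw)
        if is_challenge(msg) and src not in TRUSTED_PROXIES:
            chal = msg["headers"].get("proxy-authenticate") or msg["headers"].get("www-authenticate", "")
            nonce = re.search(r'nonce="([^"]*)"', chal)
            alerts.append(f"digest challenge from untrusted {src} (nonce {nonce.group(1) if nonce else '?'})")
        if carries_credentials(msg) and dst not in TRUSTED_PROXIES:
            alerts.append(f"digest credentials sent to untrusted {dst}")
    return alerts

# Constructed sample: a legitimate challenge from our proxy, then a rogue challenge from an
# outside host and the phone's reply to it, which hands over the digest response.
SAMPLE = [
    ("198.51.100.10", "192.0.2.20", "SIP/2.0 407 Proxy Authentication Required\r\n"
     "Proxy-Authenticate: Digest realm=\"voip\", nonce=\"a1b2\"\r\n\r\n"),
    ("203.0.113.5", "192.0.2.20", "SIP/2.0 407 Proxy Authentication Required\r\n"
     "Proxy-Authenticate: Digest realm=\"voip\", nonce=\"0000\"\r\n\r\n"),
    ("192.0.2.20", "203.0.113.5", "BYE sip:100@203.0.113.5 SIP/2.0\r\n"
     "Proxy-Authorization: Digest username=\"7940\", realm=\"voip\", nonce=\"0000\", response=\"deadbeef\"\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE):
        print(alert)
```

Feed it (src, dst, message) tuples from a packet capture of the phone's traffic; any alert means a phone is talking digest authentication with a host outside your VoIP system, which is exactly what the firewall rules above are meant to prevent.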