Thursday, September 07, 2006

Asterisk. The VoIP Future of your network

Here's your network's dirty little secret: Your PBX is old and outdated, and if you want to bring it into the modern era with IP telephony and VoIP, you're going to have to spend a bundle. Specialized switches and hardware and proprietary solutions don't come cheap, and they might not even offer all the telephony features you're looking for.
But there is an alternative, as thousands of businesses and network administrators have discovered. The open-source PBX Asterisk has been gaining a big following, offering surprisingly powerful telephony features on inexpensive hardware. Not only has it been saving companies money, but it has been able to integrate telephony with network applications in ways that previously might not have been possible.
But Asterisk isn't for everyone. And there are issues you need to confront if you plan a move to Asterisk. So here, in a nutshell, is what you need to know about Asterisk, along with advice from those who have already deployed it.
What is Asterisk?
Let's start with the basics: What exactly is Asterisk?
It's open-source PBX software that runs on a wide variety of operating systems, including Windows, Linux, Mac OS X, OpenBSD, FreeBSD and Sun Solaris. It can run on inexpensive, off-the-shelf hardware, and it includes high-end features such as interactive voice response, voice mail, conference calling and automatic call distribution and routing that have until now only been available on proprietary PBXs.
It's also exceedingly flexible. New functions can be created by writing scripts in Asterisk's own dialplan language, by writing modules in C, and by writing scripts in Perl or other languages.
Particularly important is that it handles Voice over Internet Protocol (VoIP) calls, and works with a variety of VoIP protocols, including the Session Initiation Protocol (SIP) and H.323. It also functions as a gateway between IP phones and the PSTN.
All this means that it can be used to create powerful, programmable PBXs at a low cost, says Joshua Stephens, CEO of Switchvox, a San Diego-based integrator and provider of PBX systems, including many built using Asterisk.
"With Asterisk, you can build any phone system you want, it's irreplaceable when you need custom programming," he says. "It lets you build PBXs with the kinds of features that otherwise would cost many tens of thousands of dollars." In contrast, he says that entire, turnkey PBXs based on Asterisk can sell for under $1,000.
Cost is low because it can run on standard, off-the-shelf hardware, rather than high-end, proprietary systems. And because it's open source, licensing fees aren't expensive.
Why you should use Asterisk
The cost factor is one obvious reason for using an Asterisk PBX rather than a proprietary one. But there are other reasons as well, says Dale Laushman, president and CEO of the Denver-based Uptime Group, an IT and VoIP consultancy that has worked extensively with Asterisk.
"Even more important than cost is the flexibility of the system you can build with Asterisk," he contends. "You can make it do just about anything you want. With a traditional PBX, there are a pre-set number of features, and they're either on or off. With Asterisk, on the other hand, you have your hands on the source code, and you can customize it however you want. It can do things that normal IP PBXs simply can't."
He cites one example of such flexibility -- a PBX his company built for an after-hours urgent-care facility. It was a start-up and needed to hold down costs, but because it provided emergency care, it needed to make sure that every incoming call was answered quickly and was routed to the proper person. So Laushman's company used Asterisk's call-routing flexibility to build a sophisticated system that automatically routes calls to the right health care professional, based on a set of complicated rules.
Incoming calls are first routed to a doctor or nurse on duty at one of the facility's locations; if there is no answer in two rings, the call automatically routes to two more people, one on a cell phone and one in the medical office. If neither of those people answers quickly, the call automatically routes to the public 911 emergency system.
"With a traditional, proprietary PBX, you'd have to hire a high-end consultant to do this kind of programming," he says. As for cost, he claims that the facility looked at several proprietary PBXs, and they cost "up over six figures," while the one he built for the company based on Asterisk "we put in for less than $30,000 dollars."
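The routing rules just described, written as an Asterisk dialplan fragment (extensions.conf). This is an added illustration, not the Uptime Group's configuration: the SIP peer names, the on-call number, the PSTN trunk group and the 12-second timeout (roughly two ring cycles) are all assumptions.

```ini
; Added example: extensions.conf fragment for the urgent-care failover routing.
; Channel names, numbers and timeouts are assumptions, not the real deployment.
[globals]
ONDUTY=SIP/201                     ; on-duty doctor or nurse (assumed SIP peer)
ONCALL_CELL=SIP/15555550100@trunk  ; on-call cell phone via a SIP trunk (constructed number)
OFFICE=SIP/202                     ; medical office extension (assumed)
EMERGENCY=DAHDI/g1/911             ; public 911 over the PSTN trunk group (assumed)
RINGTIME=12                        ; seconds per attempt: about two ring cycles

[urgent-care-inbound]
; Step 1: ring the clinician on duty at the facility.
exten => s,1,NoOp(Urgent-care call from ${CALLERID(num)})
exten => s,n,Dial(${ONDUTY},${RINGTIME})
; Dial() only falls through to the next priority when nobody picked up
; (NOANSWER, BUSY, CHANUNAVAIL); an answered call is hung up by Asterisk
; when the conversation ends, so it never reaches the escalation steps.
exten => s,n,NoOp(On-duty attempt ended with DIALSTATUS=${DIALSTATUS})
; Step 2: ring the on-call cell phone and the office at the same time.
exten => s,n,Dial(${ONCALL_CELL}&${OFFICE},${RINGTIME})
exten => s,n,NoOp(Backup attempt ended with DIALSTATUS=${DIALSTATUS})
; Step 3: nobody answered in time; hand the caller over to 911.
exten => s,n,NoOp(Escalating caller ${CALLERID(num)} to emergency services)
exten => s,n,Dial(${EMERGENCY})
exten => s,n,Hangup()
```

The NoOp lines only write DIALSTATUS to the Asterisk console log, which is what you would check when verifying that each escalation step fired as intended.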
Denver-based 5280 Magazine has been using an Asterisk-based PBX for approximately six months, and systems administrator Jeff Panis says the magazine bought the system for its flexibility as well as relatively low cost. Among the features important to the magazine are that editors and the sales force can use softphones to retrieve their voicemail when they are out of the office.
In addition, voice messages are digitized and sent via e-mail, for easy access to them no matter where someone is. The system saves on hardware and licensing costs compared to traditional PBXs, and it saves on staff time as well, because users can make their own changes to their phones with a Web-based interface.
Users can forward incoming calls to external numbers, and have incoming calls automatically sent as media files via e-mail, without having to ask an administrator to set up their phones to perform those tasks.
Asterisk can also tie into databases such as MySQL, which is the primary database 5280 Magazine uses for internal application development. The magazine is developing its own team management organization tool for its sales and marketing staff using MySQL, and it will be able to tie its Asterisk-based PBX into that system when the new application is complete.
"A big part of the choice was Asterisk's ability to expand and tie into other systems," Panis says. "Also, with Asterisk, you're not tied to paying big upgrade and licensing fees every time you need to upgrade."
Why you shouldn't use Asterisk
All this doesn't mean that Asterisk is for everyone. In fact, it isn't. To date, it has primarily been used by small and medium-size businesses, rather than for large enterprises with multiple offices and divisions in multiple locations. The Uptime Group, for example, has yet to build a deployment of that size.
"I've heard and read that you can chain Asterisk systems together to make much larger phone systems," Laushman says, but his company has no hands-on experience doing it.
In addition, building and programming PBXs is not for the faint-hearted; few companies have the expertise to build a system in-house. So companies will have to rely on firms like the Uptime Group or Switchvox to build systems for them.
Support can be an issue as well; when an Asterisk-based system is installed by a consultant, a support contract will be needed. That means making sure that the company that builds the Asterisk system is solid and will be around for years, in order to provide support.
Finally, there are the cultural issues around using open-source software vs. commercial software. There are companies that still don't trust the open-source model, so any company leery of open source in general will want to stay away from Asterisk.
The future of Asterisk
It's clear that Asterisk is no flash in the pan and is here to stay.
Digium, based in Huntsville, Ala., is the primary creator of Asterisk, and claims that Asterisk has already been downloaded 1 million times. The company also says that there are 130 business partners building Asterisk-based solutions worldwide.
Digium also recently closed its first round of venture capital funding, $13.8 million from Matrix Partners, a VC firm that manages over $2.5 billion in assets, and has previously invested in start-ups ranging from Apple to JBoss to Sycamore Networks.
So if you're thinking of moving to an IP PBX, or upgrading an existing one, commercial-grade PBXs are not your only choice. Ultimately, you may not choose an Asterisk-based system, but it's worth your while to at least give the open-source PBX a first look.
For more information:
A Digium site with basic information, downloads, blog posts, etc.
A comprehensive wiki including news, reference, articles, books, tutorials, forums and other sections.
Trixbox Asterisk implementation, formerly called Asterisk@Home

Tuesday, September 05, 2006

Trojans!

How much, and yet how little, everything has evolved! Technology has advanced, but what lies behind it, the human motivations, the ways of deceiving and of doing harm, has been the same for centuries and centuries. The pattern seems not to have changed. Along these lines, it is striking to see how desktop security (personal and corporate PCs and laptops) now has to deal with Trojans and techniques as old as the world.
In this vein, today's alert from "Hispasec" is very interesting, and I reproduce it below:

Banking Trojan captures a video of the user's screen

Several Trojans have been detected that record a video of the user's screen while the user authenticates to access their bank account over the Internet. This functionality represents a qualitative leap in the danger posed by banking Trojans, and especially against the virtual keyboards deployed by many institutions.
Several institutions, as an additional protective measure, have deployed so-called "virtual keyboards". These basically consist of graphical representations of keyboards on screen, where the user can click with the mouse on the different numbers or letters to enter their passwords, without needing to use the physical keyboard.
This solution is specifically intended to mitigate "keylogger" Trojans, or keystroke capturers, which are programs that capture the keys the user types on the traditional physical keyboard and send them to a third party. In this way the attacker obtains user names and passwords that can later be used to impersonate the affected user.
As usually happens when a security measure becomes widespread, it did not take long for banking Trojans to appear that circumvented this kind of protection. These ranged from those that injected themselves directly into the browser and captured the user name and password before they were sent over HTTPS to the institution's server, regardless of whether they had been entered with the physical or the virtual keyboard, to those that were programmed specifically against virtual keyboards and activate on a mouse click, storing the cursor position or taking small screenshots.
On this occasion a new banking Trojan has been detected that represents a qualitative leap in the danger posed by this kind of specimen, and without doubt one more turn of the screw in the techniques used against virtual keyboards. The novelty lies in the Trojan's ability to generate a video that records all screen activity while the user is authenticating to the online banking service.
The video contains only a section of the screen, using the mouse pointer as a reference, but one large enough for the attacker to observe perfectly the movements and clicks the legitimate user makes on the virtual keyboard, which makes it possible to obtain the entered user name and password without any difficulty.
We have produced a video/Flash clip in which the Trojan can be seen in action and the way the information reaches the attacker can be observed, available at:
http://www.hispasec.com/laboratorio/troyano_video.htm

You can also access a detailed analysis of the specimen, in which parts of the code are dissected in depth, the affected institutions are enumerated, and finally some conclusions are drawn, available at (PDF):
http://www.hispasec.com/laboratorio/troyano_bancario_captura_video.pdf