Q: How can I restrict external access to FreePBX/Asterisk by MAC address so that only ‘our’ smartphones can use the system, either by assigning a MAC address to an extension so that authorization is by extension+password+MAC or by a global list of authorized MAC addresses?
Thanks - and here’s the backstory as to why…
We have just installed a trial of the latest FreePBX-1.817.210.58 iso (so Version 2.10) and all has gone great. Calls in and out seem to route, and extension-to-extension calls are fine too. All this is on our physical LAN using Grandstream SIP phones with FreePBX/Asterisk NATed behind our router.
The intended use for this system is to allow out-workers to access the system for all business related calls (no more call allowances, reimbursements etc) specifically using SIPDroid on Android phones.
SIPDroid works fine in our testing, however, our Accounting dept. is having fits about access security. They do not trust ‘simple’ extension number / password security to stop hackers running up vast bills.
I have got ‘Fail2Ban’ installed and operational, but Accounting are realistic about people using very weak passwords, and I know from other contexts that you can’t restrict the ‘number of tries’ too much on soft keyboards which hide the password as it’s typed. People mis-key a lot.
I know from using Skifta <-> Windows Media Player on my own Android phone that you can restrict access by phone MAC address. So how do you do it here?
They are exactly right, it’s a huge exposure.
What network are you using? I am very interested that you are having good enough results to roll out.
The bottom line is you can’t filter by MAC address. It’s a networking issue. MAC addresses are only relevant on your local LAN segment. Once the phone is on another network and the traffic passes through a router, the information is being transported at Layer 3 (OSI model); MAC addressing is a Layer 2 construct.
Also the fact you don’t have a fundamental understanding of networking yet have exposed your system to the Internet has me concerned that you may be at risk.
My first suggestion is to utilize a security audit. If you have a network consultant they could work with an experienced telephony engineer to button up your network.
Realistically you have three ways to accomplish what you want to do:
1 - VPN… Mobile VPNs are now a reality. Both Cisco and Juniper have very lightweight mobile SSL VPN clients. Personally I have had great luck with the Junos Pulse client from Juniper on Android devices.
2 - Careful access list selection. If you know the geographic boundaries and carrier of your users you should be able to reduce your footprint significantly.
3 - Firewall with source domain access lists. Advanced enterprise firewalls have the ability to build access policies. As a for instance, on the above mentioned Juniper device you can set a rule that is “allow inbound SIP from all devices at .sub.myvzw.com” that would allow only mobiles originating from Verizon PDSNs.
I hope this information is useful to you. These are the best security questions that have been asked in quite a while.
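To make option 2 concrete, here is an added example (not from the thread or the FreePBX project) that evaluates a sip.conf-style `deny`/`permit` list the way Asterisk does: rules are walked in order, the last matching rule wins, and no match means allow. The carrier ranges in the sample fragment are constructed placeholders; the point is that only the routed source IP is available for the decision, never the handset's MAC.

```python
import ipaddress

# Constructed sip.conf-style fragment (placeholder ranges, not real carrier blocks).
# The deny-all line must come first: with no match Asterisk allows by default.
EXAMPLE_ACL = [
    "deny=0.0.0.0/0.0.0.0",
    "permit=198.51.100.0/24",          # CIDR form
    "permit=203.0.113.0/255.255.255.0",  # dotted-netmask form, also accepted
]

def parse_acl(lines):
    """Turn permit=/deny= lines into ordered (is_permit, network) rules."""
    rules = []
    for line in lines:
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key not in ("permit", "deny"):
            continue  # ignore unrelated sip.conf keys
        rules.append((key == "permit", ipaddress.ip_network(value.strip(), strict=False)))
    return rules

def acl_allows(rules, source_ip):
    """Asterisk semantics: every rule is checked, the last match decides, default allow.

    Only the Layer 3 source address is usable here. The phone's MAC address is
    rewritten at the first router hop, so it can never be an ACL criterion.
    """
    addr = ipaddress.ip_address(source_ip)
    result = True
    for is_permit, net in rules:
        if addr in net:
            result = is_permit
    return result

EXAMPLE_RULES = parse_acl(EXAMPLE_ACL)

if __name__ == "__main__":
    # Constructed REGISTER source addresses: one inside the allowed range, one outside.
    for ip in ("198.51.100.7", "192.0.2.9"):
        print(ip, "allowed" if acl_allows(EXAMPLE_RULES, ip) else "denied")
```

Because the last match wins, swapping the order (permit first, deny-all last) silently blocks everyone, which is the mistake to check for when reviewing a peer's ACL.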
Thanks for the answers, and explaining about MAC availability. I had not realized that it was restricted to Layer 2.
And thanks for the concern about our network, but this is being tested in a walled garden so we are good as far as that is concerned.
It seems to me that the VPN route is the way to go. We are not geographically constrained, and can’t restrict by mobile carrier in any useful way.
I’ll ‘reply’ here on how successful we are in trying out that combination.