[asterisk-biz] PBX got Hacked

Steve Totaro stotaro at totarotechnologies.com
Tue Mar 10 01:24:04 CDT 2009


On Fri, Feb 13, 2009 at 1:46 PM, Gregory Boehnlein <damin at nacs.net> wrote:

> > > I think most experienced *nix administrators can handle their own
> > > IPTables, OpenVPN, and whatever else.
> > >
> >  I think maybe you misread my post. I don't think it's propaganda at
> > all. Switchvox, apparently, instructs you to put their device behind a
> > firewall. If you don't, then just like doing a poor plumbing job,
> > you're a prime candidate for "leaks" and things that come with "leaks"
> > down the line.
> >
> >  With regard to your post, "I think most experienced *nix
> > administrators can handle their own IPTables, OpenVPN, and whatever
> > else.". Yes. I totally agree, but as someone already raised the point,
> > how many of the authorized SwitchVox resellers actually have
> > "experienced *nix administrators" on staff?
>

There are plenty of consultants.  Once set up correctly, what else needs to
be done?


> > I sincerely doubt that's
> > one of their requirements to become a reseller, and while I do
> > understand it, I think to not have at least one of those types of
> > people on staff with those types of skills *should* be a requirement
> > for a good reseller.
>

Agreed, although I will never be a reseller with such draconian reseller
contracts.  It is not good for my customers nor me.


>
> I would have to agree with this assessment. Many of the installers that are
> out there trying to migrate from the Telephony world to the IP Converged
> world have absolutely no concept of Network security. Conversely, a lot of
> the Data focused service providers have little understanding of the world
> of Telephony.
>

I guess I am one of the lucky ones.  I am a CCNA and great at diagnosing
network issues and can also punch down a two hundred pair in my sleep.

>
> It is one of the most common problems that I run into in the field..
> Resellers and installers that have not done their homework, do not
> understand the complex engineering requirements of a Converged IP network
> and are just trying to stay afloat in a quickly shifting environment. In
> fact, I recently remarked to a co-worker that it seems that the majority of
> the consulting work that I'm doing is "Network Janitorial Services" where I
> am mopping up the complete messes created by clueless resellers.
>

I would say one third of my business is just that.  Not usually "the complex
engineering requirements of a Converged IP network."  Generally, they are
computer consultants that find Asterisk, decide it could be easy money,
charge too little, and wind up losing money by having to go back over and
over to fix issues, eventually dropping Asterisk/VoIP consulting because it
is a money pit without proper knowledge.  Let's face it, there are tons of
"Best Practices White Papers" on the net.


>
> That being said, Switchvox is an appliance. Think of it like a toaster that
> does one thing really well; make toast. In Switchvox's case, it is designed
> to make it easier to deploy IP and PSTN communications. They don't claim
> the system to be anything other than a PBX.


SwitchVox is merely a piece of software that has Asterisk "Under the Hood".
It can be installed on any platform.  I do not consider an HP DL380 an
"appliance".

The WRT54G and the like are "appliances" yet the devices running Linux are
truly awesome in what they can do beyond being an "appliance".


>
>
> Go ask Vodavi or Panasonic if they can provide firewalling services in
> their IP PBX products, and tell me what response you get.. More than likely
> they will give you a blank stare and ask "what is a firewall?".


Also ask them how much for a conference bridge.  Old paradigms are apples to
oranges.


>
>
> Here is the way that I view it. If I install a system for a customer, it is
> my obligation to inform the customer of their options and the liabilities
> inherent in any choices that they might make. That requires understanding
> of the system you are selling, and the architectures under which that system
> works best. If I don't know what I'm selling, how to secure it, install it,
> adhere to best-practices, then I'm ripping off my customer and shouldn't
> really be in the business of installing an IP system in the first place.
>
>
It is LAMP and Asterisk.  What is the other "magic" the box runs?  None that
I am aware of.

OpenVPN bridges and IPTables that block all other ports is the way to go.


-- 
Thanks,
Steve Totaro
+18887771888 (Toll Free)
+12409381212 (Cell)
+12024369784 (Skype)