[asterisk-dev] [Code Review] 4379: Example configuration scenario - Super Awesome Company: Phase 1 - Patch 1

Steve Edwards asterisk.org at sedwards.com
Wed Feb 11 09:06:28 CST 2015

On Fri, 6 Feb 2015, rnewton wrote:

> I used MAC addresses as that is what we use as an example in our 
> security best practices document: 
> http://svnview.digium.com/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt?view=markup
> Perhaps this is a moot point. SAC's Asterisk system is behind NAT and 
> firewall, so we could change the spec to specify that IT has locked down 
> traffic between Asterisk and the public int ernet to only allow inbound 
> traffic from the ITSP addresses.
> Or, on Asterisk we can use ACL's to limit traffic allowed to the 
> internal network and ITSP addresses.
> With either of those approaches we should be able to use the less secure 
> extension numbered auth users.
> What would be the issues either of these approaches other than an 
> attacker on the internal network?

The issues are when some admin (through ignorance or mistake) 
misconfigures something that lets the 'default' configuration be 
exposed. Think security in layers. Each layer (OS, Asterisk, firewall) 
should protect itself as best it can.

Thanks in advance,
Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST
Newline                                              Fax: +1-760-731-3000

More information about the asterisk-dev mailing list