[Asterisk-Users] Internet Dial-in security questions

Stefano Finetti ssfinetti at lynxautomotive.it
Fri Apr 25 04:09:13 MST 2003


----- Original Message ----- 
From: "Skuse, Phil" <Phil.Skuse at vicorp.com>
To: <asterisk-users at lists.digium.com>
Sent: Friday, April 25, 2003 12:29 PM
Subject: [Asterisk-Users] Internet Dial-in security questions


>
> sip:<number>@asterisk-server.mycompany.com
>
> should connect just fine (except currently it will be blocked by the
> firewall). Our firewall knows nothing about SIP, so presumably I have to
> open port 5060 and all UDP high ports (in and out)?
>
> What are the security implications of doing this? Do I need to secure the
> asterisk server in the same way that I would for other publicly accessible
> servers? (grsecurity + closing all non-essential ports + removing all suid
> programs and unnecessary daemons)
>
> Presumably I also need to setup proper contexts so that internet callers
> cannot access the PSTN or voicemail? Anybody have an example of this?

You can get around the security problems in this way:

You must open those ports only to the clients you want to let use the system.

In other words, give 'em the possibility to REGISTER on your * SIP server.
Place them in a different context, a "Bunker" context in which they can
*ONLY* make the calls you want to let 'em make. No outgoing, no voicemail
includes.

Assuming you're using ipchains or iptables for firewalling under Linux, you
should verify that port 5060 and the UDP ports are open only from
specified sources. This has a problem inside: if your clients have dynamic
IP addresses, you can't put them in the source field of the firewall.
So, to avoid (or better, to bypass) the problem, make sure you use a good
authentication system for the SIP clients.

>
> Are there any particular security risks that I need to defend against?
>
> Would it be better to put a secured asterisk server outside the firewall and
> connect it to the internal one with IAX? Does this require fewer ports open
> on the firewall?

Basically, you can save some ports, but there's the other side of the coin:
the "external" asterisk box will be attackable (unless you put a firewall
on it, and then you have the same problem with the ports again), and if someone
takes control of your * box, he can then call anywhere over IAX using your
lines.


These are just my 2 cents, hoping to help you.

--
Stefano
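A sketch of the "Bunker" setup described in the reply above, added here as an illustration and not part of the original thread. The peer name, secret, extensions, channel names and address range are constructed; the sip.conf keys and dialplan syntax follow Asterisk's configuration format of the time.

```ini
; sip.conf -- Internet-facing SIP clients are authenticated and confined to "bunker"
[general]
bindport=5060
bindaddr=0.0.0.0
context=bunker                  ; callers matching no peer land here, never in an outgoing context

[remote-phone]                  ; constructed peer name for a client you let REGISTER
type=friend
secret=ReplaceWithLongRandomSecret   ; placeholder; with dynamic IPs the password is the real gate
host=dynamic                    ; client IP changes, so no static firewall source rule is possible
context=bunker                  ; calls from this peer only see the bunker dialplan
nat=yes
disallow=all
allow=ulaw
; If a client does have a fixed address, also pin it at the peer level (constructed range):
; deny=0.0.0.0/0.0.0.0
; permit=203.0.113.0/255.255.255.0

; extensions.conf
[outgoing]                      ; PSTN access: reachable from [internal] only
exten => _9.,1,Dial(Zap/g1/${EXTEN:1})
exten => _9.,2,Hangup

[mailbox]                       ; voicemail menu: reachable from [internal] only
exten => 8500,1,VoicemailMain
exten => 8500,2,Hangup

[internal]                      ; trusted LAN phones get everything
include => bunker
include => outgoing
include => mailbox

[bunker]                        ; Internet callers: ring two internal phones, nothing else
exten => 100,1,Dial(SIP/100,20)
exten => 100,2,Hangup
exten => 101,1,Dial(SIP/101,20)
exten => 101,2,Hangup
exten => _X.,1,Congestion       ; any other number, including 9-prefixed PSTN and 8500, is refused
exten => _X.,2,Hangup
```

Because [bunker] never includes [outgoing] or [mailbox], a registered Internet peer cannot reach the PSTN or voicemail even if it guesses the extensions; exact matches (100, 101) take precedence over the catch-all _X. pattern.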



