[Asterisk-Users] Internet Dial-in security questions

Skuse, Phil Phil.Skuse at vicorp.com
Fri Apr 25 07:41:20 MST 2003


Thanks for the response.

> I must open those ports only to the clients you want to let use the system.

But the whole point is that we want to allow *anyone* to phone us - without
prior arrangement. Surely this must be possible?

> Place them in a different context, a "Bunker" context in which they can
> *ONLY* make the calls you want to let 'em do. No outgoing, no voicemail
> includes.

Yes, I agree.

> Assuming you're using ipchains or iptables for firewalling under linux, you
> should verify that the 5060 port and the udp ports are open only from
> specified sources. This has a problem inside: if your clients have dynamic
> ip addresses, you can't put them in the source field of the firewall.
> So, to avoid (or better, to bypass) the problem, make sure you use a good
> authentication system for the sip clients.

Again, I want to allow *anyone* to call
sip:<number>@asterisk-server.mycompany.com so I can't filter on source IP.

>> Would it be better to put a secured asterisk server outside the firewall and
>> connect it to the internal one with IAX? Does this require fewer ports open
>> on the firewall?

> Basically, you can save some ports, but there's the worst part of the medal:
> the "external" asterisk box will be attackable (unless you put a firewall
> on, and then you've again the same problem with the ports), and if someone
> takes control of your * box, he can then call everywhere using your lines
> passing over IAX.

What I was trying to get at here was to find out whether IAX can use just a
narrow range of ports - or whether it uses masses of them like SIP. Then the
external * machine can have all the SIP ports open to the world, but can be
firewalled from the rest of my network (apart from allowing IAX to the
internal * server) to limit the damage if it gets compromised. Presumably I
can configure the internal * so that IAX calls from the external one go into
the bunker context?

> These are just my 2 cents, hoping to help you.

Thanks

--
Stefano

_______________________________________________
Asterisk-Users mailing list
Asterisk-Users at lists.digium.com
http://lists.digium.com/mailman/listinfo/asterisk-users
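As an added illustration of the "bunker" context and the external-to-internal IAX link discussed in the thread (example configuration written for this page, not taken from the original posts or from the Asterisk project), the fragments below show how anonymous SIP calls arriving on the external box, and IAX calls arriving from that box on the internal one, can both be confined to a context that reaches only the published numbers. IAX2 listens on a single UDP port (4569 by default), so the hole between the external and internal box is one port from one source address. The peer/user names `internal-pbx` and `external-pbx`, the addresses, the secret placeholder and the extension numbers are all assumptions for the example.

```ini
; ================= external (public-facing) box =================

; ---- sip.conf ----
[general]
port=5060
bindaddr=0.0.0.0
; unauthenticated inbound SIP lands in the bunker context and nowhere else
context=bunker

; ---- extensions.conf ----
[bunker]
; only the numbers we publish are reachable; there is deliberately no
; "include =>" of an outbound, internal or voicemail context, so a caller
; (or a compromised external box) cannot reach the trunks from here
exten => 100,1,Dial(IAX2/internal-pbx/100,30)   ; assumed published number
exten => 100,2,Congestion
exten => 200,1,Dial(IAX2/internal-pbx/200,30)   ; assumed published number
exten => 200,2,Congestion
; anything else is refused
exten => _X.,1,Congestion
exten => _X.,2,Hangup

; ---- iax.conf ----
[internal-pbx]
type=peer
host=10.0.0.2            ; assumed address of the internal box
username=external-pbx    ; account the internal box expects us to use
secret=CHANGE_ME         ; placeholder, shared with the internal box

; ================= internal (trusted) box =================

; ---- iax.conf ----
[general]
bindport=4569            ; the one UDP port the firewall must admit

[external-pbx]
type=user
; calls from the external box are NOT trusted: same restricted context
context=bunker
secret=CHANGE_ME         ; placeholder, shared with the external box
; only the external box may authenticate as this user
deny=0.0.0.0/0.0.0.0
permit=192.0.2.10/255.255.255.255   ; assumed address of the external box

; ---- extensions.conf ----
[bunker]
; ring the internal phones and nothing more; again no "include =>"
exten => 100,1,Dial(SIP/100,20)
exten => 100,2,Congestion
exten => 200,1,Dial(SIP/200,20)
exten => 200,2,Congestion
exten => _X.,1,Congestion
exten => _X.,2,Hangup
```

With this layout the firewall between the two boxes needs only UDP 4569 from the external box's address to the internal box; the public side of the external box still needs 5060 plus its RTP range, which can be narrowed in rtp.conf (rtpstart/rtpend). Because neither bunker context includes any other context, a caller who reaches the external box, or an attacker who takes it over, can only ring the extensions listed there, not dial out over the company's lines.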


