[Asterisk-Users] Open Ports
Antony Stone
Antony.Stone at Asterisk.Open.Source.IT
Sat Dec 18 05:17:22 MST 2004
On Saturday 18 December 2004 11:40, Rich Adamson wrote:
> > But, to return to my initial question, what's the security risk in
> > leaving your Asterisk server open to UDP packets from the world?
> >
> > I regard it like a mail server - a firewall allowing TCP packets through
> > to port 25 cannot protect against an application vulnerability in the
> > MTA; the application server itself has to be secure for your system to be
> > safe. Same goes for a web server, or an Asterisk server.
>
> If you have a small number of remote locations passing through the
> firewall, and, you write your inbound firewall rules to allow specific
> IP addresses, and, you forward those to a specific internal IP address,
> then there isn't much of a security issue.
>
> However, if you open all udp ports (e.g., 10000 - 20000) inbound _and_
> you happen to have other services running on that box that _might_ use
> those ports, then you're allowing access to those other services as
> well. (How many trojans, etc, happen to use ports in that range?)

I agree entirely - and I regard keeping your system free from trojans as an
application security matter, not a network security matter (which is what
firewalls are).

Make sure you know what applications are running on a machine (and make sure
you trust them) before you open it to the Internet. A firewall can't help
against an application exploit.

Regards,
Antony.

--
Anyone that's normal doesn't really achieve much.
- Mark Blair, Australian rocket engineer
Please reply to the list;
please don't CC me.
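
An added example, not part of the original message: one way to check, before forwarding UDP 10000 - 20000 to a box, which sockets bound in that range are not owned by Asterisk. The process name `asterisk`, the function names and the sample `ss` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Flag UDP listeners in the forwarded range that are not the expected daemon.
# Live use (as root, so process names are shown):
#   ss -H -ulnp | unexpected_udp_listeners

LOW=10000; HIGH=20000      # range quoted in the thread
EXPECTED=asterisk          # assumed process name of the daemon that should own it

unexpected_udp_listeners() {
    awk -v low="$LOW" -v high="$HIGH" -v want="$EXPECTED" '
    {
        # Local address is the first field ending in ":<digits>";
        # the peer column of an unconnected socket ends in ":*".
        local_addr = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { local_addr = $i; break }
        if (local_addr == "") next

        port = local_addr; sub(/.*:/, "", port)
        addr = local_addr; sub(/:[0-9]+$/, "", addr)
        if (port + 0 < low || port + 0 > high) next

        # Loopback-only sockets are not reachable through the forward.
        if (addr ~ /^127\./ || addr == "[::1]") next

        # Owner is missing when ss runs unprivileged: report it as unknown.
        name = "unknown"
        if (match($0, /\(\("[^"]+"/))
            name = substr($0, RSTART + 3, RLENGTH - 4)

        if (name != want) print port, addr, name
    }'
}

# Constructed sample of `ss -H -ulnp` output (not captured from a real host).
sample_ss_output() {
cat <<'EOF'
UNCONN 0 0 0.0.0.0:5060 0.0.0.0:* users:(("asterisk",pid=812,fd=14))
UNCONN 0 0 0.0.0.0:10234 0.0.0.0:* users:(("asterisk",pid=812,fd=22))
UNCONN 0 0 0.0.0.0:17185 0.0.0.0:* users:(("otherd",pid=1503,fd=3))
UNCONN 0 0 127.0.0.1:15000 0.0.0.0:* users:(("localonly",pid=700,fd=5))
UNCONN 0 0 [::]:12000 [::]:*
UNCONN 0 0 [::]:123 [::]:* users:(("ntpd",pid=640,fd=17))
EOF
}

sample_ss_output | unexpected_udp_listeners
```

Each output line is `port address owner`; an owner of `unknown` means the socket's process could not be read and should be identified before the range is opened.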