[Asterisk-Users] Re: 911 and lawsuits and redundancy

Steven Critchfield critch at basesys.com
Wed Jan 7 09:53:25 MST 2004


On Wed, 2004-01-07 at 06:59, Rich Adamson wrote:
> > On Tue, 2004-01-06 at 21:08, Jonathan Moore wrote:
> > > These are good issues, but I am even thinking of something simpler and more
> > > common than crises. Such as this scenario.
> > > 
> > > I need to update my Asterisk server that runs all my phones in order to install a
> > > kernel update that fixes a security bug. This is something I would consider
> > > happening on a regular basis with a voip enabled system, whereas the traditional
> > > system might sit in a closet for 10 years never being touched. Let's say I don't
> > > want to stay at work until 2 am to reload the system when no one is there. How
> > > would you configure an * system(s) so that you could take a system offline
> > > during working hours without taking out all or parts of the system? 
> > 
> > Since the current kernel bug release is for a local exploit, you only
> > have to worry about it if you have local users on that machine. If
> > security was that high on your priority list and you have users logging
> > into your PBX machine, you might need to revisit your security
> > procedures. 
> 
> Not intending to be disrespectful of _any_ on the list (or digress too
> much from the original 911 topic), but given the number of * systems that 
> have been deployed (and exposed) that still have default values & assumptions 
> within their configurations, security at the OS level should be the least 
> of one's concerns. In other words, of all the implementations that exist,
> how many can truly state they have analyzed/tested their systems to 
> ensure exploits of open iax & sip connections have been properly addressed?

All I can say is that on any of the production machines I have, I have
gone through and removed all channel drivers for channels I don't use,
therefore removing SIP, MGCP, H323, and skinny from even opening outside
ports. This was done as an afterthought back when the potential SIP
exploit was uncovered. 

Interestingly enough, when I nmap my primary 2 asterisk boxes I don't
even see the IAX ports. Need to think about getting nmap patched for the
VoIP ports. Anyways, I only have ssh, smtp (outgoing only), auth, and
postgres showing up. I do know the IAX and IAX2 are there, but they are
tied to fixed addresses for endpoints. When I test, I have machines that
can run asterisk for the temporary times I want to test with more opened
up. They also are on predefined IP addresses that are strictly defined
in the primary machines.

That is how I am approaching my security for now.


-- 
Steven Critchfield  <critch at basesys.com>
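
[Added example, not part of the original message: a small audit of the two measures described above, unused channel drivers kept from loading and IAX peers tied to fixed addresses. The config text, the installed-module listing and the function names are constructed for illustration; it assumes the standard modules.conf `autoload`/`load`/`noload` lines and iax.conf `host=` entries.]

```python
import re

# Constructed sample configs (not from the post). chan_skinny.so is
# installed but has no noload line, so autoload would still load it.
MODULES_CONF = """[modules]
autoload=yes
noload => chan_sip.so
noload => chan_mgcp.so   ; unused channel
noload => chan_h323.so
"""
INSTALLED = ["chan_sip.so", "chan_mgcp.so", "chan_h323.so",
             "chan_skinny.so", "chan_iax2.so", "app_dial.so"]
IAX_CONF = """[general]
bindport=4569
[office-b]
type=friend
host=192.0.2.10
[test-box]
type=friend
host=dynamic
"""

def _lines(text):
    """Non-empty lines with ';' comments stripped."""
    stripped = (raw.split(";", 1)[0].strip() for raw in text.splitlines())
    return [s for s in stripped if s]

def loaded_channel_drivers(modules_conf, installed):
    """Channel drivers that would load. With autoload every installed module
    loads unless it has a noload line; without it only load lines count."""
    opts = {"autoload": ["yes"], "load": [], "noload": []}
    for line in _lines(modules_conf):
        m = re.match(r"(autoload|load|noload)\s*=>?\s*(\S+)", line)
        if m:
            opts[m.group(1)].append(m.group(2))
    auto = opts["autoload"][-1].lower() == "yes"
    chosen = (set(installed) if auto else set(opts["load"])) - set(opts["noload"])
    return sorted(mod for mod in chosen if mod.startswith("chan_"))

def unpinned_iax_peers(iax_conf):
    """IAX peers with host=dynamic or no host line (not a fixed address)."""
    hosts, section = {}, None
    for line in _lines(iax_conf):
        if line.startswith("["):
            section = line.strip("[]")
            hosts[section] = None
        elif section and (m := re.match(r"host\s*=\s*(\S+)", line, re.I)):
            hosts[section] = m.group(1).lower()
    hosts.pop("general", None)
    return sorted(p for p, h in hosts.items() if h in (None, "dynamic"))
```

On the constructed input the first function reports chan_skinny.so alongside chan_iax2.so, and the second reports test-box as the only peer not pinned to an address.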



