[Asterisk-Users] Plugging Asterisk Security Holes....
andrewg at felinemenace.org
andrewg at felinemenace.org
Wed Mar 24 02:30:29 MST 2004
On Tue, Mar 23, 2004 at 07:53:46PM -0600, thisemailaddressisbogus at risehigh.com wrote:
> Hello,
>
> I am interested in knowing if someone has done any work on
>
> IPSec
I've used IPSec on transcontiental links with IAX no problems.
> for Asterisk boxes. If so, it will be nice if we can all share our
> experiences here. I am perticularly interested in finding out which
> solution is the best for securing voice channels over the internet.
Experimention would most likely be the better bet.. I'd imagine there wouldn't be
much difference between IPSec/CIPE/VTUN etc, just which you find easier to use.
> Assuming we use IAX protocol, does it make any difference?
IAX would be easier if you're going to implement firewalling/nat/other network
situations. Plus if you trunk calls, you can reduce the encryption needs.
As for where to do the encryption, a seperate box in front of asterisk would most
likely be the better bet; however some people who have high loads with encryption
on the asterisk boxes would care to comment?
>
> Another topic of interest is securing the box itself. Does a firewall
> (hardware outside of the box or a linux based firewall) suffice the need?
Depends what you are protecting against. If you want to assume some services are
exploitable, you could try to break some of the exploits by firewalling off all
ports not used, and prevent all outgoing connections from your box except for
ports you use on that box. If you use netfilter, you can create rules that
apply to user-ids as well, so you could allow asterisk more privileges.
If you code, it'd be worthwhile to look over the parts of the code you use,
(indeed, you may rely on it like logging info). There are some parts I can think
of that would need a look over (but those I don't use.)
As for other security things, follow what you'd follow for other boxes. You may
apply patches like grsecurity[1] or pax[2], you'd want to upgrade other boxes.
Granted, one of the more difficult things would be changing a working
installation, so you'd want to lock everything down as much as possible.. it
may be feasible for you to just allow asterisk to connect to certain hosts on
the internet.. do whatever you need to do so that you can trust the system. ;)
[1] http://www.grsecurity.net
[2] http://pax.grsecurity.net
>
> Let's discuss some of the security issues around asterisk here.
>
Really; this are implementation issues.. are you following your organsations
security policy, etc? ;)
You could define a threat model, what you'd propose to do to counter these
issues, but I think it would quickly become a not-asterisk* related issue,
more relating to network access.
> Thanks a lot for your feedbacks and comments.
>
> James
>
Hope this helps,
Andrew Griffiths
* As this should be applied for other network services you'd use.
More information about the asterisk-users
mailing list