[Asterisk-Users] Plugging Asterisk Security Holes....

Asterisk thisemailaddressisbogus at risehigh.com
Wed Mar 24 09:54:44 MST 2004

Hello Andrew, 

Thanks a lot for the detailed response. It's definitely informative. 
I was wondering if you could discuss the IAX -- Ipsec setup you have?
Do you have a box outside of the Asterisk that takes care of the
or you have a PCI card of some kind? If so, did you have to muck with
the asterisk core in order to setup and tear down IPSec tunnels?

Sorry, lots of questions, but my curiosity is building up more and more.
Security (especially in the voice business) is another hot topic of interest
these days, and I would love to know more about the process of (best)
securing voice channels.

Thanks to everyone who is participating in this discussion.


> Hello,
> I am interested in knowing if someone has done any work on
> IPSec

I've used IPSec on transcontinental links with IAX no problems.

> for Asterisk boxes. If so, it will be nice if we can all share our
> experiences here. I am particularly interested in finding out which
> solution is the best for securing voice channels over the internet.

Experimentation would most likely be the better bet.. I'd imagine there
wouldn't be much difference between IPSec/CIPE/VTUN etc, just which you
find easier to use.

> Assuming we use IAX protocol, does it make any difference?

IAX would be easier if you're going to implement firewalling/nat/other
situations. Plus if you trunk calls, you can reduce the encryption

As for where to do the encryption, a separate box in front of asterisk
would most likely be the better bet; however some people who have high
loads with on the asterisk boxes would care to comment?

> Another topic of interest is securing the box itself. Does a firewall
> (hardware outside of the box or a linux based firewall) suffice the

Depends what you are protecting against. If you want to assume some
services are exploitable, you could try to break some of the exploits by
firewalling off all ports not used, and prevent all outgoing connections
from your box except for ports you use on that box. If you use netfilter,
you can create rules that apply to user-ids as well, so you could allow
asterisk more privileges.

If you code, it'd be worthwhile to look over the parts of the code you
(indeed, you may rely on it like logging info). There are some parts I
can think of that would need a look over (but those I don't use.)

As for other security things, follow what you'd follow for other boxes.
You may apply patches like grsecurity[1] or pax[2], you'd want to upgrade other

Granted, one of the more difficult things would be changing a working
installation, so you'd want to lock everything down as much as
possible.. it may be feasible for you to just allow asterisk to connect
to certain hosts on the internet.. do whatever you need to do so that
you can trust the system. ;)

[1] http://www.grsecurity.net
[2] http://pax.grsecurity.net

> Let's discuss some of the security issues around asterisk here.

Really; these are implementation issues.. are you following your
security policy, etc? ;) 

You could define a threat model, what you'd propose to do to counter
issues, but I think it would quickly become a not-asterisk* related
more relating to network access.

> Thanks a lot for your feedbacks and comments.
> James

Hope this helps,
Andrew Griffiths

* As this should be applied for other network services you'd use.
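The firewalling advice in Andrew's reply (drop every port the box does not use, block all outgoing connections except the ones the box needs, and use netfilter's per-uid matching to give the asterisk user more outbound freedom than other local users) as a concrete netfilter ruleset. This is an added example, not code from the thread or from the Asterisk project. It assumes Asterisk runs as the `asterisk` user, peers speak IAX2 on UDP 4569, admin access is SSH from a management network, and IPsec peers are reached with IKE (UDP 500) and ESP (IP protocol 50); the addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): a netfilter ruleset applying the
# default-deny, restrict-outbound, per-uid advice from the reply above.
#
# Assumptions (not from the original post): Asterisk runs as the "asterisk"
# user, peers speak IAX2 on UDP 4569, admin access is SSH from a management
# net, IPsec peers use IKE (UDP 500) and ESP (protocol 50). All addresses
# below are constructed placeholders (RFC 5737 documentation ranges).

ASTERISK_USER="${ASTERISK_USER:-asterisk}"
IAX_PEERS="${IAX_PEERS:-192.0.2.10 198.51.100.20}"   # constructed
MGMT_NET="${MGMT_NET:-10.0.0.0/24}"                  # constructed
IPSEC_PEERS="${IPSEC_PEERS:-203.0.113.5}"           # constructed

# Dry-run by default: the rules are printed, not loaded.
# Run with IPT=iptables (as root) to actually apply them.
IPT="${IPT:-echo iptables}"

generate_rules() {
    # clean slate, default-deny in both directions
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP

    # loopback and replies to traffic we already allowed
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # inbound: only the services this box actually offers, only to known sources
    $IPT -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -j ACCEPT
    for peer in $IAX_PEERS; do
        $IPT -A INPUT -p udp --dport 4569 -s "$peer" -j ACCEPT
    done

    # IPsec control (IKE) and data (ESP) traffic with the tunnel peers
    for peer in $IPSEC_PEERS; do
        $IPT -A INPUT  -p udp --dport 500 -s "$peer" -j ACCEPT
        $IPT -A INPUT  -p esp -s "$peer" -j ACCEPT
        $IPT -A OUTPUT -p udp --dport 500 -d "$peer" -j ACCEPT
        $IPT -A OUTPUT -p esp -d "$peer" -j ACCEPT
    done

    # outbound: the owner match lets the asterisk uid reach its peers and DNS;
    # any other locally originated connection falls through to the DROP policy
    for peer in $IAX_PEERS; do
        $IPT -A OUTPUT -m owner --uid-owner "$ASTERISK_USER" \
             -p udp --dport 4569 -d "$peer" -j ACCEPT
    done
    $IPT -A OUTPUT -m owner --uid-owner "$ASTERISK_USER" -p udp --dport 53 -j ACCEPT

    # log what the policy drops, so tightening or loosening it is driven by evidence
    $IPT -A INPUT  -j LOG --log-prefix "fw-in-drop: "
    $IPT -A OUTPUT -j LOG --log-prefix "fw-out-drop: "
}

# Number of rules restricted to the asterisk uid; a quick sanity check
# that the per-user outbound allowances were generated as intended.
count_owner_rules() {
    generate_rules | grep -c -- "--uid-owner $ASTERISK_USER"
}

generate_rules
```

Running the script as-is prints the `iptables` commands so the ruleset can be reviewed first; `IPT=iptables sh fw.sh` as root loads it. The owner match only applies to locally generated packets, which is exactly the OUTPUT chain case the reply describes, and the trailing LOG rules are what tell you which legitimate flow you forgot before the DROP policy silently eats it.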
Asterisk-Users mailing list
Asterisk-Users at lists.digium.com