[Asterisk-Users] Plugging Asterisk Security Holes....
thisemailaddressisbogus at risehigh.com
Wed Mar 24 09:54:44 MST 2004
Thanks a lot for the detailed response. It's definitely informative.
I was wondering if you could discuss the IAX -- Ipsec setup you have?
Do you have a box outside of the Asterisk that takes care of the
or you have a PCI card of some kind? If so, did you have to muck with
the asterisk core in order to setup and tear down IPSec tunnels?
Sorry, lots of questions, but my curiosity is building up more and more.
Security (especially in the voice business) is another hot topic of interest
These days and I would love to know more about the process of (best)
securing voice channels.
Thanks to everyone who is participating in this discussion.
> I am interested in knowing if someone has done any work on
I've used IPSec on transcontinental links with IAX no problems.
> for Asterisk boxes. If so, it will be nice if we can all share our
> experiences here. I am particularly interested in finding out which
> solution is the best for securing voice channels over the internet.
Experimentation would most likely be the better bet.. I'd imagine there
much difference between IPSec/CIPE/VTUN etc, just which you find easier
> Assuming we use IAX protocol, does it make any difference?
IAX would be easier if you're going to implement firewalling/nat/other
situations. Plus if you trunk calls, you can reduce the encryption
As for where to do the encryption, a separate box in front of asterisk
likely be the better bet; however some people who have high loads with
on the asterisk boxes would care to comment?
> Another topic of interest is securing the box itself. Does a firewall
> (hardware outside of the box or a linux based firewall) suffice the
Depends what you are protecting against. If you want to assume some
exploitable, you could try to break some of the exploits by firewalling
ports not used, and prevent all outgoing connections from your box
ports you use on that box. If you use netfilter, you can create rules
apply to user-ids as well, so you could allow asterisk more privileges.
If you code, it'd be worthwhile to look over the parts of the code you
(indeed, you may rely on it like logging info). There are some parts I
of that would need a look over (but those I don't use.)
As for other security things, follow what you'd follow for other boxes.
apply patches like grsecurity or pax, you'd want to upgrade other
Granted, one of the more difficult things would be changing a working
installation, so you'd want to lock everything down as much as
may be feasible for you to just allow asterisk to connect to certain
the internet.. do whatever you need to do so that you can trust the
> Let's discuss some of the security issues around asterisk here.
Really; these are implementation issues.. are you following your
security policy, etc? ;)
You could define a threat model, what you'd propose to do to counter
issues, but I think it would quickly become a not-asterisk* related
more relating to network access.
> Thanks a lot for your feedbacks and comments.
Hope this helps,
* As this should be applied for other network services you'd use.
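An added example (written for this page, not code from any poster in the thread) of the netfilter approach described above: inbound closed except the ports the box serves, and outbound allowed only for the asterisk user-id on the port it needs. It assumes Asterisk runs as a dedicated user named asterisk, IAX2 on udp/4569, SSH on tcp/22, and a constructed management network 192.0.2.0/24.

```shell
#!/bin/sh
# Generates an iptables-restore ruleset rather than running iptables
# line by line, so the whole policy can be reviewed (or diffed against
# `iptables-save`) before it is loaded. Assumed values, not from the page:
ASTERISK_USER="${ASTERISK_USER:-asterisk}"   # uid Asterisk runs under
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"       # constructed management network

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and already-established flows in both directions
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# inbound: IAX2 from anywhere, SSH only from the management network
-A INPUT -p udp --dport 4569 -j ACCEPT
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m state --state NEW -j ACCEPT
# outbound: only the asterisk uid may open new IAX2 flows
# (the owner match is only valid on locally generated traffic, i.e. OUTPUT;
#  add DNS/NTP here the same way if the box needs them)
-A OUTPUT -p udp --dport 4569 -m owner --uid-owner ${ASTERISK_USER} -j ACCEPT
# log refused traffic, rate-limited, so a misbehaving service shows up
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
COMMIT
EOF
}

# Refuse to load anything that lost its default-drop policy, its owner
# restriction or its COMMIT (a truncated heredoc would silently pass otherwise).
ruleset_is_sane() {
    rs="$1"
    printf '%s\n' "$rs" | grep -q '^:OUTPUT DROP' || return 1
    printf '%s\n' "$rs" | grep -q -- "--uid-owner ${ASTERISK_USER}" || return 1
    printf '%s\n' "$rs" | grep -q '^COMMIT$' || return 1
    return 0
}

apply_ruleset() {
    rs="$(build_ruleset)"
    ruleset_is_sane "$rs" || { echo "refusing to load malformed ruleset" >&2; return 1; }
    printf '%s\n' "$rs" | iptables-restore
}

# usage: ./fw.sh preview   (print the ruleset)   |   ./fw.sh apply
case "${1:-preview}" in
    preview) build_ruleset ;;
    apply)   apply_ruleset ;;
esac
```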
Asterisk-Users mailing list
Asterisk-Users at lists.digium.com