[asterisk-users] Suggestion for a new asterisk setup.

Colin Anderson ColinA at landmarkmasterbuilder.com
Fri Jan 12 14:25:09 MST 2007


>In the current setup, asterisk is behind a different nat/firewall than
>the LAN phones.  The phones are using sccp.  If the asterisk box is
>compromised, it is not on the local LAN.  This is what I think he
>doesn't want to give up.

Oho, now I see. Well, there's the philosophical endless debate about
security vs easy access. It's quite true that SIP will have a more
compromise-able footprint than SCCP, which is quite obscure these days. In
the end, your choices are security-through-obscurity using SCCP and a
separate NAT, or a standards-based, modern, cleaner implementation with a
single Asterisk box port-forwarded or dual-homed.

SCCP pros and cons:

Pros:

-Works today
-Protocol does not have large attack surface simply because it is obscure

Cons:

-Obscure. Any issue with SCCP will be difficult to research as time goes on;
isn't Cisco dropping it?
-SCCP will go bye-bye eventually in Asterisk just like ADSI, and then you are
painted into a corner forever with a 1.2.X box

SIP pros and cons:

Pros:

-Modern, interop (mostly) guaranteed 
-Not painted into a corner with respect to 3rd party stuff
-Security risks are well understood and can be mitigated through prudent
configuration
-Thousands of people hammer on SIP millions of times a day; if something
comes up with respect to security, you're going to hear about it.
-Well understood firewall/DMZ guidelines and advice.
-SIP will never go bye-bye. I can see SIP running 50 years from now. 

Cons:

-NAT of course
-Attack surface area larger
-More people trying to do bad things with it

Your first idea has merit, that of 2 separate boxes: 1 in the LAN, 1 outside
the LAN, tied together with IAX. I say IAX because you can use the Switch()
directive to shunt inbound calls from Box A to Box B and change dialplan
logic based on whether they are at the office or outside. Later versions of
Asterisk I believe support MWI through IAX. Advantage is, if the outside box
gets compromised, no big deal. Disadvantage is, 2 dialplans, 100% more points
of failure.

Maybe what you need for your security guy is some sort of executive summary
as to the state of the Union with respect to SIP security, what the risks
are, how they can be mitigated. SIP when set up half-assed is horribly
insecure, but when set up correctly it has no more and no less attack surface
area than httpd. Because otherwise you will never get this thing done and
you may as well put in a Meridian and issue cell phones.

good luck

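A worked configuration for the two-box design sketched in the post above, added here as an example and not taken from the original message or from any Asterisk sample file. Box A sits outside the LAN and owns the SIP trunk; Box B sits inside with the phones. Box A's extensions.conf hands anything it does not answer itself to Box B with an IAX2 `switch =>` statement, and Box B's iax.conf accepts that one peer only, locked to Box A's address and to a context that can ring phones but not dial out. The hostnames, addresses, context names, the `dmzlink` user, the secret, and the SCCP channel naming are placeholders chosen for this example.

```ini
; ===== Box A (outside the LAN, port-forwarded or dual-homed) =====
; extensions.conf
; Inbound trunk calls land in this context. No phone registers to Box A,
; so if it is compromised the attacker gets a box with one IAX2 link and
; no outbound dialing of its own. Addresses and secrets are placeholders.
[from-sip-trunk]
; Extensions Box A answers by itself (e.g. an outside-hours announcement)
exten => 7000,1,Answer()
exten => 7000,n,Playback(vm-goodbye)
exten => 7000,n,Hangup()
; Anything not matched above: ask Box B (192.168.1.10, assumed) whether
; its inside-from-dmz context has the extension, and route the call there.
switch => IAX2/dmzlink:CHANGE_ME_SECRET@192.168.1.10/inside-from-dmz

; ===== Box B (inside the LAN, talks to the phones) =====
; iax.conf
[general]
bindaddr=192.168.1.10
bindport=4569
; Deliberately no [guest] user: unauthenticated IAX2 calls have nothing
; to match, so only the peer below can place calls into Box B.

[dmzlink]
type=user              ; inbound-only: Box B never calls Box A through it
auth=md5               ; challenge/response; the secret is not sent in clear
secret=CHANGE_ME_SECRET
context=inside-from-dmz
; Pin the user to Box A's address: deny everything, then permit one host.
; 203.0.113.20 is a placeholder for Box A's outside-facing IP.
deny=0.0.0.0/0.0.0.0
permit=203.0.113.20/255.255.255.255
disallow=all
allow=ulaw

; extensions.conf
[inside-from-dmz]
; Calls arriving from the DMZ box may only ring local phones 100-199.
; Channel technology depends on the SCCP driver in use: chan_sccp dials
; SCCP/<line>, the bundled chan_skinny dials Skinny/<device>; SCCP/ is
; assumed here.
exten => _1XX,1,Dial(SCCP/${EXTEN},20)
exten => _1XX,n,Voicemail(${EXTEN}@default,u)
exten => _1XX,n,Hangup()
; Note what is absent: no 9-prefixed or _X. outbound patterns in this
; context, so a compromised Box A cannot use Box B as a toll relay.
```

The security-relevant pieces are the pairing of `type=user` with `deny`/`permit` on Box B, so the link only authenticates calls that arrive from Box A's address, and the fact that the context Box A is allowed into contains nothing but phone extensions. The shared secret appears in clear in Box A's `switch =>` line, so iax.conf and extensions.conf on both machines should be readable only by the asterisk user.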
