[Asterisk-Users] secure

Altus Syman altus at stormcorp.co.za
Wed Sep 29 07:03:38 MST 2004


So if I have 2 network cards, one for the internal LAN and one for the 
public IP, I only need to open IAX2's ports on the public interface, not any 
RTP ports. This will happen between the internal interface and the phones?


Matthew Boehm wrote:

>The SIP signaling and RTP transmission only occur between the phone and *
>right?
>So as long as all ports to/from the phones (ie: firewall) and the * box are
>open, there shouldn't be any problems right?
>
>
>Matthew
>----- Original Message ----- 
>From: "Benjamin on Asterisk Mailing Lists" <benjk.on.asterisk.ml at gmail.com>
>To: "Asterisk Users Mailing List - Non-Commercial Discussion"
><asterisk-users at lists.digium.com>
>Sent: Wednesday, September 29, 2004 8:29 AM
>Subject: Re: [Asterisk-Users] secure
>
>
>>On Wed, 29 Sep 2004 14:17:10 +0200, Altus Syman <altus at stormcorp.co.za> wrote:
>>
>>>My question is how do I secure asterisk/sip.
>>>I got a firewall only allowing tcp/udp 5060?
>>>
>>In that case you are blocking the voice traffic.
>>
>>Although SIP is advertised as a VoIP protocol, it doesn't handle any
>>voice at all. It only handles signalling. Voice is handled by another
>>protocol, RTP, and by default the ports RTP uses for the voice traffic
>>are determined at random.
>>
>>Therefore, you will need to either customise your setup and fix the
>>RTP ports at both ends or you will have to open up all ports that RTP
>>could possibly be using (typically 10000-20000, sometimes 5000-8000).
>>
>>Personally, if you are concerned about security, I would recommend you
>>don't use SIP over the WAN. Use IAX between the servers.
>>Alternatively, use IPsec and build a tunnel between the two servers.
>>
>>See also my other post in another thread called "NAT Traversal" or
>>something like that.
>>
>>rgds
>>benjk
>>
>>-- 
>>Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya,
>>Tokyo, Japan.
>>
>>NB: Spam filters in place. Messages unrelated to the * mailing lists
>>may get trashed.
>>_______________________________________________
>>Asterisk-Users mailing list
>>Asterisk-Users at lists.digium.com
>>http://lists.digium.com/mailman/listinfo/asterisk-users
>>To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-users
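The layout discussed in this thread (IAX2 on the public interface, SIP and RTP only between the phones and the Asterisk box on the LAN) can be written as a default-deny ruleset. This is an added example, not part of any poster's message; the interface names, the LAN subnet and the function name `asterisk_fw_rules` are assumptions, and the RTP range must match `rtpstart`/`rtpend` in Asterisk's `rtp.conf`.

```shell
#!/bin/sh
# Added example (not from the thread). Emits an iptables-restore ruleset for
# a dual-homed Asterisk box:
#   public NIC : IAX2 only (UDP 4569 carries both signalling and voice)
#   LAN NIC    : SIP signalling (UDP 5060) and RTP media, phones' subnet only
asterisk_fw_rules() {
    pub_if=$1    # public-facing interface, e.g. eth0 (assumed name)
    lan_if=$2    # internal interface, e.g. eth1 (assumed name)
    lan_net=$3   # phone subnet, e.g. 192.168.1.0/24 (constructed value)
    rtp_lo=$4    # must equal rtpstart in rtp.conf
    rtp_hi=$5    # must equal rtpend in rtp.conf

    # Refuse a bad RTP range rather than emit a broken ruleset.
    for p in "$rtp_lo" "$rtp_hi"; do
        case $p in
            ''|*[!0-9]*) echo "RTP ports must be numeric" >&2; return 1 ;;
        esac
    done
    if [ "$rtp_lo" -ge "$rtp_hi" ] || [ "$rtp_hi" -gt 65535 ]; then
        echo "invalid RTP range $rtp_lo-$rtp_hi" >&2
        return 1
    fi

    # Default policy is DROP: SIP and RTP are never reachable from the
    # public side because no rule for them names the public interface.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $pub_if -p udp --dport 4569 -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p udp --dport 5060 -j ACCEPT
-A INPUT -i $lan_if -s $lan_net -p udp --dport $rtp_lo:$rtp_hi -j ACCEPT
COMMIT
EOF
}
```

The output is meant to be reviewed and then piped to `iptables-restore`, for example `asterisk_fw_rules eth0 eth1 192.168.1.0/24 10000 20000 | iptables-restore`.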