Hi, My company wants to put a SIP address on their website. The idea is that potential customers can call that address and will be forwarded to our main switchboard. It's fairly easy in theory because my asterisk server has a real IP address, so any calls to sip:<number>@asterisk-server.mycompany.com should connect just fine (except currently it will be blocked by the firewall). Our firewall knows nothing about SIP, so presumably I have to open port 5060 and all UDP high ports (in and out)? What are the security implications of doing this? Do I need to secure the asterisk server in the same way that I would for other publically accessible servers? (grsecurity + closing all non-essential ports + removing all suid programs and unnecessary daemons) Presumably I also need to setup proper contexts so that internet callers cannot access the PSTN or voicemail? Anybody have an example of this? Are there any particular security risks that I need to defend against? Would it be better to put a secured asterisk server outside the firewall and connect it to the internal one with IAX? Does this require less ports open on the firewall? Phil Skuse <phil.skuse@vicorp.com> **************************************************** Unix System Administrator, Vicorp Group Limited. Tel +44 (0)1753 660523 Fax +44 (0)1753 660501 The Telephony Engine Company http://www.vicorp.com ****************************************************
Stefano Finetti
2003-Apr-25 04:09 UTC
[Asterisk-Users] Internet Dial-in security questions
----- Original Message ----- From: "Skuse, Phil" <Phil.Skuse@vicorp.com> To: <asterisk-users@lists.digium.com> Sent: Friday, April 25, 2003 12:29 PM Subject: [Asterisk-Users] Internet Dial-in security questions> > sip:<number>@asterisk-server.mycompany.com > > should connect just fine (except currently it will be blocked by the > firewall). Our firewall knows nothing about SIP, so presumably I have to > open port 5060 and all UDP high ports (in and out)? > > What are the security implications of doing this? Do I need to secure the > asterisk server in the same way that I would for other publicallyaccessible> servers? (grsecurity + closing all non-essential ports + removing all suid > programs and unnecessary daemons) > > Presumably I also need to setup proper contexts so that internet callers > cannot access the PSTN or voicemail? Anybody have an example of this?You can override problems about the secuity in this way: I must open that ports only to the clients you want to let use the system. In other words, give'em the possibility to REGISTER on your * SIP server. Place them in a different context, a "Bunker" context in which they can *ONLY* make the calls you want let'em do. No outgoing, no voicemail includes. Assuming you're using ipchains or iptables for firewalling under linux, you should verify that the 5060 port and the udp ports are open only from specified sources. This has a problem inside: if your clients have dynamical ip address, you can't put on the source field of firewall. So, to avoid (or better, to bypass the problem) make sure you use a good authentication system for the sip clients.> > Are there any particular security risks that I need to defend against? > > Would it be better to put a secured asterisk server outside the firewalland> connect it to the internal one with IAX? Does this require less ports open > on the firewall?Basically, you can save some port, but there's the worst part of the medal: the "external" asterisk box will be attackable (unless you put a firewall on, and then you've again the same problem with the ports), and if someone takes control of your * box, he can then call everywhere using your lines passing over IAX. These are just my 2 cents, hoping to help you. -- Stefano
Thanks for the response.> I must open that ports only to the clients you want to let use the system.But the whole point is that we want to allow *anyone* to phone us - without prior arrangement. Surely this must be possible?> Place them in a different context, a "Bunker" context in which they can > *ONLY* make the calls you want let'em do. No outgoing, no voicemail > includes.Yes, I agree.> Assuming you're using ipchains or iptables for firewalling under linux,you> should verify that the 5060 port and the udp ports are open only from > specified sources. This has a problem inside: if your clients havedynamical> ip address, you can't put on the source field of firewall. > So, to avoid (or better, to bypass the problem) make sure you use a good > authentication system for the sip clients.Again, I want to allow *anyone* to call sip:<number>@asterisk-server.mycompany.com so I can't filter on source IP.>> Would it be better to put a secured asterisk server outside the firewalland>> connect it to the internal one with IAX? Does this require less portsopen>> on the firewall?> Basically, you can save some port, but there's the worst part of themedal:> the "external" asterisk box will be attackable (unless you put a firewall > on, and then you've again the same problem with the ports), and if someone > takes control of your * box, he can then call everywhere using your lines > passing over IAX.What I was trying getting at here was to find out whether IAX can use just a narrow range of ports - or whether it uses masses of them like SIP. Then the external * machine can have all the SIP ports open to the world, but can be firewalled from the rest of my network (apart from allowing IAX to the internal * server) to limit the damage if it gets compromised. Presumably I can configure the internal * so that IAX calls from the external one go into the bunker context?> These are just my 2 cents, hoping to help you.Thanks -- Stefano _______________________________________________ Asterisk-Users mailing list Asterisk-Users@lists.digium.com http://lists.digium.com/mailman/listinfo/asterisk-users
> What I was trying getting at here was to find out whether IAX can use just a > narrow range of ports - or whether it uses masses of them like SIP. Then the > external * machine can have all the SIP ports open to the world, but can be > firewalled from the rest of my network (apart from allowing IAX to the > internal * server) to limit the damage if it gets compromised. Presumably I > can configure the internal * so that IAX calls from the external one go into > the bunker context?IAX only uses a single port (4569 for IAX2 or 5036 for IAX original) Mark