Jeffrey Walton
2014-Jul-26 12:23 UTC
[asterisk-users] Security Architecture or Security Evaluations Docs?
Does anyone know of Security Architecture or Security Evaluations documents that I could read? Searching is turning up no hits. For example, http://www.google.com/#q=security+evaluation+site:asterisk.org and http://www.google.com/#q=security+architecture+site:asterisk.org.
Patrick Laimbock
2014-Jul-26 13:18 UTC
[asterisk-users] Security Architecture or Security Evaluations Docs?
On 26-07-14 14:23, Jeffrey Walton wrote:> Does anyone know of Security Architecture or Security Evaluations > documents that I could read? > > Searching is turning up no hits. For example, > http://www.google.com/#q=security+evaluation+site:asterisk.org and > http://www.google.com/#q=security+architecture+site:asterisk.org.Assuming "security+evaluation" refers to Common Criteria, I'm not aware of any Common Criteria initiatives in relation to Asterisk (nor FreeSWITCH, OpenSIPS, Kamailio, Yate or any other Open Source VoIP project I'm aware of). Asterisk is a toolbox with many flexible building blocks and not a product like Cisco CallManager with pre-defined features set in stone. As such it doesn't really make sense to get Asterisk certified, if possible at all. It would be like trying to certify C or Python. If EALx certification is your requirement then have a look at the CallManager as iirc it's EAL1 certified. Re "asterisk+architecture", Asterisk Security related best practices are described here: http://svn.asterisk.org/svn/asterisk/trunk/README-SERIOUSLY.bestpractices.txt HTH, Patrick