duncan at e-simple.co.nz Guest
|
Posted: Tue Jan 29, 2008 9:56 pm Post subject: [asterisk-users] Best practice security for internet access |
|
|
Hi All
For the scenario of a single asterisk server that needs to serve clients
on the net, as well as local office clients, I would be very interested
in people's views of the best method to handle security to prevent net
based attacks while still allowing the client access.
Some of the challenges I see are:
- preventing brute force and bot type attacks
- monitoring for unusual events and notifying and acting appropriately
- limiting damage if someone does get in
- avoiding a Denial or degradation of service on your asterisk platform
- making it easy for staff to use
Some of this can be done with
- firewall control - but its hard to limit where your clients will come
from, besides restricting ports
- scripts monitoring logs, I saw a recipe for checking password failures
then blocking that ip after x failures, I imagine this could get quite
sophisticated
- using separate restrictions for offnet users but this kind of makes it
harder for the staff members.
- using a proxy in front of asterisk for SIP, to limit the available
extensions and minimise the scanning impact on the asterisk box. I am
hoping this could detect and prevent illegitimate or poorly formed
requests or unknown user agents. Staff should be using a standard set.
- using iax softclients to shift the attack requirements - I don't know
much about how well these work
- running all clients over a vpn e.g open vpn, but this is not so good
for wireless handsets or other devices that can't do a vpn
I am interested in all views and recommendations
Thanks very much
Cheers Duncan |
|