System information

DMZ
Placing your VoIP system in a demilitarized zone (DMZ) can provide an additional
layer of protection for your LAN, while still allowing connectivity for relevant
applications. Should your VoIP system be compromised, it will be much more difficult to
use it to launch an attack on the rest of your network, since it is not trusted. Regardless
of whether you deploy within a DMZ, any abnormal traffic coming out of the system
should be considered suspect.
Server hardening
Hardening your Asterisk server is critical. Not only are there performance
benefits to doing this (running nonessential processes can eat up valuable CPU
and RAM resources), but the elimination of anything not required will reduce the
chance that an exploited vulnerability in the operating system can be used to gain access
and launch an attack on other parts of your network.
Running Asterisk as non-root is an essential part of system hardening. See Chapter 3
for more information.
Encryption
Asterisk 1.8 includes the ability to use both SIP TLS for the encryption of signaling and
SRTP for the encryption of the media between endpoints. More information about
encrypting SIP calls can be found in “Encrypting SIP calls” on page 150. Asterisk has
also supported encryption between endpoints using IAX2 since version 1.4.
Information about enabling encryption across IAX2 trunks can be found in
“IAX encryption” on page 154.
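A configuration check for the SIP TLS and SRTP settings mentioned above, as an added example (not from the book or the Asterisk project): it parses a constructed sip.conf, resolves templates, and lists peers that still allow cleartext signaling or do not enable SRTP. The sample peers and the `parse` and `audit` helper names are assumptions for illustration, and the check assumes `encryption` is set per peer or through a template.

```python
import re
# Constructed sample sip.conf, not from the book. tlsenable, transport and
# encryption are chan_sip options in Asterisk 1.8.
SAMPLE_SIP_CONF = """\
[general]
tlsenable=yes
[secure](!)            ; template
transport=tls
encryption=yes
[alice](secure)
type=friend
[bob]
type=friend
transport=udp,tls      ; still accepts cleartext signaling
[carol](secure)
type=friend
encryption=no          ; overrides the template
"""

SECTION = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")

def parse(text):
    """Return {section: (is_template, options)} with templates resolved."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments
        m = SECTION.match(line)
        if m:
            mods = [x.strip() for x in (m.group(2) or "").split(",") if x.strip()]
            opts = {k: v for p in mods if p != "!" for k, v in sections[p][1].items()}
            current = sections[m.group(1)] = ("!" in mods, opts)  # "!" marks a template
        elif current and "=" in line:
            key, value = line.split("=", 1)
            current[1][key.strip().lower()] = value.strip().lower()
    return sections

def audit(text):
    """Return (peer, problem) pairs for peers that permit unencrypted calls."""
    sections = parse(text)
    general = sections.get("general", (False, {}))[1]
    findings = [] if general.get("tlsenable") == "yes" else [("general", "tlsenable is not yes")]
    for name, (is_template, opts) in sections.items():
        if is_template or "type" not in opts:        # only real peers
            continue
        if opts.get("transport", general.get("transport", "udp")) != "tls":
            findings.append((name, "cleartext SIP transport allowed"))
        if opts.get("encryption", "no") != "yes":
            findings.append((name, "SRTP not enabled"))
    return findings
```

Calling `audit(SAMPLE_SIP_CONF)` flags bob for both problems and carol for the template override, while alice passes.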
Physical security
Physical security should not be ignored. All terminating equipment (such as switches,
routers, and the PBX itself) should be secured in an environment that can only be
accessed by authorized persons. At the user end (such as under desks), it can be more
difficult to deliver physical security, but if the network responds only to devices that it
is familiar with (e.g., restricting DHCP to devices whose MAC addresses are known),
the risk of unauthorized intrusions can be mitigated somewhat.
Conclusion
Over the last couple of years the telecom industry has embraced VoIP, which sets
Asterisk up to do quite well. While Asterisk has been doing VoIP for years (well over
a decade now), the integration of VoIP and traditional telephony into a single, powerful
platform has made Asterisk a major player in the telecommunications industry.