Page 234 - Asterisk™: The Future of Telephony

               DMZ.  Placing your VoIP system in a DMZ can provide an additional layer of protection
               for your LAN, while still allowing connectivity for relevant applications. Should your
               VoIP system be compromised, it will be much more difficult to use it to launch an attack
               on the rest of your network, since it is not trusted. Regardless of whether you deploy
               within a DMZ, any abnormal traffic coming out of the system should be suspect.

               Server hardening.  Hardening your Asterisk server is critical. Not only are there
               performance benefits to doing this (running nonessential processes can eat up valuable
               CPU and RAM), but the elimination of anything not required will also reduce the chance
               that an exploited vulnerability in the operating system can be used to gain access and
               launch an attack on other parts of your network.
               Running Asterisk as non-root is an essential part of system hardening. See
               Chapter 11 for more information.

               Encryption
               Even though Asterisk does not yet fully support SRTP, it is still possible to encrypt VoIP
               traffic. For example, between sites a VPN could be employed. Consideration should
               be given to the performance cost of this, but in general this can be a very effective way
               to secure VoIP traffic and it is relatively simple to implement.

               Physical security
               Physical security should not be ignored. All terminating equipment (such as switches,
               routers, and the PBX itself) should be secured in an environment that can only be
               accessed by authorized persons. At the user end (such as under desks), it can be more
               difficult to deliver physical security, but if the network responds only to devices that it
               is familiar with (such as restricting DHCP to devices whose MAC is known),
               unauthorized intrusion can be mitigated somewhat.
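
One way to check that the known-MAC DHCP restriction described above is holding, as an added example that is not from the book: it parses a leases file in ISC dhcpd format and lists active leases held by MACs missing from the device inventory. ISC dhcpd as the DHCP server is an assumption, and the inventory, addresses and lease entries are constructed sample data.

```python
import re

# Constructed inventory of provisioned phones (assumption: yours comes from asset records).
KNOWN_MACS = {"00:04:f2:aa:10:01", "00:04:f2:aa:10:02"}

# Constructed sample in ISC dhcpd.leases format; later entries for an IP supersede earlier ones.
SAMPLE_LEASES = '''lease 10.20.0.51 {
  ends 2 2008/06/03 21:00:00;
  binding state active;
  hardware ethernet 00:04:F2:AA:10:01;
  client-hostname "phone-101";
}
lease 10.20.0.77 {
  binding state active;
  hardware ethernet 00:1B:63:0C:44:9E;
}
lease 10.20.0.60 {
  binding state active;
  hardware ethernet 00:16:CB:12:34:56;
}
lease 10.20.0.60 {
  binding state free;
  hardware ethernet 00:16:CB:12:34:56;
}
'''

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
FIELD_RE = re.compile(r"^\s*(hardware ethernet|binding state|client-hostname)\s+(.+?);\s*$", re.M)

def parse_leases(text):
    """Return the most recent record per IP: ip, mac (lowercased), state, hostname."""
    latest = {}
    for ip, body in LEASE_RE.findall(text):
        fields = dict(FIELD_RE.findall(body))
        latest[ip] = {"ip": ip, "mac": fields.get("hardware ethernet", "").lower(),
                      "state": fields.get("binding state", "unknown"),
                      "hostname": fields.get("client-hostname", "").strip('"')}
    return list(latest.values())

def unknown_devices(text, known_macs):
    """Active leases whose MAC is not in the inventory (case-insensitive match)."""
    known = {m.lower() for m in known_macs}
    return [l for l in parse_leases(text)
            if l["state"] == "active" and l["mac"] not in known]

if __name__ == "__main__":
    for lease in unknown_devices(SAMPLE_LEASES, KNOWN_MACS):
        print("unknown device:", lease["ip"], lease["mac"])
```

An empty result only shows that every active lease matches an inventoried MAC; it does not authenticate the device behind that address, which is why the text says intrusion is mitigated "somewhat".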

               Conclusion

               If you listen to the buzz in the telecom industry, you might think that VoIP is the future
               of telephony. But to Asterisk, VoIP is more a case of “been there, done that.” For
               Asterisk, the future of telephony is much more exciting. We’ll take a look at that vision a
               bit later, in Chapter 15. In the next chapter, we are going to delve into one of the more
               revolutionary and powerful concepts of Asterisk: AGI, the Asterisk Gateway Interface.














               206 | Chapter 8: Protocols for VoIP