VOIP security

From Wildsong

Best practices

Keep your PBX behind a firewall.

Regularly review your dial plan and tune and test it.

Read and follow the advice in the Asterisk source code on best practices.

Remove unneeded modules.

Limit services running on the PBX server.

Use ACLs.

Use VPNs between sites.

Back up log files.

Config files should not be world readable.

Tools

http://voipsa.org/Resources/tools.php

http://hackingvoip.com/sec_tools.html

SIPVicious http://sipvicious.org/

  • svmap - scanner
  • svwar - identify extensions
  • svcrack - exploit weak passwords
  • svreport - reporting tool

VOIPPack for Canvas

IaxPingPoker

Wireshark

sipsak

SIPp

vomit

Books and docs

Hacking VOIP Exposed

Hacking VOIP, No Starch Press, 2008

NIST SP800-58 "Security Considerations for VOIP Systems"

Contacts

From the Digium-sponsored "Asterisk VOIP Security" 2009 webinar

VOIPSA = VOIP Security Alliance http://voipsa.org



Special agent Michael T McAndrews
FBI - Oklahoma City Division
[email protected]
405-290-7770