VOIP security: Difference between revisions

From Wildsong
Brian Wilson (talk | contribs)
Created page with "== Best practices == Keep your PBX behind a firewall. Read and follow the advice in the Asterisk source code on best practices. == Vulnerability testing tools == SIPVicio..."
 
Brian Wilson (talk | contribs)
 
(6 intermediate revisions by the same user not shown)
Line 3: Line 3:
Keep your PBX behind a firewall.
Keep your PBX behind a firewall.


Read and follow the advice in the Asterisk source code on best practices.  
Regularly review your dial plan and tune and test it.


== Vulnerability testing tools ==
Read and follow the advice in the Asterisk source code on best practices.
 
Remove unneeded modules
 
Limit services running on the PBX server
 
Use ACLs
 
Use VPNs between sites
 
Back up log files
 
Config files should not be world readable.
 
== Tools ==
 
http://voipsa.org/Resources/tools.php
 
http://hackingvoip.com/sec_tools.html


SIPVicious http://sipvicious.org/
SIPVicious http://sipvicious.org/
Line 17: Line 35:


IaxPingPoker
IaxPingPoker
Wireshark
sipsak
[[SIPp]]
vomit
== Books and docs ==
Hacking VOIP Exposed
Hacking VOIP, No Starch Press, 2008
NIST SP800-58 "Secuiryt consideratoins for VOIP Systems"


== Contacts ==
== Contacts ==
Line 22: Line 56:
From Digium sponsored "Asterisk VOIP Security" 2009 webinar
From Digium sponsored "Asterisk VOIP Security" 2009 webinar


VOIPSA = VOIP Security Alliance
VOIPSA = VOIP Security Alliance http://voipsa.org
 
 





Latest revision as of 19:12, 19 June 2016

Best practices

Keep your PBX behind a firewall.

Regularly review your dial plan and tune and test it.

Read and follow the advice in the Asterisk source code on best practices.

Remove unneeded modules

Limit services running on the PBX server

Use ACLs

Use VPNs between sites

Back up log files

Config files should not be world readable.
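
One way to check the last item, as an added example that is not part of the original page: the functions below list Asterisk configuration files that users outside the owner and group can read or write, and mark those that hold `secret=` or `md5secret=` lines. The function names and the default directory /etc/asterisk are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed names: audit_conf_perms,
# fix_conf_perms, and the default directory /etc/asterisk.

# audit_conf_perms [DIR]
# Lists regular files under DIR that "other" users can read or write.
# Files holding secret= / md5secret= lines are tagged CREDENTIALS, the rest
# "exposed". Returns 0 if nothing is listed, 1 if something is, 2 on a bad DIR.
audit_conf_perms() {
    dir=${1:-/etc/asterisk}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    report=$(find "$dir" -type f \( -perm -004 -o -perm -002 \) -exec sh -c '
        for f in "$@"; do
            if grep -Eq "^[[:space:]]*(md5)?secret[[:space:]]*=" "$f" 2>/dev/null
            then echo "CREDENTIALS $f"
            else echo "exposed $f"
            fi
        done' sh {} +)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report" | sort
    return 1
}

# fix_conf_perms [DIR]
# Removes all access for "other" from DIR and from the files flagged above.
# Owner and group bits are left alone so the account running the PBX keeps
# whatever access it already had.
fix_conf_perms() {
    dir=${1:-/etc/asterisk}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" -type f \( -perm -004 -o -perm -002 \) -exec chmod o-rwx {} +
    chmod o-rwx "$dir"
}
```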

Tools

http://voipsa.org/Resources/tools.php

http://hackingvoip.com/sec_tools.html

SIPVicious http://sipvicious.org/

  • svmap - scanner
  • svwar - identify extensions
  • svcrack - exploit weak passwords
  • svreport - reporting tool

VOIPPack for Canvas

IaxPingPoker

Wireshark

sipsak

SIPp

vomit

Books and docs

Hacking VOIP Exposed

Hacking VOIP, No Starch Press, 2008

NIST SP800-58 "Security Considerations for VOIP Systems"

Contacts

From Digium sponsored "Asterisk VOIP Security" 2009 webinar

VOIPSA = VOIP Security Alliance http://voipsa.org



Special agent Michael T McAndrews
FBI - Oklahoma City Division
[email protected]
405-290-7770