On Wed, Sep 30, 2009 at 5:23 PM, rb4centos@gmail.com wrote:
-----Original Message----- From: Brian Mathis
The difference is that CentOS is a general-purpose OS that can be used for many things, and has a much bigger installed base. That makes it more of a target and would likely be included in scanning tools. A custom OS running on a PBX might also have vulnerabilities, but it's also probably not a big target because of the diversity of systems out there and relatively limited utility one would have if such a system were compromised.
That you tend to think of it as an "appliance" running the phone system does not change the fact that it's actually a full-blown server OS with the same issues as other servers.
But if you're not connected to the Internet none of this means anything. CentOS/Asterisk *would* be an appliance under these conditions. There are no "server" vulnerabilities because you're not connected to a LAN.
Apologies if this is unreadable. I'm typing on my Centro and I do that very often.
"Not connected to the Internet", and "not connected to a LAN" are very different things. I doubt VOIP would work if the server was not connected to a LAN. There could be quite a few things on the LAN, depending on its size, such as viruses, malware, and even users doing scans of the network. Don't assume that "out there" is insecure, and "in here" is secure. That's one of the biggest mistakes to make when creating a secure environment.