-----Original Message----- From: Brian Mathis
The difference is that CentOS is a general-purpose OS that can be used for many things, and has a much bigger installed base. That makes it more of a target and would likely be included in scanning tools. A custom OS running on a PBX might also have vulnerabilities, but it's also probably not a big target because of the diversity of systems out there and the relatively limited utility one would have if such a system were compromised.
That you tend to think of it as an "appliance" running the phone system does not change the fact that it's actually a full-blown server OS with the same issues as other servers.
But if you're not connected to the Internet none of this means anything. CentOS/Asterisk *would* be an appliance under these conditions. There are no "server" vulnerabilities because you're not connected to a LAN.
Apologies if this is unreadable. I'm typing on my Centro and I do that very often.
On Wed, Sep 30, 2009 at 4:23 PM, rb4centos@gmail.com wrote:
...and I *don't* do that very often.
On Wed, Sep 30, 2009 at 5:23 PM, rb4centos@gmail.com wrote:
"Not connected to the Internet" and "not connected to a LAN" are very different things. I doubt VOIP would work if the server was not connected to a LAN. There could be quite a few things on the LAN, depending on its size, such as viruses, malware, and even users doing scans of the network. Don't assume that "out there" is insecure and "in here" is secure. That's one of the biggest mistakes to make when creating a secure environment.
On Wed, Sep 30, 2009 at 5:15 PM, Brian Mathis brian.mathis@gmail.com wrote:
You're right. I was thinking like a phone tech -- that the VOIP system's wiring was still separate from the regular LAN.
Ron Blizzard wrote:
But even with old-school phone switches, your support contract would require software updates at regular intervals and unless you had redundant hot-failover equipment, that would involve scheduled downtime.
On Wed, Sep 30, 2009 at 5:34 PM, Les Mikesell lesmikesell@gmail.com wrote:
Not with Nortel. Patches were optional -- updates, new features and additional licenses were sold as separate products. That's in the PBX (Option) line of switches (almost all of which have been "dual core" -- redundant -- for about 25 years). In the Key System switches (Norstar), patches were unavailable, though you could buy keycodes to enable additional features. If you wanted to update you bought a new version of the software on a flash medium (if one was available).
Traditional telephone switches are expected to be up 24/7 unless you are doing a major upgrade -- and that's usually scheduled months in advance. The goal is to achieve the "five 9s" (99.999% uptime).
Ron Blizzard wrote:
Just to set your minds at ease (or not). I have a separate D-Link switch that does PoE (to power the snom phones) and VLANs, and set it up so that all the phones are on one VLAN called VOIP. The * server's single eth0 is also on this VLAN, but does also belong to the rest of the office on another VLAN called LAN. So - the snom phones (Linux based) can only see the * server. The * server can see the rest of the LAN - so in theory anyone on the local LAN can scan and see the CentOS based * server. We are however a very small office and I get to see all connected PCs in action. As I have some questions about SIP security I was not prepared to have the snom phones in any way being accessible to/from the LAN (let alone the Internet). Tks for comments and suggestions. Rob
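The layout above leaves the Asterisk box itself reachable from the office LAN, so the second line of defence is Asterisk's own SIP configuration: accept registrations and calls only from the phone VLAN, regardless of which interface a packet arrived on. The following is an added example, not code from the thread or from Rob's installation. It audits a chan_sip `sip.conf` for the settings that enforce that: `bindaddr`, `allowguest`, `alwaysauthreject` in `[general]`, and `deny`/`permit` plus a `secret` on every peer. The two sample configs are constructed, and the VOIP VLAN addressing (192.168.10.0/24, server at 192.168.10.1) is an assumption for illustration.

```python
"""Audit an Asterisk chan_sip sip.conf so SIP is only accepted from the phone
VLAN even though the server's eth0 is also reachable from the office LAN.
Added example for this thread; the configs and addresses are constructed."""
import ipaddress
from collections import defaultdict

# Assumed addressing (not from the thread): the phone VLAN and the server's address on it.
VOIP_NET = ipaddress.ip_network("192.168.10.0/24")
VOIP_SERVER_IP = "192.168.10.1"

# Constructed sip.conf with the weak settings a LAN-side scanner can abuse.
WEAK_SIP_CONF = """\
[general]
bindaddr=0.0.0.0                    ; also answers on the LAN vlan address
allowguest=yes                      ; chan_sip default: unauthenticated calls allowed
alwaysauthreject=no                 ; a scanner can tell which peer names exist
[snom-101]
type=friend
secret=example-only-101
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0   ; right: deny all, then permit the phone vlan
[snom-102]
type=friend
secret=example-only-102
host=dynamic
permit=192.168.10.0/255.255.255.0   ; no deny line, so this permit changes nothing
[snom-103]
type=friend
host=dynamic                        ; no secret at all
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0    ; the office LAN vlan, not the phone vlan
"""

# The same config with every finding fixed.
HARDENED_SIP_CONF = """\
[general]
bindaddr=192.168.10.1               ; listen on the VOIP vlan address only
allowguest=no
alwaysauthreject=yes
[snom-101]
type=friend
secret=example-only-101
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
"""


def parse_sip_conf(text):
    """Minimal chan_sip parser: {section: {key: [values in file order]}}.
    Repeated keys (deny/permit) are kept; a '[name](template)' suffix is
    dropped and template inheritance is not resolved."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()           # drop comments
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")]
            cfg.setdefault(section, defaultdict(list))
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            cfg[section][key.strip()].append(value.lstrip(">").strip())  # 'key => value' too
    return cfg


def _network(spec):
    try:                                              # accepts /24 or /255.255.255.0
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None


def audit_sip_conf(text, voip_net=VOIP_NET, server_ip=VOIP_SERVER_IP):
    """Return findings as strings; an empty list means SIP is confined to voip_net.
    Missing [general] settings are treated as unsafe: they must be set explicitly."""
    cfg = parse_sip_conf(text)
    last = lambda opts, key, default: opts.get(key, [default])[-1].lower()
    general, findings = cfg.get("general", {}), []
    if last(general, "bindaddr", "0.0.0.0") != server_ip:
        findings.append("general: bindaddr is not the VOIP vlan address, SIP answers on the LAN vlan too")
    if last(general, "allowguest", "yes") != "no":
        findings.append("general: allowguest is not 'no', unauthenticated INVITEs are accepted")
    if last(general, "alwaysauthreject", "no") != "yes":
        findings.append("general: alwaysauthreject is not 'yes', valid peer names can be enumerated")
    for name, opts in cfg.items():
        if name == "general" or last(opts, "type", "") not in ("friend", "peer", "user"):
            continue
        if not opts.get("secret"):
            findings.append(f"{name}: no secret, registration is unauthenticated")
        if not any(_network(d) == ipaddress.ip_network("0.0.0.0/0") for d in opts.get("deny", [])):
            findings.append(f"{name}: no deny=0.0.0.0/0.0.0.0, so permit= lines have no effect")
        permits = opts.get("permit", [])
        if not permits:
            findings.append(f"{name}: no permit= restricting it to the VOIP vlan")
        for spec in permits:
            net = _network(spec)
            if net is None or not net.subnet_of(voip_net):
                findings.append(f"{name}: permit {spec} is outside the VOIP vlan {voip_net}")
    return findings
```

Run `audit_sip_conf(WEAK_SIP_CONF)` and it reports three `[general]` problems plus the peers whose `permit` is useless without a preceding `deny`, points at the wrong VLAN, or has no `secret`; the hardened config returns no findings. The `deny`-before-`permit` ordering is the detail most often got wrong: chan_sip's ACL defaults to allow, so a bare `permit=` line restricts nothing.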
On Thu, Oct 1, 2009 at 1:46 PM, Rob Kampen rkampen@kampensonline.com wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I like that layout. I would think instant-messaging-type access might still be doable, to send short text messages to the phone display from workstations. The receptionist and those that want to check their voice mail from a web browser could be allowed.
Those HP multi-function printer/scanner/fax/copier machines can be very vulnerable, because a hacker calls into the fax to compromise the fax machine, which gives them full access to the inside of your LAN. I wonder how vulnerable Asterisk/Hylafax is to a dial-up rootkit. If so, even * connected to a VLAN and trunks would in theory still be vulnerable.