When I came across a blog on Huffington Post that called Asterisk out on the security of their open source VoIP platform I just had to know, is this true?
So I asked Asterisk (after I said “asked Asterisk” five times fast) and got this detailed response from David Duffett, Director of Worldwide Asterisk Community.
Duffett (@dduffett) explains that protecting your network is not a whole lot unlike fortifying your house against break-ins.
VoIP Supply: Who is the Asterisk VoIP platform designed for?
David Duffett: The Asterisk IP communications engine is for anyone that wants to create a flexible and powerful communications solution. Asterisk configuration is performed through a number of ASCII text files, and this is why a number of pre-packaged IP PBX solutions based on Asterisk have become available that allow configuration via a web GUI.
VS: Why open source?
DD: When Mark Spencer (the creator of Asterisk and CTO of Digium) decided to make Asterisk an open source project, he did this in part to liberate the stodgy, closed world of telecoms, but also to allow (and encourage) contributions to Asterisk from people all over the world that are particularly keen to see Asterisk enhanced in specific directions (like conferencing and contact centre applications).
“VoIP systems built on the open-source telephone platform Asterisk are routinely subject to hacking attempts, and should be avoided.”
VS: What VoIP security measures can Asterisk take to secure their systems from hackers?
DD: Although there are a number of places within Asterisk that could be configured to enhance security, I would like to make some more general points:
The mention of only Asterisk in point 5, regarding security, is extremely misleading.
To set the scene, PBXs, even before the advent of IP communications, have always been subject to attacks of one sort or another – all the way from people trying to hack into voicemail boxes to full scale toll fraud through PRIs or even analog lines.
*ANY* SIP IP PBX that has an open connection to the internet (i.e., not within a VPN, or not tied down to a specific IP address, or addresses) will be subject to hacking attempts.
Asterisk is certainly the most popular and established open source communications engine in the world, with millions of Asterisk-based IP PBXs out there – but they are by no means particularly prone to issues of this nature. Just like any type of system – it’s all in the implementation. If that is done in a sloppy way, it could lead to trouble.
There is lots of information around on the internet about certain brands of proprietary IP PBXs and potential vulnerabilities, but to focus on the PBX is to miss the main point about securing IP systems – and that is to ensure proper measures are taken at the network level, before thinking of applications running in the network like a PBX or a CRM system.
If you found a robber in your kitchen, you know that he would have broken into your house through the front door, back door or a window. The best thing to do would be to improve the security on the exterior of your house so as not to let the robber in! And so it is with your network… Stop the bad guys getting into your network in the first place!
Anything you can do in a given appliance or application like an IP PBX or a CRM system should be seen as a secondary line of defence.
Due to the power and flexibility of Asterisk, there are actually more things you can do on an Asterisk PBX to detect and prevent any form of compromise than there are on any other PBX solution. Of course, they must be implemented and adjusted by people that know what they are doing.
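Two of Duffett's points above, that a SIP PBX should be tied down to known source addresses and that the PBX itself can still detect compromise attempts as a second line of defence, can be made concrete with a small log check. The following is an added example written for this page, not Asterisk's own code or a tool from Digium: it parses constructed log lines in the shape of the NOTICE messages Asterisk's chan_sip driver writes on a failed REGISTER, flags any source that bursts through a failure threshold (the brute-force pattern that the "hacking attempts" in the quoted blog refers to), and separately lists every source outside an assumed trusted-address list, since with the PBX locked to specific addresses those should not appear at all. The sample lines, the trusted networks and the threshold are assumptions for illustration; tools such as fail2ban automate the same idea in production.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape of the NOTICE messages Asterisk's
# chan_sip channel driver logs on a failed REGISTER. They are not copied from
# a real system; timestamps and addresses are made up (RFC 5737 test ranges).
SAMPLE_LOG = """\
[2013-03-04 10:15:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.23:5060' - Wrong password
[2013-03-04 10:15:02] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.23:5060' - Wrong password
[2013-03-04 10:15:02] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.23:5060' - No matching peer found
[2013-03-04 10:15:03] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '198.51.100.23:5060' - No matching peer found
[2013-03-04 10:15:04] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '198.51.100.23:5060' - Wrong password
[2013-03-04 10:15:05] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '10.0.0.15:5060' - Wrong password
[2013-03-04 10:15:06] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '10.0.0.15:5060' - Wrong password
[2013-03-04 10:20:30] NOTICE[2231] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '203.0.113.77:5060' - Wrong password
"""

# Assumed trusted ranges: the office LAN and a VPN pool. A PBX "tied down to
# specific IP addresses" would only accept SIP from these in the first place.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>[\d.]+):\d+' - (?P<reason>.*)$"
)


def parse_failures(text):
    """Return (timestamp, source_ip, reason) tuples, one per failed REGISTER."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log lines are ignored
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("reason")))
    return events


def find_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Map source IP -> peak number of failures seen inside any one `window`.

    Only sources that reach `threshold` are returned. A sliding window over
    each IP's sorted timestamps means a slow trickle of typos from a real
    phone is ignored while a burst of extension/password guesses is flagged.
    """
    per_ip = defaultdict(list)
    for ts, ip, _reason in events:
        per_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def outside_allowlist(events, trusted):
    """Sources that tried to register but sit outside every trusted network.

    If the PBX is locked to known addresses these should never appear, so a
    single hit is worth investigating regardless of volume.
    """
    return {
        ip for _ts, ip, _reason in events
        if not any(ip_address(ip) in net for net in trusted)
    }


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("burst offenders:", find_brute_force(evs))
    print("untrusted sources:", sorted(outside_allowlist(evs, TRUSTED_NETWORKS)))
```

Run against the constructed lines, the burst check reports only 198.51.100.23 (five failures in four seconds), while the allowlist check also surfaces 203.0.113.77 after a single attempt: that is the difference between reacting to an attack once it is under way and noticing that the perimeter is not tied down in the first place, which is the order of priorities Duffett describes.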