Thanks to a code contribution from Ranch Networks, there is now a new firewall module in the open source Asterisk IP PBX that dynamically opens and closes ports as needed.
In addition to the security code, Ranch has also announced a new lineup of VoIP appliances that integrate a dynamic firewall and bandwidth allocation together with Asterisk.
The dynamic firewall extensions for Asterisk, called net-sec, open and close port dynamically as needed in order to provide a higher degree of security for the IP PBX. That’s not to say that versions of Asterisk lacking net-sec are necessarily insecure.
Kevin P. Fleming senior software engineer at Digium and co-maintainer of Asterisk explained that Digium has always considered Asterisk to be fairly secure. Part of that belief is rooted in the fact that, historically speaking, Asterisk has had an extremely small number of security advisories.
However, there is always room for security improvement and that’s where the new Ranch-contributed code fits in.
“In the traditional scenario, where you are providing publicly available SIP services to the world, your Asterisk server is quite exposed, as you have to have large numbers of UDP ports open for media sessions, and they’re just open all the time,” Fleming told VoIPplanet.com
Fleming added that a potential attacker could relatively easily attack the Asterisk server with a DoS (denial of service) attack by streaming media at those open ports—which Asterisk will normally throw away.
“This technique says, no we’ll not have any of those ports open except when we absolutely need to, and then we’ll open them and it will only be open to the peer that we are communicating with,” Fleming said. “So even when we open up the port to accept media no one else will see that port as being open.’
The new security additions are currently available as a separate download, together with version 1.2.2 of Asterisk. Version 1.2.2 is the second point release in the 1.2.x branch of Asterisk, which was released last November.
The plan, according to Fleming, is for net-sec to be merged back into a single distribution for the next point release version 1.2.3 . Currently there is a point release of the open source version of Asterisk every three to four weeks.
Net-sec will not be part of the Business Edition of Asterisk until its next full release, which is expect by April of this year. The Business Edition is a version of Asterisk that has gone through enhanced stability testing and is also on a low frequency for updates.
The changes introduced by net-sec are more than just simply adding a firewall connection. “It’s not only a new module but it also requires modifications to the SIP channel driver so it would know at what points during the SIP negotiation to invoke the functionality in the firewall,” Fleming said.
Ranch Networks has contributed the net-sec code under the GNU GPL license, the same under which Asterisk is licensed.
In addition to the code contribution, Ranch is rolling out a new line of integrated, PBX-controlled VoIP appliances that provide enhanced security, bandwidth management, VPN, accounting, and switching. While the ‘RN’ family is designed to work with leading IP PBXs, Ranch is rolling out the Asterisk version first, “as it allow us to leverage a vast growing user base, a focused and enterprising reseller channel, and avoid the red tape of the proprietary PBX vendors,” according to Ram Ayyakad, Ranch Networks founder and CEO.
In total there are four new RN appliances from Ranch Networks—from the small-office RN300 on the low end (with three 10/100Mb ports) to the RN40 at the high end (with 10Gb ports)—ranging in price from $750 all the way up to $20,000.