<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@MS Mincho";
panose-1:2 2 6 9 4 2 5 8 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.apple-style-span
{mso-style-name:apple-style-span;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>After seeing how easy toll fraud is on Asterisk, it’s certainly something I want to investigate with FreeSWITCH. We put proxies in front just to add an extra layer of checking because FS is so big (or, Sofia is so complete) we aren’t always sure what it’ll do in every case (SIP is a huge mess of a spec, and following it exactly definitely means toll fraud). <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I think a lot of security can be quickly added by having clear documentation showing how to configure FS for common scenarios, like a VoIP provider. (Disabling 302s, refers, forcing NAT handling on for SIP in all cases, etc.)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Another issue I know is just waiting for exploit is the argument passing style. Every application is forced to come up with its own syntax for cramming arguments and options together, each with its own (not formally documented) escaping rules. That’s just ripe for someone exploiting bugs in other code. (I’ve seen a real-world, production system rooted precisely from this style of bug.)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Or do you mean lower level things like C-style bugs? Stuff that doesn’t exist in typesafe memory-verified languages? ;)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Michael<o:p></o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></a></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> freeswitch-users-bounces@lists.freeswitch.org [mailto:freeswitch-users-bounces@lists.freeswitch.org] <b>On Behalf Of </b>Brian West<br><b>Sent:</b> Friday, February 17, 2012 8:45 PM<br><b>To:</b> FreeSWITCH Users Help<br><b>Subject:</b> [Freeswitch-users] FreeSWITCH Security Hardening Project<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>While sitting here in the hospital I have been talking to Philip Zimermann (ZRTP) via phone... And we have talked about a FreeSWITCH hardening project (NO JOKES PLEASE). This is taking FreeSWITCH and security to the MAX. I would like to start this project to make FreeSWITCH more secure in the long run. (not saying that its not secure now). Who would be interested in such a project?<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks,<o:p></o:p></p><div><p class=MsoNormal><span class=apple-style-span><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'>-- </span></span><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'><br><span class=apple-style-span>Brian West </span><br><span class=apple-style-span>FreeSWITCH Solutions, LLC</span><br><span class=apple-style-span>Phone: +1 (918) 420-9266 </span><br><span class=apple-style-span>Fax: +1 (918) 420-9267</span><br><span class=apple-style-span><a href="mailto:brian@freeswitch.org">brian@freeswitch.org</a></span><br><span class=apple-style-span><a href="http://www.freeswitch.org">http://www.freeswitch.org</a></span></span> <o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>