[Freeswitch-users] FreeSWITCH Security Hardening Project

Michael Giagnocavo mgg at giagnocavo.net
Sat Feb 18 18:27:36 MSK 2012


After seeing how easy toll fraud is on Asterisk, it's certainly something I want to investigate with FreeSWITCH. We put proxies in front just to add an extra layer of checking because FS is so big (or, Sofia is so complete) we aren't always sure what it'll do in every case (SIP is a huge mess of a spec, and following it exactly definitely means toll fraud).

I think a lot of security can be quickly added by having clear documentation showing how to configure FS for common scenarios, like a VoIP provider. (Disabling 302s, refers, forcing NAT handling on for SIP in all cases, etc.)

Another issue I know is just waiting for an exploit is the argument passing style. Every application is forced to come up with its own syntax for cramming arguments and options together, each with its own (not formally documented) escaping rules. That's just ripe for someone exploiting bugs in other code. (I've seen a real-world, production system rooted precisely from this style of bug.)

Or do you mean lower level things like C-style bugs? Stuff that doesn't exist in typesafe memory-verified languages? ;)

-Michael

From: freeswitch-users-bounces at lists.freeswitch.org [mailto:freeswitch-users-bounces at lists.freeswitch.org] On Behalf Of Brian West
Sent: Friday, February 17, 2012 8:45 PM
To: FreeSWITCH Users Help
Subject: [Freeswitch-users] FreeSWITCH Security Hardening Project

While sitting here in the hospital I have been talking to Philip Zimmermann (ZRTP) via phone... And we have talked about a FreeSWITCH hardening project (NO JOKES PLEASE). This is taking FreeSWITCH and security to the MAX. I would like to start this project to make FreeSWITCH more secure in the long run (not saying that it's not secure now). Who would be interested in such a project?

Thanks,
--
Brian West
FreeSWITCH Solutions, LLC
Phone: +1 (918) 420-9266
Fax:   +1 (918) 420-9267
brian at freeswitch.org
http://www.freeswitch.org
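
The argument-passing concern raised in the reply above, as an added illustration that is not part of the original e-mails and is not FreeSWITCH code: the comma-separated `dest,option=value` syntax, the function names and the sample caller name are all hypothetical. It shows how a caller-supplied value containing the delimiter changes what an ad-hoc parser sees, and how an allowlist plus a round-trip check on the built string stops it.

```python
import re

# Hypothetical argument syntax (assumption for illustration only):
#   "<destination>,<option>=<value>,<option>=<value>"

def parse_args(data):
    """Ad-hoc parser: split on commas; first field is the destination."""
    dest, *opts = data.split(",")
    return dest, dict(o.split("=", 1) for o in opts if "=" in o)

def build_naive(dest, caller_name):
    """Concatenates caller-controlled text into the argument string as-is."""
    return f"{dest},timeout=30,cid_name={caller_name}"

# Allowlist that excludes the parser's delimiters "," and "=".
SAFE_VALUE = re.compile(r"[A-Za-z0-9 ._+-]{1,64}")

def build_checked(dest, caller_name):
    """Rejects values outside the allowlist, then verifies the round trip."""
    for value in (dest, caller_name):
        if not SAFE_VALUE.fullmatch(value):
            raise ValueError(f"rejected argument value: {value!r}")
    data = f"{dest},timeout=30,cid_name={caller_name}"
    expected = (dest, {"timeout": "30", "cid_name": caller_name})
    if parse_args(data) != expected:
        raise ValueError("argument string does not parse back to intent")
    return data

def demo():
    # Constructed sample: a display name carrying the delimiter.
    hostile = "Alice,timeout=9999"
    naive = parse_args(build_naive("1000", hostile))
    try:
        build_checked("1000", hostile)
        checked = "accepted"
    except ValueError:
        checked = "rejected"
    return naive, checked

if __name__ == "__main__":
    print(demo())
```
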
