Asterisk security involves properly configuring files like sip.conf and dial plans to prevent extension hopping and restrict access. It is also important to limit the default context, monitor the system, and use secure protocols to protect privacy. Hardening the system through practices like restricting ports and disallowing everything by default improves security.
Understanding and Troubleshooting ASA NAT - Cisco Russia
Presentation from a webinar organized within the Cisco Support Community.
We invite you to other Cisco Support Community events, and to take part in the life of our Cisco technical support community:
http://cs.co/CSCRu
A brief tour of the features of Asterisk 10, Asterisk 11 and Asterisk 12, as well as the features that turn an application regarded as a PBX into a framework for developers of voice applications, and a tool as powerful as it is flexible.
This document provides an introduction to installing and configuring the Asterisk PBX software. It begins with an agenda that covers installing Asterisk, the basics of how Asterisk works, configuring telephony hardware, basic configuration, codecs, system requirements, voicemail, conferencing, administration, and advanced topics. It then discusses downloading and compiling the required components of Asterisk including Zaptel, Libpri, and sounds. Finally, it reviews the basic configuration files needed to set up SIP endpoints and a simple dial plan.
The document compares the Cisco ASA 5505 and Juniper SSG 5 firewall appliances. The Cisco ASA 5505 has better throughput and hardware specifications, but the Juniper SSG 5 supports more VPN tunnels, VLANs, and unified threat management. The Cisco ASA 5505 is about 50% more expensive than the Juniper SSG 5 based on retail prices. Both devices can be managed through a web-based interface and have similar default configurations out of the box.
This document provides an overview and objectives for an E-Learning training course on building a complete PBX with Asterisk. The training will cover understanding and installing Asterisk, building a simple PBX with SIP phones and SIP trunks, configuring features like dialplans, IVRs and voicemail, and integrating applications. By the end of the course, students will have hands-on experience building their own basic Asterisk system. Various chapters include objectives, presentations on topics, and instructions for labs to gain practical experience configuring Asterisk.
This document provides a guide for configuring FlexVPN using IKEv2 on Cisco devices. It includes scenarios for setting up site-to-site VPNs between various Cisco products using IKEv2 and its features. The guide covers topics such as:
- Understanding IKEv2 constructs like proposals, policies, profiles and keyrings
- Configuring a basic site-to-site VPN between two routers using IKEv2 smart defaults
- Setting up a site-to-site VPN with IPv6 routing between two routers
- Various hub-and-spoke topologies using certificate and PSK authentication
Telephony Service Development on Asterisk Platform - Hamid Fadishei
Asterisk is a major role player in the open source telecom world. In this workshop, participants will follow a step-by-step case study towards getting familiar with IVR service development on Asterisk platform using PHP programming language and AGI technology. The case study itself is a simple weather forecasting IVR service.
Asterisk is an open source framework for building communications applications. It can turn an ordinary computer into a communications server, powering IP PBX systems, VoIP gateways, and more. This document provides step-by-step instructions for compiling, installing, and configuring Asterisk on Linux to make a test call between a softphone and the Asterisk server using IAX2 protocol. Sample configuration files are provided and explained to configure modules, extensions, and SIP.
This document provides an overview of using a Huawei 3G dongle with Asterisk to enable voice and SMS capabilities. It discusses the requirements, installation and configuration process, usage examples, and a case study. The key points are:
- A Huawei dongle supported by the chan_dongle Asterisk module can be used to add mobile connectivity for under $30.
- The dongle must be configured and the chan_dongle module installed and configured in Asterisk.
- Calls can be placed and received via the dongle, and SMS messages can be sent and received using Asterisk dialplan applications or the Asterisk CLI.
- A case study describes how
This document discusses Nexus Ansible which is a 1RU device that runs Cisco NX-OS and can be managed using Ansible. It provides resources for learning more about using Ansible with Cisco NX-OS including Cisco DevNet learning labs, GitHub code samples, Ansible documentation, and a list of NXOS network modules for Ansible. Virtual versions of Cisco Nexus 9000 that run NX-OS are also described that can be used on VMware, KVM, or VirtualBox for hands-on learning and development.
Tim McDonough Presentation for Qualcomm Snapdragon 820 - Low Hong Chuan
The Snapdragon 820 processor features several improvements that enhance performance and power efficiency compared to previous Snapdragon processors. It includes the first Snapdragon on a 14nm FinFET process, the new Kryo CPU architecture, upgraded Adreno 530 GPU and Hexagon 680 DSP. These components provide up to 2x higher performance and up to 30% lower power consumption than prior chips. The 820 also debuts Qualcomm's X12 LTE modem for faster connectivity and supports new wireless technologies. It is designed to power advanced mobile experiences with high quality graphics, imaging, audio and intuitive interactions.
D1 t1 t. yunusov k. nesterov - bootkit via sms - qqlan
Having developed a test set, we started to research how safe it is for clients to use the 4G networks of the telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all we looked for vulnerabilities that could be exploited remotely, via IP or the radio network.
And the result was not long in arriving. In some cases we managed to attack SIM cards and install a malicious Java applet there; we were able to remotely update USB modem firmware, to change the password on a self-care portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped us understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box that this modem is connected to.
Here are the basic steps to configure a router to use reflexive ACLs:
1. Create an internal ACL that looks for new outbound sessions and creates temporary reflexive ACEs
2. Create an external ACL that uses the reflexive ACLs to examine return traffic
3. Activate the named ACLs on the appropriate interfaces with the reflexive keyword
This allows the router to dynamically create temporary entries in the external ACL to allow established return traffic and provide true session filtering while preventing spoofing.
This document provides information about Intel's 5th generation Core processors, including:
- Performance improvements over previous generations including faster graphics, longer battery life, and higher efficiency.
- Details on the new Core M processors designed for 2-in-1 devices and ultrabooks with higher performance but lower power draw compared to 4th generation chips.
- Specifications for the new 5th generation Core i7, i5, i3, Pentium, and Celeron U-series low power processors including clock speeds, graphics capabilities, and other technical details.
The document discusses VoIP fraud, providing an overview of the problem, common types of attacks, and mitigation techniques. It notes that VoIP fraud costs telecom companies millions annually. Attacks include SIP scanning, signaling attacks, and exploiting vulnerabilities in phones. Defenses include strong passwords, detecting malformed packets, banning IPs with failures, validating dialogs, and rate limiting. OpenSIPS can help through TLS, signatures, firewall integration and alerting systems to reduce damages from attacks.
Spenser Reinhardt's presentation on Securing Your Nagios Server.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
This document discusses using a USB dongle to integrate SMS and voice capabilities into an Asterisk PBX. It begins with requirements for the dongle and an overview of implementing different SMS and voice features. Steps for installing and configuring the chan_dongle module are provided. Troubleshooting tips and a case study of using 6 dongles to handle over 1500 SMS per day at a company are also included. The document concludes that dongles provide a simple, economic, and scalable solution to integrate mobile capabilities into Asterisk.
The document discusses various IPv6 security issues including vulnerabilities found in the Linux kernel's IPv6 stack, risks of exposing interface identifiers that could contain embedded information, and ways attackers could abuse router advertisements like setting a low hop limit or flooding networks with router advertisements. It also provides examples of analyzing IPv6 addresses and scanning for special interface identifiers.
This document provides configuration notes for using the Intel 82599 10G NIC's SRIOV functionality to assign virtual functions to a virtual machine on an Ubuntu Linux host. It outlines downloading the driver, declaring the number of virtual functions, verifying the modules and virtual functions are present on the host, creating an XML file to attach a virtual function to a VM, and verifying the VM can see the attached NIC.
This document provides an overview of firewall fundamentals and Cisco firewall solutions. It discusses the basics of standard and extended ACLs, stateful packet inspection, and zone-based policy firewalls. The key steps to configure Cisco's zone-based policy firewall using CLI are defined as: 1) create security zones, 2) define traffic classes with class-maps, 3) create policy maps to apply actions, and 4) apply policies to zone pairs and assign interfaces to zones.
02 asterisk - the future of telecommunications - Tran Thanh
Asterisk is an open-source private branch exchange (PBX) system that can be used to build voice over IP (VoIP) networks and systems. It allows users to reproduce standard PBX features and interact with IP-based networks. Asterisk is hardware independent and can run on various operating systems. It provides implementations of basic PBX functionality and integrates with third-party telephony hardware and software.
Introducing JPCERT/CC's activity for securing IPv6 gears [APRICOT 2015] - APNIC
JPCERT/CC conducts an "IPv6 Security Test" to evaluate IPv6 network gear for security vulnerabilities. The test includes 15 cases that are automated using open source tools. Vendors can request the test package and submit results to JPCERT/CC, who will publish a list of secure products. The goal is to work with vendors to produce secure IPv6 implementations and help users identify robust options, with the tests re-evaluated every few years. JPCERT/CC is looking to expand the program internationally with additional participants and feedback.
The document discusses configuring Cisco ASA, an adaptive security appliance that combines firewall, intrusion prevention, and VPN capabilities. It can be used as a security solution for both small and large networks. The document outlines configuring an ASA on GNS3 by setting the interface, IP address, name, and security level. It also provides steps for configuring an ASA using ASDM, such as copying the ASDM image, setting the ASA to load ASDM on reboot, enabling the HTTP server, and launching the ASDM application in a browser.
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald... - PROIDEA
Radio-frequency (RF) remote controllers are widely used in multiple industrial applications like manufacturing, construction and transportation. Cranes, drillers and diggers, among others, are commonly equipped with RF controllers, which have become the weakest link in safety-critical IIoT applications. Our security assessment revealed a lack of important security features at different levels, with vendors using obscure proprietary protocols instead of standards. As a consequence, this technology appeared to be vulnerable to attacks like replay, command injection, e-stop abuse, malicious repairing and reprogramming. Together with ZDI, we ran into a 6-month responsible disclosure process and then released 10 security advisories. In this presentation, we share the findings of our research and make use of demos to discuss the problems in detail. We conclude by providing recommendations for all parties involved in the life-cycle of these devices, from vendors to users and system integrators.
300 101 Dumps - Implementing Cisco IP Routing - Sara Rock
Braindumpskey gives a free demo of Cisco 300-101 exam. 300-101 exam is also known as Implementing Cisco IP Routing. With the complete collection of questions & answers, Braindumpskey has gathered to take you through Cisco 300-101 dumps Answers for your Exam training. In this Cisco package, we have organized actual exam questions with their solutions so that you can prepare and pass the exam in your first try. If you are troubled about your Cisco 300-101 exam & you are not prepared so, now you don't need to take any pressure about it. Now get through us most updated 300-101 braindumps with 100% authentic answers.
Complete File Link:
http://braindumpskey.com/exam/300-101.html
Some people use the cloud. Others build one. This talk will be about building your own enterprise cloud.
When running a cloud, 3 things are important: scaling, easy (cost-effective) maintenance, and stability. These 3 points are very closely related through one subject: automation. Thanks to easy automation tools like PXE boot (for booting a new setup) and Puppet (for configuring a new system), setting up a new server was never this easy. But how can we use these tools to create a scalable infrastructure that is cost-effective, stable and easy to maintain?
In this talk you will learn how to design a scalable, secure architecture and how to make the right tools work for you, without going into too much detail.
Ignite 2015 EU - Technology Breakout Session "Security, Stability and Scalab... - Elemica
This document outlines the business model, security, stability, and scalability of a sales conference in 2015. The business model utilizes Scala, Clojure, JavaScript, Akka, JVM, and other technologies. Security features include multi-factor authentication, encryption of data at rest and in motion. Stability is achieved through a store first approach, queue-based processing, and decoupled connectivity. Scalability is ensured by automatic provisioning of environments, scaling based on utilization, distributing traffic, and alarms to trigger scaling activities.
Fulfillment Breakout – Gary Neights, Elemica: “Demand-Side Order Automation M... - Elemica
This document discusses optimizing transportation and logistics sourcing through strategic tendering. It recommends developing award scenarios upfront, knowing implementation costs, and focusing analyses on areas with the most potential gains. The best decisions balance current status with lowest cost while mitigating risks to quality, timeliness, and supply chain disruption. Historical data can provide insights into disturbances and reliability. Scenario modeling can quantify the financial impacts of objectives and constraints, like reducing carriers in a location. For small parcel shipping, the main players and their strong areas are identified. Rate structures have shifted from zones to more surcharges. Scenarios projecting 24-30% savings are presented based on consolidating carriers by region, country or direction. Reliability and
Presented at the IT-faggruppen interest group of the The Danish Librarian (Workers) Union: http://blog.it-faggruppen.dk in Copenhagen, Denmark on March 15, 2010.
Security in the Cloud - AWS Symposium 2014 - Washington D.C. Amazon Web Services
Stephen Schmidt, AWS CISO and VP of Security Engineering, provides an overview of innovations in cloud security and the importance of security as an enabler for innovation in enterprises, but particularly in government and other highly regulated industries and segments.
ICANN is an organization that coordinates the Internet's unique identifier systems. The document discusses the framework for ensuring the security, stability, and resiliency of these identifier systems. It outlines functional areas like threat awareness, collaboration, analytics, and capability building. Coordination is needed across different stakeholders like domain operators, CERTs, and governments to address challenges like attacks against the DNS that can disrupt users.
Hard Lessons Learned from defending Adobe Creative Cloud on AWS! Insight into implementing a solid Security Architecture based on a mutual conversation between DevOps and SecOps!
Cloud computing is a style of computing where scalable IT capabilities are provided as a service over the Internet. It has various types including public, private, and hybrid clouds. Cloud computing has a layered structure including software, platform, and infrastructure services. Major applications of cloud computing include Amazon EC2 and S3 for infrastructure services, Google App Engine for platform services, and Dropbox for software services. Cloud computing has evolved from early concepts in the 1960s to widespread organizational adoption today.
The document discusses cloud computing, including definitions, history, trends, and applications. It defines cloud computing as providing scalable IT capabilities over the internet. The history section outlines key developments from the 1960s concept of computing as a utility to major companies launching cloud services starting in the late 1990s. Trends discussed include organizations increasingly using private and hybrid clouds, and clouds enabling more customizable and application-based sharing. The applications section provides examples of major public clouds like Amazon Web Services, Google App Engine, and Windows Azure.
Cloud Computing Overview And Predictions May 2009Brent Jackson
Cloud computing is the delivery of computing resources such as software, infrastructure, and platforms over the Internet. There are several types of cloud computing including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Cloud computing provides advantages like lower startup costs, scaling on demand, and less maintenance. However, challenges include security, reliability, and performance issues. Cloud computing is predicted to rapidly grow and become the dominant computing model for all but the largest enterprises.
Perspectives on Cloud COmputing - GoogleACMBangalore
The document discusses the evolution of computing from mainframes to personal computers to cloud computing. It argues that cloud computing will become more accessible by making clients (browsers, smartphones) more powerful and ensuring ubiquitous connectivity. The cloud's openness, accessibility and low costs have the potential to democratize information and tools for developing large-scale applications in India.
The document provides an overview and comparison of three major IT governance frameworks: ITIL, COBIT, and ISO 27001. ITIL focuses on IT service management and was originally developed by the UK government. COBIT is aimed at regulatory compliance and risk management. ISO 27001 contains information security standards and guidelines. Each framework takes a different approach, with ITIL emphasizing processes, COBIT control objectives, and ISO 27001 information security practices. Implementing the frameworks requires consideration of factors like organizational needs, budgets, and vendor expertise.
(SEC402) Intrusion Detection in the Cloud | AWS re:Invent 2014Amazon Web Services
If your business runs entirely on AWS, your AWS account is one of your most critical assets. Just as you might run an intrusion detection system in your on-premises network, you should monitor activity in your AWS account to detect abnormal behavior. This session walks you through leveraging unique capabilities in AWS that you can use to detect and respond to changes in your environment.
The document outlines a two-phased approach to implementing an ISO27001-compliant Information Security Management System (ISMS). Phase 1 involves scoping, designing and building the ISMS framework. Phase 2 implements, operates, monitors and improves the ISMS over four work streams and concludes with the ISMS becoming business as usual. The role at each phase involves various tasks like project management, facilitating, training and providing subject matter expertise to establish and continuously improve the ISMS.
What Everyone Ought To Know About Cloud Securitycraigbalding
The document discusses cloud security and decomposes cloud computing into objectives, models, and deployment types. It outlines key security controls for the cloud, including controls for abstraction of resources, elastic scaling, APIs, and the public/private/virtual private cloud deployment models. Concerns are raised about hypervisor security, cloud platform maturity, identity/federation, API security, billing changes, terms of service, and lack of visibility within public clouds. Short term recommendations include implementing detection of public cloud use, getting involved in business/IT cloud plans, and tracking cloud security standards and research.
The document discusses money transfer options on the Paytm application. It describes two types of transfers: peer-to-peer (P2P) transfers between individuals via scanning a QR code or sending to a mobile number, and peer-to-bank (P2B) transfers where a user can send money directly to a bank account. It also provides instructions for printing one's own QR code and making P2P transfers by either scanning a code or sending to a mobile number.
This document discusses securing an Asterisk PBX system. It covers configuring Asterisk for stability and performance, monitoring the Asterisk server, and hardening Asterisk security. Specific topics include optimizing the Asterisk configuration files to prevent extension hopping and restrict user access, using firewalls and NAT, running Asterisk as a non-root user, and monitoring the system with Nagios. The document provides recommendations for ensuring hardware reliability, updating for stability, and protecting the system from unauthorized access or denial of service attacks.
This document discusses securing an Asterisk PBX system. It covers configuring Asterisk for stability and performance, monitoring the Asterisk server, and hardening Asterisk security. Specific topics include optimizing the Asterisk configuration files to prevent extension hopping and restrict user access, setting up server monitoring with Nagios, securing the Asterisk processes as a non-root user, and using firewalls, chroot jails and Linux hardening to restrict access. Proper configuration of hardware, software updates and failover systems are also recommended for ensuring Asterisk reliability and uptime.
ADITECH CUSTOMER MEET-2015 was held at Hotel RAMADA, Millennium Business Park, Navi Mumbai. This event was sponsored by Intel and Innodisk Taiwan, Event was attended by 39 System Integrator partners from Mumbai, Pune, Delhi, Surat and Banglore. Intel has presented the IOT opportunities for SME. Innodisk has enlightened SI partners on latest technologies used in Industrial grade SSD. Aditech has demonstrated Industrial grade solutions and transportation solutions. Aditech's presentation was on Industrial grade Panel PC's and industrial communication. The event is ended with lucky draw and group photograph followed by networking dinner and ADITECH office visit
RTOS application verified by VeriFast, and future planKiwamu Okabe
The document discusses VeriFast, a verification tool for C and Java programs. It provides examples of how VeriFast has been used to verify real-time operating system (RTOS) applications and find bugs in the Linux kernel by analyzing programs annotated with preconditions and postconditions. Details are given on how to use VeriFast by writing assertions as comments in code and how it can statically verify programs using a style of "static design by contract". An RTOS called ChibiOS/RT is described and an example is shown of verifying state using VeriFast on an application running on this RTOS on a STM32 microcontroller board.
PNETLab is a network emulation tool that allows users to design virtual network topologies and labs. It supports over 1024 nodes and various Cisco devices. Features include topology design, multi-user access, port forwarding between virtual and real networks, and integration with Dynamips, IOL and Qemu images. Recommended system requirements and supported device types, images and applications are also documented.
Want to save bandwidth in you Asterisk-based VoIP solution? Silence suppression is coming to Asterisk and you can help test it. This presentation tells you more about the Roibos project.
DEFCON 23 - Ian Latter - remote access the aptFelipe Prado
The document discusses a proof of concept for using a computer screen to extract and transmit data through encoding it in quick response (QR) codes displayed on the screen. It proposes a transport protocol called TGXf that could transmit binary data in a one-way flow between devices by encoding it using QR codes with error correction and embedding transport control frames and counters. The concept is presented as a potential security risk for unauthorized data extraction from remote access or offshore partners.
This document provides an introduction to installing and configuring the Asterisk PBX software. It begins with an agenda that covers installing Asterisk, the basics of how Asterisk works, configuring telephony hardware, basic configuration files like sip.conf and extensions.conf, and advanced topics like voicemail, conferencing and scaling. It then discusses downloading and compiling the required components like Zaptel and Libpri as well as configuring SIP endpoints. The document provides an overview of Asterisk's architecture and components and how to structure dial plans using contexts, extensions, applications and variables.
This document provides an introduction to installing and configuring the Asterisk PBX software. It outlines the agenda which includes installing Asterisk, an overview of Asterisk, configuring telephony hardware, basic configuration, codecs, system requirements, voicemail, conferencing, administration, and advanced topics. It then discusses downloading and compiling the required components, including Asterisk, Zaptel, and Libpri. Finally, it covers basic Asterisk configuration files locations, architecture, and setting up a simple system with SIP endpoints and a SIP gateway.
This document provides an introduction to installing and configuring the Asterisk PBX software. It begins with an agenda that covers installing Asterisk, the basics of how Asterisk works, configuring telephony hardware, basic configuration files like sip.conf and extensions.conf, and advanced topics like voicemail, conferencing and scaling. It then discusses downloading and compiling the required components like Zaptel and Libpri as well as configuring SIP endpoints. The document provides an overview of Asterisk's architecture and components and how to structure dial plans using contexts, extensions, applications and variables.
Radio-frequency (RF) remote controllers are widely used in multiple industrial applications like manufacturing, construction and transportation. Cranes, drillers and diggers, among others, are commonly equipped with RF controllers, which have become the weakest link in safety-critical IIoT applications.
Our security assessment revealed a lack of important security features at different levels, with vendors using obscure proprietary protocols instead of standards. As a consequence, this technology appeared to be vulnerable to attacks like replay, command injection, e-stop abuse, malicious repairing and reprogramming. Together with ZDI, we ran into a 6-months responsible disclosure process and then released 10 security advisories.
In this presentation, we share the findings of our research and make use of demos to discuss the problems in detail. We conclude providing recommendations for all parties involved in the life-cycle of these devices, from vendors to users and system integrators.
Asterisk is open-source software that allows the creation of voice over IP (VoIP) systems. It supports protocols like SIP and H.323 and can integrate with hardware from companies like Digium to connect to traditional phone networks. Asterisk has a modular design that allows it to be used in various configurations, from a full PBX to smaller applications like conferencing bridges. It has a large community for support and runs on Linux and other operating systems.
The Cisco C881-K9 router is a 1RU fanless router designed for small businesses and branch offices. It has 4 Ethernet ports, 1 WAN port, 1 console port, 2 integrated PoE ports, and 1 USB port. The C881-K9 provides security features like a firewall, intrusion prevention, and content filtering without additional licenses. It has a maximum performance of 15 Mbps and supports up to 256/768 MB of RAM and 128 MB of flash memory.
Cisco 1900 routers are designed for small branch networks and can evolve to support cloud-based services. They replaced the Cisco 1800 series and are now the most popular Cisco router. The Cisco 1900 series includes 1RU and 2RU models with up to 2 gigabit Ethernet WAN ports, an integrated service module slot, 11 LAN switch ports, hardware acceleration for encryption, an integrated wireless access point, and security features like intrusion prevention and content filtering.
The document discusses testing methodologies for Asterisk IP PBX systems. It describes using the Spirent Abacus 5000 system to generate SIP calls and measure the call setup rate and maximum concurrent calls the Asterisk system can handle. Two main tests are outlined: 1) measuring the call setup rate by varying the number of concurrent calls and 2) determining the maximum number of concurrent calls before call completion rates drop below 99.9%. The results of tests on various Asterisk configurations are presented. The conclusion emphasizes the importance of testing, optimization, and certifying performance for enterprise-grade Asterisk deployments.
This document discusses Wireshark, Asterisk, and configuring VoIP with these tools. It introduces Asterisk as software that allows creating a PBX, IVR, or other communication applications. Wireshark is presented as an open-source network packet analyzer. The document then covers configuring Asterisk call flows, references for Asterisk, and installing Asterisk, DAHDI, and Zoiper on Ubuntu to enable VoIP calling using SIP and G.711 codecs.
The document provides an overview of the Cisco ASR 9000 router platform, including:
- It uses 6 and 10 slot chassis that can accommodate various line cards up to 400 Gbps and is designed to scale to higher speeds.
- Key components include the Route Switch Processor (RSP) for control plane functions, multiple line cards, and a high performance switch fabric.
- The switch fabric provides redundant data planes and control planes to ensure high availability. It uses arbitration to allocate bandwidth and support multicast traffic replication.
- The line cards come in various configurations up to 80 Gbps and support different port densities and speeds. Future cards will enable 400 Gbps capabilities.
Intel Atom Processor Pre-Silicon Verification ExperienceDVClub
This document discusses the verification methodology and results for the Intel Atom processor. It describes the challenges of verifying a new microarchitecture with power management features on an aggressive schedule. The methodology involved cluster-level validation with functional coverage, architectural validation using an instruction set generator, and power management validation. Verification metrics like coverage and bug rates were tracked. The results included booting Windows and Linux 10 hours after receiving silicon, with few functional bugs found post-silicon that weren't corner cases. Debug and survivability features helped reduce escapes.
Using techniques like ARP spoofing and NAT, it is possible to acquire an IP address and internet access on a network without a DHCP server. By intercepting traffic between an existing node and gateway, one can insert themselves as the "man in the middle" and route traffic through a NAT configuration using the hijacked node's IP address. This allows acquiring internet access without a free IP address by multiplexing sessions through the NAT. Scanrand port scanning observations can also reveal network topology details like firewall locations through analysis of TTL values.
Similar to Asterisk security with kingasterisk (20)
Asterisk security with kingasterisk
1. Asterisk Stability & Security with kingasterisk
Protect your investment
www.kingasterisk.com
Skype: kingasterisk
2. Introduction
What if the server goes down?
What if someone hacks into your 8 E1 Asterisk server and makes calls to Inmarsat?
Inmarsat: 5 euro / min.
In 24 hours, on 8 E1s: 1728000 euro
10. Asterisk Stability – Hardware Reliability
What is the cost of having no PBX service for your company?
What if you are an ISP and your customers can’t dial out?
13. Asterisk Stability – Hardware Reliability
What if you experience:
- power outage?
- a broken HD?
- a broken Zaptel card?
- a broken server?
- no Internet connectivity?
14. Asterisk Stability – Hardware Reliability
Power outage:
Traditional phones are self powered.
Solution: use a UPS to power the (PoE) phones, the switches, PBX, modem, router, …
If you have a low power PBX, the phone system could run for hours on a small UPS.
Don’t use Ethernet over power for mission critical phone lines.
15. Asterisk Stability – Hardware Reliability
A broken HD?
Use RAID > 0
SCSI has a longer mean time to failure.
Flashdisks, realtime, netboot, live CDs.
17. Asterisk Stability – Hardware Reliability
A broken Zaptel card or a broken server?
Make sure you have a replacement (maybe even hot standby) with all the modules you need, jumpers already set, …
18. Asterisk Stability – Hardware Reliability
No Internet connectivity?
Spare router / modem / switch?
Failover Internet connection?
Failover to / from PSTN?
20. Asterisk Stability / Quality Updates
Software related since Astricon ‘04
Real CVS-stable / CVS-head (Thanks Russell!)
Major cleanups / code audits.
New h323 channel coming (chan_ooh323)
Packet Loss Concealment
IAX2 / SIP jitter buffer (mantis 3854)
A lot of libpri, chan_sip, chan_h323 changes for better compatibility / stability.
DUNDi (easier load balancing with round robin DNS)
OSP
Kernel 2.6.11.x
21. Changes in hardware reliability
New Zaptel hardware (te411p, te4xxp, TDM, IAXy2, …).
New drivers with a lot of bug fixes and optimizations.
End of life for x100p and Tormenta cards.
Hardware echo cancellers -> lower CPU load -> more calls it can handle before Asterisk turns unstable.
22. * reliability / stability recommendations
Use decent but not exotic hardware
Put Zaptel on a different PCI bus than NICs and video cards.
Read tutorials on interrupts, APIC and other common problems.
Load test your setup
Design a failover system
Noload unused modules
Use recent firmware for Zaptel cards
23. * reliability / stability recommendations
Use a stable Asterisk version.
Take a common OS -> Linux.
Test software upgrades in a test lab.
Stay away from experimental Asterisk modules -> h323, skinny.
Don’t patch production Asterisk servers.
Keep your old Asterisk binaries after an upgrade for easy restore of known working versions.
29. Dial plan security
- Extension hopping
- CallerID based protections
- _.
- Demo context
- User access to the dial plan
- Be careful with the default context
- Limit simultaneous calls
30. Extension hopping
User can reach ANY extension in the current context:
[internal]
exten => intro,1,Background(question);
exten => 1,spanish,Goto(Spanish)
exten => 2,english,Goto(English)
exten => _XX.,1,Dial(ZAP/g1/${EXTEN});
31. CallerID based protection
exten => _X.,1,GotoIf($["${CALLERIDNUM}" = "32134"]?3)
exten => _X.,2,Hangup()
exten => _X.,3,Dial(${EXTEN})
When not explicitly defined for each user/channel in zapata.conf, sip.conf, iax.conf, the user can choose his own CallerID!
32. Inappropriate use of _.
_. would match EVERYTHING!
(also fax, hang up, invalid, timeout, …)
Example:
exten => _.,1,Playback(blah);
exten => _.,2,Hangup;
Causing a FAST LOOP.
(changed in CVS-head)
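Added example (not from the original slides): a small Python model of extensions.conf pattern matching, covering both the _XX. pattern from slide 30 and the _. catch-all above. The contexts and the dialed number are constructed; h, t, i and fax stand for the hang up, timeout, invalid and fax cases the slide lists.

```python
import re

# Pattern classes in extensions.conf: X = 0-9, Z = 1-9, N = 2-9.
CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}

def exten_to_regex(exten):
    """Compile an extension name into an anchored regex.

    Names without a leading "_" are literals. Inside a pattern, "." matches
    one or more characters of any kind and "!" matches zero or more.
    """
    if not exten.startswith("_"):
        return re.compile(re.escape(exten) + r"\Z")
    body, out, i = exten[1:], [], 0
    while i < len(body):
        ch = body[i]
        if ch.upper() in CLASSES:
            out.append(CLASSES[ch.upper()])
        elif ch == "[":
            end = body.index("]", i)
            out.append("[" + re.escape(body[i + 1:end]).replace(r"\-", "-") + "]")
            i = end
        elif ch in ".!":
            out.append(".+" if ch == "." else ".*")
            break
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z", re.DOTALL)

def accepting_extens(context, dialed):
    """Return the extension names in `context` that accept `dialed`."""
    return [e for e in context if exten_to_regex(e).match(dialed)]

# Constructed contexts modelled on the slides.
IVR_CONTEXT = ["intro", "1", "2", "_XX."]   # slide 30: menu plus outbound pattern
SPECIAL = ["h", "t", "i", "fax"]            # hang up, timeout, invalid, fax

def audit():
    # A caller sitting in the IVR menu dials a full number instead of 1 or 2.
    hop = accepting_extens(IVR_CONTEXT, "0015550100")
    # Which special extensions does each catch-all swallow?
    by_dot = [s for s in SPECIAL if accepting_extens(["_."], s)]
    by_x_dot = [s for s in SPECIAL if accepting_extens(["_X."], s)]
    return hop, by_dot, by_x_dot

if __name__ == "__main__":
    print(audit())
```

Keeping menu options and outbound patterns in separate contexts, and writing _X. instead of _., removes both matches reported here.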
33. demo context
Not a real security risk
But… Someone might play with your system and use up your bandwidth, make prank calls to Digium, make Mark Spencer very unhappy and cause him to introduce you to a very big shotgun…
34.
35. User access to the dialplan
- AMP and other GUIs might allow the ISP’s user to change a dial plan in his own context. E.g.: hosted PBXs
- Goto / GotoIf / dial(Local/…) -> context hopping.
- System -> could do anything
36. Default context
Example:
[default]
include => outgoing
include => internal
OH OH OH, guest calls will go to the default context!!!!!
37. Context usage:
A call has two legs; the context used is the one defined for that user/channel in the config file for that protocol.
E.g.:
- Zap to SIP call: context set in zapata.conf is used
- SIP to IAX2 call: context in sip.conf is used
38. Context usage:
In sip.conf, zapata.conf, iax2.conf…
A default context is defined; if there is no specific context setting for this channel or user, then the default context is used!
39. Limit simultaneous calls
Sometimes you don’t want a user to make multiple simultaneous calls.
E.g.: prepay / calling cards
Solution: setgroup, checkgroup (don’t trust incominglimit.)
exten => s,1,SetGroup(${CALLERIDNUM})
exten => s,2,CheckGroup(1)
Only good if the CallerID cannot be spoofed !!!!
Consider using accountcode for this.
40. Sip.conf
Default context
Bindport, bindhost, bindip
[username] vs username=
Permit, deny, mask
Insecure=yes, very, no
User vs peer vs friend
Allowguest
Autocreatepeer
Pedantic
Ospauth
Realm
Md5secret
User authentication logic
Username= vs [username]
41. Bindport, bindhost, bindip
If you only use sip for internal calls, don’t put bindip=0.0.0.0 but limit it to the internal IP.
Changing the bindport to a non 5060 port might save you from portscan sweeps for this port.
42. Permit, deny, mask
Disallow everything, then allow per user the allowed hosts or ranges.
(Multiple are allowed.)
43. SIP.conf – insecure option
Insecure = …
No: the default, always ask for authentication
Yes: To match a peer based by IP address only and not peer.
Insecure=very ; allows registered hosts to call without re-authenticating, by ip address
Insecure=port ; we don’t care if the portnumber is different than when they registered
Insecure=invite ; every invite is accepted.
44. User vs Peer vs Friend in SIP
USER: never registers, only makes calls
PEER: can register + can make calls.
[user1]
type=user
[user1]
type=peer
Is allowed and the same as type=friend if the other parameters are identical!!!
45. Allowguest=…
True: unauthenticated users will arrive in the default context as defined in sip.conf
False: unauthenticated users will get a permission denied error message.
OSP: to allow guest access for voip traffic coming from an OSP server.
47. Pedantic
Defaults to pedantic=no
If enabled, this might allow a denial of service by sending a lot of invites, causing a lot of (slow) DNS lookups.
48. Realm
Realm=Asterisk ; Realm for digest authentication
; Defaults to "Asterisk"
; Realms MUST be globally unique according to RFC 3261
; Set this to your host name or domain name
49. How is authentication done?
chan_sip.c: /* Whoever came up with the authentication section of SIP can suck my %*!#$ for not putting an example in the spec of just what it is you're doing a hash on. */
50. How is authentication done?
Look at FROM header in SIP message for the username:
-> browse sip.conf for a type=user with that username
If found -> check the md5
If not found,
-> browse sip.conf for a type=peer with that username
-> browse sip.conf for an (registered) IP where the request is coming from
if insecure=very, no more checks are done
if insecure=port, if they are willing to authenticate, even if they are calling from a different port than they registered with. (used for NAT not using the same port number every time).
otherwise, check the md5 + allow/deny.
If no peer found ? do we allow guest access (allowguest=true ?)
Yes? OK, allow send it to the default context, if not reject.
51. Secret vs md5secret
With SIP all passwords are md5 encrypted when sending the packets, but are stored in plaintext in sip.conf
[user]
Secret=blabla
52. Secret vs md5secret
echo -n "<user>:<realm>:<secret>" | md5sum
E.g.:
echo -n "user:asterisk:blabla" | md5sum
e1b588233e4bc8645cc0da24d8cb848d
[user]
md5secret=e1b588233e4bc8645cc0da24d8cb848d
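Added example (not from the original slides): what the md5secret value produced by the md5sum command above is used for, following the digest scheme of RFC 2617 without qop. The nonce, the URI and the changed realm are constructed values; the second check shows that a stored md5secret stops verifying once the realm from slide 48 is changed without regenerating it.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def md5secret(user, realm, secret):
    """Value for md5secret=: MD5 of "user:realm:secret" (HA1 in RFC 2617)."""
    return md5_hex(f"{user}:{realm}:{secret}")

def digest_response(ha1, method, uri, nonce):
    """Digest response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def server_verify(stored_md5secret, method, uri, nonce, response):
    """Check a client's response using only the stored hash, never the plaintext."""
    expected = digest_response(stored_md5secret, method, uri, nonce)
    return hmac.compare_digest(expected, response)

# Constructed challenge values for the demonstration.
NONCE = "4f1c2a9b"
URI = "sip:pbx.example.com"

def demo():
    # What the administrator put in sip.conf (user, realm, secret from the slide).
    stored = md5secret("user", "asterisk", "blabla")

    # The phone knows the plaintext and is challenged with the same realm.
    phone = digest_response(md5secret("user", "asterisk", "blabla"),
                            "REGISTER", URI, NONCE)
    ok = server_verify(stored, "REGISTER", URI, NONCE, phone)

    # realm= is later changed; the phone now hashes with the new realm,
    # but the md5secret in sip.conf was computed with the old one.
    phone_new_realm = digest_response(
        md5secret("user", "pbx.example.com", "blabla"), "REGISTER", URI, NONCE)
    ok_after_realm_change = server_verify(stored, "REGISTER", URI, NONCE,
                                          phone_new_realm)
    return stored, ok, ok_after_realm_change

if __name__ == "__main__":
    print(demo())
```

Because the server only needs the stored hash to check a response, sip.conf deserves the same file permissions with md5secret= as with secret=.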
53. Username= vs [username]
[username] is for authenticating a client connecting to asterisk.
Username=… is to have your asterisk server authenticate to another SIP server.
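Added example (not from the original slides): a small Python check of a sip.conf for the settings slides 40 to 52 warn about. The sample file, the finding labels and the choice to treat a missing allowguest as enabled are assumptions of this example.

```python
# Constructed sample configuration, not taken from the slides.
SAMPLE_SIP_CONF = """\
[general]
context=default
bindip=0.0.0.0          ; listens on every interface
allowguest=yes

[alice]
type=friend
secret=blabla
insecure=very

[bob]
type=friend
md5secret=00000000000000000000000000000000
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""

def parse(text):
    """Parse sip.conf text into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ";" starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def audit(text):
    """Return (section, finding) pairs for settings the slides warn about."""
    findings = []
    for name, items in parse(text).items():
        opts = dict(items)                       # last value wins for these keys
        if name == "general":
            if opts.get("bindip") == "0.0.0.0":
                findings.append((name, "bindip-any"))
            # Assumption: an absent allowguest is treated as enabled.
            if opts.get("allowguest", "yes").lower() in ("yes", "true"):
                findings.append((name, "guest-to-" + opts.get("context", "default")))
            continue
        if opts.get("insecure", "no").lower() in ("yes", "very", "invite"):
            findings.append((name, "insecure=" + opts["insecure"]))
        if "secret" in opts:
            findings.append((name, "plaintext-secret"))
        if "deny" not in opts or "permit" not in opts:
            findings.append((name, "no-acl"))
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SIP_CONF):
        print(f"[{section}] {finding}")
```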
54. Iax.conf
auth=plaintext,md5,rsa
User authentication logic
Default context
[username] vs username=
Permit, deny, mask
Bindport, bindhost, bindip
User vs peer vs friend
55. iax.conf - auth
Plaintext: passes are sent in plaintext
Md5: encrypt the password with md5
RSA: use public key / private key – uses AES.
56. User vs Peer vs friend
USER: can only accept calls
PEER: can only make calls
FRIEND: can do both
[user1]
type=user
[user1]
type=peer
Is allowed!!!
57. How is authentication done?
In iax2: (cvs-head!!)
Pseudocode:
Is username supplied ?
-> yes -> matched against iax.conf users starting bottom to top.
   user found ?
   -> yes : is IP in allowed / disallowed list ?
      yes -> does password match ?
      yes -> does requested context match a context=… line?
-> no -> is a password given ?
   -> yes : Asterisk will look bottom to top for a user with this password,
      -> if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny) then the call is accepted.
   -> no: Asterisk will look bottom to top for a user without password.
      -> if the context matches, or there is no context specified, and the host is in the allowed lists (allow / deny) then the call is accepted.
58.
59. Add a last entry in iax.conf with no password to force nosecret access into a specific context.
If you use realtime, don’t have any user without a password and without permit/deny.
61. Manager.conf
No encryption is used, even the password is sent in plaintext.
Don’t enable it on a public IP.
Use http://www.stunnel.org/
Watch out with management programs with direct interface to the manager.
Limit the privileges per user (especially the system!!!).
65. Asterisk has no write permissions for its config files and is running as non root ?
In the unlikely event of someone breaking in through Asterisk, your dial plan is still vulnerable through the CLI or the manager.
Asterisk with limited read / write permissions
66. Asterisk in chroot
Changes the root directory visible to asterisk to e.g. /foo/bar
Pretty useless if asterisk is running as root and perl or gcc is available.
67. Asterisk in a jail
Changes the root directory visible to Asterisk.
Limits the commands / programs any user in this jail can execute to a list you specify.
Expansion of chroot.
68. Zaptel kernel modules
Zaptel is module only, cannot be put into the kernel.
Hackers like to hide in a module, they can backdoor a module, compile it, load it in memory and remove all traces on the disk.
You could have the kernel check an md5 for the Zaptel modules.
I think Matt Frederickson compiled them in the kernel before.
69. Firewalling / shaping / NAT
Block everything except the ports you really want. (5060, 4569, …)
RTP ports are a big pita (see rtp.conf)
Sidenote: you might want to check your ISP is not blocking anything in the range defined in RTP.conf
70. Limit access to tty9
safe_asterisk opens a console on tty9.
This does not require a password and will provide a root shell to anyone passing by (by using !command on the CLI).
Remove the offending line, or don’t use safe_asterisk
71. Linux Hardening
GRsec (2.6.x)
Openwall (2.4.x)
Remove all unneeded things.
72. Remote logging
Remote syslog
Put Asterisk log files (and other log files) on a remote server.
73. Tripwire
Make hashes of all the important files on the server and check them for changes you didn’t do.
74. Limit server processes
An Asterisk server should be only:
- OS + ASTERISK.
- No database
- No APACHE
- No PHP
(If you really need those, and don’t have enough servers, don’t put them on a public IP and firewall them!!!!)
77. Call Encryption - SIP
SRTP -> method to encrypt voice packets.
TLS -> method to encrypt signaling packets.
Both are not yet supported by asterisk.
Bounty on voip-info.org.
78. Call Encryption – IAX2
30/12/2004 2:07
Modified Files: chan_iax2.c iax2-parser.c iax2-parser.h iax2.h
Log Message: Minor IAX2 fixes, add incomplete-but-very-basically-functional IAX2 encryption.
It would support any type of encryption you like. -> Doesn’t work yet.
79. Call Encryption – General solution
Send your packets through a VPN or tunnel.
Use only UDP tunnels to avoid delays.
Known to work:
IPSEC, VTUN, OPENVPN.
80. Call Encryption – Tunnel solution
Advantage: CPU-expensive encryption can happen on a dedicated machine.
Disadvantage: doesn’t work on hardphones or ATAs without adding an extra server in front of them.