On Mon, Jun 13, 2016 at 10:29 PM, Andrew McGlashan wrote:

> Setting up Asterisk or FreePBX or anything similar is not something that
> should be done lightly.  VoIP providers lose an awful lot of money if
> there are any loopholes in their setup; perhaps even just a weak
> password.  So, it is a serious risk situation, potentially; especially
> when there are continual software updates to fix vulnerabilities in all
> kinds of software.
>
> I'm not saying don't do it, but I am saying that you have to understand
> the risks and perhaps you would be better off not doing it.

Hi Andrew,

can you elaborate a bit about Asterisk/FreePBX security issues?

My general observation about proprietary PABXes I found so far:

- they get serviced by contractors

- passwords never get changed (mainly to make access "easier", and/or because the different built-in accounts and roles are not understood, so all management is done with the most powerful account)

- patching only happens when a feature cannot be used with the old version (e.g. a reporting or configuration tool requires a more recent version).
In fact I have never experienced a continuously serviced and upgraded PABX in my work experience.

So, as long as you follow the same bad practice, the main difference seems to be that your manager blames you instead of the servicing company;-)

Advantages of using Asterisk or similar:

- You can have two of them to test configuration changes, patching etc.

- You can snapshot them

- You get regular updates as all other systems in a setup that is using the same OS/distribution

- You may have a better understanding of the security risk because you are aware of it, know a bit about least-privilege access etc.

IMHO the risk is more on the management side: managers without technical understanding do not care about what happens behind the scenes, so capable staff are not able to establish best practice and critical maintenance does not happen.

Regards
Peter
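The "weak password" and "most powerful account" points above are the kind of thing that can be checked mechanically on an Asterisk box. The following is an added example, not code from the thread or from the Asterisk project: a small audit of a chan_sip `sip.conf` that flags peers whose `secret` is weak (empty, a common password, all digits, equal to the extension name, or shorter than an assumed 12 characters), `host=dynamic` peers with no `permit`/`deny` ACL, `insecure=invite` entries, and `allowguest`/`alwaysauthreject` in `[general]`. The sample configuration, the weak-password list and the length threshold are constructed for illustration; pjsip.conf uses a different layout and is not covered.

```python
"""Audit an Asterisk chan_sip configuration (sip.conf) for weak secrets and
loose authentication settings.  Added example, not Asterisk project code.
"""
import re

# Constructed sample config; names and secrets are made up for the example.
SAMPLE_SIP_CONF = """\
[general]
context=default
allowguest=yes            ; unauthenticated callers land in 'default'
alwaysauthreject=no

[1001]
type=friend
secret=1001               ; extension used as password
host=dynamic
context=internal

[1002]
type=friend
secret=Xq7!vR2p9LwzKd
host=dynamic
context=internal
permit=192.168.10.0/255.255.255.0
deny=0.0.0.0/0.0.0.0

[trunk-provider]
type=peer
secret=password
host=sip.example.net
insecure=port,invite
context=from-trunk
"""

# Assumed thresholds for this example, not Asterisk defaults.
WEAK_SECRETS = {"password", "secret", "asterisk", "admin", "1234", "12345", "123456"}
MIN_SECRET_LEN = 12


def parse_sip_conf(text):
    """Parse sip.conf into {section: [(key, value), ...]}.

    Duplicate keys are kept because permit/deny/allow may repeat.
    Comments start with ';'; 'key => value' is accepted as well as 'key=value'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections


def is_weak_secret(name, secret):
    """True if the secret is empty, on the common list, all digits,
    equal to the peer name, or shorter than MIN_SECRET_LEN."""
    s = secret.lower()
    return (not secret or s in WEAK_SECRETS or s == name.lower()
            or secret.isdigit() or len(secret) < MIN_SECRET_LEN)


def audit_sip_conf(text):
    """Return a list of (section, finding) tuples for risky settings."""
    findings = []
    sections = parse_sip_conf(text)
    general = dict(sections.get("general", []))
    if general.get("allowguest", "no").lower() == "yes":
        findings.append(("general", "allowguest=yes admits unauthenticated callers"))
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.append(("general", "alwaysauthreject not explicitly 'yes' (default varies by version); peer names may be enumerable"))
    for name, entries in sections.items():
        if name == "general":
            continue
        opts = dict(entries)          # last value wins for single-valued keys
        keys = {k for k, _ in entries}
        if opts.get("type", "").lower() not in ("friend", "peer", "user"):
            continue
        if is_weak_secret(name, opts.get("secret", "")):
            findings.append((name, "weak or missing secret"))
        if opts.get("host", "").lower() == "dynamic" and not ({"permit", "deny"} & keys):
            findings.append((name, "host=dynamic without permit/deny ACL"))
        if "invite" in opts.get("insecure", "").lower():
            findings.append((name, "insecure=invite skips INVITE authentication; confirm it is intentional"))
    return findings


if __name__ == "__main__":
    for section, msg in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{section}] {msg}")
```

Run it against a real file with `audit_sip_conf(open("/etc/asterisk/sip.conf").read())`; the trunk finding is a prompt to confirm with the provider rather than a definite defect, since some providers do not authenticate inbound INVITEs.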