[asterisk-bugs] [JIRA] (ASTERISK-21433) Add analogous support for 'alwaysauthreject' to chan_gulp and top level security settings

Matt Jordan (JIRA) noreply at issues.asterisk.org
Mon Apr 15 16:21:01 CDT 2013 

Matt Jordan created ASTERISK-21433:
--------------------------------------

             Summary: Add analogous support for 'alwaysauthreject' to chan_gulp and top level security settings
                 Key: ASTERISK-21433
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-21433
             Project: Asterisk
          Issue Type: New Feature
      Security Level: None
          Components: Channels/chan_gulp
            Reporter: Matt Jordan


One of the more highly used (and frequently accused) features in {{chan_sip}} is the {{alwaysauthreject}} feature, which helps to prevent attackers from enumerating possible endpoints in Asterisk. The formula should go as follows:

# Inbound malicious request hits Asterisk
# Asterisk challenges the inbound request
# Inbound malicious request hits Asterisk with challenge response
# Asterisk determines that this request doesn't match a valid endpoint and returns a "403", regardless of the actual reason it would reject the request

We need an analogous feature in {{chan_gulp}}. This will require the following:

* A new "global security" object for sorcery. This should include both alwaysauthreject, as well as an ACL object (currently provided by res_sip_acl). Note that ACLs should be definable both at a 'global level', as well as for endpoints.
* Creation of a new SIP module that provides security support for the SIP stack (say, {{res_sip_security}}). This should parse the global security options out and enable them.
* Apply the global ACLs to all inbound requests. This can occur either in {{res_sip_security}} or in a separate module that builds on a framework that module provides.
* When {{alwaysauthreject}} is enabled, create a 'bogus' endpoint that will match all unmatched request attempts. This should have a password that can never be matched (see chan_sip in 11.3.0+) and will always cause inbound requests to fail. This can occur either in {{res_sip_security}} or in a separate module that builds on a framework that module provides.

Note that items such as the SIP Security Framework will have to also be ported over to chan_gulp, so having a security module that provides security services is probably needed.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the asterisk-bugs mailing list