[asterisk-bugs] [JIRA] (ASTERISK-21433) Add analogous support for 'alwaysauthreject' to chan_gulp and top level security settings
Matt Jordan (JIRA)
noreply at issues.asterisk.org
Mon Apr 29 14:11:38 CDT 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-21433?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Jordan reassigned ASTERISK-21433:
--------------------------------------
Assignee: Kevin Harwell
> Add analogous support for 'alwaysauthreject' to chan_gulp and top level security settings
> -----------------------------------------------------------------------------------------
>
> Key: ASTERISK-21433
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-21433
> Project: Asterisk
> Issue Type: New Feature
> Security Level: None
> Components: Channels/chan_gulp
> Reporter: Matt Jordan
> Assignee: Kevin Harwell
> Labels: Asterisk12, NewSIP
>
> One of the more highly used (and frequently accused) features in {{chan_sip}} is the {{alwaysauthreject}} feature, which helps to prevent attackers from enumerating possible endpoints in Asterisk. The formula should go as follows:
> # Inbound malicious request hits Asterisk
> # Asterisk challenges the inbound request
> # Inbound malicious request hits Asterisk with challenge response
> # Asterisk determines that this request doesn't match a valid endpoint and returns a "403", regardless of the actual reason it would reject the request
> We need an analogous feature in {{chan_gulp}}. This will require the following:
> * A new "global security" object for sorcery. This should include both alwaysauthreject, as well as an ACL object (currently provided by res_sip_acl). Note that ACLs should be definable both at a 'global level', as well as for endpoints.
> * Creation of a new SIP module that provides security support for the SIP stack (say, {{res_sip_security}}). This should parse the global security options out and enable them.
> * Apply the global ACLs to all inbound requests. This can occur either in {{res_sip_security}} or in a separate module that builds on a framework that module provides.
> * When {{alwaysauthreject}} is enabled, create a 'bogus' endpoint that will match all unmatched request attempts. This should have a password that can never be matched (see chan_sip in 11.3.0+) and will always cause inbound requests to fail. This can occur either in {{res_sip_security}} or in a separate module that builds on a framework that module provides.
> Note that items such as the SIP Security Framework will have to also be ported over to chan_gulp, so having a security module that provides security services is probably needed.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the asterisk-bugs
mailing list