[asterisk-bugs] [JIRA] (ASTERISK-21433) Add analogous support for 'alwaysauthreject' to chan_gulp and top level security settings

Digium Subversion (JIRA) noreply at issues.asterisk.org
Tue Jul 2 12:11:03 CDT 2013


     [ https://issues.asterisk.org/jira/browse/ASTERISK-21433?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Digium Subversion closed ASTERISK-21433.
----------------------------------------

    Resolution: Fixed
    
> Add analogous support for 'alwaysauthreject' to chan_gulp and top level security settings
> -----------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-21433
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-21433
>             Project: Asterisk
>          Issue Type: New Feature
>      Security Level: None
>          Components: Channels/chan_gulp
>            Reporter: Matt Jordan
>            Assignee: Kevin Harwell
>              Labels: Asterisk12, NewSIP
>
> One of the more highly used (and frequently accused) features in {{chan_sip}} is the {{alwaysauthreject}} feature, which helps to prevent attackers from enumerating possible endpoints in Asterisk. The formula should go as follows:
> # Inbound malicious request hits Asterisk
> # Asterisk challenges the inbound request
> # Inbound malicious request hits Asterisk with challenge response
> # Asterisk determines that this request doesn't match a valid endpoint and returns a "403", regardless of the actual reason it would reject the request
> We need an analogous feature in {{chan_gulp}}. This will require the following:
> * A new "global security" object for sorcery. This should include both alwaysauthreject, as well as an ACL object (currently provided by res_sip_acl). Note that ACLs should be definable both at a 'global level', as well as for endpoints.
> * Creation of a new SIP module that provides security support for the SIP stack (say, {{res_sip_security}}). This should parse the global security options out and enable them.
> * Apply the global ACLs to all inbound requests. This can occur either in {{res_sip_security}} or in a separate module that builds on a framework that module provides.
> * When {{alwaysauthreject}} is enabled, create a 'bogus' endpoint that will match all unmatched request attempts. This should have a password that can never be matched (see chan_sip in 11.3.0+) and will always cause inbound requests to fail. This can occur either in {{res_sip_security}} or in a separate module that builds on a framework that module provides.
> Note that items such as the SIP Security Framework will have to also be ported over to chan_gulp, so having a security module that provides security services is probably needed.

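The flow the report describes, the uniform challenge followed by a uniform "403", is easiest to see next to the behaviour it replaces. The following is an added example written for this page, not Asterisk or chan_gulp code: a toy registrar that handles a two-step REGISTER with Digest authentication and a global ACL in two modes. In the leaky mode an unknown username gets a distinct status ("404" here, a constructed value), which is exactly the signal an enumeration attempt relies on; with `always_auth_reject` on, unknown users are routed to a bogus endpoint whose secret is a random, never-disclosed value (my stand-in for the chan_sip approach the report points at, not its actual implementation), so the outcome is indistinguishable from a bad password. The realm, endpoint store, ACL network and the choice of "403" for ACL denials are constructed assumptions.

```python
"""Toy SIP registrar contrasting a response-leaking authentication flow with an
'alwaysauthreject'-style uniform flow.  Added example; not Asterisk code."""
import hashlib
import ipaddress
import secrets

REALM = "asterisk"  # constructed realm value

# Constructed endpoint store: username -> shared secret.
ENDPOINTS = {"alice": "correct-horse-battery"}

# Constructed global ACL: implicit deny, permit only these networks.
ACL_PERMIT = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed stand-in for the 'bogus endpoint': a random secret that is never
# disclosed, so no challenge response can ever match it.
_BOGUS_SECRET = secrets.token_hex(32)

# Nonces this registrar has issued and not yet consumed.
_ISSUED_NONCES: set = set()


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, realm=REALM):
    """RFC 2617 Digest (MD5, no qop) as a SIP client computes it."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def acl_permits(source_ip: str) -> bool:
    """Global ACL applied to every inbound request before any auth work."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in ACL_PERMIT)


def handle_register(req: dict, always_auth_reject: bool):
    """Return (status, nonce) for one REGISTER; nonce is set only on a 401.

    req keys: 'uri', 'source_ip' and optionally 'auth' (a dict with
    'username', 'nonce' and 'response').
    """
    if not acl_permits(req["source_ip"]):
        return 403, None  # assumed ACL denial code

    # Steps 1-2: no credentials yet -> challenge.  The challenge is issued for
    # every request, so it reveals nothing about which endpoints exist.
    if "auth" not in req:
        nonce = secrets.token_hex(16)
        _ISSUED_NONCES.add(nonce)
        return 401, nonce

    auth = req["auth"]
    if auth["nonce"] not in _ISSUED_NONCES:
        return 403, None  # stale or forged nonce: same code as a bad password
    _ISSUED_NONCES.discard(auth["nonce"])

    user = auth["username"]
    secret = ENDPOINTS.get(user)
    if secret is None:
        if not always_auth_reject:
            # Leaky behaviour: a distinct code tells the sender the user is unknown.
            return 404, None
        # Steps 3-4, hardened: unknown users hit the bogus endpoint, whose secret
        # can never be matched, so the result is a 403 just like a wrong password.
        secret = _BOGUS_SECRET

    expected = digest_response(user, secret, "REGISTER", req["uri"], auth["nonce"])
    if secrets.compare_digest(expected, auth["response"]):
        return 200, None
    return 403, None


def register_flow(username, password, source_ip, always_auth_reject):
    """Drive the full two-step exchange and return the final status code."""
    uri = "sip:registrar.example"  # constructed request URI
    first = {"uri": uri, "source_ip": source_ip}
    status, nonce = handle_register(first, always_auth_reject)
    if status != 401:
        return status
    resp = digest_response(username, password, "REGISTER", uri, nonce)
    second = dict(first, auth={"username": username, "nonce": nonce, "response": resp})
    return handle_register(second, always_auth_reject)[0]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"always_auth_reject={mode}:",
              "known/wrong ->", register_flow("alice", "bad", "192.0.2.10", mode),
              "unknown ->", register_flow("mallory", "bad", "192.0.2.10", mode))
```

Run as a script, the leaky mode prints different codes for a known user with a wrong password and for an unknown user, while the hardened mode prints the same code for both; the only way left to tell the two apart is a successful registration.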
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira