[asterisk-dev] Asterisk Network Security Idea (using tcp_wrappers)

Joseph Benden joe at thrallingpenguin.com
Sun Mar 29 14:19:44 CDT 2009


On Mar 29, 2009, at 2:12 PM, Steve Edwards wrote:

> I think Asterisk should "publish" the failure, but what happens after that
> would be outside the scope of an "open source PBX, telephony engine, and
> telephony applications toolkit."

I agree. I think we keep cramming too much functionality into a  
monolithic entity. The UNIX mantra is to keep it simple and a single  
tool for a single task. Asterisk is a PBX, telephony engine, and  
telephony application toolkit. It is not a network security, with  
distributed ACL management, real-time analysis, etc.

I think that Asterisk should somehow (tcp_wrappers for instance) use  
existing libraries and tools for network security and utilize other  
tools (DenyHosts for instance) in managing the former (tcp_wrappers).

Asterisk will then have limited security implications. There is very  
little code added, tcp_wrappers has already undergone extensive  
testing, debugging, and security analysis. These other tools that  
manage the files required of tcp_wrappers have already undergone the  
same.

It also means that our community has less to maintain. Does everybody  
not agree that we've got a lot to maintain presently? :)

I also don't think that we can accept the blame for system admins who  
have not properly learned how to take care of their machines. If they  
are broken into because they left Rsh exposed; is it really our fault?  
If they leave SIP wide open with no password and default context can  
place international calls; is it our fault?

I think we can give people the tools to do their job, but we cannot do  
their job for them. If we add tcp_wrappers, we give them a way to  
block access. If we give them the regular expression that works with  
DenyHosts, we give them a way to monitor and automatically manage the  
tcp_wrappers entries. They can use it or not. They can write their  
syslog entries to a pipe that DenyHosts uses, for more "real-time"  
management. The key is that we give the possibility for doing network  
security...

> The tcp wrappers, hosts.deny kind of approach seems too "single server" to
> me.

I agree, but for the most part, this is Asterisk. Asterisk was founded  
around single-server. (waiting for flames! lol) I'll agree and say  
there are ways to cluster it, but it fundamentally is a single-server  
application. If it was intended for large massive scaling, the  
software would be architected differently, eg: using multicast for an  
overall manager of many VoIP components and different items can hot  
failover and scale by adding more boxes with more components. This is  
how all very scalable software is built: think Glassfish, ActiveMQ,  
Erlang/OTP, etc. (especially think about Erlang/OTP, as it is in the  
same domain as Asterisk.)

> Repeatedly parsing log files seems hackish (non-elegant) and not
> real-time enough.

I cannot think of any systems that don't work to some extent like  
this. The better ones will accept a pipe that is written to, so at  
least parsing happens fairly "real-time".

The only additional items that I have seen are where the tool writes out  
IPTables rules directly - but this is too operating-system specific for  
Asterisk, and would not work with Solaris, Mac, FreeBSD.

Items like tcp_wrappers do work with the above operating systems.

Comments, suggestions, or ideas are welcomed!

Thanks,
-Joseph Benden
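
Added example, not part of the original message and not code from Asterisk or DenyHosts: the log-watching half of the approach described above, matching failed-registration lines and emitting hosts.deny entries. The log layout, the two failure reasons, the threshold and window, and the tcp_wrappers daemon name "asterisk" are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout: [YYYY-MM-DD HH:MM:SS] NOTICE[pid] chan_sip.c: Registration
# from '<From header>' failed for '<ip>[:port]' - <reason>  (IPv4 only here).
# The From header is caller-supplied, so the match is greedy up to the LAST
# "failed for" and anchored at end of line: the captured address is the one
# Asterisk appended itself, never text carried inside the header.
FAILED = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\].*?: "
    r"Registration from '.*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found)$"
)

def offenders(lines, threshold=3, window=timedelta(minutes=5)):
    """Yield each IP once, when it reaches `threshold` failures inside `window`.
    `lines` may be a list, an open log file, or a pipe such as sys.stdin."""
    recent, flagged = defaultdict(deque), set()
    for line in lines:
        m = FAILED.match(line.rstrip("\r\n"))
        if not m or m["ip"] in flagged:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        seen = recent[m["ip"]]
        seen.append(ts)
        while ts - seen[0] > window:   # drop failures older than the window
            seen.popleft()
        if len(seen) >= threshold:
            flagged.add(m["ip"])
            yield m["ip"]

def hosts_deny(ips, daemon="asterisk"):
    """Render hosts.deny lines; the daemon name is an assumption."""
    return [f"{daemon}: {ip}" for ip in ips]

_L = "[2009-03-29 {}] NOTICE[2412] chan_sip.c: Registration from '{}' failed for '{}' - {}"
_FROM = '"100" <sip:100@192.0.2.10>'
SAMPLE = [  # constructed log lines using documentation addresses
    _L.format("14:10:01", _FROM, "203.0.113.5", "Wrong password"),
    _L.format("14:10:03", _FROM, "203.0.113.5", "Wrong password"),
    _L.format("14:10:04", _FROM, "198.51.100.7", "No matching peer found"),
    _L.format("14:10:06", _FROM, "203.0.113.5", "Wrong password"),
    _L.format("14:30:00", _FROM, "198.51.100.7", "Wrong password"),
]

if __name__ == "__main__":
    print("\n".join(hosts_deny(offenders(SAMPLE))))
```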



