[asterisk-dev] Asterisk Network Security Idea (using tcp_wrappers)

Hans Witvliet hwit at a-domani.nl
Sun Mar 29 16:20:22 CDT 2009


On Sun, 2009-03-29 at 15:19 -0400, Joseph Benden wrote:
> On Mar 29, 2009, at 2:12 PM, Steve Edwards wrote:
> 
> > I think Asterisk should "publish" the failure, but what happens after that
> > would be outside the scope of an "open source PBX, telephony engine, and
> > telephony applications toolkit."
> 
> I agree. I think we keep cramming too much functionality into a  
> monolithic entity. The UNIX mantra is to keep it simple and a single  
> tool for a single task. Asterisk is a PBX, telephony engine, and  
> telephony application toolkit. It is not a network security, with  
> distributed ACL management, real-time analysis, etc.
> 
> I think that Asterisk should somehow (tcp_wrappers for instance) use  
> existing libraries and tools for network security and utilize other  
> tools (DenyHosts for instance) in managing the former (tcp_wrappers).
> 
> Asterisk will then have limited security implications. There is very
> little code added, tcp_wrappers has already undergone extensive
> testing, debugging, and security analysis. These other tools that
> manage the files required of tcp_wrappers, have already undergone the
> same.
> 
> It also means that our community has less to maintain. Does everybody  
> not agree that we've got a lot to maintain presently? :)
> 

If you think too much security is already put in Asterisk, you might
contemplate creating a PAM module for it, and leave user authentication
to pre-existing, well proven and tested elsewhere mechanisms, just like
the tcp_wrappers.

hw
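
The split discussed in this thread (the service publishes failures, an outside tool maintains the tcp_wrappers files, the service only asks whether a peer is allowed), as an added example that is not part of the thread and is not Asterisk, DenyHosts or libwrap code. The event format, the daemon name "asterisk" and the threshold are assumptions, and the matcher handles only literal IPv4 addresses and ALL, not the full hosts_access(5) pattern language.

```python
# Added illustration, not Asterisk or DenyHosts code.
import ipaddress
from collections import Counter

DAEMON = "asterisk"   # assumed daemon name used in the rules
THRESHOLD = 3         # assumed number of failures before a peer is denied

# Constructed events in a hypothetical format (not Asterisk's log format).
EVENTS = [
    "auth-failure peer=203.0.113.7 user=100",
    "auth-failure peer=203.0.113.7 user=101",
    "auth-failure peer=198.51.100.20 user=100",
    "auth-failure peer=203.0.113.7 user=102",
    "auth-failure peer=not-an-ip user=100",
]

def failed_peers(events):
    """Count published failures per literal IPv4 peer address."""
    counts = Counter()
    for line in events:
        if not line.startswith("auth-failure "):
            continue
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        try:
            counts[str(ipaddress.IPv4Address(fields.get("peer", "")))] += 1
        except ValueError:
            continue  # never write unvalidated text into an access file
    return counts

def deny_rules(counts, threshold=THRESHOLD, daemon=DAEMON):
    """Render hosts.deny lines ("daemon: client") for peers at or over threshold."""
    return [f"{daemon}: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]

def _matches(lines, daemon, ip):
    for line in lines:
        parts = line.split("#", 1)[0].split(":")
        if len(parts) < 2:
            continue
        daemons, clients = (p.replace(",", " ").split() for p in parts[:2])
        if (daemon in daemons or "ALL" in daemons) and (ip in clients or "ALL" in clients):
            return True
    return False

def hosts_access(allow, deny, daemon, ip):
    """hosts_access(5) order: an allow match grants, else a deny match refuses, else grant."""
    if _matches(allow, daemon, ip):
        return True
    return not _matches(deny, daemon, ip)
```

An entry in the allow list wins over a generated deny rule, so a trusted peer listed there cannot be locked out by the watcher.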