[asterisk-dev] Asterisk Network Security Idea (using tcp_wrappers)
Hans Witvliet
hwit at a-domani.nl
Sun Mar 29 16:20:22 CDT 2009
On Sun, 2009-03-29 at 15:19 -0400, Joseph Benden wrote:
> On Mar 29, 2009, at 2:12 PM, Steve Edwards wrote:
>
> > I think Asterisk should "publish" the failure, but what happens after
> > that would be outside the scope of a "open source PBX, telephony
> > engine, and telephony applications toolkit."
>
> I agree. I think we keep cramming too much functionality into a
> monolithic entity. The UNIX mantra is to keep it simple and a single
> tool for a single task. Asterisk is a PBX, telephony engine, and
> telephony application toolkit. It is not a network security, with
> distributed ACL management, real-time analysis, etc.
>
> I think that Asterisk should somehow (tcp_wrappers for instance) use
> existing libraries and tools for network security and utilize other
> tools (DenyHosts for instance) in managing the former (tcp_wrappers).
>
> Asterisk will then have limited security implications. There is very
> little code added, tcp_wrappers has already undergone extensive
> testing, debugging, and security analysis. These other tools that
> manage the files required of tcp_wrappers, have already undergone the
> same.
>
> It also means that our community has less to maintain. Does everybody
> not agree that we've got a lot to maintain presently? :)
>
If you think too much security is already put in Asterisk, you might
contemplate creating a pam-module for it, and leave user-authentication
to pre-existing, well proven and tested elsewhere mechanisms, just like
the tcp-wrappers.
hw