[asterisk-users] Securing Asterisk - How to avoid sending, "SIP/2.0 603 Declined"
Paul Belanger
pabelanger at digium.com
Sat Jul 23 11:07:49 CDT 2011
On 11-07-23 11:48 AM, Patrick Lists wrote:
> On 07/23/2011 04:00 PM, Paul Belanger wrote:
>> A UAS rejecting an offer contained in an INVITE SHOULD return a 488
>> (Not Acceptable Here) response. Such a response SHOULD include a
>> Warning header field value explaining why the offer was rejected.
>
> If the choice is to get hacked/DDOS'ed/etc or compliance with an RFC
> created by people who had no appreciation for the rather ugly world out
> there then why not throw the RFC out of the window and *not* reject an
> invite with a 488? It sounds like an interesting option to add to
> "10"/trunk. Better secure than compliant & sorry. Why not do a little
> Microsoft Embrace & Extend? Like e.g. Sonus and Cisco do with their
> interpretation of SIP.
>
Personally, I don't see this as a solution. SIP already provides some
ability to help with security (EG: TLS, SRTP) however that is basically
the extent of it.

The way I see it, it is outside the scope of SIP; it's a signaling
protocol. If 'security' is really something you want to establish, many
existing tools are available to handle this (EG: VPN, firewalls,
encryption, etc).

As previously mentioned, there is no easy, simple solution. Securing
one's services takes work (and time) to do it right. Most people don't
want to spend the effort monitoring it.

--
Paul Belanger
Digium, Inc. | Software Developer
twitter: pabelanger | IRC: pabelanger (Freenode)
Check us out at: http://digium.com & http://asterisk.org