[svn-commits] russell: branch group/security_events r195517 - /team/group/security_events/

SVN commits to the Digium repositories svn-commits at lists.digium.com
Tue May 19 10:45:26 CDT 2009 

Author: russell
Date: Tue May 19 10:45:23 2009
New Revision: 195517

URL: http://svn.asterisk.org/svn-view/asterisk?view=rev&rev=195517
Log:
Flesh out the security framework doc some more

Modified:
    team/group/security_events/security_events.txt

Modified: team/group/security_events/security_events.txt
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/security_events.txt?view=diff&rev=195517&r1=195516&r2=195517
==============================================================================
--- team/group/security_events/security_events.txt (original)
+++ team/group/security_events/security_events.txt Tue May 19 10:45:23 2009
@@ -1,24 +1,94 @@
--------------------------------------------------------------------------------
---- Random Thoughts -----------------------------------------------------------
--------------------------------------------------------------------------------
-
- - Try to detect if an auth attack is trying different passwords by using the
-   same nonce after some number of unsuccessful auth attempts
-
- - Log Subscribe to invalid exten?
-   -> request not allowed with meta data
-
- - RTP
-   -> invalid payload?
-   -> unexpected source addr?
-
- - Differentiate between security error events and informational events
-
- - Events must all be individually interpretable
-
--------------------------------------------------------------------------------
---- Events to log -------------------------------------------------------------
--------------------------------------------------------------------------------
+================================================================================
+===                     Asterisk Security Framework                          ===
+===                       asteriskteam at digium.com                            ===
+===                       (C) 2009 - Digium, Inc.                            ===
+================================================================================
+
+--------------------------------------------------------------------------------
+--- 0) Table of Contents -------------------------------------------------------
+--------------------------------------------------------------------------------
+
+    1) Introduction
+    2) Framework Overview
+    3) Events to Log
+    4) Security Log File Format
+    5) References
+
+--------------------------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+--------------------------------------------------------------------------------
+--- 1) Introduction ------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+    Attacks on Voice over IP networks are becoming increasingly more common.
+It has become clear that we must do something within Asterisk to help mitigate
+these attacks.
+
+    Through a number of discussions, we have decided that the best thing that we
+can do within Asterisk is to build a framework which recognizes and reports 
+events that could potentially have security implications.  We can then allow
+these events to be reported in easily interpretable ways so that we can build
+external tools that can apply business rules to these events and decide how to
+act on them.
+
+--------------------------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+--------------------------------------------------------------------------------
+--- 2) Framework Overview ------------------------------------------------------
+--------------------------------------------------------------------------------
+
+    This section discusses the architecture of the Asterisk modifications being
+proposed.
+
+    There are two main components that we propose for the initial
+implementation of the security framework:
+    
+    - Security Event Generation
+    - Security Event Logger
+
+A) Security Event Generation
+
+    The ast_event API will be used for the generation of security events.  That
+way, the events will be in an easily interpretable format within Asterisk to
+make it easy to write modules that do things with them.  There will also be some
+helper data structures and functions to aid Asterisk modules in reporting these
+security events with the proper contents.
+
+    Section 3 of this document contains the current list of security events
+being proposed.  Each security event type has some required pieces of
+information and some other optional pieces of information.
+
+    Subscribing to security events from within Asterisk can be done by
+subscribing to events of type AST_EVENT_SECURITY.  These events have an
+information element, AST_EVENT_IE_SECURITY_EVENT, which identifies the security
+event sub-type (from the list described in section 3).  The result of the
+information elements in the events contain the required and optional meta data
+associated with the event sub-type.
+
+B) Security Event Logger
+
+    In addition to the infrastructure for generating the events, one module that
+is a consumer of these events will be implemented.
+
+    Asterisk trunk was recently updated to include support for dynamic logger
+channels.  This module will take advantage of this functionality to create a
+custom "security" logger channel.  Then, when this module is in use, logger.conf
+can configured to put security events into a file:
+    
+    security_log => security
+
+    The content of this file will be a well defined and easily interpretable
+format for external scripts to read and act upon.  The definition for the format
+of the log file is the subject of Section 4 of this document.
+
+--------------------------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+--------------------------------------------------------------------------------
+--- 3) Events to log -----------------------------------------------------------
+--------------------------------------------------------------------------------
 
 (-) required
 (+) optional
@@ -100,5 +170,58 @@
  -> everything from inval account ID
  (-) expected host
 
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
+--------------------------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+--------------------------------------------------------------------------------
+--- 4) Security Log File Format ------------------------------------------------
+--------------------------------------------------------------------------------
+
+TODO ...
+
+--------------------------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+--------------------------------------------------------------------------------
+--- 5) References --------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+Code:
+
+    Security event generation helper API: 
+     - main/security_events.c
+     - include/asterisk/security_events.h
+     - include/asterisk/security_events_defs.h
+
+    Security event logger
+     - res/res_security_log.c
+
+    Modules partially updated to generate security events:
+     - channels/chan_sip.c
+
+--------------------------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+--------------------------------------------------------------------------------
+--- Random Thoughts ------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+ - Try to detect if an auth attack is trying different passwords by using the
+   same nonce after some number of unsuccessful auth attempts
+
+ - Log Subscribe to invalid exten?
+   -> request not allowed with meta data
+
+ - RTP
+   -> invalid payload?
+   -> unexpected source addr?
+
+ - Differentiate between security error events and informational events
+
+ - Events must all be individually interpretable
+
+--------------------------------------------------------------------------------
+--------------------------------------------------------------------------------
+
+================================================================================
+================================================================================

More information about the svn-commits mailing list