[asterisk-users] Securing Asterisk
Alex Balashov
abalashov at evaristesys.com
Tue Jul 26 13:42:01 CDT 2011
On 07/26/2011 02:33 PM, Bruce B wrote:
> I would have to err on the side of CDR to say that the only difference
> in analogy you provided (SSH vs Asterisk) is that people lose much
> more $$$$$$$$ in VoIP than they ever did in SSH hacking. So, if this
> is an exceptional case bending a rule or two of RFC in favor of
> security won't harm specially if it's provided as an
> option.
Again:
_Applications are often conceptually distinct from the most
appropriate means of securing them._
Moreover, as Kevin Fleming pointed out, refraining from responding to
invalid credentials while continuing to respond to valid ones
simply shifts the presentation of the information, from the point of
view of the scanner. It doesn't accomplish your goal at all.
> After-all, RFC does stand for Referral For Comment as in always
> open to be improved.
Adopted ones are standards to be followed.
You're right, though; the IETF SIP working group welcomes incremental
improvements; submit yours and see what they think. If you get your
draft adopted, I am sure Digium would be more than happy to implement
it in chan_sip.
> I think it's a good idea if such a security "option" is provided by
> default in Asterisk knowing it can save a lot of headache. If
> budget is an issue maybe make it a bounty and watch support pouring
> in...........
The issue is not lack of resources, but rather that it's conceptually
incorrect behaviour, and that the UAS is the wrong place to solve this
problem.
The best advice that has been given in relation to this topic so far
came from Lee Howard earlier today:
http://lists.digium.com/pipermail/asterisk-users/2011-July/265012.html
--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
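The point above, that answering only valid credentials merely changes how the same bit reaches the scanner, can be made concrete with a small model. The following is an added example, not code from the thread and not Asterisk's own chan_sip logic. It assumes a constructed peer table, a constructed word list, and that a scanner treats expiry of the RFC 3261 non-INVITE transaction timer (Timer F = 64*T1 = 32 s) as "no response". The UAS policies and the scanner's decision rule are the only moving parts; everything else is sample data.

```python
"""Credential scanner versus two UAS policies (added example, not from the thread).

'answer' : the UAS always replies (200 on success, 403 otherwise, with the same
           code for an unknown user and a wrong password).
'silent' : the proposal under discussion: reply only to valid credentials.

The scanner's decision rule is identical under both policies, so it recovers
exactly the same credentials; only the per-guess cost changes.
"""
from typing import Optional, Set, Tuple

T1 = 0.5               # RFC 3261 default T1, seconds
TIMER_F = 64 * T1      # 32 s: non-INVITE transaction timeout (RFC 3261, 17.1.2.2)

# Constructed sample directory; a real UAS reads this from its configuration.
PEERS = {"1001": "correct-horse", "1002": "battery-staple"}

# Constructed word list the scanner tries against every user.
WORDLIST = ["1234", "correct-horse", "admin", "battery-staple"]


def uas_reply(policy: str, user: str, password: str) -> Optional[int]:
    """Status code the UAS sends for a REGISTER carrying these credentials.

    Returns None when the UAS sends nothing at all.
    """
    if PEERS.get(user) == password:
        return 200
    if policy == "answer":
        return 403
    if policy == "silent":
        return None
    raise ValueError(f"unknown policy {policy!r}")


def scanner_observes(policy: str, user: str, password: str) -> Tuple[object, float]:
    """What the scanner sees for one guess: (outcome, seconds spent waiting)."""
    code = uas_reply(policy, user, password)
    if code is None:
        # No reply: the client transaction runs until Timer F fires.
        return ("timeout", TIMER_F)
    # A reply arrives within roughly one round trip; T1 is a fair stand-in.
    return (code, T1)


def run_scan(policy: str, users, wordlist) -> Tuple[Set[Tuple[str, str]], float]:
    """Try every (user, password) pair; return (credentials found, total seconds).

    Note the decision rule: the scanner never inspects the failure code. Anything
    other than 200 means 'move on', so a 403 and silence carry the same bit.
    """
    found: Set[Tuple[str, str]] = set()
    elapsed = 0.0
    for user in users:
        for pw in wordlist:
            outcome, cost = scanner_observes(policy, user, pw)
            elapsed += cost
            if outcome == 200:
                found.add((user, pw))
    return found, elapsed


def compare_policies(users, wordlist):
    """Run the same scan under both policies and report what differs."""
    found_a, t_a = run_scan("answer", users, wordlist)
    found_s, t_s = run_scan("silent", users, wordlist)
    return {
        "same_credentials_recovered": found_a == found_s,
        "seconds_answer": t_a,
        "seconds_silent": t_s,
    }


if __name__ == "__main__":
    # "1003" is a user that does not exist, to show it is treated no differently.
    print(compare_policies(["1001", "1002", "1003"], WORDLIST))
```

The only thing the silent policy buys is that each failed guess costs the scanner a 32 s timeout instead of a near-instant 403, and a scanner that keeps many transactions in flight pays that wall-clock cost once per batch rather than once per guess. The set of credentials it walks away with is the same, which is the "shifts the presentation" argument in code.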