On 07/26/2011 02:33 PM, Bruce B wrote:

I would have to err on the side of CDR to say that the only difference
in the analogy you provided (SSH vs Asterisk) is that people lose much
more $$$$$$$$ in VoIP than they ever did in SSH hacking. So, if this
is an exceptional case, bending a rule or two of the RFC in favor of
security won't harm, especially if it's provided as an
option.

Again:

_Applications are often conceptually distinct from the most appropriate means of securing them._

Moreover, as Kevin Fleming pointed out, refraining from responding to invalid credentials while continuing to respond to valid ones simply shifts the presentation of the information, from the point of view of the scanner. It doesn't accomplish your goal at all.

After all, RFC does stand for Referral For Comment as in always
open to be improved.

Adopted ones are standards to be followed.

You're right, though; the IETF SIP working group welcomes incremental improvements; submit yours and see what they think. If you get your draft adopted, I am sure Digium would be more than happy to implement it in chan_sip.

I think it's a good idea if such a security "option" is provided by
default in Asterisk, knowing it can save a lot of headache. If
budget is an issue, maybe make it a bounty and watch support pour
in...

The issue is not lack of resources, but rather that it's conceptually incorrect behaviour, and that the UAS is the wrong place to solve this problem.

The best advice that has been given in relation to this topic so far came from Lee Howard earlier today:

http://lists.digium.com/pipermail/asterisk-users/2011-July/265012.html

--
Alex Balashov - Principal
Evariste Systems LLC
260 Peachtree Street NW
Suite 2200
Atlanta, GA 30303
Tel: +1-678-954-0670
Fax: +1-404-961-1892
Web: http://www.evaristesys.com/
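As an added illustration of the point attributed to Kevin Fleming above (this is not code from the thread, from Asterisk, or from chan_sip; it is a simulation I wrote, and every name in it, ToyUAS, ACCOUNTS, WORDLIST, the realm and nonce, is an assumption of mine): a registrar that answers bad credentials normally and one that stays silent on them, scanned by the same password-guessing loop. The scanner only needs to know "did this guess succeed?", so silence versus a 403 is a difference in presentation, not in information.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample data for the simulation; not real accounts or a real realm.
REALM = "asterisk"
NONCE = "0123abcd"
ACCOUNTS = {"1001": "hunter2", "1002": "s3cret"}
WORDLIST = ["1234", "password", "hunter2", "s3cret", "letmein"]


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, password: str,
                    method: str = "REGISTER", uri: str = "sip:" + REALM) -> str:
    """RFC 2617 digest as SIP uses it (no qop): md5(HA1:nonce:HA2)."""
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{NONCE}:{ha2}")


class ToyUAS:
    """Simplified registrar (my own toy, not chan_sip).

    silent_on_failure=True models the proposal in the thread: send nothing
    back for bad credentials and answer only good ones.
    """

    def __init__(self, accounts: dict, silent_on_failure: bool):
        self.accounts = accounts
        self.silent_on_failure = silent_on_failure
        self.responses_sent = 0

    def register(self, user: str, response: Optional[str]) -> Optional[int]:
        """Return a SIP status code, or None for 'no response' (client times out)."""
        if response is None:                      # first REGISTER, no credentials
            self.responses_sent += 1
            return 401                            # challenge
        pw = self.accounts.get(user)
        ok = pw is not None and hmac.compare_digest(response, digest_response(user, pw))
        if ok:
            self.responses_sent += 1
            return 200
        if self.silent_on_failure:
            return None                           # the proposed "say nothing"
        self.responses_sent += 1
        return 403                                # conventional rejection


def brute_force(uas: ToyUAS, user: str, wordlist) -> Tuple[Optional[str], int]:
    """A scanner that treats every non-200 outcome, silence included, as failure."""
    uas.register(user, None)                      # obtain the challenge once
    attempts = 0
    for guess in wordlist:
        attempts += 1
        if uas.register(user, digest_response(user, guess)) == 200:
            return guess, attempts
    return None, attempts


def run_scan(silent: bool) -> dict:
    """Scan extension 1001 against one policy and report what the scanner learned."""
    uas = ToyUAS(ACCOUNTS, silent_on_failure=silent)
    found, attempts = brute_force(uas, "1001", WORDLIST)
    return {"found": found, "attempts": attempts, "responses_from_uas": uas.responses_sent}


if __name__ == "__main__":
    for silent in (False, True):
        print("silent_on_failure=%-5s -> %s" % (silent, run_scan(silent)))
```

Both runs recover the same password after the same number of guesses; the silent registrar merely sends two packets instead of four. The only cost the silence imposes is a per-failure timeout, which a scanner sets short and runs in parallel. Whether the conventional rejection is a 401 or a 403, and whether unknown users get the same answer as wrong passwords, depends on configuration in a real Asterisk (for example the alwaysauthreject setting in chan_sip), which this toy does not model.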
