diff options
author | Russell Bryant <russell@russellbryant.com> | 2007-07-02 22:27:46 +0000 |
---|---|---|
committer | Russell Bryant <russell@russellbryant.com> | 2007-07-02 22:27:46 +0000 |
commit | df1a340774efc74f80ab4d99fb01da958d3f18e2 (patch) | |
tree | 4c5b7a9ec6daf345dc48805fe38a7d941866ed93 /doc/tex/security.tex | |
parent | 94b934c8f66b617b05ccf528781b958e4c312d04 (diff) |
* Move LaTeX docs into a tex/ subdirectory of the doc/ dir
* Add a Makefile in doc/tex/ for generating PDF and HTML
* Add a README.txt file to doc/tex/ to document which tools are used and what
web sites to visit for getting them.
* Update build_tools/prep_tarball to put the proper Asterisk version string
in the automatically generated PDF for release tarballs
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@72982 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'doc/tex/security.tex')
-rw-r--r-- | doc/tex/security.tex | 76 |
1 files changed, 76 insertions, 0 deletions
diff --git a/doc/tex/security.tex b/doc/tex/security.tex new file mode 100644 index 000000000..188f42cab --- /dev/null +++ b/doc/tex/security.tex @@ -0,0 +1,76 @@ +\subsection{Introduction} + +PLEASE READ THE FOLLOWING IMPORTANT SECURITY RELATED INFORMATION. +IMPROPER CONFIGURATION OF ASTERISK COULD ALLOW UNAUTHORIZED USE OF YOUR +FACILITIES, POTENTIALLY INCURRING SUBSTANTIAL CHARGES. + +Asterisk security involves both network security (encryption, authentication) +as well as dialplan security (authorization - who can access services in +your pbx). If you are setting up Asterisk in production use, please make +sure you understand the issues involved. + +\subsection{Network Security} + +If you install Asterisk and use the "make samples" command to install +a demonstration configuration, Asterisk will open a few ports for accepting +VoIP calls. Check the channel configuration files for the ports and IP addresses. + +If you enable the manager interface in manager.conf, please make sure that +you access manager in a safe environment or protect it with SSH or other +VPN solutions. + +For all TCP/IP connections in Asterisk, you can set ACL lists that +will permit or deny network access to Asterisk services. Please check +the "permit" and "deny" configuration options in manager.conf and +the VoIP channel configurations - i.e. sip.conf and iax.conf. + +The IAX2 protocol supports strong RSA key authentication as well as +AES encryption of voice and signalling. The SIP channel does not +support encryption in this version of Asterisk. + +\subsection{Dialplan Security} + +First and foremost remember this: + +USE THE EXTENSION CONTEXTS TO ISOLATE OUTGOING OR TOLL SERVICES FROM ANY +INCOMING CONNECTIONS. + +You should consider that if any channel, incoming line, etc can enter an +extension context that it has the capability of accessing any extension +within that context. + +Therefore, you should NOT allow access to outgoing or toll services in +contexts that are accessible (especially without a password) from incoming +channels, be they IAX channels, FX or other trunks, or even untrusted +stations within you network. In particular, never ever put outgoing toll +services in the "default" context. To make things easier, you can include +the "default" context within other private contexts by using: + +\begin{verbatim} + include => default +\end{verbatim} + +in the appropriate section. A well designed PBX might look like this: + +\begin{verbatim} +[longdistance] +exten => _91NXXNXXXXXX,1,Dial(Zap/g2/${EXTEN:1}) +include => local + +[local] +exten => _9NXXNXXX,1,Dial(Zap/g2/${EXTEN:1}) +include => default + +[default] +exten => 6123,Dial(Zap/1) +\end{verbatim} + +DON'T FORGET TO TAKE THE DEMO CONTEXT OUT OF YOUR DEFAULT CONTEXT. There +isn't really a security reason, it just will keep people from wanting to +play with your Asterisk setup remotely. + +\subsection{Log Security} + +Please note that the Asterisk log files, as well as information printed to the +Asterisk CLI, may contain sensitive information such as passwords and call +history. Keep this in mind when providing access to these resources. |