* Move LaTeX docs into a tex/ subdirectory of the doc/ dir

* Add a Makefile in doc/tex/ for generating PDF and HTML
* Add a README.txt file to doc/tex/ to document which tools are used and what
  web sites to visit for getting them.
* Update build_tools/prep_tarball to put the proper Asterisk version string
  in the automatically generated PDF for release tarballs


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@72982 65c4cc65-6c06-0410-ace0-fbb531ad65f3

1 files changed, 76 insertions, 0 deletions

diff --git a/doc/tex/security.tex b/doc/tex/security.tex
new file mode 100644
index 000000000..188f42cab
--- /dev/null
+++ b/doc/tex/security.tex
@@ -0,0 +1,76 @@
+\subsection{Introduction}
+
+PLEASE READ THE FOLLOWING IMPORTANT SECURITY RELATED INFORMATION.  
+IMPROPER CONFIGURATION OF ASTERISK COULD ALLOW UNAUTHORIZED USE OF YOUR
+FACILITIES, POTENTIALLY INCURRING SUBSTANTIAL CHARGES.
+
+Asterisk security involves both network security (encryption, authentication)
+as well as dialplan security (authorization - who can access services in 
+your pbx). If you are setting up Asterisk in production use, please make
+sure you understand the issues involved.
+
+\subsection{Network Security}
+
+If you install Asterisk and use the "make samples" command to install
+a demonstration configuration, Asterisk will open a few ports for accepting
+VoIP calls. Check the channel configuration files for the ports and IP addresses.
+
+If you enable the manager interface in manager.conf, please make sure that
+you access manager in a safe environment or protect it with SSH or other
+VPN solutions.
+
+For all TCP/IP connections in Asterisk, you can set ACL lists that
+will permit or deny network access to Asterisk services. Please check
+the "permit" and "deny" configuration options in manager.conf and
+the VoIP channel configurations - i.e. sip.conf and iax.conf.
+
+The IAX2 protocol supports strong RSA key authentication as well as
+AES encryption of voice and signalling. The SIP channel does not
+support encryption in this version of Asterisk.
+
+\subsection{Dialplan Security}
+
+First and foremost remember this:
+
+USE THE EXTENSION CONTEXTS TO ISOLATE OUTGOING OR TOLL SERVICES FROM ANY
+INCOMING CONNECTIONS.
+
+You should consider that if any channel, incoming line, etc can enter an
+extension context that it has the capability of accessing any extension
+within that context. 
+
+Therefore, you should NOT allow access to outgoing or toll services in
+contexts that are accessible (especially without a password) from incoming
+channels, be they IAX channels, FX or other trunks, or even untrusted
+stations within you network.  In particular, never ever put outgoing toll
+services in the "default" context.  To make things easier, you can include
+the "default" context within other private contexts by using:
+
+\begin{verbatim}
+	include => default
+\end{verbatim}
+
+in the appropriate section.  A well designed PBX might look like this:
+
+\begin{verbatim}
+[longdistance]
+exten => _91NXXNXXXXXX,1,Dial(Zap/g2/${EXTEN:1})
+include => local
+
+[local]
+exten => _9NXXNXXX,1,Dial(Zap/g2/${EXTEN:1})
+include => default
+
+[default]
+exten => 6123,Dial(Zap/1)
+\end{verbatim}
+
+DON'T FORGET TO TAKE THE DEMO CONTEXT OUT OF YOUR DEFAULT CONTEXT.  There
+isn't really a security reason, it just will keep people from wanting to 
+play with your Asterisk setup remotely.
+
+\subsection{Log Security}
+
+Please note that the Asterisk log files, as well as information printed to the
+Asterisk CLI, may contain sensitive information such as passwords and call 
+history.  Keep this in mind when providing access to these resources.