Security


A named ACL is an Access Control List that can be manipulated after configuration and lives in its own name space. The NACL module manages a list of NACL objects that can be used by other modules, like channel drivers, manager and dialplan apps.

Several SIP devices can share the same access control list and there will be one for the whole SIP channel. An external application that reads the security events in 1.8 can manipulate the NACLs in real time through AMI and block/unblock devices. There’s also an API so that Asterisk modules can modify NACLs internally. Applications can be added, so that NACLs can be manipulated through the dialplan. Call in, identify yourself and add yourself to an NACL for the next call…

Amongst the future ideas are NACLs that can be set by referring to a DNS name, using the DNSmgr to stay up to date with DNS. That requires some changes to the ACL.c API that will happen in the trunk version only.

I have also been playing with the idea of having a callback so that an app will know when a NACL is matched or some sort of counters to measure activity per time period and trigger alarms. Kamailio has one implementation of something like this in the pike module.

A lot of security-related ideas for Asterisk have been based on named ACLs, so I thought that was a starting point and a good holiday hack 🙂 The code is in the deluxpine branches for your testing!

Feedback and comments are, as always, welcome.

/olle

The document “The use of the SIPS URI Scheme in the Session Initiation Protocol (SIP)” is now approved by the IESG as a proposed standard. This is an update to RFC3261 that clears up a lot of the issues that have been open in regards to the SIPS: URL scheme.

Now we need some clarifications on the “;transport=tls” use and implementation notes, so that all application developers can start working on fixing the applications. I did not realize how bad the situation was until the last SIPit, where I participated in a TLS interoperability test. There were too many opinions on how to implement and support TLS in SIP, and too many non-interoperable implementations. A missing piece in many implementations is DNS NAPTR support. NAPTR plays a very important role in secure SIP connection setups.

The biggest question still remains: What’s a secure call? For Asterisk, we have to do a lot of work here to implement security in the dialplan. But at least we have one document that more clearly explains SIPS: to work with now!
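As an added illustration of the NAPTR step mentioned above (example code, not from the original post or from Asterisk), this picks the target transport from a set of NAPTR records the way RFC 3263 describes, and refuses to fall back to a plain SIP transport when the caller required SIPS. The record values are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Naptr:
    """One NAPTR record as returned for a SIP domain (constructed type)."""
    order: int
    preference: int
    flags: str
    service: str
    replacement: str

# Constructed answer for a _naptr lookup on example.com (assumption, not real DNS data).
SAMPLE_NAPTR: List[Naptr] = [
    Naptr(50, 50, "s", "SIP+D2U", "_sip._udp.example.com"),
    Naptr(90, 50, "s", "SIP+D2T", "_sip._tcp.example.com"),
    Naptr(100, 50, "s", "SIPS+D2T", "_sips._tcp.example.com"),
]

# Same domain, but the operator published no SIPS record (constructed).
NO_SIPS_NAPTR: List[Naptr] = SAMPLE_NAPTR[:2]

SECURE_SERVICES = {"SIPS+D2T"}
INSECURE_SERVICES = {"SIP+D2U", "SIP+D2T", "SIP+D2S"}

def select_transport(records: List[Naptr], secure_required: bool) -> Optional[Naptr]:
    """Return the NAPTR record to follow, or None if no acceptable one exists.

    Lowest order wins, then lowest preference. When the target was a SIPS URI
    (secure_required=True) only SIPS services are candidates; silently picking
    a SIP+D2U record here is the downgrade that breaks the "secure call" promise.
    """
    allowed = SECURE_SERVICES if secure_required else SECURE_SERVICES | INSECURE_SERVICES
    candidates = [
        r for r in records
        if r.flags.lower() == "s" and r.service.upper() in allowed
    ]
    if not candidates:
        return None  # caller must fail the call, not retry over an insecure transport
    return min(candidates, key=lambda r: (r.order, r.preference))

if __name__ == "__main__":
    print(select_transport(SAMPLE_NAPTR, secure_required=True))
    print(select_transport(NO_SIPS_NAPTR, secure_required=True))
```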

I am proud to report that Alec Saunders reports that Infoworld reports that Yahoo is going to test OpenID. This is an important step for OpenID. I believe OpenID is a very good example of not trying to solve the whole puzzle with one solution, but building a small building block that moves us forward. I’ve blogged earlier about the importance of OpenID and how it relates to Enum and iname and… all the other solutions out there. I need an OpenID speaker for Bob 2.0 – anyone out there?

Alec writes:

Infoworld reports this morning that Yahoo appears close to becoming an identity provider for OpenID. This, of course, is the next step in a full implementation. You can already use OpenID to log into Yahoo properties like Flickr, for instance.

We’ve all been there. You remembered you created an account on xxxyyyzzz.com, but
can’t remember the password or the account name. You search through your e-mail,
but can’t remember who sent you that confirmation mail. And you have enough of them.
That’s it. You’re not going to create yet another digital identity.

Identity on the net is an important issue. On one side, you have to be careful of the
electronic trail you leave. On the other hand, you need to make it easier on yourself
and limit the number of account names and passwords you use, so you end up
using the same password everywhere. I’ve reached the point that if I can’t
register the username ollej, my interest fades away… I don’t want help from my
web browser to remember, but I know a lot of people do. Changing to another
computer is a crisis situation for them. And letting the web browser handle
your accounts is not a very secure solution.

Identity is an important part of the security framework. It’s about claiming to
be someone (or something) and be able to prove it. This is very often called
AUTHENTICATION.

But that’s not all of it. There are different needs for how you prove your identity
in different situations. The requirement of a 100% correct identity is lower
on Facebook than some other sites, like your Internet bank. A few years ago
some people claimed that all secure transactions on the net required
200% security, being tied to your social security number. That proved
itself to be incorrect – and you have to compare with daily life. How many
times have you asked your colleagues for a passport and a DNA test?

