author | russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-07-02 22:27:46 +0000 |
---|---|---|
committer | russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b> | 2007-07-02 22:27:46 +0000 |
commit | 3357366474ad27c72b2f26c759f85c5d34dbdc84 (patch) | |
tree | 4c5b7a9ec6daf345dc48805fe38a7d941866ed93 /doc/security.tex | |
parent | 9e3b3287a4eb9ae29bc9e3f808162f3382d404b6 (diff) |
* Move LaTeX docs into a tex/ subdirectory of the doc/ dir
* Add a Makefile in doc/tex/ for generating PDF and HTML
* Add a README.txt file to doc/tex/ to document which tools are used and what
web sites to visit for getting them.
* Update build_tools/prep_tarball to put the proper Asterisk version string
in the automatically generated PDF for release tarballs
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@72982 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'doc/security.tex')
-rw-r--r-- | doc/security.tex | 76 |
1 files changed, 0 insertions, 76 deletions
diff --git a/doc/security.tex b/doc/security.tex deleted file mode 100644 index 188f42cab..000000000 --- a/doc/security.tex +++ /dev/null 
@@ -1,76 +0,0 @@ -\subsection{Introduction} - -PLEASE READ THE FOLLOWING IMPORTANT SECURITY RELATED INFORMATION. -IMPROPER CONFIGURATION OF ASTERISK COULD ALLOW UNAUTHORIZED USE OF YOUR -FACILITIES, POTENTIALLY INCURRING SUBSTANTIAL CHARGES. - -Asterisk security involves both network security (encryption, authentication) -as well as dialplan security (authorization - who can access services in -your pbx). If you are setting up Asterisk in production use, please make -sure you understand the issues involved. - -\subsection{Network Security} - -If you install Asterisk and use the "make samples" command to install -a demonstration configuration, Asterisk will open a few ports for accepting -VoIP calls. Check the channel configuration files for the ports and IP addresses. - -If you enable the manager interface in manager.conf, please make sure that -you access manager in a safe environment or protect it with SSH or other -VPN solutions. - -For all TCP/IP connections in Asterisk, you can set ACL lists that -will permit or deny network access to Asterisk services. Please check -the "permit" and "deny" configuration options in manager.conf and -the VoIP channel configurations - i.e. sip.conf and iax.conf. - -The IAX2 protocol supports strong RSA key authentication as well as -AES encryption of voice and signalling. The SIP channel does not -support encryption in this version of Asterisk. - -\subsection{Dialplan Security} - -First and foremost remember this: - -USE THE EXTENSION CONTEXTS TO ISOLATE OUTGOING OR TOLL SERVICES FROM ANY -INCOMING CONNECTIONS. - -You should consider that if any channel, incoming line, etc can enter an -extension context that it has the capability of accessing any extension -within that context. - -Therefore, you should NOT allow access to outgoing or toll services in -contexts that are accessible (especially without a password) from incoming -channels, be they IAX channels, FX or other trunks, or even untrusted -stations within you network. 
In particular, never ever put outgoing toll -services in the "default" context. To make things easier, you can include -the "default" context within other private contexts by using: - -\begin{verbatim} - include => default -\end{verbatim} - -in the appropriate section. A well designed PBX might look like this: - -\begin{verbatim} -[longdistance] -exten => _91NXXNXXXXXX,1,Dial(Zap/g2/${EXTEN:1}) -include => local - -[local] -exten => _9NXXNXXX,1,Dial(Zap/g2/${EXTEN:1}) -include => default - -[default] -exten => 6123,Dial(Zap/1) -\end{verbatim} - -DON'T FORGET TO TAKE THE DEMO CONTEXT OUT OF YOUR DEFAULT CONTEXT. There -isn't really a security reason, it just will keep people from wanting to -play with your Asterisk setup remotely. - -\subsection{Log Security} - -Please note that the Asterisk log files, as well as information printed to the -Asterisk CLI, may contain sensitive information such as passwords and call -history. Keep this in mind when providing access to these resources. |
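Review bot: In the `[default]` context of the "well designed PBX" example, `exten => 6123,Dial(Zap/1)` omits the priority field that the two other `exten` lines carry (`_91NXXNXXXXXX,1,...` and `_9NXXNXXX,1,...`), so a reader copying the sample gets an extension line that does not match the pattern the rest of the example teaches. Since the commit message says the LaTeX docs are moving to doc/tex/, the relocated copy should read `exten => 6123,1,Dial(Zap/1)`. In the same Dialplan Security text, "untrusted stations within you network" should be "within your network". The closing remark that there "isn't really a security reason" to remove the demo context also sits oddly beside the preceding rule that any channel entering a context can reach every extension in it; consider rewording it in the moved file so the two statements do not appear to conflict.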