Hi Raymond,

Raymond McKay wrote:
Agreed. I have seen and heard of a lot of attempts to bring SRTP support into Asterisk but the idea of SRTP just doesn't make sense to me. Asterisk, and VoIP servers in general, are meant to be communications services not security services. In my mind at least, it would seem to make sense to let security hardware such as a router or firewall handle such tasks as encryption and let the phone server handle what it does, signaling and transcoding. Otherwise, you end up with a device that is not ever going to be optimized for security, handling your security. On top of that, you also are reducing the level of scalability you can achieve on the phone server by adding yet another chore to its duty roster.

I would have to strongly disagree - if Asterisk was touted as a kid's toy, and sold by Fisher Price, then maybe security has no importance. But, if Asterisk or any other VoIP platform, for that matter, is to be introduced into the enterprise, it *has* to provide security. Tapping a hard phone line requires physical access to it - tapping a VoIP line can be done from anywhere in the world, if the server is not secure enough. Just use the Monitor() command, and set up a cron job to compress to mp3 and upload to an FTP server, and you have the perfect tap. It can even discriminate callers, called numbers and extensions, which conventional taps cannot!

That is at the server itself - you could then argue that the transit RTP could be tapped by a corrupt tech working for your ISP or provider, which could happen also with physical lines, the difference being that the RTP tap is so virtual it can be made to leave no trace. A physical tap can be found by a routine inspection on the lines, an RTP tap cannot. If we want Asterisk to be a step forward in the right direction, security concerns *must* be addressed at some stage.

Setting up a VPN and other security measures are fine, but they won't protect you from certain forms of tapping or compromise. Besides, if you put the onus of encryption on RTP, it can be made part of the standard and become universal. Otherwise, will your organization's VPN be compatible with mine?

Best regards,

Mike

