Mike Puchol wrote:
> I would have to strongly disagree - if Asterisk was touted as a kid's
> toy, and sold by Fisher Price, then maybe security has no importance.
> But, if Asterisk or any other VoIP platform, for that matter, is to be
> introduced into the enterprise, it *has* to provide security. Tapping
> a hard phone line requires physical access to it - tapping a VoIP line
> can be done from anywhere in the world, if the server is not secure
> enough. Just use the Monitor() command, and set up a cron job to
> compress to mp3 and upload to an FTP server, and you have the perfect
> tap. It can even discriminate callers, called numbers and extensions,
> which conventional taps cannot!

I, for one, believe encryption should be at the end point and not at
the switch/PBX level. We must always assume that the transit medium is
compromised. That's why end-to-end fax and analog phone encryption
devices exist.
My take on how to implement VoIP security:
a. Endpoints should initiate the key exchange independent of the PBX.
b. Keep the PBX out of the media path.
c. Avoid media transcoding, e.g. IP to/from TDM is a no-go - because one
end is not secured.
d. Avoid hard coded keys.
Recently, I had a discussion with some tech guys from a big name vendor.
I was rather shocked by their concept of security:
a. Phones are fitted with keys from the factory. No one except the
factory knows the keys.
b. Or use a centralized certificate directory accessible by the PBX.
c. IP phones can communicate with TDM endpoints (digital/analog phones
and PSTN) with the PBX doing the encryption/decryption.
d. It's possible for a voice logger to record the calls (presumably by
accessing the certificate directory or getting the key from the PBX).
I believe they chose this implementation primarily to interoperate with
the TDM portions of the PBX like the voicemail, IVR and PSTN. I just
feel that it's the wrong approach. Any compromise is a chink in the
armor. Quoting Bruce Schneier: 'Security is a process, not a product.'
Just my $0.02
Leo
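The two architectures Leo contrasts above (endpoints agreeing their own media key with the PBX kept out of the media path, versus the vendor's model where each leg is encrypted only as far as the PBX and a voice logger with PBX access can read the call) can be made concrete with a small simulation. This is an added example, not code from the thread, from Asterisk, or from the vendor discussed: the Diffie-Hellman group (the Mersenne prime 2^521 - 1, generator 5), the hash-based key derivation, the XOR keystream standing in for SRTP, the `Party`/`Pbx` classes and the sample audio bytes are all constructed here for illustration. In the end-to-end call the PBX relays only public values and ends up holding no session key; in the PBX-terminated call it holds both leg keys and the plaintext, which is exactly the property that lets a logger record the conversation.

```python
import hashlib
import secrets

# Demonstration Diffie-Hellman group: the Mersenne prime 2^521 - 1 with generator 5.
# It is a genuine prime but is used here only because it is easy to write down;
# real deployments use a standardised group (RFC 3526 / RFC 7919) or an
# elliptic-curve exchange. The key derivation and the XOR keystream below are
# likewise constructed stand-ins for SRTP, not a real media cipher.
P = (1 << 521) - 1
G = 5
SECRET_BYTES = (P.bit_length() + 7) // 8


def derive_media_key(shared_secret: int) -> bytes:
    """Constructed KDF: hash the agreed DH value into a 256-bit media key."""
    raw = shared_secret.to_bytes(SECRET_BYTES, "big")
    return hashlib.sha256(b"voip-media-key|" + raw).digest()


def xor_stream(key: bytes, payload: bytes) -> bytes:
    """Constructed stream cipher standing in for SRTP; XOR is its own inverse."""
    stream = b""
    counter = 0
    while len(stream) < len(payload):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(payload, stream))


class Party:
    """Anything that can run a DH exchange: a phone, or a PBX terminating media."""

    def __init__(self, name: str):
        self.name = name
        # Fresh per-call private exponent: no factory-installed or hard-coded key.
        self._secret = secrets.randbelow(P - 3) + 2
        self.public = pow(G, self._secret, P)

    def agree(self, peer_public: int) -> bytes:
        return derive_media_key(pow(peer_public, self._secret, P))


class Pbx(Party):
    """Signalling relay that records every value passing through it."""

    def __init__(self):
        super().__init__("pbx")
        self.observed = []        # public values it relayed
        self.session_keys = {}    # media keys it holds (stays empty if kept out of the path)

    def relay(self, src: Party, dst: Party, value: int) -> int:
        self.observed.append((src.name, dst.name, value))
        return value


def end_to_end_call(pbx: Pbx, audio: bytes):
    """Endpoints initiate the key exchange; the PBX only forwards public values."""
    a, b = Party("phone-a"), Party("phone-b")
    key_a = a.agree(pbx.relay(b, a, b.public))
    key_b = b.agree(pbx.relay(a, b, a.public))
    packet = xor_stream(key_a, audio)
    # The PBX saw g^a and g^b; without either private exponent it cannot derive g^ab,
    # so anything it (or a logger reading its state) derives from the relayed values fails.
    logger_view = xor_stream(derive_media_key(pbx.observed[0][2]), packet)
    return key_a == key_b, xor_stream(key_b, packet), logger_view


def pbx_terminated_call(pbx: Pbx, audio: bytes):
    """Vendor model: each leg is encrypted to the PBX, which decrypts and re-encrypts."""
    a, b = Party("phone-a"), Party("phone-b")
    pbx.session_keys[a.name] = pbx.agree(a.public)
    pbx.session_keys[b.name] = pbx.agree(b.public)
    key_a = a.agree(pbx.public)
    key_b = b.agree(pbx.public)
    leg_a = xor_stream(key_a, audio)
    # The PBX holds the plaintext and both leg keys between the two legs.
    plain_at_pbx = xor_stream(pbx.session_keys[a.name], leg_a)
    leg_b = xor_stream(pbx.session_keys[b.name], plain_at_pbx)
    # A voice logger with access to the PBX key store recovers the call.
    logger_view = xor_stream(pbx.session_keys[b.name], leg_b)
    return xor_stream(key_b, leg_b), plain_at_pbx, logger_view


# Constructed sample standing in for an RTP audio payload.
SAMPLE_AUDIO = b"\x01\x02\x03hello-caller\xff\x00"

if __name__ == "__main__":
    relay = Pbx()
    ok, at_b, snoop = end_to_end_call(relay, SAMPLE_AUDIO)
    print("end-to-end: keys match =", ok, "| PBX holds keys =", bool(relay.session_keys),
          "| logger recovers audio =", snoop == SAMPLE_AUDIO)
    terminator = Pbx()
    at_b2, at_pbx, snoop2 = pbx_terminated_call(terminator, SAMPLE_AUDIO)
    print("pbx-terminated: PBX holds keys =", bool(terminator.session_keys),
          "| logger recovers audio =", snoop2 == SAMPLE_AUDIO)
```

The point of the contrast is in the `Pbx.session_keys` dictionary: in the first model it is empty after the call, so compromising the switch yields only public values; in the second model it holds a usable key for every leg, and the TDM interoperability the vendor wanted is bought by making the PBX the decryption point.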
_______________________________________________
--Bandwidth and Colocation provided by Easynews.com --
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users