Olivier wrote:

> I thought that:
>
> 1. 802.1X was mainly when you plug your hardphone into your network.

802.1X-2001 was written to secure ports on an 802.3 switch. Originally for PCs, it works just fine for phones. It really does NOT play with VLANs, but HP cheated (I know their lead engineers). 802.1X-2004 (you have to watch it with IEEE standards naming) added the state machines necessary to support 802.11i. This was a struggle and really is NOT right. 802.1af is trying to fix that.

> 2. SRTP is an orthogonal issue as you could positively be looking to
> authenticate your network device and be confident that with
> authenticated devices, risks are kept to an acceptable level.

I am a real security expert. I am one of the strong proponents of security in depth and of how layer 4 security cannot protect the device. When we were starting on 802.1AE (LinkSec), Norm Finn (a Cisco Fellow and long-time worker on 802.1 and other layer 2 standards) said it well:

Layer 2 security protects and addresses the liabilities of the network owner.
Layer 3 security protects and addresses the liabilities of the system owner.
Layer 4 security protects and addresses the liabilities of the application owner.
Data security (anything above 4) protects and addresses the liabilities of the data owner.

Think about it. You are on an 802.11 phone. Anyone there can intercept the 802.11 frames. They can attack your phone with 802.11 payloads. Your call leaves the 802.11 cloud and backbones over 802.16! Even if this is with parabolic radios, there is still plenty of room for listeners. And the original 802.16 security was DOCSIS! Almost as weak as WEP; done at the same time that we were working on 802.11i (we have to get something out, we will go back and fix it later). Your call goes through some Telco's switches that MUST comply with CALEA or are owned by some foreign government or drug cartel. Well, you get the picture.

Protect the network (802.11i et al.). Protect the phone (IPsec or HIP). Protect the call (DTLS or TLS for SIP and SRTP). Any wonder why we still don't have good security? It is HARD to make it easy.

> Am I wrong?

Yes and No ;)

asterisk-users mailing list
