Thanks Hans, this is a good idea if I place the configuration files in a database and the database somewhere else...
Now finally, according to community feedback ... I will use AGI at max and obfuscate the Java code. Place the remaining configuration in a database. Hans, I think this will be a good trade-off.

On Wed, Jul 7, 2010 at 2:08 PM, Hans Witvliet <h...@a-domani.nl> wrote:

> On Wed, 2010-07-07 at 12:12 +0600, ABBAS SHAKEEL wrote:
> > Thanks to Gordon and Paul for kind help.
> >
> > Actually we have a limitation to place the Asterisk server in client
> > premises; if the server is in their premises then this means they have
> > full control over it.
> >
> > Hard disk encryption seems a good option but no automated boot is a big
> > issue :(
> >
> > Is there something possible like that?
> >
> > On Tue, Jul 6, 2010 at 5:21 PM, Gordon Henderson
> > <gordon+aster...@drogon.net> wrote:
> > >
> > > On Tue, 6 Jul 2010, ABBAS SHAKEEL wrote:
> > >
> > > > Hello Community,
> > > >
> > > > I have a question. I have been working with Asterisk and developed some
> > > > successful applications. I am facing an issue of security, i.e. we deploy
> > > > servers to the client end. Now I don't want the client to see my configuration
> > > > files (of course copy and distribute or replicate the logic without
> > > > permission).
> > > >
> > > > Now the configuration files are stored in /etc/asterisk/* (of course we can
> > > > specify a different location but at the end we specify this in a configuration
> > > > file).
> > > >
> > > > Is there a way that the configuration files get encrypted or something else
> > > > so that someone who has system access cannot copy the configuration files'
> > > > data or look into those files?
> > >
> > > The simple answer is that you can't prevent anyone copying it if they have
> > > physical access.
> > >
> > > All you can do is make it hard.
> > >
> > > If you wanted to encrypt them, you'd need to alter Asterisk.
> > >
> > > You could use something like TrueCrypt, or another whole disk encryption
> > > technology, but that'll require someone typing in a password at boot time,
> > > making unattended reboots impossible.
> > >
> > > Another way which I have seen is to do away with the dialplan entirely and
> > > do it all in a single big compiled AGI C program. (Ok, you have minimal
> > > dialplan to pump everything into it, but...) and don't distribute the
> > > source to the C program...
> > >
> > > You need to work out just what it's worth to you if someone does copy it.
> > > Realistically, what's your target audience? Are your clients the sort of
> > > people likely to copy and sell it on? For most businesses, I'd guess
> > > not.
> > >
> > > Gordon
>
> Before you embark on this way....
> Any disk encryption is of no use as long as it remains decrypted while
> the server is running...
> It only protects you against snooping eyes in case your hardware is
> stolen (most likely: laptops, USB media).
>
> If you want to be 100% sure against unauthorized access to your data, you
> might want to use two-factor authentication. But the fact that you have
> to use a smartcard/token AND a passphrase implies that you cannot
> restart your machine/Asterisk without being physically there.
> [I mean, you might be creating your own denial of service]
>
> If you just want to protect your Asterisk machine against prying eyes, I
> would suggest to put all of your config (sip, iax, dialplan) into a
> database (on another machine of course) and use an encrypted connection
> (636, ldaps) to access it. It will protect you against data theft if your
> machine is stolen, but that person might still be able to access the
> Asterisk console _before he nicks the system_ and do a "sip show peers"
> and obtain your info in that way....
>
> So you better consider what you want to protect, against who, and at
> what acceptable costs....
>
> Security is a tricky business. It's easy to spend vast amounts of time
> and money and not get any additional security ;-)
>
> hw
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
> http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users

--
Best Regards
Shakeel Abbas