On Thursday 05 May 2011, bilal ghayyad wrote:
> Hi All;
>
> When the endpoint registers on Asterisk or initiates a call, they exchange
> the SIP username and password. What is the possibility that this will be
> captured by the hacker, and how to avoid this problem?

If the two devices are connected by Ethernet cables and are on 192.168.x.x or 10.x.x.x addresses, then nothing goes further than the router where your Internet connection comes in. And we're presuming anyone within your bounds is trustworthy.

If one of the devices is connected wirelessly, then the passwords will be broadcast over the air (although they will be encrypted). In fact, if there is a wireless access point anywhere on the network, then it may *potentially* broadcast data and credentials even if the calls are not going through it, until it has built up a routing table. Wi-Fi doesn't travel very far, but someone in your car park who has your WPA2 key may be able to sniff packets.

If the phone call is going over the public Internet, then it really should be tunnelled through a secure VPN. Otherwise, make sure the password is of as little use as possible to anyone who discovers it; for instance, put the offending extension into a context which can only make internal calls, or calls to carefully-selected external numbers.

--
AJS

Answers come *after* questions.
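The context restriction suggested in the reply above could look like the following chan_sip configuration. This is an added example, not part of the original message; the extension number, numbering plan, context names, trunk name and external number are all constructed placeholders, and the `deny`/`permit` lines go one step beyond the reply by also limiting where the credentials can be used from.

```ini
; ---- sip.conf (chan_sip) ----
[general]
context=unauthenticated          ; anything not matched to a peer lands here
allowguest=no                    ; refuse calls from unknown peers
alwaysauthreject=yes             ; same rejection for a bad user and a bad password

[1001]                           ; constructed extension
type=friend
host=dynamic
secret=REPLACE_WITH_LONG_RANDOM_SECRET   ; placeholder, not a real secret
context=internal-only            ; calls from this phone start in the limited context
deny=0.0.0.0/0.0.0.0             ; reject this account from every address...
permit=192.168.0.0/255.255.0.0   ; ...except the LAN range (assumed addressing)

; ---- extensions.conf ----
[unauthenticated]
exten => _X.,1,Hangup()          ; nothing is reachable without a matching peer

[internal-only]
; internal extensions 1000-1999 (constructed numbering plan)
exten => _1XXX,1,Dial(SIP/${EXTEN},20)
exten => _1XXX,n,Hangup()

; one carefully selected external number, via a hypothetical trunk peer
exten => 5550100,1,Dial(SIP/provider-trunk/${EXTEN})
exten => 5550100,n,Hangup()

; no catch-all pattern and no "include =>" of an outbound context:
; a captured password for 1001 can place only the calls listed above
```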
