*"Encrypting the configuration files is valuable if ..... in some content delivery system that is somehow isolated from the source data and you are concerned about that system being compromised."*
If I am not wrong, I think Reza is using this in an infrastructure setup (specific content delivery system), so encrypting config files is definitely useful. Vonage has used this setup heavily with PAP and other devices over the years. In fact, the provisioning and encryption of Linksys units are very elaborate. Assuming Polycom provides the same type of encryption mechanisms, I would say it's a very needed/useful tool for an ITSP.

*"Doesn't mean the implementation hasn't been cracked, encryption is usually breached via side channels."*

But that's what the security updates are for. Of course, it's never 100%, but if it's a "one time job" and "cheap" then why not...

-Bruce

On Tue, Apr 17, 2012 at 1:27 PM, Simon Ditner <[email protected]> wrote:

> A lot of features exist without a good reason Bruce.
>
> I agree with the sentiment that it is mostly theatre. The system handling the SIP registrations is the more likely target, and the data source it is authenticating SIP registrations against, whether it's a .conf file, or database, all of that is in cleartext at some point, whether in transit or in process.
>
> Encrypting the configuration files is valuable if they are being cached somewhere on disk, or in some content delivery system that is somehow isolated from the source data and you are concerned about that system being compromised.
>
> One pointer to anyone using HTTPS for transport with Polycoms -- ensure that you have SSL key verification enabled in the Polycom configurations, otherwise the phone doesn't check that the certificate is from a trusted authority (as much as they can be trusted), and is then vulnerable to man-in-the-middle attacks.
>
> On Tue, Apr 17, 2012 at 11:05 AM, Bruce N <[email protected]> wrote:
>
> > @Duane, If the SDK (to encrypt) exists then it exists for a security reason.
> >
> > @Reza, I don't think Polycom people approved anyone from Taug to become channel partner. You should probably look elsewhere.
> >
> > -Bruce
> >
> > On Tue, Apr 17, 2012 at 12:28 AM, Duane <[email protected]> wrote:
> >
> > > On 04/17/12 14:21, Jason Rose wrote:
> > >
> > > > > Hey Duane,
> > > > >
> > > > > Actually if you secure anything you are good to go, if you leave loopholes then you are delaying the inevitable... Yes new loopholes are always found, but that is why being an IT manager anywhere is a full time job...
> > >
> > > What you describe above is commonly called "security theatre", having the appearance of security but actually having brittle security, in this case someone is trying to secure against someone else having physical access to the server.
> > >
> > > If you actually want security, you need to have a secure physical server, preferably on the same LAN and behind a decent firewall, otherwise you are just fooling yourself and all it takes is a disgruntled employee wiping it out remotely on you, either yours or the hosting company, or if you are getting it rebadged, any other number of middle men as well!
