On Tue, 2008-12-30 at 09:55 +0100, [email protected] wrote:
> Hi,
>
> we want to enhance our old Siemens Hicom 300 and replace it step by
> step. Therefore we decided to try out opensource solutions ourselves.
> One requirement is that the solution has to encrypt all data. So,
> "let's look at Asterisk" was our first thought. Well, there seem to be
> unofficial patches for Asterisk 1.4.x with SRTP/SIPS support. So,
> unofficial. With 1.6.x the support for it hasn't been fully
> integrated, yet.
>
> So, what's next out there? => SIPxecs
> Nice GUI!!! Inbuilt HA support, very well. But what about encryption
> support? SRTP is end to end encryption as I understand, SIPS is used
> for signaling, but is it also end to end?
Strictly speaking, SIPS is not currently end-to-end. The base SIP spec
(RFC 3261) "required" that a sips: address be forwarded "securely" over
each hop when possible - if that sounds imprecise and weasel-wordy to
you, then you understand the current state of affairs. This has been
the subject of lots of recent work in the IETF, but those improvements
have not really made their way into any products that I know of yet.
If you can find phones that will encrypt the media (either SRTP or ZRTP
support), that will protect the content of your call - make it difficult
to listen in, even with access to your network. SIPS support would at
most add protection of the signaling information - which phones are
calling which other phones, but if an attacker has access to your
network, that's not hard to figure out because the attacker can just
look for the RTP streams anyway (you don't have to be able to read them
to see that they are there). In any event, while sipXecs has some
experimental support for secure signaling, it is poorly tested and _not_
considered supported functionality at this point.
> Talking about encryption, it seems there are many different scenarios
> to consider:
>
> Let's look at our planned setup
>
> telephone network <--ISDN/S2M--> Patton 4960 <--ISDN/S2M--> Siemens
> Hicom 300
> Patton 4960 <--IP--> SIPxecs <--IP--> Snom 320
>
> 1. Incoming calls should be reached via landline:
>
> [e.g. telephone network --ISDN/S2M--> Patton 4960 --IP--> SIPxecs
> --IP--> Snom 320 users]
>
> So, what about encryption between the Patton 4960, the SIPxecs and the
> Snom 320? Is it possible to encrypt the whole path? Well, how? Is it
> supported with SIPxecs?
If the endpoints can secure the media, sipXecs will be transparent to
that. The sipXecs endpoints - voicemail, autoattendant, ACD, etc do
_not_ support secure media.
> 4. Another problem is the encryption of the voice and signaling data
> between our LAN and the SIP provider. Is it possible to encrypt all
> data between those with the SIPxecs solution? Do I need something
> additionally?
>
> [e.g SIP Provider <--encrypted SIP trunk ??? --> SIPxecs]
Does your provider support secure media?
See general discussion above.
A couple of bits to think about when considering VoIP security:
* How secure do you think your current system is? Have you
considered how much effort would be required to listen in on
your current system vs the level of effort that would be
required in a replacement system? Wiretapping a TDM system is
pretty easy.
* A great quote I ran across today:
[Security] just has to cost more to break than it would cost the
bad guys to bribe your cleaning lady. Stewart Baker
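The point above, that an observer can see an SRTP stream exists even without being able to read it, follows from the packet format: SRTP (RFC 3711) encrypts only the RTP payload and appends an authentication tag, while the 12-byte fixed RTP header (RFC 3550) stays in the clear. The following is an added example, not code from this thread or from sipXecs; it constructs two sample packets (one cleartext, one with an opaque payload standing in for SRTP ciphertext) and parses the header fields that remain visible in both.

```python
"""Parse the cleartext fixed RTP header (RFC 3550) from raw UDP payload bytes."""
import os
import struct

# V/P/X/CC (1 byte), M/PT (1 byte), sequence (2), timestamp (4), SSRC (4)
RTP_FIXED_HEADER = struct.Struct("!BBHII")


def parse_rtp_header(packet: bytes) -> dict:
    """Return the header fields an on-path observer sees; raise ValueError if not RTP v2."""
    if len(packet) < RTP_FIXED_HEADER.size:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = RTP_FIXED_HEADER.unpack_from(packet)
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"not RTP version 2 (got {version})")
    cc = b0 & 0x0F                          # number of contributing-source ids
    hdr_len = RTP_FIXED_HEADER.size + 4 * cc
    if len(packet) < hdr_len:
        raise ValueError("truncated CSRC list")
    csrcs = struct.unpack_from(f"!{cc}I", packet, RTP_FIXED_HEADER.size)
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,          # e.g. 0 = PCMU (G.711 u-law)
        "sequence": seq,
        "timestamp": ts,
        "ssrc": ssrc,                       # identifies the stream regardless of SRTP
        "csrcs": list(csrcs),
        "payload_len": len(packet) - hdr_len,
    }


def build_rtp_packet(payload: bytes, seq: int, ts: int, ssrc: int, pt: int = 0) -> bytes:
    """Constructed sample packet: version 2, no padding/extension/CSRCs, marker clear."""
    return RTP_FIXED_HEADER.pack(0x80, pt, seq, ts, ssrc) + payload


# Constructed samples (not captured traffic). The SSRC value is arbitrary.
# CLEAR_PKT carries a silent 20 ms G.711 frame; SRTP_LIKE_PKT carries 160 random
# bytes plus a 10-byte all-zero stand-in for the SRTP authentication tag, since
# real SRTP encryption is not performed here.
CLEAR_PKT = build_rtp_packet(bytes(160), seq=1000, ts=8000, ssrc=0xDEADBEEF)
SRTP_LIKE_PKT = build_rtp_packet(os.urandom(160) + b"\x00" * 10,
                                 seq=1000, ts=8000, ssrc=0xDEADBEEF)
```

Running parse_rtp_header on both packets yields the same SSRC, sequence number and payload type, which is why media encryption alone does not hide which phones are talking to each other.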
_______________________________________________
sipx-users mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users