lucas@eyeonsystems.com
2004-Nov-18 10:02 UTC
[Asterisk-Users] VOIP security on an IAX connection.
Gentlemen and ladies of the Asterisk community.

I am considering implementing an Asterisk-based IAX solution for a business that handles a lot of sensitive data. Internal security will be no worse than before as they plan on connecting to their current PBX to handle switching. The Asterisk boxes will just handle their trunks between the offices. Other than VPN with a few levels of encryption on the VPN, any ideas on other good and affordable ways to implement security on the IAX links?

Thanks.
lucas@eyeonsystems.com
lucas@eyeonsystems.com wrote:
> Gentlemen and ladies of the Asterisk community.
>
> I am considering implementing an Asterisk-based IAX solution for a business
> that handles a lot of sensitive data. Internal security will be no
> worse than before as they plan on connecting to their current PBX to
> handle switching. The Asterisk boxes will just handle their trunks
> between the offices. Other than VPN with a few levels of encryption on
> the VPN, any ideas on other good and affordable ways to implement
> security on the IAX links?
>
> Thanks.
> lucas@eyeonsystems.com

Well, I think a VPN would do the trick. Personally, I wouldn't even worry about encrypting the stream more than once, as long as you choose the right method. Add too many layers on, and you increase latency and possible packet loss. Not good.

Here, we are using OpenVPN, in the TLS server/client model. Keys are regenerated once an hour, so the best someone could do is sniff an hour's worth of data before they'd have to refigure the encryption.

If you are sure people are going to try breaking into the stream, you might want to think about other security methods beyond encryption (a really big bat, for example). Anything that adds latency is a "Bad Thing (tm)", and further, encrypting something more than once indicates, to me at least, that encryption is not the solution.

But what the hell, maybe I'm wrong. Other opinions are certainly warranted.

Sean
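The kind of setup Sean describes (OpenVPN in TLS server/client mode with hourly key renegotiation, one encryption layer only), sketched as an added example that is not part of the original thread or anyone's actual configuration. All addresses, host names and file paths are constructed placeholders; IAX2 itself runs over UDP port 4569 and simply rides inside the tunnel.

```conf
# ---------- Office A: /etc/openvpn/trunk.conf (TLS server side) ----------
# Placeholder paths and addresses throughout; adjust to the site.
dev tun
# UDP transport: avoids TCP-over-TCP retransmission delay for voice traffic
proto udp
port 1194
# Point-to-point tunnel addresses (local, remote); assumed values
ifconfig 10.8.0.1 10.8.0.2
tls-server
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/office-a.crt
key  /etc/openvpn/office-a.key
dh   /etc/openvpn/dh.pem
# Renegotiate the data-channel keys every 3600 seconds (one hour),
# so a recovered session key exposes at most one hour of calls
reneg-sec 3600
# Detect a dead peer and restart the tunnel
keepalive 10 60
persist-key
persist-tun

# ---------- Office B: /etc/openvpn/trunk.conf (TLS client side) ----------
dev tun
proto udp
# Public address of Office A (documentation address, placeholder)
remote 192.0.2.10 1194
ifconfig 10.8.0.2 10.8.0.1
tls-client
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/office-b.crt
key  /etc/openvpn/office-b.key
reneg-sec 3600
keepalive 10 60
persist-key
persist-tun
```

With this in place the Asterisk boxes address each other by the tunnel addresses (10.8.0.1 and 10.8.0.2 here), so the IAX trunk never crosses the public network unencrypted.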
IPSec, especially with PFS, should be all you need. The 2.6 kernel comes with IPSec as part of the kernel, and suites such as OpenSWAN make it quite simple to set up secured links between two endpoints. Given that OpenSWAN is free, I don't see how it gets much more affordable. ;)

Keep in mind that all IPSec does is encrypt the link. It does not do routing, it does not provide DHCP addresses, etc. L2TPD (for Windows clients) and other protocols do that through the encrypted tunnel. Look at the OpenSWAN site for more details: http://www.openswan.org

Greg

lucas@eyeonsystems.com wrote:
> Gentlemen and ladies of the Asterisk community.
>
> I am considering implementing an Asterisk-based IAX solution for a business
> that handles a lot of sensitive data. Internal security will be no
> worse than before as they plan on connecting to their current PBX to
> handle switching. The Asterisk boxes will just handle their trunks
> between the offices. Other than VPN with a few levels of encryption on
> the VPN, any ideas on other good and affordable ways to implement
> security on the IAX links?
>
> Thanks.
> lucas@eyeonsystems.com