I am sure this has been discussed prior, however, I am sitting here and being asked this very question by my superiors. They are loving what I have done with our two Asterisk servers here; however, they keep asking me if it is secure or not. Of course, as with anything, I suspect that on a secure network they can be reasonably safe. However, realistically if I am using the asterisk server to make internal calls and discussion very private matters, how possible is it for someone to listen to calls? How good is the encryption if any over an IAX trunk? Steve Anness -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20081020/ec4bfc6f/attachment.htm
VPN IP phone? Then firewall up the asterisk to disable any outside access and place the vpn server with the asterisk in a locked cabinet . Sure that will stop someone trying to physically listen to their call. Or they can always use the good old landline or mobile phone and let the government listen to them too/ Sam -----Original Message----- From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Steve Anness Sent: Tuesday, October 21, 2008 3:02 AM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: [asterisk-users] How Secure Is Asterisk I am sure this has been discussed prior, however, I am sitting here and being asked this very question by my superiors. They are loving what I have done with our two Asterisk servers here; however, they keep asking me if it is secure or not. Of course, as with anything, I suspect that on a secure network they can be reasonably safe. However, realistically if I am using the asterisk server to make internal calls and discussion very private matters, how possible is it for someone to listen to calls? How good is the encryption if any over an IAX trunk? Steve Anness
You can tell your superiors with great confidence that 99% of the issues that fall under this conceptual umbrella have to do with the security of your network, not of Asterisk the application, as is true of most other security issues of concern to them. With regard to call tapping, that is most certainly true. On Mon, October 20, 2008 3:01 pm, Steve Anness wrote:> I am sure this has been discussed prior, however, I am sitting here and > being asked this very question by my superiors. They are loving what I > have > done with our two Asterisk servers here; however, they keep asking me if > it > is secure or not. Of course, as with anything, I suspect that on a secure > network they can be reasonably safe. However, realistically if I am using > the asterisk server to make internal calls and discussion very private > matters, how possible is it for someone to listen to calls? How good is > the > encryption if any over an IAX trunk? > > Steve Anness > _______________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users-- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (706) 338-8599
lol On Mon, Oct 20, 2008 at 3:34 PM, Sam Tam <samtam888 at gmail.com> wrote:> VPN IP phone? > Then firewall up the asterisk to disable any outside access and place the > vpn server with the asterisk in a locked cabinet . > > Sure that will stop someone trying to physically listen to their call. > Or they can always use the good old landline or mobile phone and let the > government listen to them too/ > Sam > > -----Original Message----- > From: asterisk-users-bounces at lists.digium.com > [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Steve Anness > Sent: Tuesday, October 21, 2008 3:02 AM > To: Asterisk Users Mailing List - Non-Commercial Discussion > Subject: [asterisk-users] How Secure Is Asterisk > > I am sure this has been discussed prior, however, I am sitting here and > being asked this very question by my superiors. They are loving what I > have > done with our two Asterisk servers here; however, they keep asking me if it > is secure or not. Of course, as with anything, I suspect that on a secure > network they can be reasonably safe. However, realistically if I am using > the asterisk server to make internal calls and discussion very private > matters, how possible is it for someone to listen to calls? How good is > the > encryption if any over an IAX trunk? > > Steve Anness > > > _______________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users >-------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20081020/7a15909f/attachment.htm
There are no 100% solution but we can only do our best. -----Original Message----- From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of broadband Voice Sent: Tuesday, October 21, 2008 4:37 AM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: Re: [asterisk-users] How Secure Is Asterisk lol On Mon, Oct 20, 2008 at 3:34 PM, Sam Tam <samtam888 at gmail.com> wrote: VPN IP phone? Then firewall up the asterisk to disable any outside access and place the vpn server with the asterisk in a locked cabinet . Sure that will stop someone trying to physically listen to their call. Or they can always use the good old landline or mobile phone and let the government listen to them too/ Sam -----Original Message----- From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Steve Anness Sent: Tuesday, October 21, 2008 3:02 AM To: Asterisk Users Mailing List - Non-Commercial Discussion Subject: [asterisk-users] How Secure Is Asterisk I am sure this has been discussed prior, however, I am sitting here and being asked this very question by my superiors. They are loving what I have done with our two Asterisk servers here; however, they keep asking me if it is secure or not. Of course, as with anything, I suspect that on a secure network they can be reasonably safe. However, realistically if I am using the asterisk server to make internal calls and discussion very private matters, how possible is it for someone to listen to calls? How good is the encryption if any over an IAX trunk? Steve Anness _______________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com <http://www.api-digital.com/> -- asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
On Oct 20, 2008, at 12:01 PM, Steve Anness wrote:> I am sure this has been discussed prior, however, I am sitting here > and being asked this very question by my superiors. They are loving > what I have done with our two Asterisk servers here; however, they > keep asking me if it is secure or not. Of course, as with anything, > I suspect that on a secure network they can be reasonably safe. > However, realistically if I am using the asterisk server to make > internal calls and discussion very private matters, how possible is > it for someone to listen to calls? How good is the encryption if > any over an IAX trunk? >Steve, This question gets asked a lot and a majority of the time the phones in question are in cubicles or other open spaces. The answer is that it really depends on the someone, the situation, and how much an organization is willing to spend. Yes, it's possible to encrypt voice traffic between SIP phones, but there is no standard that works across vendors. In most cases, it is more practical and economical to follow network security best practices. What alternative solution would they use to encrypt the voice traffic between analog or digital phones? -- Eric Chamberlain -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20081021/c530cbb6/attachment.htm
On Mon, 2008-10-20 at 14:01 -0500, Steve Anness wrote:> I am sure this has been discussed prior, however, I am sitting here > and being asked this very question by my superiors.Ahh stuperiors, don't you love the questions they ask? Almost as good as the questions some "recruiters" (by this I mean the people who normally recruit accountants or secretaries and think they can effectivly recruit IT staff) ask.> They are loving what I have done with our two Asterisk servers here; > however, they keep asking me if it is secure or not. Of course, as > with anything, I suspect that on a secure network they can be > reasonably safe.Are you after security of the host? the client? the application? or of the data being transmitted? Depending on how you are making * available and what you are after the network may play a role in making things secure.> However, realistically if I am using the asterisk server to make > internal calls and discussion very private matters, how possible is it > for someone to listen to calls? How good is the encryption if any > over an IAX trunk?There is no encryption on SIP or IAX. If you are only making internal calls (i.e. there is no external exposure of *) then you could put the phones and the server on their own physical [or virtual] LAN and restrict access on this [V]LAN to known mac addresses (so just known IP phones), this would help with the security of conversations ... it's also worth noting that most decent modern switches will make it very difficult to eavesdrop on a network connection that is not destined for the listening host. As has been mentioned if you were able to run some kind of VPN connection to the phones this would also be another step towards security. Some of this will also come down to your dialplan and what you let clients getaway with. If the server is facing a public network you might want to stick a firewall in front of it. The "security" of any application or solution is something that is dependant on many separate, sometimes overlapping issues and is something that is always changing. In this case I would be looking at your network design and the configuration of * in total, but especially the dialplan. -- Nikolai Lusan <nikolai at lusan.id.au>
On 20 Oct 2008, at 20:01, Steve Anness wrote:> I am sure this has been discussed prior, however, I am sitting here > and being asked this very question by my superiors. They are loving > what I have done with our two Asterisk servers here; however, they > keep asking me if it is secure or not. Of course, as with anything, > I suspect that on a secure network they can be reasonably safe. > However, realistically if I am using the asterisk server to make > internal calls and discussion very private matters, how possible is > it for someone to listen to calls? How good is the encryption if > any over an IAX trunk?The IAX encryption (encryption=yes in iax.conf) is actually pretty good from what I can see. 3 things though: 1) you can't tell if it has happened - if the far end changes config to encryption=no nothing breaks, your calls just go through un-encrypted - I'd like a must_encrypt setting. 2) The keys are as strong as your iax passwords and the quality of / dev/random on your box. 3) The dialed number, caller id etc all go in the clear, the call setup is unencrypted. Only the body of the call is covered by the encryption. Also there are _no_ endpoints that implement it (except asterisk and our phonefromhere.com softphone) so the last yards to your user will not be protected. Tim.