[Asterisk-Users] VOIP security on an IAX connection.
Steve Kann
stevek at stevek.com
Thu Nov 18 10:50:07 MST 2004
Sean Kennedy wrote:
> lucas at eyeonsystems.com wrote:
>
>> Gentlemen and ladies of the Asterisk community.
>>
>> I am considering implementing asterisk based IAX solution for a business
>> that handles a lot of sensitive data. Internal security will be no
>> worse than before as they plan on connecting to their current PBX to
>> handle switching. The asterisk boxes will just handle their trunks
>> between the offices. Other than VPN with a few levels of encryption on
>> the VPN any ideas on other good and affordable ways to implement
>> security on the IAX links?
>>
> Well, I think a vpn would do the trick. Personally, I wouldn't even
> worry about encrypting the stream more than once, as long as you
> choose the right method.
> Add too many layers on, and you increase latency and possible packet
> loss. Not good.
> Here, we are using openvpn, in the tls server/client model. Keys are
> regenerated once an hour, so the best someone could do is sniff an
> hour's worth of data before they'd have to refigure the encryption.
>
> If you are sure people are going to try breaking into the stream, you
> might want to think about other security methods beyond encryption ( a
> really big bat, for example ). Anything that adds latency is a "Bad
> Thing (tm)", and further, encrypting something more than once
> indicates, to me at least, that encryption is not the solution.
>
> But what the hell, maybe I'm wrong. Other opinions are certainly
> warranted.
I use an OpenVPN tunnel as well, and IAX over that, and it works dandy.
I highly recommend it. It's definitely the easiest to configure,
understand, and to get across diverse links. It is NAT-friendly, all
UDP, etc. In my opinion, OpenVPN is to IPSEC as IAX is to SIP or H323.
-SteveK
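
A configuration along the lines the thread describes (OpenVPN in TLS server/client mode with hourly rekeying, IAX carried inside the tunnel), as an added example that is not part of the original posts. The tunnel addresses, port and file names are assumed placeholders.

```conf
# Added example: OpenVPN point-to-point tunnel for an IAX trunk, office A side.
# Addresses, port and file names are assumptions, not values from the thread.

# Static-key mode, shown commented out for contrast: one long-lived shared
# secret that is never renegotiated, so a leaked key exposes every session
# captured before or after the leak.
# secret static.key

# TLS mode: certificates authenticate the peers, and the data-channel keys
# are short-lived and replaced on a timer.
dev tun
proto udp                   # one UDP port end to end, easy to pass through NAT
port 1194
tls-server                  # peer office uses "tls-client" and "remote <office A address>"
ca   ca.crt
cert office-a.crt
key  office-a.key
dh   dh.pem                 # required on the tls-server side only
ifconfig 10.8.0.1 10.8.0.2  # local and remote tunnel endpoints
reneg-sec 3600              # renegotiate data-channel keys hourly (OpenVPN's default)
keepalive 10 60             # detect a dead link and restart the tunnel

# Asterisk side, in the [general] section of iax.conf (not an OpenVPN directive):
# bindaddr=10.8.0.1         ; accept IAX2 (UDP 4569) on the tunnel address only
```

With `bindaddr` set to the tunnel address, the tunnel interface has to be up before Asterisk starts, and the trunk is never reachable on the public interface in the clear.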