[Asterisk-Users] VOIP security on an IAX connection.

Steve Kann stevek at stevek.com
Thu Nov 18 10:50:07 MST 2004


Sean Kennedy wrote:

> lucas at eyeonsystems.com wrote:
>
>> Gentlemen and ladies of the Asterisk community.
>>
>> I am considering implementing an Asterisk-based IAX solution for a business
>> that handles a lot of sensitive data. Internal security will be no
>> worse than before as they plan on connecting to their current PBX to
>> handle switching. The asterisk boxes will just handle their trunks
>> between the offices. Other than VPN with a few levels of encryption on
>> the VPN any ideas on other good and affordable ways to implement
>> security on the IAX links?
>>
> Well, I think a vpn would do the trick.  Personally, I wouldn't even 
> worry about encrypting the stream more than once, as long as you 
> choose the right method.
> Add too many layers on, and you increase latency and possible packet 
> loss.  Not good.
> Here, we are using openvpn, in the tls server/client model.  Keys are 
> regenerated once an hour, so the best someone could do is sniff an 
> hour's worth of data before they'd have to refigure the encryption.
>
> If you are sure people are going to try breaking into the stream, you 
> might want to think about other security methods beyond encryption (a 
> really big bat, for example).  Anything that adds latency is a "Bad 
> Thing (tm)", and further, encrypting something more than once 
> indicates, to me at least, that encryption is not the solution.
>
> But what the hell, maybe I'm wrong.  Other opinions are certainly 
> warranted.


I use an OpenVPN tunnel as well, and IAX over that, and it works dandy.

I highly recommend it.  It's definitely the easiest to configure, 
understand, and to get across diverse links.  It is NAT-friendly, all 
UDP, etc.  In my opinion, OpenVPN is to IPSEC as IAX is to SIP or H323.

-SteveK
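
The arrangement described in this thread, written out as an added example that is not part of the original post or either poster's actual setup: a point-to-point OpenVPN tunnel in TLS server/client mode over UDP with hourly key renegotiation, and Asterisk's IAX2 channel bound to the tunnel address so trunk traffic cannot leave unencrypted. All addresses, hostnames, file paths, the peer and context names and the secret are constructed placeholders.

```conf
# ---- OpenVPN, office A (TLS server side) ----
dev tun
proto udp
port 1194
tls-server
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/office-a.crt
key  /etc/openvpn/office-a.key
dh   /etc/openvpn/dh.pem
# Only accept a peer whose certificate is marked for client use.
remote-cert-tls client
# Local and remote tunnel endpoints (placeholder addresses).
ifconfig 10.99.0.1 10.99.0.2
# Renegotiate the data-channel keys every hour.
reneg-sec 3600
keepalive 10 60

# ---- OpenVPN, office B (TLS client side) ----
dev tun
proto udp
remote office-a.example.com 1194
tls-client
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/office-b.crt
key  /etc/openvpn/office-b.key
# Only accept a peer whose certificate is marked for server use.
remote-cert-tls server
ifconfig 10.99.0.2 10.99.0.1
reneg-sec 3600
keepalive 10 60

; ---- Asterisk iax.conf, office A ----
[general]
bindport=4569
bindaddr=10.99.0.1              ; listen only on the tunnel address

[office-b]                      ; hypothetical peer name
type=friend
host=10.99.0.2                  ; reach the peer through the tunnel only
auth=md5
secret=REPLACE_WITH_LONG_RANDOM_SECRET
deny=0.0.0.0/0.0.0.0
permit=10.99.0.2/255.255.255.255
context=from-office-b           ; hypothetical dialplan context
```

With `bindaddr` set to the tunnel endpoint, IAX2 stops working when the tunnel is down instead of falling back to the unencrypted path.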



