[asterisk-users] Encrypting the Conversation

Mike Puchol mike at whisher.com
Mon Jul 10 04:53:49 MST 2006


Hi Raymond,

Raymond McKay wrote:
> Agreed.  I have seen and heard of a lot of attempts to bring SRTP 
> support into Asterisk but the idea of SRTP just doesn't make sense to 
> me.  Asterisk, and VoIP servers in general, are meant to be 
> communications services not security services.  In my mind at least, it 
> would seem to make sense to let security hardware such as a router or 
> firewall handle such tasks as encryption and let the phone server handle 
> what it does, signaling and transcoding.  Otherwise, you end up with a 
> device that is not ever going to be optimized for security, handling 
> your security.  On top of that, you also are reducing the level of 
> scalability you can achieve on the phone server by adding yet another 
> chore to its duty roster.

I would have to strongly disagree - if Asterisk was touted as a kid's 
toy, and sold by Fisher Price, then maybe security has no importance. 
But, if Asterisk or any other VoIP platform, for that matter, is to be 
introduced into the enterprise, it *has* to provide security. Tapping a 
hard phone line requires physical access to it - tapping a VoIP line can 
be done from anywhere in the world, if the server is not secure enough. 
Just use the Monitor() command, and set up a cron job to compress to mp3 
and upload to an FTP server, and you have the perfect tap. It can even 
discriminate callers, called numbers and extensions, which conventional 
taps cannot!

That is at the server itself - you could then argue that the transit RTP 
could be tapped by a corrupt tech working for your ISP or provider, 
which could happen also with physical lines, the difference being that 
the RTP tap is so virtual it can be made to leave no trace. A physical 
tap can be found by a routine inspection on the lines, an RTP tap 
cannot. If we want Asterisk to be a step forward in the right direction, 
security concerns *must* be addressed at some stage.

Setting up a VPN and other security measures are fine, but they won't 
protect you from certain forms of tapping or compromise. Besides, if you 
put the onus of encryption on RTP, it can be made part of the standard 
and become universal. Otherwise, will your organization's VPN be 
compatible with mine?

Best regards,

Mike




