[asterisk-users] IEEE 802.1x capable sip phones

Robert Moskowitz rgm at htt-consult.com
Thu Jan 10 07:11:49 CST 2008


Olivier wrote:
>
> I thought that:
> 1. 802.1X was mainly when you plug your hardphone into your network,
802.1X-2001 was written to secure ports on an 802.3 switch.  Originally 
for PCs, it works just fine for phones.  It really does NOT play with 
VLANs, but HP cheated (I know their lead engineers).  802.1X-2004 (you 
have to watch it with IEEE standards naming) added the state machines 
necessary to support 802.11i.  This was a struggle and really is NOT 
right.  802.1af is trying to fix that.
> 2. SRTP is an orthogonal issue as you could positively be looking to 
> authenticate your network device and be confident that with 
> authenticated devices, risks are kept to an acceptable level
I am a real security expert.  I am one of the strong proponents of 
security in depth and how layer 4 security cannot protect the device.  
When we were starting on 802.1AE (LinkSec), Norm Finn (a CISCO Fellow 
and long-time worker on 802.1 and other layer 2 standards) said it well:

Layer 2 security protects and addresses the liabilities of the network owner
Layer 3 security protects and addresses the liabilities of the system owner
Layer 4 security protects and addresses the liabilities of the application owner
Data security (anything above 4) protects and addresses the liabilities of the data owner

Think about it.  You are on an 802.11 phone.  Anyone there can intercept 
the 802.11 frames.  They can attack your phone with 802.11 payloads.

Your call leaves the 802.11 cloud and backbones over 802.16!  Even if 
this is with parabolic radios, there is still plenty of room for 
listeners.  And the original 802.16 security was DOCSIS!  Almost as weak 
as WEP; done at the same time that we were working on 802.11i (we have 
to get something out, we will go back and fix it later).

Your call goes through some Telco's switches that MUST comply with CALEA 
or are owned by some foreign government or drug cartel.  Well, you get 
the picture.

Protect the network (802.11i et al.).  Protect the phone (IPsec or HIP).  
Protect the call (DTLS or TLS for SIP and SRTP).

Any wonder why we still don't have good security?  It is HARD to make it 
easy.

> Am I wrong ?
Yes and No  ;)
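The last of the three layers in the post, "protect the call (DTLS or TLS for SIP and SRTP)", is the one an Asterisk administrator can verify directly from the wire: the SIP Via header names the signaling transport, and each SDP m= line names the media protection (RTP/AVP is plaintext RTP, RTP/SAVP is SRTP keyed by a=crypto lines per RFC 4568, UDP/TLS/RTP/SAVP is DTLS-SRTP per RFC 5764). The following audit script is an added example and not code from the thread or from Asterisk; the two INVITE messages it checks are constructed samples (documentation addresses, a placeholder DTLS fingerprint). It also flags the case the post's "security in depth" argument warns about: SDES keys in an SDP body that travels over unencrypted SIP are exposed to anyone on the path.

```python
"""Audit a SIP INVITE + SDP body for signaling and media protection.

Added example (not from the mailing list thread or from Asterisk).
"""
import re

# Transports that encrypt SIP signaling (RFC 3261 TLS, RFC 4168 TLS-SCTP, RFC 7118 WSS).
SIGNALING_SECURE = {"TLS", "TLS-SCTP", "WSS"}

# Constructed sample 1: INVITE over UDP offering plaintext audio and SDES-SRTP video.
PLAINTEXT_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
    "From: Alice <sip:alice@example.com>;tag=1928301774",
    "To: Bob <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0", "o=alice 2890844526 2890844526 IN IP4 192.0.2.10", "s=-",
    "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
    "m=video 51372 RTP/SAVP 97",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20",
    "a=rtpmap:97 H264/90000",
])

# Constructed sample 2: INVITE over TLS offering DTLS-SRTP audio (placeholder fingerprint).
TLS_INVITE = "\r\n".join([
    "INVITE sips:bob@example.com SIP/2.0",
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhdt",
    "From: Alice <sips:alice@example.com>;tag=1928301775",
    "To: Bob <sips:bob@example.com>",
    "Call-ID: a84b4c76e66711@192.0.2.10",
    "CSeq: 314160 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0", "o=alice 2890844527 2890844527 IN IP4 192.0.2.10", "s=-",
    "c=IN IP4 192.0.2.10", "t=0 0",
    "a=fingerprint:sha-256 " + ":".join(["AB"] * 32),  # session-level, applies to all streams
    "a=setup:actpass",
    "m=audio 49170 UDP/TLS/RTP/SAVP 0 8",
    "a=rtpmap:0 PCMU/8000",
])


def split_message(raw):
    """Split a SIP message into (start line, [(name, value)] headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:  # folded continuation line
            name, val = headers[-1]
            headers[-1] = (name, val + " " + line.strip())
            continue
        name, _, val = line.partition(":")
        headers.append((name.strip().lower(), val.strip()))
    return lines[0], headers, body


def signaling_transport(headers):
    """Transport token from the topmost Via (or compact 'v') header, e.g. 'UDP'."""
    for name, val in headers:
        if name in ("via", "v"):
            m = re.match(r"SIP/2\.0/([A-Za-z-]+)", val)
            return m.group(1).upper() if m else "UNKNOWN"
    return "UNKNOWN"


def media_streams(sdp):
    """One dict per m= line: media type, proto field, and attributes in scope."""
    session_attrs, streams, current = [], [], None
    for line in sdp.strip().split("\n"):
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                raise ValueError("malformed m= line: " + line)
            current = {"media": fields[0], "proto": fields[2], "attrs": []}
            streams.append(current)
        elif line.startswith("a="):
            (current["attrs"] if current else session_attrs).append(line[2:])
    for s in streams:
        s["attrs"] = session_attrs + s["attrs"]  # session-level attrs apply to every stream
    return streams


def classify_media(stream):
    """Map the SDP proto field plus keying attributes to a protection label."""
    proto, attrs = stream["proto"].upper(), stream["attrs"]
    if proto.startswith("UDP/TLS/") and proto.endswith(("SAVP", "SAVPF")):
        keyed = any(a.startswith("fingerprint:") for a in attrs)
        return "dtls-srtp" if keyed else "dtls-srtp-no-fingerprint"
    if proto.endswith(("RTP/SAVP", "RTP/SAVPF")):
        keyed = any(a.startswith("crypto:") for a in attrs)
        return "sdes-srtp" if keyed else "srtp-unkeyed"
    return "none"


def audit(raw):
    """Return signaling transport, per-stream protection, and a list of findings."""
    _, headers, body = split_message(raw)
    transport = signaling_transport(headers)
    findings = ["signaling-in-clear"] if transport not in SIGNALING_SECURE else []
    media = []
    for s in media_streams(body):
        prot = classify_media(s)
        media.append((s["media"], s["proto"], prot))
        if prot == "none":
            findings.append(s["media"] + "-media-in-clear")
        elif prot == "sdes-srtp" and transport not in SIGNALING_SECURE:
            findings.append(s["media"] + "-sdes-key-exposed")  # SRTP key rides in cleartext SDP
        elif prot in ("srtp-unkeyed", "dtls-srtp-no-fingerprint"):
            findings.append(s["media"] + "-" + prot)
    return {"transport": transport, "media": media, "findings": findings}


if __name__ == "__main__":
    for label, msg in (("plaintext", PLAINTEXT_INVITE), ("tls+dtls", TLS_INVITE)):
        print(label, audit(msg))
```

Run against a capture of your own trunk or phone registration, the findings list is empty only when signaling is on a TLS-class transport and every stream is keyed SRTP; a SDES offer over UDP is reported separately because the media is encrypted while the key itself is not.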