[asterisk-users] IEEE 802.1x capable sip phones

Olivier oza-4h07 at myamail.com
Thu Jan 10 07:53:40 CST 2008


2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
>
> Olivier wrote:
> >
> > I thought that :
> > 1. 802.1X was mainly when you plug your hardphone into your network,
> 802.1X-2001 was written to secure ports on a 802.3 switch.  Originally
> for PCs, it works just fine for phones.  Really does NOT play with VLANs,
> but HP cheated (I know their lead engineers).  802.1X-2004 (you have to
> watch it with IEEE standards naming) added the state machines necessary
> to support 802.11i.  This was a struggle and really is NOT right.
> 802.1af is trying to fix that.
> > 2. SRTP is an orthogonal issue as you could positively be looking to
> > authenticate your network device and be confident that with
> > authenticated devices, risks are kept to an acceptable level
> I am a real security expert.  I am one of the strong proponents to
> security in depth and how layer 4 security cannot protect the device.


I never said you SHOULD NOT use SRTP, but you DON'T HAVE TO.

> When we were starting on 802.1AE (LinkSec), Norm Finn (a CISCO Fellow
> and long time worker on 802.1 and other layer 2 standards) said it well:
>
> Layer 2 security protects and addresses the liabilities of the network
> owner
> Layer 3 security protects and addresses the liabilities of the system owner
> Layer 4 security protects and addresses the liabilities of the
> application owner
> Data security (anything above 4) protects and addresses the liabilities
> of the data owner
>
> Think about it.  You are on a 802.11 phone.  Anyone there


That's the point: at least, you're certain those guys are using the
devices you provided them with.
So, for instance, you don't have an unknown PC spoofing a hardphone.
You know which PC spoofed other devices, and that PC's user had to
authenticate some time before.
That's not perfect, maybe not enough, but this is what 802.1X is all about.

can intercept
> the 802.11 frames.  They can attack your phone with 802.11 payloads.
>
> Your call leaves the 802.11 cloud and backbones over 802.16!  Even if
> this is with parabolic radios, there is still plenty of room for
> listeners.  And the original 802.16 security was DOCSIS!  Almost as weak
> as WEP; done at the same time that we were working on 802.11i (we have
> to get something out, we will go back and fix it later).
>
> Your call goes through some Telco's switches that MUST comply with CALEA
> or are owned by some foreign government or drug cartel.  Well you get
> the picture.
>
> Protect the network (802.11i et al.).  Protect the phone (IPsec or HIP).
> Protect the call (DTLS or TLS for SIP and SRTP).
>
> Any wonder why we still don't have good security?  It is HARD to make it
> easy.
>
> > Am I wrong ?
> Yes and No  ;)
>
>