[asterisk-users] How Secure Is Asterisk
Nikolai Lusan
nikolai at lusan.id.au
Wed Oct 22 01:23:02 CDT 2008
On Mon, 2008-10-20 at 14:01 -0500, Steve Anness wrote:
> I am sure this has been discussed prior, however, I am sitting here
> and being asked this very question by my superiors.
Ahh stuperiors, don't you love the questions they ask? Almost as good as
the questions some "recruiters" (by this I mean the people who normally
recruit accountants or secretaries and think they can effectively recruit
IT staff) ask.
> They are loving what I have done with our two Asterisk servers here;
> however, they keep asking me if it is secure or not. Of course, as
> with anything, I suspect that on a secure network they can be
> reasonably safe.
Are you after security of the host? the client? the application? or of
the data being transmitted? Depending on how you are making * available
and what you are after the network may play a role in making things
secure.
> However, realistically if I am using the asterisk server to make
> internal calls and discussing very private matters, how possible is it
> for someone to listen to calls? How good is the encryption if any
> over an IAX trunk?
There is no encryption on SIP or IAX. If you are only making internal
calls (i.e. there is no external exposure of *) then you could put the
phones and the server on their own physical [or virtual] LAN and
restrict access on this [V]LAN to known MAC addresses (so just known IP
phones), this would help with the security of conversations ... it's
also worth noting that most decent modern switches will make it very
difficult to eavesdrop on a network connection that is not destined for
the listening host. As has been mentioned if you were able to run some
kind of VPN connection to the phones this would also be another step
towards security. Some of this will also come down to your dialplan and
what you let clients get away with. If the server is facing a public
network you might want to stick a firewall in front of it.
The "security" of any application or solution is something that is
dependent on many separate, sometimes overlapping issues and is
something that is always changing. In this case I would be looking at
your network design and the configuration of * in total, but especially
the dialplan.
--
Nikolai Lusan <nikolai at lusan.id.au>