[asterisk-users] How Secure Is Asterisk

Tim Panton thp at westhawk.co.uk
Wed Oct 22 05:16:37 CDT 2008


On 20 Oct 2008, at 20:01, Steve Anness wrote:

> I am sure this has been discussed prior, however, I am sitting here  
> and being asked this very question by my superiors.  They are loving  
> what I have done with our two Asterisk servers here; however, they  
> keep asking me if it is secure or not.  Of course, as with anything,  
> I suspect that on a secure network they can be reasonably safe.   
> However, realistically if I am using the asterisk server to make
> internal calls and discussing very private matters, how possible is
> it for someone to listen to calls?  How good is the encryption if
> any over an IAX trunk?

The IAX encryption (encryption=yes in iax.conf) is actually pretty
good from what I can see.
3 things though:
	1) you can't tell if it has happened - if the far end changes config
	   to encryption=no nothing breaks, your calls just go through
	   un-encrypted - I'd like a must_encrypt setting.
	2) The keys are as strong as your iax passwords and the quality of
	   /dev/random on your box.
	3) The dialed number, caller id etc all go in the clear, the call
	   setup is unencrypted. Only the body of the call is covered by
	   the encryption.

Also there are _no_ endpoints that implement it (except asterisk and
our phonefromhere.com softphone)
so the last yards to your user will not be protected.

Tim.
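
An added example, not part of the original post or of Asterisk itself: a small audit of an iax.conf for points 1 and 2 above (silent fallback to cleartext, and short secrets). It assumes the `forceencryption` option that later Asterisk releases added to iax.conf, that `[general]` values act as defaults for peer sections, and a local minimum secret length; the sample config is constructed.

```python
import re

# Constructed sample iax.conf; peer names and secrets are made up for this example.
SAMPLE = """\
[general]
encryption=yes
[trunk-a]
secret=Xk9#mQ2vLp7!wRt4
forceencryption=yes
[trunk-b]
secret=Xk9#mQ2vLp7!wRt4
[trunk-c]
secret=1234
encryption=no
"""
MIN_SECRET_LEN = 12  # assumed local policy, not an Asterisk default

def parse(text):
    """Return {section: {key: value}} from iax.conf-style text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        match = re.match(r"\[([^\]]+)\]", line)
        if match:
            current = sections.setdefault(match.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def is_on(value):
    # chan_iax2 accepts a boolean or the cipher name "aes128"
    return value.strip().lower() in {"yes", "true", "on", "1", "aes128"}

def audit(text):
    """Return {peer: [findings]}; [general] is assumed to supply peer defaults."""
    sections = parse(text)
    general = sections.pop("general", {})
    report = {}
    for name, opts in sections.items():
        eff = {**general, **opts}                # peer settings override [general]
        forced = is_on(eff.get("forceencryption", "no"))
        findings = []
        if not forced and not is_on(eff.get("encryption", "no")):
            findings.append("no-encryption")
        elif not forced:
            findings.append("downgrade-possible")   # point 1 of the post
        if len(eff.get("secret", "")) < MIN_SECRET_LEN:
            findings.append("weak-secret")           # point 2 of the post
        report[name] = findings
    return report
```

Point 3 (call setup in the clear) and the quality of /dev/random cannot be seen from the config file, so this check does not cover them.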


