[asterisk-users] Asterisk Security: Allow only one phone per sip registration

Alex Vishnev alex9134 at gmail.com
Fri Oct 14 06:24:14 CDT 2011


The best way to handle a large SIP client base is using a provisioning interface. Even though you can create configuration files and serve them with asterisk+extensions, you need to consider the security aspects of this approach as well. Using tftp or simple protocols to serve config files works on a LAN, but does not scale for large installs (my opinion). HTTP is a better choice, but then all the information is passed in the clear. HTTPS is obviously a better choice with SSL, but if your devices can't handle SSL it will become a problem. A good solution is to provide a mix depending on your SIP client capabilities. In the configuration you can supply the password/secret as others recommend and any other device-specific configuration (i.e. preferred codec, DNS, etc). It really becomes a powerful tool. You also need to have management capabilities to generate and update your configuration profile either for individual devices (i.e. change a user's secret) or in bulk (change DNS servers or proxy on 1000 SIP clients at once). SIP clients will also need to have the capability to poll for this configuration on reboot or at regular poll intervals. If you are doing that on a poll interval, don't make the interval too short (i.e. minutes). I would say 3-4 times a day is a good starting point. If your network is pretty static and not much information changes you can even make it 1-2 times a day and experiment with your network load.

On Oct 14, 2011, at 7:09 AM, A J Stiles wrote:

> On Friday 14 October 2011, Muro, Sam wrote:
>> Hi there
>> 
>> Consider this. You have three SIP extensions 200, 201 and 202 and you have
>> configured your phones, say Polycom 331, to those accounts. 200 being one
>> very sensitive individual.
>> 
>> Let's say an insider gets a new phone or perhaps an xlite and configures it
>> with the same extension, 200. Asterisk will register it as 200 to the new
>> IP address.  Now extension 202 calls 200. The hacker answers it and pretends
>> to be the same person. Does what he wants to do and that's it.
>> 
>> Question:
>> How can I stop this type of threat?
> 
> Be careful who you employ and how you treat them  :)
> 
> Once someone has physical access to your equipment, all bets are off .....
> 
> -- 
> AJS
> 
> Answers come *after* questions.
> 
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
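As an added illustration of the provisioning model Alex describes (this is example code written for this page, not code from the post, from Asterisk, or from any phone vendor), here is a small Python store that renders one profile per device, rotates a single user's secret, pushes a shared setting such as DNS to every device at once, and converts "3-4 times a day" into a jittered poll schedule. The MAC-keyed lookup, the separate provisioning token, the `allow_plain_http` opt-in for phones that cannot do TLS, and the hostnames and addresses are all assumptions of this example.

```python
"""Per-device provisioning profile store with bulk updates and a poll schedule.

Example code for this page; the device schema, the provisioning token and the
HTTP/HTTPS policy are assumptions, not an Asterisk or vendor API.
"""
import random
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Settings shared by every device. A bulk update rewrites these once and every
# profile rendered afterwards picks them up. Constructed sample values.
DEFAULT_SHARED = {"sip_proxy": "pbx.example.invalid", "dns": "192.0.2.53", "codec": "g711u"}


@dataclass
class Device:
    mac: str
    extension: str
    sip_secret: str
    # Credential used only to fetch the profile (assumption of this example):
    # a leaked SIP secret then does not also unlock the provisioning endpoint.
    provisioning_token: str
    overrides: Dict[str, str] = field(default_factory=dict)


class ProvisioningStore:
    def __init__(self, shared=None):
        self.shared = dict(shared or DEFAULT_SHARED)
        self.devices: Dict[str, Device] = {}

    def add_device(self, mac: str, extension: str) -> Device:
        """Registers a device with a freshly generated SIP secret and fetch token."""
        mac = mac.lower()
        dev = Device(mac, extension, secrets.token_urlsafe(24), secrets.token_urlsafe(32))
        self.devices[mac] = dev
        return dev

    def rotate_secret(self, mac: str) -> str:
        """Individual change: new SIP secret for one device (the 'change a user's secret' case)."""
        dev = self.devices[mac.lower()]
        dev.sip_secret = secrets.token_urlsafe(24)
        return dev.sip_secret

    def bulk_update(self, key: str, value: str) -> int:
        """Bulk change: one shared key (e.g. dns or sip_proxy) for every device; returns device count."""
        self.shared[key] = value
        return len(self.devices)

    def authenticate(self, mac: str, token: str) -> bool:
        """Constant-time check of the per-device provisioning token."""
        dev = self.devices.get(mac.lower())
        return dev is not None and secrets.compare_digest(dev.provisioning_token, token)

    def render_profile(self, mac: str) -> str:
        """Shared settings, then per-device overrides, then the SIP account itself."""
        dev = self.devices[mac.lower()]
        cfg = {**self.shared, **dev.overrides, "sip_user": dev.extension, "sip_secret": dev.sip_secret}
        return "\n".join(f"{k}={cfg[k]}" for k in sorted(cfg)) + "\n"


def serve_profile(store: ProvisioningStore, mac: str, token: str, transport: str) -> Tuple[int, str]:
    """Models the fetch endpoint: wrong token -> 401; plaintext HTTP only for devices
    explicitly marked as unable to do TLS (the 'mix by capability' compromise) -> else 403."""
    if not store.authenticate(mac, token):
        return 401, ""
    dev = store.devices[mac.lower()]
    if transport != "https" and dev.overrides.get("allow_plain_http") != "yes":
        return 403, ""
    return 200, store.render_profile(mac)


def poll_interval_seconds(polls_per_day: int) -> int:
    """Converts 'N times a day' to seconds and rejects minute-scale polling."""
    if not 1 <= polls_per_day <= 24:
        raise ValueError("poll between 1 and 24 times a day, not every few minutes")
    return 86400 // polls_per_day


def next_poll(now: int, polls_per_day: int, seed=None) -> int:
    """Next fetch time with up to 10% jitter so 1000 phones do not all poll in the same second."""
    base = poll_interval_seconds(polls_per_day)
    return now + base + random.Random(seed).randint(0, base // 10)


if __name__ == "__main__":
    store = ProvisioningStore()
    dev = store.add_device("00:11:22:AA:BB:CC", "200")
    print(serve_profile(store, dev.mac, dev.provisioning_token, "https")[1])
    store.bulk_update("dns", "198.51.100.53")
    print(serve_profile(store, dev.mac, dev.provisioning_token, "https")[1])
```

The store keeps the SIP secret and the profile-fetch token apart on purpose: the profile is the one document that carries the SIP secret in full, so the credential that unlocks it should not be the same value. The jittered schedule is what keeps a fleet that polls "3-4 times a day" from hitting the server in lockstep after a mass reboot.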
