<br><br><div><span class="gmail_quote">2008/1/10, Robert Moskowitz <<a href="mailto:rgm@htt-consult.com">rgm@htt-consult.com</a>>:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Olivier wrote:<br>><br>> I thought that:<br>> 1. 802.1X was mainly when you plug your hardphone into your network,<br>802.1X-2001 was written to secure ports on an 802.3 switch. Originally<br>for PCs, it works just fine for phones. Really does NOT play with VLANs,
<br>but HP cheated (I know their lead engineers). 802.1X-2004 (you have to<br>watch it with IEEE standards naming) added the state machines necessary<br>to support 802.11i. This was a struggle and really is NOT right.<br>
802.1af is trying to fix that.<br>> 2. SRTP is an orthogonal issue as you could positively be looking to<br>> authenticate your network device and be confident that with<br>> authenticated devices, risks are kept to an acceptable level
<br>I am a real security expert. I am one of the strong proponents of<br>security in depth and how layer 4 security cannot protect the device.</blockquote><div><br>I never said you SHOULD NOT use SRTP, but you DON'T HAVE TO.
<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">When we were starting on 802.1AE (LinkSec), Norm Finn (a CISCO Fellow<br>and long time worker on
802.1 and other layer 2 standards) said it well:<br><br>Layer 2 security protects and addresses the liabilities of the network owner<br>Layer 3 security protects and addresses the liabilities of the system owner<br>Layer 4 security protects and addresses the liabilities of the
<br>application owner<br>Data security (anything above 4) protects and addresses the liabilities<br>of the data owner<br><br>Think about it. You are on an 802.11 phone. Anyone there</blockquote><div><br>That's the point: at least, you're certain those guys are using the devices you provided them with.
<br>So, for instance, you don't have an unknown PC spoofing a hardphone.<br>You know which PC spoofed other devices, and that PC's user had to authenticate some time before.<br>That's not perfect, maybe not enough, but this is what
802.1X is all about.<br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> can intercept<br>the 802.11 frames. They can attack your phone with
802.11 payloads.<br><br>Your call leaves the 802.11 cloud and backbones over 802.16! Even if<br>this is with parabolic radios, there is still plenty of room for<br>listeners. And the original 802.16 security was DOCSIS! Almost as weak
<br>as WEP; done at the same time that we were working on 802.11i (we have<br>to get something out, we will go back and fix it later).<br><br>Your call goes through some Telco's switches that MUST comply with CALEA<br>
or are owned by some foreign government or drug cartel. Well, you get<br>the picture.<br><br>Protect the network (802.11i et al.). Protect the phone (IPsec or HIP).<br>Protect the call (DTLS or TLS for SIP and SRTP).<br><br>
Any wonder why we still don't have good security? It is HARD to make it<br>easy.<br><br>> Am I wrong?<br>Yes and No ;)<br><br>asterisk-users mailing list<br></blockquote></div><br>