[asterisk-users] asterisk security....again
Kevin P. Fleming
kpfleming at digium.com
Mon Feb 28 07:38:00 CST 2011
On 02/28/2011 07:27 AM, Rizwan Hisham wrote:
> Any suggestions on encrypting the sip and rtp. I have done some googling
> on it. looks like it is not supported by most end point devices or
> service providers. But still your thoughts will be appreciated on this
> subject.
You cannot protect a remote SIP endpoint from attacks via your server;
that SIP endpoint is an endpoint itself, and if it can receive IP
packets from attackers, it will process them. These packets don't go
through your server, and encrypting the legitimate traffic between your
server and the remote endpoint isn't going to make any difference at all.
The *only* way to address attacks like this is to modify the
configuration of the remote endpoint to ignore all incoming packets that
aren't from your server(s). Even that is not a perfect solution, though,
because the attacker (if they are actually aware of your server and
customers) can spoof the IP addresses of your server(s) in order to get
the remote endpoints to at least accept an INVITE (they can't place a
successful call through them using spoofing though).
--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kfleming at digium.com
Check us out at www.digium.com & www.asterisk.org
More information about the asterisk-users
mailing list