[asterisk-users] SIP security: username and password

A J Stiles asterisk_list at earthshod.co.uk
Thu May 5 07:38:40 CDT 2011


On Thursday 05 May 2011, bilal ghayyad wrote:
> Hi All;
>
> When an endpoint registers on Asterisk or initiates a call, the SIP
> username and password are exchanged. What is the possibility that this will
> be captured by a hacker, and how can this problem be avoided?

If the two devices are connected by Ethernet cables and are on 192.168.x.x or 
10.x.x.x addresses, then nothing goes further than the router where your 
Internet connection comes in.  And we're presuming anyone within your bounds 
is trustworthy.

If one of the devices is connected wirelessly, then the passwords will be 
broadcast over the air (although they will be encrypted).  In fact, if there 
is a wireless access point anywhere on the network, then it may *potentially* 
broadcast data and credentials even if the calls are not going through it, 
until it has built up a routing table.  Wi-fi doesn't travel very far, but 
someone in your car park who has your WPA2 key may be able to sniff 
packets.

If the phone call is going over the public Internet, then it really should be 
tunnelled through a secure VPN.  Otherwise, make sure the password is of as 
little use as possible to anyone who discovers it; for instance, put the 
offending extension into a context which can only make internal calls, or 
calls to carefully-selected external numbers.

-- 
AJS

Answers come *after* questions.
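The "least useful password" advice in the reply above, written out as an Asterisk chan_sip configuration. This is an added, constructed example, not configuration from the list post; the extension number 2001, the LAN range 192.168.1.0/24, the trunk name `outbound-trunk` and the allowed external number are placeholders.

```ini
; sip.conf (constructed example)
[general]
context=restricted-internal      ; any unmatched or unauthenticated caller lands here
allowguest=no                    ; refuse calls that do not authenticate at all
alwaysauthreject=yes             ; do not reveal whether a username exists

[2001]
type=friend
host=dynamic
secret=CHANGE_ME_long_random_secret
context=restricted-internal      ; this extension may only use the dialplan below
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0 ; register only from the wired LAN segment

; extensions.conf (constructed example)
[restricted-internal]
; internal four-digit extensions starting with 2
exten => _2XXX,1,Dial(SIP/${EXTEN},20)
 same => n,Hangup()

; one carefully selected external number (placeholder); an exact match
; beats the _X. pattern below, so only this number reaches the trunk
exten => 5550100,1,Dial(SIP/${EXTEN}@outbound-trunk)
 same => n,Hangup()

; everything else, including international and premium-rate prefixes,
; is refused, so a leaked secret cannot be used to run up toll charges
exten => _X.,1,Playback(ss-noservice)
 same => n,Hangup()
```

A captured secret for 2001 therefore buys an attacker internal calls and one whitelisted number, nothing more; a full-access context for trusted handsets would be a separate context that this peer is never assigned to.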
