<br>Thanks Hans,<br>This is a good idea if I place the configuration files in a database and the database somewhere else... <br><br>Now finally, according to community feedback...<br><br>I will use AGI at max and obfuscate the Java code. Place the remaining configuration in the database. <br>
<br>Hans, I think this will be a good trade-off.<br><br><br><br><div class="gmail_quote">On Wed, Jul 7, 2010 at 2:08 PM, Hans Witvliet <span dir="ltr">&lt;<a href="mailto:hwit@a-domani.nl">hwit@a-domani.nl</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><div class="h5">On Wed, 2010-07-07 at 12:12 +0600, ABBAS SHAKEEL wrote:<br>
> Thanks to Gordon and Paul for kind help.<br>
><br>
><br>
> Actually we have a limitation to place the Asterisk server in client<br>
> premises if the server is in their premises then this means they have<br>
> full control over it.<br>
><br>
><br>
> Hard disk encryption seems a good option but no automated boot is a big<br>
> issue :(<br>
><br>
><br>
> Is there something possible like that?<br>
><br>
> On Tue, Jul 6, 2010 at 5:21 PM, Gordon Henderson <gordon<br>
> +<a href="mailto:asterisk@drogon.net">asterisk@drogon.net</a>> wrote:<br>
><br>
> On Tue, 6 Jul 2010, ABBAS SHAKEEL wrote:<br>
><br>
> > Hello Community,<br>
> ><br>
> > I have a question. I have been working with Asterisk and<br>
> developed some<br>
> > successful applications. I am facing an issue of security,<br>
> i.e. we deploy<br>
> > servers to the client end. Now I don't want the client to see my<br>
> configuration<br>
> > files (of course copy and distribute or replicate the logic<br>
> without<br>
> > permission).<br>
> ><br>
> > Now the configuration files are stored in /etc/asterisk/*<br>
> (of course we can<br>
> > specify a different location but in the end we specify this in a<br>
> configuration<br>
> > file).<br>
> ><br>
> > Is there a way that the configuration files get encrypted or<br>
> something else<br>
> > so that someone who has system access cannot copy the<br>
> configuration files'<br>
> > data or look into those files?<br>
><br>
><br>
> The simple answer is that you can't prevent anyone copying it<br>
> if they have<br>
> physical access.<br>
><br>
> All you can do is make it hard.<br>
><br>
> If you wanted to encrypt them, you'd need to alter asterisk.<br>
><br>
> You could use something like TrueCrypt, or another whole disk<br>
> encryption<br>
> technology, but that'll require someone typing in a password<br>
> at boot time<br>
> making unattended reboots impossible.<br>
><br>
> Another way which I have seen is to do away with the dialplan<br>
> entirely and<br>
> do it all in a single big compiled AGI C program. (Ok, you<br>
> have minimal<br>
> dialplan to pump everything into it, but...) and don't<br>
> distribute the<br>
> source to the C program...<br>
><br>
> You need to work out just what it's worth to you if someone<br>
> does copy it.<br>
> Realistically, what's your target audience? Are your clients<br>
> the sort of<br>
> people likely to copy and sell it on? For most businesses,<br>
> I'd guess<br>
> not.<br>
><br>
> Gordon<br>
<br>
</div></div>Before you embark on this way....<br>
Any disk encryption is of no use as long as it remains decrypted while<br>
the server is running...<br>
It only protects you against snooping eyes in case your hardware is<br>
stolen (most likely: laptops, USB media)<br>
<br>
If you want to be 100% sure against unauthorized access to your data, you<br>
might want to use two-factor authentication. But the fact that you have<br>
to use a smartcard/token AND a passphrase implies that you cannot<br>
restart your machine/asterisk without being physically there.<br>
[I mean, you might be creating your own denial of service]<br>
<br>
If you just want to protect your asterisk-machine against prying eyes, I<br>
would suggest to put all of your config (sip, iax, dialplan) into a<br>
database (on another machine, of course) and use an encrypted connection<br>
(636, ldaps) to access it. It will protect you against data theft if your<br>
machine is stolen, but that person might still be able to access the<br>
asterisk console _before he nicks the system_ and do a "sip show peers"<br>
and obtain your info in that way....<br>
<br>
So you better consider what you want to protect, against who, and at<br>
what acceptable costs....<br>
<br>
Security is a tricky business. It's easy to spend vast amounts of time<br>
and money and not get any additional security ;-)<br>
<br>
hw<br>
<font color="#888888"><br>
<br>
--<br>
</font><div><div></div><div class="h5">_____________________________________________________________________<br>
asterisk-users mailing list<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Best Regards<br>Shakeel Abbas<br><br>
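Hans's suggestion in the quoted message (config in a directory on another machine, reached over ldaps on 636), sketched as Asterisk realtime configuration. This is an added example, not configuration posted by anyone in the thread. The host name, base DN, bind account and context name are constructed placeholders, and the per-family attribute mapping sections that res_ldap.conf also needs are left out because they depend on the directory schema in use.

```ini
; /etc/asterisk/extconfig.conf
; Map realtime families to the LDAP driver so peers and dialplan
; are fetched from the remote directory instead of local files.
; Format: family => driver,"base DN",mapping-section
[settings]
sippeers   => ldap,"dc=example,dc=invalid",sip
sipusers   => ldap,"dc=example,dc=invalid",sip
extensions => ldap,"dc=example,dc=invalid",extensions

; /etc/asterisk/res_ldap.conf
[_general]
; ldaps:// on port 636 gives the encrypted connection Hans mentions.
url=ldaps://ldap.example.invalid:636
protocol=3
basedn=dc=example,dc=invalid
; Placeholder bind account. This credential still sits on the
; deployed box, so give it read-only access to the Asterisk subtree.
user=cn=asterisk-ro,dc=example,dc=invalid
pass=CHANGE_ME

; /etc/asterisk/extensions.conf
; Minimal local dialplan: hand lookups to the realtime family.
[from-phones]
switch => Realtime/from-phones@extensions
```

What stays on the client's machine is this stub plus the bind credential, so anyone with root or console access can still read whatever Asterisk itself can read, which is the limit both Gordon and Hans point out.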