[VOIPSEC] Asterisk PBX - Security

Russell Howe rhowe at siksai.co.uk
Thu Jun 1 12:25:55 CDT 2006


On Thu, Jun 01, 2006 at 08:09:17AM -0300, Daniel Mossinato wrote:
> Dear friends,
> 
> Good morning.
> This is my first post on this list, so I would like to introduce myself.
> 
> My name is Daniel Mossinato and I'm an IT Manager in Brazil, São Paulo.
> I'm running an Asterisk for the company where I work to use as an "internal 
> communicator". I have some extensions and no external lines, which means the 
> partners use this solution to talk to each other, nobody else.
> I have a new scenario since two of the partners will travel and they want 
> to use the extension outside of the company. The only solution I've found 
> is a VPN. They would connect from hotels or other offices and their concern 
> is about somebody listening to the conversation.

A concern many share, and I see below you have come up with one
'solution', however I'm not sure this list is the most appropriate forum
for you. An asterisk user list would probably serve you better.

> Do you have any suggestion of a device which supports OpenVPN? It could be 
> a gateway (ATA) or an IP phone.
> I was trying with a Racoon VPN solution but I need some kind of roaming 
> VPN. When the device is plugged into the internet it automatically creates the 
> tunnel, no matter what IP it is on. Racoon seems to need the IP to be 
> specified.

Racoon is an IKE daemon, and arranges keys for in-kernel IPsec code to
use in order to provide IPsec VPN connections (be it tunnel or transport
mode).

Protecting your VoIP traffic is certainly possible with a VPN, and
racoon should be able to operate in so-called 'roadwarrior' mode,
allowing it to accept connections from anywhere. FreeS/WAN (well, its
derivatives, since it's now a dead project) certainly can.

Provided the keying material checks out (either pre-shared secrets, an RSA
public/private keypair, X.509 certificates signed by a CA, etc.), a VPN
connection can be formed.

I doubt you'll find OpenVPN support in any commercial products, although
it would be quite nice to see.

The other option I can think of (apart from using the hotel telephones,
which could be listened in on anyway...) is to use the VoIP protocols'
'native' encryption & authentication mechanisms.

The problem there is lack of common standards - whilst there is a common
(and fairly well-supported) standard for encryption of the voice traffic
(the 'media') in SRTP, there is a lack of standardisation (or should I
say too many standard methods) of negotiating the keying material for
use in SRTP. All have their advantages and disadvantages, and are
discussed ad nauseam on this list.

Personally, I'd say a VPN is probably the easiest fix for your problem,
provided you can get the call quality. It will allow you to provide
access to other services in a secure manner too.

So much of the VoIP world seems hung up on working around ubiquitous
brokenness (the infestation of NAT, the regulatory requirement for call
interception, etc.) and on the desire of telecoms companies to push out
products that much of the technical purity possible by using IP networks
(or even global data networks in general) seems lost.

Still, that could just be my misinterpretation - I'm very much a
bystander here (although yesterday we ordered a Nortel BCM400 and I'm
sure I'll have a chance to get some licenses ordered in order to try out
the VoIP features we've been promised it'll have). Sorry Dan, btw (a 3300 ICP
was also an option, but was rejected).

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
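As an added example that is not part of the original post or of any racoon
documentation, the following shows the shape a racoon 'roadwarrior'
configuration takes on the office gateway: phase 1 and phase 2 are both
declared for `anonymous` peers, so a client may arrive from any address, and
the peer is authenticated by an X.509 certificate instead of by its IP. The
file paths, certificate names, and the use of sha256 (which assumes an
ipsec-tools build new enough to offer it) are assumptions; the keywords are
standard racoon.conf directives.

```conf
# /etc/racoon/racoon.conf on the office gateway (added example; paths and
# certificate file names are assumed, not taken from the original post)
path certificate "/etc/racoon/certs";   # holds gateway.crt, gateway.key, ca.crt

# 'anonymous' accepts phase 1 from any source address: the roadwarrior case.
remote anonymous {
    exchange_mode main;            # main mode is fine with certificates; aggressive
                                   # mode is only forced on you when a PSK must be
                                   # chosen before the peer's address is known
    passive on;                    # the gateway only answers, never initiates
    nat_traversal on;              # hotel NAT: carry ESP inside UDP/4500
    generate_policy on;            # build SPD entries for whatever inner address
                                   # the client turns up with
    certificate_type x509 "gateway.crt" "gateway.key";
    ca_type x509 "ca.crt";
    verify_cert on;                # refuse clients whose cert the CA did not sign
    my_identifier asn1dn;
    peers_identifier asn1dn;
    dpd_delay 20;                  # dead peer detection: a dropped hotel link
                                   # tears the SA down instead of leaving it hanging
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha256;     # assumes an ipsec-tools build that offers sha256
        authentication_method rsasig;
        dh_group modp2048;
    }
}

# Phase 2 for any peer: these SAs are what actually wrap the SIP and RTP packets.
sainfo anonymous {
    pfs_group modp2048;
    lifetime time 1 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha256;
    compression_algorithm deflate;
}
```

Each travelling phone or softphone then carries the mirror image: a `remote`
block naming the gateway's fixed address, its own client certificate, and the
same proposals. Certificates rather than a pre-shared key are the deliberate
choice here: with PSKs a gateway in main mode must pick the key by the peer's
IP before it learns who the peer is, which is impossible for a roaming client,
so PSK roadwarrior setups fall back to aggressive mode, and aggressive mode
exposes a hash derived from the PSK to anyone on the hotel network for offline
guessing.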
