[lug] IPsec (or other security) in Asterisk
Nate Duehr
nate at natetech.com
Fri Sep 14 12:16:56 MDT 2007
Michael J. Hammel wrote:
> I'm doing a little research on a project that might involve Asterisk.
> One of the key issues is VoIP security. It doesn't appear that IPsec is
> supported in Asterisk (based on their web site, at least). And there
> don't appear to be any other transport layer or higher security features
> (ssh, tls, ssl, or similar).
There's an RFC for doing SIP (well, really RTP) over TLS.
It's called "SRTP". Many phones support it.
I saw an internal note fly around that we support it now in our phones
on some later level of firmware flash.
Disclaimer: I work for Polycom. We make SIP phones.
> Anyone know if Asterisk supports or is intending to support security
> features for VoIP? Does Asterisk (or any application for that matter)
> need to specifically support IPsec or is this a feature of the
> networking stack that is configured outside the realm of the
> application? My limited understanding of IPsec is that it's the latter
> - outside the realm of the application.
Asterisk appears to not support it, since this bounty is still open:
http://www.voip-info.org/wiki-Asterisk+Bounty+SIP+encryption
But I don't really know.
Encrypting the whole network is an option, but difficult at the end-points.
Most companies I've seen with large SIP phone deployments seem to have
them VLAN'ed off from the rest of the network traffic (for QoS purposes)
onto a separate "phone" network. I think some of our phones support
VLAN tagging directly at the phone and even routing a second VLAN (your
usual corporate VLAN) through the second RJ45 on the phone to your
desktop PC... I think. I honestly don't work with the VoIP phone
products very much.
Most all companies doing SIP phones internally, maintain physical
control of their in-house networks (so folks aren't plugging sniffers in
to listen to RTP traffic - easy to do with Wireshark, etc...), they only
allow traffic for that one person's phone to go out any particular
switch port, and typically they don't have encryption on their phones,
yet...
Were you looking to encrypt from the phone on the desktop to the
Asterisk server on-site, or something else?
Going off-site, a VPN connection bridging the Asterisk server or a whole
network at the far side, to the local phone VLAN, seems the simplest way
to go. IPSec seems a bit overkill... but of course, anything can be done...
Nate
More information about the LUG
mailing list