Page 233 - Asterisk™: The Future of Telephony

Encrypting Audio with Secure RTP
               If you can sniff the packets coming out of an Asterisk system, you can extract the audio
               from the RTP streams. That data can be fed offline to a speech-processing system that
               listens for keywords such as “credit card number” or “PIN” and presents the surrounding
               audio to someone who has an interest in it. The stream can also be evaluated for DTMF
               digits, whether they are sent in-band as tones in the audio or out-of-band as RFC 2833
               telephone-event packets; both travel in the clear in unencrypted RTP, which is dangerous
               because many services ask for passwords and credit card numbers to be entered on the
               dialpad. In business, strategic information could likewise be gleaned from captured audio.
               Using Secure RTP (SRTP) combats this problem by encrypting the RTP payload; however,
               Asterisk does not support SRTP as of this writing. Work is under way to provide SRTP
               support (a patch exists in the trunk release, but it is not known as of this writing whether
               it will be back-ported to 1.4). Keep in mind that SRTP protects only the media: with the
               usual SDES key exchange the keys travel in the SDP of the SIP signaling, so the signaling
               itself must be protected (for example with TLS) or the keys can be sniffed as easily as
               the audio.
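               The offline analysis described above, as an added example that is not code from the book or from Asterisk: it parses RTP headers from captured UDP payloads, reassembles the G.711 audio payload, and recovers the DTMF digits carried as RFC 2833/4733 telephone-event packets. The capture is constructed inline, and the telephone-event payload type (101) is an assumption, since it is dynamic and negotiated in SDP.

```python
"""Offline inspection of an unencrypted RTP capture: split out the audio
payload and recover DTMF digits sent as RFC 2833/4733 telephone-events.
Added example, not code from the book or from Asterisk."""
import struct
from dataclasses import dataclass
from typing import Iterable, List

# The telephone-event payload type is dynamic (negotiated in SDP); 101 is a
# common choice and is assumed for the constructed capture below.
TELEPHONE_EVENT_PT = 101
PCMU_PT = 0                       # static payload type for G.711 mu-law
EVENT_CHARS = "0123456789*#ABCD"  # RFC 4733 event codes 0..15


@dataclass
class RtpPacket:
    marker: bool
    payload_type: int
    seq: int
    timestamp: int
    ssrc: int
    payload: bytes


def parse_rtp(datagram: bytes) -> RtpPacket:
    """Parse one RTP packet (RFC 3550) taken from a UDP payload."""
    if len(datagram) < 12:
        raise ValueError("short RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", datagram[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    padding, extension, csrc_count = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    offset = 12 + 4 * csrc_count
    if extension:  # 16-bit profile id, then 16-bit length in 32-bit words
        if len(datagram) < offset + 4:
            raise ValueError("truncated extension header")
        ext_words = struct.unpack("!H", datagram[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    end = len(datagram) - (datagram[-1] if padding else 0)  # last byte = pad length
    if offset > end:
        raise ValueError("malformed RTP packet")
    return RtpPacket(bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc, datagram[offset:end])


def audio_bytes(packets: Iterable[RtpPacket], pt: int = PCMU_PT) -> bytes:
    """Concatenate the audio payload in sequence order (no handling of the
    16-bit sequence number wrapping; a real tool would track that)."""
    audio = [p for p in packets if p.payload_type == pt]
    return b"".join(p.payload for p in sorted(audio, key=lambda p: p.seq))


def extract_dtmf(packets: Iterable[RtpPacket]) -> str:
    """Return the digits carried as telephone-events. A digit is emitted on its
    first end-bit packet; the end packet is normally repeated three times for
    redundancy, so later copies (same SSRC and start timestamp) are skipped."""
    digits, seen = [], set()
    for p in packets:
        if p.payload_type != TELEPHONE_EVENT_PT or len(p.payload) < 4:
            continue
        event, flags, _duration = struct.unpack("!BBH", p.payload[:4])
        if not flags & 0x80:          # E bit clear: event still in progress
            continue
        key = (p.ssrc, p.timestamp)   # RTP timestamp marks the event's start
        if key in seen or event >= len(EVENT_CHARS):
            continue
        seen.add(key)
        digits.append(EVENT_CHARS[event])
    return "".join(digits)


# --- constructed capture (made up for this example) --------------------------

def build_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes, marker: bool = False) -> bytes:
    """Build a minimal RTP packet: V=2, no padding, extension or CSRCs."""
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def telephone_event(event: int, end: bool, duration: int, volume: int = 10) -> bytes:
    """RFC 4733 payload: event code, E/R/volume byte, 16-bit duration."""
    return struct.pack("!BBH", event, (0x80 if end else 0) | (volume & 0x3F), duration)


def constructed_capture(digits: str = "1234#") -> List[bytes]:
    """20 ms PCMU frames of mu-law silence interleaved with DTMF events."""
    ssrc, seq, ts, datagrams = 0x1234ABCD, 1000, 160000, []
    for d in digits:
        for _ in range(3):
            datagrams.append(build_rtp(PCMU_PT, seq, ts, ssrc, b"\xff" * 160))
            seq, ts = seq + 1, ts + 160
        event, start = EVENT_CHARS.index(d), ts
        for n in range(3):                      # event in progress, marker on first
            datagrams.append(build_rtp(TELEPHONE_EVENT_PT, seq, start, ssrc,
                                       telephone_event(event, False, 160 * (n + 1)), marker=(n == 0)))
            seq += 1
        for _ in range(3):                      # end packet, sent three times
            datagrams.append(build_rtp(TELEPHONE_EVENT_PT, seq, start, ssrc,
                                       telephone_event(event, True, 800)))
            seq += 1
        ts += 800                                # 100 ms of event at 8 kHz
    return datagrams


def analyse(datagrams: Iterable[bytes]) -> dict:
    packets = [parse_rtp(d) for d in datagrams]
    return {"dtmf": extract_dtmf(packets), "audio_len": len(audio_bytes(packets))}


if __name__ == "__main__":
    print(analyse(constructed_capture()))   # {'dtmf': '1234#', 'audio_len': 2400}
```

               Feed real traffic through it by reading UDP payloads from a pcap (for example with dpkt or scapy) and passing them to parse_rtp; the only thing a passive attacker needs is a tap on the right segment.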


               Spoofing
               In the traditional telephone network, it is very difficult to successfully adopt someone
               else’s identity. Your activities can (and will) be traced back to you, and the authorities
               will quickly put an end to the fun. In the world of IP, it is much easier to remain
               anonymous. As such, it is no stretch to imagine that hordes of enterprising criminals
               will be only too happy to make calls to your credit card company or bank, pretending
               to be you. If a trusted mechanism to combat spoofing is not found, we will quickly
               learn that we cannot trust VoIP calls.


               What Can Be Done?

               The first thing to keep in mind when considering security on a VoIP system is that VoIP
               is based on network protocols and needs to be evaluated from that perspective. This is
               not to say that traditional telecom security should be ignored, but we need to pay
               attention to the underlying network.

               Basic network security
               One of the most effective things that can be done is to secure access to the voice network.
               Firewalls and VLANs are examples of how this can be achieved. By default, the voice
               network should be accessible only to those things that have a need. For example, if you
               do not have any softphones in use, do not allow client PCs access to the voice network.
               Segregating voice and data traffic.  Unless there is a need to have voice and data on the same
               network, there is value in keeping them separate (this has other benefits as well, such as
               simplifying QoS configuration). It is not unheard of to build the internal voice network
               on a totally separate LAN, using existing CAT3 cabling and terminating on inexpensive
               network switches; it can be less expensive, too. Keep in mind that separation only helps
               if it is enforced at every point where the two networks meet, such as the PC port on the
               back of an IP phone or a workstation with an interface on each network.
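               The “accessible only to those things that have a need” rule from the basic network security and segregation passages above, expressed as a default-deny check over flow records, as an added example that is not code from the book or from Asterisk. The subnets, the PBX address, the list of softphone PCs and the record format are all assumptions; the port numbers are SIP 5060/5061, IAX2 4569 and Asterisk's default rtp.conf range of 10000 to 20000.

```python
"""Check flow records against a default-deny policy for the voice network:
only voice-network hosts, plus explicitly listed softphone PCs, may reach
SIP/IAX2/RTP on the PBX. Added example; the subnets, hosts and record
format are assumptions, not values from the book."""
import ipaddress
from dataclasses import dataclass
from typing import List

VOICE_NET = ipaddress.ip_network("10.10.20.0/24")          # assumed voice VLAN
PBX = ipaddress.ip_address("10.10.20.5")                   # assumed Asterisk host
SOFTPHONE_HOSTS = {ipaddress.ip_address("10.10.10.77")}    # the only PCs that need voice

SIP_UDP_PORTS = {5060}
SIP_TCP_PORTS = {5060, 5061}      # 5061 is SIP over TLS
IAX2_PORT = 4569
RTP_PORTS = range(10000, 20001)   # Asterisk's default rtp.conf range


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Constructed record format: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def is_voice_service(flow: Flow) -> bool:
    """True for the ports a phone or softphone legitimately talks to on the PBX."""
    if flow.proto == "udp":
        return flow.dport in SIP_UDP_PORTS or flow.dport == IAX2_PORT or flow.dport in RTP_PORTS
    return flow.proto == "tcp" and flow.dport in SIP_TCP_PORTS


def allowed(flow: Flow) -> bool:
    """Default deny into the voice network. Permit voice-to-voice traffic and
    listed softphone hosts talking to voice services on the PBX; everything
    else headed into the voice VLAN (SSH, the PBX's web interface, RTP from
    unlisted PCs) is a violation."""
    if flow.dst not in VOICE_NET:
        return True                   # this policy only governs traffic into the voice VLAN
    if flow.src in VOICE_NET:
        return True
    return flow.src in SOFTPHONE_HOSTS and flow.dst == PBX and is_voice_service(flow)


def violations(lines: List[str]) -> List[Flow]:
    """Return the flows that the policy would deny."""
    return [f for f in map(parse_flow, lines) if not allowed(f)]


# Constructed flow records, not taken from a real network.
SAMPLE_FLOWS = [
    "10.10.20.21 10.10.20.5 udp 5060",    # desk phone registering: fine
    "10.10.20.5 10.10.20.21 udp 14000",   # RTP from PBX to phone: fine
    "10.10.10.77 10.10.20.5 udp 5060",    # listed softphone PC: fine
    "10.10.10.77 10.10.20.5 udp 12044",   # its RTP: fine
    "10.10.10.42 10.10.20.5 udp 5060",    # unlisted PC trying SIP: violation
    "10.10.10.42 10.10.20.21 udp 10022",  # unlisted PC sending RTP to a phone: violation
    "10.10.10.77 10.10.20.5 tcp 22",      # softphone PC, but SSH to the PBX: violation
    "10.10.10.42 10.10.10.1 tcp 443",     # data-to-data: not this policy's concern
]

if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"DENY {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

               The same allow list is what the firewall or inter-VLAN ACL between the data and voice segments should implement; running flow exports or firewall logs through a check like this confirms that the rule set actually matches the intent.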



                                                                           VoIP Security | 205