Mailinglist Archive: opensuse (770 mails)

Re: [opensuse] connecting my telephone to the internet
  • From: Per Jessen <per@xxxxxxxxxxxx>
  • Date: Sat, 25 Aug 2012 17:13:02 +0200
  • Message-id: <k1aq1u$nh7$1@saturn.local.net>
Carlos E. R. wrote:

On 2012-08-25 16:06, Per Jessen wrote:
Carlos E. R. wrote:

I don't have field experience with Asterisk, only some training.
Reading the documentation I understood it was a risk, but I don't
recall exactly why. In a business you might get a call from a
longtime and good client, dispatch a cargo to be charged 30 days
later, and then learn it was a fired employee or someone from a
rival company, faking the ID on the phone. Yes, it is social
engineering, but trusting the number you see in your terminal is
part of the issue.

But that goes for POTS too, it isn't specific to Asterisk or VOIP.

At least here the ID via POTS could be trusted, the network was
closed.

I don't think anyone has ever called me using purely VoIP, but
running an Asterisk server that refuses inbound SIP calls seems like
having a POTS PBX that doesn't accept external calls.

No, you accept calls identified by the Telco.

Which nowadays includes Skype calls with CLID=000. It also includes
calls with suppressed or unavailable CLID. I guess calls with
suppressed CLID could still be known by the telco.

Carlos, I see no real difference:

a) accepting calls identified by the Telco.
b) accepting calls identified by the IP-address and CLID.

They both include all kinds of unidentified/able calls.
I would like to be able to ignore all calls with suppressed CLID, but
unfortunately some banks practice that by default. (and apparently the
employee cannot manually "un-suppress" it).

One security risk with Asterisk is perhaps external SIP-clients. We
have a number of people who primarily work from home. They all
have office phones at home, connected to the Asterisk box over VoIP
over the internet.

Two risks -

1) the SIP sign-on (userid+password) is, AFAIK, not encrypted, so it
could be intercepted, giving someone access to use our internal
system.

2) brute force attack trying to guess the password. It is
easily countered, but we had a case last year where someone managed
to guess a SIP userid+password. It meant a slightly higher
phone-bill that month :-)

You can encrypt both login data and conversations (two separate
configs). We did that during my training.

You're right, SIP can be done with TLS, but I don't think our Asterisk
supports it (1.4.x, it's back-level).



--
Per Jessen, Zürich (24.0°C)
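
The brute-force guessing of a SIP userid+password mentioned in the message shows up in the Asterisk log as repeated failed registrations from one source. The following is an added example, not part of the original mail or of Asterisk: it counts failures per source address in a sliding window. The log lines are constructed, and the chan_sip "Registration from ... failed for" NOTICE format, the IPv4-only match, the threshold and the function names are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed chan_sip failure notice; newer releases append ":port" to the address.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\].*? Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
)
USER_RE = re.compile(r"sip:([^@>;]+)@")

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: {"failures": n, "users": [...]}} for every source that
    reaches `threshold` failed registrations inside any `window` interval.
    Lines are assumed to be in chronological order, as in a log file."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    totals = defaultdict(int)     # ip -> failures over the whole input
    users = defaultdict(set)      # ip -> SIP userids that were tried
    flagged = set()
    for line in lines:
        m = FAIL_RE.match(line.strip())
        if not m:
            continue              # successful registrations, other channels, ...
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, q = m["ip"], recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        totals[ip] += 1
        u = USER_RE.search(m["from"])
        if u:
            users[ip].add(u.group(1))
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: {"failures": totals[ip], "users": sorted(users[ip])}
            for ip in sorted(flagged)}

# Constructed sample log: one guessing run, one home worker mistyping twice.
FMT = ("[2012-08-25 {t}] NOTICE[2578] chan_sip.c: Registration from "
       "'<sip:{u}@192.0.2.10>' failed for '{ip}' - Wrong password")
SAMPLE_LOG = [
    *(FMT.format(t=f"03:14:{s:02d}", u="201", ip="203.0.113.45") for s in range(0, 12, 2)),
    FMT.format(t="09:02:11", u="105", ip="198.51.100.7"),
    FMT.format(t="09:40:30", u="105", ip="198.51.100.7"),
    "[2012-08-25 09:41:02] VERBOSE[2578] chan_sip.c: Registered SIP '105' at 198.51.100.7 port 5060",
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

The flagged addresses can then be fed to a firewall block list; the two widely spaced failures from the home worker stay below the default threshold.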
