Remote Endpoint Security: Strategy & Evaluation

My Asterisk system is stood up and it works so well that I would like to be able to remotely access it with either my SIP client on my Android device or a traditional Linksys ATA (SPA2102).

Before doing so, I am interested in understanding the key security issues. Is there a good cookbook out there that addresses this? I am particularly concerned with secure Authentication and Authorization considerations. It sure would be nice to be able to travel and be able to securely access my home Asterisk system: Asterisk 1.8.6.0 on an ASUS RT-N16 router.

Update: I noticed that the configuration interface for the SPA2102 provides two fields for Authentication:

  1. Mini Certificate
  2. SRTP Private key

Here is a snapshot:

That being said, I am hoping that someone with experience using the Mini Certificate to secure remote endpoints (Linksys ATAs) to Asterisk would be able to provide pointers to secure configuration knowledge URLs. A paper evaluating the security posture of the Magnusson SRTP implementation is here.

I am more concerned with securing credentials and not really concerned about privacy of the video/audio, though it would be a bonus.

There are many ways and many sites defining Asterisk security considerations. For reference, you can check the following:
voip-info.org/wiki/view/Asterisk+security

Also check the links given at the bottom of the page. I suggest you use a VPN to connect to your server for additional security, and then you can connect your SIP phone to Asterisk. Open VPN type is better for mobility using Cisco VPN client.
Hope this helps.

Fail2ban is a good idea, because it will block too many attempts to connect.
VPN is good but not always possible.
Lock down all ports in iptables and only open what's necessary; where possible, don't use standard ports.

One question to the group from my side is: can MD5 encryption only be used between Asterisk servers, or can you use it for devices as well?

Rudi