SIP over the internet
-
@Dashrender said:
My quest is more on the, we're using SIP over the internet, why does it seem that encryption is the exception, not the rule?
Because it takes effort, in the end your calls are dumped onto the insecure PSTN, the other end isn't encrypted anyway and it has little security value. Moderate effort to nominal value means ... why would anyone care?
Sure if you are a government agent, a spy, are calling in Wall St. trades.... something where spending millions to hack your calls is worth it then by all means, encrypt. But if you are a normal person, it seems pretty silly.
-
And this is what I wanted from this conversation... pulling me off the ledge I was standing on.
I definitely understand the
There is a reasonable level of security that makes you not be low hanging fruit, do that stuff.
While I may still have a personal twing I can't seem to get over, I know I can push myself past it and implementation.
-
Where are you thinking of implementing the encryption? Between the PBX and the endpoint(s)? Where will the endpoint(s) be? Internal, external?
-
@scottalanmiller said:
Where are you thinking of implementing the encryption? Between the PBX and the endpoint(s)? Where will the endpoint(s) be? Internal, external?
Anywhere that SIP runs over the internet. i.e. from the SIP provider to my PBX and from my PBX to endpoints that are external (all if it's an all or nothing thing).
-
As a grad project for a security class we used a SIP-to-SIP connection over a common switch. While it wasn't hard to "eavesdrop" it took a significant amount of effort and processing power. Which was surprising to our group. It was in a controlled environment and we managed to do it in two ways. The first was SIP spoofing/poisoning, Where we responded to both sides of the conversations as the other side and recorded the packets going through. Classic man-in-the-middle attack on both end points. Noticeable lag on the end points though so you could quickly see that something wasn't right. The second was a kind of brute force. We sniffed the network and recorded every RTP packet that went through the network and then "manually" reordered them into the correct stream. It was a cool project and really illustrated how difficult "hacking" this actually is.
-
@Dashrender said:
Anywhere that SIP runs over the internet. i.e. from the SIP provider to my PBX ...
Rarely do you have a choice there. They provide what they provide. They don't normally bother with encryption because the IPs are locked on both ends (normally) providing all of the real world security that you normally need.
-
@coliver said:
As a grad project for a security class we used a SIP-to-SIP connection over a common switch. While it wasn't hard to "eavesdrop" it took a significant amount of effort and processing power. Which was surprising to our group. It was in a controlled environment and we managed to do it in two ways. The first was SIP spoofing/poisoning, Where we responded to both sides of the conversations as the other side and recorded the packets going through. Classic man-in-the-middle attack on both end points. Noticeable lag on the end points though so you could quickly see that something wasn't right. The second was a kind of brute force. We sniffed the network and recorded every RTP packet that went through the network and then "manually" reordered them into the correct stream. It was a cool project and really illustrated how difficult "hacking" this actually is.
Especially network hacking, which is what we are talking about here. This isn't breaking into a system but pulling packets off of the ISP's lines and recording them. If the attack happens from someone on your LAN, it's feasible. Do that on the ISP's network and things get really, really complicated.
-
@scottalanmiller said:
@Dashrender said:
Anywhere that SIP runs over the internet. i.e. from the SIP provider to my PBX ...
Rarely do you have a choice there. They provide what they provide. They don't normally bother with encryption because the IPs are locked on both ends (normally) providing all of the real world security that you normally need.
Well.. That doesn't solve Man-in-the-Middle.
-
@Dashrender said:
@scottalanmiller said:
@Dashrender said:
Anywhere that SIP runs over the internet. i.e. from the SIP provider to my PBX ...
Rarely do you have a choice there. They provide what they provide. They don't normally bother with encryption because the IPs are locked on both ends (normally) providing all of the real world security that you normally need.
Well.. That doesn't solve Man-in-the-Middle.
True. Are you suspecting your ISP of hijacking your connection? Where are you fearing the hijack existing?
-
You've made your point @scottalanmiller, and talked me off the ledge (mostly).
Am I worried about my ISP, no more than I have been since the confirmation of Prism. Though considering problems like the ones recently found in the WiFi used by hotels, etc that allow attackers to completely take over those devices, using security/encryption everyone should just be the norm... not having to worry about setting up my own VPN termination point, or buying someone else's would be pretty nice.
