If you are an Asterisk user, what do you see as the “security features” that it needs to have? I’m out here at the annual AstriCon event in Phoenix, Arizona, where on Thursday I am giving an “industry perspective” under the title: “Hacking and Attacking VoIP Systems – What You Need to Worry About” Given that I’m doing the talk under the VOIPSA banner, I’ll be giving my “standard” view on what the main threats are to VoIP, the tools that are out there to attack them and the best practices to protect against those threats. However, whenever I do this kind of “industry view” at a conference like this, I always try to include a section at the end that is specific to the audience.
So in this case, I thought I’d tack on a bit at the end about a “security roadmap” for Asterisk, i.e. what are the top 5 things that Asterisk developers should be thinking about. My slides are actually done (and I’m currently at 6 items on the list), but I’m not going to really post them here until I give my talk. (Come on, I have to have a bit of suspense, don’t I?) In the meantime, I thought I’d ask the question here on the blog:
What security features do you think are necessary in Asterisk?
Well, okay, I’ll list three obvious ones: 1) TLS-encrypted SIP; 2) SRTP (yes, there’s a patch, but it’s not in the main load); and 3) SRTP key exchange (sdes, DTLS, ZRTP, etc.)
But what are the other three on my list? And what would be on your list? (And if you list some great ones I haven’t thought of I’ll be sure to credit you in my preso.)
By the way, Thursday should be an interesting day (for me) here at AstriCon because there are actually three talks related to security. Obviously mine but then one right before me from someone named Mike Storella and titled “Realizing the Benefits of a Secure VoIP Telephony System” and one in the afternoon from a Patrick Young titled “Enterprise VoIP Security“. It will be entertaining to see if we are all reading from the same general pages. I’m also going to see if I can get their permission to record the sessions and put them out as Blue Box special editions. We’ll see.
In the meantime, if any of you reading this are attending AstriCon, feel free to drop me a note as I always enjoy meeting up with readers.