How to setup Encrypted Connections in Asterisk with Polycom Phones
Published on
11,487 Points
So you think no one can listen in on your VOIP conversations, eh? Well... if you haven't setup Secure Real Time Transport (SRTP), your voice communications can be hacked into by just about anyone!
First, let's talk about the intended audience for this article, and give some background on the technologies themselves.
This topic is for advanced users of Asterisk and VoIP communications. It assumes not only a basic knowledge of the Asterisk and VoIP platform, but also of SIP, XML, and Polycom configurations.
In short, it's time to put your big-boy shorts on, and break out your best grep skills. If you're not a super-geek in the VoIP telephony world, this article won't serve you much immediately; however, concept-wise, it will certainly be a good read.
Next, let's debunk some common misconceptions:
The solution? Encrypt your traffic.
Asterisk allows for the encryption of VoIP traffic between two endpoints using SRTP (Secure Real-time Transport Protocol). Of course, this support is not built in natively.
To Get SRTP, install asterisk from the srtp svn in the following manner:
Open up sip.conf, and directly under the [general] section add this line:
Full Security
Explanation
Full security denotes that all endpoints in the system must support SRTP or the calls will be dropped. This is most appropriate when you are using a closed system (one that you have complete control over) that does not use any sort of ITSP (unless your ITSP supports SRTP).
In the full security setup, the Polycom phones will accept no excuses for media transport. If, during the call setup, the phone sees that the endpoint does not support SRTP, it will just drop the call, and you will get a re-order. Here's the code:
Half Security
Explanation
Half security (despite the not-so-secure sounding name) is a compromise. In a half security configuration, the Polycom phones will request SRTP as a priority; however, if the other endpoint does not support SRTP, it will still connect the call using standard RTP.
This setup is most useful if you have a phone that needs to be able to make both secured and unsecured calls.
For instance, let’s say you have a phone on an executive’s desk. He needs to be able to order a pizza, as well as call his partner on a secure, encrypted connection. In Asterisk, you would simply set this up as two extensions. One that lives in a context of extensions.conf where it can make all the phone calls it wants in an unsecured manner, but cannot dial the secure extension, and one that lives in a secure context that can only make secured calls.
The line indicators could be something like "4101" for the extension, and "Secure" for the SRTP line.
Under half security, he could use extension 4101 for regular calling, and then use the “secure” line to make encrypted called. Here's the code:
Configuring SRTP it the Easy Way
www.phoneprovisioning.com allows you to configure half security automatically when you configure your phone using the free service.
When setting up your phone in the www.phoneprovisioning.com interface, just click the “Force SRTP” checkbox, and hit update. It will enforce SRTP on that particular phone.
Credits:
This article was originally published in the Polycom VoIP and Asterisk How To blog from www.phoneprovisioning.com. Reprinted here with permission.
First, let's talk about the intended audience for this article, and give some background on the technologies themselves.
Intended Audience
This topic is for advanced users of Asterisk and VoIP communications. It assumes not only a basic knowledge of the Asterisk and VoIP platform, but also of SIP, XML, and Polycom configurations.
In short, it's time to put your big-boy shorts on, and break out your best grep skills. If you're not a super-geek in the VoIP telephony world, this article won't serve you much immediately; however, concept-wise, it will certainly be a good read.
Platforms Discussed: A glossary of sorts...
Asterisk: Asterisk is an open source, Linux based PBX system. Commonly referred to as the Swiss Army Knife of Telephony, Asterisk is a tool kit, which when assembled in the hands of the right people, can provide a telephone communications platform unrivaled by any other proprietary platform.
Polycom: Polycom is one of the world's largest VoIP and Video conferencing solutions manufacturers. Polycom's phones are standardized, centrally provisionable, and rock-solid.
SIP: SIP stands for Session Initiated Protocol, which is a control protocol to setup VoIP tellephone calls.
SRTP: Secure Real Time Transfer Protocol. After SIP sets up the call, the actual voice and sound data is "shot" through the network using UDP packets to carry the voice. The "S" is what makes it secure. That, and the fact that it uses AES to encrypt the packets so they cannot be reassembled by a third party.
XML: eXtensible Markup Language. This file format is the successor to CSV (Comma Separated Values), and is the format for the configuration files used by Polycom Phones.
Linux: An open source operating system widely implemented across the internet. Comes with a Pengiun.
Next, let's debunk some common misconceptions:
Cell phones are not secure. They are, in fact, unbelievably insecure because they broadcast over regular radio / microwaves, and anyone can listen to your phone call with a hand held scanner you buy at Wal-Mart or Radio shack. Don’t believe me? Play around with the Uniden BC72XLT Handheld Scanner.
Landline phones are only semi-secure. The Patriot Act allows for warrantless wiretaps. You never know if some silly government official put you on a list so they can listen to your phone calls, and you might even get wiretapped by accident!
VoIP is secure, right? Wrong. VoIP traffic can be captured and reassembled and played back rather easily. Even if you have a point-to-point conversation, you are still running over an ISP who could be listening in.
The solution? Encrypt your traffic.
Asterisk allows for the encryption of VoIP traffic between two endpoints using SRTP (Secure Real-time Transport Protocol). Of course, this support is not built in natively.
To Get SRTP, install asterisk from the srtp svn in the following manner:
1. Prep the System
As usual, this is for an Ubuntu based system. Your setup may vary if you are using a different distro. #Setup the system
apt-get install
apt-get install subversion
apt-get install make
apt-get install linux-source
apt-get install kernel-package
apt-get install linux-kernel-headers
apt-get install linux-headers linux-headers-`uname -r`
#Install other needed stuff
aptitude install libconfig-tiny-perl libcupsimage2 libcups2 libmime-lite-perl libemail-date-format-perl libfile-sync-perl libfreetype6 libspandsp1 libtiff-tools libtiff4 libjpeg62 libmime-types-perl libpaper-utils psutils libpaper1 ncurses ncurses-dev libncurses-dev libncurses-gst ncurses-term libnewt libnewt-dev libnewt-pic libxml2 libxml2-dev libspandsp-dev libspandsp1 bison
#Change to the proper directory
cd /usr/src/
#Get SRTP
#You can update the SRTP version by changing the VERSION value on the next line. Check http://srtp.sourceforge.net/download.html for the most current version
number
VERSION=1.4.2.tgz
wget http://srtp.sourceforge.net/srtp-$VERSION
tar -zxvf srtp-$VERSION
cd srtp-$VERSION
./configure
make
make runtest
make install
cd /usr/src/
# Get asterisk
svn co http://svn.digium.com/svn/asterisk/team/group/srtp/ asterisk
# Get DAHDI Kernel
svn co http://svn.digium.com/svn/dahdi/linux/trunk dahdi-kernel
# Get DAHDI Tools
svn co http://svn.digium.com/svn/dahdi/tools/trunk dahdi-tools
# Get libpri
svn co http://svn.digium.com/svn/libpri/branches/1.4/ libpri
# Compile libpri
cd /usr/src/libpri
make
# Compile the DAHDI kernel
cd /usr/src/dahdi-kernel
make
make install
# Compile the tools
cd /usr/src/dahdi-tools
./configure
make
make install
make config
# Compile asterisk
cd /usr/src/asterisk
./configure
make
make install
#Set asterisk to start automatically through init.d
make config
#Create sample files for a first time user. DO NOT run this if you already have configs you want to keep! They will be over written!
make samples
2. Configure Asterisk for Secure Calls
Open up sip.conf, and directly under the [general] section add this line:
srtpcapable=yes
3. Configure the Dialplan
The next part is easy, you just need to tell Asterisk via dialplan code that you want SRTP used when certain extensions are dialed. You accomplish this by using SIPPEER to set a variable. Don’t worry about understanding that. You can just copy paste what I have below.[local_stations]
exten => _XXXX,1,Set(_SIPSRTP=${SIPPEER(${EXTEN},srtpcapable)})
exten => _XXXX,n,Dial(SIP/${EXTEN})
4. Configure Your Polycoms for SRTP
The last step is to configure your Polycom phones (the endpoints) for SRTP. There are two types of secure setups that we are going to discuss: Full Security, and Half Security.Full Security
Explanation
Full security denotes that all endpoints in the system must support SRTP or the calls will be dropped. This is most appropriate when you are using a closed system (one that you have complete control over) that does not use any sort of ITSP (unless your ITSP supports SRTP).
In the full security setup, the Polycom phones will accept no excuses for media transport. If, during the call setup, the phone sees that the endpoint does not support SRTP, it will just drop the call, and you will get a re-order. Here's the code:
sec.srtp.enable="1"
sec.srtp.leg.enable="1"
sec.srtp.offer="1"
sec.srtp.require="1"
Half Security
Explanation
Half security (despite the not-so-secure sounding name) is a compromise. In a half security configuration, the Polycom phones will request SRTP as a priority; however, if the other endpoint does not support SRTP, it will still connect the call using standard RTP.
This setup is most useful if you have a phone that needs to be able to make both secured and unsecured calls.
For instance, let’s say you have a phone on an executive’s desk. He needs to be able to order a pizza, as well as call his partner on a secure, encrypted connection. In Asterisk, you would simply set this up as two extensions. One that lives in a context of extensions.conf where it can make all the phone calls it wants in an unsecured manner, but cannot dial the secure extension, and one that lives in a secure context that can only make secured calls.
The line indicators could be something like "4101" for the extension, and "Secure" for the SRTP line.
Under half security, he could use extension 4101 for regular calling, and then use the “secure” line to make encrypted called. Here's the code:
sec.srtp.enable="1"
sec.srtp.leg.enable="1"
sec.srtp.offer="1"
sec.srtp.sessionParams.noAuth.offer="1"
sec.srtp.sessionParams.leg.noAuth.offer="1"
sec.srtp.sessionParams.leg.noAuth.require="1"
sec.srtp.sessionParams.IP_4000.noAuth.offer="1"
Configuring SRTP it the Easy Way
www.phoneprovisioning.com allows you to configure half security automatically when you configure your phone using the free service.
When setting up your phone in the www.phoneprovisioning.com interface, just click the “Force SRTP” checkbox, and hit update. It will enforce SRTP on that particular phone.
Credits:
This article was originally published in the Polycom VoIP and Asterisk How To blog from www.phoneprovisioning.com. Reprinted here with permission.
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.