How to setup Encrypted Connections in Asterisk with Polycom Phones

So you think no one can listen in on your VoIP conversations, eh? Well... if you haven't set up the Secure Real-time Transport Protocol (SRTP), your voice communications can be hacked into by just about anyone!

First, let's talk about the intended audience for this article, and give some background on the technologies themselves.

Intended Audience


This topic is for advanced users of Asterisk and VoIP communications. It assumes not only a basic knowledge of the Asterisk and VoIP platform, but also of SIP, XML, and Polycom configurations.

In short, it's time to put your big-boy shorts on, and break out your best grep skills. If you're not a super-geek in the VoIP telephony world, this article won't serve you much immediately; however, concept-wise, it will certainly be a good read.

Platforms Discussed: A glossary of sorts...

Asterisk: Asterisk is an open source, Linux-based PBX system. Commonly referred to as the Swiss Army Knife of telephony, Asterisk is a tool kit which, when assembled in the hands of the right people, can provide a telephone communications platform unrivaled by any proprietary platform.
Polycom: Polycom is one of the world's largest VoIP and video conferencing solutions manufacturers. Polycom's phones are standardized, centrally provisionable, and rock-solid.
SIP: SIP stands for Session Initiation Protocol, the control protocol used to set up VoIP telephone calls.
SRTP: Secure Real-time Transport Protocol. After SIP sets up the call, the actual voice and sound data is "shot" through the network using UDP packets to carry the voice. The "S" is what makes it secure: SRTP uses AES to encrypt the packets so they cannot be reassembled by a third party.
XML: eXtensible Markup Language. This file format is the successor to CSV (Comma Separated Values), and is the format for the configuration files used by Polycom phones.
Linux: An open source operating system widely implemented across the internet. Comes with a penguin.

Next, let's debunk some common misconceptions:

Cell phones are not secure. They are, in fact, unbelievably insecure because they broadcast over regular radio / microwaves, and anyone can listen to your phone call with a hand-held scanner you buy at Wal-Mart or Radio Shack. Don’t believe me? Play around with the Uniden BC72XLT Handheld Scanner.
Landline phones are only semi-secure. The Patriot Act allows for warrantless wiretaps. You never know if some silly government official put you on a list so they can listen to your phone calls, and you might even get wiretapped by accident!
VoIP is secure, right? Wrong. VoIP traffic can be captured and reassembled and played back rather easily. Even if you have a point-to-point conversation, you are still running over an ISP who could be listening in.

The solution? Encrypt your traffic.

Asterisk allows for the encryption of VoIP traffic between two endpoints using SRTP (Secure Real-time Transport Protocol). Of course, this support is not built in natively.

To get SRTP support, install Asterisk from the srtp SVN branch in the following manner:

1. Prep the System

As usual, this is for an Ubuntu-based system. Your setup may vary if you are using a different distro.
    #Set up the system

    apt-get install subversion
    apt-get install make
    apt-get install linux-source
    apt-get install kernel-package
    apt-get install linux-kernel-headers
    apt-get install linux-headers-`uname -r`

    #Install other needed stuff

    aptitude install libconfig-tiny-perl libcupsimage2 libcups2 libmime-lite-perl libemail-date-format-perl libfile-sync-perl libfreetype6 libspandsp1 libtiff-tools libtiff4 libjpeg62 libmime-types-perl libpaper-utils psutils libpaper1 ncurses ncurses-dev libncurses-dev libncurses-gst ncurses-term libnewt libnewt-dev libnewt-pic libxml2 libxml2-dev libspandsp-dev libspandsp1 bison

    #Change to the proper directory
    cd /usr/src/

    #Get SRTP
    #You can update the SRTP version by changing the VERSION value on the next line. Check http://srtp.sourceforge.net/download.html for the most current version number
    #(VERSION holds only the version number; the .tgz suffix is added where the tarball name is needed, so the cd below lands in the unpacked directory)
    VERSION=1.4.2
    wget http://srtp.sourceforge.net/srtp-$VERSION.tgz
    tar -zxvf srtp-$VERSION.tgz
    cd srtp-$VERSION
    ./configure
    make
    make runtest
    make install

    cd /usr/src/

    # Get asterisk
    svn co http://svn.digium.com/svn/asterisk/team/group/srtp/ asterisk

    # Get DAHDI Kernel
    svn co http://svn.digium.com/svn/dahdi/linux/trunk dahdi-kernel

    # Get DAHDI Tools
    svn co http://svn.digium.com/svn/dahdi/tools/trunk dahdi-tools

    # Get libpri
    svn co http://svn.digium.com/svn/libpri/branches/1.4/ libpri

Compile The Asterisk Files
    # Compile libpri

    cd /usr/src/libpri
    make

    # Compile the DAHDI kernel
    cd /usr/src/dahdi-kernel
    make
    make install

    # Compile the tools
    cd /usr/src/dahdi-tools
    ./configure
    make
    make install
    make config

    # Compile asterisk
    cd /usr/src/asterisk
    ./configure
    make
    make install

    #Set asterisk to start automatically through init.d
    make config

    #Create sample files for a first-time user. DO NOT run this if you already have configs you want to keep! They will be overwritten!
    make samples

2. Configure Asterisk for Secure Calls


Open up sip.conf, and directly under the [general] header add this line:
    srtpcapable=yes

3. Configure the Dialplan

The next part is easy: you just need to tell Asterisk via dialplan code that you want SRTP used when certain extensions are dialed. You accomplish this by using the SIPPEER function to set a channel variable. Don’t worry about understanding that. You can just copy and paste what I have below.
    [local_stations]
    exten => _XXXX,1,Set(_SIPSRTP=${SIPPEER(${EXTEN},srtpcapable)})
    exten => _XXXX,n,Dial(SIP/${EXTEN})

The example above will, for any given 4-digit extension, tell Asterisk to use SRTP if the endpoint supports it.
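Setting the variable only asks Asterisk to negotiate SRTP; whether a given leg actually ended up encrypted is visible in the SDP that SIP carries. The following script is an added example (not code from the original article, and not Asterisk's own code): given the SDP body of an INVITE or its 200 OK, pulled from `sip set debug on` output or a packet capture, it reports whether every active audio stream is RTP/SAVP with an a=crypto key line. The two SDP bodies are constructed samples; the key material in them is a placeholder.

```python
"""Check what a SIP call actually negotiated from its SDP.

Added example, not part of the original article and not Asterisk's own code.
Given the SDP body of an INVITE or its 200 OK, it reports whether each audio
stream is secured. The two SDP bodies below are constructed samples.
"""
import re

# Constructed: an offer that only accepts SRTP (RTP/SAVP with keying material).
SDP_SECURE = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 2222 RTP/SAVP 0 8 101
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYMATERIALxxxxxxxxxxxxxxxxx
a=rtpmap:0 PCMU/8000
"""

# Constructed: a plain RTP offer, i.e. an unencrypted call.
SDP_PLAIN = """v=0
o=- 2 2 IN IP4 192.0.2.20
s=-
c=IN IP4 192.0.2.20
t=0 0
m=audio 3333 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

MEDIA_RE = re.compile(r"^m=(\w+) (\d+) (\S+)")


def media_sections(sdp):
    """Split an SDP body into per-stream dicts: media type, port, profile, attributes."""
    sections = []
    current = None
    for line in sdp.splitlines():
        m = MEDIA_RE.match(line)
        if m:
            current = {"media": m.group(1), "port": int(m.group(2)),
                       "profile": m.group(3), "attrs": []}
            sections.append(current)
        elif current is not None and line.startswith("a="):
            current["attrs"].append(line[2:])
    return sections


def classify_stream(section):
    """'srtp' for an SAVP stream with keying, 'rtp' otherwise, 'rejected' if port 0."""
    if section["port"] == 0:
        return "rejected"
    has_crypto = any(a.startswith("crypto:") for a in section["attrs"])
    if section["profile"] in ("RTP/SAVP", "RTP/SAVPF") and has_crypto:
        return "srtp"
    if has_crypto:
        # a=crypto on a plain RTP/AVP line is only a best-effort offer; the
        # answer decides whether the stream is actually protected.
        return "rtp-with-crypto-offer"
    return "rtp"


def audio_is_encrypted(sdp):
    """True only if every active audio stream is RTP/SAVP with keying material."""
    audio = [s for s in media_sections(sdp)
             if s["media"] == "audio" and s["port"] != 0]
    return bool(audio) and all(classify_stream(s) == "srtp" for s in audio)


if __name__ == "__main__":
    for label, body in (("secure offer", SDP_SECURE), ("plain offer", SDP_PLAIN)):
        print(label, "->", "encrypted" if audio_is_encrypted(body) else "NOT encrypted")
```

Run it against the SDP of both the offer and the answer: a phone in the half-security configuration described later can offer SRTP and still be answered with plain RTP, and only the answer tells you which one the call used.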

4. Configure Your Polycoms for SRTP

The last step is to configure your Polycom phones (the endpoints) for SRTP. There are two types of secure setups that we are going to discuss: Full Security and Half Security.

Full Security
Explanation

Full security denotes that all endpoints in the system must support SRTP or the calls will be dropped. This is most appropriate when you are using a closed system (one that you have complete control over) that does not use any sort of ITSP (unless your ITSP supports SRTP).

In the full security setup, the Polycom phones will accept no excuses for media transport. If, during the call setup, the phone sees that the endpoint does not support SRTP, it will just drop the call, and you will get a reorder tone. Here's the code:
    sec.srtp.enable="1"
    sec.srtp.leg.enable="1"
    sec.srtp.offer="1"
    sec.srtp.require="1"


Half Security
Explanation

Half security (despite the not-so-secure sounding name) is a compromise. In a half security configuration, the Polycom phones will request SRTP as a priority; however, if the other endpoint does not support SRTP, it will still connect the call using standard RTP.

This setup is most useful if you have a phone that needs to be able to make both secured and unsecured calls.

For instance, let’s say you have a phone on an executive’s desk. He needs to be able to order a pizza, as well as call his partner on a secure, encrypted connection. In Asterisk, you would simply set this up as two extensions. One that lives in a context of extensions.conf where it can make all the phone calls it wants in an unsecured manner, but cannot dial the secure extension, and one that lives in a secure context that can only make secured calls.

The line indicators could be something like "4101" for the extension, and "Secure" for the SRTP line.

Under half security, he could use extension 4101 for regular calling, and then use the “Secure” line to make encrypted calls. Here's the code:
    sec.srtp.enable="1"
    sec.srtp.leg.enable="1"
    sec.srtp.offer="1"
    sec.srtp.sessionParams.noAuth.offer="1"
    sec.srtp.sessionParams.leg.noAuth.offer="1"
    sec.srtp.sessionParams.leg.noAuth.require="1"
    sec.srtp.sessionParams.IP_4000.noAuth.offer="1"
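When a fleet of phones is provisioned from a directory of XML files, it is easy to lose track of which handsets are in the full security configuration and which are in the half security configuration described in the two sections above. The script below is an added example (not from the original article and not Polycom's own tooling): it walks a Polycom configuration file, collects every sec.srtp.* attribute wherever it appears, and classifies the phone as full (SRTP required), half (SRTP offered, RTP fallback allowed) or none. The XML samples are constructed and deliberately minimal; real Polycom files nest these attributes under their own element hierarchy, which is why the parser checks every element rather than one fixed path. The reading of the noAuth parameters as SDP's UNAUTHENTICATED_SRTP session parameter (encryption without message authentication) is my assumption about Polycom's naming, not something the article states.

```python
"""Classify the SRTP policy expressed by a Polycom configuration file.

Added example, not from the original article or from Polycom. It reads the
sec.srtp.* attributes the article lists and reports whether a phone is set up
for "full" security (SRTP required), "half" security (SRTP offered, plain RTP
fallback allowed) or no SRTP at all. The XML layout below is a constructed
sample; the parser walks every element so it does not depend on the layout.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a "full security" phone, using the article's values.
FULL_SECURITY_XML = """<polycomConfig>
  <sec sec.srtp.enable="1" sec.srtp.leg.enable="1"
       sec.srtp.offer="1" sec.srtp.require="1"/>
</polycomConfig>"""

# Constructed sample: a "half security" phone, using the article's values.
HALF_SECURITY_XML = """<polycomConfig>
  <sec sec.srtp.enable="1" sec.srtp.leg.enable="1" sec.srtp.offer="1"
       sec.srtp.sessionParams.noAuth.offer="1"
       sec.srtp.sessionParams.leg.noAuth.offer="1"
       sec.srtp.sessionParams.leg.noAuth.require="1"
       sec.srtp.sessionParams.IP_4000.noAuth.offer="1"/>
</polycomConfig>"""


def srtp_attributes(xml_text):
    """Return a dict of every sec.srtp.* attribute found anywhere in the file."""
    found = {}
    root = ET.fromstring(xml_text)
    for element in root.iter():
        for name, value in element.attrib.items():
            if name.startswith("sec.srtp."):
                found[name] = value
    return found


def classify_policy(xml_text):
    """Return 'full', 'half' or 'none' for the phone's SRTP policy."""
    attrs = srtp_attributes(xml_text)
    enabled = attrs.get("sec.srtp.enable") == "1"
    offers = attrs.get("sec.srtp.offer") == "1"
    requires = attrs.get("sec.srtp.require") == "1"
    if not enabled or not offers:
        return "none"
    return "full" if requires else "half"


def audit(xml_text):
    """Return (policy, warnings) so one call yields everything a reviewer needs."""
    attrs = srtp_attributes(xml_text)
    policy = classify_policy(xml_text)
    warnings = []
    if policy == "half":
        warnings.append("phone falls back to plain RTP when the far end lacks SRTP")
    # Assumption: the noAuth parameters map to SDP's UNAUTHENTICATED_SRTP, i.e.
    # the media is encrypted but not integrity-protected. Flag it for review.
    if any(".noAuth." in name and value == "1" for name, value in attrs.items()):
        warnings.append("unauthenticated SRTP (noAuth) is offered or required")
    return policy, warnings


if __name__ == "__main__":
    for label, body in (("full", FULL_SECURITY_XML), ("half", HALF_SECURITY_XML)):
        policy, warnings = audit(body)
        print(f"{label}: policy={policy} warnings={warnings}")
```

Point `audit()` at each file your provisioning server hands out and anything that comes back "half" or "none" on a phone that is supposed to live only in the secure context is worth a second look.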


Configuring SRTP the Easy Way

www.phoneprovisioning.com allows you to configure half security automatically when you configure your phone using the free service.

When setting up your phone in the www.phoneprovisioning.com interface, just click the “Force SRTP” checkbox, and hit update. It will enforce SRTP on that particular phone.

Credits:
This article was originally published in the Polycom VoIP and Asterisk How To blog from www.phoneprovisioning.com. Reprinted here with permission.
Author: DrDamnit

Expert Comment by DanRollins:
I agree that landline phones are not secure... but not just because a mistake could be made by a law-enforcement agency, but also because it is trivially easy for, say, an industrial spy to install an illegal wiretap.  It's probably better to set up for secure company phone traffic now, than to apologize to the boss later.