Securing media streams in an Asterisk-based environment and evaluating the resulting performance cost

Clayton, Bradley

08 January 2007

When adding Confidentiality, Integrity and Availability (CIA) to a multi-user VoIP (Voice over IP) system, performance and quality are at risk. The aim of this study is twofold. Firstly, it describes current methods suitable to secure voice streams within a VoIP system and make them available in an Asterisk-based VoIP environment. (Asterisk is a well established, open-source, TDM/VoIP PBX.) Secondly, this study evaluates the performance cost incurred after implementing each security method within the Asterisk-based system, using a special testbed suite, named DRAPA, which was developed expressly for this study. The three security methods implemented and studied were IPSec (Internet Protocol Security), SRTP (Secure Real-time Transport Protocol), and SIAX2 (Secure Inter-Asterisk eXchange 2 protocol). From the experiments, it was found that bandwidth and CPU usage were significantly affected by the addition of CIA. In ranking the three security methods in terms of these two resources, it was found that SRTP incurs the least bandwidth overhead, followed by SIAX2 and then IPSec. Where CPU utilisation is concerned, it was found that SIAX2 incurs the least overhead, followed by IPSec, and then SRTP.

Asterisk (Computer file)

Computer networks -- Security measures

Internet telephony -- Security measures

VoIP : a corporate governance approach to avoid the risk of civil liability

Gerber, Tian Johannes

January 2012

Since the deregulation of Voice over Internet Protocol (VoIP) in 2005, many South African organizations are now attempting to leverage its cost saving and competitive values. However, it has been recently cited that VoIP is one of the greatest new risks to organizations and this risk is cited to increase Information Security insurance premiums in the near future. Due to the dynamic nature of the VoIP technology, regulatory and legislative concerns such as lawful interception of communications and privacy may also contribute to business risk. In order to leverage value from the VoIP implementation, an organization should implement the technology with knowledge of the potential risk of civil liability. This is further highlighted by the King III Report which indicates that the Directors of an organization should be ultimately responsible for Corporate Governance and, therefore, IT Governance and Information Security Governance. The report goes further to say that any newly implemented technology, such as VoIP, should comply with all South African legislation and regulations. This responsibility encourages the practice of both due care and due diligence. However, recent trends exercised by Information Security professionals, responsible for drafting Information Security policies and related procedures, often neglect the regulatory requirements and choose to only implement international best practices with no consideration of the risk of civil liability. Although these best practice frameworks may inadvertently comply with existing local legislation, a chance of an oversight is possible. Oversights may not only result in criminal sanctions, but also civil action due to losses or damages suffered. With regard to implementing VoIP, good Corporate Governance could potentially be ensured through the use of both identified regulations and relevant international best practices. This dissertation aims to aid organizations in avoiding or at least mitigating the risk of civil liability to better leverage VoIP’s value, through good Corporate Governance practices. This should aid in the exercise of due care and due diligence when implementing VoIP as a means of conducting business communication.

Internet telephony -- Security measures

Telecommunication policy -- South Africa

Securing softswitches from malicious attacks

Opie, Jake Weyman

January 2007

Traditionally, real-time communication, such as voice calls, has run on separate, closed networks. Of all the limitations that these networks had, the ability of malicious attacks to cripple communication was not a crucial one. This situation has changed radically now that real-time communication and data have merged to share the same network. The objective of this project is to investigate the securing of softswitches with functionality similar to Private Branch Exchanges (PBX) from malicious attacks. The focus of the project will be a practical investigation of how to secure ILANGA, an ASTERISK-based system under development at Rhodes University. The practical investigation that focuses on ILANGA is based on performing six varied experiments on the different components of ILANGA. Before the six experiments are performed, basic preliminary security measures and the restrictions placed on the access to the database are discussed. The outcomes of these experiments are discussed and the precise reasons why these attacks were either successful or unsuccessful are given. Suggestions of a theoretical nature on how to defend against the successful attacks are also presented.

Internet telephony -- Security measures

Computer networks -- Security measures

Digital telephone systems

Computer network protocols

TCP/IP (Computer network protocol)

Switching theory