[u-u] FreePBX expertise? Re: Business Internet Providers in Toronto?

David Gilbert uu at dclg.ca
Fri Feb 7 13:18:35 EST 2020


On 2020-02-07 12:47, D. Hugh Redelmeier wrote:

> | From: Hugh Gamble <hugh at phaedrav.com>
>
> | Anybody know and recommend some local FreePBX/Asterisk expertise?
>
> What's the current situation with VoIP privacy and security?

Well... for your own traffic, there are a lot of options.  VPNs are 
popular.  Asterisk supports SIP over TCP or even TLS.  Most carriers, 
however, don't support these... so your voice traffic is about as 
vulnerable as it was before you started using VoIP.  Unless you're going 
for absurdly cheap rates, you'll be dealing with someone who passes your 
traffic onto the regular phone network fairly locally.  That said, even 
Bell Canada does some LD arbitrage over plain VoIP... so ...

> When I played with this stuff long long ago, encryption wasn't normal
> with SIP.  The actual VoIP transport (negotiated by SIP) was RTP, and
> there was a secure version (SRTP) but no way to negotiate session
> keys.
>
> One problem was that SIP was envisioned as peer-to-peer so any crypto
> would have to be opportunistic.

It's better ... TLS is generally a zero config (assuming your certs are 
signed by known entities), but ...

> In the Real World, most VoIP seemed to end up client to ITSP and so
> cryptography could have been pre-arranged (but generally wasn't).  I
> never found an ITSP willing to connect through an IPsec tunnel.  VoIP
> clients (SIP phones and the like) were not secure either.

Well... you can, say, buy DSL from someone like me (or, I assume D'arcy 
or TS) where your VoIP would go via semi-private (bell-only) networking 
to your ITSP.  We tend to only advise secure protocols for people not 
using this configuration.

> Once your VoIP traffic gets to the ITSP, they need to ship it to its
> destination.  They generally use a mixture of the PSTN (Public
> Switched Telephone Network) and VoIP trunks of some kind.  What kind
> of security and privacy regime is used for those?

In my case, I pass most traffic over direct connections in 151 Front... 
but you're not really going to know for most.

> I would not want to run a business with my VoIP traversing the
> internet in the clear.  Remember: metadata also matters.
>
> There are proprietary VoIP programs that have varying levels of privacy
> but they tend not to have a gateway to the PSTN and they tend to lock you
> into their client software (no conventional handsets).  I certainly don't
> know what's available.

Well... therein lies the rub.  My advice would be to be very concerned 
where you're using a handset over the arbitrary internet.  At the very 
least, encrypting the meta data (SIP) protects you from fraud (where 
people try to steal your account to pass expensive traffic).  For my 
non-local (DSL) customers, I offer open-vpn termination with an open-vpn 
file that routes everything to my IPs through the VPN.  Takes care of 
clients that don't support fancier protocols, and will run on the 
dedicated handsets we hand out, too.

But... being fairly deep in the wholesale VoIP industry (and having been 
so for some time), I would say that your LD traffic is generally passed 
around without regards to security.  I have never had another carrier 
ask for a VPN or even an encrypted SIP connection.  Security tends to 
be simply static IPs.
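
Added example, not part of the original message and not code from Asterisk or any carrier: a check of the two points discussed in this thread, whether the SIP signalling is encrypted and how the SRTP key (if any) is negotiated. The function name `assess_invite`, the hostnames and the addresses are hypothetical, and the INVITE is constructed. Note that SDES over TLS protects the key hop by hop only.

```python
import re

# Constructed sample (not captured traffic): INVITE over UDP offering SDES-keyed SRTP.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:4165550100@itsp.example SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
    "From: <sip:alice@pbx.example>;tag=1",
    "To: <sip:4165550100@itsp.example>",
    "Call-ID: constructed-1@192.0.2.10",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 10000 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY-PLACEHOLDER",
])


def assess_invite(message):
    """Report how one SIP message protects its signalling and its media."""
    head, _, sdp = message.partition("\r\n\r\n")
    # The topmost Via header names the transport used on this hop.
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    sip_encrypted = transport in ("TLS", "WSS")
    media = re.search(r"^m=audio \d+ (\S+)", sdp, re.M)
    proto = media.group(1) if media else ""
    if proto.startswith("UDP/TLS/RTP/SAVP") and "a=fingerprint:" in sdp:
        keying = "dtls-srtp"   # key agreed in a DTLS handshake on the media path
    elif proto.startswith("RTP/SAVP") and "a=crypto:" in sdp:
        keying = "sdes"        # key carried inside the SDP body itself
    else:
        keying = "none"        # plain RTP
    findings = []
    if not sip_encrypted:
        findings.append("SIP metadata readable on path")
    if keying == "none":
        findings.append("audio is plain RTP")
    elif keying == "sdes" and not sip_encrypted:
        findings.append("SRTP key sent in cleartext SDP")
    return {"transport": transport, "keying": keying, "findings": findings}


if __name__ == "__main__":
    print(assess_invite(SAMPLE_INVITE))
```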



