
IP Office Secure Connection

Status
Not open for further replies.

RW111
Programmer, GB
Feb 28, 2004
Just wondering how far you guys go to make IPO secure for administration, SIP trunk & SIP/h323 endpoint registration.

Is any one using certificates and if so can anyone explain step by step as to how use them on IPO?

As far as I can see, a certificate identifies the system to a connecting client device (usually Manager running on a PC), and if it is a trusted certificate registered with a Certificate Authority, both a public and private key are used to encrypt/decrypt data between system and PC.

Can I generate a certificate just for my maintained systems and add this certificate to all our engineers' PCs so only they can connect?

Can I make it so that unless you have a certificate installed you cannot administer the system?

Do I need a separate certificate for every system or could I have one master one used for all systems?

Do we need to pay a CA for a certificate so as to have an exchange of public / private keys?

Any disadvantages with certificates? (Apologies if the above sounds stupid, but I have not worked with certificates before.)

With SIP endpoints, what methods have you used to stop hackers registering (hacking passwords)? Ideally we would like to open up the firewall to allow any device (hardphone / softphone) to register, but not simply rely on user/passwords. With other systems we can tie this down to MAC address?

Any advice would be great.

Thanks
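The questions above ask whether a certificate can be used so that only engineers' PCs can connect, and whether one master certificate can serve every maintained system. The program below is an added illustration written for this thread; it is not from the thread, from Avaya, or from IP Office documentation, and whether Manager/IP Office itself supports client-certificate authentication is not something the thread establishes. It uses Go's standard crypto/x509 and crypto/tls to show the general mechanism: one private CA (no paid CA involved) issues a certificate for a system and a certificate for an engineer's PC, and a loopback TLS listener in mutual-TLS mode admits the CA-issued client, rejects a client with no certificate, and rejects a client whose certificate comes from an unrelated CA. The names "Engineering private CA", "ipo-mgmt", "engineer-laptop" and "stranger" are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}
// mustIssue mints a P-256 certificate for cn: self-signed (a private root CA) when parent is nil, else signed by parent.
func mustIssue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // SAN matching the loopback demo address
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// mutualTLSDemo runs a loopback mutual-TLS listener, tries three clients, and returns (issuedCertAdmitted, noCertAdmitted, unrelatedCAAdmitted).
func mutualTLSDemo() (bool, bool, bool) {
	ca, caKey := mustIssue("Engineering private CA", true, nil, nil) // one CA for every system we maintain (made-up name)
	srv, srvKey := mustIssue("ipo-mgmt", false, ca, caKey)          // the managed system's identity (made-up name)
	cli, cliKey := mustIssue("engineer-laptop", false, ca, caKey)   // an engineer's PC (made-up name)
	otherCA, otherKey := mustIssue("Unrelated CA", true, nil, nil)  // a CA we never chose to trust
	foreign, foreignKey := mustIssue("stranger", false, otherCA, otherKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no CA-issued client cert, no session
		ClientCAs:    pool,                           // only chains ending at our CA are accepted
	})
	check(err)
	defer ln.Close()
	connect := func(cert *tls.Certificate) bool {
		go func() { // server side: accept one connection for this attempt
			if c, err := ln.Accept(); err == nil {
				defer c.Close()
				if tc := c.(*tls.Conn); tc.Handshake() == nil { // only a verified client gets the greeting
					tc.Write([]byte("OK\n"))
				}
			}
		}()
		cfg := &tls.Config{RootCAs: pool} // the PC trusts the system's cert through the same private CA
		if cert != nil {
			cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return cert, nil }
		}
		conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
		if err != nil {
			return false
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		_, err = io.ReadFull(conn, make([]byte, 3)) // a rejected client sees a TLS alert here instead of "OK\n"
		return err == nil
	}
	issuedCert := tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}
	foreignCert := tls.Certificate{Certificate: [][]byte{foreign.Raw}, PrivateKey: foreignKey}
	return connect(&issuedCert), connect(nil), connect(&foreignCert)
}

func main() {
	issued, none, foreign := mutualTLSDemo()
	fmt.Printf("CA-issued cert admitted: %v, no cert admitted: %v, unrelated CA admitted: %v\n", issued, none, foreign)
}
```

Running it with `go run` prints `CA-issued cert admitted: true, no cert admitted: false, unrelated CA admitted: false`. The design point is that trust is anchored in the one private CA certificate installed on each system (ClientCAs) and on each PC (RootCAs); every device still needs its own key pair and certificate, but nothing here requires a public CA, because no outside party has to trust the chain.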
 
IMHO, I think security relies on your VPN, not on your IPO; it's up to you whether you want your VPN to be super secure or not.
 
Thanks for the reply, however I think there are more options than just VPN. We maintain 100s of IP systems and would be interested in hearing a few different ideas on the above matters. But once again, thanks for replying.
 
With SIP endpoints, what methods have you used to stop hackers registering (hacking passwords)? Ideally we would like to open up the firewall to allow any device (hardphone / softphone) to register, but not simply rely on user/passwords. With other systems we can tie this down to MAC address?

You should not do this at all!!!

Also, you do not put an IPO on the public internet; it is not done and is asking for problems.
Out there are guys and girls who hack into it because they make money with it.
You will not believe how fast this will happen.

Do not try to reinvent the wheel; go for rock solid solutions that are already available.



BAZINGA!

I'm not insane, my mother had me tested!

 
Thanks for the input, and I am well aware of the dangers of opening up firewalls for SIP registration etc., which is why I'm after any recommendations on providing a flexible, secure solution for users with lots of different types of endpoint hardware/software. When you refer to "rock solid solutions", I'm guessing that you are also referring to VPN.
Cheers
 
Indeed, VPN is what I mean.
If a client wants to use SIP phones then you do not want the IPO on the internet.
Then probably an SBC is required for this.
The SBC should be able to block attacks, so it will be safer for SIP extensions on the internet.


BAZINGA!

I'm not insane, my mother had me tested!

 
TLPeter is correct.

Wherever possible go for a VPN.
NAT traversal for remote handsets is possible but should only be considered for occasional users (regular users are going to need a VPN for their computer anyway, so it is sensible to have a secure one!)

These users can be tied down by MAC address if required.

Do not forward any more ports to the IPO than are absolutely required.

8.1 systems can be configured to connect to an OpenSSL VPN for remote admin if required (although I have not done this myself).

A maintenance contract is essential, not a luxury.
Do things on the cheap & it will cost you dear.
 

Thanks for the info, guys, and for the comments on SIP registration.

Can anyone comment on whether they have used certificates when administering IPO, please?

Thanks

 
I did not, as I do not see the need for it at the moment.


BAZINGA!

I'm not insane, my mother had me tested!

 