"The comment "This is also false if we discuss an actual SIP-Proxy implementation." is based on ONE implementation which you have configured and tested in an isolated environment compared to testing 4 different commercial implementations in carrier and enterprise environments respectively."

Nope :) I've seen about 30 different implementations of various sizes all in productive environment. Only one has been very easy to break in using only a username, since no password was requested.

I agree, that there are implementations as you describe, but I don't know any _actual_ product, no matter if OS or commercial, which doesn't use "www-authentication". If there is one, you shouldn't download/buy :)

"The point is that in certain cases VoIP implementations should use encryption. Do you prefer using telnet to administer your environment or ssh, even if it is switched?"

Of course SSH. Of course I really would like to use SIP/S or RTP/s. But always when talking about an unsecure LAN environment or if crossing network borders.

But what about securing your LAN completely on Layer 2 and 3??

This would mean: Implement security one time and use you automatically would use it for any IP service!

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/infocus/1862/529#529