Hi guys,
[lengthy mail warning]
I wanted to share some thoughts on this topic and the way we use telephony in general.
In traditional telephony, a telephone is 'hooked up' to both a telephone number and a user at the same time. So at your house you have a telephone and a number, and the whole family can pick up the phone. This is by design, due to the 'fixed copper wire' telephone systems.
Now today with VoIP, we are in a converged world, where the 'old school' copper wire system is no longer needed, and thus neither is the mandatory connection between house, number and telephone.
I strongly feel that the user and the device (telephone) should be separate and independent of each other. So hot desking comes into play, but next to hot desking also user ACLs. This leads to the following 'rules':
1. A device is just a piece of hardware/software that can register, and that's it. Only emergency numbers are allowed.
2. A user should be able to walk up to any device and log on with a PIN.
3. Based on the user, an ACL level is set, which determines what the user can do.
Back in 2005 I created my own dialplan and AGI scripts so my Asterisk system was 'Hot Desk' and user ACL enabled. I used the internal Asterisk database to set the following (example where 9011 is the extension of the device). So an extension is always a piece of hardware/software with no rights (except emergency numbers).
[database show]
/device_hotdesk/9011                              : 5501
/device_tech/9011                                 : SIP
/user_acl/9011                                    : 7
/user_hotdesk/9011                                : 1
Let me explain the details (as far as I can remember; I'm doing this from memory).
/device_hotdesk/9011                              : 5501
This entry tells Asterisk that the device known as extension '9011' in Asterisk is in use by user 5501.
/device_tech/9011                                 : SIP
This entry tells Asterisk what technology to use when dialing within the AGI script.
/user_acl/9011                                    : 7
This entry tells Asterisk what user ACL is set (ranging from 0 to 9, where 0 is only emergency calls). The various ACL contexts are included (include=>) per ACL/context.
/user_hotdesk/9011                                : 1
This entry tells Asterisk whether the device/extension 9011 is in use by a user as a hot desk device. This is required to log off a previous device used by the user.
So what has this to do with security?
Well, I don't care about a device being registered to my Asterisk box. With the above way, I can use VERY strong passwords for device registration, for that will only happen once or with new devices. Security measure 1.
For a user to be able to log on to a device, they have to dial the 'log on' extension, as an example '100'. Then they are greeted with an IVR that will request the user to enter his user PIN. If accepted, the device will be 'attached' to the user and the correct ACL/contexts will be included for this user. Security measure 2 (PIN), security measure 3 (log on extension), security measure 4 (correctly respond to IVR).
In order to prevent automatic brute force attacks on user PINs, a very simple security question (random questions) can be asked to which the user will always know the answer, and punch in some digits, e.g. how many suns are there, or how many states does the USA have. Security measure 5.
So instead of registering a device and having all rights, the above will require (in an easy way) 5 security measures to prevent unauthorized access to your dialplan and trunks. Next to this, you have real hot desking including MWI. I even demonstrated it using Citrix and SUN Ray. A device MAC was 'attached' to a work desk computer MAC (in the Asterisk database). The Windows logon script passed username and password to Asterisk, where a script would log on the device with the correct credentials and voila, MWI went on, for there were messages waiting for user 5011.
I should have the old dialplan somewhere but again it was back in 2005.
Am I making any sense?
guest
ps. A device will never be called, so 9011 is just a device; a user is called, and one would dial 5501 to reach the user.
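Below is an added example of the log-on/log-off logic the message describes, written for this page and not the poster's own 2005 dialplan or AGI code. It keeps the families from the `database show` output (device_tech, device_hotdesk, user_hotdesk, user_acl) and the ACL levels 0 to 9 with 0 meaning emergency only. Everything else is an assumption for the sake of a runnable example: a user_pin family holding a salted PIN hash, user_acl keyed by user id rather than by device, user_hotdesk used as a user to device reverse key so the previous device can be logged off without scanning the database, a login_fail counter per device that locks the log-on extension after a few bad PINs, and the random IVR question passed in as an (expected, entered) pair. The in-memory AstDB class stands in for the Asterisk internal database; in a real AGI script its three methods would issue DATABASE GET, DATABASE PUT and DATABASE DEL.

```python
"""Hot-desk log-on/log-off over an astdb-style key/value store.

Added example, not the poster's own 2005 dialplan/AGI code. Families device_tech,
device_hotdesk, user_hotdesk, user_acl and ACL levels 0-9 (0 = emergency only) follow
the post. Assumed here: user_pin (salted PIN hash per user), user_acl keyed by user,
user_hotdesk as a user->device reverse key, login_fail as a per-device lockout counter."""
import hashlib
import hmac
import secrets

EMERGENCY_ONLY = 0    # ACL 0: only emergency numbers, the state of any device with no user
MAX_ACL = 9
MAX_PIN_FAILURES = 3  # assumed: refuse further log-ons from a device after this many failures
CHALLENGES = [("How many suns are there?", "1"), ("How many states does the USA have?", "50")]


class AstDB:
    """In-memory stand-in for Asterisk's internal database; keys read like `database show`."""
    def __init__(self):
        self.kv = {}
    def get(self, family, key):
        return self.kv.get(f"/{family}/{key}")
    def put(self, family, key, value):
        self.kv[f"/{family}/{key}"] = str(value)
    def delete(self, family, key):
        self.kv.pop(f"/{family}/{key}", None)


def acl_context(level):
    """Dialplan context whose include=> lines define what ACL `level` may dial."""
    level = int(level)
    if not EMERGENCY_ONLY <= level <= MAX_ACL:
        raise ValueError(f"ACL level out of range: {level}")
    return f"acl-{level}"


def pin_hash(pin, salt=None):
    """Salted SHA-256, stored as salt$hexdigest, so the astdb never holds the PIN itself."""
    salt = salt or secrets.token_hex(8)
    return salt + "$" + hashlib.sha256(f"{salt}:{pin}".encode()).hexdigest()


def pin_ok(db, user, pin):
    stored = db.get("user_pin", user)
    if stored is None:
        return False
    return hmac.compare_digest(pin_hash(pin, stored.split("$", 1)[0]), stored)


def register_device(db, device, tech="SIP"):
    """A device is only hardware that may register: it gets no user and hence ACL 0."""
    db.put("device_tech", device, tech)


def add_user(db, user, pin, acl):
    acl_context(acl)  # reject an out-of-range level before storing anything
    db.put("user_acl", user, acl)
    db.put("user_pin", user, pin_hash(pin))


def logoff_device(db, device):
    """Detach whoever is on `device`; it falls back to emergency-only."""
    user = db.get("device_hotdesk", device)
    if user is not None:
        db.delete("device_hotdesk", device)
        db.delete("user_hotdesk", user)
    return user


def login(db, device, user, pin, challenge=None):
    """The log-on extension's flow. `challenge` is (expected, entered) from the random IVR
    question. Returns the context to Goto, or None when the log-on is refused."""
    if db.get("device_tech", device) is None:
        return None                   # never attach a user to an unregistered device
    failures = int(db.get("login_fail", device) or 0)
    if failures >= MAX_PIN_FAILURES:
        return None                   # locked: an admin clears /login_fail/<device>
    answered = challenge is None or challenge[0] == challenge[1]
    if not (answered and pin_ok(db, user, pin)):
        db.put("login_fail", device, failures + 1)
        return None
    db.delete("login_fail", device)
    previous = db.get("user_hotdesk", user)
    if previous is not None and previous != device:
        logoff_device(db, previous)   # the user moved desks: free the old one
    logoff_device(db, device)         # evict whoever was still attached here
    db.put("device_hotdesk", device, user)
    db.put("user_hotdesk", user, device)
    return acl_context(db.get("user_acl", user))


def context_for(db, device):
    """Context the dialplan should Goto when `device` goes off-hook."""
    user = db.get("device_hotdesk", device)
    return acl_context(EMERGENCY_ONLY if user is None else db.get("user_acl", user))


if __name__ == "__main__":
    db = AstDB()
    register_device(db, "9011")
    add_user(db, "5501", pin="2468", acl=7)   # constructed sample user
    print(context_for(db, "9011"), login(db, "9011", "5501", "2468"))  # acl-0 acl-7
```

The dialplan side would call `context_for` (or read /device_hotdesk/ directly) when a device goes off-hook and Goto the returned acl-N context, whose include=> lines carry the actual dialling rules; a device with nobody logged on always lands in acl-0. The per-device failure counter is the cheap half of the brute-force defence; the random question is the other half, and counting a wrong answer as a failure means a script that knows the PIN but cannot parse the prompt still locks itself out.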