VPN VoIP

sunder sunder at sunder.net
Sat Apr 10 17:01:12 PDT 2004


Eugen Leitl wrote:

> I cited those routers as instances of consumer-type cheap VoIP with
> encryption, which thwarts government-mandated tapping by ISPs. Exploiting
> built-in backdoors or remotely exploitable vulnerabilities is a different
> threat model. I definitely hope routers with DynDNS/VPN/VoIP and POTS jacks 
> will become more widespread, and use opportunistic encryption as default.

Cool.

> I personally am not going to buy the router, as it is lacking functionality
> and flexibility of a Linux-based firewall.

Hmm, I wonder if the VoIP standard is open enough that fully compatible
Linux implementations could be made and integrated with ALSA...  I'm sure a
simple analog circuit could be used to get an RJ11 phone jack attached to
audio in/out once this is done...

> I'm waiting for a passively cooled ~GHz VIA C3 motherboard with two NICs and
> external fanless power supply to ditch my current proprietary, rather
> braindead firewall. I've already verified IDE-cf adapters do very nicely, and
> there are dedicated distros like http://www.nycwireless.net/pebble/ which
> don't wear down the flash with r/w on /tmp and similar.

Shouldn't be a problem if you go the Solaris route and use tmpfs/swapfs 
with no real swap.  (For those that don't know, Solaris mounts /tmp into 
virtual memory space, so if you've got tons of RAM, data written in /tmp is
actually written in RAM.)

> Should I stick with Linux (there's /dev/random and VPN support in current
> kernels for the C3 Padlock engine, right?) with SELinux or try OpenBSD for a
> firewall type machine with hardware crypto support? 

I've had very good luck with OBSD so far (knock on fake wood?)...  I'm very 
happy with pf... much nicer than iptables...  I haven't used SELinux as a 
firewall, but have experimented with it.  It's excellent in terms of 
security (if you don't mind the huge failure logs), but, it's a bitch to 
configure properly...

I'd go for something between UML (User Mode Linux) and SELinux.  Use
SELinux as the main host and UML to partition off untrusted applications in
sandboxes (i.e. to run Apache, etc.)
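As an added illustration of the kind of two-NIC firewall box the thread is discussing (this is not from either poster, and the interface names em0/em1, the 192.168.1.0/24 LAN range and the ssh-only exposure are assumptions), here is a minimal OpenBSD pf.conf in the "default deny, NAT the LAN out, log drops" shape. It uses the match/nat-to syntax of OpenBSD 4.7 and later rather than the 2004-era "nat on" form.

```pf
# /etc/pf.conf -- minimal two-NIC NAT firewall (example, assumed names)
ext_if  = "em0"                # WAN NIC (assumption)
int_if  = "em1"                # LAN NIC (assumption)
lan_net = "192.168.1.0/24"     # LAN range (assumption)
fw_tcp  = "{ ssh }"            # only service the WAN may reach on the box

set skip on lo                 # never filter loopback
set block-policy drop          # silently drop rather than send RSTs/ICMP

# Drop packets whose source address does not belong on the interface
# they arrived on (LAN addresses showing up on the WAN side, etc.)
antispoof quick for { lo $int_if }

# Reassemble fragments, randomise IP IDs, clamp MSS for PPPoE-ish links
match in all scrub (no-df random-id max-mss 1440)

# Rewrite LAN sources to the WAN address on the way out
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny everything, and log what gets dropped (pflog0)
block log all

# The firewall itself may originate anything
pass out quick inet

# LAN hosts may go anywhere (stateful, so replies come back)
pass in on $int_if inet from $lan_net to any

# From the WAN, only TCP to the listed services on the firewall itself
pass in on $ext_if inet proto tcp from any to ($ext_if) port $fw_tcp
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`, and watch dropped traffic with `tcpdump -n -e -ttt -i pflog0`. Because pf is last-match-wins except for `quick` rules, the `block log all` line has to come before the `pass` rules that punch holes in it.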


More information about the cypherpunks-legacy mailing list