I sense condescension from you. Is that intended? Naturally, I don't feel that it is warranted.
Not intended, it's just that this whole discussion frustrates me greatly. I think that any security measures should be implemented on the system side, and should not degrade the users' experience in any way. I don't see Travelin' Man as a viable solution, and I'm not real happy about the whole whitelist thing in the other thread. I think this is a case of "the good is the enemy of the best." I'll probably get stoned for saying this, but sometimes I see a tendency to release software that is "just barely good enough" and then leave it in that state. Doesn't matter if it delays calls going through, or requires users to jump through hoops, if it works at all let's move on to other things and not spend an extra few minutes or few hours to do it right.
To me, the SunshineNetworks Knock is an example of a great solution - it's easy to implement and once set up, users don't have to do a single thing or know how it works. I think there could be other great added layers of security, and it frustrates me that I'm not a coder so I can't write some of them myself (I'd definitely pursue my geographic restriction idea, for one thing - even if nobody else would use it, I would).
The other thing I notice is that in this forum there is a level of paranoia about security that I don't see anywhere else (I don't hang out on security-related sites, obviously). I know there are systems out there that have far less security than you would find in the Incredible PBX and yet have never sustained a successful attack. I'm certainly not against any reasonable security measure (reasonable being easy to implement, and never cutting off users' service unexpectedly, and never requiring users to do anything other than pick up the phone to make a call). I happen to think VPNs are a great idea for many reasons - they encrypt conversations, they solve a multitude of firewall-related issues, and they are inherently far more secure than a SIP connection. I wish we could get Linksys/Cisco to release firmware updates for their products that would include an OpenVPN client (if they needed additional firmware memory, they could remove some of the codecs that hardly anyone uses). It seems to me like a huge fail on the part of VoIP adapter manufacturers that they seem to care so little about security, but that's another rant altogether.
Still, sometimes I feel like Ward and a few others carry on like scolding nannies about security. I realize that VoIP systems do get hacked, but as I said in another post, there's a difference between a reasonably cautious "belt and suspenders" approach to security, and an overly paranoid "suit of armor" approach, where you have the system locked down so tight that no one wants to use it.
It occurs to me that Ward and the FreePBX developers and similar people in their shoes might have enough clout to talk to the people at Linksys/Cisco, Grandstream, and so on, and try to get them to include an OpenVPN client in their adapters. I think a couple of SIP phones (not adapters) already have that capability. I think right now, something like that would be the very best approach to this problem. It's too bad no one's ever managed to hack the PAP2 firmware (similar to what's been done with OpenWRT and Tomato for routers) and made some needed improvements, of which OpenVPN capability might be one.