-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lars Boegild Thomsen
Sent: Tuesday, May 18, 2004 11:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Asterisk-Users] * and Cisco routers

Well - I would assume that most Asterisk instances run on Linux boxes, so even if put directly on a public IP address it's quite possible to protect the machine and do various VPN setups (including IPSec). Speaking of which - anybody got experience with VoIP and IPSec? I've never really used IPSec, but I would imagine it creates a significant delay.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Ronald R.
> McDaniel
> Sent: 19 May 2004 11:13
> To: [EMAIL PROTECTED]
> Subject: Re: [Asterisk-Users] * and Cisco routers
>
>
> Doug,
>
> I don't believe that it would be a good idea to leave the Asterisk box
> unprotected (without any firewall). This would leave you wide open
> for people to access your internal system through the Asterisk box.
> We have all been participating in a discussion about an article
> written by the ingenious Mr. Jim Louderback, technology writer for
> Ziff Davis, regarding the security risk of IP Telephony. As far as
> the cost of vpning the phones, maybe you could use LinkSys vpn routers
> ($129.00 / each) and cut the cost in half. If you didn't want to go
> the VPN route, you could set up an access-list on your 3810 to only accept
> traffic from the known IP addresses of your home warriors. This is
> not the most secure, but it does provide some security and would
> probably block most half-hearted attempts from wannabe hackers. You
> could sell your Cisco phones, install X-Lite (free softphone) and put
> the money from the Cisco phones toward vpning your network. There are
> several ways to go, I just wouldn't leave it wide open.
>
>

I have a couple * boxes being used via IPSEC and they are functional, but it does add some delay because it's another hop thru the firewall. I don't notice a problem, but our bandwidth falls well short of Cisco's "80/20" golden rule.

By placing it directly on the Internet, you can definitely use the edge routers to filter a lot of garbage and NAT 0 the * box on a DMZ (Speaking Cisco PIX). This way, you're protected by the firewall, but still have a real IP addressable box not going thru NAT which we know SIP doesn't do very well over. If using BGP as a routing protocol, consult your ISP's community list to see if they have special tagging for QOS and tag your VOIP. Many ways to approach it.

Joe
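
The access-list approach suggested in the quoted message, sketched as a Cisco IOS extended ACL (an added example, not part of the original thread). All addresses are constructed documentation-range placeholders, the ACL name and interface name are assumptions, and the ports assume SIP on UDP 5060 with Asterisk's default RTP range of 10000-20000.

```cisco
! Added example: constructed addresses, hypothetical names.
!   198.51.100.5  = public address of the Asterisk box (placeholder)
!   203.0.113.10  = static address of remote phone 1  (placeholder)
!   203.0.113.44  = static address of remote phone 2  (placeholder)
!
ip access-list extended VOIP-IN
 remark --- SIP signalling from known remote phones only ---
 permit udp host 203.0.113.10 host 198.51.100.5 eq 5060
 permit udp host 203.0.113.44 host 198.51.100.5 eq 5060
 remark --- RTP media from the same phones (Asterisk default range) ---
 permit udp host 203.0.113.10 host 198.51.100.5 range 10000 20000
 permit udp host 203.0.113.44 host 198.51.100.5 range 10000 20000
 remark --- everything else aimed at the Asterisk box is dropped and logged ---
 deny   ip any host 198.51.100.5 log
 remark --- traffic to other hosts: substitute your existing inbound policy ---
 permit ip any any
!
! Apply inbound on the Internet-facing interface (name is an assumption).
interface Serial0
 ip access-group VOIP-IN in
```

This only suits remote users with static addresses, and the log entries on the deny line show how much unsolicited traffic is reaching the box.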
