RE: [Asterisk-Users] * and Cisco routers
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Lars Boegild Thomsen
Sent: Tuesday, May 18, 2004 11:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Asterisk-Users] * and Cisco routers

Well - I would assume that most Asterisk instances run on Linux boxes, so even if put directly on a public IP address it's quite possible to protect the machine and do various VPN setups (including IPSec).

Speaking of which - anybody got experience with VoIP and IPSec? I've never really used IPSec, but I would imagine it creates a significant delay.

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Ronald R. McDaniel
Sent: 19 May 2004 11:13
To: [EMAIL PROTECTED]
Subject: Re: [Asterisk-Users] * and Cisco routers

Doug,

I don't believe that it would be a good idea to leave the Asterisk box unprotected (without any firewall). This would leave you wide open for people to access your internal system through the Asterisk box. We have all been participating in a discussion about an article written by the ingenious Mr. Jim Louderback, technology writer for Ziff Davis, regarding the security risk of IP Telephony.

As far as the cost of vpning the phones, maybe you could use LinkSys vpn routers ($129.00 / each) and cut the cost in half. If you didn't want to go the VPN route, you could set up access-list on your 3810 to only accept traffic from the known IP addresses of your home warriors. This is not the most secure, but it does provide some security and would probably block most half-hearted attempts from wannabe hackers.

You could sell your Cisco phones, install X-Lite (free softphone) and put the money from the Cisco phones toward vpning your network. There are several ways to go, I just wouldn't leave it wide open.

I have a couple * boxes being used via IPSEC and they are functional, but it does add some delay because it's another hop thru the firewall. I don't notice a problem, but our bandwidth falls well short of Cisco's 80/20 golden rule.

By placing it directly on the Internet, you can definitely use the edge routers to filter a lot of garbage and NAT 0 the * box on a DMZ (Speaking Cisco PIX). This way, you're protected by the firewall, but still have a real IP addressable box not going thru NAT which we know SIP doesn't do very well over.

If using BGP as a routing protocol, consult your ISP's community list to see if they have special tagging for QOS and tag your VOIP.

Many ways to approach it.

Joe

___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] * and Cisco routers
-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Lars Boegild Thomsen
Sent: Tuesday, May 18, 2004 11:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Asterisk-Users] * and Cisco routers

[...]

Speaking of which - anybody got experience with VoIP and IPSec? I've never really used IPSec, but I would imagine it creates a significant delay.

I run one or more 7960's over several different VPN setups. The one that introduces the most latency is a cheap PIX (read: 501 or 506). A 515 is OK, a 515 with a crypto card is pretty acceptable. The best setup is a 1721 or better with a crypto card. I routinely run that config at each end using GRE over IPSec and have no problems (it introduces about 20 ms latency when properly configured. A cheap pix can introduce about 40 to 80 on average).

One IPSec VPN connected between a 6509 MSFC-GigE-7206VXR-DS-3-7206VXR introduces only 12 ms latency on average. Of course that's nearly $30k worth of plumbing, so one would expect that kind of performance.

Daryl
Re: [Asterisk-Users] * and Cisco routers
Doug,

I don't believe that it would be a good idea to leave the Asterisk box unprotected (without any firewall). This would leave you wide open for people to access your internal system through the Asterisk box. We have all been participating in a discussion about an article written by the ingenious Mr. Jim Louderback, technology writer for Ziff Davis, regarding the security risk of IP Telephony.

As far as the cost of vpning the phones, maybe you could use LinkSys vpn routers ($129.00 / each) and cut the cost in half. If you didn't want to go the VPN route, you could set up access-list on your 3810 to only accept traffic from the known IP addresses of your home warriors. This is not the most secure, but it does provide some security and would probably block most half-hearted attempts from wannabe hackers.

You could sell your Cisco phones, install X-Lite (free softphone) and put the money from the Cisco phones toward vpning your network. There are several ways to go, I just wouldn't leave it wide open.

Sincerely,
Ronald R. McDaniel
Southern Computer Services, Inc.
[EMAIL PROTECTED]
(251) 444-3136 office
(251) 446-3137 fax
(251) 294-1202 cell
RE: [Asterisk-Users] * and Cisco routers
Well - I would assume that most Asterisk instances run on Linux boxes, so even if put directly on a public IP address it's quite possible to protect the machine and do various VPN setups (including IPSec).

Speaking of which - anybody got experience with VoIP and IPSec? I've never really used IPSec, but I would imagine it creates a significant delay.

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Ronald R. McDaniel
Sent: 19 May 2004 11:13
To: [EMAIL PROTECTED]
Subject: Re: [Asterisk-Users] * and Cisco routers

Doug,

I don't believe that it would be a good idea to leave the Asterisk box unprotected (without any firewall). This would leave you wide open for people to access your internal system through the Asterisk box. We have all been participating in a discussion about an article written by the ingenious Mr. Jim Louderback, technology writer for Ziff Davis, regarding the security risk of IP Telephony.

As far as the cost of vpning the phones, maybe you could use LinkSys vpn routers ($129.00 / each) and cut the cost in half. If you didn't want to go the VPN route, you could set up access-list on your 3810 to only accept traffic from the known IP addresses of your home warriors. This is not the most secure, but it does provide some security and would probably block most half-hearted attempts from wannabe hackers.

You could sell your Cisco phones, install X-Lite (free softphone) and put the money from the Cisco phones toward vpning your network. There are several ways to go, I just wouldn't leave it wide open.

Sincerely,
Ronald R. McDaniel
Southern Computer Services, Inc.
[EMAIL PROTECTED]
(251) 444-3136 office
(251) 446-3137 fax
(251) 294-1202 cell
Re: [Asterisk-Users] * and Cisco routers
I personally think firewalls are a stopgap measure for the real problem. A firewall and VPN are not a foolproof method of protection. Fix the real problem instead of hiding it. I usually don't use a real firewall but ACLs and other similar methods to lock down where/who can access a box. As for Cisco routers we use ACLs to lock those where the asterisk box is the only one that can access it.

bkw

Doug,

I don't believe that it would be a good idea to leave the Asterisk box unprotected (without any firewall). This would leave you wide open for people to access your internal system through the Asterisk box. We have all been participating in a discussion about an article written by the ingenious Mr. Jim Louderback, technology writer for Ziff Davis, regarding the security risk of IP Telephony.

As far as the cost of vpning the phones, maybe you could use LinkSys vpn routers ($129.00 / each) and cut the cost in half. If you didn't want to go the VPN route, you could set up access-list on your 3810 to only accept traffic from the known IP addresses of your home warriors. This is not the most secure, but it does provide some security and would probably block most half-hearted attempts from wannabe hackers.

You could sell your Cisco phones, install X-Lite (free softphone) and put the money from the Cisco phones toward vpning your network. There are several ways to go, I just wouldn't leave it wide open.
RE: [Asterisk-Users] * and Cisco routers
It's a very small delay; my avg from Houston to Tampa is about 70 ms over the tunnel and about 40 without the tunnel on a good day. The thing that gets you is the lack of QOS over the Net so get some good pipes. This is using a vpn 3005 and a pix 506 with 168 bit encryptions on a nail vpn. If you want it over a Windows Cisco client I will have to get you that answer tomorrow as my laptop is still at work but so far softphone on it works great with every softphone I have tried.

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Lars Boegild Thomsen
Sent: Tuesday, May 18, 2004 10:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Asterisk-Users] * and Cisco routers

Well - I would assume that most Asterisk instances run on Linux boxes, so even if put directly on a public IP address it's quite possible to protect the machine and do various VPN setups (including IPSec).

Speaking of which - anybody got experience with VoIP and IPSec? I've never really used IPSec, but I would imagine it creates a significant delay.

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Ronald R. McDaniel
Sent: 19 May 2004 11:13
To: [EMAIL PROTECTED]
Subject: Re: [Asterisk-Users] * and Cisco routers

Doug,

I don't believe that it would be a good idea to leave the Asterisk box unprotected (without any firewall). This would leave you wide open for people to access your internal system through the Asterisk box. We have all been participating in a discussion about an article written by the ingenious Mr. Jim Louderback, technology writer for Ziff Davis, regarding the security risk of IP Telephony.

As far as the cost of vpning the phones, maybe you could use LinkSys vpn routers ($129.00 / each) and cut the cost in half. If you didn't want to go the VPN route, you could set up access-list on your 3810 to only accept traffic from the known IP addresses of your home warriors. This is not the most secure, but it does provide some security and would probably block most half-hearted attempts from wannabe hackers.

You could sell your Cisco phones, install X-Lite (free softphone) and put the money from the Cisco phones toward vpning your network. There are several ways to go, I just wouldn't leave it wide open.

Sincerely,
Ronald R. McDaniel
Southern Computer Services, Inc.
[EMAIL PROTECTED]
(251) 444-3136 office
(251) 446-3137 fax
(251) 294-1202 cell
Re: [Asterisk-Users] * and Cisco routers
ACLs are nowhere near as secure as firewalls and VPNs. ACLs only look at IP address and ports. Spoof the IP address and find out the port and you can get in. I am not saying that this would be an easy task, it would be pretty difficult to do under most situations. Typically we use ACLs along with our firewalls when implementing security solutions for our customers.

brian k. west

I personally think firewalls are a stopgap measure for the real problem. A firewall and VPN are not a foolproof method of protection. Fix the real problem instead of hiding it. I usually don't use a real firewall but ACLs and other similar methods to lock down where/who can access a box. As for Cisco routers we use ACLs to lock those where the asterisk box is the only one that can access it.

bkw

Ronald R. McDaniel
Southern Computer Services, Inc.
[EMAIL PROTECTED]
(251) 444-3136 office
(251) 446-3137 fax
(251) 294-1202 cell
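Added example (not part of any message in this thread): a small Python model of the kind of access list discussed in the two messages above, permitting only SIP and RTP from known home-worker addresses to the Asterisk box, with test packets for checking the policy before it goes on a router. All addresses, the UDP 5060 signalling port and the 10000-20000 RTP range are assumptions made for illustration.

```python
# Added example: stateless ACL model. All addresses and rules are constructed.
import ipaddress
from dataclasses import dataclass

ASTERISK = "198.51.100.10"                       # hypothetical Asterisk box
HOME_WORKERS = ["203.0.113.21", "203.0.113.22"]  # hypothetical remote phones

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp", or "ip" for any protocol
    src: str                     # source network, CIDR
    dst: str                     # destination network, CIDR
    ports: tuple = (0, 65535)    # inclusive destination port range

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str       # source address as written in the IP header
    dst: str
    dport: int

def home_worker_acl(workers, sip_port=5060, rtp=(10000, 20000)):
    """Permit SIP signalling and RTP media to the PBX from listed hosts only."""
    rules = []
    for ip in workers:
        rules.append(Rule("permit", "udp", ip + "/32", ASTERISK + "/32", (sip_port, sip_port)))
        rules.append(Rule("permit", "udp", ip + "/32", ASTERISK + "/32", rtp))
    return rules

def matches(rule, pkt):
    """A stateless ACL sees header fields only: protocol, addresses, port."""
    return (rule.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.ports[0] <= pkt.dport <= rule.ports[1])

def evaluate(rules, pkt):
    """Return the first matching rule's action; no match is an implicit deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

def check_policy(rules, cases):
    """Return (packet, expected, got) for every case the ACL decides differently."""
    return [(p, want, evaluate(rules, p)) for p, want in cases
            if evaluate(rules, p) != want]

ACL = home_worker_acl(HOME_WORKERS)
CASES = [  # constructed traffic samples and the decision the policy should give
    (Packet("udp", "203.0.113.21", ASTERISK, 5060), "permit"),       # SIP, listed phone
    (Packet("udp", "203.0.113.22", ASTERISK, 14002), "permit"),      # RTP, listed phone
    (Packet("udp", "192.0.2.77", ASTERISK, 5060), "deny"),           # unlisted source
    (Packet("tcp", "203.0.113.21", ASTERISK, 22), "deny"),           # listed host, other service
    (Packet("udp", "203.0.113.21", "198.51.100.11", 5060), "deny"),  # other inside host
]
```

Every decision is made from the protocol, addresses and port in the packet header alone, so the filter cannot confirm who actually sent a packet that carries a listed source address; authenticating the sender is what the VPN tunnel adds on top.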
Re: [Asterisk-Users] * and Cisco routers
I'm not saying not to use them but firewalls and VPN are not very voip friendly. VPN adds latency and jitter and firewalls play hell with RTP ports.

bkw

- Original Message -
From: Ronald R. McDaniel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 18, 2004 10:27 PM
Subject: Re: [Asterisk-Users] * and Cisco routers

ACLs are nowhere near as secure as firewalls and VPNs. ACLs only look at IP address and ports. Spoof the IP address and find out the port and you can get in. I am not saying that this would be an easy task, it would be pretty difficult to do under most situations. Typically we use ACLs along with our firewalls when implementing security solutions for our customers.

brian k. west

I personally think firewalls are a stopgap measure for the real problem. A firewall and VPN are not a foolproof method of protection. Fix the real problem instead of hiding it. I usually don't use a real firewall but ACLs and other similar methods to lock down where/who can access a box. As for Cisco routers we use ACLs to lock those where the asterisk box is the only one that can access it.

bkw

Ronald R. McDaniel
Southern Computer Services, Inc.
[EMAIL PROTECTED]
(251) 444-3136 office
(251) 446-3137 fax
(251) 294-1202 cell
RE: [Asterisk-Users] * and Cisco routers
The funny thing is that in my experience VoIP actually works quite well over the Internet. I am Danish but live in Malaysia, so I do quite a lot of VoIP calls between those two locations. That can't possibly get any worse on the public Internet. There are an average of 25 hops between Malaysia and Denmark, it literally goes all the way round this little planet (from Malaysia via Hong Kong to US West Coast. Through US and from US East Coast to Denmark). Round-trip delay is usually around 550 ms (meaning somewhere around 260 ms one way).

Yet in my experience having been running this for more than a year it is EXTREMELY rare that there are drop-outs or delays caused by the Internet. The last mile is important. If there are drop outs they are usually always caused by the miserable 382 kbps xDSL link I am stuck with here in Malaysia. But that part can be handled with proper QoS (queuing in Linux).

In short - even in the scenario described above - which must be considered an almost worst case scenario - the quality is generally more than OK and in general noticeably better than GSM calls. I quite often use a call going that way to demonstrate the quality when I get concerns about poor quality of VoIP via the Internet.

I saw a user survey a few years back that concluded that most people didn't really notice delays of less than 3-400 ms. Only around 500 ms most users noticed and were annoyed by it.

And now judging from your comments IPSec shouldn't really be a problem either.

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of lists
Sent: 19 May 2004 12:11
To: [EMAIL PROTECTED]
Subject: RE: [Asterisk-Users] * and Cisco routers

It's a very small delay; my avg from Houston to Tampa is about 70 ms over the tunnel and about 40 without the tunnel on a good day. The thing that gets you is the lack of QOS over the Net so get some good pipes. This is using a vpn 3005 and a pix 506 with 168 bit encryptions on a nail vpn. If you want it over a Windows Cisco client I will have to get you that answer tomorrow as my laptop is still at work but so far softphone on it works great with every softphone I have tried.

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Lars Boegild Thomsen
Sent: Tuesday, May 18, 2004 10:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Asterisk-Users] * and Cisco routers

Well - I would assume that most Asterisk instances run on Linux boxes, so even if put directly on a public IP address it's quite possible to protect the machine and do various VPN setups (including IPSec).

Speaking of which - anybody got experience with VoIP and IPSec? I've never really used IPSec, but I would imagine it creates a significant delay.

-Original Message-
From: [EMAIL PROTECTED] On Behalf Of Ronald R. McDaniel
Sent: 19 May 2004 11:13
To: [EMAIL PROTECTED]
Subject: Re: [Asterisk-Users] * and Cisco routers

Doug,

I don't believe that it would be a good idea to leave the Asterisk box unprotected (without any firewall). This would leave you wide open for people to access your internal system through the Asterisk box. We have all been participating in a discussion about an article written by the ingenious Mr. Jim Louderback, technology writer for Ziff Davis, regarding the security risk of IP Telephony.

As far as the cost of vpning the phones, maybe you could use LinkSys vpn routers ($129.00 / each) and cut the cost in half. If you didn't want to go the VPN route, you could set up access-list on your 3810 to only accept traffic from the known IP addresses of your home warriors. This is not the most secure, but it does provide some security and would probably block most half-hearted attempts from wannabe hackers.

You could sell your Cisco phones, install X-Lite (free softphone) and put the money from the Cisco phones toward vpning your network. There are several ways to go, I just wouldn't leave it wide open.

Sincerely,
Ronald R. McDaniel
Southern Computer Services, Inc.
[EMAIL PROTECTED]
(251) 444-3136 office
(251) 446-3137 fax
(251) 294-1202 cell