[asterisk-users] Asterisk, SIP Firewalls

2011-04-27 Thread Myles Wakeham

Hi all,

I'm trying to get my head around our Asterisk network configuration. 
We've been using it for about 2 years now (home office) and it works 
great.  It's Asterisk 1.4.2 with SIP through external provider(s).


We have the Asterisk server behind our IPCop firewall, and have a 
dedicated IP address that comes to the firewall from our ISP (Cox) and 
that is routed to our Asterisk box using SIP ports, etc.  It works fine, 
connects without issue and we then have all of our SIP Phones throughout 
the house for the calls.  My wife & I run businesses from our home, so 
we have multiple numbers coming into Asterisk and with some fancy 
Asterisk scripting, etc. we have the one system acting as a phone system 
for 4 companies.  Works great.


Well there is one 'optimization' that I need to sort out.  There seems 
to be some latency between the Asterisk server (and the SIP Phones) and 
callers.  Depending on the caller's network (ie. POTS, Cell phone, other 
Voip, etc.) we find about 30% of the time that there is a small delay 
(about 1/2 a second) between us talking and the caller hearing it, which 
makes it sound like the caller is talking to an offshore company located 
in South Asia.  I have read numerous posts, discussions, etc. about this 
sort of thing and it seems that it has something to do with our 
Firewall, QoS, etc. and I'm entertaining moving the entire Asterisk 
server outside of our Firewall, and connecting the SIP phones to it on 
an entirely separate sub-net with a dedicated NAT router.


It kinda scares me though.  I know that SIP is an attractive 
attack-vector, and that there are scripts out there that target SIP 
devices.  I know I could run Fail2Ban on the server, which is fine 
(we're doing that anyway now), but before I go down this path, I wanted 
to get general feedback if we are using our Asterisk system using 'best 
practices' or whether it should never be sitting behind a Firewall, 
despite the fact that it is working pretty close to perfect as it is 
right now.  I just want to find a way to reduce the latency.


Does anyone have any thoughts about this?

Thanks in advance for any comments or suggestions.

Myles
--
Myles Wakeham
Director of Engineering
Tech Solutions USA LLC
www.techsolusa.com
Phone +1-480-451-7440


--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
  http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
  http://lists.digium.com/mailman/listinfo/asterisk-users


Re: [asterisk-users] Asterisk, SIP Firewalls

2011-04-27 Thread Stelios Koroneos


On Wed, 2011-04-27 at 10:16 -0700, Myles Wakeham wrote:
> Well there is one 'optimization' that I need to sort out.  There seems 
> to be some latency between the Asterisk server (and the SIP Phones) and 
> callers.  Depending on the caller's network (ie. POTS, Cell phone, other 
> Voip, etc.) we find about 30% of the time that there is a small delay 
> (about 1/2 a second) between us talking and the caller hearing it, which 
> makes it sound like the caller is talking to an offshore company located 
> in South Asia.  I have read numerous posts, discussions, etc. about this 
> sort of thing and it seems that it has something to do with our 
> Firewall, QoS, etc. and I'm entertaining moving the entire Asterisk 
> server outside of our Firewall, and connecting the SIP phones to it on 
> an entirely separate sub-net with a dedicated NAT router.
> 
1/2 second latency, I doubt it could be attributed to a firewall/QoS,
unless your Internet connection is saturated with p2p or some other high
volume traffic (movie/radio streaming) or your firewall is running on
some slow machine with too many rules for packet inspection etc.
If that's the case, moving asterisk to a public IP won't fix it.

As a first indication you could add a qualify=yes in all your sip
peers to see how long it takes them to talk to asterisk.



> It kinda scares me though.  I know that SIP is an attractive 
> attack-vector, and that there are scripts out there that target SIP 
> devices.  I know I could run Fail2Ban on the server, which is fine 
> (we're doing that anyway now), but before I go down this path, I wanted 
> to get general feedback if we are using our Asterisk system using 'best 
> practices' or whether it should never be sitting behind a Firewall, 
> despite the fact that it is working pretty close to perfect as it is 
> right now.  I just want to find a way to reduce the latency.
> 
> Does anyone have any thoughts about this?
> 

90% of the problems I see with Asterisk security have to do with bad
configuration, bad dialplans and bad security policies (weak
passwords, no monitoring) etc.
The other 10% can be protocol or Asterisk security issues, but usually
these get fixed before script-kiddies get a chance to use them.

In your case, since all your SIP traffic would be coming from a single IP
address (of your provider), things are a bit easier to set up.

IMHO try to avoid as much as you can exposing asterisk to a public
ip/network and use it as a last resort method if everything else fails.


Stelios




Re: [asterisk-users] Asterisk, SIP Firewalls

2011-04-27 Thread Ryan Wagoner
On Wed, Apr 27, 2011 at 1:16 PM, Myles Wakeham my...@techsol.org wrote:
> It kinda scares me though.  I know that SIP is an attractive attack-vector,
> and that there are scripts out there that target SIP devices.  I know I
> could run Fail2Ban on the server, which is fine (we're doing that anyway
> now), but before I go down this path, I wanted to get general feedback if we
> are using our Asterisk system using 'best practices' or whether it should
> never be sitting behind a Firewall, despite the fact that it is working
> pretty close to perfect as it is right now.  I just want to find a way to
> reduce the latency.

I have placed Asterisk outside the firewall / nat router to avoid the
translation. I usually will set up the server with dual NICs. One has
the public IP and another has the internal private IP. Set the default
gateway to the public IP gateway. Then just configure iptables to
firewall the server interfaces accordingly. This configuration allows
Asterisk to sit directly on the Internet while keeping your internal
phones from going out your nat router and back to Asterisk. Basically
the best of both worlds.

Ryan
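Putting the two replies together (Ryan's dual-NIC box with iptables on the host, and Stelios's point that all SIP traffic arrives from the provider's single address), here is an added example of what that host firewall can look like. It is not code from either poster; the interface names (eth0/eth1), the phone subnet, the provider address (a placeholder) and the RTP port range are all assumptions that have to be replaced with the real values, and the RTP range must match rtpstart/rtpend in rtp.conf. The script emits the rules rather than applying them, so they can be reviewed and checked first.

```shell
#!/bin/sh
# Added example: host firewall for an Asterisk box with two NICs, one on a
# public address and one on the LAN. Not from the thread; the interface
# names, subnet, provider address and RTP range are assumptions/placeholders.
PUB_IF=eth0                 # assumed: NIC holding the public IP
LAN_IF=eth1                 # assumed: NIC on the internal phone subnet
LAN_NET=192.168.1.0/24      # assumed: subnet the SIP phones live on
PROVIDER_IP=203.0.113.10    # placeholder: the SIP provider's signalling/media address
SIP_PORT=5060               # SIP over UDP (chan_sip default)
RTP_RANGE=10000:20000       # must match rtpstart/rtpend in rtp.conf

# Emit the rule set instead of applying it, so it can be reviewed first and
# then applied as root with:  sip_rules | sh
sip_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $PUB_IF -p udp -s $PROVIDER_IP --dport $SIP_PORT -j ACCEPT
iptables -A INPUT -i $PUB_IF -p udp -s $PROVIDER_IP --dport $RTP_RANGE -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport $SIP_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport $RTP_RANGE -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $PUB_IF -p udp --dport $SIP_PORT -m limit --limit 5/min -j LOG --log-prefix "SIP-DROP: "
EOF
}

# Guard against the classic mistake: a SIP ACCEPT on the public interface
# that is not pinned to the provider's address. Returns 1 if one is found.
check_rules() {
  if sip_rules | grep -E -- "-i $PUB_IF .*--dport $SIP_PORT -j ACCEPT" \
                | grep -qv -- "-s $PROVIDER_IP"; then
    return 1
  fi
  return 0
}

# Number of rules emitted, for a quick sanity check before applying.
rule_count() {
  sip_rules | grep -c '^iptables'
}

# Review the rules and run the check; nothing is applied by this script.
sip_rules
check_rules && echo "ok: public SIP is restricted to $PROVIDER_IP"
```

FORWARD is set to DROP because the Asterisk host is not meant to route between its two NICs; the phones register to it over the LAN interface and never need to transit it. OUTPUT is left at its default, and the last rule logs (rate-limited) any SIP packet that reaches the public interface from somewhere other than the provider, which is exactly the kind of monitoring Stelios mentions. If the provider sends media from addresses other than its signalling host, each of those addresses needs its own ACCEPT line for the RTP range.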
