On 8/18/2012 8:00 AM, Tony Graziano wrote:
> I keep hearing what I have been saying for a long time, put the
> security in the firewall. My only point is this: When you start to
> move the infrastructure into the cloud, it becomes more important to
> build the security behaviors into the service and not on the
> underlying platform. So I am searching for ways to do this "internal"
> to sipx.
>
> When deploying in an environment like Amazon EC2, you cannot rate
> limit. Using their firewall blocking or allowing only certain regions
> takes thousands of manual entries. It's just not as easy as uploading
> a script which you can do on your service (sipx). Why? Because cloud
> security is not where it needs to be yet (IMO).
>
> I believe rate limiting is a good fallback position to have built into
> the proxy since it will limit both call and registration attempts. I
> never thought the Blacklist would do much other than to thwart
> something that already got started, and that's OK. I think the
> least performance hit to sipx would be to use iptables as the place to
> use more extensive blacklists when the firewall capabilities are too
> lacking.

I agree with the rate limiting, on registration and call attempts that fail. The rate limiting can be in the form of a delayed response or just drop it. The delayed response could build into a denial of service though. Having the sipx services monitor an internal blacklist seems appropriate.
Then again, I am a big fan of fail2ban. It would make things easier for setting up fail2ban if there was a log file specifically for failed auth attempts (web/sip) and also failed call attempts... prevent those that try to place those long distance calls in the middle of the night or try random extensions.

--
Regards
--------------------------------------
Gerald Drouillard
Technology Architect
Drouillard & Associates, Inc.
http://www.Drouillard.biz

_______________________________________________
sipx-dev mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-dev/
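The sliding-window rate limit on failed registration and call attempts discussed in this thread, as an added example that is not sipXecs code and not from either poster. The `AUTH-FAIL` log format, the sample lines and the thresholds are constructed for illustration; a real deployment would parse the proxy's actual log format, and the limiter drops rather than delays so the defence cannot itself become a denial of service.

```python
"""Sliding-window blacklist of sources with too many failed SIP auth attempts."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (hypothetical, not sipXecs's real format):
# "<ISO timestamp> AUTH-FAIL <REGISTER|INVITE> from <ip> user=<user>"
LINE_RE = re.compile(
    r"^(\S+) AUTH-FAIL (REGISTER|INVITE) from (\d+\.\d+\.\d+\.\d+) user=(\S+)$")


class FailureRateLimiter:
    """Blacklist a source IP once it exceeds max_failures failed auth
    attempts inside a sliding window of `window` seconds."""

    def __init__(self, max_failures=5, window=60):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window)
        self.events = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blacklist = {}               # ip -> time it was blacklisted

    def record(self, line):
        """Parse one log line; return the source IP, or None if unparseable."""
        m = LINE_RE.match(line)
        if not m:
            return None
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(3)
        q = self.events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire failures outside window
            q.popleft()
        if len(q) > self.max_failures and ip not in self.blacklist:
            self.blacklist[ip] = ts
        return ip

    def should_drop(self, ip):
        """Drop silently (no delayed reply, so we never amplify a DoS)."""
        return ip in self.blacklist


SAMPLE_LOG = [  # constructed: one source hammers REGISTER, another is benign
    "2012-08-18T08:00:00 AUTH-FAIL REGISTER from 203.0.113.10 user=1001",
    "2012-08-18T08:00:05 AUTH-FAIL REGISTER from 203.0.113.10 user=1002",
    "2012-08-18T08:00:10 AUTH-FAIL INVITE from 198.51.100.7 user=2000",
    "2012-08-18T08:00:12 AUTH-FAIL REGISTER from 203.0.113.10 user=1003",
    "2012-08-18T08:00:20 AUTH-FAIL REGISTER from 203.0.113.10 user=1004",
    "2012-08-18T08:00:25 AUTH-FAIL REGISTER from 203.0.113.10 user=1005",
    "2012-08-18T08:00:30 AUTH-FAIL REGISTER from 203.0.113.10 user=1006",
    "2012-08-18T08:05:00 AUTH-FAIL INVITE from 198.51.100.7 user=2001",
    "malformed line that the parser must ignore",
]


def run_sample(lines=SAMPLE_LOG, max_failures=5, window=60):
    """Feed the constructed log through the limiter; return the blacklist."""
    limiter = FailureRateLimiter(max_failures, window)
    for line in lines:
        limiter.record(line)
    return limiter.blacklist
```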
