
[asterisk-users] Which router/firewall would you use for a virtual-PBX Asterisk installation?


 
maillist at lightspeed.ca (Ernie Dunbar)
Posted: Fri Nov 20, 2015 3:25 pm

Hi everyone.

We've got a fairly large base of customers who use our Asterisk server
for phone service in a virtual PBX kind of way, where the server is
security hardened and exposed to the internet for them to connect to
remotely with SIP and IAX. It's certainly not the sort of affair where
we're running it as a PBX just within the building. As a result, we see
network traffic coming through eth0 between 512 Kbps and about 3.0 Mbps,
depending on the time of day.

We haven't so far been using a hardware firewall/router on our server
network, but it's becoming increasingly clear that we need to. We have
enough experience to know that Asterisk is pretty sensitive when it
comes to network hardware in our situation - we've had to replace one
otherwise perfectly good 100 Mbps network switch because it simply
wasn't able to keep up with the amount of streaming audio we put through
it, and it badly affected voice quality. We have other traffic flowing
through our server network too, including a significant amount of e-mail
and web traffic, although that's not quite as sensitive to the quality
of our network hardware.

If you've got these large requirements for Asterisk, I'd love to hear
what you use for a router, and whether that router has met your needs.
It would also be nice to hear about what kinds of routers to avoid that
you may have tried in the past and found lacking.

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users

webaccounts173 at jgoe...
Posted: Fri Nov 20, 2015 3:59 pm

I am working at a scale of about 10 Mbps and I am using customized pfSense setups. Essentially,
I am also using Asterisk as a session border controller as part of the router/firewall. I am
using a multi-step procedure to keep unwanted traffic away from the application software, which
includes geo IP filtering and blocking based on Snort alarms. So far I haven't seen the
necessity to block anything based on Asterisk logs, but I'll plan to add that feature to
pfBlockerNG as a custom IPv4 (and IPv6) list.

It's too early for recommendations or public demo software, but I am planning to add my SBC to
pfSense 2.3 superseding the current Asterisk package. If necessary, pfSense allows for traffic
shaping and a couple of other neat features that are usually not part of small firewalls.

jg
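
The log-based blocking mentioned in the post above could be sketched as follows. This is an added example, not part of the original thread and not pfSense or pfBlockerNG code. It assumes the chan_sip failed-registration NOTICE line format, a threshold of three failures, and a plain one-address-per-line output list; the log lines are constructed and use documentation address ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not from a real server); all addresses are
# documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_LOG = """\
[2015-11-20 15:25:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@198.51.100.10>' failed for '203.0.113.7:5060' - Wrong password
[2015-11-20 15:25:02] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@198.51.100.10>' failed for '203.0.113.7:5071' - No matching peer found
[2015-11-20 15:25:03] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@198.51.100.10>' failed for '203.0.113.7:5082' - Wrong password
[2015-11-20 15:26:40] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@198.51.100.10>' failed for '192.0.2.44:5060' - Wrong password
[2015-11-20 15:27:10] NOTICE[2101] chan_sip.c: Registration from '"300" <sip:300@198.51.100.10>' failed for '[2001:db8::bad]:5060' - Wrong password
[2015-11-20 15:27:11] NOTICE[2101] chan_sip.c: Registration from '"301" <sip:301@198.51.100.10>' failed for '[2001:db8::bad]:5060' - Wrong password
[2015-11-20 15:27:12] NOTICE[2101] chan_sip.c: Registration from '"302" <sip:302@198.51.100.10>' failed for '[2001:db8::bad]:5060' - Wrong password
[2015-11-20 15:28:00] VERBOSE[2101] chan_sip.c: Registered SIP '400' at 192.0.2.50:5060
"""

# Source address is the quoted field after "failed for": IPv4 with an optional
# port, or bracketed IPv6 with an optional port (assumed log format).
FAILED_REG = re.compile(
    r"chan_sip\.c: Registration from '.*' failed for "
    r"'(?P<host>\[[0-9A-Fa-f:.]+\]|[0-9.]+)(?::\d+)?' - "
)


def failed_sources(log_text):
    """Count failed REGISTER attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group("host").strip("[]"))
        except ValueError:
            continue  # malformed field: never pass it on to a firewall list
        counts[addr] += 1
    return counts


def build_blocklist(log_text, threshold=3, allowlist=()):
    """Addresses with >= threshold failures, one string per entry.

    allowlist holds networks that must never be blocked, e.g. a customer
    office whose phones all register from one NAT address.
    """
    nets = [ipaddress.ip_network(n) for n in allowlist]
    hits = [
        addr for addr, n in failed_sources(log_text).items()
        if n >= threshold
        and not any(addr.version == net.version and addr in net for net in nets)
    ]
    # IPv4 entries first, then IPv6, each in numeric order.
    return [str(a) for a in sorted(hits, key=lambda a: (a.version, int(a)))]


if __name__ == "__main__":
    print("\n".join(build_blocklist(SAMPLE_LOG)))
```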

support at telium.ca (Telium Technical Support)
Posted: Fri Nov 20, 2015 5:23 pm

Well router and firewall are very different...it depends on what you are
trying to accomplish.

If you are trying to secure an Asterisk-based call center, get a real
security product. Look here for details:
http://www.voip-info.org/wiki/view/Asterisk+security

This covers firewall, Asterisk lock-down, and Asterisk specific security.
The average break-in/fraud cost is $25,000 per day. (watch the Astricon
videos for more details). So going cheap on security isn't a smart move for
a commercial installation.

If you just want a router/switch, figure out the simultaneous call capacity
x codec demands in bps, and there is your backplane switching speed
requirements. Even with 100 simultaneous calls at g711, a lower end Cisco
(3xx) router/switch will have no problem.

-M-

maillist at lightspeed.ca (Ernie Dunbar)
Posted: Mon Nov 23, 2015 2:17 pm

Oh, don't worry about us going cheap on security. We use A2Billing
(along with some Fail2Ban configuration for bad logins) to limit the
number and cost of calls that can go out through a compromised SIP
account, so that when, not *if*, a customer's SIP account gets
compromised, the attacker gets cut off at the knees before they can even
get out the door. We've even added bogus connection charges on
international calls that get removed before we bill our customers, to
speed up the process and reduce our losses even further. Our customers
are even happy that these billing limits are in place.

No, this is all about playing nice with our load balancing software and
protecting databases and backend servers that have no business being
available to the public. But mostly it's about the load balancer
(IPTables on said servers can take care of "visible to the public"). I
just want to make sure that the router we use will play nice with
Asterisk, since we've already seen network hardware that looks good on
paper, but fails miserably in practice. In fact, we see it so often with
individual customers' crap routers causing voice quality issues, that by
default we don't trust simple math.

So here I am, asking everyone what router they use, and whether you're
happy with the results when there's 100 simultaneous SIP calls in
progress. I want to know what happens when the rubber hits the road.

support at telium.ca (Telium Technical Support)
Posted: Mon Nov 23, 2015 3:04 pm

If you are focused on routing, we've used 4 Cisco SG300-28p in router mode -
economical way to handle vlans etc for ~100 POE phone sets, (with GB
interconnects). At the edge Cisco ASA-55xx work well, and we've done a few
deployments with Mikrotik routers that are quite inexpensive and performed
impressively for their cost.

From a security standpoint, consider what happened last summer when hackers
found an exploit in the FreePBX web interface. They rewrote the PBX
dialplan, disabled CDR's, and made unlimited calls to premium rate numbers.
This was a real wakeup call for FreePBX users who thought Fail2Ban was a
security system, or CDR's could be used to catch compromised accounts.
Digium warns everyone that fail2ban is not a security system:
http://forums.asterisk.org/viewtopic.php?p=159984

If you don't want a security system on your PBX, see if your ITSP will limit
your account to $X/day, restrict routes, etc.

There are also some great Astricon videos online where they invite speakers
to talk about security. You'll see that fail2ban + A2Billing doesn't keep
out anyone except the script kiddies.



All times are GMT - 5 Hours