[asterisk-dev] SIP, NAT, security concerns, oh my!

Steve Totaro stotaro at asteriskhelpdesk.com
Sun Oct 23 13:34:39 CDT 2011


On Sun, Oct 23, 2011 at 6:06 AM, Artem Makhutov <artem at makhutov.org> wrote:
> Hi,
>
> Tilghman Lesher schrieb:
>>
>> On Sat, Oct 22, 2011 at 10:50 AM, Ryan Wagoner <rswagoner at gmail.com> wrote:
>>>
>>> On Sat, Oct 22, 2011 at 11:02 AM, Tilghman Lesher <tilghman at meg.abyt.es> wrote:
>>>>
>>>> Here's another option:  send responses to _both_ ports while the
>>>> client is still unauthenticated.  This would have the effect of an
>>>> attacker being unable to distinguish between a peer existing and not,
>>>> while still allowing peers to be configured either with rport enabled or
>>>> rport-oblivious.
>>>>
>>>> That still leaves peers without authentication to be a problem, but
>>>> those are typically authenticated by other means, such as
>>>> possession of a particular IP address, or restricted to a context
>>>> without outward dialing capabilities.
>>>
>>> Your option of sending responses to both ports sounds interesting.
>>> However what happens if the client receives both responses? How much
>>> extra network traffic does this cause for a server with thousands of
>>> peers. Just like option 3 if you make this optional it could be a good
>>> choice for some use cases.
>>
>> It shouldn't actually be a problem; the second packet would be ignored,
>> because in UDP-based SIP, there's always a possibility that a packet is
>> lost (never received), so re-transmits are built into the protocol.  Thus, a
>> SIP UA should always be prepared to receive an identical (in terms of
>> payload) packet.
>
> I don't like this idea. What if a phone is behind a NAT router which is
> running a SIP server?
> So in this case the SIP server on the NAT router will get one packet, and
> the phone behind the NAT router will also receive one.
>
> Option 3 sounds fine to me.
>
> Regards, Artem
>

OpenVPN is the solution to all NAT issues.  With at least the SNOM 370
supporting it, and the phone able to be set up as an OpenVPN gateway as
well, for very small offices it is a great phone.  It is Linux-based: you
install their OpenVPN firmware, then set up the PC port on the phone to
bridge traffic (that is what I do anyway), plug it into a switch,
configure whatever, no split tunnel, and you have a completely secure
site-to-site VPN and no NAT issues.  I would do this with something like
a five-workstation office at most.

A lot of bang for the buck with the SNOM 370.  If you already know
OpenVPN it is a breeze, and there are tons of how-tos specific to the
SNOM; the documentation is good too.

This could also be done with any number of other solutions from the
WRT54GS whatever, or just a little boxen for VoIP over the VPN tunnel,
and other traffic out the default gateway.  I just like to secure
small remote sites so I can monitor, administer, and enforce network
usage policy.  That is coming from a Private Military Company
background.  I don't want any data not going through a voice or data
tunnel to Equinix.  Then some small Top Secret installation in a
remote area doesn't wind up infecting their little LAN.

Set it up and put it in a fly-away quarter-sized rugged rack with
casters.  This approach has saved days and days of troubleshooting
with people who cannot understand me by language or technology or
whatever.  It took a bit of work to plan the whole thing out and mesh the
systems to route over the tunnel with fault tolerance, but it was certainly
worth the time.

In short, OpenVPN can get you around all SIP/NAT/security issues, since
the tunnel is on a single port (the big idea behind IAX2, but much
better: it is still SIP).

You can lock down everything using OpenVPN to prevent problems and
allow simple management of global networks.  All traffic passes
through a few devices, giving you almost total security at a few key
points.

The paid version of Vyatta, in a VM or on bare metal, is my internet-facing
firewall.  It is so powerful and cheap, and the dev team there is great.
They have helped me directly a number of times.

I like to have NTOP, Webmin and Asterisk on most of these boxen, but I
don't want to install a bunch of extra junk beyond the Vyatta ISO and
the packages I find handy.

That is my approach until IPv6 ever comes out, or some other variant.

Thanks,
Steve Totaro
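As an added example (not code from this thread, from Asterisk, or from any of the posters), here is a small Python model of the response-destination question argued in the quoted part of the thread: where a UDP SIP server sends its reply when the request carries `rport` (RFC 3581), what Tilghman's "send to both ports while unauthenticated" proposal changes, and why a UA that receives both copies treats the second as a retransmission and drops it. The function names, the `peer` dictionary with an `rport` flag standing in for per-peer configuration, and the sample REGISTER with its addresses are all constructed for this illustration.

```python
import re

# Topmost Via header of a UDP SIP message: host, optional port, then ;param[=value] list.
VIA_RE = re.compile(
    r"^Via:\s*SIP/2\.0/UDP\s+(?P<host>[^;:\s]+)(?::(?P<port>\d+))?"
    r"(?P<params>(?:;[^;\r\n]+)*)",
    re.I | re.M,
)
CSEQ_RE = re.compile(r"^CSeq:\s*(.+?)\s*$", re.I | re.M)


def parse_via(message):
    """Return host, port and parameters of the topmost Via header."""
    m = VIA_RE.search(message)
    if m is None:
        raise ValueError("no Via header")
    params = {}
    for p in m.group("params").split(";")[1:]:
        name, _, value = p.partition("=")
        params[name.lower()] = value or None  # a bare 'rport' has no value
    return {"host": m.group("host"), "port": int(m.group("port") or 5060), "params": params}


def response_destinations(request, source, peer, authenticated):
    """Decide where the server sends its response (assumed model, not Asterisk's code).

    source        - (ip, port) the request actually arrived from (after any NAT)
    peer          - matched peer config as {'rport': bool}, or None if no peer matched
    authenticated - whether the request has passed authentication

    An authenticated peer that uses rport is answered at `source`; an rport-oblivious
    peer is answered at the Via port. While the request is still unauthenticated the
    reply goes to BOTH, so the destination is identical whether or not `peer` exists
    and an observer learns nothing about per-peer configuration from it.
    """
    via = parse_via(request)
    via_dest = (via["host"], via["port"])
    if not authenticated:
        return {via_dest, source}
    if peer is None:
        raise ValueError("an authenticated request must have matched a peer")
    if peer["rport"]:
        return {source}
    return {via_dest}


def build_response(request, status_line):
    """Minimal response: copy the request's Via and CSeq, as a SIP server would."""
    via_line = VIA_RE.search(request).group(0)
    cseq = CSEQ_RE.search(request).group(1)
    return f"{status_line}\r\n{via_line}\r\nCSeq: {cseq}\r\nContent-Length: 0\r\n\r\n"


class ResponseDedup:
    """Client-side transaction matching: a second copy of the same response (same
    branch, CSeq and status) is a retransmission and is dropped, which is why a UA
    that sees both copies of a two-destination reply is not confused by them."""

    def __init__(self):
        self._seen = set()

    def accept(self, response):
        status_line = response.split("\r\n", 1)[0]
        branch = parse_via(response)["params"].get("branch")
        cseq = CSEQ_RE.search(response).group(1)
        key = (branch, cseq, status_line)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


# Constructed sample: a REGISTER from a phone behind NAT. The Via carries the phone's
# private address; the server socket sees the NAT's public address and port.
REQUEST = (
    "REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;rport;branch=z9hG4bK-constructed-1\r\n"
    "From: <sip:1001@pbx.example.invalid>;tag=c0n5tr\r\n"
    "To: <sip:1001@pbx.example.invalid>\r\n"
    "Call-ID: constructed-call-1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)
SOURCE = ("198.51.100.7", 40123)  # constructed post-NAT source address


def demo():
    """Unknown and known peers get identical unauthenticated treatment, and a UA
    accepts the first copy of the challenge and drops the second."""
    unknown = response_destinations(REQUEST, SOURCE, None, authenticated=False)
    known = response_destinations(REQUEST, SOURCE, {"rport": True}, authenticated=False)
    dedup = ResponseDedup()
    challenge = build_response(REQUEST, "SIP/2.0 401 Unauthorized")
    first, second = dedup.accept(challenge), dedup.accept(challenge)
    return unknown == known, first, second


if __name__ == "__main__":
    print(demo())
```

Artem's objection in the thread is visible in the model too: when the NAT router itself runs a SIP server, the Via destination and the `source` destination are two different hosts, so the "both ports" reply reaches a device that was never part of the transaction, and the dedup only helps the phone that sees both copies.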

