[asterisk-users] Asterisk, SIP & Firewalls
Myles Wakeham
myles at techsol.org
Wed Apr 27 12:16:50 CDT 2011
Hi all,
I'm trying to get my head around our Asterisk network configuration.
We've been using it for about 2 years now (home office) and it works
great. It's Asterisk 1.4.2 with SIP through external provider(s).
We have the Asterisk server behind our IPCop firewall, and have a
dedicated IP address that comes to the firewall from our ISP (Cox) and
that is routed to our Asterisk box using SIP ports, etc. It works fine,
connects without issue and we then have all of our SIP Phones throughout
the house for the calls. My wife & I run businesses from our home, so
we have multiple numbers coming into Asterisk and with some fancy
Asterisk scripting, etc. we have the one system acting as a phone system
for 4 companies. Works great.
Well there is one 'optimization' that I need to sort out. There seems
to be some latency between the Asterisk server (and the SIP Phones) and
callers. Depending on the caller's network (i.e. POTS, cell phone, other
VoIP, etc.) we find about 30% of the time that there is a small delay
(about 1/2 a second) between us talking and the caller hearing it, which
makes it sound like the caller is talking to an offshore company located
in South Asia. I have read numerous posts, discussions, etc. about this
sort of thing and it seems that it has something to do with our
Firewall, QoS, etc. and I'm entertaining moving the entire Asterisk
server outside of our Firewall, and connecting the SIP phones to it on
an entirely separate sub-net with a dedicated NAT router.
It kinda scares me though. I know that SIP is an attractive
attack-vector, and that there are scripts out there that target SIP
devices. I know I could run Fail2Ban on the server, which is fine
(we're doing that anyway now), but before I go down this path, I wanted
to get general feedback if we are using our Asterisk system using 'best
practices' or whether it should never be sitting behind a Firewall,
despite the fact that it is working pretty close to perfect as it is
right now. I just want to find a way to reduce the latency.
Does anyone have any thoughts about this?
Thanks in advance for any comments or suggestions.
Myles
--
-----------------------------
Myles Wakeham
Director of Engineering
Tech Solutions USA LLC
www.techsolusa.com
Phone +1-480-451-7440