[asterisk-users] Asterisk, SIP & Firewalls

Stelios Koroneos skoroneos at digital-opsis.com
Wed Apr 27 12:48:34 CDT 2011



On Wed, 2011-04-27 at 10:16 -0700, Myles Wakeham wrote:
> Well there is one 'optimization' that I need to sort out.  There seems 
> to be some latency between the Asterisk server (and the SIP Phones) and 
> callers.  Depending on the caller's network (i.e. POTS, cell phone, other 
> VoIP, etc.) we find about 30% of the time that there is a small delay 
> (about 1/2 a second) between us talking and the caller hearing it, which 
> makes it sound like the caller is talking to an offshore company located 
> in South Asia.  I have read numerous posts, discussions, etc. about this 
> sort of thing and it seems that it has something to do with our 
> Firewall, QoS, etc. and I'm entertaining moving the entire Asterisk 
> server outside of our Firewall, and connecting the SIP phones to it on 
> an entirely separate sub-net with a dedicated NAT router.
> 
1/2 second latency, I doubt it could be attributed to a firewall/QoS,
unless your Internet connection is saturated with p2p or some other high
volume traffic (movie/radio streaming) or your firewall is running on
some slow machine with too many rules for packet inspection etc.
If that's the case, moving Asterisk to a public IP won't fix it.

As a first indication you could add "qualify=yes" to all your SIP
peers to see how long it takes them to "talk" to Asterisk.



> It kinda scares me though.  I know that SIP is an attractive 
> attack-vector, and that there are scripts out there that target SIP 
> devices.  I know I could run Fail2Ban on the server, which is fine 
> (we're doing that anyway now), but before I go down this path, I wanted 
> to get general feedback if we are using our Asterisk system using 'best 
> practices' or whether it should never be sitting behind a Firewall, 
> despite the fact that it is working pretty close to perfect as it is 
> right now.  I just want to find a way to reduce the latency.
> 
> Does anyone have any thoughts about this?
> 

90% of the problems I see with Asterisk security have to do with bad
configuration, bad dialplans and bad security policies (weak
passwords, no monitoring) etc.
The other 10% can be protocol or Asterisk security issues, but usually
these get fixed before script-kiddies get a chance to use them.

In your case, since all your SIP traffic would be coming from a single IP
address (of your provider), things are a bit easier to set up.

IMHO try to avoid as much as you can exposing Asterisk to a public
IP/network, and use it as a last-resort method if everything else fails.


Stelios
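
A sip.conf fragment along the lines suggested in the reply above (qualify=yes on every peer, SIP accepted only from the provider's single address, no anonymous calls), added here as an example and not taken from the original thread or from Asterisk's own sample configuration. The address 203.0.113.10, the 192.168.10.0/24 phone subnet, the peer names, the dialplan context names and the secret are placeholders.

```ini
; --- sip.conf (added example for Asterisk 1.8; not from the thread) ---
[general]
context=incoming-unauth   ; PLACEHOLDER context: unauthenticated calls land somewhere that only hangs up
allowguest=no             ; refuse calls from sources that match no configured peer
alwaysauthreject=yes      ; same rejection for unknown users and bad passwords: no username enumeration
srvlookup=yes

; ITSP trunk: SIP comes from exactly one address, so lock the peer to it
[itsp-trunk]
type=peer
host=203.0.113.10                    ; PLACEHOLDER: the provider's SIP proxy address
insecure=port,invite                 ; accept INVITEs from this host without challenging them
context=from-itsp                    ; PLACEHOLDER dialplan context for inbound calls
deny=0.0.0.0/0.0.0.0                 ; drop SIP from anywhere...
permit=203.0.113.10/255.255.255.255  ; ...except the provider
qualify=yes                          ; send OPTIONS; "sip show peers" then reports "OK (nn ms)" or LAGGED
qualifyfreq=60                       ; probe every 60 seconds

; Template shared by the desk phones behind the NAT router
[phone](!)
type=friend
host=dynamic
nat=yes                              ; 1.8 also accepts nat=force_rport,comedia
qualify=yes                          ; round-trip time to each phone shows up the same way
context=internal                     ; PLACEHOLDER context for outbound dialling
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0    ; PLACEHOLDER: the phones' own subnet, nothing else may register
disallow=all
allow=ulaw

[100](phone)
secret=REPLACE-WITH-LONG-RANDOM-SECRET   ; placeholder; never the extension number itself
callerid="Front Desk" <100>
```

With qualify=yes in place, `asterisk -rx "sip show peers"` lists each peer's status with the measured round trip, which separates a slow path to the phones from a slow path to the provider.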
