[asterisk-users] [asterisk-dev] SIP, NAT, security concerns, oh my!

Steve Totaro stotaro at asteriskhelpdesk.com
Mon Oct 24 09:32:23 CDT 2011


On Sun, Oct 23, 2011 at 10:06 PM, Andrew Latham <lathama at gmail.com> wrote:
>> OpenVPN is the solution to all NAT issues.  With at least the SNOM 370
>> supporting it and the phone can be set up as an OpenVPN gateway as well,
>> for very small offices, it is a great phone.  Linux-based and you
>> install their OpenVPN firmware and then set up the PC port on the phone
>> to bridge (that is what I do anyways) traffic, plug it into a switch,
>> configure whatever, no split tunnel, and completely secure site-to-
>> site VPN and no NAT issues, I would do this with something like a five
>> workstation office at most.
>>
>> A lot of bang for the buck with the SNOM 370.  If you already know
>> OpenVPN it is a breeze, and there are tons of howtos specific to the
>> SNOM, documentation is good too.
>>
>> This could also be done with any number of other solutions from the
>> WRT54GS whatever, or just a little boxen for VoIP over the VPN tunnel,
>> and other traffic out the default gateway.  I just like to secure
>> small remote sites so I can monitor, administer, and enforce network
>> usage policy.  That is coming from a Private Military Company
>> background.  I don't want any data not going through a voice or data
>> tunnel to Equinix.  Then some small Top Secret installation in a
>> remote area doesn't wind up infecting their little LAN.
>>
>> Set it up and put it in a fly-away quarter-sized rugged rack with
>> casters.  This approach has saved days and days of troubleshooting
>> with people who cannot understand me by language or technology or
>> whatever.  It took a bit of work to plan the whole thing out, mesh the
>> systems to route over the tunnel with fault tolerance, but certainly
>> worth the time.
>>
>> Short, OpenVPN can get you around all SIP/NAT/Security issues, since
>> the tunnel is on a single port, the big idea behind IAX2 but much
>> better, it is still SIP.
>>
>> You can lock down everything using OpenVPN to prevent problems and
>> allow simple management of global networks.  All traffic passes
>> through a few devices, giving you almost total security at a few key
>> points.
>>
>> Vyatta paid version in a VM or Bare Metal is my internet facing
>> firewall.  It is so powerful, cheap, and the dev team there is great.
>> They have helped me directly a number of times.
>>
>> I like to have NTOP, Webmin and Asterisk on most of these boxen, but I
>> don't want to install a bunch of extra junk beyond the Vyatta ISO and
>> the packages I find handy.
>>
>> That is my approach until IPv6 ever comes out, or some other variant.
>>
>> Thanks,
>> Steve Totaro
>>
>> Thanks,
>> Steve Totaro
>
> I use a lot of Zentyal for OpenVPN plus networking fun.  I did hear
> from a snom engineer that they got the openvpn working with a limited
> functionality on the snom 300 and other models. Direct to your email
> because I wanted to mention your double signature...
>
> --
> ~ Andrew "lathama" Latham lathama at gmail.com http://lathama.net ~
>

Andrew,

I have one client set up to add the signature and the others are
manual.  On occasion, there is a double signature.  Thanks for
pointing it out, but the content of the post is the issue.  My signature is
extremely minimal, not spammy like many.

I don't know how you can have "Limited Functionality" with OpenVPN.
Not sure who you talked to or when, but it works great.

Read some of the howtos and see that you can use one phone to create a
site to site VPN using bridge-utils.

For real networking fun, I would not use a phone; OpenVPN is just
for what I said, one-off sites or totally mobile hard phones.

Vyatta has training and 24/7 support for $1k per server.  The project
you pointed out looks cool from a couple of screenshots, I will load
it up on VMWare if there is an image.

Vyatta paid version is so cheap, a great business plan, the backing of
former Cisco execs, and is very robust.  GUI needs some work, that is
why I put NTOP and Webmin on it, but their engineer, the main guy, an
exec, and myself have had conference calls about additional
functionality.  They don't want to incorporate and will not support
other projects and are working on their own GUI, I totally understand.

I just ask for the tools to build from source and not "mess anything
up" from Vyatta's and my viewpoint.  Beyond that, I completely
understand where their demarc is from stock software to whatever I
build.

Just to point out that Vyatta is Sanskrit and means "Open", I
thought that was cool.  They are very similar to Asterisk, at least as
far as having a commercial and open source offering.  I see Vyatta
staying the course, having legs, and not going the way of vapor.

Many places are using it now, I was surprised by some of the Fortune
500s, and the job descriptions I get with Vyatta listed along with
Cisco.

Thanks,
Steve Totaro
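As an added illustration of the single-port, bridged site-to-site tunnel the quoted message describes (hub side plus remote phone or small box), here is an example OpenVPN configuration pair; it is not from this thread, from SNOM or from Vyatta, and the hostname, certificate paths and 10.0.0.0/24 addressing are assumptions. It assumes the hub's tap0 is joined to the LAN bridge with bridge-utils outside OpenVPN.

```conf
# --- server.conf (hub side, e.g. the office or datacenter router) ---
# Only this one UDP port needs to be reachable from the remote site.
port 1194
proto udp
# tap + server-bridge puts remote phones on the same L2 segment as the
# PBX, so SIP and RTP never cross a NAT boundary inside the tunnel.
dev tap0
server-bridge 10.0.0.1 255.255.255.0 10.0.0.200 10.0.0.250
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
# HMAC on the control channel: packets without a valid HMAC are dropped
# before any TLS handshake, which shrinks the exposed surface on the port.
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
# "No split tunnel": all remote-site traffic is sent through the hub,
# where it can be monitored and filtered at one point.
push "redirect-gateway def1"
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# --- client.conf (remote site: phone with OpenVPN firmware, or a small box) ---
client
dev tap
proto udp
remote vpn.example.org 1194      # assumed hub address
resolv-retry infinite
nobind
ca   ca.crt
cert site01.crt                  # one certificate per site, easy to revoke
key  site01.key
tls-auth ta.key 1
# Refuse to connect to anything that is not a server-usage certificate
# from our CA, so a rogue endpoint cannot impersonate the hub.
remote-cert-tls server
cipher AES-256-CBC
persist-key
persist-tun
verb 3
```

With this layout the only inbound firewall rule the hub needs is UDP 1194, and the phone's PC port can be bridged into the remote LAN so every host there reaches the PBX over the tunnel.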


