[Asterisk-Users] * and Cisco routers

Joseph Finley jfinley at prcontrol.com
Wed May 19 06:32:17 MST 2004


-----Original Message-----
From: asterisk-users-admin at lists.digium.com
[mailto:asterisk-users-admin at lists.digium.com] On Behalf Of Lars Boegild
Thomsen
Sent: Tuesday, May 18, 2004 11:23 PM
To: asterisk-users at lists.digium.com
Subject: RE: [Asterisk-Users] * and Cisco routers


Well - I would assume that most Asterisk instances run on Linux boxes, so
even if put directly on a public IP address it's quite possible to protect
the machine and do various VPN setups (including IPSec).  Speaking of which
- anybody got experience with VoIP and IPSec?  I've never really used IPSec,
but I would imagine it creates a significant delay.

> -----Original Message-----
> From: asterisk-users-admin at lists.digium.com
> [mailto:asterisk-users-admin at lists.digium.com]On Behalf Of Ronald R. 
> McDaniel
> Sent: 19 May 2004 11:13
> To: asterisk-users at lists.digium.com
> Subject: Re: [Asterisk-Users] * and Cisco routers
>
>
> Doug,
>
> I don't believe that it would be a good idea to leave the Asterisk box 
> unprotected (without any firewall).  This would leave you wide open 
> for people to access your internal system through the Asterisk box.  
> We have all been participating in a discussion about an article 
> written by the ingenious Mr. Jim Louderback, technology writer for 
> Ziff Davis, regarding the security risk of IP Telephony.  As far as 
> the cost of vpning the phones, maybe you could use LinkSys vpn routers 
> ($129.00 / each) and cut the cost in half.  If you didn't want to go 
> the VPN route, you could set up an access-list on your 3810 to only accept 
> traffic from the known IP addresses of your home warriors.  This is 
> not the most secure, but it does provide some security and would 
> probably block most half-hearted attempts from wannabe hackers.  You 
> could sell your Cisco phones, install X-Lite (free softphone) and put 
> the money from the Cisco phones toward vpning your network.  There are 
> several ways to go, I just wouldn't leave it wide open.
>
>



I have a couple * boxes being used via IPSEC and they are functional, but it
does add some delay because it's another hop through the firewall.  I don't
notice a problem, but our bandwidth falls well short of Cisco's "80/20"
golden rule.  By placing it directly on the Internet, you can definitely use
the edge routers to filter a lot of garbage and NAT 0 the * box on a DMZ
(speaking Cisco PIX).  This way, you're protected by the firewall, but still
have a real IP addressable box not going through NAT, which we know SIP doesn't
do very well over.  If using BGP as a routing protocol, consult your ISP's
community list to see if they have special tagging for QOS and tag your
VOIP.  Many ways to approach it.

Joe
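As an added illustration (not from Joe's or Ronald's mail) of the "access-list that only accepts traffic from known IP addresses" option discussed above, here is what that filter looks like on a Cisco IOS router; the addresses, the Serial0/0 interface name and the upstream provider address are constructed placeholders, and the RTP port range must match rtp.conf on the Asterisk box.

```cisco
! Constructed example: inbound ACL on the Internet-facing interface.
! 203.0.113.10    = public address of the Asterisk box (placeholder)
! 198.51.100.0/24 = known addresses of the remote "home warrior" phones (placeholder)
! 192.0.2.5       = upstream SIP provider (placeholder)
ip access-list extended VOIP-IN
 ! SIP signalling only from the known remote phones
 permit udp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq 5060
 ! RTP media from the same phones; 10000-20000 is the Asterisk rtp.conf default
 permit udp 198.51.100.0 0.0.0.255 host 203.0.113.10 range 10000 20000
 ! Signalling and media from the provider the box registers with
 permit udp host 192.0.2.5 host 203.0.113.10 eq 5060
 permit udp host 192.0.2.5 host 203.0.113.10 range 10000 20000
 ! Anything else aimed at the box is dropped and logged, so probes show up in syslog.
 ! Add permits for any other inbound traffic this interface must carry before applying it.
 deny ip any any log
!
interface Serial0/0
 ip access-group VOIP-IN in
```

This only limits who can reach the box, not what a caller from a permitted address can do, and it breaks for phones on dynamic addresses, which is why the thread treats it as a fallback to the VPN route.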