I have an Asterisk server providing phone service for my company. The server is behind a PIX-515 FW and is assigned a private address 192.168.11.X/24.

With that said, what is best to provide remote SIP phones (home offices) securely?

If the solution is to put up another Asterisk server with a public IP address I am opposed to that. I am looking for a secure, reliable solution to set up remote SIP phones.

Thanks in Advance.

Regards,
Michael DiMartino
Director of MIS
The telx Group, Inc.
17 State St, 33rd Floor
New York, NY 10004
T: 212.480.3300 X2022
C: 646.207.6603

Benjamin on Asterisk Mailing Lists
2004-Oct-06 08:14 UTC
[Asterisk-Users] Asterisk and SIP phones
On Wed, 6 Oct 2004 09:57:18 -0400, Michael Di Martino <mdm@telx.com> wrote:
> I have an Asterisk server providing phone service for my company.
> The server is behind a PIX-515 FW and is assigned a private address
> 192.168.11.X/24.
>
> With that said, what is best to provide remote SIP phones (home offices)
> securely?
>
> If the solution is to put up another Asterisk server with a public IP
> address I am opposed to that.
> I am looking for a secure, reliable solution to set up remote SIP
> phones.

IPsec tunneling between your PIX and the remote sites where the remote phones are.

rgds
benjk

--
Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya, Tokyo, Japan.
NB: Spam filters in place. Messages unrelated to the * mailing lists may get trashed.

I do this with a softphone (xlite) from my XP box at home to my Pix. It works fairly well. It does add some latency but in most cases it is not noticeable. I assume a dedicated device (Netscreen 5) would work well for your VPN end point at the home.

W

You can turn on the md5 protection.

Sip.conf

[5551212]
....
auth=md5
md5secret=409ajlg0340j0h04jd0404jd0h04j   ; (md5 Hash)

You have to put the passwords in the phones. When a call is made to asterisk the PBX will send back an md5 hash that the phone must answer correctly.

Also, pay for the static IP with the home office. Then put the static IP in the sip.conf file.

Sip.conf

[5551212]
....
host=192.168.1.1
...
auth=md5
md5secret=409ajlg0340j0h04jd0404jd0h04j   ; (md5 Hash)

Race Vanderdecken

PS. I am currently building a RADIUS based md5 registration, incoming and outgoing call SIP channel for asterisk. This channel requires every registration and call to verify with RADIUS first.

What you're saying is to set up a VPN tunnel between the Office and the user's home?

If you want to traverse your firewall? I assume that a NAT on the Pix would allow you to expose the correct ports for the * box and allow direct connect. However, that obviously opens the system to external attack. What I have done is to create a VPN tunnel which removes the need to allow a public presence of my * box. I VPN into my network then just start up the softphone like I was on the LAN.

The suggestion by Ben which I expanded with the Netscreen idea is this. If you need to have a remote site with more than one phone, just create a VPN tunnel and pass your * traffic from one side to the other. This would also make available any network resources you needed shared such as a mail server, etc, etc... It is the basic, remote office setup that would allow a unified access model for people at either site. So Joe at office A gets network shares just like Bob at office B.

However, if your goal is just single user end points, a plain ole soft phone and XP/2K -> PIX VPN session will work just fine and be cheaper assuming you have the VPN license for the PIX.

W

On Wednesday, 6 October 2004 15:57, Michael Di Martino wrote:
> I have an Asterisk server providing phone service for my company.
> The server is behind a PIX-515 FW and is assigned a private address
> 192.168.11.X/24.
>
> With that said, what is best to provide remote SIP phones (home offices)
> securely?
>
> If the solution is to put up another Asterisk server with a public IP
> address I am opposed to that.
> I am looking for a secure, reliable solution to set up remote SIP
> phones.
>

Actually Asterisk lacks real security support. If a third party gets hold of that md5 hash it will be a matter of time to crack the password but this is only an authorisation problem.

The next problem is that all voice data is sent unencrypted. I read about an analysis tool yesterday that's capable of decoding a lot of protocols for debugging. You certainly don't want corporate calls decoded, do you?

So the only solution I would suggest is to set up a secure vpn-connection that tunnels the data streams to your office.

Jens

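Added example, not part of the original thread: the challenge/response check behind the md5secret setting in Race's message, and the reason a captured hash matters as Jens notes, written as the no-qop form of RFC 2617 digest authentication. The realm "asterisk", the password, nonce and URI are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def make_md5secret(user: str, realm: str, password: str) -> str:
    """Value stored as md5secret in sip.conf: MD5(user:realm:password)."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def phone_authorization(user, realm, password, method, uri, nonce) -> str:
    """Phone side: answer the PBX challenge using the configured password."""
    ha1 = make_md5secret(user, realm, password)
    resp = digest_response(ha1, method, uri, nonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')

def parse_authorization(header: str) -> dict:
    """Split a Digest Authorization header into lower-cased fields."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)
    return {key.lower(): value.strip('"') for key, value in pairs}

def pbx_verify(header: str, method: str, md5secret: str, issued_nonce: str) -> bool:
    """PBX side: recompute the response from md5secret and the nonce it issued."""
    try:
        fields = parse_authorization(header)
    except ValueError:
        return False
    if fields.get("nonce") != issued_nonce:      # stale or replayed answer
        return False
    expected = digest_response(md5secret, method, fields.get("uri", ""), issued_nonce)
    return hmac.compare_digest(expected.encode(), fields.get("response", "").encode())

# Constructed sample values (assumptions, not taken from the thread).
USER, REALM, PASSWORD = "5551212", "asterisk", "example-password"
URI, NONCE = "sip:pbx.example.invalid", "4f2a9c1e"
SECRET = make_md5secret(USER, REALM, PASSWORD)

if __name__ == "__main__":
    good = phone_authorization(USER, REALM, PASSWORD, "REGISTER", URI, NONCE)
    bad = phone_authorization(USER, REALM, "wrong-guess", "REGISTER", URI, NONCE)
    print("correct password:", pbx_verify(good, "REGISTER", SECRET, NONCE))
    print("wrong password:  ", pbx_verify(bad, "REGISTER", SECRET, NONCE))
    print("old nonce reused:", pbx_verify(good, "REGISTER", SECRET, "9b7d3e50"))
```

The md5secret never crosses the wire, but it is all pbx_verify needs, so sip.conf should be readable only by the Asterisk user. The exchange authenticates signalling only and leaves the audio unencrypted, which is the thread's argument for the tunnel.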
Of Note... PPTP is exactly what I am using in the XP -> Pix example I proposed. It works well, is "more secure" than nothing as Ben said, and is cheap. True IPSec is the next level if you have the devices to set up a good tunnel.

W

-----Original Message-----
From: Benjamin on Asterisk Mailing Lists [mailto:benjk.on.asterisk.ml@gmail.com]
Sent: Wednesday, October 06, 2004 8:48 AM
To: Michael Di Martino
Cc: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Asterisk and SIP phones

On Wed, 6 Oct 2004 11:35:07 -0400, Michael Di Martino <mdm@telx.com> wrote:
> What you're saying is to set up a VPN tunnel between the Office and the
> user's home?

So? You said you were opposed to setting up another Asterisk box, which pretty much rules out IAX peering like

[SIP-phone]---SIP--->[Asterisk]===IAX===>[Asterisk]---SIP---[SIP-phone]

Yet you said you wanted something that is both *secure* and *reliable*. Well, venturing with SIP outside of a LAN is not secure and it ain't reliable either, so tunneling is the only thing that will get you those requirements fulfilled.

Your PIX should support PPTP and if you want to use Xlite, I suppose it will run on a Windoze PC which has got PPTP built in. Not as good as IPsec, but better than sending SIP out naked.

rgds
benjk

-----Original Message-----
From: Benjamin on Asterisk Mailing Lists [mailto:benjk.on.asterisk.ml@gmail.com]
Sent: Wednesday, October 06, 2004 12:21 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [Asterisk-Users] Asterisk and SIP phones

On Wed, 6 Oct 2004 08:59:49 -0700, Wiley E. Siler <wsiler@e2020inc.com> wrote:
> However, if your goal is just single user end points, a plain ole soft
> phone and XP/2K -> PIX VPN session will work just fine and be cheaper
> assuming you have the VPN license for the PIX.

And if you don't have a VPN license for the PIX, don't bother making Cisco any richer, don't get a VPN license for the PIX. Get a Wolverine box instead. It's configuration file compatible with the PIX, so you will feel right at home but it's based on an embedded Linux (fitting into 32MB Flash) and FreeSwan/OpenSwan. Available as a software only build-your-own or ready made VPN router box. URL is http://www.vortech.net

rgds
benjk

What would the issue be if I set up another Asterisk server w/ a public IP address?

With two boxes, you would need to pass traffic to the other * box in order for an "internal" call plan to work for all your users whether at home or abroad. That means that you would have to dual home (if possible) which would cause a potential security issue. Or you could NAT again and allow *-one to talk to *-two. Or you could VPN from *-one to *-two.

What are you trying to accomplish exactly?

Michael Di Martino wrote:
> I have an Asterisk server providing phone service for my company.
> The server is behind a PIX-515 FW and is assigned a private address
> 192.168.11.X/24.
>
> With that said, what is best to provide remote SIP phones (home offices)
> securely?
>
> If the solution is to put up another Asterisk server with a public IP
> address I am opposed to that.
> I am looking for a secure, reliable solution to set up remote SIP
> phones.
>

VPN as already suggested. One other way is a "session border control" device like the ones made by Kagoor Network, Jasomi or Ilocus.

Cheers,
Gilad