Security/Firewall Discussion

With respect, that is not really the job of a router; it should follow directions as given. If you have SPI and “helper” functions built in to your router then perhaps it works for you. Many so-called “helpers/ALG” are just broken; consider yourself lucky if yours work.

http://www.voip-info.org/wiki/view/Routers+SIP+ALG


I’m not talking about a helper. I’m talking about basic firewall actions.

When you request a web-page, your firewall must leave open the port to get the response. If you don’t, the response will be blocked.

By the same token, when you send a SIP Registration, the router has to leave the port open for the recipient so that you can get a response, for a certain period of time. Most routers wait about 60 seconds. If you set qualify=yes, the OPTIONS message will keep the port open continually.

This isn’t a helper issue. It’s basic NAT/routing functionality. If you configure iptables (the firewall used in CentOS and other Linux distros) to allow related and established, it works essentially the same way.

How well does that work for your external extensions with no NAT rules?


This is not a fault of the firewall or router. Just because SIP helper functions work on the cheap “Best Buy” model of routers does not mean it’s easy when you move up to more advanced routers. pfSense is no child’s toy and cannot be found at your local Best Buy. Does that mean it’s broken? No. Is that the fault of pfSense? No.

EdgeLite routers do the same thing. Does that mean they are broken as well? No.

Outbound pin-holing is not the same as inbound.

UPNP is a consumer technology because “you” can’t open ports right. The same applies to SIP ALG and Port Triggering. Do you think someone would have created those if people knew what they were doing?

I have a netgear router at my house. I can make calls in and out fine to a remote server whether SIP ALG is on or off… however I have to turn off SIP ALG so that my BLFs work. If that doesn’t make you think twice about what the f-- SIP ALG actually does… it should!

I use the EdgeRouter Lite, and it works just fine without opening any ports.

I’m not talking about SIP ALG, helper functions, or UPNP. I’m also not talking about remote extensions.

I’m talking about an Asterisk box that connects to remote trunks using a registration string, where the Asterisk box is behind a router.

Opening ports and remembering where to route the return packets is a basic firewall/NAT function.

If you want remote extensions to connect to an Asterisk box that is behind a NAT/firewall, you certainly can open ports. But you shouldn’t; you should use a VPN. If you absolutely must open ports for a remote extension, you should use Ward Mundy’s Travellin’ Man so that inbound packets aren’t allowed through iptables unless they come from an approved source…

It’s not that easy in the real world. Explaining and supporting dozens if not hundreds of external clients using everything from windoze to iOS to Android to whatever, the “howtos” and the gotchas of VPNs will spoil many of your days. Just learn to set up your firewall/router correctly and securely and save yourself a whole skinload of pain. It’s not brain surgery, and it has been used successfully by many people here and elsewhere for 30 years and more; call it the internet if you want :slight_smile:


Well, I support hundreds of external clients using everything from Windows to Android. Setting up a VPN is uber-easy with OpenVPN since it’s cross-platform. It’s even easier when you use Vyatta or an EdgeRouter and you set up the VPN at the router level.

If you choose to keep your ports open to the world when you don’t need to, be prepared for a large phone bill. I guess Shain69 learned that the hard way…

And I’m pretty sure that NOBODY has been doing VOIP for 30 years. The first VOIP app wasn’t developed until 1991. SIP wasn’t finalized until 1999…

http://tools.ietf.org/html/rfc2543

Perhaps uber-easy for AdHominem, not so much for real-world clients with their real-world routers and their often “humility impaired” attitudes. Do you go to each of your clients and do it for them?

Shain69, only for lack of experience in the real world, made about every error of commission and omission common for a newbie.

Before VOIP came IP networking (see ARPANET), soon followed by the WWW in the 80s. It was about that time that it was discovered that routers would be a good thing; Cisco opened its doors in 1986. They were not the first to build one.

Do I go out and do it for them? Of course not. I VPN in and do it remotely…

Catch-22 there, surely. How do you VPN into a network without a VPN? Perhaps you mean SSH, but the same arguments pertain there also.

OK, I’m done playing, please go with your own god, and have the best of luck with her.


I require all of my customers to have an EdgeRouter (or Peplink router), and I configure it for VPN before I ship it to them… :smile:

I appreciate that you spelled god with a lowercase g… :slight_smile:

Then we can agree that your original edict:

is only appropriate for your particular implementation of your idea of SIP over your highly restrictive intranet, one that I posit few would agree with, as it just isn’t practical in the “real world”. Most of us here use the internet, and cannot afford to expose our clients to a couple of hundred dollars per route extra without mass insurrection; it’s hard enough to get $25 each :slight_smile:


No, my edict is appropriate for everyone.

VPNs don’t cost “a couple hundred dollars.” OpenVPN is free, and runs on every platform, including Windows, iOS, Linux, and Android. It uses a unified configuration file, so if you have the config for any platform, you have the config files for every platform. You can even run it on VMware Player and redirect your entire network traffic through it if you want to.

My SIP is not limited to an intranet. I use SIP over the open internet to make and receive calls all day long. But I haven’t forwarded a single port. My router is configured to allow related and established packets only. I also set up iptables on my Asterisk box and block everything but LAN traffic and related/established on it as well.

Security is always inconvenient, but it is priceless.

It is never necessary to forward ports. NEVER FORWARD PORTS!!

If you are unwilling to spend the ten minutes it takes to configure a VPN, at least take the 2 minutes it takes to install Travellin’ Man…

http://nerdvittles.com/?p=815

Or you could just wait for this to happen…
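The stateful “related/established” behaviour argued for in this post and in the earlier one about REGISTER and qualify=yes (an outbound packet opens the return path, keepalives refresh it, idle entries close and unsolicited inbound is dropped), modelled as an added Python example that is not code from the thread. The 60 s idle timeout is the figure quoted in the thread, and the addresses and flow names are constructed.

```python
"""Toy model of a stateful UDP NAT/firewall, as described in the thread.

Constructed example, not code from the thread: an outbound packet creates a
connection-tracking entry keyed on its 5-tuple; an inbound packet is allowed only
while a matching entry is alive; traffic in either direction refreshes the entry.
"""
from dataclasses import dataclass

UDP_IDLE_TIMEOUT = 60.0  # seconds; the figure the thread quotes (assumption for the model)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulNat:
    """Tracks outbound UDP flows; inbound packets pass only as replies to one."""

    def __init__(self, timeout: float = UDP_IDLE_TIMEOUT):
        self.timeout = timeout
        self._table: dict[Flow, float] = {}  # flow -> last-seen time

    def _expire(self, now: float) -> None:
        stale = [f for f, seen in self._table.items() if now - seen > self.timeout]
        for flow in stale:
            del self._table[flow]

    def outbound(self, flow: Flow, now: float) -> bool:
        """LAN -> Internet: always allowed; creates or refreshes the entry."""
        self._expire(now)
        self._table[flow] = now
        return True

    def inbound(self, flow: Flow, now: float) -> bool:
        """Internet -> LAN: allowed only if it is the reverse of a live outbound flow."""
        self._expire(now)
        original = flow.reverse()
        if original in self._table:
            self._table[original] = now  # a reply refreshes the pinhole too
            return True
        return False  # unsolicited inbound packet: dropped


def demo() -> dict:
    """PBX behind NAT registers to a trunk provider (constructed addresses)."""
    nat = StatefulNat()
    reg = Flow("192.0.2.10", 5060, "203.0.113.5", 5060)
    results = {}
    nat.outbound(reg, now=0.0)                                              # REGISTER
    results["reply_in_window"] = nat.inbound(reg.reverse(), now=5.0)        # 200 OK
    results["unsolicited"] = nat.inbound(Flow("198.51.100.9", 5060, "192.0.2.10", 5060), now=6.0)
    nat.outbound(reg, now=50.0)                                             # qualify=yes OPTIONS
    results["invite_after_keepalive"] = nat.inbound(reg.reverse(), now=100.0)  # 50 s idle
    results["invite_after_idle"] = nat.inbound(reg.reverse(), now=200.0)       # 100 s idle
    return results
```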

You’re both doing it your own way and you’re both right. @AdHominem just because we don’t do it your way doesn’t mean we don’t know what we are doing. The gist I get here is that you are trying to persuade us that we are both wrong. The needless history lesson about SIP was… well needless.

Because this completely diverged from the original post I have split this topic from the original.

We can just agree to disagree.

In my time I have officially and unofficially been present in an undetermined number of systems and networks. Security can only ever be best effort. The easiest resources to access are the ones where some admin was super confident they knew what they were doing. There is always someone smarter than you. The only way to be truly secure is to not own or use a server. If it has data on it, there is a security risk. We can’t all live in concrete bunkers with no wires in or out. So we have to do the best we can and assume it is not good enough.


Andrew, I’m certainly not saying that you’re doing it “wrong.”

But, I do feel very strongly about my position, and I see how it might come off that way.

No offense was intended, and I’m happy to agree to disagree with you.

I still owe you lunch the next time you come to OC, so please remember to let me know in advance.

:slight_smile:

How about, instead of just creating a post to lambast us wicked openers of ports, you use your zeal for the topic to educate those of us who do not know how to do the OpenVPN setup and create a tutorial?

Because the tutorial has already been written. In fact, Ward Mundy just wrote another tutorial in the last week…

The most important advice was to never open port 80 or port 5060. “If you can access TCP ports 22 (SSH) and 80 (HTTP) and TCP/UDP port 5060 (SIP) of any of your Asterisk® and FreePBX-based servers anonymously from the Internet, you’re either nuts or rich.”

http://nerdvittles.com/?p=10779

There’s been an OpenVPN tutorial on the PIAF Forum for the last four years. Let me Google that for you…

Actually, let me hopefully defuse this. To my knowledge H.323 was the first ratified voice-over-packet technology. Certainly it wasn’t IP. We were doing VoFR (Voice over Frame Relay) for paging system backhaul as early as 1991. I think the product was a Micom Forerunner. On a 64k clear channel (no robbed-bit signalling, single DS-0) point-to-point DDS service we used an 8k ADPCM (adaptive compression PCM) CODEC to squeeze in a shocking 9600 baud maint. terminal, an order wire line (major props to anyone who knows what this is, except Dicko) and 5 paging trunks.

The funny thing is the major problem was DTMF recognition down the trunks for voice mail and digital pagers. It was solved by the vendor with what I believe was the first hard, out-of-band DTMF extender. This thing was an ugly beast. It sat after the center tap xfer/relay on the 600 ohm 2-wire side of the hybrid. It was a field mod; you had to cut traces (techs could actually fix things back then, not just whine and open tickets) and insert this board. It contained 8 analog notch filters for the DTMF fundamental row/column tones to pull the DTMF out of the channel. The filters were pretty poor; they drifted and were only about 24-30 dB deep, so sometimes just enough DTMF would get through to screw the pooch.

Anyway, once again I digressed. A DTMF detector sat in front of the filter. The data bus of the decoder went to some inexpensive uPU that put the data in a little message and sent it to the far end where it was re-encoded.

So much has changed, but has not. I would call digital voice a 60s technology (North American Digital Hierarchy DS-X technology, TDM); compression over TDM, 70s; packet voice, 80s; Voice over X, 90s; softswitching, 2000s.

Sometimes I am blown away that I have been in the industry since the 70s and am still relevant today. It was a great time to be in tech.