RE: [Asterisk-Users] * and Cisco routers
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lars Boegild Thomsen
Sent: Tuesday, May 18, 2004 11:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Asterisk-Users] * and Cisco routers

Well - I would assume that most Asterisk instances run on Linux boxes, so even if put directly on a public IP address it's quite possible to protect the machine and do various VPN setups (including IPSec). Speaking of which - anybody got experience with VoIP and IPSec? I've never really used IPSec, but I would imagine it creates a significant delay.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ronald R. McDaniel
Sent: 19 May 2004 11:13
To: [EMAIL PROTECTED]
Subject: Re: [Asterisk-Users] * and Cisco routers

Doug, I don't believe that it would be a good idea to leave the Asterisk box unprotected (without any firewall). This would leave you wide open for people to access your internal system through the Asterisk box. We have all been participating in a discussion about an article written by the ingenious Mr. Jim Louderback, technology writer for Ziff Davis, regarding the security risk of IP Telephony. As far as the cost of vpning the phones, maybe you could use LinkSys vpn routers ($129.00 / each) and cut the cost in half. If you didn't want to go the VPN route, you could set up an access-list on your 3810 to only accept traffic from the known IP addresses of your home warriors. This is not the most secure, but it does provide some security and would probably block most half-hearted attempts from wannabe hackers. You could sell your Cisco phones, install X-Lite (free softphone) and put the money from the Cisco phones toward vpning your network. There are several ways to go, I just wouldn't leave it wide open.

I have a couple * boxes being used via IPSEC and they are functional, but it does add some delay because it's another hop thru the firewall. I don't notice a problem, but our bandwidth falls well short of Cisco's 80/20 golden rule.

By placing it directly on the Internet, you can definitely use the edge routers to filter a lot of garbage and NAT 0 the * box on a DMZ (speaking Cisco PIX). This way, you're protected by the firewall, but still have a real IP addressable box not going thru NAT, which we know SIP doesn't do very well over. If using BGP as a routing protocol, consult your ISP's community list to see if they have special tagging for QOS and tag your VOIP. Many ways to approach it.

Joe

___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
RE: [Asterisk-Users] * and Cisco routers
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lars Boegild Thomsen
Sent: Tuesday, May 18, 2004 11:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Asterisk-Users] * and Cisco routers

[...] Speaking of which - anybody got experience with VoIP and IPSec? I've never really used IPSec, but I would imagine it creates a significant delay.

I run one or more 7960's over several different VPN setups. The one that introduces the most latency is a cheap PIX (read: 501 or 506). A 515 is OK, a 515 with a crypto card is pretty acceptable. The best setup is a 1721 or better with a crypto card. I routinely run that config at each end using GRE over IPSec and have no problems (it introduces about 20 ms latency when properly configured. A cheap pix can introduce about 40 to 80 on average).

One IPSec VPN connected between a 6509 MSFC-GigE-7206VXR-DS-3-7206VXR introduces only 12 ms latency on average. Of course that's nearly $30k worth of plumbing, so one would expect that kind of performance.

Daryl
[Asterisk-Users] * and Cisco routers
I am completely new to * (I know, read the archives, but this is a little different case). I am trying to set up a SIP system outside my security firewalls for home users. I currently run a Cisco AVVID solution internally but it's highly firewalled. I am planning on building a PRI out of my 3745 Cisco router and plugging it in to a 3810 which is on the outside set up with SIP, and running a * server to serve the call on the outside to 7940 phones with the SIP load. I don't care about VM that much other than to pass it back to my Unity box over the very short PRI channel.

I know this sounds really strange but I am not about to let my Cisco CCM's even touch the net to make remote phones work, and static vpning hardphones is getting a bit pricey at 550 a pop for PIX boxes plus power supplies. I don't have a big problem with different ext as this would mainly be for outbound calls and my users can fwd their desk phone's DID to an ext that goes to their house.

Basically this is a way for me to use up my 50-60 odd 7940 that I have in storage and to allow my sales teams to work from home on the company's bulk phone plan. Any ideas or comments would be great.

Doug Block
Chief Information Officer of Efast Funding
713-983-4055 (Direct)
888-338-3863 x 4055 (Toll Free)
713-983-4555 (Direct Fax)
832-483-4495 (Cell)
Re: [Asterisk-Users] * and Cisco routers
Doug, I don't believe that it would be a good idea to leave the Asterisk box unprotected (without any firewall). This would leave you wide open for people to access your internal system through the Asterisk box. We have all been participating in a discussion about an article written by the ingenious Mr. Jim Louderback, technology writer for Ziff Davis, regarding the security risk of IP Telephony.

As far as the cost of vpning the phones, maybe you could use LinkSys vpn routers ($129.00 / each) and cut the cost in half. If you didn't want to go the VPN route, you could set up an access-list on your 3810 to only accept traffic from the known IP addresses of your home warriors. This is not the most secure, but it does provide some security and would probably block most half-hearted attempts from wannabe hackers.

You could sell your Cisco phones, install X-Lite (free softphone) and put the money from the Cisco phones toward vpning your network. There are several ways to go, I just wouldn't leave it wide open.

Sincerely,
Ronald R. McDaniel
Southern Computer Services, Inc.
[EMAIL PROTECTED]
(251) 444-3136 office
(251) 446-3137 fax
(251) 294-1202 cell
RE: [Asterisk-Users] * and Cisco routers
Well - I would assume that most Asterisk instances run on Linux boxes, so even if put directly on a public IP address it's quite possible to protect the machine and do various VPN setups (including IPSec).

Speaking of which - anybody got experience with VoIP and IPSec? I've never really used IPSec, but I would imagine it creates a significant delay.
Re: [Asterisk-Users] * and Cisco routers
I personally think firewalls are a stopgap measure for the real problem. A firewall and VPN are not a foolproof method of protection. Fix the real problem instead of hiding it. I usually don't use a real firewall but ACLs and other similar methods to lock down where/who can access a box. As for Cisco routers, we use ACLs to lock those where the Asterisk box is the only one that can access it.

bkw
FW: [Asterisk-Users] * and Cisco routers
I understand that softphones are the answer; in fact I deploy a ton of the IP comm version every week. I am under contract with the phones so I can't sell them and there's no easy way out of the contract. As for 79XX's, I have several offices that have them working over a VPN backed in to our main office where the CCM's and GW's are, with manageable problems, and for the most part they are fine. As for the hackers, I am not too concerned about them (yes I know this is stupid, but where are they going to go besides in my little phone world, as the SIP system will hang off my big system). I just can't believe it's that hard to set up a SIP system.

Another note on the hacker security thing. I would be happy if I could get it to work first with no outside PSTN connection, then do a security audit on it and fix the holes. If the holes are too bad after the audit then, well, I have a nice prebuilt system to let someone rent or borrow till the lease is up.

Sorry about the tone but I have been dealing with CCM bugs all day long with Cisco TAC (I bet most of you here have been stuck with them before).

---

As far as your investment is concerned, the phones have a used value. I can offer you $150/phone, but that's not the point. Putting the 79xx in the field is a bad idea. The 79xx was intended for the LAN, you know it, I should not have to sell you on the reasons why field servicing the phone is fraught with peril.

I like softphones. First, employees can't steal them, second, you don't have rewiring to worry about and 3rd, it's $15/employee for a decent headset. If you want to try IAX, see the attached softphone. I usually can get through any firewall/NAT with this little guy. It's not pretty, but it works great. The nice part about IAX is that it is so obscure that most hackers will ignore it as they want to crack SIP or H323. IAX is pretty safe.

Regards,
TL

-----Original Message-----
From: lists [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 18, 2004 10:43 PM
To: 'Todd Lieberman'
Subject: RE: [Asterisk-Users] * and Cisco routers

The problem is I have 50-60 7940 just sitting in a very large closet and I also have about 150 DIDs free. The other thing is I would have a very very hard time justifying new hardware. I am currently deploying Cisco's IP softphones, which work great, but what the hell do you do with 50-60 7940's that we paid 315 or less per?

Doug Block
Chief Information Officer of Efast Funding
713-983-4055 (Direct)
888-338-3863 x 4055 (Toll Free)
713-983-4555 (Direct Fax)
832-483-4495 (Cell)

-----Original Message-----
From: Todd Lieberman [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 18, 2004 8:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Asterisk-Users] * and Cisco routers

Hi Doug,

What you're talking about is setting up 50-60 home networks, it will consume your time. I suggest the IAXy ATA with the IAX2 protocol or some other NAT friendly protocol. 7940's are good on the LAN, not a WAN. If you like Asterisk, look at: http://www.voxilla.com/modules.php?op=modloadname=Newsfile=articlesid=54

I have these in stock and could send you one to play with. I'll also buy your 7940's.

TL

--
Todd Lieberman
[EMAIL PROTECTED]
http://tlsolutions.net
p. 215-495-0030
f. 215-495-0031
RE: [Asterisk-Users] * and Cisco routers
It's a very small delay; my avg from Houston to Tampa is about 70 ms over the tunnel and about 40 without the tunnel on a good day. The thing that gets you is the lack of QOS over the Net, so get some good pipes. This is using a VPN 3005 and a PIX 506 with 168-bit encryption on a nail vpn.

If you want it over a Windows Cisco client I will have to get you that answer tomorrow as my laptop is still at work, but so far softphone on it work great with every softphone I have tried.
Re: [Asterisk-Users] * and Cisco routers
ACLs are nowhere near as secure as firewalls and VPNs. ACLs only look at IP address and ports. Spoof the IP address and find out the port and you can get in. I am not saying that this would be an easy task, it would be pretty difficult to do under most situations. Typically we use ACLs along with our firewalls when implementing security solutions for our customers.

Ronald R. McDaniel
Southern Computer Services, Inc.
[EMAIL PROTECTED]
(251) 444-3136 office
(251) 446-3137 fax
(251) 294-1202 cell
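
The address-based filtering discussed in this thread (an access list that only accepts traffic from known home-user addresses, and the point above that such a list decides on addresses and ports alone), as an added example that is not part of any poster's message. The addresses, ACL number 110, SIP on UDP 5060 and the RTP range 10000-20000 (Asterisk's stock rtp.conf range) are assumptions for illustration; the sample hosts are constructed from documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

SIP_PORT = 5060              # SIP signalling over UDP
RTP_PORTS = (10000, 20000)   # assumption: Asterisk's stock rtp.conf range

# Constructed sample data (documentation address ranges, not real hosts).
HOME_USERS = ["203.0.113.10", "203.0.113.20"]
ASTERISK = "198.51.100.5"


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str                        # "udp", or "ip" for any protocol
    src: Optional[str]                # host address, None means "any"
    dst: Optional[str]
    ports: Optional[Tuple[int, int]]  # inclusive destination port range

    def matches(self, proto, src, dst, dport):
        # Only header fields are compared: the rule has no notion of
        # who actually sent the packet.
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src is not None and self.src != src:
            return False
        if self.dst is not None and self.dst != dst:
            return False
        if self.ports is not None:
            return dport is not None and self.ports[0] <= dport <= self.ports[1]
        return True

    def to_ios(self, number):
        src = f"host {self.src}" if self.src else "any"
        dst = f"host {self.dst}" if self.dst else "any"
        line = f"access-list {number} {self.action} {self.proto} {src} {dst}"
        if self.ports:
            lo, hi = self.ports
            line += f" eq {lo}" if lo == hi else f" range {lo} {hi}"
        elif self.action == "deny":
            line += " log"            # log whatever falls through
        return line


def build_rules(home_ips, asterisk_ip):
    """Permit SIP and RTP from each known address, then deny the rest."""
    dst = str(ipaddress.IPv4Address(asterisk_ip))
    rules, seen = [], set()
    for raw in home_ips:
        src = str(ipaddress.IPv4Address(raw.strip()))  # ValueError on a typo
        if src in seen:
            continue                  # skip duplicate entries
        seen.add(src)
        rules.append(Rule("permit", "udp", src, dst, (SIP_PORT, SIP_PORT)))
        rules.append(Rule("permit", "udp", src, dst, RTP_PORTS))
    rules.append(Rule("deny", "ip", None, None, None))
    return rules


def render_ios(rules, number=110):
    """Render the rules as numbered extended access-list lines."""
    return [r.to_ios(number) for r in rules]


def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins, as on the router."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"  # IOS ends every ACL with an implicit deny


if __name__ == "__main__":
    acl = build_rules(HOME_USERS, ASTERISK)
    print("\n".join(render_ios(acl)))
    print(evaluate(acl, "udp", "203.0.113.10", ASTERISK, 5060))
    print(evaluate(acl, "udp", "192.0.2.99", ASTERISK, 5060))
```

Because `evaluate` sees nothing but protocol, addresses and port, the list narrows who can reach the box without authenticating anyone, which is why the posts here pair it with a firewall or VPN.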
Re: [Asterisk-Users] * and Cisco routers
I'm not saying not to use them, but firewalls and VPN are not very VoIP friendly. VPN adds latency and jitter and firewalls play hell with RTP ports.

bkw
RE: [Asterisk-Users] * and Cisco routers
The funny thing is that in my experience VoIP actually works quite well over the Internet. I am Danish but live in Malaysia, so I do quite a lot of VoIP calls between those two locations. That can't possibly get any worse on the public Internet. There are an average of 25 hops between Malaysia and Denmark, it literally goes all the way round this little planet (from Malaysia via Hong Kong to US West Coast. Through US and from US East Coast to Denmark). Round-trip delay is usually around 550 ms (meaning somewhere around 260 ms one way). Yet in my experience, having been running this for more than a year, it is EXTREMELY rare that there are drop-outs or delays caused by the Internet.

The last mile is important. If there are drop-outs they are usually always caused by the miserable 382 kbps xDSL link I am stuck with here in Malaysia. But that part can be handled with proper QoS (queueing in Linux).

In short - even in the scenario described above - which must be considered an almost worst case scenario - the quality is generally more than OK and in general noticeably better than GSM calls. I quite often use a call going that way to demonstrate the quality when I get concerns about poor quality of VoIP via the Internet.

I saw a user survey a few years back that concluded that most people didn't really notice delays of less than 3-400 ms. Only around 500 ms most users noticed and were annoyed by it.

And now judging from your comments IPSec shouldn't really be a problem either.