Applied VoIP Security

Applied VoIP Security & Reliability on Commodity Services, Hardware & Software

  • My goal: present lessons learned and solution highlights, give you enough to get started and ask me or the community questions, support worthy projects and providers
  • Love technology and people: teaching efficiency & communications. Experience: SMB & Fortune 500 – generally on the SMB side, Rite Aid acquisition of Eckerd Drug (~1850 stores). Fascination with telephones: age 5, kitchen phone pinched wire.
  • Started out on Nortel, hands-on support. Avaya: RHEL, MySQL, SIP + proprietary. Very expensive, land-locked solutions: ~$32k for a 40-person office. Started looking for a small office solution: discovered trixbox & Aastra. Asterisk can almost always do everything the big boys can do.
  • Everything that I will talk about in this case study is represented by one of these three companies
  • Lodging solutions. Rapid growth predicted. Geographically dispersed and needed to be able to connect easily. Reservations, file sharing already in place in central colo. Needed something flexible & affordable to grow and scale with the business: Asterisk was the answer.
  • Failover strategy depends heavily on the client’s tolerance for downtime and the tolerance, in turn, of their clients for the same
  • Foxconn - around $160/each
  • Not going to cover PIAF and iptables/Fail2ban. OpenVPN – easy to phone home = easy provisioning.
  • Viscosity does seem to have a quirk with network routing delay – anyone found anything better?

    1. Applied VoIP Security & Reliability on Commodity Services, Hardware & Software …a primer on what works in the real world
    2. Informal Poll
       • Legacy PBX replacement / upgrade path?
       • VoIP in your enterprise?
       • Asterisk in your enterprise?
       • Just starting out with VoIP?
    3. Presentation Overview
       • Review common business communications struggles
       • Asterisk lessons learned
       • “Mid-dive”
       • Solutions overview: availability, reliability, security
         • Software
         • Hardware
         • ITSPs we rely on
         • Measurement methods
    4. Speaker Introduction
       • Dennis Little (KeyCruncher)
       • Passion: “Technology Translator” & Communications
       • Head, Business Communications division
       • Asterisk believer since 2005
       • tapestry technologies, LLC (tt)
       • MyBusinessTelephone.com
       • SME: Defense IT Policy, Training
       • Shout-out: Anteil, Inc.
       • (Slide sidebar: tapestry tech & Dennis Little – IRC: keycruncher – KeyCruncher.com – dennis@tapestrytech.com)
    5. Why believe in Asterisk?
       • Engineering support for a large, proprietary (Avaya) installation
       • $400M organization, $40k benevolent care / day
       • Supporting 2,200+ staff and 3,000+ seniors in PA, MD & DE
       • Serving 70,000+ families & children per year
       • A lot of FOSS software underneath…
    6. Full Disclosure
       • tapestry affiliations:
         • Digium® Affiliate Asterisk® Integrator
         • Polycom® Authorized Partner (VoIP)
         • Xorcom® Certified Dealer (but we used them before we dealt them)
       • My experience + struggles + solutions != the best way
    7. Why Voice over IP? Why Asterisk?
       • Quality
       • Flexibility & scalability: connectivity, providers, contact center location
       • Contract commitments (or lack thereof)
       • Easy path forward for legacy systems
       • Standards-based vs. proprietary
       • Return on investment & cost savings
    8. Case Study Overview
       • Lodging business
       • Startup in 2009 with 4 staff in 2 states
       • ? carriers, ? volume
       • Robust, secure, flexible
       • Future = ??
       • Today: ~27 staff in 7 locations
       • Remote colo w/ failover
    9. Communications Problem Overview (problem → solution)
       • SIP + NAT traversal → good protocol understanding & network design
       • Quality phone conversations → QoS on expensive data/voice lines
       • Security → least-privilege & encryption / encapsulation, firewalls, fail2ban, etc.
    10. Solution(s) Philosophy
       • FOSS where it makes business sense
       • FOSS where it is ready for prime time
       • Encryption. Least-privilege.
       • Always have a failover and backup(s)
    11. Requirements: Providers
       • Quality colo facilities
       • History of reliability & availability
       • ITSPs (always have a failover plan):
         • Vitelity – flexibility, very good support, reliable
         • Bandwidth.com – reputable, unlimited usage
    12. Requirements: Security
       • Only allow necessary traffic
         • VoIP provider should be able to tell you all of their subnets
         • You should know all of yours
       • VPN tunnel everything – it was worth the overhead here
       • Follow VoIP security best practices & stay involved
         • Community events & networking w/ like-minded folks
         • Excellent documentation
         • IRC / mailing lists / RSS feeds
         • VUC.me (VoIP Users Conference call: Friday, noon)
    13. Hardware
       • Servers: Dell R310, SuperMicro 5015A
       • Telephones: Polycom SoundPoint IP 335, 650, 670, 7000; softphones Bria, X-Lite, Zoiper (this solution is 100% VoIP)
       • VPN routers: Foxconn R10-D2 / Atom D510 (image courtesy: NewEgg.com)
    14. Software
       • Asterisk
       • iptables + Fail2ban (+ least-privileged access)
       • OpenVPN – E2E encryption, easy access control
       • Vyatta community edition
       • KVM VMs + DRBD – HA failover b/t call servers
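Slides 12 and 14 say to allow only necessary traffic and to do it with iptables: SIP and RTP only from the subnets your ITSP publishes, everything else over the VPN. The following is an added example (not from the presentation or tapestry technologies) that renders that allowlist as iptables commands and evaluates packets against the same policy; the subnets are constructed RFC 5737 documentation ranges, the RTP range assumes the Asterisk rtp.conf default, and the tun0 interface name is assumed.

```python
import ipaddress

# Constructed placeholders: replace with the subnets your ITSP actually publishes.
ITSP_SUBNETS = ["192.0.2.0/24", "198.51.100.0/25"]
SIP_PORT = 5060              # SIP signalling over UDP
RTP_RANGE = (10000, 20000)   # assumed Asterisk default rtp.conf range
VPN_PORT = 1194              # OpenVPN default; road warriors and remote sites come in here
VPN_IFACE = "tun0"           # assumed OpenVPN interface name


def iptables_rules(subnets=ITSP_SUBNETS):
    """Render an allowlist for a call server: SIP/RTP from the ITSP only, VPN from anywhere,
    already-established flows and tunnel traffic accepted, every other UDP packet dropped."""
    rules = [
        "iptables -N VOIP",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -i {VPN_IFACE} -j ACCEPT",
        "iptables -A INPUT -p udp -j VOIP",
    ]
    for net in subnets:
        n = ipaddress.ip_network(net)   # raises ValueError on a mistyped subnet
        rules.append(f"iptables -A VOIP -s {n} -p udp --dport {SIP_PORT} -j ACCEPT")
        rules.append(f"iptables -A VOIP -s {n} -p udp --dport {RTP_RANGE[0]}:{RTP_RANGE[1]} -j ACCEPT")
    rules.append(f"iptables -A VOIP -p udp --dport {VPN_PORT} -j ACCEPT")
    rules.append("iptables -A VOIP -j DROP")
    return rules


def verdict(src_ip, dport, subnets=ITSP_SUBNETS, iface="eth0"):
    """Decide what the VOIP chain above would do with a new UDP packet from src_ip to dport."""
    if iface == VPN_IFACE:
        return "ACCEPT"                       # inside the tunnel: authenticated peer
    src = ipaddress.ip_address(src_ip)
    from_itsp = any(src in ipaddress.ip_network(n) for n in subnets)
    if from_itsp and (dport == SIP_PORT or RTP_RANGE[0] <= dport <= RTP_RANGE[1]):
        return "ACCEPT"
    if dport == VPN_PORT:
        return "ACCEPT"                       # OpenVPN does its own certificate + password auth
    return "DROP"                             # unsolicited SIP from the internet never reaches Asterisk


if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    for probe in [("192.0.2.10", 5060), ("203.0.113.5", 5060), ("203.0.113.5", 1194)]:
        print(probe, verdict(*probe))
```

Fail2ban still belongs behind this: it handles guesses that arrive through the tunnel or from a compromised host inside an allowed subnet.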
    15. OpenVPN
       • Easy access control for networks & road warriors
       • Two-factor authentication (certificate + password)
       • Routed & bridged modes
       • Built-in support for OpenVPN in Vyatta
       • Windows: OpenVPN GUI (non-admin in Win7? Use subinacl utility)
       • Mac OS X: Viscosity
       • OpenVPN Access Server
    16. Vyatta Network OS (~SBC)
       • Powerful, familiar CLI (ie: Linux, tab completion, contextual hints & help)
       • unionfs + RAMdisk to reduce writes on USB storage
       • QoS control – set aside for VoIP / data
       • WAN failover – combine cheap circuits
       • High Availability (free) & HA sync ($)
       • Virtualized editions available
       • $0 or low cost (web filtering requires subscription)
    17. Vyatta configuration excerpt (WAN interface with firewall rule sets, LAN DHCP pool):

        interfaces {
            ethernet eth0 {
                address 123.123.123.2 {
                    prefix-length: 30
                }
                duplex: "auto"
                speed: "auto"
                disable: false
                firewall {
                    in {
                        name: "from-external"
                    }
                    local {
                        name: "to-router"
                    }
                }
            }
        }
        service {
            dhcp-server {
                shared-network-name "eth1_pool" {
                    subnet 192.168.1.0/24 {
                        start 192.168.1.65 {
                            stop: 192.168.1.199
                        }
                        dns-server 209.218.76.2
                        dns-server 208.67.220.220
                        default-router: 192.168.1.1
                        lease: 86400
                    }
                    authoritative: "disable"
                }
            }
        }

    18. Topology Overview (diagram)
    19. KVM (diagram courtesy IBM: http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaat/kvm_over.jp)
    20. DRBD (diagram courtesy: http://www.drbd.org/uploads/pics/overview_02.gif)
    21. Requirements: Commodity Internet
       • Consistently:
         • Low latency to the ITSP
         • 0% packet loss
         • Adequate bandwidth for X calls
       • In general: DSL or fiber for voice, (shared) cable for all other
    22. Requirements: Commodity Internet
       • Quality measurement tools? MyVoIPSpeed.visualWare.com
    23. Requirements: Circuit Capacity
       • How do we carve up the circuit?
       • REMEMBER: We are dealing with commodity internet (no SLA), ie: best-effort circuit delivery
       • Average of 5 tests over time
       • 80-85% of performance from averages is what we assume
       • Determine set-asides accordingly (calculators)
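Slides 21 to 23 describe the capacity procedure: measure the circuit repeatedly, average five tests, assume 80-85% of that average, and size the voice set-aside from it. The example below is added here and is not the presenter's calculator; it carries the procedure through for G.711 with 20 ms packetization over Ethernet (an assumption, since the deck does not name a codec) and reports how many concurrent calls the set-aside can hold.

```python
# Assumed codec profile: G.711, 20 ms packets, i.e. 50 packets/s carrying 160 bytes of audio each.
PAYLOAD_BYTES = 160
PACKETS_PER_SECOND = 50
RTP_UDP_IP_BYTES = 12 + 8 + 20      # RTP + UDP + IPv4 headers
ETHERNET_BYTES = 18                 # 14-byte header + 4-byte FCS; VPN encapsulation would add more


def per_call_kbps(extra_bytes_per_packet=0):
    """Bandwidth one call direction needs on the wire, per the header stack above.
    extra_bytes_per_packet lets you add tunnel overhead (slide 12: VPN tunnel everything)."""
    packet = PAYLOAD_BYTES + RTP_UDP_IP_BYTES + ETHERNET_BYTES + extra_bytes_per_packet
    return packet * 8 * PACKETS_PER_SECOND / 1000.0      # 218 bytes -> 87.2 kbps


def plan_capacity(test_results_kbps, derate=0.80, reserve_kbps=0, extra_bytes_per_packet=0):
    """Apply the slide's rule of thumb to a list of measurements (use the constraining
    direction, normally upstream on DSL): average them, keep `derate` of the average,
    subtract any bandwidth reserved for data, and count whole calls that fit."""
    if not test_results_kbps:
        raise ValueError("need at least one measurement")
    if not 0 < derate <= 1:
        raise ValueError("derate must be a fraction in (0, 1]; the slide assumes 0.80-0.85")
    average = sum(test_results_kbps) / len(test_results_kbps)
    usable = average * derate                 # best-effort circuit: never plan on the full number
    voice_budget = usable - reserve_kbps
    per_call = per_call_kbps(extra_bytes_per_packet)
    calls = int(voice_budget // per_call) if voice_budget > 0 else 0
    return {"average_kbps": average, "usable_kbps": usable,
            "per_call_kbps": per_call, "max_calls": calls}


if __name__ == "__main__":
    # Constructed upstream measurements from five tests spread over time (kbps).
    samples = [5000, 4800, 5200, 4900, 5100]
    print(plan_capacity(samples))                    # 45 calls at 80%
    print(plan_capacity(samples, derate=0.85))       # 48 calls at 85%
    print(plan_capacity(samples, reserve_kbps=1000)) # 34 calls with 1 Mbps kept for data
```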
    24. Case Outcomes
       • Standardized servers, sites and at the ITSP level
       • Volume and trends insight – business intel.
       • Leverage with carriers to reduce rates
       • Cut call center hours by 3 hours each day
       • Failover between carriers works really well
       • Ability to go mobile when needed because of disasters
    25. A few things to remember…
       • Security (least-privilege, fail2ban, VoIP best practices, etc.)
       • Test, test, test
       • Failover != backup; RAID != backup; mirror != backup
       • Educate and listen
       • Lean on the work already done: AsteriskDocs.org, Asterisk.org, voip-info.org, …
    26. Before we wrap up…any questions?
    27. Short Review
       • Solution: providers, HW, SW, security
       • More questions? Dennis Little, tapestry technologies – IRC: KeyCruncher – web: KeyCruncher.com – dennis@tapestrytech.com – (877) 372-6782 – MyBusinessTelephone.com
       • Thank you, Digium & tapestry technologies
       • Thank YOU for coming
    28. Resources
       • FoxconnChannel.com, Polycom.com, SuperMicro.com
       • Vitelity.com, Bandwidth.com
       • Digium.com, PBXinaFlash.net
       • OpenVPN.net / .se, Vyatta.org, Linux-KVM.org, DRBD.org
       • Dennis Little, tapestry technologies – IRC: KeyCruncher – web: KeyCruncher.com – dennis@tapestrytech.com – (877) 372-6782
