[AusNOG] Remote Work - (SIP/Security/CGNAT)

Luke Iggleden luke at iggleden.com
Fri Nov 13 11:05:48 EST 2015


I've heard too many horror stories about certain open source SIP servers 
being compromised and bills into the tens of thousands for having 
relaxed security. Ideally we want to keep these boxes locked down as 
much as possible.

We did look to GeoBlock the rest of the world and only accept known 
prefixes from the ISPs that were being used by the CGNAT boxes, but the 
audio never makes it back to the DSL tail in the remote location so a 
tunnel was the only option.

I'm thinking PLDT will be the only choice we will accept from now on. 
That seems to be a general consensus.

PLDT has a fibre option as well we could insist on, but it narrows the 
scope of workers.



On 13/11/2015 10:32 am, Matt Richards wrote:
>
>
> We too have staff in Manila. The phones in our Manila office (Eastern 
> Telecom) and also staff homes (PLDT) talk just fine to our Sydney PBX.
>
> Our SIP server is open to the world, but there's nothing wrong with 
> that as long as you have appropriate security in place (strong 
> passwords, fail2ban, etc).
>
> Matt.
>
> On 13/11/2015 12:12 p.m., Nick Stallman wrote:
>> We have two staff in the Philippines to extend our phone support hours.
>>
>> We haven't really had any issues except them using the same 
>> residential connection at the same time.
>> We solved that one by one of them using SIP and the other using IAX. 
>> IAX might solve some of your issues if you can use it.
>>
>> Our VoIP server is internet accessible however so we don't have 
>> dynamic IP / VPN issues.
>>
>> On 13/11/15 09:59, Luke Iggleden wrote:
>>> Hi Noggers,
>>>
>>> We've recently been tasked with assisting getting SIP running from 
>>> Australia to the Philippines for remote staff workers on DSL tails. 
>>> SIP server is in Sydney, behind Vocus transit.
>>>
>>> It appears that CGNAT is a hurdle, plus 350-450ms of latency, and 
>>> the inability to obtain a static IP on a 'residential' grade tail.
>>>
>>> We're now using a Fortigate SSL VPN tunnel as a solution, and just 
>>> routing the SIP server down the split tunnel, but not sure if this 
>>> really makes the situation worse or not, and I'm looking to hear 
>>> other ideas and battle stories!
>>>
>>> What are people using out there to deliver a reliable service that 
>>> sounds good? -plus:
>>>
>>> - Get around CGNAT RTP Audio/SIP transport issues
>>> - Ensure SIP server is not open to the world due to dynamic IPs 
>>> connecting
>>> - Keep the bandwidth requirements to a minimum - Assume low speed 
>>> DSL (2M/512k)
>>>
>>> Direct carrier links are not a possibility unfortunately as the 
>>> staff all work from home offices.
>>>
>>>
>>>
>>> Cheers,
>>>
>>> Luke
>>>
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>
>> -- 
>> Nick Stallman
>> Technical Director
>> Agentpoint Pty Ltd
>> The Real Estate Web Developers
>> Melbourne | Sydney | Miami
>> nick at agentpoint.com
>> www.agentpoint.com.au | www.zooproperty.com | www.ginga.com.au | 
>> www.business2.com.au
>>
>> Business2.com.au is a real estate agent information website that 
>> helps you understand Portals, Technology and comes with FREE tools to 
>> help your Agency become an online success!
>>
>
>
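
The two controls weighed in this thread (accepting only known ISP prefixes, versus an open SIP server protected by fail2ban-style banning) can be combined, as in this added example, which is not code from any poster on the list. The log format, the function names and the addresses (documentation ranges) are constructed assumptions, and the sliding-window threshold is a simplified stand-in for what a tool like fail2ban does.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The line format is hypothetical, not any SIP server's own.
SAMPLE_LOG = """\
2015-11-13T10:00:01 REGISTER src=198.51.100.23 user=1001 result=FAIL
2015-11-13T10:00:02 REGISTER src=198.51.100.23 user=1002 result=FAIL
2015-11-13T10:00:03 REGISTER src=198.51.100.23 user=1003 result=FAIL
2015-11-13T10:01:00 REGISTER src=203.0.113.7 user=2001 result=FAIL
2015-11-13T10:02:00 REGISTER src=203.0.113.7 user=2001 result=FAIL
2015-11-13T10:03:00 REGISTER src=203.0.113.7 user=2001 result=OK
2015-11-13T10:04:00 REGISTER src=203.0.113.7 user=2002 result=FAIL
2015-11-13T10:05:00 REGISTER src=192.0.2.50 user=3001 result=FAIL
2015-11-13T10:06:00 REGISTER src=192.0.2.50 user=3001 result=FAIL
2015-11-13T10:40:00 REGISTER src=192.0.2.50 user=3001 result=FAIL
"""

def parse(line):
    """Split one constructed log line into (timestamp, source IP, failed?)."""
    ts, _method, src, _user, result = line.split()
    return (datetime.fromisoformat(ts),
            ipaddress.ip_address(src.split("=", 1)[1]),
            result.split("=", 1)[1] == "FAIL")

def find_bans(log_text, trusted_prefixes, max_failures=3,
              window=timedelta(minutes=10)):
    """Return (ban, review) as sets of source IP strings."""
    trusted = [ipaddress.ip_network(p) for p in trusted_prefixes]
    recent = defaultdict(deque)  # source IP -> failure times inside the window
    ban, review = set(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, failed = parse(line)
        if not failed:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            # One CGNAT egress address fronts many subscribers, so a known
            # staff prefix is flagged for review instead of being blocked.
            target = review if any(src in n for n in trusted) else ban
            target.add(str(src))
    return ban, review

if __name__ == "__main__":
    print(find_bans(SAMPLE_LOG, ["203.0.113.0/24"]))
```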
