
Applied VoIP Security

Date post: 21-Jan-2015
Upload: asterisk-community
Page 1: Applied VoIP Security

APPLIED VOIP SECURITY & RELIABILITY ON COMMODITY SERVICES, HARDWARE & SOFTWARE

…a primer on what works in the real world

Page 2: Applied VoIP Security

Informal Poll

Legacy PBX replacement / upgrade path?

VoIP in your enterprise?

Asterisk in your enterprise?

Just starting out with VoIP?

Page 3: Applied VoIP Security

Presentation Overview

Review common business communications struggles

Asterisk lessons learned

“Mid-dive”

Solutions overview: Availability, reliability, security

Software

Hardware

ITSPs we rely on

Measurement methods

Page 4: Applied VoIP Security

Speaker Introduction

tapestry tech & Dennis Little

IRC: keycruncher

KeyCruncher.com

[email protected]

Dennis Little (KeyCruncher)

Passion: “Technology Translator” & Communications Head

Business Communications division

Asterisk believer since 2005

tapestry technologies, LLC (tt)

MyBusinessTelephone.com

SME: Defense IT Policy, Training

Shout-out: Anteil, Inc.

Page 5: Applied VoIP Security

Why believe in Asterisk?

Engineering support for a large, proprietary (Avaya) installation

$400M organization, $40k benevolent care / day

Supporting 2,200+ staff and 3,000+ seniors in PA, MD & DE

Serving 70,000+ families & children per year

A lot of FOSS software underneath…

Page 6: Applied VoIP Security

Full Disclosure

tapestry Affiliations

Digium® Affiliate

Asterisk® Integrator

Polycom® Authorized Partner (VoIP)

Xorcom® Certified Dealer (but we used them before we dealt them)

My experience + struggles + solutions != the best way

Page 7: Applied VoIP Security

Why Voice over IP? Why Asterisk?

Quality

Flexibility & Scalability

Connectivity, providers, contact center location

Contract commitments (or lack thereof)

Easy path forward for legacy systems

Standards-based vs. proprietary

Return on Investment & cost savings

Page 8: Applied VoIP Security

Case Study Overview

Lodging business

Startup in 2009 with 4 staff in 2 states

? carriers, ? volume

Robust, secure, flexible

Future = ??

Today: ~27 staff in 7 locations

Remote colo w/ failover

SOUND FAMILIAR?

Page 9: Applied VoIP Security

Communications Problem Overview

Problem: SIP + NAT traversal

Solution: Good protocol understanding & network design

Problem: Quality phone conversations

Solution: QoS on expensive data/voice lines

Problem: Security

Solution: Least-privilege & encryption / encapsulation, firewalls, fail2ban, etc.

Page 10: Applied VoIP Security

Solution(s) Philosophy

FOSS where it makes business sense

FOSS where it is ready for prime time

Encryption.

Least-privilege.

Always have a failover and backup(s)

Page 11: Applied VoIP Security

Requirements: Providers

Quality colo facilities

History of reliability & availability

ITSPs (always have a failover plan)

Vitelity – flexibility, very good support, reliable

Bandwidth.com – reputable, unlimited usage

Page 12: Applied VoIP Security

Requirements: Security

Only allow necessary traffic

VoIP provider should be able to tell you all of their subnets

You should know all of yours

VPN tunnel everything – it was worth the overhead here

Follow VoIP security best practices & stay involved

Community events & networking w/ like-minded folks

Excellent documentation

IRC / Mailing lists / RSS feeds

VUC.me (VoIP Users Conference call: Friday, noon Eastern)

On-going verification
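
One way to turn the subnet rule on this slide into a default-drop host firewall, as an added example that is not from the original slides: a Python script that validates the subnet lists and renders an iptables-restore ruleset. The subnets are constructed documentation ranges, and the port numbers and the /16 breadth limit are assumptions.

```python
import ipaddress

# Constructed sample values, not from the slides: RFC 5737 documentation
# ranges stand in for the ITSP's subnets, 10.8.0.0/24 for your own VPN pool.
ITSP_SUBNETS = ["198.51.100.0/24", "203.0.113.64/26"]
OWN_SUBNETS = ["10.8.0.0/24"]
SIP_PORT = 5060             # assumed SIP signalling port (UDP)
RTP_PORTS = "10000:20000"   # assumed RTP range; match your rtp.conf
OPENVPN_PORT = 1194         # OpenVPN default port (UDP)
MIN_PREFIX = 16             # assumed policy: nothing broader than a /16


def validate_subnets(subnets, min_prefix=MIN_PREFIX):
    """Parse CIDR strings; reject host bits, catch-alls and overly broad nets."""
    nets = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError on host bits
        if net.prefixlen < min_prefix:
            raise ValueError(f"{cidr} is broader than /{min_prefix}")
        nets.append(net)
    return nets


def render_rules(itsp_subnets, own_subnets):
    """Build iptables-restore input: default drop, voice only from known nets."""
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # The tunnel endpoint is the only service open to any source address.
        f"-A INPUT -p udp --dport {OPENVPN_PORT} -j ACCEPT",
    ]
    for net in validate_subnets(itsp_subnets) + validate_subnets(own_subnets):
        rules.append(f"-A INPUT -s {net} -p udp --dport {SIP_PORT} -j ACCEPT")
        rules.append(f"-A INPUT -s {net} -p udp --dport {RTP_PORTS} -j ACCEPT")
    rules.append("COMMIT")
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    print(render_rules(ITSP_SUBNETS, OWN_SUBNETS), end="")
```

A typo such as `0.0.0.0/0` or a subnet with host bits set stops the render with a `ValueError` instead of quietly opening SIP to the Internet.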

Page 13: Applied VoIP Security

Hardware

Servers: Dell R310

Telephones: Polycom SoundPoint IP 335, 650, 670, 7000

Bria, X-Lite, Zoiper

VPN routers: Foxconn R10-D2 / Atom D510

SuperMicro 5015A

(this solution is 100% VoIP)

Foxconn R10-D2 (image courtesy: NewEgg.com)

Page 14: Applied VoIP Security

Software

Asterisk

iptables + Fail2ban (+ least-privileged access)

OpenVPN - E2E encryption, easy access control

Vyatta community edition

KVM VMs + DRBD – HA failover b/t call servers

Page 15: Applied VoIP Security

OpenVPN

Easy access control for networks & road warriors

Two-factor authentication (certificate + password)

Routed & bridged modes

Built-in support for OpenVPN in Vyatta

Windows: OpenVPN GUI (non-admin in Win7? Use subinacl utility)

Mac OS X: Viscosity

OpenVPN Access Server

Page 16: Applied VoIP Security

Vyatta Network OS (~SBC)

Powerful, familiar CLI (ie: Linux, tab completion, contextual hints & help)

unionfs + RAMdisk to reduce writes on USB storage

QoS control – set aside for VoIP / data

WAN failover – combine cheap circuits

High Availability (free) & HA sync ($)

Virtualized editions available

$0 or low cost (web filtering requires subscription)

Page 17: Applied VoIP Security

interfaces {
    ethernet eth0 {
        duplex: "auto"
        speed: "auto"
        address 123.123.123.2 {
            prefix-length: 30
            disable: false
        }
        firewall {
            in {
                name: "from-external"
            }
            local {
                name: "to-router"
            }
        }
    }
}

service {
    dhcp-server {
        shared-network-name "eth1_pool" {
            subnet 192.168.1.0/24 {
                start 192.168.1.65 {
                    stop: 192.168.1.199
                }
                dns-server 209.218.76.2
                dns-server 208.67.220.220
                default-router: 192.168.1.1
                lease: 86400
                authoritative: "disable"
            }
        }
    }
}

Page 18: Applied VoIP Security

Topology Overview

Page 19: Applied VoIP Security

KVM

Courtesy IBM: http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaat/kvm_over.jp

Page 20: Applied VoIP Security

DRBD

Courtesy: http://www.drbd.org/uploads/pics/overview_02.gif

Page 21: Applied VoIP Security

Requirements: Commodity Internet

Consistently:

Low latency to the ITSP

0% packet loss

Adequate bandwidth for X calls

In general: DSL or fiber for voice, (shared) cable for all other

Page 22: Applied VoIP Security

Requirements: Commodity Internet

Quality measurement tools?

MyVoIPSpeed.visualWare.com

Page 23: Applied VoIP Security

Requirements: Circuit Capacity

How do we carve up the circuit?

REMEMBER: We are dealing with commodity internet (no SLA), i.e. best-effort circuit delivery

Average of 5 tests over time

80-85% of performance from averages is what we assume

Determine set-asides accordingly (calculators)
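
The sizing method on this slide, worked through as an added example (not from the original slides): average the speed tests, derate to 80%, reserve a share for voice, and divide by the per-call bandwidth including VPN encapsulation. The speed-test samples are constructed; the 50% voice share, the G.711/20 ms codec settings and the 69-byte tunnel overhead are assumptions to replace with your own measurements.

```python
from statistics import mean

RTP_UDP_IP_BYTES = 12 + 8 + 20   # RTP + UDP + IPv4 headers per voice packet
TUNNEL_OVERHEAD_BYTES = 69       # assumed per-packet VPN overhead; measure yours

# Constructed speed-test results in kbps (five tests taken over time).
UP_SAMPLES = [900, 1000, 950, 1050, 1100]
DOWN_SAMPLES = [5800, 6100, 6000, 5900, 6200]


def per_call_kbps(payload_bytes=160, ptime_ms=20, tunnel_overhead_bytes=0):
    """IP-layer bandwidth of one call, one direction (default G.711, 20 ms)."""
    packets_per_sec = 1000 / ptime_ms
    packet_bytes = payload_bytes + RTP_UDP_IP_BYTES + tunnel_overhead_bytes
    return packet_bytes * 8 * packets_per_sec / 1000


def usable_kbps(samples_kbps, derate=0.80):
    """Average the tests, then count on only `derate` of that average."""
    if len(samples_kbps) < 5:
        raise ValueError("need at least 5 speed tests to average")
    return mean(samples_kbps) * derate


def plan_circuit(up_samples, down_samples, voice_share=0.5, **call_opts):
    """Return (voice set-aside in kbps, concurrent calls that fit in it).

    A call needs the same bandwidth both ways, so the slower direction
    of the circuit is the one that limits capacity.
    """
    limiting = min(usable_kbps(up_samples), usable_kbps(down_samples))
    set_aside = limiting * voice_share
    return set_aside, int(set_aside // per_call_kbps(**call_opts))


if __name__ == "__main__":
    for label, overhead in (("no tunnel", 0), ("in VPN", TUNNEL_OVERHEAD_BYTES)):
        kbps, calls = plan_circuit(UP_SAMPLES, DOWN_SAMPLES,
                                   tunnel_overhead_bytes=overhead)
        print(f"{label}: reserve {kbps:.0f} kbps for voice, {calls} calls")
```

With these sample figures the VPN overhead alone takes the same set-aside from 5 concurrent calls to 3, which is the cost side of tunnelling everything.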

Page 24: Applied VoIP Security

Case Outcomes

Standardized carriers

Volume and trends insight – business intel.

Leverage with carriers to reduce rates

Cut call center hours by 3 hours each day

Failover between servers, sites and at the ITSP level works really well

Ability to go mobile when needed because of disasters

Page 25: Applied VoIP Security

A few things to remember…

Security (least-privilege, fail2ban, VoIP best practices, etc.)

Test, test, test

Failover != backup

RAID != backup

mirror != backup

Educate and listen

Lean on the work already done

AsteriskDocs.org, Asterisk.org, voip-info.org, …

Page 26: Applied VoIP Security

any questions?

Before we wrap up…

Page 27: Applied VoIP Security

Short Review

Solution: Providers, HW, SW, security

Thank you, Digium & tapestry technologies

Thank YOU for coming

Reminder: SURVEYS!

More questions?

Dennis Little

tapestry technologies

IRC: KeyCruncher

web: [email protected]

(877) 372-6782

MyBusinessTelephone.com

Page 28: Applied VoIP Security

Resources

FoxconnChannel.com

Polycom.com

SuperMicro.com

Digium.com

PBXinaFlash.net

OpenVPN.net / .se

Vyatta.org

Linux-KVM.org

DRBD.org

Vitelity.com

Bandwidth.com
