Date post: | 21-Jan-2015 |
APPLIED VOIP SECURITY & RELIABILITY ON COMMODITY SERVICES, HARDWARE & SOFTWARE
…a primer on what works in the real world
Informal Poll
Legacy PBX replacement / upgrade path?
VoIP in your enterprise?
Asterisk in your enterprise?
Just starting out with VoIP?
Presentation Overview
Review common business communications struggles
Asterisk lessons learned
“Mid-dive”
Solutions overview: Availability, reliability, security
Software
Hardware
ITSPs we rely on
Measurement methods
Speaker Introduction
tapestry tech & Dennis Little
IRC: keycruncher
KeyCruncher.com
Dennis Little (KeyCruncher)
Passion: “Technology Translator” & Communications
Head, Business Communications division
Asterisk believer since 2005
tapestry technologies, LLC (tt)
MyBusinessTelephone.com
SME: Defense IT Policy, Training
Shout-out: Anteil, Inc.
Why believe in Asterisk?
Engineering support for a large, proprietary (Avaya) installation
$400M organization, $40k benevolent care / day
Supporting 2,200+ staff and 3,000+ seniors in PA, MD & DE
Serving 70,000+ families & children per year
A lot of FOSS software underneath…
Full Disclosure
tapestry affiliations:
Digium® Affiliate
Asterisk® Integrator
Polycom® Authorized Partner (VoIP)
Xorcom® Certified Dealer (but we used them before we dealt them)
My experience + struggles + solutions != the best way
Why Voice over IP? Why Asterisk?
Quality
Flexibility & Scalability
Connectivity, providers, contact center location
Contract commitments (or lack thereof)
Easy path forward for legacy systems
Standards-based vs. proprietary
Return on Investment & cost savings
Case Study Overview
Lodging business
Startup in 2009 with 4 staff in 2 states
? carriers, ? volume
Robust, secure, flexible
Future = ??
Today: ~27 staff in 7 locations
Remote colo w/ failover
SOUND FAMILIAR?
Communications Problem Overview
Problem: SIP + NAT traversal
Quality phone conversations
Security
Solution: Good protocol understanding & network design
QoS on expensive data/voice lines
Least-privilege & encryption / encapsulation, firewalls, fail2ban, etc.
Solution(s) Philosophy
FOSS where it makes business sense
FOSS where it is ready for prime time
Encryption.
Least-privilege.
Always have a failover and backup(s)
Requirements: Providers
Quality colo facilities
History of reliability & availability
ITSPs (always have a failover plan):
Vitelity – flexibility, very good support, reliable
Bandwidth.com – reputable, unlimited usage
Requirements: Security
Only allow necessary traffic
VoIP provider should be able to tell you all of their subnets
You should know all of yours
VPN tunnel everything – it was worth the overhead here
Follow VoIP security best practices & stay involved
Community events & networking w/ like-minded folks
Excellent documentation
IRC / Mailing lists / RSS feeds
VUC.me (VoIP Users Conference call: Friday, noon Eastern)
On-going verification
Hardware
Servers: Dell R310
Telephones: Polycom SoundPoint IP 335, 650, 670, 7000
Bria, X-Lite, Zoiper
VPN routers: Foxconn R10-D2 / Atom D510
SuperMicro 5015A (this solution is 100% VoIP)
Foxconn R10-D2 (image courtesy: NewEgg.com)
Software
Asterisk
iptables + Fail2ban (+ least-privileged access)
OpenVPN - E2E encryption, easy access control
Vyatta community edition
KVM VMs + DRBD – HA failover b/t call servers
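As an added example (not from the talk), the core of what the fail2ban Asterisk jail does with the "Only allow necessary traffic" and fail2ban points above: count failed SIP registrations per source within a time window and never count sources inside the subnets you own or your ITSP gave you. The log lines are constructed samples in the chan_sip NOTICE format; the thresholds and the 192.0.2.0/24 whitelist are assumptions.

```python
"""Fail2ban-style detection of SIP registration brute force in Asterisk logs."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# chan_sip NOTICE written by Asterisk 1.8/11 on a failed REGISTER (what the fail2ban filter keys on).
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.*)$"
)

# Constructed sample log (RFC 5737 documentation addresses, not a real system).
SAMPLE_LOG = """\
[2015-01-21 09:00:01] NOTICE[4321] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2015-01-21 09:00:02] NOTICE[4321] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2015-01-21 09:00:04] NOTICE[4321] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2015-01-21 09:03:10] NOTICE[4321] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2015-01-21 09:40:00] NOTICE[4321] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.20:5060' - Wrong password
[2015-01-21 09:40:01] NOTICE[4321] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.20:5060' - Wrong password
[2015-01-21 09:40:02] NOTICE[4321] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '192.0.2.20:5060' - Wrong password
"""


def parse_failures(text):
    """Yield (timestamp, source_ip) for every failed-registration line."""
    for line in text.splitlines():
        m = FAILED_REG.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]


def find_offenders(text, maxretry=3, findtime=600, ignoreip=("192.0.2.0/24",)):
    """Return {ip: total_failures} for sources hitting maxretry within findtime seconds.
    ignoreip works like fail2ban's: your own and the ITSP's subnets are never banned."""
    ignored = [ip_network(n) for n in ignoreip]
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(text):
        if not any(ip_address(ip) in net for net in ignored):
            by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):  # sliding window of findtime seconds
            while (ts - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(times)
                break
    return offenders
```

Running `find_offenders(SAMPLE_LOG)` reports only 203.0.113.5: the whitelisted office host with the same number of failures is skipped, which is the behaviour you want before a mistyped phone password locks out your own site.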
OpenVPN
Easy access control for networks & road warriors
Two-factor authentication (certificate + password)
Routed & bridged modes
Built-in support for OpenVPN in Vyatta
Windows: OpenVPN GUI (non-admin in Win7? Use subinacl utility)
Mac OS X: Viscosity
OpenVPN Access Server
Vyatta Network OS (~SBC)
Powerful, familiar CLI (ie: Linux, tab completion, contextual hints & help)
unionfs + RAMdisk to reduce writes on USB storage
QoS control – set aside for VoIP / data
WAN failover – combine cheap circuits
High Availability (free) & HA sync ($)
Virtualized editions available
$0 or low cost (web filtering requires subscription)
interfaces {
    ethernet eth0 {
        duplex: "auto"
        speed: "auto"
        address 123.123.123.2 {
            prefix-length: 30
            disable: false
        }
        firewall {
            in {
                name: "from-external"
            }
            local {
                name: "to-router"
            }
        }
    }
}
service {
    dhcp-server {
        shared-network-name "eth1_pool" {
            subnet 192.168.1.0/24 {
                start 192.168.1.65 {
                    stop: 192.168.1.199
                }
                dns-server 209.218.76.2
                dns-server 208.67.220.220
                default-router: 192.168.1.1
                lease: 86400
                authoritative: "disable"
            }
        }
    }
}
Topology Overview
KVM (diagram courtesy IBM: http://publib.boulder.ibm.com/infocenter/lnxinfo/v3r0m0/topic/liaat/kvm_over.jp)
DRBD (diagram courtesy: http://www.drbd.org/uploads/pics/overview_02.gif)
Requirements: Commodity Internet
Consistently:
Low latency to the ITSP
0% packet loss
Adequate bandwidth for X calls
In general: DSL or fiber for voice, (shared) cable for all other
Requirements: Commodity Internet
Quality measurement tools?
MyVoIPSpeed.visualWare.com
Requirements: Circuit Capacity
How do we carve up the circuit?
REMEMBER: We are dealing with commodity internet (no SLA), i.e. best-effort circuit delivery
Average of 5 tests over time
80-85% of performance from averages is what we assume
Determine set-asides accordingly (calculators)
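As an added worked example (not from the talk), the set-aside arithmetic the slide describes: average several speed tests, keep 80% of the average as the planning figure, then split it between VoIP and data. The per-call codec rates are the usual planning figures for 20 ms packetisation with Ethernet framing, assumed here, not numbers the slide gives; the five measurements are constructed.

```python
"""Carving a best-effort (no SLA) circuit into VoIP and data set-asides."""
from statistics import mean

# Per-call bandwidth in kbit/s, one direction, 20 ms packetisation, including
# RTP/UDP/IP and Ethernet framing: the usual planning figures, assumed here.
CODEC_KBPS = {"g711": 87.2, "g729": 31.2}


def planning_rate(tests_kbps, headroom=0.80):
    """Average several speed tests and keep only `headroom` of the result.

    Best-effort delivery means the measured peak is not what you get under
    load, so plan against 80-85% of the average (the slide's rule of thumb).
    """
    if not tests_kbps:
        raise ValueError("need at least one measurement")
    if not 0 < headroom <= 1:
        raise ValueError("headroom must be a fraction in (0, 1]")
    return mean(tests_kbps) * headroom


def max_concurrent_calls(planning_kbps, codec="g711"):
    """How many simultaneous calls fit if the whole planning rate went to voice."""
    return int(planning_kbps // CODEC_KBPS[codec])


def carve_circuit(tests_kbps, calls_needed, codec="g711", headroom=0.80):
    """Split the planning rate into a VoIP set-aside and what is left for data.

    Measure the slower direction (upload on asymmetric DSL/cable): a call
    needs the same bandwidth each way, so the weaker side is the limit.
    """
    plan = planning_rate(tests_kbps, headroom)
    voice = calls_needed * CODEC_KBPS[codec]
    return {
        "planning_kbps": round(plan, 1),
        "voip_kbps": round(voice, 1),
        "data_kbps": round(plan - voice, 1),
        "fits": voice <= plan,
    }


if __name__ == "__main__":
    # Constructed upload measurements from five tests taken over a week (kbit/s).
    uploads = [1900, 2100, 2000, 1950, 2050]
    print(carve_circuit(uploads, calls_needed=10))
    print(carve_circuit(uploads, calls_needed=20, codec="g729"))
```

With those measurements the planning rate is 1600 kbit/s: ten G.711 calls fit with 728 kbit/s left for data, twenty do not, and twenty G.729 calls do, which is the trade-off the "calculators" on the slide make visible.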
Case Outcomes
Standardized carriers
Volume and trends insight – business intel.
Leverage with carriers to reduce rates
Cut call center hours by 3 hours each day
Failover between servers, sites and at the ITSP level works really well
Ability to go mobile when needed because of disasters
A few things to remember…
Security (least-privilege, fail2ban, VoIP best practices, etc.)
Test, test, test
Failover != backup
RAID != backup
mirror != backup
Educate and listen
Lean on the work already done
AsteriskDocs.org, Asterisk.org, voip-info.org, …
any questions?
Before we wrap up…
Short Review
Solution: Providers, HW, SW, security
Thank you, Digium & tapestry technologies
Thank YOU for coming
Reminder: SURVEYS!
More questions? Dennis Little
tapestry technologies
IRC: KeyCruncher
web: [email protected]
(877) 372-6782
MyBusinessTelephone.com
Resources
FoxconnChannel.com
Polycom.com
SuperMicro.com
Digium.com
PBXinaFlash.net
OpenVPN.net / .se
Vyatta.org
Linux-KVM.org
DRBD.org
Vitelity.com
Bandwidth.com