Hi Henning,

I browsed the files but was unable to find one using Kamailio as SBC without exposing the Asterisk core.
Most examples indeed expose the node and let media flow directly (https://www.kamailio.org/events/2017-KamailioWorld/Day1/08-David.Casem-Building-A-Global-VoIP-Network.pdf - interesting solution with e/iBGP which we would also be able to deploy).

There was just a single presentation that I was able to locate that had the proxy only on the edge:
https://www.kamailio.org/events/2017-KamailioWorld/Day2/15-Sebasitan.Damm-Anti-Fraud-With-HTables.pdf
At least it looks like they are located behind the SBC.

After the research, my impression is that co-locating the B2BUA with the edge proxy and firewalling it seems to be best practice.
We will try to add some security by bridge-firewalling and BGP.

If anyone has a hint for a presentation with high-security edge-proxy, I would appreciate it. Thank you.

Kind regards,
Kevin


On Thu, 16 Aug 2018 at 19:12, Henning Westerholt <hw@kamailio.org> wrote:
On Thursday, 16 August 2018, 11:57:03 CEST, Kevin Olbrich wrote:
> I am working successfully with Kamailio in my lab setup where Kamailio is
> the SBC for Asterisk.
> The network layout is looking like this:
>
> SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
> <== PUBLIC NET ==> Carrier
>
> Each public network is reachable from the internet and has a local firewall
> with IP whitelists.
> The internal SIP transactions are UDP-only but for external phones I would
> like to also listen for TCP/TLS.
>
> For this layout to work with rtpproxy (before we move on to RTPengine), we
> have to enable mhomed in Kamailio.
> We also have some routing issues with packets leaving with the wrong IP via
> rtpproxy (when call between carrier and external phone needs to be bridged).
>
> Most examples show that Asterisk is deployed on the same network as the
> external interface of Kamailio (-> Asterisk exposed to the public network).
> In our tests, this works much better but I have great security concerns
> because this Asterisk instance itself does not need to be reachable from
> external.
>
> How do other users deploy Kamailio in front of Asterisk or similar as SBC
> to secure internals?
> There are lots of docs for Kamailio's config but IMHO less for the setup as a
> DMZ (SBC) proxy.

Hello Kevin,

this is indeed a common setup to protect Asterisk and also to have much
greater flexibility with regard to balancing and/or SIP message adaptations.

To get some ideas, have a look at the last years' conferences available here:

https://www.kamailio.org/events/

There should be some talks about using Kamailio in front of Asterisk; the
talk name is usually in the file name.

I think even at this year's ClueCon Fred Posner did a talk about Kamailio as
Edge Proxy, and also at AstriCon there were some talks about this scenario, if
I remember correctly.

You should also find a lot of information about this scenario in the Kamailio
World or FOSDEM talks. You can find all the talks from Kamailio World on our
YouTube channel:

https://www.youtube.com/kamailioworld

Best regards,

Henning

--
Henning Westerholt
https://skalatan.de/blog/
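As an added example (not the posters' or the project's own configuration) of the edge-proxy layout discussed in this thread: a minimal Kamailio config that listens on UDP/TCP/TLS on the public side and UDP only on the private side, enables mhomed, admits requests on the private socket only from Asterisk, hides Asterisk from the phones by setting it as next hop instead of Request-URI, and picks rtpproxy's bridging direction from the receiving interface. All addresses, the TLS config path and the rtpproxy control socket are assumed placeholders, and rtpproxy is assumed to run in bridging mode with one address per network.

```cfg
#!KAMAILIO
# Constructed placeholders: 203.0.113.10 public edge, 10.0.0.10 private side,
#   10.0.0.5 Asterisk (private network only), 127.0.0.1:7722 rtpproxy control socket
listen=udp:203.0.113.10:5060
listen=tcp:203.0.113.10:5060
listen=tls:203.0.113.10:5061
listen=udp:10.0.0.10:5060
mhomed=1          # choose the sending socket per destination on a two-homed host
enable_tls=yes
loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "pv.so"
loadmodule "maxfwd.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "tls.so"
loadmodule "rtpproxy.so"
modparam("tls", "config", "/etc/kamailio/tls.cfg")
modparam("rtpproxy", "rtpproxy_sock", "udp:127.0.0.1:7722")
route {
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        exit;
    }
    # Private socket: only Asterisk may originate requests there
    if ($Ri == "10.0.0.10" && $si != "10.0.0.5") {
        sl_send_reply("403", "Forbidden");
        exit;
    }
    if (has_totag()) {
        # in-dialog request: follow the Record-Route set and keep relaying media
        if (!loose_route()) { sl_send_reply("404", "Not Found"); exit; }
        route(MEDIA);
        t_relay();
        exit;
    }
    if (is_method("INVITE")) record_route();   # double RR across both sockets
    # Phones never see Asterisk: requests from the public side get it as next hop
    if ($Ri != "10.0.0.10") $du = "sip:10.0.0.5:5060";
    route(MEDIA);
    t_relay();
}
route[MEDIA] {
    # rtpproxy bridging flags: "ie" internal->external, "ei" external->internal
    if (has_body("application/sdp")) {
        if ($Ri == "10.0.0.10") rtpproxy_manage("ie");
        else rtpproxy_manage("ei");
    }
}
```

The host firewall still has to block port 5060 on the private interface from anything but Asterisk; the 403 check is a second line of defence, not a replacement for it.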