[Serusers] prohibit gateway access - question

Jiri Kuthan jiri at iptel.org
Mon Mar 15 13:35:01 CET 2004


At 11:42 AM 3/15/2004, Klaus Darilion wrote:
>Hi!
>
>I've got a small problem and don't know how to solve it best, so I would appreciate your comments:
>
>I want to allow my ser users to call any IP destination for free and always, but I want to restrict access to the PSTN. Therefore, I authenticate, account and check if user is in PSTN group before forwarding to the gateway (local GW or the GW of a PSTN termination provider).
>
>But, for example if one of my users calls 1234567 at anydomain.com and this domain resolves to the IP address of the gateway, the request would be forwarded to the gateway, and the GW would accept the call as it comes from a trusted SIP proxy. How can I prevent this?


There are some techniques you may use to lower the risks by other means
than calling outside.

You may for example authenticate and account all calls to outbound domains
-- this way, only users of your domain will be able to make such calls and
will be accounted for (but group checks are not executed!).

A technique is to split SER in two proxies -- general-purpose proxy and 
gateway barrier proxy. The gateway barrier would avoid risky logic such 
as DNS resolution and simply do its ACL job.

Another technique an esteemed seruser deployed is to insert a secret prefix 
in SER to URIs considered to go to gateway and only accept such at the 
gateway. (I haven't given it a try yet, I would have to see if we need 
some extra work to mangle the prefix if it appears in gateway's contacts. 
Otherwise callers may be tempted to learn and upload or provision such 
contacts.)

-jiri 
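
The secret-prefix technique from the reply above, modelled in Python as an added example; it is not code from the thread or from SER. The prefix value, domain, group membership and all function names are hypothetical, and the caller is assumed to be already authenticated by the proxy.

```python
import hmac
import re

# Constructed values for illustration; none come from the thread.
SECRET_PREFIX = "x7q9"        # hypothetical prefix shared by proxy and gateway
LOCAL_DOMAIN = "example.org"  # hypothetical domain served by the proxy
PSTN_GROUP = {"alice"}        # hypothetical users allowed to reach the PSTN
URI_RE = re.compile(r"^sip:([^@;]+)@([^;>]+)$")

def has_prefix(user):
    """Constant-time check that the user part starts with the prefix."""
    head = user[:len(SECRET_PREFIX)]
    return hmac.compare_digest(head.encode(), SECRET_PREFIX.encode())

def proxy_route(caller, ruri):
    """General-purpose proxy: return (action, request_uri)."""
    m = URI_RE.match(ruri)
    if not m:
        return ("reject", ruri)
    user, host = m.groups()
    if has_prefix(user):
        # A caller-supplied prefix is never trusted, whatever the domain.
        return ("reject", ruri)
    if host == LOCAL_DOMAIN and user.isdigit():
        if caller not in PSTN_GROUP:
            return ("reject", ruri)
        # Group check passed: only now is the prefix stamped on.
        return ("gateway", f"sip:{SECRET_PREFIX}{user}@{host}")
    # Foreign domain: relayed unprefixed, wherever DNS points it.
    return ("relay", ruri)

def gateway_accept(ruri):
    """Gateway side: return the dialled number, or None to refuse."""
    m = URI_RE.match(ruri)
    if not m or not has_prefix(m.group(1)):
        return None
    return m.group(1)[len(SECRET_PREFIX):]

def mangle_contact(contact_uri):
    """Strip the prefix from a gateway Contact before callers see it."""
    m = URI_RE.match(contact_uri)
    if m and has_prefix(m.group(1)):
        return f"sip:{m.group(1)[len(SECRET_PREFIX):]}@{m.group(2)}"
    return contact_uri
```

A request for a foreign domain that happens to resolve to the gateway arrives there without the prefix and is refused, while `mangle_contact` covers the concern about the prefix leaking through the gateway's contacts.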



