[SR-Users] What is the typical network setup for kamailio?

Kevin Olbrich ko at sv01.de
Mon Aug 20 13:22:30 CEST 2018


Hi Henning,

I browsed the files but was unable to find one using Kamailio as SBC
without exposing the Asterisk core.
Most examples indeed expose the node and let media flow directly (
https://www.kamailio.org/events/2017-KamailioWorld/Day1/08-David.Casem-Building-A-Global-VoIP-Network.pdf
- interesting solution with e/iBGP which we would also be able to deploy).

There was just a single presentation that I was able to locate that had the
proxy only on the edge:
https://www.kamailio.org/events/2017-KamailioWorld/Day2/15-Sebasitan.Damm-Anti-Fraud-With-HTables.pdf
At least it looks like they are located behind the SBC.

After the research my impression is, that co-locating the B2BUA with the
Edge-Proxy and firewall-ing it, seems best practice.
We will try to add some security by bridge-firewalling and BGP.

If anyone has a hint for a presentation with high-security edge-proxy, I
would appreciate it. Thank you.

Kind regards,
Kevin


Am Do., 16. Aug. 2018 um 19:12 Uhr schrieb Henning Westerholt <
hw at kamailio.org>:

> Am Donnerstag, 16. August 2018, 11:57:03 CEST schrieb Kevin Olbrich:
> > I am working successfully with Kamailio in my lab setup where Kamailio is
> > the SBC for Asterisk.
> > The network layout is looking like this:
> >
> > SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk
> > <== PUBLIC NET ==> Carrier
> >
> > Each public network is reachable from the internet and has a local
> firewall
> > with IP whitelists.
> > The internal SIP transactions are UDP-only but for external phones I
> would
> > like to also listen for TCP/TLS.
> >
> > For this layout to work with rtpproxy (before we move on to RTPengine),
> we
> > have to enable mhomed in Kamailio.
> > We also have some routing issues with packets leaving with the wrong IP
> via
> > rtpproxy (when call between carrier and external phone needs to be
> bridged).
> >
> > Most examples show that Asterisk is deployed on the same network as the
> > external interface of Kamailio (-> Asterisk exposed to the public
> network).
> > In our tests, this works much better but I have great security concerns
> > because this Asterisk instance itself does not need to be reachable from
> > external.
> >
> > How do other users deploy Kamailio in front of Asterisk or similar as SBC
> > to secure internals?
> > There is lot of docs for Kamailio's config but IMHO less for the setup as
> > DMZ (SBC) proxy.
>
> Hello Kevin,
>
> this is indeed a common setup to protect asterisk and to have also much
> greater flexibility with regards to balancing and/or SIP message adaptions.
>
> To get some ideas, have a look to the last years conferences available
> here:
>
> https://www.kamailio.org/events/
>
> There should be some talks about using Kamailio to in front of asterisk,
> the
> talk name is usually in the file name.
>
> I think even on this year cluecon Fred Posner did a talk about Kamailio as
> Edge Proxy, and also on astricon there were some talks  about this
> scenario if
> I remember correctly.
>
> You should also find in the Kamailio World or FOSDEM talks a lot of
> information about this scenario.  You find all the talks available from
> Kamailio World in our youtube channel:
>
> https://www.youtube.com/kamailioworld
>
> Best regards,
>
> Henning
>
> --
> Henning Westerholt
> https://skalatan.de/blog/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20180820/f0ed3d77/attachment.html>


More information about the sr-users mailing list