Tuesday, October 19, 2010

Single or Dual?

One question that has been asked, time and time again, is that of a single network card versus dual network cards (single NIC or dual NIC).

As a personal preference I tend to lean towards dual, for the simple reason that it helps to eliminate those God-awful NAT issues inherent in Voice over IP. However, going down the dual-NIC route has its own inherent drawbacks. The foremost of these is security. Once you have a second NIC on a public-facing IP, you've given those nasty buggers a way in, so you need to firewall it. That in itself is no great issue, as CentOS (and by default most Linux distros) comes with a host firewall (iptables; older releases used ipchains) which can be configured to stop most nasties.

Follow up:

However, it isn't foolproof. In the Linux firewall, the default policy of the INPUT chain (in the filter table) is ACCEPT, so until you change it every listening service on the box is reachable from the public NIC. The first thing I normally do is set that policy to DROP or REJECT. DROP is the more useful of the two, as it sends no response at all, whereas REJECT answers with an ICMP error (Port Unreachable, Administratively Prohibited, etc.) or a TCP RST. A REJECT tells the source that a firewall is in place and that the port it's been trying to reach isn't there, which lets a scanner work through the whole port range quickly and pick out the ports that do answer; those are where the attacks will go. With DROP the scanner has to wait for a timeout on every filtered port and learns nothing about the rules. Neither policy hides a port you have deliberately opened, so the allow list still has to be tight. A box that advertises its open ports to anyone who asks is not what we want.

If your Trixbox (FreePBX) isn't serving remote workers, then the solution is relatively straightforward: set the default policy of the INPUT chain to DROP, and then allow only what you need.

By default I only allow the following:

Port 2222 - SSH on a non-standard port

Port 8443 - HTTPS on a non-standard port

OK, so we have management, but what about the SIP and RTP protocols?

Easy: as I'm not hosting remote workers, I only allow SIP and RTP between my Trixbox and my ITSP, which means SIP (UDP 5060 by default) and the RTP port range Asterisk is configured for in rtp.conf, and only from the ITSP's addresses. Everything else is dropped.
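The policy above (INPUT defaults to DROP, management on 2222 and 8443, SIP and RTP only from the ITSP) written out as a generator for an iptables-restore file, together with a check that no rule on the public NIC accepts traffic without a source or port restriction. This is an added example, not code from the original post or from Trixbox/FreePBX; the interface names, the ITSP address (a documentation-range address), the RTP range (the Asterisk default) and the use of the `-m state` match are assumptions to adjust for your own site.

```python
"""Generate an iptables-restore ruleset for a dual-NIC Trixbox/FreePBX host.

Added example; not code from the original post or from Trixbox/FreePBX.
Interface names, the ITSP address and the RTP range are assumptions.
"""
import ipaddress

# Constructed values for the example (assumptions; adjust for your site).
LAN_IF = "eth0"             # trusted side: the handsets live here
PUBLIC_IF = "eth1"          # public-facing NIC that needs the firewall
ITSP_HOST = "203.0.113.10"  # documentation address standing in for the ITSP
MGMT_PORTS = {"ssh": 2222, "https": 8443}
RTP_RANGE = (10000, 20000)  # Asterisk default RTP port range (rtp.conf)
SIP_PORT = 5060


def build_ruleset(lan_if=LAN_IF, public_if=PUBLIC_IF, itsp=ITSP_HOST,
                  mgmt_ports=MGMT_PORTS, rtp_range=RTP_RANGE, sip_port=SIP_PORT):
    """Return iptables-restore text: INPUT defaults to DROP, then an allow-list."""
    ipaddress.ip_address(itsp)          # a typo here must not become "any source"
    lo, hi = rtp_range
    if not 0 < lo <= hi <= 65535:
        raise ValueError("bad RTP range")
    lines = [
        "*filter",
        # DROP, not REJECT: no ICMP reply, so a scanner learns nothing and has
        # to wait for a timeout on every filtered port.
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        # Assumption: the LAN NIC is trusted; the handsets register over it.
        f"-A INPUT -i {lan_if} -j ACCEPT",
        # Replies to sessions the PBX opened itself (REGISTER to the ITSP etc.).
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for name, port in sorted(mgmt_ports.items()):
        lines += [f"# management: {name} on non-standard port {port}",
                  f"-A INPUT -i {public_if} -p tcp --dport {port} "
                  "-m state --state NEW -j ACCEPT"]
    lines += [
        "# SIP signalling and RTP media only from the ITSP",
        f"-A INPUT -i {public_if} -s {itsp} -p udp --dport {sip_port} -j ACCEPT",
        f"-A INPUT -i {public_if} -s {itsp} -p udp --dport {lo}:{hi} -j ACCEPT",
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


def unrestricted_public_accepts(ruleset, public_if=PUBLIC_IF):
    """Lines that ACCEPT on the public NIC without a source or port restriction.

    Run this before loading a hand-edited file: a rule such as
    "-A INPUT -i eth1 -p udp -j ACCEPT" silently undoes the default DROP.
    """
    bad = []
    for line in ruleset.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        if f"-i {public_if}" not in line:
            continue
        if "--dport" not in line and " -s " not in line:
            bad.append(line)
    return bad


if __name__ == "__main__":
    text = build_ruleset()
    assert not unrestricted_public_accepts(text)
    print(text, end="")   # save and load with: iptables-restore < rules.v4
```

Load the output with `iptables-restore` and save it with the distribution's own mechanism (on CentOS, `service iptables save`) so it survives a reboot; if your ITSP signals from more than one address or on a port other than 5060, add a rule per address rather than widening the source.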

With a single-NIC setup you can utilise your own firewall, but that has its inherent difficulties too. NAT is a royal pain in the butt when it comes to SIP and RTP, mainly because a NAT router or firewall only translates the source and destination addresses in the IP header, not the addresses carried inside the SIP message (the Via and Contact headers, and the c= line in the SDP body that says where to send the audio) (more on this in my next post). So the packet quite happily reaches its destination, but the remote end tries to send back to your internal address: cue one-way audio, or no audio at all, the most common problems with VoIP.

This is where a SIP-aware router or firewall steps in, as these devices have what is known as an Application Layer Gateway (ALG for short). The ALG identifies SIP and RTP packets and rewrites the addresses inside the SIP headers and SDP body as well as in the packet headers, and opens the negotiated RTP ports for the returning media. So no more irritating NAT issues (as long as the ALG is implemented correctly; a buggy one causes much the same symptoms, so test with it on and off). There is, however, one big downside to a single-NIC setup that no one seems to take into account.
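To make the difference between plain NAT and a SIP ALG concrete: the code below builds a SIP INVITE as a handset behind NAT would send it, shows that plain NAT leaves the private address in Via, Contact and the SDP c= line (so responses and RTP go to an unreachable address), and then applies the rewrite an ALG performs, recomputing Content-Length because the body changes length. This is an added example, not code from the original post or from any router vendor; the INVITE, the handset address 192.168.1.20 and the public address 203.0.113.5 are constructed.

```python
"""What a SIP ALG does to a NATted INVITE that plain NAT does not.

Added example; not code from the original post or from any router vendor.
The INVITE and both addresses are constructed.
"""
import re

CRLF = "\r\n"
PRIVATE_IP = "192.168.1.20"   # handset behind NAT (constructed)
PUBLIC_IP = "203.0.113.5"     # router's public address (assumption)


def build_invite(handset_ip):
    """Constructed INVITE from extension 1001 with a correct Content-Length."""
    sdp = CRLF.join([
        "v=0",
        f"o=1001 2890844526 2890844526 IN IP4 {handset_ip}",
        "s=-",
        f"c=IN IP4 {handset_ip}",          # where the far end will send RTP
        "t=0 0",
        "m=audio 10002 RTP/AVP 0 8",
        "a=rtpmap:0 PCMU/8000",
    ]) + CRLF
    head = [
        "INVITE sip:18005551212@sip.example-itsp.net SIP/2.0",
        f"Via: SIP/2.0/UDP {handset_ip}:5060;branch=z9hG4bK-7d3a",  # responses go here
        f'From: "Desk 1001" <sip:1001@{handset_ip}>;tag=a1b2',
        "To: <sip:18005551212@sip.example-itsp.net>",
        f"Call-ID: 4e3c1d@{handset_ip}",
        "CSeq: 1 INVITE",
        f"Contact: <sip:1001@{handset_ip}:5060>",   # in-dialog requests (BYE) go here
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",
    ]
    return CRLF.join(head) + CRLF + CRLF + sdp


def parse(raw):
    """Split a SIP message into request line, [(name, value)] headers and body."""
    head, _, body = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    headers = [(n.strip(), v.strip())
               for n, _, v in (line.partition(":") for line in header_lines)]
    return request_line, headers, body


def serialize(request_line, headers, body):
    return CRLF.join([request_line] + [f"{n}: {v}" for n, v in headers]) + CRLF + CRLF + body


def plain_nat(raw):
    """Plain NAT rewrites only the outer IP/UDP header; the SIP payload is untouched."""
    return raw


def sip_alg(raw, private_ip=PRIVATE_IP, public_ip=PUBLIC_IP):
    """Rewrite the private address in Via, Contact and the SDP o=/c= lines."""
    request_line, headers, body = parse(raw)
    body = CRLF.join(
        line.replace(private_ip, public_ip) if line.startswith(("o=", "c=")) else line
        for line in body.split(CRLF))
    fixed = []
    for name, value in headers:
        if name in ("Via", "Contact"):
            value = value.replace(private_ip, public_ip)
        elif name == "Content-Length":
            value = str(len(body))      # body length changed with the address
        fixed.append((name, value))
    return serialize(request_line, fixed, body)


def reply_targets(raw):
    """(Via host, Contact host, SDP c= host): where the far end will send
    responses, in-dialog requests and RTP respectively."""
    _, headers, body = parse(raw)
    h = dict(headers)
    via = re.search(r"SIP/2\.0/\w+\s+([\d.]+)", h["Via"]).group(1)
    contact = re.search(r"@([\d.]+)", h["Contact"]).group(1)
    media = re.search(r"^c=IN IP4 ([\d.]+)", body, re.M).group(1)
    return via, contact, media


def content_length_ok(raw):
    _, headers, body = parse(raw)
    return int(dict(headers)["Content-Length"]) == len(body)


if __name__ == "__main__":
    invite = build_invite(PRIVATE_IP)
    print("after plain NAT:", reply_targets(plain_nat(invite)))
    print("after SIP ALG:  ", reply_targets(sip_alg(invite)))
```

The first line shows the private address in all three places, which is exactly the one-way or no-audio failure; the second shows the public address, which is what a working ALG (or, in the dual-NIC design, a PBX that sits on the public address itself) gives the far end. From and Call-ID are deliberately left alone: they identify the dialog and are not used for routing.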

Performance. On a single NIC, the card is dealing with both the call leg to the handset and the call leg to the ITSP. Whilst it's possible to host many calls this way, the old rule of thumb is that the inefficiency of Ethernet only gives you about 30% of the 100M bandwidth available (that figure dates from shared, half-duplex Ethernet; a switched full-duplex port gets much closer to the line rate, but both legs still share one link). Which effectively is 30M; halve that (as you are dealing with two separate streams) and you only have 15M to play with. Which, to be fair, will quite happily handle 30-40 calls with no real issues at G.711, and maybe 60-80 calls using G.729 (conservative figures: a G.711 stream with its RTP, UDP, IP and Ethernet overhead is under 100 kbit/s in each direction). More than enough for most people.

So, in summary, each "style" of deployment has its own pros and cons.

Dual NIC Pros:

NAT issues are removed

Takes advantage of the full available Ethernet bandwidth

Easier to manage from anywhere - no VPN needed

Dual NIC Cons:

Security is a bigger worry - reliance on the built-in Linux firewall

Single NIC Pros:

Security isn't a big issue - reliance on the existing firewall

Single point of management - one address to remember

Single NIC Cons:

Inherent issues with NAT - unless you are using a SIP-aware router/firewall

Ethernet bandwidth may pose issues as the deployment grows

Management only available from the LAN

So, there you have it. To my mind, by far the best way forward for *any* kind of VoIP PBX deployment is to utilise two NICs and a SIP-aware firewall/router. The two NICs give you the full available Ethernet bandwidth (which admittedly should be sufficient for most deployments), the firewall/router does all the hard stuff with regards to NAT, and you should be able to manage your box from anywhere, whilst still keeping it secure.
