Protect ITSP Servers

I have read that you need SBC's for Cloud Edge services and also to protect from DoS attacks, but I was undering the following

Isn't it possible to initially start out an ITSP with your VoIP servers and have them protected by a firewall? The firewall will protect you from half open TCP SYN attacks, but if someone is just throwing a ton of bandwidth at you not even your Acme Packet SBC is going to be able to stop that.

Am I wrong here?

I looked at OpenSBC, but I don't think it mentions anything about protecting you from DoS Attacks or any kind of security.

Quote:

Isn't it possible to initially start out an ITSP with your VoIP servers and have them protected by a firewall?

Yes.

Remember that an SBC is a layer 5 device, an IP based firewall is layer 3.

Layer 3 IP protection will protect against a DoS attack.

That just leaves you requiring something to handle NAT traversal, call timing etc. These days the expression "SBC" can mean pretty much anything that resides on the cloud edge.

Quote:

I looked at OpenSBC, but I don't think it mentions anything about protecting you from DoS Attacks or any kind of security.

Just saw that OpenSBC can be installed on the same box as Vyatta. So that solves the firewall concern I had.

I forgot about the NAT Traversal which is the major issue.

But as for call timeing I thought the actual SIP Proxy would be the one that kept up with this since the SIP Proxy will be the one that receives the BYE SIP message?

From reading around it sounds like you can use all these open source VoIP programs for many things and have many different topology scenarios. Like for instance they mention that OpenSBC can be used as a B2BUA, yet I figured you would want your Openser box doing that or Asterisk/Freeswitch. And then with Kamailio/Opensips on their Features page it says "NAT traversal support for SIP and RTP traffic". So it sounds like it would be possible to use that software for your NAT Traversal issues (if you wanted the box sitting on the internet of course).

Thanks for all the info.

Quote:

But as for call timeing I thought the actual SIP Proxy would be the one that kept up with this since the SIP Proxy will be the one that receives the BYE SIP message?

But can you guarantee that you will receive that BYE message? SIP is just signalling remember. Really you want to be timing the media stream.

Quote:

OpenSBC can be used as a B2BUA, yet I figured you would want your Openser box doing that or Asterisk/Freeswitch

Openser is just a SIP proxy/registrar. So it can act as a SIP B2BUA only, on it's own.

You can use openSER and RTP proxy together, with NAT traversal, but I don't believe that RTP proxy has support for timing calls.

Thanks for the info Dean. Love the Forum