QUESTION How do THEY do? (PROVIDERS)

[Giulio]

Hi, I'm just curious:
How do Providers do to let users connect only using "username" and "password", without apparentrly make them connect via a VPN or similar?
Is it so difficult/dangerous trying to configure my "home/soho" PIAF to accept connections that way?
Actually I installed (last night I succeeded) neorouter... running apparentrly fine, but still with some difficult.

Thanks
Giulio

 

[Cynjut]

Most providers use IP address authentication with the remote systems to keep script-kiddies off their network.

 

[Giulio]

hi,
but if I connect with a cell phone...my IP will change...and it seems they have no problem with it...

 

[Cynjut]

Huh?

Cell phones use a universally unique identifier that's built into the replaceable SIM card in the phone.

I'm now pretty sure I don't understand the question.

 

[Giulio]

Ok:
I subscribed an account with i.e. Messagenet.
When on the internet the cell phone has an IP address, just like any personal computer or any NIC.
I use to connect CsipSimple using the cell phone internet (i.e. Vodaphone)
I have non need to configure a VPN to connect to Messagenet. On CSIpSimple I config an account with Messagenet and only give UserID and Password...
Do they use to open ports on the Internet? Which way are they "sure" I am the correct user?
So... how can I config my Incrediblepbx/PIAF to be sure/solid enough w/o using a VPN?

I succeeded in configuring NeoRouter with PIAF, but if the VPN link goes down (due to the cell line), I have to reconnect (it is not automatic)...
That is why I wanted to understand if there is some "other" way to be safe...

Thanks
G

 

[briankelly63]

http://nerdvittles.com/?p=9452

check out Travlin Man

 

[billsimon]

"They" typically have session border controllers fronting their SIP network, acting as proxy and/or registrar. The SBC hides the topology of the network behind it and acts as a firewall and dummy-blocker so that brute force attacks and other junk do not get through.

Yes, it is possible to do as they do with your own Asterisk server and put it out on the Internet with the SIP protocol open. You will be immediately scanned and soon brute-force-attacked and otherwise generally annoyed, but if you have a secure dial plan and strong passwords, generally OK. But with more secure options available (TM as one example), why risk it.

 

[Giulio]

I agree.
I configured TM3... registered with a dyn-dns.
the Dyndns client is not so solid...not allways updating the IP.. sometimes has some error... :-/
with no-ip...
I'm looking a more solid system..partners do not want to look at the cell software...
G

 

[bobkoure]

If you don't want to use travelin' man (the reason you'd use dyndns) you could investigate some other solutions. I'm no expert so I'm not recommending any of 'em

• fail2ban
• knockr (looks like Ward's integrated the old Sunshine Networks method into IncrediblePBX)
• IAX on an alternate port (Zoiper clients can do this)
• SRTP / ZRTP (basically SIP over TLS - again, Zoiper clients can do this)
• Vitelity's "mobile as an extension" solution

Speaking as a 'network guy', your PBX needs to be behind a competent hardware firewall that can block any IPs that are scanning you (IMO best to use alternate ports with this). Whitelist the ranges your mobile clients can possibly be connecting from. Some mobile networks are now making static IPs available to mobile clients (e.g. Verizon).