[OpenSIPS-Users] Could I build a "SIP firewall" with OpenSIPS?

Dan Ballance tzewang.dorje at gmail.com
Wed Apr 13 16:43:33 CEST 2011


Hi there,

I am investigating OpenSIPS for use in my company's VOIP network.
I'm wondering if I could get a little advice on a design I am considering?

The problem:

We currently have a VOIP network built around a proprietary SIP proxy which we
are discovering appears to have a number of security weaknesses. The most
significant of these is its inability to tear down calls in progress once a
user's balance has hit zero and having no ability to limit the channels that
a user has open. This could potentially cripple our business due to the
losses we are experiencing from fraud.

A very early draft of my solution:

I have noticed the OpenSIPS module userblacklist (
http://www.opensips.org/html/docs/modules/1.6.x/userblacklist.html ) and
believe that this could solve our problems. I have other code running
elsewhere on our network which is able to identify fraudulent calls - I just
need a way of killing said calls and stopping the fraud in progress. It
seems with this module I could call a web service on the OpenSIPS server,
add and remove SIP URIs from the blacklist database table and then call the
module MI function via XML-RPC to update the list and cut off the call. (At
least I am hoping it could do this - can the blacklist block calls in
progress?)

Assuming the userblacklist module will do what I hope, I have a question
about how to slot the OpenSIPS server into our network. In an ideal world, I
would run the OpenSIPS server in stateless mode so that it scales well, and
do nothing more with the SIP traffic apart from forward on non-blocked calls
to our existing proprietary SIP proxy and block banned SIP URIs from
progressing any further.

The main question I have is: can the userblacklist module be run in stateless
mode, and is it possible for OpenSIPS to forward on traffic to another SIP
proxy for registration? In effect I guess I am trying to build some kind of
SIP firewall out of OpenSIPS but I don't know if this is possible. Any
advice / constructive criticism from the knowledgeable people on this list
would be massively appreciated!

Sincerely,

Dan.

(If it's okay I will keep my surname and company name anonymous due to the
public nature of this list and the fraud problems that we have been
experiencing.)