[OpenSIPS-Users] Could I build a "SIP firewall" with OpenSIPS?
Dan Ballance
tzewang.dorje at gmail.com
Wed Apr 13 16:43:33 CEST 2011
Hi there,
I am investigating OpenSIPS for use in my company's VOIP network.
I'm wondering if I could get a little advice on a design I am considering?
The problem:
We currently have a VOIP network built around a proprietary SIP proxy which we
are discovering appears to have a number of security weaknesses. The most
significant of these is its inability to tear down calls in progress once a
user's balance has hit zero and having no ability to limit the channels that
a user has open. This could potentially cripple our business due to the
losses we are experiencing from fraud.
A very early draft of my solution:
I have noticed the OpenSIPS module userblacklist (
http://www.opensips.org/html/docs/modules/1.6.x/userblacklist.html ) and
believe that this could solve our problems. I have other code running
elsewhere on our network which is able to identify fraudulent calls - I just
need a way of killing said calls and stopping the fraud in progress. It
seems with this module I could call a web service on the OpenSIPS server,
add and remove SIP URIs from the blacklist database table and then call the
module MI function via XML-RPC to update the list and cut off the call. (At
least I am hoping it could do this - can the blacklist block calls in
progress?)
Assuming the userblacklist module will do what I hope, I have a question
about how to slot the OpenSIPS server into our network. In an ideal world, I
would run the OpenSIPS server in stateless mode so that it scales well, and
do nothing more with the SIP traffic apart from forward on non-blocked calls
to our existing proprietary SIP proxy and block banned SIP URIs from
progressing any further.
The main question I have is can the userblacklist module be run in stateless
mode and is it possible for OpenSIPS to forward on traffic to another SIP
proxy for registration. In effect I guess I am trying to build some kind of
SIP firewall out of OpenSIPS but I don't know if this is possible. Any
advice / constructive criticism from the knowledgeable people on this list
would be massively appreciated!
Sincerely,
Dan.
(If it's okay I will keep my surname and company name anonymous due to the
public nature of this list and the fraud problems that we have been
experiencing.)