Remote Working: Get rid of your VPN and use an SBC
This is the first of a series of blog posts this week about remote working - come back each day for something new!
Last week Chris from Crosstalk Solutions recorded a video titled "Telecommunications 101" on his YouTube channel. If you haven't watched it already, it's a good watch for those coming to remote working in light of COVID-19 - primarily being targeted at IT Admins who will currently be inundated with requests to enable access to internal systems for remote workers. His YouTube channel is full of fantastic content so it's worth subscribing.
The main TLDR of the video that I took away with me was about enabling VPN for VoIP calling and how some phones even support VPN built into them to enable security as well as access to PBXs that live behind firewalls. Now, while I don't disagree that VPNs have a place and that not everything can be available publicly on the internet in all the different industries these technologies are used, I do think it's high time that businesses started to look at whether phone systems should be openly available to all those who need them in today's society of remote working wherever you are in the world. And it doesn't have to cost the earth either.
Open Source vs Commercial
The simplest solution here is what we call an SBC - a Session Border Controller - and we can either make our own SBC using Open Source software or buy one in from a commercial entity. What is an SBC? In short, it's an entry point for SIP traffic onto your network - whether that's SIP over UDP, TCP or TLS - as well as the associated media, and it ultimately deals with allowing traffic or not into your internal network - a firewall of sorts for SIP. Now, I don't have much experience with commercial SBCs other than knowing they exist from the major players as well as some players you might not have heard of, like Telcobridges with their ProSBC product. Do your research, or if you don't have time to do your own research I can put you in touch with the right experts who can take care of everything for you.
Open Source is King
Instead of talking commercial solutions, I wanted to talk about using the Open Source tools available to you today which allow you to open up your business PBX to the outside world, primarily Kamailio and RTPEngine. For a long time, VoIP phone systems have been kept off the public internet through fear of the unknown - there are these bad people who want to abuse your phone system and hammer it looking for vulnerabilities. You hear all about them at VoIP conferences, along with stories of thousands of dollars' worth of fraud, and so you decided you just wanted to take the easy route of keeping the phone system behind a firewall.
I say it's high time businesses stopped being fearful and got on with enabling employees to work freely from wherever they are in the world. There are loads of steps you can take to do that. The simplest might sound like opening up your PBX to the internet and blocking traffic using tools like APIBAN.org (an excellent tool from my friends at LOD), but going from a system where there is no complexity of "public internet" to one that now has to deal with it is harder than you think.
In comes the SBC. Some may say Kamailio isn't an SBC - but I believe when teamed up with RTPEngine it is a very capable and flexible one. An SBC is a really good answer to this particular problem for many reasons - you're still protecting your PBX behind a firewall and you're not changing how it interacts with your existing phones etc. You're just enabling those users that need remote access to be able to get it without altering your current system. Unfortunately there's no plug and play Kamailio and RTPEngine system available out there on the internet for you to download and start using within an hour. It's a super flexible solution, but one that takes some time and probably someone that truly understands how to make it work - people such as Fred, Daniel and Henning from the Kamailio project are your best port of call for a secure, flexible SBC.
If your particular choice of OpenSER fork is OpenSIPS then you can do the same with OpenSIPS and RTPProxy.
COVID-19
"But we need a solution today, Dan!" I hear you cry. Then maybe your best route would be Telcobridges' FreeSBC/ProSBC system - I have huge faith in the Telcobridges technical team. ProSBC is $1/session/server/year and includes media instead of just SIP, which I would say is a must. If you don't want your PBX open to the internet, keep it hidden and let something else take the battering of intrusion attempts. Of course you could firewall off large parts of the world to reduce the battering of inbound traffic, but that one time one of your employees is in Russia for a legitimate reason and can't make/receive phone calls, you'll have long forgotten about that firewall rule in place on the SBC. We live in a remote age of working - allow your users/employees to indeed be remote.
Now, another reason for using a VPN would be "my media and signaling is now encrypted by the VPN tunnel", which is correct but, in my opinion, an unnecessary overhead. Tomorrow I'll talk about encrypting your SIP Signaling as well as your media so that no-one can listen in on those important conversations.
Nimble Ape can help you with your needs in this space, and if we can't, we'll point you in the direction of a trusted consultant who can. Thanks to Chris from Crosstalk Solutions for all he does on his YouTube channel.