Mac VoIP -- Build a Killer Telephony Server


macVoIP.com the web home of Ted Wallingford

Best Tech Strategy ~ Signal to Noise Blog ~ O'Reilly Network ~ VoIP Documentation ~ Software ~ Contact ~ About

Documentation | Asterisk Config Examples | Cisco VoIP Examples | How-tos

Build a Killer Telephony Server

Excerpted from my book VoIP Hacks (O'Reilly Media)

Using any old PC with Linux is great way to experiment and learn about IP-based telephony, but to implement a production server, you'll need some slightly bigger iron, and you'll need it hardened.

In my travels as a networking consultant, I get to visit a lot of enterprise data centers. These range from meager, stuffy, 100-degree closets crammed with desktop PCs that accidentally became servers, surrounded by a spaghetti pile of crummy cabling. Then there are the 2000-square-foot, raised-floor, uncomfortably cool server rooms with halon fire-prevention systems and row after row of racks filled with quad-processor servers.

When I have an opportunity to work in a modern, decked-out environment, I'm thankful I'm not crammed in an undersized, overheated closet searching in vain for a free port on an incorrectly-labeled Ethernet switch where I can plug in my PowerBook. It never ceases to amaze me just how little some folks seem to care about the environmental state of their critical data and communications equipment. As long as things keep running, I suppose they aren't likely to balk at the sorry state of their servers.

But with a critical application like telephony, which humans have come to expect 100% reliability from over many decades, a dilapidated hodgepodge of PC equipment sitting under a leaky roof just isn't going to work. A desktop-gone-server isn't going to cut it either.

Fortunately, you're about to find out how to build a voice server right. This means selecting the right PC or commercial telephone PBX chassis, connecting it to the right components, choosing the right operating system, and hardening it. This means following a principled philosophy of stability, high availability, and compatibility.

The Three Things that Matter Most in Telephony

When building server for an enterprise telephone system, there are three areas of focus to keep in mind. I put them in my personal order of importance, from most important to third-most:

Stability
The predictable, reliable operation of the server. Downtime should be non-existent and responsiveness should be instant.

High-availability
The server (and network) must be adequate to host realtime applications without a noticeable impact when server resources are shared among many users. The server must also be able to survive a hard disk or power supply failure without interruption to the hosted application.

Compatibility
The server, OS, and installed voice services must support well-known standards in order to be adaptable to changes in the business such as growth, strategic partnerships, and geographic moves.
Creating stability

To provide the utmost stability, a server's environment must be kept at a cool-room temperature of 65 to 75 degrees F. It should be kept dry (duh) and connected to a protected power source with a battery backup. Large environments should consider a backup power generator with an automatic transfer switch. The switches and routers that provide connectivity to the server should be on protected power, too.

The server should also be well-hardened against potential denial-of-service attacks-which you'll do shortly.

Creating high availability
To assure the server is always available and that its voice services aren't affected by internal hardware failures like failed disk drives and power supplies, you should design redundancy into each server. A RAID-5 disk array with 4 or more hard disks provides a “hot spare” so you can swap out a failed drive without having to shut down the server (you could also consider building a server with no hard disks, as in [Hack "#Build a SoftPBX with no Hard Drive"]). Redundant power supplies allow the same hot-swap ability in case a power supply bites the dust. There are other techniques for high-availability, too, like clustering.

Building in compatibility
If you want to future-proof your voice server, don't bother building it on software that doesn't support the open standards needed to make it interoperable with other servers. Specifically, your software needs to support SIP and RTP. This means sticking with a highly-compatible VoIP platform like Asterisk or sipX, or carefully evaluating a commercial solution.

Size and Select a Voice Server
If you've chosen a commercial softPBX like the Avaya Media Server or Cisco Call Manager, then you're pretty much pinned to the sizing guidelines provided by the manufacturer. When you build it yourself-on Linux or BSD-you've got total control over scalability.

That said, there's really no hard and fast rule for determining how much processor power your server needs. I've run small workgroup (5 - 10 user) Asterisk servers on Pentium II machines. A large workgroup with hundreds of phones connected would certainly need a much beefier computer.

VoIP can be a very light load on a PC, or an immense one. If you have five SIP phones connected to a single Asterisk server, all using the simplest codec (uLaw), a Linux server with a slower processor (Pentium II or newer) and 256 MB of RAM is probably just fine. But if you have 50 SIP phones using three or four different codecs and attaching to the PSTN, you'll need at least a 2.0 GHz Pentium IV or equivalent with a GB of RAM.

SIP-to-SIP calls are much less processor-intensive than SIP-to-Zaptel calls. Conference calls are more processor-intensive than normal two-party calls, and bandwidth-preserving codecs like G.729 are the biggest processor hogs of all. If you've a great need to support highly compressed codecs on a lot of phones, and you'll be attaching your Asterisk server to the PSTN or to legacy phones using Zaptel, you'll need more speed, more RAM, and then more speed again.

To relieve the burden on a softPBX, try offloading processor-intensive tasks to dedicated hardware. Try to maintain an all-SIP, all-uLaw environment on your softPBX. Let off-board equipment like SIP-to-PSTN gateways (such as the Clipcomm discussed in chapter 4) handle codec-processing tasks in order to preserve capacity on the softPBX.

Select an OS and Harden It
If you're building a Linux voice server, there's not much pointing using an older Linux distribution. So get a recent revision of Fedora Core, burn it to CD-ROMs (four of them), and install it, keeping a few things in mind about all those optional software packages the installer will prompt you about:

o The more optional packages you install, the less room you'll have for things like voicemail and log files, both of which are important in the world of telephony, right?
o The more optional packages you install (like the X Window system), the more security risks you take. Security is a good thing, right?
o The more option packages you install, the less dedicated processing power your server will have for telephony purposes. (Starting to see a pattern here?)

Once Fedora Core is up and running, you're ready to start hardening. Though I've geared this towards an Asterisk server, it is principally accurate for any softPBX.

Why not use Windows for a phone server? Well, as it turns out, Windows doesn't support nearly the selection of free, high-quality telephony software like Asterisk, sipX, Open H.323, and other open-source, server-side stuff. It also turns out that Windows itself comes towing a rather pricey license fee. So I figured I'd stick to what you can download from the Net without breaking the bank. The less money you spend on licensing fees, the more you can spend on other parts of your telephony solution.

There are two basic aspects of the softPBX that need examination to harden a server: the software that's installed, and the software that's running. As far as hardening the software that's installed but not running, or not needed, the course of action is quite simple: remove it.

Remove unnecessary software
That means getting rid of Bind if you're not using it, removing Apache if it isn't needed, and unloading MySQL if you've no need for it. Just because the software isn't running doesn't mean it can't be used to facilitate a sophisticated security exploit, so remove it altogether if you don't absolutely need it.
Since we're dealing with Asterisk, there are a number of modules that you can disable in order to reduce the risk of security exploits. Asterisk provides modules for all kinds of signaling protocols and telephony applications, and you may not need them all. Use the noload directive in /etc/modules.conf in order to specify those that you'd like to disable:

noload => pbx_kdeconsole.so
noload => chan_modem.so

In this case, the two modules being disabled are the KDE log console module, which provides a graphical console for the KDE desktop environment, and the modem module, which is used for ISDN connectivity with Asterisk. Keeping unnecessary modules from loading also conserves memory on the server.

Clean up xinetd
xinetd is Fedora's catch-all daemon for telnet, finger, and a number of other Unix network applications. (It's the successor to inetd.) Its configuration files, in /etc/xinetd.d, are used to enable or disable support for a long list of network access services. Use this configuration directory to disable all but those that you absolutely need. Here's the contents of a file in this directory, /etc/xinetd.d/imap controlling the imap daemon::

service imap
{
        disable = yes
        socket_type             = stream
        wait                    = no
        user                    = root
        server                  = /usr/sbin/imapd
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
}

This particular service is disabled, per the disable = yes line. Check all the files in this folder for the disable=yes line, or, if you prefer, you can altogether remove the config files for the services you don't need.

The idea is to eliminate unnecessary TCP/IP listeners, reducing the likelihood of an attacker discovering a vulnerability. So, if you don't need telnet, TFTP, talk, and finger, then, for goodness sake, disable them. The fewer services that have listening ports, the more secure your server will be.
Optimize the local firewall on the softPBX

In order to build a local firewall policy on the softPBX server, you'll need to identify which VoIP protocols you're using, and plan a policy based on the kind of TCP and UDP port access needed by each one. Table 7-1 lists the important protocols and their respective ports.

VoIP Protocol Port Numbers

SIP 5060 (TCP) and 5061 (TCP and UDP)
H.323 Both TCP and UDP on ports 2099 and 2517
H.332 Video (aka H.263) TCP and UDP on port 2979
MEGACO/H.2.48 TCP and UDP on ports 2944 and 2945
TFTP TCP and UDP on port 69
ASTMAN 5038 (TCP)
RTP Depends on configuration of capabilities negotiation preferences of the endpoint RTP implementation; Many RTP agents use 5000/5001, 5004/5005, 10000/10001, 8000/8001, or high-numbered ports
IAX 5036 (UDP)
RSVP TCP and UDP 3455
RTSP TCP and UDP on ports 1756, 1757, 4056, 4057 (RTSP can vary by session like RTP)

So, if you are using SIP, you need to permit inbound SIP signaling on UDP ports 5060 and 5061.
Consider the following iptables policy commands:

iptables -P INPUT -j DROP
iptables -A INPUT -p UDP --dport 5060-5061 -j ACCEPT
iptables -A INPUT -p UDP --dport 5036 -j ACCEPT
iptables -A INPUT -p UDP --dport 5004 -j ACCEPT
iptables -P OUTPUT -j ACCEPT

This set of iptables commands manipulates the kernel's firewall such that only RTP, IAX, and SIP traffic can be accepted by the server, while all outbound traffic (OUTPUT chain) is permitted. This policy is based only on UDP port numbers. If incoming traffic isn't on ports 5060, 5061, 5036, or 5004, it is dropped. A truly hardened server would restrict outbound traffic, too.
For more information about securing VoIP, refer to Switching to VoIP (O'Reilly).