VoIP and Teleworkers

Hello,

One of my colleagues is about to/has started to work from home a lot more (due to various reasons) and I was wondering what other people do in terms of voice access.

At the moment the solution we've got is to use an IAX-based softphone on his laptop, via the VPN to the Asterisk IP-PBX. It's secure and it more or less works.

Ideally though, since he's not a road warrior most of the time, but in a fixed location, a proper desk phone would be better - but what would we do in terms of security?

I really don't fancy the idea of exposing either SIP or IAX to the internet so that means running over a VPN, we could give him a simple Cisco 800 or similar as a VPN endpoint but then that leaves it open to physical access - we don't want someone either accidentally or on purpose making high value international calls!

What do other people do? I'm guessing the answer is corporate mobile but that's not so feasible at the moment.
 
Using VPN is fine, and probably the best solution considering what PBX you're using. Bigger systems such as Avaya CM have some useful features for doing this, but not worth that jump for the sake of a single user.

In terms of securing it, you ought to be able to restrict and monitor calls made on your PBX. I'm not an expert in Asterisk but I'd have thought it possible to block international calls or at least log what people are doing and monitor these regularly to spot abuse.

Though it is somewhat a losing battle in terms of prevention, we have restricted Class of Service on all our phones that don't regularly need international or premium rate. However there are any number of international calling proxies that dodge this by having national rate numbers. We've had cases of people racking up £60 a call by being on the phone for an hour+. The only way to stop this, unfortunately, is monitoring and review, then disciplinary action for the perpetrators.
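The regular call-log review suggested in this reply, sketched as an added example that is not part of any post in the thread: it reads Asterisk `cdr_csv` records (Master.csv column order) and flags answered calls that are international, premium-rate, or an hour or longer, the last being the only signal that catches national-rate calling proxies. The `00`/`09` prefixes assume UK dialling with no outside-line prefix; the function name, extension 2001 and all sample records are constructed.

```python
import csv

# Column order written by Asterisk's cdr_csv backend (Master.csv).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags"]

# Assumptions: UK dialling, no outside-line prefix on the dialled number.
INTERNATIONAL_PREFIX = "00"
PREMIUM_PREFIX = "09"
LONG_CALL_SECONDS = 3600  # the "hour+" calls mentioned in the thread


def review_cdr(lines, allowed_international=frozenset()):
    """Return (src, dst, billsec, reasons) for answered calls needing manual review."""
    findings = []
    for row in csv.reader(lines):
        if len(row) < len(CDR_FIELDS):
            continue  # blank or truncated record
        rec = dict(zip(CDR_FIELDS, row))
        if rec["disposition"] != "ANSWERED" or not rec["billsec"].isdigit():
            continue  # unanswered calls cost nothing
        billsec, dst, reasons = int(rec["billsec"]), rec["dst"], []
        if dst.startswith(INTERNATIONAL_PREFIX) and rec["src"] not in allowed_international:
            reasons.append("international")
        if dst.startswith(PREMIUM_PREFIX):
            reasons.append("premium-rate")
        if billsec >= LONG_CALL_SECONDS:
            reasons.append("long-call")  # catches national-rate proxy numbers
        if reasons:
            findings.append((rec["src"], dst, billsec, reasons))
    return findings


# Constructed sample records (reserved drama/fictional number ranges).
SAMPLE_CDR = '''\
"","2001","01614960123","from-home","2001","IAX2/2001-1","SIP/trunk-2","Dial","SIP/trunk/01614960123","2024-01-10 09:00:00","2024-01-10 09:00:05","2024-01-10 09:04:05",245,240,"ANSWERED","DOCUMENTATION"
"","2001","0012025550123","from-home","2001","IAX2/2001-3","SIP/trunk-4","Dial","SIP/trunk/0012025550123","2024-01-10 10:00:00","2024-01-10 10:00:05","2024-01-10 10:01:40",100,95,"ANSWERED","DOCUMENTATION"
"","2001","03069990123","from-home","2001","IAX2/2001-5","SIP/trunk-6","Dial","SIP/trunk/03069990123","2024-01-10 19:00:00","2024-01-10 19:00:10","2024-01-10 20:06:50",4010,4000,"ANSWERED","DOCUMENTATION"
"","2001","09098790123","from-home","2001","IAX2/2001-7","SIP/trunk-8","Dial","SIP/trunk/09098790123","2024-01-11 20:00:00","2024-01-11 20:00:05","2024-01-11 21:01:45",3705,3700,"ANSWERED","DOCUMENTATION"
"","2001","0012025550199","from-home","2001","IAX2/2001-9","SIP/trunk-10","Dial","SIP/trunk/0012025550199","2024-01-12 08:00:00","","2024-01-12 08:00:30",30,0,"NO ANSWER","DOCUMENTATION"
'''

if __name__ == "__main__":
    for src, dst, billsec, reasons in review_cdr(SAMPLE_CDR.splitlines()):
        print(f"{src} -> {dst} {billsec}s: {', '.join(reasons)}")
```
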
 
Looks like the best bet is to give him a hardware VPN endpoint and he can have a mini LAN in his home office with a physical handset and his laptop.

Via a routed subnet with limited access to internal resources (and those there is access to will be via authentication) it shouldn't be too bad.

Maybe dot1x on the endpoint too, for the laptop, with the phone only allowed near the PBX, or perhaps purchase a newer phone which supports dot1x. There's a few options to consider there.

We can sufficiently ACL it to prevent issues if his house got broken into and the endpoint stolen etc., I think.

Staff abuse of phones isn't really a problem, we're all pretty trusted, and a small team. It's just for those accidental cases - like someone's kids pick up the phone or something. There's plenty of config in Asterisk to lock down calling privileges so we can look at that also.
 
I wouldn't worry about the endpoint getting nicked. Using a proper point to point VPN you would set his IP as a peer at your end so if someone pilfered it they'd still need to have his IP for the other half of the tunnel to work. Plus if it's passworded and secreted then 9/10 that pinch one will just ROM-MON it to resell it - which will nuke the config anyway.

All this is assuming they get it plugged in and going before it's been reported to you and you've disabled the VPN altogether.

I wouldn't worry about that so much as ensuring he's got a stable connection to run it from.
 
Getting a static IP involves him (probably) changing ISP at his end, I don't think VM home broadband is going to give him one! Will have to use dynamic crypto maps instead. Still, as you say, easy enough to disable the config for that peer.

Still, can do it with certificates and so on, revoking the cert and disabling the VPN stops them getting in. I'm not too worried there.
 