Re: [SR-Users] Security hygiene for Kamailio

Davy, I would also weigh on the side of saying that Kamailio security, even in a best-practical, common denominator kind of way, is inextricably bound up in the specificity of how Kamailio is being used, the role it's playing as a network element, the topology in which it is participating, etc. Kamailio itself can handle a ridiculously large amount of SIP throughput with no issue, from DoS attacks, dictionary scans, etc. There's no serious danger of overwhelming Kamailio per se with message volume. In in its principal role as a proxy, a lot of thinking about securing Kamailio really pertains to the securing of endpoints behind Kamailio, that Kamailio is routing calls to/from, or is somehow representing. It can also be about preventing entities on which Kamailio relies for call processing in a heavily I/O-bound way, e.g. databases, from being overwhelmed. The reason it is possible to DoS a Kamailio server is because its relatively small pool of worker threads can become tied up with waiting on third-party services that can become overwhelmed by the requests. So, any security strategy is going to involve thinking about how to prevent those services or additional elements from becoming overwhelmed in their own right. The focus is seldom on Kamailio itself, but more on Kamailio as it relates to the zoo of other dependencies in which it is deployed to perform some sort of useful, integrated function. All this to say, I cannot see much value in a blanket dogma of security principles that are supposedly applicable to any deployment, in any context. -- Alex On 12/17/2013 11:27 AM, davy wrote: -- Alex Balashov - Principal Evariste Systems LLC 235 E Ponce de Leon Ave Suite 106 Decatur, GA 30030 United States Tel: +1-678-954-0670 Web: http://www.evaristesys.com/, http://www.alexbalashov.com/