Short summary:

Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
phone system from internet attacks?  If so, how did you do it?  More
generally, how do people protect VOIP phone systems (regardless of brand)
from internet attacks?


Details:

My current home network topology is

                     +--------------+
  (internet) --------| $ISP DSL     |
                     | modem/router |
                     +--------------+
                        |        |
                        |        |
               +----------+    +-----------+
               | OpenBSD  |    | Ooma Telo |.......... analog
               | firewall |    | VOIP box  |           telephones
               +----------+    +-----------+
                 |      |
  +--------+     |      |
  | Wifi   |-----+      +------ wired client
  | access |                    (or network switch for
  | point  |                     multiple wired clients)
  +--------+

The OpenBSD firewall's pf is set up to NAT all the outbound traffic
and to block any incoming traffic except replies to previous outbound
traffic.

This works, but isn't as secure as I'd like, because the OpenBSD pf only
protects our computers; the Ooma Telo VOIP box is outside the firewall
and is only "protected" by the $ISP DSL modem/router (whose security I
don't at all trust).  That is, I suspect that both the $ISP-provided
DSL modem/router and the Ooma Telo VOIP box are ultimately "just" small
embedded Linux boxes running less-than-fully-patched 10-year-old software,
and are thus quite vulnerable to attack from the internet.

So, as part of a forthcoming upgrade of the OpenBSD firewall hardware,
I would like to move the Ooma box inside the firewall-protected network
by switching to the following network topology:

                     +--------------+
  (internet) --------| $ISP DSL     |
                     | modem/router |
                     +--------------+
                        |
                        |
               +----------+    +-----------+
               | OpenBSD  |----| Ooma Telo |.......... analog
               | firewall |    | VOIP box  |           telephones
               +----------+    +-----------+
                 |      |
  +--------+     |      |
  | Wifi   |-----+      +------ wired client
  | access |                    (or network switch for
  | point  |                     multiple wired clients)
  +--------+

This design would allow pf to protect the Ooma box as well as the
local computers.

The problem is that (as is pretty standard for VOIP systems) the Ooma
Telo carries voice traffic on UDP packets, and the UDP port numbers
can span a wide (dynamically-chosen) range, rather like ftp.  The
Ooma documentation says it needs the following ports:
https://support.ooma.com/home/advanced-connections-and-service-ports/
  outgoing UDP/TCP 53, 1194, 1294
  outgoing TCP 80, 110, 443
  outgoing UDP 67, 123, 3480
  incoming UDP 10000 to 30000

So, there are the usual problems of NAT with dynamically-chosen ports.

And, the range of incoming ports (10000 to 30000) is much broader than
I would like to leave open to the whole world.  I can (will) try to
restrict by IP source addresses, but Ooma offers no documentation on
what IP addresses from their network may need to send me UDP packets
for normal operation (notably, I don't know how incoming phone calls
are signalled), so I will need to do some reverse engineering here
(tcpdump to start with).  If I'm lucky the incoming UDP packets will
always come from IP addresses to which I've previously sent outgoing
traffic (so that the normal pf state table will grok them).

In any case, IP source addresses can be forged, so relying on them
alone gives somewhat limited security.  I don't know of an easy way
to work around this.  Do I need a full-fledged SIP proxy somewhere
(either on the firewall or on a separate dedicated machine)?

Overall, I would rather not have to re-invent the wheel here.  What
are other OpenBSD users doing to protect VOIP phone systems from
incoming "nastygram" attacks?

-- 
-- "Jonathan Thornburg [remove color- to reply]" <jthorn4...@pink-gmail.com>
   on the west coast of Canada, eh?
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even conceivable
    that they watched everybody all the time."  -- George Orwell, "1984"
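One way to express the second topology in pf, as an added example that is not part of the original post and not Ooma's or OpenBSD's own documentation. It assumes em0 faces the $ISP DSL router (which must forward UDP 10000-30000 to em0), em1 is the LAN, the Ooma Telo sits on its own interface em2 at a fixed address, and the `<ooma_net>` table is filled by hand from addresses observed with tcpdump; until it is populated, no unsolicited inbound UDP reaches the Ooma box, while replies to the box's own outbound traffic still pass through the normal state table.

```pf
# Added example pf.conf fragment (assumed interface names and addresses).
ext_if  = "em0"
lan_if  = "em1"
ooma_if = "em2"
ooma    = "10.0.2.2"            # assumed static address of the Ooma Telo
lan     = $lan_if:network

# Ooma does not document its server addresses: start empty and add peers
# seen in tcpdump. Nothing in the inbound range passes until then.
table <ooma_net> persist

set skip on lo
set block-policy drop

# Outbound NAT for the LAN and the Ooma segment.
match out on $ext_if inet from { $lan $ooma } nat-to ($ext_if)
# Keep the Ooma box's media ports unchanged through NAT, so the port the
# remote side is told to send to is the one pf actually maps back.
match out on $ext_if inet proto udp from $ooma port 10000:30000 \
      nat-to ($ext_if) static-port

block log all

# LAN hosts may initiate anything; the untrusted Ooma box may not
# reach the LAN at all.
pass in on $lan_if inet from $lan to any
block in quick on $ooma_if inet from $ooma to $lan

# From the Ooma box, only the ports its documentation lists.
pass in on $ooma_if inet proto { tcp udp } from $ooma to any port { 53 1194 1294 }
pass in on $ooma_if inet proto tcp from $ooma to any port { 80 110 443 }
pass in on $ooma_if inet proto udp from $ooma to any port { 67 123 3480 }
pass in on $ooma_if inet proto udp from $ooma to any port 10000:30000

# Traffic originated by the firewall itself (DNS, NTP, updates).
pass out on $ext_if inet keep state

# Unsolicited inbound media: documented range only, known Ooma peers only,
# redirected to the Ooma box. Anything else aimed at that range is
# dropped and logged by "block log all" above.
pass in log on $ext_if inet proto udp from <ooma_net> to ($ext_if) \
     port 10000:30000 rdr-to $ooma
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to see which blocked UDP sources would have needed a table entry.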
