If you don't trust your VOIP box you should not install it in your LAN zone.
You should have a perimeter network; maybe your actual configuration is less
dangerous than the one you propose.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Monday, 5 July 2021 7:58 PM, Jonathan Thornburg <jthorn4...@gmail.com> wrote:

> Short summary:
>
> Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
> phone system from internet attacks? If so, how did you do it? More
> generally, how do people protect VOIP phone systems (regardless of brand)
> from internet attacks?
>
> Details:
>
> My current home network topology is
>
>                              +--------------+
>      (internet) -------------|   $ISP DSL   |
>                              | modem/router |
>                              +--------------+
>                                 |        |
>                                 |        |
>                          +----------+  +-----------+
>                          | OpenBSD  |  | Ooma Telo |.......... analog
>                          | firewall |  | VOIP box  |           telephones
>                          +----------+  +-----------+
>                             |     |
>               +--------+    |     |
>               |  Wifi  |----+     +------ wired client
>               | access |                  (or network switch for
>               | point  |                   multiple wired clients)
>               +--------+
>
> The OpenBSD firewall's pf is set up to NAT all the outbound traffic
> and to block any incoming traffic except replies to previous outbound
> traffic.
>
> This works, but isn't as secure as I'd like, because the OpenBSD pf only
> protects our computers; the Ooma Telo VOIP box is outside the firewall
> and is only "protected" by the $ISP DSL modem/router (whose security I
> don't at all trust). That is, I suspect that both the $ISP-provided
> DSL modem/router and the Ooma Telo VOIP box are ultimately "just" small
> embedded Linux boxes running less-than-fully-patched 10-year-old software,
> and are thus quite vulnerable to attack from the internet.
>
> So, as part of a forthcoming upgrade of the OpenBSD firewall hardware,
> I would like to move the Ooma box inside the firewall-protected network
> by switching to the following network topology:
>
>                              +--------------+
>      (internet) -------------|   $ISP DSL   |
>                              | modem/router |
>                              +--------------+
>                                     |
>                                     |
>                          +----------+    +-----------+
>                          | OpenBSD  |----| Ooma Telo |.......... analog
>                          | firewall |    | VOIP box  |           telephones
>                          +----------+    +-----------+
>                             |     |
>               +--------+    |     |
>               |  Wifi  |----+     +------ wired client
>               | access |                  (or network switch for
>               | point  |                   multiple wired clients)
>               +--------+
>
> This design would allow pf to protect the Ooma box as well as the
> local computers.
>
> The problem is that (as is pretty standard for VOIP systems) the Ooma
> Telo carries voice traffic on UDP packets, and the UDP port numbers
> can span a wide (dynamically-chosen) range, rather like ftp. The
> Ooma documentation says it needs the following ports:
> https://support.ooma.com/home/advanced-connections-and-service-ports/
>
>   outgoing UDP/TCP 53, 1194, 1294
>   outgoing TCP     80, 110, 443
>   outgoing UDP     67, 123, 3480
>   incoming UDP     10000 to 30000
>
> So, there are the usual problems of NAT with dynamically-chosen ports.
> And, the range of incoming ports (10000 to 30000) is much broader than
> I would like to leave open to the whole world. I can (will) try to
> restrict by IP source addresses, but Ooma offers no documentation on
> what IP addresses from their network may need to send me UDP packets
> for normal operation (notably, I don't know how incoming phone calls
> are signalled), so I will need to do some reverse engineering here
> (tcpdump to start with). If I'm lucky the incoming UDP packets will
> always come from IP addresses to which I've previously sent outgoing
> traffic (so that the normal pf state table will grok them).
>
> In any case, IP source addresses can be forged, so relying on them
> alone gives somewhat limited security. I don't know of an easy way
> to work around this. Do I need a full-fledged SIP proxy somewhere
> (either on the firewall or on a separate dedicated machine)?
>
> Overall, I would rather not have to re-invent the wheel here. What
> are other OpenBSD users doing to protect VOIP phone systems from
> incoming "nastygram" attacks?
> ----------------------------------------------------------------------
>
> -- "Jonathan Thornburg [remove color- to reply]" jthorn4...@pink-gmail.com
> on the west coast of Canada, eh?
>
> "There was of course no way of knowing whether you were being watched
> at any given moment. How often, or on what system, the Thought Police
> plugged in on any individual wire was guesswork. It was even conceivable
> that they watched everybody all the time." -- George Orwell, "1984"
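The perimeter-network layout the reply recommends, as an added example that is not part of the thread, of Ooma's documentation, or of any OpenBSD example: a pf.conf sketch for the new firewall with a third interface dedicated to the VOIP box, using only the port list quoted in the question. The interface names (em0/em1/em2), the address 192.0.2.10 for the Ooma box, and the assumption that the box has a static address on its segment are all invented for illustration.

```pf
# Added example, not from the thread: three-zone OpenBSD pf.conf for a
# home firewall with the VOIP box on its own perimeter segment.
# Interface names and the Ooma address are assumptions.
ext_if = "em0"          # towards the $ISP DSL modem/router
lan_if = "em1"          # wifi access point / wired clients
dmz_if = "em2"          # dedicated segment holding only the VOIP box
ooma   = "192.0.2.10"   # placeholder: static address of the Ooma Telo on em2

# Port list from the Ooma documentation quoted in the question
ooma_udp_tcp_out = "{ 53 1194 1294 }"
ooma_tcp_out     = "{ 80 110 443 }"
ooma_udp_out     = "{ 67 123 3480 }"
ooma_udp_in      = "10000:30000"

set skip on lo
block return log all            # default deny on every interface, both directions

# NAT for both internal segments on the way out to the ISP
match out on $ext_if inet from { $lan_if:network, $dmz_if:network } nat-to ($ext_if)

# LAN: unrestricted outbound; replies ride the state table, nothing new comes in
pass in on $lan_if inet from $lan_if:network
pass out on $ext_if inet

# DMZ: the VOIP box may never initiate anything towards the LAN ...
block in quick on $dmz_if inet from $dmz_if:network to $lan_if:network
# ... and only the documented outbound ports towards the internet
pass in on $dmz_if inet proto { tcp udp } from $ooma to any port $ooma_udp_tcp_out
pass in on $dmz_if inet proto tcp from $ooma to any port $ooma_tcp_out
pass in on $dmz_if inet proto udp from $ooma to any port $ooma_udp_out

# Inbound media: only the documented UDP range, forwarded only to the VOIP box.
# "log" sends these packets to pflog0 so the provider's real source addresses
# can be observed before narrowing "from any" down to a table of them.
pass in log on $ext_if inet proto udp from any to ($ext_if) port $ooma_udp_in rdr-to $ooma
pass out on $dmz_if inet proto udp from any to $ooma port $ooma_udp_in
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf`. With this ruleset the LAN cannot reach the Ooma box's own management interface either, because nothing passes out on $dmz_if except the media range; add a separate `pass out on $dmz_if` rule if that is wanted. Since the question notes that the provider's signalling addresses are undocumented, the `log` keyword on the inbound rule is the detection hook: `tcpdump -n -e -ttt -i pflog0` shows which sources actually deliver media, and those can later replace `from any` via a pf table. If tcpdump shows the box initiating UDP flows on ports outside the documented list, the outbound DMZ rules need extending accordingly.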
