Re: VPN VoIP
On Saturday 2004 April 10 12:12, Eugen Leitl wrote: Should I stick with Linux (there's /dev/random and VPN support in current kernels for the C3 Padlock engine, right?) with SELinux or try OpenBSD for a firewall type machine with hardware crypto support? For a firewall, I'd recommend OpenBSD over just about anything else. Unless of course, there is hardware you need to use that isn't supported under OpenBSD. -- Shawn K. Quinn
VPN VoIP
I've been installing a Draytek Vigor 2900 router at work lately, and found a line of models which do VoIP (router with analog phone jacks on them). They also support VPN router-router, and come with DynDNS clients. I thought I've seen VoIP over VPN being mentioned, but I can't find it right now. They're reasonably priced, and have pretty good online support: http://www.draytek.co.uk/support/ I've also been looking at them from vulnerabilities angle, but couldn't find much. Not even which embedded OS they run on. No glaring remote exploit holes yet reported. Everyone has seen http://www.skype.com/download_pda.html right? -- Eugen* Leitl a href=http://leitl.org;leitl/a __ ICBM: 48.07078, 11.61144http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net pgp0.pgp Description: PGP signature
Re: VPN VoIP
On Fri, Apr 09, 2004 at 05:56:18PM -0400, sunder wrote: I've not seen, nor played with any of these, *BUT*, heed this warning which applies to all devices (and software?) that are 1) closed source and 2) offer some useful service which you'd be tempted to place inside your network, 3) are allowed to communicate with the outside world. I cited those routers as instances of consumer-type cheap VoIP with encryption, which thwarts goverment-mandated tapping by ISPs. Exploiting built-in backdoors or remotely exploitable vulnerabilities is a different threat model. I definitely hope routers with DynDNS/VPN/VoIP and POTS jacks will become more widespread, and use opportunistic encryption as default. I personally am not going to buy the router, as it is lacking functionality and flexibility of a Linux-based firewall. I'm waiting for a passively cooled ~GHz VIA C3 motherboard with two NICs and external fanless power supply to ditch my current proprietary, rather braindead firewall. I've already verified IDE-cf adapters do very nicely, and there are dedicated distros like http://www.nycwireless.net/pebble/ which don't wear down the flash with r/w on /tmp and similiar. Should I stick with Linux (there's /dev/random and VPN support in current kernels for the C3 Padlock engine, right?) with SELinux or try OpenBSD for a firewall type machine with hardware crypto support? -- Eugen* Leitl a href=http://leitl.org;leitl/a __ ICBM: 48.07078, 11.61144http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net pgp0.pgp Description: PGP signature
Re: VPN VoIP
Eugen Leitl wrote: I've been installing a Draytek Vigor 2900 router at work lately, and found a line of models which do VoIP (router with analog phone jacks on them). They also support VPN router-router, and come with DynDNS clients. I thought I've seen VoIP over VPN being mentioned, but I can't find it right now. I've not seen, nor played with any of these, *BUT*, heed this warning which applies to all devices (and software?) that are 1) closed source and 2) offer some useful service which you'd be tempted to place inside your network, 3) are allowed to communicate with the outside world. I would highly suggest that if you chose to use one of these that you do so from a DMZ in your firewall to be safe. You don't know what OS/firmware lives there and whether it can be used via the VOIP network to spy on your internal network. You might need to add another NIC to your firewall, and depending on what else this needs, you might also need to provide a DHCP server for it. Set the firewall rules to make sure no packets from this device can go into your internal network. EVER. Don't just say, Well this thing is its own router, it does VPN, it has a firewall (does it?) I can trust it. There will likely be features which it provides (perhaps a voice mail-email gateway?) which will tempt you to place it on the inside network instead of a DMZ. Don't! Find a way to secure your network and still provide for such features. [Or, if you use these boxes inside a corporate environment and actually care about this level of security and want several of these to talk to each other, build another network just for them. Depending on your needs, I'd also say, don't let them talk to the outside world, but if you do that, only nodes inside your VPN's will be able to communicate over VOIP.] If you trust this thing to do VOIP, enjoy, (Accepting possible spying on your phone calls by LEO/intel agencies, etc.) but don't trust it enough to put the ethernet end of it on your internal network. You never know when some bright kid takes one of these apart, disassembles the firmware and finds a backdoor to use against you. Why the tin-foil sounding rant? See yesterday's slashdot regarding the recent hardwired backdoor account in a Cisco Wifi router which has been exposed resulting in a call for a firmware update. You can bet that Cisco simply changed the backdoor password/hash instead of eliminating it. If they're not too scummy, they only made it harder to find: http://yro.slashdot.org/article.pl?sid=04/04/08/1920228mode=threadtid=126tid=158tid=172tid=99