Monday, July 05, 2021

Re: how to use OpenBSD firewall (pf) to protect Ooma Telo VOIP phone system

If you don't trust your voip box you should not install it in your lan zone.
You should have a perimeter network; maybe your actual configuration is less dangerous than the one you propose.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

Il lunedì 5 luglio 2021 7:58 PM, Jonathan Thornburg <jthorn4242@gmail.com> ha scritto:

> Short summary:
>
> Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
>
> phone system from internet attacks? If so, how did you do it? More
>
> generally, how do people protect VOIP phone systems (regardless of brand)
>
> from internet attacks?
>
> Details:
>
> My current home network topology is
>
> +--------------+
>
> (internet) --------| $ISP DSL |
>
> | modem/router |
>
> +--------------+
>
> | |
>
> | |
>
> +----------+ +-----------+
>
> | OpenBSD | | Omma Telo |.......... analog
>
> | firewall | | VOIP box | telephones
>
> +----------+ +-----------+
>
> | |
>
> +--------+ | |
>
> | Wifi |-----+ +------ wired client
>
> | access | (or network switch for
>
> | point | multiple wired clients)
>
> +--------+
>
> The OpenBSD firewall's pf is setup to NAT all the outbound traffic
>
> and to block any incoming traffic except replies to previous outbound
>
> traffic.
>
> This works, but isn't as secure as I'd like, because the OpenBSD pf only
>
> protects our computers; the Ooma Telo VOIP box is outside the firewall
>
> and is only "protected" by the $ISP DSL modem/router (whose security I
>
> don't at all trust). That is, I suspect that both the $ISP-provided
>
> DSL modem/router and the Ooma Telo VOIP box are ultimately "just" small
>
> embedded Linux boxes running less-than-fully-patched 10-year-old software,
>
> and are thus quite vulnerable to attack from the internet.
>
> So, as part of a forthcoming upgrade of the OpenBSD firewall hardware,
>
> I would like to move the Ooma box inside the firewall-protected network
>
> by switching to the following network topology:
>
> +--------------+
>
> (internet) --------| $ISP DSL |
>
> | modem/router |
>
> +--------------+
>
> |
>
> |
>
> +----------+ +-----------+
>
> | OpenBSD |----| Omma Telo |.......... analog
>
> | firewall | | VOIP box | telephones
>
> +----------+ +-----------+
>
> | |
>
> +--------+ | |
>
> | Wifi |-----+ +------ wired client
>
> | access | (or network switch for
>
> | point | multiple wired clients)
>
> +--------+
>
> This design would allow pf to protect the Ooma box as well as the
>
> local computers.
>
> The problem is that (as is pretty standard for VOIP systems) the Ooma
>
> Telo carries voice traffic on UDP packets, and the UDP port numbers
>
> can span a wide (dynamically-chosen) range, rather like ftp. The
>
> Ooma documentation says it needs the following ports:
>
> https://support.ooma.com/home/advanced-connections-and-service-ports/
>
> outgoing UDP/TCP 53, 1194, 1294
>
> outgoing TCP 80, 110, 443
>
> outgoing UDP 67, 123, 3480
>
> incoming UDP 10000 to 30000
>
> So, there are the usual problems of NAT with dynamically-chosen ports.
>
> And, the range of incoming ports (10000 to 30000) is much broader than
>
> I would like to leave open to the whole world. I can (will) try to
>
> restrict by IP source addresses, but Ooma offers no documentation on
>
> what IP addresses from their network may need to send me UDP packets
>
> for normal operation (notably, I don't know how incoming phone calls
>
> are signalled), so I will need to do some reverse engineering here
>
> (tcpdump to start with). If I'm lucky the incoming UDP packets will
>
> always come from IP addresses to which I've previously sent outgoing
>
> traffic (so that the normal pf state table will grok them).
>
> In any case, IP source addresses can be forged, so relying on them
>
> alone gives somewhat limited security. I don't know of an easy way
>
> to work around this. Do I need a full-fledged SIP proxy somewhere
>
> (either on the firewall or on a separate dedicated machine)?
>
> Overall, I would rather not have to re-invent the wheel here. What
>
> are other OpenBSD users doing to protect VOIP phone systems from
>
> incoming "nastygram" attacks?
>
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> -- "Jonathan Thornburg [remove color- to reply]" jthorn4242@pink-gmail.com
>
> on the west coast of Canada, eh?
>
> "There was of course no way of knowing whether you were being watched
>
> at any given moment. How often, or on what system, the Thought Police
>
> plugged in on any individual wire was guesswork. It was even conceivable
>
> that they watched everybody all the time." -- George Orwell, "1984"

No comments:

Post a Comment