For starters use a separate vlan for the phones.

On Mon, Jul 5, 2021 at 2:02 PM Jonathan Thornburg <jthorn4...@gmail.com> wrote:
>
> Short summary:
>
> Has anyone used an OpenBSD firewall (pf) to protect an Ooma Telo VOIP
> phone system from internet attacks?  If so, how did you do it?  More
> generally, how do people protect VOIP phone systems (regardless of brand)
> from internet attacks?
>
>
> Details:
>
> My current home network topology is
>
>                      +--------------+
>   (internet) --------| $ISP DSL     |
>                      | modem/router |
>                      +--------------+
>                         |        |
>                         |        |
>                +----------+    +-----------+
>                | OpenBSD  |    | Ooma Telo |.......... analog
>                | firewall |    | VOIP box  |           telephones
>                +----------+    +-----------+
>                  |      |
>   +--------+     |      |
>   | Wifi   |-----+      +------ wired client
>   | access |                    (or network switch for
>   | point  |                     multiple wired clients)
>   +--------+
>
> The OpenBSD firewall's pf is set up to NAT all the outbound traffic
> and to block any incoming traffic except replies to previous outbound
> traffic.
>
> This works, but isn't as secure as I'd like, because the OpenBSD pf only
> protects our computers; the Ooma Telo VOIP box is outside the firewall
> and is only "protected" by the $ISP DSL modem/router (whose security I
> don't at all trust).  That is, I suspect that both the $ISP-provided
> DSL modem/router and the Ooma Telo VOIP box are ultimately "just" small
> embedded Linux boxes running less-than-fully-patched 10-year-old software,
> and are thus quite vulnerable to attack from the internet.
>
> So, as part of a forthcoming upgrade of the OpenBSD firewall hardware,
> I would like to move the Ooma box inside the firewall-protected network
> by switching to the following network topology:
>
>                      +--------------+
>   (internet) --------| $ISP DSL     |
>                      | modem/router |
>                      +--------------+
>                         |
>                         |
>                +----------+    +-----------+
>                | OpenBSD  |----| Ooma Telo |.......... analog
>                | firewall |    | VOIP box  |           telephones
>                +----------+    +-----------+
>                  |      |
>   +--------+     |      |
>   | Wifi   |-----+      +------ wired client
>   | access |                    (or network switch for
>   | point  |                     multiple wired clients)
>   +--------+
>
> This design would allow pf to protect the Ooma box as well as the
> local computers.
>
> The problem is that (as is pretty standard for VOIP systems) the Ooma
> Telo carries voice traffic on UDP packets, and the UDP port numbers
> can span a wide (dynamically-chosen) range, rather like ftp.  The
> Ooma documentation says it needs the following ports:
> https://support.ooma.com/home/advanced-connections-and-service-ports/
>   outgoing UDP/TCP 53, 1194, 1294
>   outgoing TCP 80, 110, 443
>   outgoing UDP 67, 123, 3480
>   incoming UDP 10000 to 30000
>
> So, there are the usual problems of NAT with dynamically-chosen ports.
>
> And, the range of incoming ports (10000 to 30000) is much broader than
> I would like to leave open to the whole world.  I can (will) try to
> restrict by IP source addresses, but Ooma offers no documentation on
> what IP addresses from their network may need to send me UDP packets
> for normal operation (notably, I don't know how incoming phone calls
> are signalled), so I will need to do some reverse engineering here
> (tcpdump to start with).  If I'm lucky the incoming UDP packets will
> always come from IP addresses to which I've previously sent outgoing
> traffic (so that the normal pf state table will grok them).
>
> In any case, IP source addresses can be forged, so relying on them
> alone gives somewhat limited security.  I don't know of an easy way
> to work around this.  Do I need a full-fledged SIP proxy somewhere
> (either on the firewall or on a separate dedicated machine)?
>
> Overall, I would rather not have to re-invent the wheel here.  What
> are other OpenBSD users doing to protect VOIP phone systems from
> incoming "nastygram" attacks?
>
> --
> -- "Jonathan Thornburg [remove color- to reply]" <jthorn4...@pink-gmail.com>
>    on the west coast of Canada, eh?
>    "There was of course no way of knowing whether you were being watched
>     at any given moment.  How often, or on what system, the Thought Police
>     plugged in on any individual wire was guesswork.  It was even conceivable
>     that they watched everybody all the time."  -- George Orwell, "1984"
>
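One way to combine the separate-VLAN suggestion with the port list quoted from the Ooma documentation, as an added pf.conf sketch that is not from the original thread or from Ooma; the interface names, the 192.0.2.10 address and the contents of the <ooma_net> table are assumed placeholders to be replaced with what tcpdump actually shows.

```pf
# Interfaces (assumed names; adjust to the real hardware)
ext_if  = "em0"      # toward the $ISP DSL modem/router
lan_if  = "em1"      # wired clients and the wifi access point
voip_if = "vlan10"   # dedicated VLAN carrying only the Ooma Telo
ooma    = "192.0.2.10"   # constructed address of the Ooma box on that VLAN

# Ports from the Ooma support page quoted in the post
ooma_udp_tcp_out = "{ 53, 1194, 1294 }"
ooma_tcp_out     = "{ 80, 110, 443 }"
ooma_udp_out     = "{ 67, 123, 3480 }"
ooma_udp_in      = "10000:30000"

# Ooma-side source addresses learned from observation; placeholder entry,
# fill in from tcpdump rather than trusting this value
table <ooma_net> persist { 198.51.100.0/24 }

set skip on lo
block log all

# NAT both the LAN and the phone VLAN behind the external address
match out on $ext_if from { $lan_if:network, $voip_if:network } nat-to ($ext_if)

# Phone VLAN: the Ooma box may talk to the internet on its documented ports
# only, and never to the LAN (quick so later pass rules cannot override it)
block in quick on $voip_if to $lan_if:network
pass in on $voip_if proto { tcp, udp } from $ooma to any port $ooma_udp_tcp_out
pass in on $voip_if proto tcp from $ooma to any port $ooma_tcp_out
pass in on $voip_if proto udp from $ooma to any port $ooma_udp_out

# The one unsolicited inbound hole: media/signalling UDP from known Ooma
# addresses only, redirected to the phone box. Replies to the box's own
# outbound traffic are already covered by the state table.
pass in log on $ext_if proto udp from <ooma_net> to ($ext_if) \
    port $ooma_udp_in rdr-to $ooma

# Ordinary LAN clients
pass in on $lan_if from $lan_if:network to any
pass out on $ext_if
```

The $ISP modem/router in front of the OpenBSD box must still forward UDP 10000-30000 to the firewall's external address for the rdr-to rule to see anything, and the `log` keyword on that rule lets pflog show which sources actually arrive so <ooma_net> can be tightened over time.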
