Eugen Leitl wrote:
I've been installing a Draytek Vigor 2900 router at work lately, and found a line of models which do VoIP (router with analog phone jacks on them). They also support VPN router-router, and come with DynDNS clients. I thought I've seen VoIP over VPN being mentioned, but I can't find it right now.
I've not seen, nor played with any of these, *BUT*, heed this warning which applies to all devices (and software?) that are 1) closed source and 2) offer some useful service which you'd be tempted to place inside your network, 3) are allowed to communicate with the outside world. I would highly suggest that if you chose to use one of these that you do so from a DMZ in your firewall to be safe. You don't know what OS/firmware lives there and whether it can be used via the VOIP network to spy on your internal network. You might need to add another NIC to your firewall, and depending on what else this needs, you might also need to provide a DHCP server for it. Set the firewall rules to make sure no packets from this device can go into your internal network. EVER. Don't just say, "Well this thing is its own router, it does VPN, it has a firewall (does it?) I can trust it." There will likely be features which it provides (perhaps a voice mail->email gateway?) which will tempt you to place it on the inside network instead of a DMZ. Don't! Find a way to secure your network and still provide for such features. [Or, if you use these boxes inside a corporate environment and actually care about this level of security and want several of these to talk to each other, build another network just for them. Depending on your needs, I'd also say, don't let them talk to the outside world, but if you do that, only nodes inside your VPN's will be able to communicate over VOIP.] If you trust this thing to do VOIP, enjoy, (Accepting possible spying on your phone calls by LEO/intel agencies, etc.) but don't trust it enough to put the ethernet end of it on your internal network. You never know when some bright kid takes one of these apart, disassembles the firmware and finds a backdoor to use against you. Why the tin-foil sounding rant? See yesterday's slashdot regarding the recent "hardwired" backdoor account in a Cisco Wifi router which has been exposed resulting in a call for a firmware update. You can bet that Cisco simply changed the backdoor password/hash instead of eliminating it. If they're not too scummy, they only made it harder to find: http://yro.slashdot.org/article.pl?sid=04/04/08/1920228&mode=thread&tid=126&tid=158&tid=172&tid=99