I've been installing a Draytek Vigor 2900 router at work lately, and found a line of models which do VoIP (router with analog phone jacks on them). They also support VPN router-router, and come with DynDNS clients. I thought I've seen VoIP over VPN being mentioned, but I can't find it right now.

They're reasonably priced, and have pretty good online support: http://www.draytek.co.uk/support/

I've also been looking at them from a vulnerabilities angle, but couldn't find much. Not even which embedded OS they run on. No glaring remote exploit holes yet reported.

Everyone has seen http://www.skype.com/download_pda.html right?

--
Eugen* Leitl leitl
______________________________________________________________
ICBM: 48.07078, 11.61144 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
http://moleculardevices.org http://nanomachines.net
Eugen Leitl wrote:
> I've been installing a Draytek Vigor 2900 router at work lately, and found a line of models which do VoIP (router with analog phone jacks on them). They also support VPN router-router, and come with DynDNS clients. I thought I've seen VoIP over VPN being mentioned, but I can't find it right now.
I've not seen, nor played with any of these, *BUT*, heed this warning which applies to all devices (and software?) that are 1) closed source and 2) offer some useful service which you'd be tempted to place inside your network, 3) are allowed to communicate with the outside world.

I would highly suggest that if you choose to use one of these that you do so from a DMZ in your firewall to be safe. You don't know what OS/firmware lives there and whether it can be used via the VOIP network to spy on your internal network. You might need to add another NIC to your firewall, and depending on what else this needs, you might also need to provide a DHCP server for it. Set the firewall rules to make sure no packets from this device can go into your internal network. EVER.

Don't just say, "Well this thing is its own router, it does VPN, it has a firewall (does it?) I can trust it." There will likely be features which it provides (perhaps a voice mail->email gateway?) which will tempt you to place it on the inside network instead of a DMZ. Don't! Find a way to secure your network and still provide for such features.

[Or, if you use these boxes inside a corporate environment and actually care about this level of security and want several of these to talk to each other, build another network just for them. Depending on your needs, I'd also say, don't let them talk to the outside world, but if you do that, only nodes inside your VPN's will be able to communicate over VOIP.]

If you trust this thing to do VOIP, enjoy, (Accepting possible spying on your phone calls by LEO/intel agencies, etc.) but don't trust it enough to put the ethernet end of it on your internal network. You never know when some bright kid takes one of these apart, disassembles the firmware and finds a backdoor to use against you.

Why the tin-foil-sounding rant?

See yesterday's slashdot regarding the recent "hardwired" backdoor account in a Cisco Wifi router which has been exposed resulting in a call for a firmware update. You can bet that Cisco simply changed the backdoor password/hash instead of eliminating it. If they're not too scummy, they only made it harder to find: http://yro.slashdot.org/article.pl?sid=04/04/08/1920228&mode=thread&tid=126&tid=158&tid=172&tid=99
On Fri, Apr 09, 2004 at 05:56:18PM -0400, sunder wrote:
> I've not seen, nor played with any of these, *BUT*, heed this warning which applies to all devices (and software?) that are 1) closed source and 2) offer some useful service which you'd be tempted to place inside your network, 3) are allowed to communicate with the outside world.
I cited those routers as instances of consumer-type cheap VoIP with encryption, which thwarts government-mandated tapping by ISPs. Exploiting built-in backdoors or remotely exploitable vulnerabilities is a different threat model. I definitely hope routers with DynDNS/VPN/VoIP and POTS jacks will become more widespread, and use opportunistic encryption as default.

I personally am not going to buy the router, as it is lacking the functionality and flexibility of a Linux-based firewall.

I'm waiting for a passively cooled ~GHz VIA C3 motherboard with two NICs and external fanless power supply to ditch my current proprietary, rather braindead firewall. I've already verified IDE-CF adapters do very nicely, and there are dedicated distros like http://www.nycwireless.net/pebble/ which don't wear down the flash with r/w on /tmp and similar.

Should I stick with Linux (there's /dev/random and VPN support in current kernels for the C3 Padlock engine, right?) with SELinux or try OpenBSD for a firewall type machine with hardware crypto support?

--
Eugen* Leitl
Eugen Leitl wrote:
> I cited those routers as instances of consumer-type cheap VoIP with encryption, which thwarts government-mandated tapping by ISPs. Exploiting built-in backdoors or remotely exploitable vulnerabilities is a different threat model. I definitely hope routers with DynDNS/VPN/VoIP and POTS jacks will become more widespread, and use opportunistic encryption as default.

Cool.

> I personally am not going to buy the router, as it is lacking the functionality and flexibility of a Linux-based firewall.

Hmm, I wonder if the VoIP standard is open enough that fully compatible Linux implementations could be made and integrated with ALSA... I'm sure a simple analog circuit could be used to get an RJ11 phone jack attached to audio in/out once this is done...

> I'm waiting for a passively cooled ~GHz VIA C3 motherboard with two NICs and external fanless power supply to ditch my current proprietary, rather braindead firewall. I've already verified IDE-CF adapters do very nicely, and there are dedicated distros like http://www.nycwireless.net/pebble/ which don't wear down the flash with r/w on /tmp and similar.

Shouldn't be a problem if you go the Solaris route and use tmpfs/swapfs with no real swap. (For those that don't know, Solaris mounts /tmp into virtual memory space, so if you've got tons of RAM, data written in /tmp is actually written in RAM.)

> Should I stick with Linux (there's /dev/random and VPN support in current kernels for the C3 Padlock engine, right?) with SELinux or try OpenBSD for a firewall type machine with hardware crypto support?

I've had very good luck with OBSD so far (knock on fake wood?)... I'm very happy with pf... much nicer than iptables... I haven't used SELinux as a firewall, but have experimented with it. It's excellent in terms of security (if you don't mind the huge failure logs), but it's a bitch to configure properly... I'd go for something between UML (User Mode Linux) and SELinux. Use SELinux as the main host and UML to partition off untrusted applications in sandboxes (i.e. to run apache, etc.)
On Saturday 2004 April 10 12:12, Eugen Leitl wrote:
> Should I stick with Linux (there's /dev/random and VPN support in current kernels for the C3 Padlock engine, right?) with SELinux or try OpenBSD for a firewall type machine with hardware crypto support?

For a firewall, I'd recommend OpenBSD over just about anything else. Unless, of course, there is hardware you need to use that isn't supported under OpenBSD.

--
Shawn K. Quinn
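Putting sunder's DMZ advice (extra NIC, the VoIP box on its own segment, no packets from it into the LAN, ever) together with the OpenBSD/pf recommendation that closes the thread, this is what that policy looks like as a pf ruleset. It is an added example written for this page, not a config from anyone in the thread, from Draytek, or from the OpenBSD project. The interface names, the address ranges and the VoIP box's address are assumptions, and the syntax is that of OpenBSD 3.x pf as it was when the thread was written (later releases replaced nat/rdr with match ... nat-to / rdr-to).

```pf
# /etc/pf.conf for a three-NIC firewall: ISP, trusted LAN, VoIP-only DMZ.
# Added example; interface names and addresses below are assumptions.
ext_if   = "fxp0"            # to the ISP
int_if   = "fxp1"            # trusted LAN
dmz_if   = "fxp2"            # the extra NIC, carrying only the VoIP router
lan_net  = "192.168.1.0/24"
dmz_net  = "192.168.2.0/24"
voip_box = "192.168.2.2"     # the VoIP router's DMZ-side address (assumed)

set skip on lo0
scrub in all

# Translation: both networks leave through the ISP interface.
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)

# Inbound calls or VPN peers from the Internet need a redirect to the box
# for whatever ports its documentation lists; fill in once known.
# rdr on $ext_if inet proto udp from any to ($ext_if) port <voip_port> -> $voip_box

# Default deny, logged: anything the box tries that is not allowed below
# shows up on pflog0 instead of disappearing silently.
block log all

# A packet on the DMZ wire carrying a LAN source address is forged; drop it
# before any pass rule can see it.
antispoof log quick for { $int_if, $dmz_if }

# The trusted LAN may initiate anywhere, including to the box's admin UI.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if keep state

# The box never initiates into the LAN. Logged and quick, so the attempt
# is visible and no later rule can override it.
block in log quick on $dmz_if from $dmz_net to $lan_net

# The box may talk to the outside world only.
pass in on $dmz_if from $voip_box to ! $lan_net keep state

# If the firewall is also the DMZ's DHCP server (sunder's point), let the
# exchange through: requests come from 0.0.0.0 and match nothing above.
pass in  on $dmz_if inet proto udp from any port 68 to any port 67
pass out on $dmz_if inet proto udp from any port 67 to any port 68
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` for hits on the logged block rules: a VoIP router that keeps probing 192.168.1.0/24 from its DMZ address is exactly the behaviour the thread warns about. The voicemail-to-email style feature sunder mentions would need the box to reach a mail server; the way to keep the rule above intact is to put a relay on the DMZ (or let the box connect to an external relay) rather than opening a hole from the DMZ into the LAN.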