VPN VoIP
sunder
sunder at sunder.net
Fri Apr 9 14:56:18 PDT 2004
Eugen Leitl wrote:
> I've been installing a Draytek Vigor 2900 router at work lately, and found a
> line of models which do VoIP (router with analog phone jacks on them). They
> also support VPN router-router, and come with DynDNS clients. I thought I've
> seen VoIP over VPN being mentioned, but I can't find it right now.
I've not seen, nor played with any of these, *BUT*, heed this warning
which applies to all devices (and software?) that are 1) closed source and
2) offer some useful service which you'd be tempted to place inside your
network, 3) are allowed to communicate with the outside world.
I would highly suggest that if you chose to use one of these that you do so
from a DMZ in your firewall to be safe. You don't know what OS/firmware
lives there and whether it can be used via the VOIP network to spy on your
internal network.
You might need to add another NIC to your firewall, and depending on what
else this needs, you might also need to provide a DHCP server for it. Set
the firewall rules to make sure no packets from this device can go into
your internal network. EVER.
Don't just say, "Well this thing is its own router, it does VPN, it has a
firewall (does it?) I can trust it."
There will likely be features which it provides (perhaps a voice
mail->email gateway?) which will tempt you to place it on the inside
network instead of a DMZ. Don't! Find a way to secure your network and
still provide for such features.
[Or, if you use these boxes inside a corporate environment and actually
care about this level of security and want several of these to talk to each
other, build another network just for them. Depending on your needs, I'd
also say, don't let them talk to the outside world, but if you do that,
only nodes inside your VPN's will be able to communicate over VOIP.]
If you trust this thing to do VOIP, enjoy, (Accepting possible spying on
your phone calls by LEO/intel agencies, etc.) but don't trust it enough to
put the ethernet end of it on your internal network. You never know when
some bright kid takes one of these apart, disassembles the firmware and
finds a backdoor to use against you.
Why the tin-foil sounding rant? See yesterday's slashdot regarding the
recent "hardwired" backdoor account in a Cisco Wifi router which has been
exposed resulting in a call for a firmware update. You can bet that Cisco
simply changed the backdoor password/hash instead of eliminating it. If
they're not too scummy, they only made it harder to find:
http://yro.slashdot.org/article.pl?sid=04/04/08/1920228&mode=thread&tid=126&tid=158&tid=172&tid=99
More information about the cypherpunks-legacy
mailing list