Modem > Router > Telo : Static IP, QoS, Other configuration?

lbmofo
Posts:9337
Joined:Sun Mar 14, 2010 7:37 pm
Location:Greater Seattle
Re: Modem > Router > Telo : Static IP, QoS, Other configuration?

Post by lbmofo » Thu Mar 17, 2011 4:35 pm

I have a mom & pop cable ISP outfit called Broadstripe (really hoping Comcast would buy them out). No freebie anti-virus; Verizon DSL didn't have it either. Nice to not pay $40, $50 a year (dumped Norton) but still have some basic protection with MS Security Essentials.

I've scanned through the posts. I guess the meat of my question is if you put Ooma before the router or DMZ without having any port forward turned on to the setup page (home port), is there a real risk? Given that KGB, CIA is not after me and my home network.

thunderbird
Posts:6388
Joined:Mon Nov 08, 2010 4:41 pm

Re: Modem > Router > Telo : Static IP, QoS, Other configuration?

Post by thunderbird » Thu Mar 17, 2011 5:26 pm

lbmofo:

Information Only:

Quote from Wikipedia:
"In computer security, a DMZ, or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. The term is normally referred to as a DMZ by information technology professionals. It is sometimes referred to as a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network".

Quote from CradlePoint:
"DMZ Host:
DMZ means "Demilitarized Zone." If an application has trouble working from behind the router, you can expose one computer to the Internet and run the application on that computer.

When a LAN host is configured as a DMZ host, it becomes the destination for all incoming packets that do not match some other incoming session or rule. If any other ingress rule is in place, that will be used instead of sending packets to the DMZ host; so, an active session, virtual server, active port trigger, or gaming rule will take priority over sending a packet to the DMZ host. (The DMZ policy resembles a default gaming rule that forwards every port that is not specifically sent anywhere else.)

The router provides only limited firewall protection for the DMZ host. The router does not forward a TCP packet that does not match an active DMZ session, unless it is a connection establishment packet (SYN). Except for this limited protection, the DMZ host is effectively "outside the firewall". Anyone considering using a DMZ host should also consider running a firewall on that DMZ host system to provide additional protection.

Packets received by the DMZ host have their IP addresses translated from the WAN-side IP address of the router to the LAN-side IP address of the DMZ host. However, port numbers are not translated; so applications on the DMZ host can depend on specific port numbers.

DMZ IP Address:
Specify the LAN IP address of the LAN computer that you want to have unrestricted Internet communication. If this computer obtains its address Automatically using DHCP, then you may want to make a static reservation on the Basic → Network Settings page so that the IP address of the DMZ computer does not change".


Thunderbird Wrote:
This evening I was reviewing my router's logs. I found that in a month's time I had only five unauthorized connection attempts to the static IP address in my router’s DMZ, assigned to my Ooma Telo. Each one of the unauthorized connection attempts was rejected by the router.

I would suspect the low number of unauthorized connection attempts is because I use a commercial router using a medium level of security, although I think newer home routers, set to at least a medium level of security, would probably have similar results.

lbmofo, as you can see using the information from Wikipedia & CradlePoint, DMZs probably aren't all that scary. If you read between the lines in the articles above, you can see why even hacking the Home port of the Ooma device isn't all that straightforward. You have to know/guess some things to be able to do it. Then if someone got there, only some settings could be changed, which might cause the phone system to temporarily be disrupted.
The threat to an Ooma device in a DMZ is very low. An Ooma device connected behind a modem has probably slightly more risk than an Ooma device connected behind a router with its static IP address in the router's DMZ. I wouldn't worry about either connection setup.
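
The ingress order described in the CradlePoint text quoted in the post above, as an added example that is not part of the original thread and is not CradlePoint's code. The class and method names are hypothetical and all addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str           # remote address
    sport: int
    dport: int         # port on the router's WAN address
    proto: str         # "tcp" or "udp"
    syn: bool = False  # TCP connection-establishment packet

class Router:
    """Toy model (hypothetical names) of the ingress order in the quoted text."""

    def __init__(self, dmz_host=None):
        self.dmz_host = dmz_host   # LAN IP of the DMZ host, or None
        self.virtual_servers = {}  # (proto, wan_port) -> (lan_ip, lan_port)
        self.sessions = {}         # (proto, src, sport, dport) -> (lan_ip, lan_port)

    def ingress(self, p):
        """Return (matched_rule, lan_ip, lan_port) for an inbound WAN packet."""
        key = (p.proto, p.src, p.sport, p.dport)
        if key in self.sessions:                  # 1. active session wins
            return ("session", *self.sessions[key])
        rule = self.virtual_servers.get((p.proto, p.dport))
        if rule:                                  # 2. explicit rule beats DMZ
            self.sessions[key] = rule
            return ("virtual_server", *rule)
        if self.dmz_host is None:                 # no DMZ: unsolicited traffic dies
            return ("drop", None, None)
        if p.proto == "tcp" and not p.syn:        # the "limited protection"
            return ("drop", None, None)
        # 3. DMZ catch-all: address is translated, port number is not
        self.sessions[key] = (self.dmz_host, p.dport)
        return ("dmz", self.dmz_host, p.dport)

def demo():
    # Constructed addresses: RFC 5737 remote host, RFC 1918 LAN hosts.
    r = Router(dmz_host="192.168.1.50")
    r.virtual_servers[("tcp", 8080)] = ("192.168.1.10", 80)
    remote = "203.0.113.7"
    return [
        r.ingress(Packet(remote, 40000, 80, "tcp", syn=True)),    # new connection
        r.ingress(Packet(remote, 40000, 80, "tcp")),              # same flow
        r.ingress(Packet(remote, 40001, 443, "tcp")),             # stray non-SYN
        r.ingress(Packet(remote, 40002, 8080, "tcp", syn=True)),  # forwarded port
        r.ingress(Packet(remote, 40003, 5060, "udp")),            # any UDP port
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

With a DMZ host set, every port that has no rule of its own lands on that one device, which is why the quoted text recommends a firewall on the DMZ host itself.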

Lilly's_Closet
Posts:108
Joined:Wed May 19, 2010 11:10 am

Re: Modem > Router > Telo : Static IP, QoS, Other configuration?

Post by Lilly's_Closet » Thu Mar 17, 2011 6:04 pm

thunderbird -
I can’t dispute your 5 attempts in 1 month because it’s your network and your equipment.

I also can’t speak to the quality of your router’s logging or firewall or your router's ability to accurately log, identify and deter exploits. Your rules are preconfigured by the manufacturer and based on the logic that whatever you paid for will buy you.

I can, however, speak to my equipment. My firewall is not an off-the-shelf product and is highly configurable, and except for a few basic rules you have to create your own rules based on your topology. It's an extension of what I do professionally and it gives me the ability to trap, isolate and monitor any network traffic from any node on the network. During my 6 day trial with ooma in the DMZ I had 318 attempts at ooma.

Also please be aware that a SoHo router, which is what most people have, does not perform like a commercial-grade device that is more geared to the business market. For the average user they are paying 30-100 bucks and you are getting the logic that 30-100 bucks will buy you. A DMZ in a commercial-grade router also works differently than how a DMZ is usually implemented in a SoHo router.
Last edited by Lilly's_Closet on Fri Mar 18, 2011 6:07 am, edited 4 times in total.

tomcat
Posts:215
Joined:Tue Feb 22, 2011 1:32 pm

Re: Modem > Router > Telo : Static IP, QoS, Other configuration?

Post by tomcat » Thu Mar 17, 2011 6:19 pm

lbmofo wrote: I've scanned through the posts. I guess the meat of my question is if you put Ooma before the router or DMZ without having any port forward turned on to the setup page (home port), is there a real risk? Given that KGB, CIA is not after me and my home network.
lbmofo -

I feel as though my original posts regarding the issue may have taken on a different course than what I intended.

I think everything would be OK by putting the Ooma device directly to the modem or in the DMZ of a router with the Ooma in its default configuration (no port forwarding configured). I am not familiar enough with the Ooma device to think otherwise.

However, if you configure port forwarding on the Ooma device in order to make the setup page accessible on the Ooma's internet port for access from the router's LAN, and put the Ooma in your router's DMZ, then yes your Ooma's setup page is accessible from the internet. It is very trivial for someone from the internet to access it. All they would have to do is put your public IP address into their browser and there it is.

It has been pointed out that there isn't a lot that can be done on your setup page, but do you really want to put it out there anyway and take that chance? I just want people to understand the security implications of putting a device into the DMZ. If they understand the risks and still wish to do it, then more power to them.

Lilly's_Closet
Posts:108
Joined:Wed May 19, 2010 11:10 am

Re: Modem > Router > Telo : Static IP, QoS, Other configuration?

Post by Lilly's_Closet » Thu Mar 17, 2011 7:28 pm

thunderbird -

In closing, even if we have to agree to disagree on this topic, I am glad that we had this opportunity to discuss the DMZ. You defined it for us and we talked about what it is, what it's not and how it can be used. We have presented different schools of thought and supported our position.

There are a lot of things that need to be considered prior to implementing a DMZ on the average home network, primarily because no one is administrating that network. Most set up the router, which in most cases consists of accepting the defaults, connecting to the internet and they are done…well, if the internet breaks then they reboot the router and modem. But really they are done.

DMZ on the home network should be managed, and in most cases the user doesn't even know what it is, much less how to manage it. It is not a decision that you just tell someone to do when you know they are not going to act on making sure they take security precautions; that is irresponsible. Basically you are just going to tell them to open up their network without advising them of the risks or workarounds or helping them identify their real network issue.

Prior to this thread many forum members were making the decisions for other members by telling them….just stick it in the DMZ and the magic will happen. There is no magic in the DMZ.

A DMZ works because of a lack of security. If you have to put an ooma box in the DMZ to resolve your Ooma’s performance issues you are treating the effect not the cause of your issue.

If your ooma performs better in a DMZ your issue is more than likely associated with an issue with your router like closed ports, bad port redirection, a bad router or maybe even an aggressive firewall.

If you're having this problem and you're not technically inclined and the best advice you can get is to put Ooma in the DMZ, do yourself a favor and buy yourself a new $40-$60 router from newegg.com. This will more than likely fix your network issue and give you the same performance as if you were in the DMZ.