Configuration Option 2A Security/Privacy Risk. PLEASE READ!

amoney
Posts:586
Joined:Tue Dec 22, 2009 9:43 pm
Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by amoney » Tue Jan 12, 2010 3:34 pm

indie_dev wrote:Sorry for the confusion everyone. It is a long post and I got the config naming convention incorrect. But that's the extent of it.

The sheet I got with the Telo indicated that 2B was the best option for QoS of the telephone traffic. That is the option that (a) poses a risk as described and (b) will completely kill any advanced config that you have going on in your modem/router, and thus you delegate all those tasks from your more capable modem/router to the vastly incapable Ooma device.
caseybea wrote:It's so cool when people set up networking improperly, and then get all freaked out when they've accidentally exposed something. While you probably have a fair understanding of your home network's setup, you're missing understanding the setup of the ooma device vs the LAN port vs the DMZ and what is, or is not, exposed.

Phrased more simply, I'm sorry to say that you messed up. If set up properly, the web interface for the ooma device is NOT accessible outside of your home network. This is regardless of whether or not the ooma is in front of or behind the router.

There are several posts in this forum that describe how to set up the web interface and yet not expose it to the outside.
Wait. Is this the part where the local denizens try to attack the new guy? If that is the case, let me share some facts with you.

1. I'm not a n00b. So yes, I do this stuff for a living - and for much longer than most have had hot dinners.

2. My test experience is EXACTLY as I indicated or I wouldn't have posted about it. I ran the test several times.

3. If I wanted to make waves, I'd have created a post about it on my dev blog (which gets more traffic than this forum at any moment in time). But no, I simply wanted to make those smart enough to take their security/privacy seriously, be aware of the security risk. YMMV.

So please, refrain from making unqualified statements and go run the test yourself. You do NOT need as complex a setup as mine. In fact, I sent this post to a friend of mine at Secunia and his first comment was that the fact that the Ooma interface had no password is the first sign of a security breach.

I don't care really, so go ahead and do what you want.

I am sorry, but no one is attacking you; in fact the only one that is on the offense is you. The fact that you insist that you're in the biz is also a bit disconcerting.

Option 2B is behind your router; there is NO way anyone can see your LAN UNLESS you monkey with the advanced configuration of YOUR router, in which case you're on your own. How can you blame Ooma for security changes you made to your router that supposedly allow your LAN to be exposed to the public?

Please stop.
Comcast > Telo > WRT54G

Mike-o-Matic
Posts:169
Joined:Wed Nov 18, 2009 7:45 pm

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by Mike-o-Matic » Tue Jan 12, 2010 3:43 pm

No need to be defensive indie_dev. You may be right or wrong (I don't know) but I'd still rather the issue were brought up and thoroughly explored. Thanks for writing up the description and the steps to reproduce it!!
Customer Since: November 2009.
Number Port: ordered 12/14/09; completed 01/07/10.
Hardware: one Hub, one Scout, one Telo.
Service Level: Annual Premier.

amoney
Posts:586
Joined:Tue Dec 22, 2009 9:43 pm

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by amoney » Tue Jan 12, 2010 3:43 pm

Placing a device into the DMZ is not recommended!!! It never was.
Comcast > Telo > WRT54G

indie_dev
Posts:32
Joined:Tue Jan 12, 2010 10:25 am

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by indie_dev » Tue Jan 12, 2010 4:07 pm

OK, I ran the test again - and edited my first post for clarity. Sorry for the confusion.

This goes beyond "Don't use the DMZ". If it were that simple, I wouldn't have wasted my time on this, because the fact is that all routers and integrated modem/routers have a DMZ. If you have to use it, then it usually means that you KNOW what you're doing. In most cases, the public generally uses the DMZ without fully knowing the dangers of doing so.

But that's not the extent of it.

The fact of the matter is:

1. The Ooma device config page needs a security frontend. This should be pure common sense ESPECIALLY if they provide features which have the potential to expose the device to the Internet. All such devices - even some which have no Internet capabilities - have a security interface in the form of name+password - and they come with defaults.

2. Putting the Ooma device BETWEEN your modem/router CAN and WILL break most - if not all - of the router's functionality. That is functionality that the Ooma simply CANNOT match, let alone replace. As I discovered, you can't even forward some [standard] ports from the device to your router.

3. When folks can't get some of their devices (e.g. game consoles, game servers etc) to work, the first thing they're going to think of, is the DMZ. In fact there are several posts in this forum where people are doing just that. And since the Ooma device has NO security whatsoever, its [spotty] implementation of the DMZ is no comparison to the same option offered by routers or integrated modem/routers. You're not just sending traffic to a dedicated IP on your LAN, but rather you're exposing your ENTIRE network to the Internet.

4. The Ooma Telo "getting started" guide has several irregularities. One of them is the fact that they ask you to use Option 2A if you want it to prioritize your phone calls over other network traffic. Yet, further down in the Option 2B section, they say the same thing i.e. plugging your computer directly into the Ooma home network port allows it to prioritize phone calls. Also, there is no mention that if you're on a LAN - and your computer is connected to a router or switch, that solution is meaningless because unplugging that computer from LAN and plugging it into the Telo WILL separate it from the LAN and break connectivity because of its use of a different IP range.

indie_dev
Posts:32
Joined:Tue Jan 12, 2010 10:25 am

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by indie_dev » Tue Jan 12, 2010 4:21 pm

caseybea wrote:The ooma interface indeed does not have a password. For that matter, neither does my cable modem. Neither is designed to, nor are they set up to, be accessed from the outside.
Yes, but does your cable modem give you the ability to expose (knowingly or otherwise) ANYTHING connected to it to the Internet? No, it does not. Neither does my Motorola SB6120.

So that argument is moot, as you are comparing Apples to Oranges.
caseybea wrote:My main point was, your post basically screams 'danger danger, Will Robinson' - ooma is insecure. I am reasonably certain that you have short-circuited your setup somehow which allows access to the interface from the outside.
Focus on the DMZ setup specifically, as an earlier post suggests. I have a feeling that you have something in there that doesn't belong.
It is insecure. DMZ or not. If you don't see that, then I don't know what to tell you.

If you think that having a device like this - which has the capability to access the Internet - to NOT have a security interface is OK, then I'm sorry to say that you are clearly an example of why the Internet is rife with botnets, trojans and the like.

People - believe it or not - DO make mistakes. And all it takes is one such mistake to expose your machine and/or LAN to the internet via a NETWORK device that offers NO security protection whatsoever.

That's it. I'm convinced that I should write a dev blog post about this so that this discussion is not just relegated to the realms of this forum, because quite clearly some of you either just don't get it or you just choose to ignore it and call everyone stupid for not doing it "your way".

murphy
Posts:7554
Joined:Tue Jan 27, 2009 12:49 pm
Location:Pennsylvania

Re: Configuration Option 2A Security/Privacy Risk. PLEASE READ!

Post by murphy » Tue Jan 12, 2010 5:13 pm

Disconnect the cable that goes from your computer's second NIC to the Home port of the ooma.
Then rerun your tests.
Customer since January 2009
Telo with 2 Handsets, a Linx, and a Safety Phone
Telo2 with 2 Handsets and a Linx

The Talker
Posts:134
Joined:Thu Dec 17, 2009 7:28 pm
Location:Southern California

Re: Configuration Option 2A Security/Privacy Risk. PLEASE READ!

Post by The Talker » Tue Jan 12, 2010 5:16 pm

Folks like me that don't quite know this stuff find this informative. It's confusing sometimes to someone like me, and I know many others too. Stop polluting threads with this personal nit nit nit nit. Keep the personal bantering out of this.
Keep to the topic, we'll read and decide for ourselves. I've read enough on this message board to mess me up even more than I was before I joined up.
I am The Talker || **Lifetime Premier Service Subscriber** Use this SEARCH function folks!

tommies
Posts:862
Joined:Sun Mar 01, 2009 8:10 pm
Location:Atlanta

Re: Configuration Option 2A Security/Privacy Risk. PLEASE READ!

Post by tommies » Tue Jan 12, 2010 5:22 pm

This is a false alert.

172.27.35.105 is a private IP address, and any Internet router (e.g. a Cisco router) will reject it. If you ping it, you get 'Destination unreachable' unless it is in the range that your router issues, i.e. it is IN your private LAN.

IF the OP was truly browsing from the Internet (using the phone's data plan), the result MUST BE 'page not found.' The fact that his smartphone browser successfully loaded the page http://172.27.35.105 indicates that the smartphone also has Wi-Fi which connects to the router's wireless AP, i.e. the phone is within the private LAN; no breach here. See my comments marked "tommies:" in the quote below.

IF the OP was using his public IP (probably his wife was), which is assigned by his ISP, then this is another matter. However, in this situation the forward rules are in play, and without details (screenshots of the forward rules of the Telo and router) there is nothing I can say.
indie_dev wrote:
The router is set to obtain an IP address via DHCP from the cable modem.

The router is set to provide addresses to the LAN side via DHCP. It also has some rules for static IP allocation to machines that require it. In those cases, the IP is reserved in the router's DHCP table so that it never expires nor can it be revoked without manual intervention.

After I installed the Telo using Option 2B (Telo INTERNET port connected into spare router port) and it downloaded the update (less than 2 mins) and such, everything worked just fine.

But since the Ooma was assigned an IP address by the router and in a range that is totally different from the Ooma's own internal range, I could not access http://setup.ooma.com to see what settings were on the device.
tommies: ooma setup is only accessible from the HOME port, regardless of IP range.

So since my primary desktop has two network interfaces, I simply connected a spare RJ45 cable into that second LAN port and into the Telo's HOME port and was able to access it.
tommies: What OS do you have, Windows or 'nix? Beware that a bridge is auto-connected by Windows, a potential security risk here.

NOTE: that all the machines (as well as a pair of NAS devices) are connected to the switch (connected to the router). A PowerLine AV (a HomePlug device) bridge as well as a network printer are plugged directly into the spare (one of which the Telo is connected to) ports (it has four) in the router. The laptop (and other devices, e.g. smartphone, PSP etc) access the internet via wireless through the router.

As soon as I was able to access the Ooma config, it hit me. There is NO password on that Telo interface. And THAT is what sparked my research into what I consider to be a major privacy/security breach.
tommies: Again, ooma setup is only accessible from the HOME port; not a major breach IMHO, unless you intentionally/accidentally allow it to be accessible from the WAN side.

To test my theory, I ran a test using the second (and Ooma-RECOMMENDED) configuration:

Test with Option 2A (Ooma device BETWEEN the modem & router)

- turned OFF the Telo, modem, router

- connected the Ooma device as per Option 2A (HOME connects it to the router and INTERNET connects it to the modem)

- turned on the modem and waited for it to fully initialize (all relevant lights on etc)

- turned on the Ooma device

In the Ooma device config, I set it to DHCP (instead of automatic) and for it to use the internal MAC address. Saved everything.

Everything connected just fine. Made a phone call. Called myself from a cell phone. All OK.

I go to the Telo config page (172.27.35.1) - which I can now access just fine due to the new connection config and checked the status. All OK.

I could NOT access any services (e.g. web server, SVN etc) on my LAN-side machines from the Internet (using my smartphone via the cellular network). Why? Because their ports are forwarded by the router - which is now assigned a DHCP address by the Telo and thus knows nothing about the inbound traffic from the Internet via the Telo.

I go to the Telo config page and set the DMZ to be the IP (172.27.35.105) address it had assigned to the router.

Still could not access any LAN services from the Internet. Conclusion: The Ooma device DMZ does NOT work correctly. Great.
tommies: Uh, ooma is aware of the risk and temporarily turned it off.

So I decided to try one test at a time. I started with my Subversion (SVN) port by adding it to the Telo's port forward page so that the port was forwarded to the 172.27.35.105 IP of the router. Then I tried it again from my smartphone. It worked.

I then added and tried my VPN, FTP, NAS etc ports. All worked when accessed from the internet as long as the ports were forwarded in the Telo to the router's IP address.

This is the part where I totally freaked out.

From the browser (Opera) on my smartphone, I input the router's 172.27.35.105 IP and was HORRIFIED when - from across the Internet - I was staring at the Telo config page - which was supposed to be sitting at 172.27.35.1 and not accessible outside the LAN.
tommies: 172.27.35.105 is a private IP address; it won't get routed from outside. Either you omitted something or you are confused here??? Does your smartphone have Wi-Fi and connect to your router wirelessly?

To make sure I wasn't losing my mind, I called my wife at work and asked her to do the same thing. She too was able to access the Telo's config page and was able to not only see ALL the config pages, including the previously configured ports that were forwarded, but also the landline phone number (I opted to keep my own landline) etc.
tommies: Then you need to review your forward rules in the Telo AND your router, and make sure everything is correct.

Went back to the Ooma device and deduced that since the router's IP was now in the DMZ, the Ooma config page is now accessible from the open web!! EDIT: Someone also posted about this here.
tommies
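An added example (not from this thread, Ooma or any poster) that turns the two points argued above into checks: tommies's claim that 172.27.35.105, being RFC 1918 space, cannot be reached from the public Internet, and indie_dev's concern that port forwards or a DMZ could deliver outside traffic to an unauthenticated management page. The forwarding rules, the admin-port map and the router's WAN-side admin page on .105:80 are constructed assumptions, not a real Telo or router configuration.

```python
"""Constructed audit of a NAT/DMZ config for exposure of management pages,
plus the routability test behind tommies's private-address argument."""
import ipaddress
from dataclasses import dataclass

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared space


@dataclass(frozen=True)
class Forward:
    ext_port: int   # port opened on the WAN side
    proto: str      # "tcp" or "udp"
    dest_ip: str    # LAN-side destination host
    dest_port: int  # LAN-side destination port


def is_internet_routable(addr: str) -> bool:
    """True only if a packet sent from the public Internet could be delivered
    to addr. RFC 1918, loopback, link-local, multicast, reserved and CGNAT
    ranges are all excluded, so 172.27.35.x can never be reached from outside."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip in CGNAT)


def exposed_admin_ports(forwards, dmz_host, admin_services):
    """Return (dest_ip, port, reason) for every path by which Internet traffic
    reaches a management port. admin_services maps a LAN IP to the ports its
    management interface listens on. A DMZ host receives every inbound port
    that no explicit forward claims, so its unclaimed admin ports are exposed."""
    findings = []
    claimed = set()
    for f in forwards:
        claimed.add((f.proto, f.ext_port))
        if f.dest_port in admin_services.get(f.dest_ip, set()):
            findings.append((f.dest_ip, f.dest_port,
                             f"forward {f.ext_port}/{f.proto}"))
    if dmz_host is not None:
        for port in sorted(admin_services.get(dmz_host, set())):
            if ("tcp", port) not in claimed:
                findings.append((dmz_host, port, "DMZ"))
    return findings


# Constructed topology modelled on the thread: the Telo hands out 172.27.35.x,
# its own config page is 172.27.35.1:80, and the downstream router got .105.
# The router's WAN-side admin page is ASSUMED enabled on .105:80 for the demo.
ADMIN_SERVICES = {"172.27.35.1": {80}, "172.27.35.105": {80}}
SAFE_FORWARDS = [Forward(3690, "tcp", "172.27.35.105", 3690)]  # SVN only
RISKY_FORWARDS = SAFE_FORWARDS + [Forward(8080, "tcp", "172.27.35.1", 80)]

if __name__ == "__main__":
    print(is_internet_routable("172.27.35.105"))                        # False
    print(exposed_admin_ports(SAFE_FORWARDS, "172.27.35.105", ADMIN_SERVICES))
```

With the DMZ set to the router's address, the audit flags the router's admin port even though every explicit forward is harmless; with no DMZ and only the SVN forward it reports nothing.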

tommies
Posts:862
Joined:Sun Mar 01, 2009 8:10 pm
Location:Atlanta

Re: Configuration Option 2B Security/Privacy Risk. PLEASE READ!

Post by tommies » Tue Jan 12, 2010 5:42 pm

indie_dev wrote:OK, I ran the test again - and edited my first post for clarity. Sorry for the confusion.

This goes beyond "Don't use the DMZ". If it were that simple, I wouldn't have wasted my time on this, because the fact is that all routers and integrated modem/routers have a DMZ. If you have to use it, then it usually means that you KNOW what you're doing. In most cases, the public generally uses the DMZ without fully knowing the dangers of doing so.

But that's not the extent of it.

The fact of the matter is:

1. The Ooma device config page needs a security frontend. This should be pure common sense ESPECIALLY if they provide features which have the potential to expose the device to the Internet. All such devices - even some which have no Internet capabilities - have a security interface in the form of name+password - and they come with defaults.
tommies: Agree.

2. Putting the Ooma device BETWEEN your modem/router CAN and WILL break most - if not all - of the router's functionality. That is functionality that the Ooma simply CANNOT match, let alone replace. As I discovered, you can't even forward some [standard] ports from the device to your router.
tommies: Yes, this is why I have my ooma behind my router, and this has been said many times over.

3. When folks can't get some of their devices (e.g. game consoles, game servers etc) to work, the first thing they're going to think of, is the DMZ. In fact there are several posts in this forum where people are doing just that. And since the Ooma device has NO security whatsoever, its [spotty] implementation of the DMZ is no comparison to the same option offered by routers or integrated modem/routers. You're not just sending traffic to a dedicated IP on your LAN, but rather you're exposing your ENTIRE network to the Internet.
tommies: Let me guess: turn on DMZ, turn off your firewall. I've seen enough of it. I have to give you two thumbs up for this.

4. The Ooma Telo "getting started" guide has several irregularities. One of them is the fact that they ask you to use Option 2A if you want it to prioritize your phone calls over other network traffic. Yet, further down in the Option 2B section, they say the same thing i.e. plugging your computer directly into the Ooma home network port allows it to prioritize phone calls. Also, there is no mention that if you're on a LAN - and your computer is connected to a router or switch, that solution is meaningless because unplugging that computer from LAN and plugging it into the Telo WILL separate it from the LAN and break connectivity because of its use of a different IP range.
tommies: There is no user guide either, and any printed material is seriously outdated.
tommies

indie_dev
Posts:32
Joined:Tue Jan 12, 2010 10:25 am

Re: Configuration Option 2A Security/Privacy Risk. PLEASE READ!

Post by indie_dev » Thu Jan 14, 2010 6:42 am

If any of what I have posted in this thread is confusing to you, please read this thread as well.

Network Security - confusion over recent postings
