Network Security - confusion over recent postings

Aveamantium
Posts:1352
Joined:Sat Jun 20, 2009 2:28 pm
Location:Loveland, Colorado
Re: Network Security - confusion over recent postings

Post by Aveamantium » Wed Jan 13, 2010 2:52 pm

Groundhound wrote:
feartheturtle wrote: modem>>router>>ooma
1) Just saw Groundhound's post - if you forward port 80 of the ooma's ip - and do not have the ooma in the router's DMZ, is that considered safe? Can you then view the ooma setup from other computers in the router's LAN?
In this case there is no use of DMZ in either the router or the Ooma, just forwarding port 80 from within Ooma back to the Ooma home port, and AFAIK it is safe - and yes you can view the Ooma setup from other computers in the router's LAN.
I have both my hub and telo set up this way and Groundhound's statement is the way I understand it as well...
Go AVS!

amoney
Posts:586
Joined:Tue Dec 22, 2009 9:43 pm

Re: Network Security - confusion over recent postings

Post by amoney » Wed Jan 13, 2010 4:02 pm

Listen carefully.

NOWHERE IN THE OOMA INSTRUCTIONS DOES IT TELL YOU TO CONFIGURE DMZ SETTINGS.

AS LONG AS YOU DO NOT JACK WITH YOUR ROUTER, EITHER OPTION 2A OR 2B WILL BE SECURE!!

IF YOU START MONKEYING AROUND WITH DMZ THAT IS ON YOUR HANDS NOT OOMA'S.

End of thread.
Last edited by amoney on Wed Jan 13, 2010 4:10 pm, edited 1 time in total.
Comcast > Telo > WRT54G

indie_dev
Posts:32
Joined:Tue Jan 12, 2010 10:25 am

Re: Network Security - confusion over recent postings

Post by indie_dev » Wed Jan 13, 2010 4:08 pm

amoney wrote:Listen carefully.

NOWHERE IN THE OOMA INSTRUCTIONS DOES IT TELL YOU TO CONFIGURE DMZ SETTINGS.

AS LONG AS YOU DO NOT JACK WITH YOUR ROUTER, EITHER OPTION 2A OR 2B WILL BE SECURE!!

IF YOU START MONKEYING AROUND WITH DMZ THAT IS NOT OOMA'S PROBLEM.

End of thread.
It's not that simple. Sorry.

The fact is that there ARE times when you will NEED the DMZ because Ooma sucks at being an arbiter of LAN traffic - in much the same way it cannot forward certain ports at all. It wasn't designed to be either. It also tries to mimic basic router functionality and specifically in the 2A config, asks the user to use it instead of a more robust router (which most people already have) device.

Obviously the Ooma engineers realized this - hence the reason a DMZ exists to begin with.

It is also the same reason that every single router has a DMZ. Documented or not is largely irrelevant.

Security threat or not, if there was no need for it, they would not have added it to the config interface. My thought is that the time taken to implement a half-a$$ed and security threat DMZ could have been spent doing a simple username+password security interface to the config interface. Priorities I suppose.

End of thread.

amoney
Posts:586
Joined:Tue Dec 22, 2009 9:43 pm

Re: Network Security - confusion over recent postings

Post by amoney » Wed Jan 13, 2010 4:30 pm

indie_dev wrote:
amoney wrote:Listen carefully.

NOWHERE IN THE OOMA INSTRUCTIONS DOES IT TELL YOU TO CONFIGURE DMZ SETTINGS.

AS LONG AS YOU DO NOT JACK WITH YOUR ROUTER, EITHER OPTION 2A OR 2B WILL BE SECURE!!

IF YOU START MONKEYING AROUND WITH DMZ THAT IS NOT OOMA'S PROBLEM.

End of thread.
It's not that simple. Sorry.

The fact is that there ARE times when you will NEED the DMZ because Ooma sucks at being an arbiter of LAN traffic - in much the same way it cannot forward certain ports at all. It wasn't designed to be either. It also tries to mimic basic router functionality and specifically in the 2A config, asks the user to use it instead of a more robust router (which most people already have) device.

Obviously the Ooma engineers realized this - hence the reason a DMZ exists to begin with.

Security threat or not, if there was no need for it, they would not have added it to the config interface. My thought is that the time taken to implement a half-a$$ed and security threat DMZ could have been spent doing a simple username+password security interface to the config interface. Priorities I suppose.

It is also the same reason that every single router has a DMZ. Documented or not is largely irrelevant.

End of thread.
So by your accounts and I don't disagree on this point, Ooma is not robust enough to handle advanced routing, OK. So then you place it behind your "real" router.

I don't see how Ooma is responsible for someone placing the device into the DMZ. The DMZ is created for the purpose of access from outside.

Again bottom line, if someone follows instructions 2A or 2B everything is fine. If someone starts to configure advanced settings the responsibility is theirs to understand security implications.

These threads were started because someone configured the advanced settings in such a way that made them vulnerable. In the biz, it's called "your doing it wrong".

Last time, configure Ooma 2A or 2B (no messing with router settings) and you cannot get to it from the outside!!!

The previous thread title is outright wrong and misleading making people who do not mess with advanced settings thinking they are vulnerable.

And can't repeat myself enough that if one messes around with their router security it is their own fault if they make themselves vulnerable.

I tire of people in this society that don't take responsibility for their own actions.

To end with, if you want Ooma to be a robust router, then I suggest you put in a request into the suggestion box.
Comcast > Telo > WRT54G

indie_dev
Posts:32
Joined:Tue Jan 12, 2010 10:25 am

Re: Network Security - confusion over recent postings

Post by indie_dev » Wed Jan 13, 2010 4:50 pm

amoney wrote: I don't see how Ooma is responsible for someone placing the device into the DMZ. The DMZ is created for the purpose of access from outside.
That's just a silly - silly - response.

Of course that's what the DMZ is for; but the discussions have nothing to do with it being a DMZ but rather the fact that the Ooma interface is NOT SECURE and so if you use the DMZ there is a serious security breach.
These threads were started because someone configured the advanced settings in such a way that made them vulnerable. In the biz, it's called "your doing it wrong".
No. These threads started because someone FOUND that there were exploits in the Ooma config methods. No different from any other security exploit found in any software, including the OS we are all running.

I'm not sure what "biz" you're referring to, but in my biz there is no such thing as "your doing it wrong". It is either "You're doing it wrong" or "You're not doing it at all".
The previous thread title is outright wrong and misleading making people who do not mess with advanced settings thinking they are vulnerable.
Most [sensible] people CLEARLY understand that if ANY part of a system is INSECURE, then the potential for a breach is a CLEAR AND PRESENT danger. Which part of this are you not getting?

Potts
Posts:84
Joined:Wed Dec 30, 2009 6:42 pm

Re: Network Security - confusion over recent postings

Post by Potts » Wed Jan 13, 2010 5:52 pm

Hell, Microsoft, Apple, Citibank and Google to name a few all have hackers. How about cell phones!, magicJack, or software programs....... Like you people need to get a life...... If you're worried about Network Security, cancel your internet.
Setup Dec. 2009. Cable Modem, (Hub and Scout purchase Amazon.Com) Router (Linksys WRT5465S2) Ooma Premier.

amoney
Posts:586
Joined:Tue Dec 22, 2009 9:43 pm

Re: Network Security - confusion over recent postings

Post by amoney » Wed Jan 13, 2010 6:16 pm

Potts wrote:Hell, Microsoft, Apple, Citibank and Google to name a few all have hackers. How about cell phones!, magicJack, or software programs....... Like you people need to get a life...... If you're worried about Network Security, cancel your internet.

Thank you.

It's interesting to see INDIE_DEV not comment about option 2A and 2B configuration in itself being secure. As I clearly remember the previous thread said that those options had a security issue. Then in the fine print the user admittedly made CUSTOM changes to the router. So for the non-technical person all they see is someone screaming security risk. When there is NOT if you don't monkey with the router.

The forum search here sucks in my opinion for some reason, now when anyone does a search they see a page full of this banter.

Anyways. We are looking at this topic clearly with two different viewpoints. I am saying following the instructions with no other CUSTOMIZATIONS and the end user is fine (interesting enough there is a REAL concern over MYOOMA on their backend associating account access correctly). INDIE_DEV on the other hand is insisting a user customization that creates a security risk is the fault of Ooma's.

I just don't get it, by the same token if I customize my router I can in turn create a security risk for any of my LAN clients.

I will let INDIE_ have the last word I think I have said my piece.
Comcast > Telo > WRT54G

Potts
Posts:84
Joined:Wed Dec 30, 2009 6:42 pm

Re: Network Security - confusion over recent postings

Post by Potts » Wed Jan 13, 2010 7:17 pm

This topic was created by feartheturtle, not INDIE_DEV. If your concerns are in dealing with Network Security, then drop your Internet connection.
Setup Dec. 2009. Cable Modem, (Hub and Scout purchase Amazon.Com) Router (Linksys WRT5465S2) Ooma Premier.

feartheturtle
Posts:108
Joined:Tue Sep 08, 2009 5:02 am
Location:Maryland

Re: Network Security - confusion over recent postings

Post by feartheturtle » Wed Jan 13, 2010 8:44 pm

I just got back to the house, and I guess I'm not too surprised at what has been posted here. I was originally confused/concerned due to the thread that screamed about network security problems with setup 2A. It looks like most people who use this setup will be OK as long as they do not create a DMZ in the ooma device.

But can someone answer this question: What causes people to choose setup 2A (ooma between modem & router), and then configure a DMZ in the ooma? Is it because the ooma can hinder the performance of certain devices in a router's LAN?

So what to do? It seems like the best solution is to have the ooma behind the router, i.e. connect the ooma's "To Internet" or "Modem" port to an available LAN port on your router, then rely on your router to provide the QoS services for the ooma. And it also looks like one should avoid putting the ooma into your router's DMZ, correct?

Perhaps there is not such a big security risk as I first thought.

Aveamantium
Posts:1352
Joined:Sat Jun 20, 2009 2:28 pm
Location:Loveland, Colorado

Re: Network Security - confusion over recent postings

Post by Aveamantium » Wed Jan 13, 2010 9:06 pm

feartheturtle wrote:I just got back to the house, and I guess I'm not too surprised at what has been posted here. I was originally confused/concerned due to the thread that screamed about network security problems with setup 2A. It looks like most people who use this setup will be OK as long as they do not create a DMZ in the ooma device.

But can someone answer this question: What causes people to choose setup 2A (ooma between modem & router), and then configure a DMZ in the ooma? Is it because the ooma can hinder the performance of certain devices in a router's LAN?

So what to do? It seems like the best solution is to have the ooma behind the router, i.e. connect the ooma's "To Internet" or "Modem" port to an available LAN port on your router, then rely on your router to provide the QoS services for the ooma. And it also looks like one should avoid putting the ooma into your router's DMZ, correct?

Perhaps there is not such a big security risk as I first thought.
If you have Setup 2A and you need access to your LAN from the WAN side to host games, FTP, E-Mail Server, etc. then you need to forward the appropriate ports to the router or you can put the router's IP in the DMZ of the Ooma device and all traffic will be passed to the router (lazy man's port forwarding).

For the second part, it depends on your needs... I used to have an ISP whose speeds were all over the place making it next to impossible to set up QoS in my router (WRT54GL running Tomato) since I had to put in a max upload/download speed. Ooma's QoS is nice in that it is conditional so it only works when you're on a call. This way I could put the lower end of my ISP speeds into the Ooma QoS and since it was conditional I wouldn't be losing out on the extra bandwidth when it was available.

Third part, using Setup 2B you shouldn't need to put the Ooma into the router's DMZ unless you have one way audio (RTP Traffic is getting blocked by the NAT of the router). Even then if you do put the Ooma's IP in the Router's DMZ and have not made any changes to the Ooma's setup then you should be ok.

Lastly, the security risk is there if you create it.
Go AVS!
