Network Security - confusion over recent postings

davidm
Posts:33
Joined:Thu Jan 21, 2010 7:18 pm
Re: Network Security - confusion over recent postings

Post by davidm » Thu Jan 21, 2010 8:22 pm

Hello, I am rather new to Ooma (just tweaking my initial install now) but am considered fairly knowledgeable with network security.

#1 - Ooma not using a username and password for setup.ooma.com IS broken and a risk and I will tell you another reason why. Sometimes people open their networks up to others to use such as a WIFI router. Using config "2A" (modem---Ooma----Router) means that anyone behind the router can access setup.ooma.com, of course. The Ooma device should be fixed to make use of a secure username and password ASAP in my opinion.

Note on a potential workaround for those insisting on config "2A" who have insecure (or "grey") elements on their internal LAN. One idea to close the setup.ooma.com (as well as the IP hole) might be to configure your router to redirect all DNS requests [for setup.ooma.com] to another IP so that they never reach Ooma from within the internal network at all. (Despite how it might seem, there are practical applications for this as well as ways to secure it reasonably.)

Because someone has access to my internal network does not mean I necessarily want them to have control over my Ooma device. This is a faulty assumption, IMO.

#2 I saw someone suggest that in doing config 2B with the following layout:

Modem-----Router---------Ooma

users behind the router would be able to access setup.ooma.com. In my experience this is not true. Why? Because your router by default should not be routing requests to "setup.ooma.com" to Ooma. Instead it should be going to the name server. Further even if you access it via the IP address assigned to Ooma by your router (in config 2B) in my experience that will not give you access to Ooma setup. It appears only whatever is plugged into "HOME NETWORK" can access setup.ooma.com barring any other forwarding.


#3 I think Config 2B (Modem------Router----Ooma) is most secure (assuming you trust the ooma device itself not to act badly behind your internal network's router). The only weakness appears to be with QoS worries. The solution to this is to use the router's QoS settings to provide this function. I notice that Ooma in config 2B is able to traverse my basic dd-wrt router with a near stock config so it appears with most routers one does not have to open up ports for basic functionality (though some NAT types and firewalls may need to have ports manually opened). I noticed UPnP did not seem to be in use here either....

#4 the documentation on exactly what ports Ooma uses seems a little poor or at least hard to find in my opinion and should be better presented. In fact, does anyone happen to have this info for the telo?

edit: added text "[for setup.ooma.com]" to workaround.
Last edited by davidm on Thu Jan 21, 2010 10:48 pm, edited 1 time in total.

Groundhound
Posts:2711
Joined:Sat May 23, 2009 9:28 am
Location:Atlanta, GA

Re: Network Security - confusion over recent postings

Post by Groundhound » Thu Jan 21, 2010 10:10 pm

davidm wrote: Modem-----Router---------Ooma

users behind the router would be able to access setup.ooma.com. In my experience this is not true. Why? Because your router by default should not be routing requests to "setup.ooma.com" to Ooma. Instead it should be going to the name server. Further even if you access it via the IP address assigned to Ooma by your router (in config 2B) in my experience that will not give you access to Ooma setup. It appears only whatever is plugged into "HOME NETWORK" can access setup.ooma.com barring any other forwarding.
You can access setup for config 2B by forwarding TCP port 80 within Ooma back to the Ooma home port IP. This is a convenience that allows access to setup from any computer on the network via the Ooma modem port IP assigned by the router, but runs the risk of exposing setup to the Internet if the user also places the Ooma modem port IP into the router's DMZ.

davidm
Posts:33
Joined:Thu Jan 21, 2010 7:18 pm

Re: Network Security - confusion over recent postings

Post by davidm » Thu Jan 21, 2010 10:43 pm

davidm wrote: #4 the documentation on exactly what ports Ooma uses seems a little poor or at least hard to find in my opinion and should be better presented. In fact, does anyone happen to have this info for the telo?
Update: I believe I found this info: viewtopic.php?f=4&t=168

It looks as if it basically uses port 1194 to set up a VPN which is how it is able to traverse most NAT enabled routers. Then other ports are used, 49000 - 50000 (among other standard services). So using dd-wrt I set both 1194 and the port range 49,000 - 50,000 to "express" QoS. All seems fine but will test it tomorrow. :)

Groundhound- Thanks. I'm not interested in doing that (I will just plug in a LAN cable manually if I need to access setup using config 2B) but will look into the options further out of curiosity.

daet
Posts:359
Joined:Sat Apr 11, 2009 5:21 am
Location:Metairie, LA

Re: Network Security - confusion over recent postings

Post by daet » Fri Jan 22, 2010 4:54 am

Groundhound wrote: You can access setup for config 2B by forwarding TCP port 80 within Ooma back to the Ooma home port IP. This is a convenience that allows access to setup from any computer on the network via the Ooma modem port IP assigned by the router, but runs the risk of exposing setup to the Internet if the user also places the Ooma modem port IP into the router's DMZ.
And if you use dd-wrt, you can go one step further. Use DNSmasq to assign the CNAME "setup.ooma.com" to the IP address assigned by the router to the Telo (or Hub). And as long as that IP address is not in the router's DMZ, you can continue to access the Telo or Hub using "http://setup.ooma.com"

The DNSMasq options would be something like:
address=/telo.ooma.com/192.168.1.4
address=/hub.ooma.com/192.168.1.5

I have a Hub and a Telo, and access them as "hub.ooma.com" and "telo.ooma.com". They're not in series but independently connected to the router with assigned addresses.

DG
Ooma customer since April 2009
Ooma equipment: Hub ; Telo + 4 handsets
Ooma service: Annual Premier subscription
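
How dnsmasq `address=` overrides like the two lines above are matched, as an added example that is not part of any post in this thread: it parses the lines, answers lookups the way dnsmasq documents them (a rule covers the domain and every name under it, and the most specific rule wins), and flags any override that points outside the LAN. The `setup.ooma.com` line and its 0.0.0.0 target are constructed for illustration, in the style of the DNS workaround davidm describes.

```python
import ipaddress

# Constructed sample: the two lines from the post above plus one hypothetical
# line that sends setup.ooma.com to a non-routable address instead of the device.
SAMPLE_CONF = """\
# dnsmasq additional options (constructed sample)
address=/telo.ooma.com/192.168.1.4
address=/hub.ooma.com/192.168.1.5
address=/setup.ooma.com/0.0.0.0
"""

def parse_address_rules(conf):
    """Return {domain: ip} for every address=/domain[/domain...]/ip line."""
    rules = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line.startswith("address=/"):
            continue
        *domains, ip = line[len("address=/"):].split("/")
        target = ipaddress.ip_address(ip)        # ValueError on a malformed target
        for d in domains:
            if d:
                rules[d.lower().rstrip(".")] = target
    return rules

def lookup(name, rules):
    """Address dnsmasq answers locally, or None if the query goes upstream.

    A rule for a domain also covers every name beneath it; when several
    rules match, the longest (most specific) domain is used.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):                 # longest suffix first
        ip = rules.get(".".join(labels[i:]))
        if ip is not None:
            return ip
    return None

def audit(rules):
    """Domains whose override points outside the LAN (a public address)."""
    return sorted(d for d, ip in rules.items()
                  if not (ip.is_private or ip.is_loopback or ip.is_unspecified))

if __name__ == "__main__":
    rules = parse_address_rules(SAMPLE_CONF)
    for q in ("telo.ooma.com", "www.hub.ooma.com", "setup.ooma.com", "ooma.com"):
        print(q, "->", lookup(q, rules))
    print("overrides pointing off-LAN:", audit(rules))
```

The model covers name resolution only: a DNS override changes which address a name returns, and has no effect on clients that connect to the device by IP address.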

amoney
Posts:586
Joined:Tue Dec 22, 2009 9:43 pm

Re: Network Security - confusion over recent postings

Post by amoney » Fri Jan 22, 2010 5:37 am

gah- lost my post- recap...

Ooma assumes the local LAN is trusted. There are no external security risks out of the box unless a user creates a security risk.

Is a login screen 100% secure? No. My point is to what point is Ooma responsible and where does the responsibility of the user start.

If people are creating a security risk, they need to take appropriate measures.

I am not disagreeing with wanting improvements, a login screen would be a benefit. I feel a better thread would be Safe networking practices which people would point out possible security risks etc.

Discussion on network security is very good to have.
Comcast > Telo > WRT54G

caseybea
Posts:197
Joined:Wed Jan 06, 2010 9:52 am

Re: Network Security - confusion over recent postings

Post by caseybea » Fri Jan 22, 2010 6:49 am

As a recommendation-- if anyone is THAT concerned about the ooma 'setup page' security, then don't set it up so that it's accessible to your home network, plain and simple. One has to specifically set this up to expose that page to your home network.

For the most part, once you have your ooma setup complete, and if for some reason you actually have to make a change in the ooma device-- that setup is most often a one-shot deal, then you're done.

Beyond that, the only real use of that interface is to check the status of the ooma box (which doesn't give you much more information than the little blue light does... ooma is either connected and online... or it's not, like last night :-) )

For those concerned-- leave it disconnected. If you really need to connect to it at some future time, then hook up a laptop (or home pc) to the HOME port, make the connection, look/tweak whatever, done.

Personally, I don't see the ooma setup page thing as a risk; my internal network is quite secure, and I have zero fears that my wife or daughter are going to go in there and screw it up. :D

My $0.02.
Ooma Hub customer since January 2010
Telo2 upgrade (hub retired) October 2016
Service Level: Core

Groundhound
Posts:2711
Joined:Sat May 23, 2009 9:28 am
Location:Atlanta, GA

Re: Network Security - confusion over recent postings

Post by Groundhound » Fri Jan 22, 2010 7:20 am

amoney wrote: Ooma assumes the local LAN is trusted. There are no external security risks out of the box unless a user creates a security risk.
Exactly. Ooma is targeted at residential use, where people with access are family members who aren't likely to want to take down your phone service (or whole network if option 2A). If someone is concerned about their family messing with setup, they should use option 2B with no port forwarding tricks and keep it in a secure location.
