Why I would NOT Put Ooma in the DMZ

tomcat
Posts:215
Joined:Tue Feb 22, 2011 1:32 pm
Re: Why I would NOT Put Ooma in the DMZ

Post by tomcat » Thu Mar 17, 2011 5:56 pm

thunderbird -
If you have a commercial grade router/firewall, then you are in a different boat than most home users.

There is a huge difference between the DMZ implementations between commercial grade routers/firewalls and consumer routers.

Commercial grade routers/firewalls usually have a separate physical port that is used for the DMZ and is logically isolated from the LAN port(s), and those ports can be configured with their own set of firewall rules. This provides the needed protection between the DMZ and the LAN. Also, with the DMZ having its own set of rules, you can open up the device as little or as much as is needed to get the job done.

On a consumer router (Linksys, Netgear, D-Link, Belkin, etc.) the DMZ device is completely open to the internet. The router sends all unsolicited requests directly to the device in the DMZ, and thus relies completely on the security measures on the device itself. The DMZ is also in the same network segment as the LAN and there is no isolation between the DMZ and the LAN. If the DMZ is compromised, there is nothing protecting the devices on the LAN from that compromised device.

In my opinion, putting a DMZ option in a consumer router should have never been added. Most consumers do not understand what a DMZ really is or the security implications when used.

Note: my post is meant to discuss DMZ in general and is not meant to be specific to the Ooma. I am not familiar enough to know how hardened the Ooma device is to potential internet attacks.
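As an added illustration of the difference tomcat describes (this is not code from the post, from Ooma, or from any router vendor), here is a small Python model of both designs: a consumer router whose "DMZ host" option forwards every unsolicited WAN connection to one address on the flat LAN segment, and a commercial firewall with a separate DMZ subnet and a rule per zone pair. The subnets, the Internet address 203.0.113.7 (a documentation range), the LAN PC address and the single permitted service port 5060 are constructed assumptions, not Ooma's real addressing or ports.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Flow:
    src: str    # source address of a new (unsolicited) connection
    dst: str    # destination address
    dport: int  # destination TCP/UDP port


# Rule for one zone pair: "any" (all ports), "none" (nothing), or an explicit port set.
Rule = Union[str, Set[int]]


@dataclass
class Topology:
    name: str
    lan: IPv4Network
    dmz_host: IPv4Address
    dmz: Optional[IPv4Network] = None  # None = consumer router: the DMZ host lives on the LAN
    policy: Dict[Tuple[str, str], Rule] = field(default_factory=dict)

    def zone(self, ip: str) -> str:
        addr = ip_address(ip)
        if self.dmz is not None and addr in self.dmz:
            return "dmz"
        if addr in self.lan:
            return "lan"
        return "wan"


def decide(topo: Topology, flow: Flow) -> str:
    """Return 'allow' or 'deny' for a new connection under the given design."""
    src_zone, dst_zone = topo.zone(flow.src), topo.zone(flow.dst)
    if topo.dmz is None:
        # Consumer router: two local hosts talk over the same switch/Wi-Fi segment,
        # so their traffic never passes through the router's filter at all.
        if src_zone == "lan" and dst_zone == "lan":
            return "allow"
        if src_zone == "wan":
            # The "DMZ host" option forwards every unsolicited WAN packet, on any
            # port, to one address; anything else has no NAT mapping and is dropped.
            return "allow" if ip_address(flow.dst) == topo.dmz_host else "deny"
        return "allow"  # LAN -> WAN outbound
    # Commercial firewall: each zone pair is matched against its own rule.
    rule = topo.policy.get((src_zone, dst_zone), "none")
    if rule == "any" or (isinstance(rule, set) and flow.dport in rule):
        return "allow"
    return "deny"


# Constructed topologies; addresses and the single permitted port are assumptions.
CONSUMER = Topology(
    name="consumer router, DMZ host option",
    lan=ip_network("192.168.1.0/24"),
    dmz_host=ip_address("192.168.1.50"),
)
COMMERCIAL = Topology(
    name="commercial firewall, separate DMZ port",
    lan=ip_network("192.168.1.0/24"),
    dmz=ip_network("192.168.2.0/24"),
    dmz_host=ip_address("192.168.2.10"),
    policy={
        ("wan", "dmz"): {5060},  # only the service the exposed box needs (assumed port)
        ("dmz", "wan"): "any",
        ("lan", "wan"): "any",
        ("lan", "dmz"): "any",
        ("dmz", "lan"): "none",  # the isolation a consumer "DMZ host" cannot give you
        ("wan", "lan"): "none",
    },
)

SCANNER = "203.0.113.7"  # constructed Internet address (documentation range)
LAN_PC = "192.168.1.20"  # constructed LAN workstation


def exposure_report(topo: Topology) -> Dict[str, str]:
    """Evaluate the flows the thread worries about against one design."""
    host = str(topo.dmz_host)
    checks = {
        "Internet -> DMZ host, unrelated port 22": Flow(SCANNER, host, 22),
        "Internet -> DMZ host, service port 5060": Flow(SCANNER, host, 5060),
        "Internet -> LAN PC, port 445": Flow(SCANNER, LAN_PC, 445),
        "DMZ host -> LAN PC, port 445": Flow(host, LAN_PC, 445),
    }
    return {label: decide(topo, f) for label, f in checks.items()}


if __name__ == "__main__":
    for topo in (CONSUMER, COMMERCIAL):
        print(topo.name)
        for label, verdict in exposure_report(topo).items():
            print(f"  {verdict:5}  {label}")
```

The last row of each report is the one that matters for the LAN: with the consumer design the exposed host reaches the LAN PC without any filter in the path, while the commercial design denies it because the DMZ-to-LAN zone pair has no allow rule. The second and first rows show the other half of tomcat's point: the consumer "DMZ host" receives every port, the commercial DMZ only the port the rule names.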

Lilly's_Closet
Posts:108
Joined:Wed May 19, 2010 11:10 am

Re: Why I would NOT Put Ooma in the DMZ

Post by Lilly's_Closet » Thu Mar 17, 2011 6:01 pm

I can’t dispute your 5 attempts in 1 month because it’s your network and your equipment.

I also can’t speak to the quality of your router’s logging or firewall, or your router’s ability to accurately log, identify and deter exploits. Your rules are preconfigured by the manufacturer and based on the logic that whatever you paid for will buy you.

I can, however, speak to my equipment. My firewall is not an off the shelf product and is highly configurable, and except for a few basic rules you have to create your own rules based on your topology. It's an extension of what I do professionally and it gives me the ability to trap, isolate and monitor any network traffic from any node on the network. During my 6 day trial with ooma in the DMZ I had 318 attempts at ooma.

Also please be aware that a SoHo router, which is what most people have, does not perform like a commercial grade device that is more geared to the business market. The average user is paying 30-100 bucks and getting the logic that 30-100 bucks will buy. A DMZ in a commercial grade router also works differently than how a DMZ is usually implemented in a SoHo router.

In closing, even if we have to agree to disagree on this topic I am glad that we had this opportunity to discuss the DMZ. You defined it for us and we talked about what it is, what it's not and how it can be used. We have presented different schools of thought and supported our positions.

There are a lot of things that need to be considered prior to implementing a DMZ on the average home network, primarily because no one is administrating that network. Most set up the router, which in most cases consists of accepting the defaults, connecting to the internet, and they are done…well, if the internet breaks then they reboot the router and modem. But really they are done.

DMZ on the home network should be managed, and in most cases the user does not even know what it is, much less how to manage it. It is not a decision that you just tell someone to make; doing so when you know they are not going to act on making sure they take the necessary security precautions is irresponsible. Basically you are just going to tell them to open up their network without advising them of the risks or workarounds or helping them identify their real network issue.

Prior to this thread many forum members were making the decision for other members by telling them….just stick it in the DMZ and the magic will happen. There is no magic in the DMZ.

A DMZ works because of a lack of security. If you have to put an ooma box in the DMZ to resolve your Ooma’s performance issues you are treating the effect not the cause of your issue.

If your ooma performs better in a DMZ your issue is more than likely associated with an issue with your router like closed ports, bad port redirection, a bad router or maybe even an aggressive firewall.

If you're having this problem and you're not technically inclined and the best advice you can get is to put Ooma in the DMZ, do yourself a favor and buy yourself a new $40-60 router from newegg.com. This will more than likely fix your network issue and give you the same performance as if you were in the DMZ.
Last edited by Lilly's_Closet on Mon Mar 21, 2011 6:25 am, edited 7 times in total.

Davesworld
Posts:343
Joined:Sun Sep 27, 2009 6:06 pm
Location:Everett, Wa

Re: Why I would NOT Put Ooma in the DMZ

Post by Davesworld » Fri Mar 18, 2011 3:28 am

Thunderbird, you will get attempts even if none of your ports are visible outside your firewall. This is what port scanners do 24/7. They (not live humans but rather software, worms and so forth) systematically scan address ranges and start looking for ports. If you are allowed to be pinged from the internet, this tells them that there is something at that address and they will spend more time trying to find an open port. Also, any visible ports even when closed will let them know something exists at that address. If they scan and all packets are dropped plus they cannot ping you, they have no evidence that any computer actually exists at that address. If your firewall were to reject rather than drop uncommanded incoming packets, it is yet another indicator that they have something at that address. Even though I am completely stealth, some scanners will send me a dozen packets aimed at random ports before they give up and move to the next address in that block. It is argued that some services may not work correctly by being completely stealth but I have not run into this myself except some test tools that need to be able to ping me, I temporarily enable ping for these tests.

thunderbird
Posts:6388
Joined:Mon Nov 08, 2010 4:41 pm

Re: Why I would NOT Put Ooma in the DMZ

Post by thunderbird » Fri Mar 18, 2011 10:40 am

Balance:
I used to work for a large company that had a huge ISD department with people in several cities. Through the years we had many battles with the ISD people. There were times when ISD evoked such harsh network/computer security, that we were barely able to do our jobs. Sometimes if a printer quit, we were not enabled to change from the defective network printer to another functioning network printer. We couldn’t even change preferences in applications on our computers, or access required files in various servers. We needed to access sites all over the United States, and sometimes overseas but couldn’t. For a while it got so bad that many people would take work home and do it on their home computers. We used many other work-arounds.
Then about eight years ago, the company commissioned an outside company to perform a study on how to improve the functioning of the different divisions in the company. A part of the study was how ISD functioned and how they affected their customers. The study found that ISD was actually costing the company huge amounts of money, because of their harsh security restrictions. You know what hit the fan. One of the ISD managers was directed to “loosen” security for our division. But the manager, used to getting his way, and so important that no one would/could touch him, thought that he would teach a lesson. He had most security removed in our division, including firewalls, servers, networks, computers, etc. The next thing that happened was there was this worm going around, that disrupted our whole division. To make a long story short, the story goes that the company CEO marched the ISD manager into his office, fired him on the spot, and had security march him directly to his auto and off the property. All I know was that he was gone permanently. From that time on ISD was in the barrel. A few months later almost all of the ISD people were fired, and their functions were replaced by an outside vendor. It was really sad because many of the ISD personnel were very smart and very professional.

The moral of the story is that there must be a balance for everything, including network/computer/etc. security. There must be enough network/computer security to protect the network/computer/etc., but not too much network/computer/etc. security so that the network/computer equipment can function properly and the job can be done.

Some people have to connect their Ooma device behind their router, for many reasons. They find that their Ooma device won’t function properly, if their Ooma device’s static IP address isn’t placed in their router’s DMZ. And when their Ooma device is placed in their router’s DMZ, their Ooma phone service works great. These people certainly won’t go out and buy expensive equipment, when they can make a few software setting changes in their existing router to fix the problem. I haven’t heard any negative outcry from Ooma users that use the DMZ. In my case it works great.

When comparing the security risks of connecting an Ooma device directly to a modem; to the security risks for an Ooma device connected to a router’s LAN port, with the Ooma device using a static IP address and placed in the router’s DMZ; the security risks are almost the same. The Ooma device’s exposure to the Internet is almost the same. The exception is that many newer home and/or higher end routers will provide slightly better protection for a device placed in the router’s DMZ, using a static IP address; as compared to connecting the device directly to the modem. The Ooma router DMZ risks apply only to that one static IP address, assigned to the Ooma device by the router, which is placed in the router DMZ.

I wouldn’t worry about security either way the Ooma device is connected. But I’d make sure a mid level of security is turned on in the router, and all home computers on the router’s LAN have good firewall/virus protection software installed and configured.

One of the dangers of putting a device in a router’s DMZ, is failing to assign a static IP address to the intended device, before putting the device’s IP address in the DMZ.

An example is if an Ooma device’s non-static IP address is placed in the DMZ, after which the Ooma device is unpowered for a period of time. Then later a computer on the same router is powered. While the Ooma device is unpowered, the router could automatically assign the IP address that is in the DMZ to the newly powered computer. Then that computer becomes exposed to the Internet and there could be security problems for that computer. So the rule is never place a device in the router DMZ without reserving a static IP address in the router for the intended DMZ device first.

It’s always a good idea to run virus/firewall protection software on all of your computers, especially if you are concerned and unsure of how router static IP addresses are assigned etc.

Semantics:
Router manufacturers use different terms to say the same things. They are just using different words. To be precise, my router doesn’t say Reject, it says Blocked. I don’t know if the term Blocked, used by my router manufacturer, has the same meaning as Dropped.

I have never enabled WAN Ping Respond other than for testing. I believe this is why I have so few logged attempts on my Ooma Telo’s router DMZ static IP address.
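To make thunderbird's warning about an unreserved DMZ address concrete, here is an added Python model (not router firmware, and not code from the post) of a DHCP pool with and without a reservation, plus a small audit that flags a DMZ address no client is reserved for. The pool range 192.168.1.50-99 and the two MAC addresses (from the IANA documentation block) are constructed values, and the toy server hands out the lowest free address, which is one of several strategies real routers use.

```python
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Optional


class DhcpPool:
    """Toy DHCP server (constructed model): hands out the lowest free address in its
    range unless the client's MAC has a reservation, in which case it always gets that."""

    def __init__(self, start: str, end: str, reservations: Optional[Dict[str, str]] = None):
        self.start, self.end = ip_address(start), ip_address(end)
        self.reservations = {m: ip_address(a) for m, a in (reservations or {}).items()}
        self.leases: Dict[str, IPv4Address] = {}  # mac -> address currently held

    def lease(self, mac: str) -> IPv4Address:
        if mac in self.leases:
            return self.leases[mac]
        if mac in self.reservations:
            addr = self.reservations[mac]
        else:
            # Reserved addresses are never handed to other clients, even when unused.
            taken = set(self.leases.values()) | set(self.reservations.values())
            addr = self.start
            while addr in taken:
                addr += 1
            if addr > self.end:
                raise RuntimeError("pool exhausted")
        self.leases[mac] = addr
        return addr

    def expire(self, mac: str) -> None:
        """Lease ran out while the device was unplugged."""
        self.leases.pop(mac, None)


def who_is_exposed(dmz_host: str, pool: DhcpPool) -> List[str]:
    """MACs currently holding the address the router forwards all unsolicited traffic to."""
    target = ip_address(dmz_host)
    return [mac for mac, addr in pool.leases.items() if addr == target]


def audit_dmz(dmz_host: str, pool: DhcpPool) -> List[str]:
    """Configuration check: is the DMZ address pinned to one device?"""
    findings = []
    target = ip_address(dmz_host)
    reserved_for = [m for m, a in pool.reservations.items() if a == target]
    if not reserved_for:
        findings.append(f"DMZ address {target} has no DHCP reservation; any client may receive it")
        if pool.start <= target <= pool.end:
            findings.append(f"DMZ address {target} lies inside the dynamic pool {pool.start}-{pool.end}")
    return findings


def scenario(reserve: bool) -> Dict[str, object]:
    """Replay the sequence from the post: box gets an address, is unplugged, a PC boots."""
    OOMA, PC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"  # constructed MACs
    pool = DhcpPool("192.168.1.50", "192.168.1.99",
                    {OOMA: "192.168.1.50"} if reserve else None)
    dmz_host = str(pool.lease(OOMA))  # admin puts whatever address the box got into the DMZ
    pool.expire(OOMA)                 # box unplugged long enough for the lease to lapse
    pc_addr = pool.lease(PC)          # a computer boots and asks for an address
    return {
        "dmz_host": dmz_host,
        "pc_addr": str(pc_addr),
        "exposed": who_is_exposed(dmz_host, pool),
        "findings": audit_dmz(dmz_host, pool),
    }


if __name__ == "__main__":
    for reserve in (False, True):
        print("with reservation" if reserve else "without reservation", scenario(reserve))
```

Without the reservation the PC inherits 192.168.1.50 and therefore every unsolicited packet the router forwards to the DMZ; with the reservation the same PC receives 192.168.1.51 and the audit reports nothing. The audit is the check worth running before enabling any DMZ host option: the DMZ address should be a reservation, and if the router cannot reserve it, it should at least sit outside the dynamic pool.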

Lilly's_Closet
Posts:108
Joined:Wed May 19, 2010 11:10 am

Re: Why I would NOT Put Ooma in the DMZ

Post by Lilly's_Closet » Fri Mar 18, 2011 11:51 am

All great things to think about and thank you for contributing your perspective and your stories to the thread but you always seem to tiptoe around the main focus of my discussion.

If you have to put an Ooma box in the DMZ to resolve your Ooma’s performance issues you are treating the effect not the cause of your issue.

Why not just help them resolve the real network issue? In the DMZ their issue is still there they just can't see it...

Most of the issues they experience can be resolved by troubleshooting the router; no need to buy new equipment unless the router is bad. Before you say that I recommended replacing it, please read the circumstances under which I did recommend replacing the router.

If I were to follow your logic and tell it in a story it would go something like this. A man goes to the doctor and tells his doctor my left arm hurts, the doctor says, okay use your right arm instead…

Of note, my wife just told me that she is going to put me in the DMZ and turn off the firewall if I don’t get ready for dinner (she thinks that she is so funny but I think that she really means it this time), so that’s all for tonight.

thunderbird
Posts:6388
Joined:Mon Nov 08, 2010 4:41 pm

Re: Why I would NOT Put Ooma in the DMZ

Post by thunderbird » Tue Jul 05, 2011 7:18 am

There are probably tens of thousands of Ooma customers using their router DMZ for their Ooma device to operate properly.

I have seen forum recommendations to place the Ooma device in the DMZ, in year 2008, very near Ooma's beginning.

I have never seen one post where anyone said there was a problem.

If you are using Internet and virus security, like Norton Internet Security, with the Norton Internet Security Network Security Map properly configured, with the Ooma IP "Trust Level" set to Restricted, on each of your computers, when placing the Ooma device in the DMZ, you will be okay. I have tried to access Ooma Setup through port forwarding using the reserved IP Ooma address that is in my DMZ. Unless Norton Internet Security is disabled, Norton blocks any Ooma LAN traffic to/from any other device on my LAN. I can't access Ooma Setup until I temporarily disable Norton Internet Security.

tomcat
Posts:215
Joined:Tue Feb 22, 2011 1:32 pm

Re: Why I would NOT Put Ooma in the DMZ

Post by tomcat » Wed Jul 06, 2011 5:28 am

thunderbird wrote: There are probably tens of thousands of Ooma customers using their router DMZ for their Ooma device to operate properly.
Would you mind stating the source of your data? I'd be interested in reading this documentation.

thunderbird wrote: If you are using Internet and virus security, like Norton Internet Security, with the Norton Internet Security Network Security Map properly configured, with the Ooma IP "Trust Level" set to Restricted, on each of your computers, when placing the Ooma device in the DMZ, you will be okay. I have tried to access Ooma Setup through port forwarding using the reserved IP Ooma address that is in my DMZ. Unless Norton Internet Security is disabled, Norton blocks any Ooma LAN traffic to/from any other device on my LAN. I can't access Ooma Setup until I temporarily disable Norton Internet Security.
Finally, you are acknowledging that by using the DMZ you are, in essence, weakening the very security a router/firewall provides and putting the rest of your network at risk. Are you not? Why else would you suggest the need to beef up the security of your LAN devices and protect them from each other?


I think you have proved our point. However, if you wish to foolishly continue advocating the use of the DMZ, you should also include your paragraph above letting the user know that they will have to take additional steps to protect the rest of their network. The user needs to know the risks involved in order to decide if your remedy is right for them. That is all I am asking.
