Network Security - confusion over recent postings

[feartheturtle]

OK people - I know there are several of you that understand networks better than I, but it sounds like there is some uncertainty amongst you concerning network security once an Ooma device (Hub or Telo) becomes part of a typical home network. In the past I was aware that there were two prime methods for installing the Ooma, but it seemed that either one was OK. The method I use happens to be the first one I tried, and I am very hesitant to "fix what isn't broke." But if there is as secuity issue, then maybe it is broke? I'm sure there are others like me who have seen some recent postings that make us a bit confused and uncomfortable.

Let me start by saying that my definition of a "typical home network" contains a router so that multiple devices can access the internet. My view of this network before an Ooma device is introduced is as follows:

Stand alone modem with single output connected to WAN port on router. LAN port(s) on router connected to computer and/or other devices. Here is the shorthand that I am used to seeing for this setup: modem>>router>>PC

Now after the Ooma device is installed we seem to have two variations (note that after the router I do not show a PC or other device connected to a router's LAN port, even though they probably are connected):

A) Ooma mounted between modem and router. Modem connected to either "To Internet" or "Modem" port on Ooma, then either the "Home Network" or "Home" port on Ooma connected to the WAN port on the router. Then the LAN port(s) on router connected to a computer and/or other devices. Here is the shorthand that I am used to seeing for this setup: modem>>Ooma>>router

B) Ooma mounted after the router. Modem connected to WAN port on router. Then one LAN port on router connected to Ooma. Other router LAN ports could be used for PC, game system, etc. In this configuration the "Home Network" or "Home" port on the Ooma is rarely used, usually only for initial setup purposes. Here is the shorthand that I am used to seeing for this setup: modem>>router>>Ooma


Now, is either one of these installation methods "insecure?" And if so, is it always insecure? Or is security affected when certain parameters inside the Ooma or router are set to certain values?

[indie_dev]

Really didn't need a new thread for this since now all the responses are going to be fragmented and spread throughout several threads.

Basically, neither method is insecure. What is insecure is

a) the fact that the Ooma interface has no security settings

b) how you setup your Ooma using Option 2A could result in a security breach

[Aveamantium]

Really didn't need a new thread for this since now all the responses are going to be fragmented and spread throughout several threads.

Basically, neither method is insecure. What is insecure is

a) the fact that the Ooma interface has no security settings

b) how you setup your Ooma using Option 2A could result in a security breach

What indie_dev said...

[feartheturtle]

indie_dev:
I was hoping someone would list the steps that makes a particular installation "insecure." I tried earlier to read the thread you reference and I still am not sure I understand what steps should be avoided.

[Groundhound]

I would add that it's possible to configure both methods in an insecure way. Bottom line is when you employ DMZ settings in either your router or your Ooma, you are bypassing some security features and you need to understand what is exposed when DMZ is used.

[indie_dev]

indie_dev:
I was hoping someone would list the steps that makes a particular installation "insecure." I tried earlier to read the thread you reference and I still am not sure I understand what steps should be avoided.

Don't use the DMZ in Ooma, no matter what anyone tells you or what goes wrong in your config.

I would add that it's possible to configure both methods in an insecure way. Bottom line is when you employ DMZ settings in either your router or your Ooma, you are bypassing some security features and you need to understand what is exposed when DMZ is used.

Yes, but exposing DMZ in the router is the lesser of two evils since port 80 doesn't resolve to anything - unless you are running a web server that sits on that port.

Unlike the Ooma which hosts its insecure (no username+password) interface on port 80 and is immediately accessible with DMZ and thus gives the entire world access to the Ooma (and the local LAN if the hacker knows what he's doing) interface sitting behind port 80.

[Groundhound]

I would add that it's possible to configure both methods in an insecure way. Bottom line is when you employ DMZ settings in either your router or your Ooma, you are bypassing some security features and you need to understand what is exposed when DMZ is used.

Yes, but exposing DMZ in the router is the lesser of two evils since port 80 doesn't resolve to anything - unless you are running a web server that sits on that port.

Unlike the Ooma which hosts its insecure (no username+password) interface on port 80 and is immediately accessible with DMZ and thus gives the entire world access to the Ooma (and the local LAN if the hacker knows what he's doing) interface sitting behind port 80.

Please read this post, it describes how the setup interface can be exposed with the Hub in the router's DMZ, in conjunction with the port forward trick (forward port 80 back to Ooma's Home port) setup in the Hub to view the interface from other computers on the network not connected to the Hub's Home port: http://www.ooma.com/forums/viewtopic.ph ... 74&start=0

[indie_dev]

I would add that it's possible to configure both methods in an insecure way. Bottom line is when you employ DMZ settings in either your router or your Ooma, you are bypassing some security features and you need to understand what is exposed when DMZ is used.

Yes, but exposing DMZ in the router is the lesser of two evils since port 80 doesn't resolve to anything - unless you are running a web server that sits on that port.

Unlike the Ooma which hosts its insecure (no username+password) interface on port 80 and is immediately accessible with DMZ and thus gives the entire world access to the Ooma (and the local LAN if the hacker knows what he's doing) interface sitting behind port 80.

Please read this post, it describes how the setup interface can be exposed with the Hub in the router's DMZ, in conjunction with the port forward trick (forward port 80 back to Ooma's Home port) setup in the Hub to view the interface from other computers on the network not connected to the Hub's Home port: http://www.ooma.com/forums/viewtopic.ph ... 74&start=0

I am familiar with no less then three instances on how to do it. In fact, one of which isn't even documented and I don't intend to document it for the reasons I mentioned in that thread I made yesterday.

So trust me when I tell you this: that link you are pointing to is only reference 1/3 of the breach.

[feartheturtle]

OK - so I will probably display my ignorance here, but what the heck!

modem>>ooma>>router
1) For what reason do people use the ooma DMZ? I assume they place the router's ip in the DMZ to allow router traffic to get to the internet unhindered, correct? Are they successful? Are there other reasons to use the ooma DMZ?

2) If you have the router in the ooma DMZ how can anyone outside your LAN view the ooma setup?

modem>>router>>ooma
1) Just saw Groundhounds post - if you forward port 80 of the ooma's ip - and do not have the ooma in the routers' DMZ, is that considered safe? Can you then view the ooma setup from other computers in the routers' LAN?

[Groundhound]

modem>>router>>ooma
1) Just saw Groundhounds post - if you forward port 80 of the ooma's ip - and do not have the ooma in the routers' DMZ, is that considered safe? Can you then view the ooma setup from other computers in the routers' LAN?

In this case there is no use of DMZ in either the router or the Ooma, just forwarding port 80 from within Ooma back to the Ooma home port, and AFAIK it is safe - and yes you can view the Ooma setup from other computers in the router's LAN.