Hello I am rather new to Ooma (just tweaking my initial install now) but am considered fairly knowledgeable with network security.
#1 - Ooma not using a username and password for setup.ooma.com IS broken and a risk, and I will tell you another reason why. Sometimes people open their networks up to others to use, such as a Wi-Fi router. Using config "2A" (modem---Ooma----Router) means that anyone behind the router can access setup.ooma.com, of course. The Ooma device should be fixed to make use of a secure username and password ASAP in my opinion.
Note on a potential workaround for those insisting on config "2A" who have insecure (or "grey") elements on their internal LAN. One idea to close the setup.ooma.com hole (as well as the IP hole) might be to configure your router to redirect all DNS requests [for setup.ooma.com] to another IP so that they never reach Ooma from within the internal network at all. (Despite how it might seem, there are practical applications for this as well as ways to secure it reasonably.)
Because someone has access to my internal network does not mean I necessarily want them to have control over my Ooma device. This is a faulty assumption, IMO.
#2 I saw someone suggest that in doing config 2B with the following layout:
Modem-----Router---------Ooma
users behind the router would be able to access setup.ooma.com. In my experience this is not true. Why? Because your router by default should not be routing requests to "setup.ooma.com" to Ooma. Instead it should be going to the name server. Further even if you access it via the IP address assigned to Ooma by your router (in config 2B) in my experience that will not give you access to Ooma setup. It appears only whatever is plugged into "HOME NETWORK" can access setup.ooma.com barring any other forwarding.
#3
I think Config 2B (Modem------Router----Ooma) is most secure (assuming you trust the Ooma device itself not to act badly behind your internal network's router). The only weakness appears to be with QoS worries. The solution to this is to use the router's QoS settings to provide this function. I notice that Ooma in config 2B is able to traverse my basic dd-wrt router with a near-stock config, so it appears that with most routers one does not have to open up ports for basic functionality (though some NAT types and firewalls may need to have ports manually opened). I noticed UPnP did not seem to be in use here either.
#4 The documentation on exactly what ports Ooma uses seems a little poor, or at least hard to find, in my opinion and should be better presented. In fact, does anyone happen to have this info for the Telo?
edit: added text "[for setup.ooma.com]" to workaround.
Last edited by davidm on Thu Jan 21, 2010 10:48 pm, edited 1 time in total.
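Added example, not part of davidm's post and not Ooma's own documentation: one concrete way to do the config "2A" DNS workaround he describes on a dd-wrt router. It assumes (these are my assumptions, not stated in the post) that the router runs DD-WRT with dnsmasq, that the LAN bridge is br0, that the router's WAN port is plugged into the Ooma HOME NETWORK port so the Ooma's LAN-side address is simply the router's WAN gateway, and that the Ooma answers setup.ooma.com for hosts on that side. It covers both holes the post mentions: the name (dnsmasq answers setup.ooma.com locally so the query never reaches Ooma, and LAN clients are forced through the router's resolver so a hand-set DNS server cannot bypass it) and the IP (a FORWARD drop for traffic from the LAN to the Ooma's address).

```shell
#!/bin/sh
# Added example for davidm's config "2A" workaround (modem---Ooma---router).
# Not from the original post and not Ooma code. ASSUMPTIONS: DD-WRT with dnsmasq,
# LAN bridge br0, router WAN plugged into Ooma's HOME NETWORK port so the Ooma's
# LAN-side address is the router's WAN gateway. Placeholders OOMA_LAN_IP and
# ROUTER_LAN_IP can be overridden in the environment; on the router they are
# read from nvram (the 2>/dev/null keeps this runnable off the router).

OOMA_HOST="setup.ooma.com"
OOMA_LAN_IP="${OOMA_LAN_IP:-$(nvram get wan_gateway 2>/dev/null)}"
ROUTER_LAN_IP="${ROUTER_LAN_IP:-$(nvram get lan_ipaddr 2>/dev/null)}"

# Line for Services -> Additional DNSMasq Options. dnsmasq answers the name from
# this entry before forwarding anything upstream, so the query never reaches Ooma.
dnsmasq_sinkhole_line() {
    printf 'address=/%s/0.0.0.0\n' "$OOMA_HOST"
}

# Rules for Administration -> Commands -> Save Firewall:
#  1-2. DNAT all LAN DNS (udp+tcp/53) to the router, so a client with a hard-set
#       resolver (e.g. the Ooma's own address) still gets the sinkholed answer.
#  3.   Drop forwarded LAN traffic addressed to the Ooma itself (the "IP hole").
#       Ordinary Internet traffic is unaffected: its destination is not the Ooma,
#       the Ooma is merely the next hop.
firewall_rules() {
    cat <<EOF
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to-destination ${ROUTER_LAN_IP}
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to-destination ${ROUTER_LAN_IP}
iptables -I FORWARD -i br0 -d ${OOMA_LAN_IP} -j DROP
EOF
}

# Only touches the live firewall when explicitly asked (OOMA_APPLY=1 on the router).
apply_on_router() {
    firewall_rules | while IFS= read -r rule; do
        eval "$rule"
    done
}

if [ "${OOMA_APPLY:-0}" = "1" ]; then
    [ -n "$OOMA_LAN_IP" ] && [ -n "$ROUTER_LAN_IP" ] || { echo "set OOMA_LAN_IP/ROUTER_LAN_IP" >&2; exit 1; }
    apply_on_router
fi
```

To check it from a LAN client afterwards, `nslookup setup.ooma.com` should come back with 0.0.0.0 rather than the Ooma's address, and a browser pointed at the Ooma's IP should time out instead of reaching the setup page. Caveat: this only limits hosts that route through the router; anything plugged directly into the Ooma's HOME NETWORK port, or the router itself, still reaches setup.ooma.com, which is exactly why the post asks for a real username and password on the device.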