Page 1 of 2

Why I would NOT Put Ooma in the DMZ

Posted: Wed Mar 16, 2011 10:22 am
by Lilly's_Closet
When you put any client (PC, Ooma, ect) in the DMZ you expose it directly to the internet. Basically you’re opening the front door of that client to the internet. In certain circumstances, you will have no choice but to put a PC in the DMZ, in those circumstances the rule of thumb is to rely on various levels of protection if it is a PC (antivirus, windows built in permissions, encryption, windows Passwords firewall, windows defender ect) it is especially relevant because in the DMZ you will lose most of your routers built in firewall rules.

Agreed ooma uses tunneling and it would be difficult to break trough…well… even that depends on many factors, however, I would NOT recommend putting the Ooma box in a DMZ, unlike a PC you can’t add various levels of protection, if in fact its wide open.

Okay, so it's wide open, so what none of my precious documents are on my Ooma box? That's true as well but did you know that box on, really any ISP in the world, in a DMZ will be attacked all day every day, port scans, ping, requests, ect. This traffic can be detrimental because the ooma box has to handle it unnecessarily. For efficiency, this traffic should evaluated by your router’s firewall and never be passed to the ooma Device.

This in turn can to lead to a denial of service where you have to reboot the router, and poor network performance. Especially if someone likes your IP address . This happens more frequently that people realize, I mean really, who asks why you cannot connect to the internet…you just reboot the router and if that does not work then you reboot the modem.

In addition, if you have to put ooma or any network device in a DMZ because of performance issues, something else is wrong on your network. Putting that device, in the DMZ addresses the effect not the cause of your issue.

I say this not knowing what if any firewall and security the ooma box has. If it has security firewall rules and they work well then you do have some levels of protection based on how well it handles them but ultimately DMZ is really no different than plugging ooma directly into your modem In terms of exposure.

Also, what this really means is that if you have your router connected first and your ooma box is a client of that router (Modem  Router => Ooma) but you put your ooma in your routers DMZ you have just lost any additional protection that your router offered through its firewall.. So I guess if your happy with how ooma has implemented their security you have got no worries.

Forgive the rant I work in IT and DMZ is a bad word but admittedly, most people’s lives will not change if you put your ooma box in the DMZ but it is a bad network practice.

Re: Why I would NOT Put Ooma in the DMZ

Posted: Wed Mar 16, 2011 11:28 am
by nextbond
Well put. Same reasons my config is ooma -> router -> DSL modem

I have also set ooma Telo QoS to 0 (disabled) since I let my router prioritize the traffic.

Re: Why I would NOT Put Ooma in the DMZ

Posted: Wed Mar 16, 2011 11:45 am
by thunderbird
Ooma Port Forwarding Possible Security Risks Balanced Against Convenience?

The question should be “What would happen if a hacker from the Internet accessed someone’s Ooma Setup through an Ooma device’s home address port, forwarded using port 80”?

The hacker could probably at most change some settings and temporarily disrupt someone’s Ooma phone service. It’s not like shutting down NASA. Probably all-in-all it’s a pretty low security risk. Probably the convenience of being able to access the Ooma device’s Ooma Setup pages, from a computer connected to a router LAN port is worth the risk.

Of coarse the hacker would have to know/guess/figure-out some things before they got to the Ooma Setup pages.

By the way, most home routers allow port 80 to be accessed/open to the Internet, weather a device is placed in the router’s DMZ or not.

Omma uses a VPN tunnel, so the modem part of an Ooma device is well protected, using any configuration setup.

The real threat comes when placing a computer in the router’s DMZ which many people do for gaming, etc. Placing a computer in the router’s DMZ could compromise that computer’s security.

But most people, even if they use a router’s firewall for security, also have computer security software installed on each of their computers, and especially installed on their DMZ computer. I have used Norton Internet Security for years and it has done a great job for me.

Each person has to decide how they want to manage their home’s Internet Security and determine if certain possible risks are worth the convenience.

Re: Why I would NOT Put Ooma in the DMZ

Posted: Wed Mar 16, 2011 12:34 pm
by Lilly's_Closet

Thank you for your response as well as your perspective. In short, I will say that I am in agreement with some of your statements. I would summarize it this way, you can setup your ooma a variety of ways based on your environmental needs. However, introducing DMZ is NOT a necessary risk you need to take.

Also if you are putting your ooma box in your DMZ to fix your performance issues, that should be a short term fix not a solution because you have not fixed the issue on your network just the artifact that the issue created.

I have an Enterprise Management Firewall Appliance and Intrusion Detection running on my network, and I have placed and monitored Ooma box in a DMZ and outside of a DMZ and compared the traffic. The traffic request with ooma in a DMZ is horrifying compared to outside the DMZ. So my statements are based on experience and data I collected while deciding if I was going to put ooma directly within my network or put it on its own subnet. While security is always a concern for me that extra traffic from port scans pings. ect is not only a concern but unnecessary and undesired.

I would disagree with you about Gaming because it is less of a threat to me. When I put my LAN Party PC in motion, I can layer on the security even though it’s in the DMZ, that does not hold true for ooma.

Finally, I realize that for most this is outside of the scope of what’s easier and that most people will take the easier road… It’s kind of like when I attended to a wifi conference about 13 years ago. Wireless routers were just rolling out and they told us that the hardware venders were not enabling wireless security by default, I asked why and one vender responded "we just think that it’s going to be too hard for the average consumer." Judging by the number of unsecured wireless networks in my neighborhood I would say that he was correct and its 13 years latter.

In any case my network is locked down tight and yours should be too.

To each his or her own but knowledge is power :cool:

Re: Why I would NOT Put Ooma in the DMZ

Posted: Wed Mar 16, 2011 1:13 pm
by tomcat
Lilly's_Closet wrote:Wireless routers were just rolling out and they told us that the hardware venders were not enabling wireless security by default, I asked why and one vender responded "we just think that it’s going to be too hard for the average consumer." Judging by the number of unsecured wireless networks in my neighborhood I would say that he was correct and its 13 years latter. In any case my network is locked down tight.
This is true. It generates less support calls for the manufacturers when consumers can make it work out of the box. Manufacturers also do not provide proper documentation to educate the consumer about security and how to set up the product to take advantage of the security features. That's right - they will boldly mark DO NOT EAT on that little bag of Chicklets that comes with your router, but nowhere will it warn that you need to secure your wifi. :) Although, over the last few months, some of the router manufactures are taking some steps to implement security. But still not enough in my opinion.

Re: Why I would NOT Put Ooma in the DMZ

Posted: Wed Mar 16, 2011 6:12 pm
by gail
Please excuse this newbie question (a little knowledge can be a bad thing), but is anyone here saying that using port 80 forwarding when putting an ooma behind a home router -so that one could more easily access the ooma's setup page on a web browser- is a bad thing... ie. something which would unnecessarily expose the ooma to hacking, pings, etc. ?
I am afraid that I don't know enough about networking to put what has been said above in perspective. Thanks in advance.

Re: Why I would NOT Put Ooma in the DMZ

Posted: Wed Mar 16, 2011 6:38 pm
by Lilly's_Closet
If your PC and Ooma are connected to LAN ports on your router you should be able to access the ooma Setup page directly via the Ooma’s IP address and depending on your equipment more than likely you will not have to do a port forward.

But to answer your initial question no this thread discusses placing Ooma in a DMZ.

Re: Why I would NOT Put Ooma in the DMZ

Posted: Thu Mar 17, 2011 1:38 am
by Davesworld
Voip fraud is at an all time high and most cases are from ATA's wide open on the net.

Ooma only uses VPN for sip signaling which uses barely measurable bandwidth whether on a call or not, it's in bytes, not KB it's so small. The voice portion is carried over RTP as is always the case. As far as Ooma's built in firewall, it's conventional enough and of course uses NAT. The biggest issue is that the oomas are ATA's with limited albeit fairly healthy levels of processing power and should not be wasting cycles on non VOIP related loads plus the amount of throughput is very limited by this lack of power. If you put another firewall/router behind the OOMA, you are double NATTED, this is a big networking no no. If you are hell bent on using the ooma upstream of your lan then you might as well just get a switch so you only have ONE NAT between your pc's and the internet. Using an Ooma BEFORE a router defeats the entire purpose of having a good firewall/router. You want the good firewall/router to protect you from the big bad old web, not an ATA with some firewalling built in.

On the fraud subject again. Worst case scenario is having your VOIP service used for calling cards that are often sold by those who broke into your system so you end up shouldering any overage costs for someone else's calls. The market for this is huge and ever prevalent. This is one reason I do not use a credit card for auto recharge in any VOIP service and I never allow a larger prepay balance than I could afford to lose even though I am well protected.

Re: Why I would NOT Put Ooma in the DMZ

Posted: Thu Mar 17, 2011 9:02 am
by Lilly's_Closet
Hi Dave,

I would not stay that "fraud" this is the “biggest issue” rather that its one of the issues associated with placing ooma in the DMZ or installing Oooma Directly to your modem. There are many issues some that we have been discussed and others that we have not begun to discuss.

In addition, I am not sure that you understood my post with regard to traffic from Ooma. The ooma box will use the same amount of traffic for VOIP weather it is in a DMZ or not. The extra traffic I am talking about is the one generated when ooma is placed in a DMZ and has to fend for itself. A good Router/Firewall will filter a good portion of it out so it would never get to your network.

With regard to double NAT ing…hmm in its real world application …not so much.

This is what I mean. First, the difference in communication would be measured in milliseconds on a double NAT, so for the most part it is going to be transparent to the user. If it is not there is something else wrong on your network.

Second, your packets are going through a variety of different NAT & non NATed situations as they travel up and down the internet and back and forth on your network. For the most part that process is transparent to you. So what you are really talking about is an additional NAT situation, this should be transparent to the user.

The only argument that I see is, theoretically its going to take longer to access resources stored on the other network. Not true, on a home network because all your resources are local to your network so you are only limited by your local Netwok's connection speed wired or wireless and the abilities of your routing device not the the other NAT. The only resource outside your network is the Internet and we already agreed that that NAT from your ISP should be transparent to you.

Finding and maintaining resources like PC’s, networks, printers, and creating and managing shares and security, in an enterprise environment would be the greater challenge in a double NAT. However, you will find them there as well.

The practice if frowned upon but unavoidable in a variety of circumstances. The difference is that a double NAT can serve as an additional layer of security while putting ooma in the DMZ only serves to remove several layers of Security.

Re: Why I would NOT Put Ooma in the DMZ

Posted: Thu Mar 17, 2011 4:55 pm
by thunderbird
Infromation Only:

Quote from Wikipedia:
"In computer security, a DMZ, or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. The term is normally referred to as a DMZ by information technology professionals. It is sometimes referred to as a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network".

Quote from CradlePoint:
"DMZ Host:
DMZ means "Demilitarized Zone." If an application has trouble working from behind the router, you can expose one computer to the Internet and run the application on that computer.

When a LAN host is configured as a DMZ host, it becomes the destination for all incoming packets that do not match some other incoming session or rule. If any other ingress rule is in place, that will be used instead of sending packets to the DMZ host; so, an active session, virtual server, active port trigger, or gaming rule will take priority over sending a packet to the DMZ host. (The DMZ policy resembles a default gaming rule that forwards every port that is not specifically sent anywhere else.)

The router provides only limited firewall protection for the DMZ host. The router does not forward a TCP packet that does not match an active DMZ session, unless it is a connection establishment packet (SYN). Except for this limited protection, the DMZ host is effectively "outside the firewall". Anyone considering using a DMZ host should also consider running a firewall on that DMZ host system to provide additional protection.

Packets received by the DMZ host have their IP addresses translated from the WAN-side IP address of the router to the LAN-side IP address of the DMZ host. However, port numbers are not translated; so applications on the DMZ host can depend on specific port numbers.

DMZ IP Address:
Specify the LAN IP address of the LAN computer that you want to have unrestricted Internet communication. If this computer obtains its address Automatically using DHCP, then you may want to make a static reservation on the Basic → Network Settings page so that the IP address of the DMZ computer does not change".

Thunderbird Wrote:
This evening I was reviewing my router's logs. I found that in a month's time I had only five unauthorized connection attempts to the static IP address in my router’s DMZ, assigned to my Ooma Telo. Each one of the unauthorized connection attempts was rejected by the router.

I would suspect the low number of unauthorized connection attempts is because I use a commercial router using a medium level of security, although I think newer home routers, set to at least a medium level of security, would probably have similar results.