security - The Risk of Port Forwarding to a VOIP Device

05
2014-04
  • Ken

    My VOIP provider uses a device to supply the service. The device is on my side of my router and part of my LAN. He requires that I forward a very large range of ports to his device (something like 5000 to 65000). I asked if this compromises the security of the rest of my LAN; he said no, but he can't sell me his service if he says yes. So, I'm asking here whether it does or not.

    From the little I understand about port forwarding, I think an intruder can only reach the device assigned this IP address. If that's so, the question becomes: can the intruder use their device to network to my LAN and thus reach my other computers?

  • Answers
  • ultrasawblade

    NAT provides security by obscurity as a side-effect of how it works, not by design.

    If you are concerned about security, you should have a firewall or packet filter on your router, which is meant to provide security by design, whether or not NAT is in the mix.

    As far as what access this gives people external to your network, it depends on the vendor's device. If the vendor's device can connect to other devices in your network, it could be a source of vulnerabilities.

    You can place a firewall between this device and its connections back into your LAN if needed - in essence you'd be creating a DMZ. Since this is a VOIP device, you probably want to separate any connections it can make to the LAN within a VLAN for QoS purposes - which would isolate it nicely from the rest of your network.


  • Related Question

    networking - Garbled VoIP over VPN, mainly on conference bridges
  • Questioner

    My office has a large Cisco UCM setup, and I work primarily remotely with a physical Cisco 7940 phone. I've battled some quality issues before, which turned out to be a bad switch port. But mostly my quality has been fine for months. Recently, people complain that my voice breaks in and out, and they can't understand me. I'm currently using the G.729 codec and my calls all have an average MOS LQK of 3.68. My phone is reporting no RxLost, no jitter. My TxSize is 20ms, but I don't know how that affects audio transmission. I have never had a problem receiving audio.

    My connection to the UCM is over an IPSec VPN handled by an ASA5505 to an ASA5580. The ASA5505 plugs into my home network, and then goes through my home router to access the internet. My phone plugs into an ASA5505 PoE port.

    In one-to-one calls, I rarely, if ever, have had a problem. Most people never know I'm on an IP phone. However, with internal conference bridges, I recently have had to call in from an outside line to speak. I have also experienced this problem with outside bridges at other companies when I call into their meetings, but less often. I can't find any correlation of what might be occurring when poor quality issues happen. Traffic on my home network is almost non-existent. I do have another SIP internet phone sharing the same broadband connection, but my quality issues occur regardless of whether that phone is in use at the same time or not.

    Previously I monitored traffic from the ASA5505 and noticed it is tagging encapsulated VoIP on the outside segment as Expedited Forwarding with DSCP 46 (I was surprised the IPSec packets were tagged as this, but our VPN/Phone guy had no idea what DSCP was). I can prioritize this (currently I am not), but in the past it did not help. Below is Vyatta config code for this:

    qos-policy {
        traffic-shaper EXTERNAL_QOS {
            bandwidth 1mbit
            class 10 {
                bandwidth 90%
                description "Match VoIP traffic"
                match VOIP {
                    ip {
                        dscp 46
                    }
                }
            }
            default {
                bandwidth 5%
            }
            description "External bandwidth QoS Policy"
        }
    }
    

    Is there anything I can tell the group that manages the Phone and ASA to help them resolve this? As of now, they refuse to believe the problem is on their side, only that since it runs through my home router, I'm at fault. I guess they presume I have a bunch of torrents running...


  • Related Answers
  • stonefoz

    The only real difference I know of with conference calls is timing in the PBX and the echo canceler.

    Assuming the PBX is working for everyone else, I have two suggestions. Timing will cause dropped frames, codec resets, etc. Echo can mute your outgoing voice.

    Try seeing if not dropping silent frames will fix timing issues. It's wasteful, but it is trying to emulate a circuit-switched system. Have the phone send every frame, silent or not.

    As for the echo canceler, your side isn't going to be able to have its echo canceler "train". While on a conference call, your echo isn't going to be sent back while another circuit is doing voice. Disable any aggressive settings on your side; the conference bridge is probably already doing very aggressive echo cancellation. On that note, are you using speaker-phone? Speaker-phone also requires aggressive echo cancellation.