Just to let anyone who's interested know....
I have replaced the insecure HH3 with a much more effective Zoom 5751.
This is giving me more throughput and no SIP access exposure.
The Zoom router can also be run as a bridge so you can put it behind something like pfSense
and have pfSense do the ADSL authentication and have the public IP assigned to it. So you can
get full control over your traffic.
Great investigation & useful thread Richard.
Just for the record, looks like something similar is happening with my 'trusty' old HH 1.
I will start a new post to keep subject line relevant.
SIP is a devilishly difficult protocol to firewall. As it normally uses UDP, it is a connectionless protocol, which means that even on an enterprise firewall it will just allow all UDP between the two IPs once a packet matching the filter is seen, for a period of time, often a minute or two by default. The problem is that SIP as a protocol requires a high degree of application awareness to be able to function, as sessions are often initiated to IPs that are different from the ones in the original connection. The problem is that adding this additional application awareness requires more CPU and memory in the router, meaning that providing a secure VoIP implementation would push up the price for everyone. Unfortunately the only way to get SIP to work on a lower-end CPU like this means basically opening up the IP/port to all incoming access. It's a fudge, but the protocol is complex, and what makes it even worse is that not all SIP implementations will work with other products, a prime example being the SIP implementation that's part of Microsoft OCS/Lync.
Ultimately do you charge everyone to add additional features and hardware for a small minority of people? Ultimately if you want better sip security you need to buy a more expensive product to support that.
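The behaviour described in the post above, stateful UDP filtering with an idle timeout versus a static pinhole, modelled as a small added example. This is illustrative code written for this thread, not firmware from the HH3, the Zoom, pfSense or any poster. It assumes a constructed 60-second idle timeout, keys state on the full source/destination address and port tuple (an assumption of this model; real connection trackers vary), and replays a constructed SIP call flow with made-up RFC 5737 documentation addresses.

```python
"""Toy model of stateful UDP filtering versus a static pinhole.

Illustrative only: not a real firewall, and the addresses, ports and
timeout below are constructed for the example.
"""
from dataclasses import dataclass, field

UDP_STATE_TIMEOUT = 60.0  # seconds; constructed, many routers default to 30-180 s


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    time: float       # seconds since start of the scenario
    direction: str    # "out" = LAN -> WAN, "in" = WAN -> LAN


@dataclass
class StatefulUdpFilter:
    timeout: float = UDP_STATE_TIMEOUT
    # static pinholes: inbound UDP to these LAN ports is always allowed,
    # the "open up the IP/port to all incoming access" fudge from the post
    static_pinholes: set = field(default_factory=set)
    # (lan_ip, lan_port, wan_ip, wan_port) -> time the entry was last refreshed
    states: dict = field(default_factory=dict)

    def handle(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Any outbound UDP packet creates (or refreshes) a state entry.
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.states[key] = pkt.time
            return "allow"

        if pkt.dst_port in self.static_pinholes:
            return "allow"  # no state needed: anyone on the internet may send here

        # Inbound: allowed only while a matching, unexpired state entry exists.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        last_seen = self.states.get(key)
        if last_seen is not None and pkt.time - last_seen <= self.timeout:
            self.states[key] = pkt.time  # traffic keeps the entry alive
            return "allow"
        return "drop"


def run_scenario(pinhole_port=None):
    """Replay a constructed SIP exchange; returns [(label, decision), ...]."""
    fw = StatefulUdpFilter(static_pinholes={pinhole_port} if pinhole_port else set())
    phone, proxy = "192.168.1.10", "203.0.113.5"      # LAN phone, provider SIP proxy
    media, stranger = "203.0.113.9", "198.51.100.77"  # separate media server, unrelated host
    flow = [
        ("REGISTER out to proxy",        Packet(phone, 5060, proxy, 5060, 0.0, "out")),
        ("200 OK back from proxy",       Packet(proxy, 5060, phone, 5060, 1.0, "in")),
        ("INVITE from proxy at t=41s",   Packet(proxy, 5060, phone, 5060, 41.0, "in")),
        # Media arrives from a different IP/port than the signalling; the phone
        # has not yet sent anything there, so no state exists (the post's point).
        ("RTP from media server",        Packet(media, 10000, phone, 20000, 42.0, "in")),
        ("unsolicited INVITE, stranger", Packet(stranger, 5060, phone, 5060, 43.0, "in")),
        # 61 s after the last refresh at t=41: the entry has expired.
        ("INVITE from proxy at t=102s",  Packet(proxy, 5060, phone, 5060, 102.0, "in")),
    ]
    return [(label, fw.handle(pkt)) for label, pkt in flow]


if __name__ == "__main__":
    for title, port in (("stateful only", None), ("stateful + pinhole on 5060", 5060)):
        print(f"== {title} ==")
        for label, decision in run_scenario(port):
            print(f"  {label:32} {decision}")
```

Run it and the two tables show the trade-off the post describes: with state tracking alone the media stream from the second IP and the late INVITE are both dropped (calls break), while a static pinhole on 5060 fixes those at the cost of also admitting the stranger's unsolicited INVITE. An application-aware ALG would read the media address out of the SIP body and open only that flow, which is the extra CPU and memory the post refers to.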
The world of networking is full of Black Magic, Smoke and Mirrors, and just plain misunderstanding.
It's not difficult to do the job correctly. A cheap Zoom modem works, the HH3 fails.
If you really need to go to town on a complex and highly functional solution that does not make you suffer
the "Emperor's Clothes" price tag of an "Enterprise Class" (a Marketing term if I ever heard one) product,
have a look at pfSense.
It's not a case of a "few people", anyone with a SIP device behind an HH3 can potentially be compromised.
Security by ignorance is not a solution.