richardcwgate
Aspiring Contributor
974 Views
Message 41 of 44

Re: Home Hub 3 Security exposure allowing VOIP (SIP) traffic into the internal network

Just to let anyone who's interested know....

 

I have replaced the insecure HH3 with a much more effective Zoom 5751.

This is giving me more throughput and no SIP access exposure.

 

The Zoom router can also be run as a bridge so you can put it behind something like pfSense and have pfSense do the ADSL authentication and have the public IP assigned to it. So you can get full control over your traffic.

 

Richard

0 Ratings
charlies
Contributor
951 Views
Message 42 of 44

Re: Home Hub 3 Security exposure allowing VOIP (SIP) traffic into the internal network

Great investigation & useful thread Richard.

 

Just for the record, looks like something similar is happening with my 'trusty' old HH 1.

 

I will start a new post to keep subject line relevant.

0 Ratings
Jonkarra
Expert
929 Views
Message 43 of 44

Re: Home Hub 3 Security exposure allowing VOIP (SIP) traffic into the internal network

SIP is a devilishly difficult protocol to firewall. As it's normally using UDP, it's a connectionless protocol, which means even on an enterprise firewall it will just allow all UDP between the two IPs once a packet matching the filter is seen, for a period of time, often a minute or two by default. The problem is SIP as a protocol requires a high degree of application awareness to be able to function, as sessions are often initiated to IPs that are different than the ones in the original connection. The problem is that adding this additional application awareness requires more CPU and memory in the router, meaning to provide a secure VoIP implementation would push up the price for everyone. Unfortunately the only way to get SIP to work on a lower end CPU like this means basically opening up the IP/port to all incoming access. It's a fudge, but the protocol is complex, and what makes it even worse is not all SIP implementations will work with other products, a prime example being the SIP implementation that's part of Microsoft OCS/Lync.

 

Ultimately do you charge everyone to add additional features and hardware for a small minority of people? Ultimately if you want better SIP security you need to buy a more expensive product to support that.

0 Ratings
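As an added illustration of the "application awareness" point in message 43 (this is not code from any poster or router vendor): a SIP-aware firewall has to read the SDP body of the signalling message to learn which media address and port to admit, because they can differ from the signalling peer. The sample INVITE is constructed, the function names are hypothetical, and the sketch assumes IPv4 and RTP over UDP.

```python
import re

# Constructed sample (not captured traffic): signalling arrives from
# 203.0.113.5, but the SDP body asks for audio to go to 198.51.100.20.
INVITE = (
    "INVITE sip:alice@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:bob@example.net>;tag=1928\r\n"
    "To: <sip:alice@example.org>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=bob 2890844526 2890844526 IN IP4 203.0.113.5\r\n"
    "s=-\r\n"
    "c=IN IP4 198.51.100.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)

def signalling_peer(msg):
    """Address in the top Via header: where the SIP packet says it came from."""
    m = re.search(r"^Via: SIP/2\.0/UDP ([^:;\s]+)", msg, re.M)
    return m.group(1) if m else None

def media_pinholes(msg):
    """Return (ip, port, 'udp') for each active SDP media stream in msg."""
    head, _, body = msg.partition("\r\n\r\n")
    if "application/sdp" not in head.lower():
        return []
    session_ip, streams = None, []
    for line in body.splitlines():
        c = re.match(r"c=IN IP4 (\S+)", line)
        m = re.match(r"m=\w+ (\d+) ", line)
        if m:
            streams.append([session_ip, int(m.group(1))])
        elif c and streams:
            streams[-1][0] = c.group(1)   # media-level c= overrides session-level
        elif c:
            session_ip = c.group(1)
    # Port 0 marks a declined stream, so no pinhole is needed for it.
    return [(ip, port, "udp") for ip, port in streams if ip and port != 0]

if __name__ == "__main__":
    print("signalling from:", signalling_peer(INVITE))
    print("narrow pinholes:", media_pinholes(INVITE))
```

A device that skips this parsing has no way to know the media endpoint in advance, which is why the fallback described above is to admit a much wider range of inbound UDP.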
richardcwgate
Aspiring Contributor
926 Views
Message 44 of 44

Re: Home Hub 3 Security exposure allowing VOIP (SIP) traffic into the internal network

The world of networking is full of Black Magic, Smoke and Mirrors, and just plain misunderstanding.

It's not difficult to do the job correctly. A cheap Zoom modem works, the HH3 fails.

If you really need to go to town on a complex and highly functional solution that does not make you suffer the "Emperor's Clothes" price tag of an "Enterprise Class" (a marketing term if I ever heard one) product, have a look at pfSense.

 

It's not a case of a "few people", anyone with a SIP device behind an HH3 can potentially be compromised.

Security by ignorance is not a solution.

0 Ratings