The Risk of Port Forwarding to a VOIP Device

1

My VOIP provider uses a device to supply the service. The device is on my side of my router and part of my LAN. He requires I forward a very large range of ports to his device (something like 5000 to 65000). I asked if this compromises the security of the rest of my LAN; he said no, but he can't sell me his service if he says yes. So, I'm asking here whether it does or not.

From the little I understand about port forwarding, I think an intruder can only reach the device assigned this IP address. If that's so, the question becomes: can the intruder use their device to network to my LAN and thus reach my other computers?

Ken

Posted 2014-02-06T22:51:33.953

Reputation: 11

Verify if the device supports UPnP. If it does then forwarding ports isn't required. – Ramhound – 2014-02-06T23:09:24.770

I use a VoIP provider with modern equipment (8x8.com) and they have no such requirement. They do, however, recommend setting QoS rules for a few ports to prioritize VoIP traffic above all others (locally). Are you in a position to use a hosted VoIP service instead of one that requires such holes? I wouldn't allow it myself unless my VoIP LAN was separate from my data LAN. – Brian Adkins – 2014-02-06T23:46:30.953

Answers

2

NAT provides security by obscurity as a side-effect of how it works, not by design.

If you are concerned about security, you should have a firewall or packet filter on your router, which is meant to provide security by design, whether or not NAT is in the mix.

As far as what access this gives people external to your network, it depends on the vendor's device. If the vendor's device can connect to other devices in your network, it could be a source of vulnerabilities.

You can place a firewall between this device and its connections back into your LAN if needed - in essence you'd be creating a DMZ. Since this is a VOIP device, you probably want to separate any connections it can make to the LAN within a VLAN for QoS purposes - which would isolate it nicely from the rest of your network.

LawrenceC

Posted 2014-02-06T22:51:33.953

Reputation: 63 487

+1 for VLAN separation recommendation in this case. – Brian Adkins – 2014-02-06T23:47:25.287

I see where you aren't supposed to thank people, but thanks for both of your replies. – Ken – 2014-02-07T20:52:36.727

I don't have much understanding of this area. From the replies I think I understand two things: 1) There's some risk depending on the design of the VOIP box (which I have no way to know), and 2) if I used a VLAN I could secure my LAN, but I don't think my Comcast modem-router supports VLANs. Not sure what to do now. – Ken – 2014-02-07T21:00:48.670

Sounds like you are in over your head. You ought to consult with a networking or VoIP professional for further help. :) – LawrenceC – 2014-02-08T00:08:53.490
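
The isolation described in the answer above (a firewall between the VoIP device and the rest of the LAN), written out as an nftables ruleset. This is an added example, not part of the original thread: it assumes a Linux router with three interfaces, and the interface names, addresses and the choice to match both TCP and UDP are constructed assumptions. It covers forwarded traffic only.

```nftables
#!/usr/sbin/nft -f
# Added example. All names and addresses below are constructed assumptions.
# On a flat LAN the VoIP box and the PCs share one segment, so traffic between
# them is switched and never reaches the router's forward chain. The box has to
# sit on its own interface or VLAN for the rules below to have any effect.

define WAN       = "wan0"           # uplink to the ISP
define LAN       = "lan0"           # data LAN with the PCs
define VOIP      = "voip0"          # segment or VLAN holding only the VoIP box
define VOIP_DEV  = 192.168.50.10    # the provider's device
define FWD_PORTS = 5000-65000       # range quoted in the question

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The port forward: the whole range lands on the VoIP box and nowhere else.
        # Narrow to the protocol the provider actually needs if that is known.
        iifname $WAN meta l4proto { tcp, udp } th dport $FWD_PORTS dnat to $VOIP_DEV
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed below.
        ct state established,related accept
        ct state invalid drop

        # Internet -> VoIP box: only the forwarded range.
        iifname $WAN oifname $VOIP ip daddr $VOIP_DEV meta l4proto { tcp, udp } th dport $FWD_PORTS accept

        # VoIP box -> data LAN: log and drop. This is the isolation. Even if the
        # box is compromised through the forwarded ports, it cannot open
        # connections to the PCs.
        iifname $VOIP oifname $LAN log prefix "voip-to-lan " drop

        # Both segments may reach the internet.
        iifname { $LAN, $VOIP } oifname $WAN accept

        # Optional: let the LAN initiate connections to the box (management).
        iifname $LAN oifname $VOIP accept
    }
}
```

Any hit on the `voip-to-lan` log prefix means the box tried to reach the data LAN, which is worth investigating.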