Securing Your WHS & Network - Part 15

Home Server Land


Voice over Internet Protocol Threats

This is Part 15 of the Securing Your WHS & Network series.  This part identifies the vulnerabilities associated with using your high speed Internet connection for telephone service.  There are several Voice over Internet Protocol (VoIP) providers, and each uses its own combination of protocols, ports, and equipment to let you send and receive telephone calls.  Currently there are no Windows Home Server Add-In products for VoIP.  Several competing providers are presented for comparative purposes.

Understanding VoIP Functionality

Using the Internet to place and receive telephone calls is a relatively new concept.  Now that homes and small businesses are enjoying the benefits of their high speed Internet connection, they may want to use it to replace their local telephone service.  Voice over Internet Protocol, or VoIP, uses the Internet to place and receive telephone calls.  VoIP service normally requires a device that connects your internal telephone wiring to your Internet connection.  This device is a very specialized form of router that handles all telephone related traffic.  It is usually connected directly to the ISP's interface device with an Ethernet (RJ-45) cable.

The technology used by the local telephone company and by a VoIP provider is very similar.  Both convert the analog voice signal to a digital format.  They then break the digitized conversation into smaller chunks called data packets.

Part 5 describes how data packets are sent through a network.  Voice packets are sent with the same technique; the telephone companies have been digitizing and packetizing voice on their own networks for over 30 years.

What differs is the network used to route the voice packets.  The telephone companies use their own network, equipment, and electrical power; this is POTS, or plain old telephone service.  VoIP providers route the packets over the Internet and rely on a device located at the customer's premises to send and receive calls.  The customer must provide electrical power to this device, so when the power or the Internet connection is down, so is the telephone.  Part 3 explains in detail the services used by satellite, cable, DSL, and telephone companies.

VoIP Devices

The VoIP provider dictates the hardware device that must be used to subscribe to its service.  Lingo uses a Linksys network router that has been modified to incorporate the VoIP adapter.  The WAN port connects to the ISP's modem, LAN ports 1 through 4 connect to computers, and RJ-11 jacks connect to the internal telephone wiring.

 

Vonage offers both a separate adapter and integrated router devices for its VoIP service.  With the separate adapter, the WAN port connects to the ISP's modem, the network port connects to the network router, and RJ-11 jacks connect to the internal telephone wiring.

 

MagicJack uses a USB device that connects to a computer.  An RJ-11 jack on the device connects a telephone.  The computer must be powered on to send and receive calls.

VoIP Threats and Vulnerabilities

VoIP inherits the same threats and vulnerabilities as personal computers.  Since VoIP devices and computers use the same technology to send information through the Internet, an attacker can record conversations, break into voice mail, steal customer information, change the VoIP service, and mount denial of service attacks.  VoIP traffic is normally not encrypted.  Neither is POTS traffic, but the exposure differs: tapping a POTS line requires physical access to the wire, while unencrypted voice packets can be captured and reassembled by anyone positioned on the network path they cross, including a compromised computer on the home LAN or an open wireless network.
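What "record conversations" means in practice, shown as an added example that is not part of the original post or of any provider's software: the RTP header (RFC 3550) on every packet of a VoIP call is neither encrypted nor authenticated, so anyone who can capture the UDP packets can sort them into streams and put the audio back together.  The packets below are constructed inside the code to stand in for a capture, and their payload bytes are placeholders rather than real audio.

```python
"""Reassemble the payload of an unencrypted VoIP call from captured RTP packets.

Added example for this article, not code from Home Server Land or any VoIP
provider.  The "capture" is constructed below; real packets would come from a
sniffer on the shared network path.
"""
import struct
from collections import defaultdict

RTP_HEADER_LEN = 12
PAYLOAD_TYPES = {0: "PCMU (G.711 u-law)", 8: "PCMA (G.711 A-law)", 18: "G.729"}


def parse_rtp(packet: bytes) -> dict:
    """Parse the fixed RTP header (RFC 3550 section 5.1) and return its fields."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    if b0 >> 6 != 2:
        raise ValueError(f"not RTP version 2 (got {b0 >> 6})")
    padding, extension, cc = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    offset = RTP_HEADER_LEN + 4 * cc          # skip CSRC list if present
    if extension:                             # profile (16 bits) + length in words
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if padding and payload:                   # last byte says how many pad bytes
        pad = payload[-1]
        if pad == 0 or pad > len(payload):
            raise ValueError("bad padding count")
        payload = payload[:-pad]
    return {"seq": seq, "timestamp": ts, "ssrc": ssrc,
            "payload_type": b1 & 0x7F, "marker": bool(b1 & 0x80), "payload": payload}


def unwrap_seq(seq: int, ref: int) -> int:
    """Place a 16-bit sequence number on the unbounded line nearest to ref, so
    packets that wrapped from 65535 to 0 still sort after the ones before them."""
    d = (seq - ref) & 0xFFFF
    return ref + d if d < 0x8000 else ref + d - 0x10000


def reassemble(packets):
    """Group packets by SSRC (one per direction of a call) and join their payloads
    in sequence order.  Returns {ssrc: (payload type, concatenated payload)}."""
    streams = defaultdict(dict)
    first_seq, pts = {}, {}
    for pkt in packets:
        h = parse_rtp(pkt)
        ref = first_seq.setdefault(h["ssrc"], h["seq"])
        streams[h["ssrc"]][unwrap_seq(h["seq"], ref)] = h["payload"]
        pts[h["ssrc"]] = h["payload_type"]
    return {ssrc: (pts[ssrc], b"".join(by_seq[s] for s in sorted(by_seq)))
            for ssrc, by_seq in streams.items()}


def describe_call(packets):
    """What an eavesdropper learns: codec and audio bytes per direction."""
    return {ssrc: (PAYLOAD_TYPES.get(pt, f"payload type {pt}"), data)
            for ssrc, (pt, data) in reassemble(packets).items()}


def build_rtp(seq, ts, ssrc, pt, payload, marker=False):
    """Fabricate an RTP packet; used only to construct the sample capture."""
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


# Constructed sample capture: both directions of one call, arriving out of order,
# with the caller's sequence number wrapping from 65535 to 0 mid-capture.
SAMPLE_CAPTURE = [
    build_rtp(65534, 1000, 0x11111111, 0, b"A", marker=True),
    build_rtp(100, 5000, 0x22222222, 8, b"x"),
    build_rtp(0, 1320, 0x11111111, 0, b"C"),
    build_rtp(65535, 1160, 0x11111111, 0, b"B"),
    build_rtp(101, 5160, 0x22222222, 8, b"y"),
    build_rtp(1, 1480, 0x11111111, 0, b"D"),
]

if __name__ == "__main__":
    for ssrc, (codec, audio) in describe_call(SAMPLE_CAPTURE).items():
        print(f"SSRC {ssrc:08x}: {codec}, {len(audio)} payload bytes recovered")
```

With G.711 the recovered bytes are the audio itself (8000 samples per second, one byte each), so the joined payload can be written straight to a .au or .wav container and played.  Nothing in the header tells the device or the eavesdropper whether the stream is legitimate; only encryption of the media (SRTP) or keeping the packets off shared paths prevents this.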

Connecting the VoIP Device

There are different ways to connect the VoIP device.  The choice depends on the network equipment provided by the ISP and on the capabilities of the VoIP device.  The ISP can provide a separate cable/DSL modem and router, or the two can be combined in one device.  VoIP devices can be stand-alone or combined with a network router.

Most VoIP devices are designed to connect directly to the cable/DSL modem or other high speed interface device.  Call quality and reliability are highest, and management is simplest, when the VoIP traffic does not have to pass through a router.  The trade-off is that when the VoIP device sits between the cable/DSL modem and the network router, all of the LAN's traffic passes through the VoIP device, and network performance can suffer.

Connecting the VoIP Device - Directly to the Cable/DSL Modem

The VoIP provider's preferred configuration is when the cable/DSL modem and network router are two separate devices.  The VoIP device connects to the cable/DSL modem and the network router connects to the VoIP device, all with CAT-5 Ethernet cables.  Because the VoIP device sits in front of the network router, no firewall or NAT setting on the router can affect call quality and reliability, and the router does not need to be configured to pass VoIP traffic.  The drawback is that the whole LAN now depends on the VoIP device: a denial of service attack against it degrades network performance for every computer behind it.

The following illustrates the VoIP provider preferred method to install the VoIP device.  The red lines show the RJ-45 port pairs that are connected with CAT-5 Ethernet cables.

Connecting the VoIP Device - Integrated with Network Router

Some VoIP providers have partnered with router manufacturers to combine the VoIP device with the network router.  In this case, the router's port forwarding rules are preconfigured for the ports the VoIP provider uses.  The advantages and disadvantages of this method are similar to those of the VoIP provider's preferred method.

Combining the VoIP adapter and network router simplifies the connection to the cable/DSL modem.  The red lines show the RJ-45 port pairs that are connected with CAT-5 Ethernet cables.

 

Connecting the VoIP Device - To a Combined Cable/DSL Modem Network Router

When the ISP provides a network router combined with the cable/DSL modem, the VoIP router must be connected behind the network router.  In this case, there are at least five Internet port ranges that must be forwarded to the VoIP device before it can send and receive telephone calls, and these ports vary by VoIP provider.  Programming the router to open the ports is addressed later in this section.

Below is an example of a VoIP router connected to a combined DSL modem/router.  The DSL modem connects to the local telephone company's jack with a telephone cord (RJ-11).  One of the router's RJ-45 network ports connects to the Internet port of the VoIP router with a CAT-5 cable, which leaves three ports available for computers or a network switch.  Since the router's RJ-45 ports run at a maximum of 100 Mbit/s, a gigabit (1000 Mbit/s) switch is needed to connect computers with gigabit network interface cards at full speed.  In addition, the router must be programmed to allow incoming and outgoing traffic on the Internet ports used by the VoIP service provider.

This method is the least desirable because all VoIP traffic must first pass through the network router.  Call quality and reliability then depend on the router's configuration and on the other network traffic it is carrying.

Connecting the VoIP Device - To a Network Switch

The optimal method of connecting a VoIP device to the Internet is to connect a network switch to the cable/DSL modem first, then connect both the VoIP device and the network router to the switch, as shown below.  An inexpensive four port unmanaged switch at 100 Mbit/s separates the voice and data traffic, so any delays caused by the VoIP router do not affect the network traffic; call quality and reliability are preserved, and the router does not need to be configured for VoIP.  Two caveats apply.  The VoIP device and the network router each need their own public IP address from the ISP, and many residential ISPs lease only one, in which case the second device gets no address and this layout does not work.  And the VoIP device is then exposed directly to the Internet with no firewall in front of it, so its own administration interface must be locked down (strong password, remote administration disabled) and its logs reviewed.

Programming the VoIP Router

The instructions for programming the VoIP router vary by provider and equipment manufacturer.  In the VoIP router's configuration interface, set it to obtain an IP address automatically from the network router's DHCP server, and record its MAC (Ethernet) address; the static DHCP entry below is keyed on it.  If the option to obtain an address automatically is not available, enter a local IP address manually.  In our example, we want to assign the VoIP router the IP address 192.168.145.10.

When the only alternative is to connect the VoIP device to the network router, the router must be configured to permit VoIP traffic to be forwarded to the VoIP device.  The following explains how to configure a SonicWALL TZ-180 router to support VoIP.

Programming the Router - VoIP Router - Network Address Object

The VoIP device must be defined as an address object in the SonicWALL router.  Click Network, then the Address Objects option, scroll to the bottom of the Address Objects table, and click the Add... button.  In our example, we entered VoIP Service for the name and 192.168.145.10 for the IP address.   Select the LAN option for zone, and Host for the type.  Click the OK button to save the configuration.

Programming the Router - Network DHCP Static IP

A static internal IP address is reserved for the VoIP device so that the access rule defined below always points at the right host.  Click Network, then the DHCP Server option, then the Add Static button.  In our example, we entered VoIP Service as the entry name, 192.168.145.10 as the IP address, and 00-1f-e2-4d-92-c4 as the Ethernet address; the MAC or Ethernet address was obtained from the VoIP router's configuration interface.  Select the LAN interface and 192.168.145.1 for the gateway.  Click the OK button to save the static IP configuration for the VoIP device.

Consistent NAT

Certain VoIP implementations may require Consistent NAT to be enabled on the router.  This option modifies the standard NAT behavior for outbound UDP traffic to provide higher compatibility: Consistent NAT uses an MD5 hashing method to assign the same remapped (network address translated) public IP address and public UDP port pair to each internal IP address and private UDP port pair, regardless of which remote host the traffic is sent to.  VoIP needs this because the device advertises the public address and port it learned through one exchange and expects media from a different host to reach that same mapping.  The trade-off is that the mapping is deterministic rather than allocated per connection, which gives up the unpredictability of standard NAT, so enable it only when the VoIP device does not work without it.
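The difference between the two mapping behaviours, and why a call fails under one and works under the other, as an added simulation that is not SonicWALL code or part of the original post.  The hash-to-port rule below stands in for the vendor's real algorithm, the addresses are documentation-range values chosen for the example, and the discovery server and media peer are assumed roles in a generic SIP/RTP call.

```python
"""Model of the two NAT mapping behaviours the Consistent NAT option selects
between, and of the SIP/RTP traversal problem that depends on the choice.

Added example for this article; a simplified simulation, not SonicWALL code.
"""
import hashlib
import itertools

PUBLIC_IP = "203.0.113.7"          # assumed WAN address of the router
PORT_LO, PORT_HI = 1024, 65535     # assumed pool of translated ports


class StandardNat:
    """Per-flow mapping: each distinct (internal endpoint, remote endpoint) pair
    gets the next free public port, so the same internal socket appears on a
    different public port to every remote host it talks to."""

    def __init__(self):
        self.table = {}
        self._ports = itertools.count(PORT_LO)

    def translate(self, src, dst):
        key = (src, dst)
        if key not in self.table:
            self.table[key] = (PUBLIC_IP, next(self._ports))
        return self.table[key]


class ConsistentNat:
    """Endpoint-independent mapping: the public port is derived from the internal
    ip:port alone (an MD5 digest here, as the article describes), so every remote
    host sees the same public ip:port for that internal socket."""

    def __init__(self):
        self.table = {}

    def translate(self, src, dst):
        if src not in self.table:
            digest = hashlib.md5(f"{src[0]}:{src[1]}".encode()).digest()
            span = PORT_HI - PORT_LO + 1
            self.table[src] = (PUBLIC_IP, PORT_LO + int.from_bytes(digest[:2], "big") % span)
        return self.table[src]


PHONE = ("192.168.145.10", 10000)      # the VoIP device's RTP socket (address from the article)
STUN_SERVER = ("198.51.100.5", 3478)   # assumed: where the device discovers its public address
MEDIA_PEER = ("198.51.100.9", 10020)   # assumed: the far end that sends RTP back


def media_reaches_phone(nat) -> bool:
    """The device learns its public ip:port by sending to a discovery server,
    advertises that address during call setup, and the media peer sends RTP to
    it.  Audio arrives only if the NAT uses the same mapping toward the media
    peer that the discovery server reported."""
    advertised = nat.translate(PHONE, STUN_SERVER)
    actual = nat.translate(PHONE, MEDIA_PEER)
    return advertised == actual


def phone_port_after_other_flows(nat, n_other_flows: int) -> int:
    """Public port the phone receives once n other LAN flows were translated
    first.  A consistent mapping does not depend on n, which is what makes it
    work for VoIP and also what makes it predictable to an outsider."""
    for i in range(n_other_flows):
        nat.translate(("192.168.145.20", 40000 + i), MEDIA_PEER)
    return nat.translate(PHONE, STUN_SERVER)[1]


if __name__ == "__main__":
    for nat_class in (StandardNat, ConsistentNat):
        print(f"{nat_class.__name__:14s} media reaches phone: {media_reaches_phone(nat_class())}"
              f"  port with no other traffic: {phone_port_after_other_flows(nat_class(), 0)}"
              f"  after 5 other flows: {phone_port_after_other_flows(nat_class(), 5)}")
```

The simulation only covers the mapping side of NAT.  Whether an inbound packet to the mapped port is accepted also depends on the router's filtering rules, which is why the access rules in the following sections are still needed when the VoIP device sits behind the router.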

Programming the Router - VoIP Internet Ports

Two protocols are involved in a VoIP call: a signaling protocol (commonly SIP) sets calls up and tears them down, and RTP, the real-time transport protocol, carries the audio itself.  The Internet ports used vary by VoIP provider.  Using Vonage for our example, the RTP media ports are 10000 through 20000, and UDP, the user datagram protocol, is the transport protocol.

Search the network router's services to see if a service matching the ports and transport protocol is predefined.  If not, a service must be defined.

To define a service, click Firewall, then click the Services option, scroll to the bottom of the Services table, and click the Add... button.  In our example, we entered Vonage RTP for the name and 10000 and 20000 for the port range.  Select the UDP option for the protocol.  Click the OK button to save the configuration.

Programming the Router - RTP Inbound Rule

Vonage VoIP listens on UDP ports 10000 through 20000 for incoming call media.  To allow calls to be received, an inbound rule must be defined in the router for the RTP service.  This rule permits the router to forward that traffic to the VoIP device.

To create the rule, first click Firewall, then the Access Control option, and then click on the configuration icon at the intersection of WAN and LAN.

The five major components to the rule are as follows.

  • Give the rule a logical name.  In our example Vonage VoIP is used;
  • The private IP address of the VoIP router.  In our example the IP address of the VoIP router is 192.168.145.10;
  • The public ports 10000 through 20000 used for Vonage VoIP.  The VoIP router listens for RTP on these ports but cannot receive anything from the Internet while the router blocks the traffic.  Forwarding the public port range 10000 through 20000 to the VoIP router allows calls to be received and audio to be heard;
  • The type of service for RTP is UDP; and
  • The schedule of the period of time that the rule is in effect.  In our example the default Always is used.

To create the access rule, click the Add... button.  In our example, we selected Vonage RTP for service, All WAN IP for source, VoIP Service for destination, All for users allowed, and Always on for schedule.  We entered Vonage VoIP as the comment.  Click the OK button to save the access rule.

MagicJack VoIP Service

MagicJack uses a proprietary USB device that is connected to a computer.  A telephone is plugged into the other end of the USB device.  MagicJack allows an unlimited number of VoIP calls within the United States for $19.95US per year.  Comments from subscribers basically say that when it works, it works fine, and when it doesn't work...  A friend of mine recently called me from his log cabin in upstate New York.  We had been talking for about 30 minutes when he told me he was using MagicJack for the call.  I was surprised at the clarity and quality of the call.

The greatest limitation of MagicJack VoIP is that the telephone cord is restricted to a maximum of six feet, or about 2 meters.  This means that only one telephone can be connected at a time, and only one MagicJack can be used at a time on an Internet connection.  It also means you cannot connect a MagicJack to your house's telephone wiring.

There have been questions in the Home Server Land's forums about connecting a MagicJack to their Windows Home Server.  I would venture a guess that it would be possible as long as the distance between the WHS and telephone does not exceed six feet.  For example, a cordless multi-telephone system could probably be used.

The MagicJack website claims that VoIP calls can be sent and received from any computer that is connected to a network router.  The UDP ports 5060 and 5070 must be forwarded to receive calls.

Programming the Router - MagicJack VoIP Internet Ports

As with Vonage, RTP carries the audio while a signaling protocol sets up the call, and the ports used vary by provider.  MagicJack's published requirement is UDP ports 5060 and 5070.  Note that 5060 is the registered port for SIP signaling rather than for RTP media, so the service name MagicJack RTP used below is simply a label for the rule.

Search the network router's services to see if a service matching the ports and transport protocol is predefined.  If not, a service must be defined.

To define a service, click Firewall, then click the Services option, scroll to the bottom of the Services table, and click the Add... button.  In our example, we entered MagicJack RTP for the name and 5060 and 5070 for the port range.  Select the UDP option for the protocol.  Click the OK button to save the configuration.

Programming the Router - RTP Inbound Rule

MagicJack VoIP uses UDP ports 5060 and 5070 to receive calls.  To allow calls to be received, an inbound rule must be defined in the router for the MagicJack service.  This rule permits the router to forward that traffic to the computer the MagicJack is plugged into.

To create the rule, first click the Firewall and then the Access Control option, and then click on the configuration icon at the intersection of WAN and LAN.  Next click the Add... button to create the access rule.

Using MagicJack as an example, we selected MagicJack RTP for service, All WAN IP for source, All for destination, All for users allowed, and Always on for schedule.  We entered MagicJack VoIP as the comment.  Click the OK button to save the access rule.  Be aware that All for destination opens ports 5060 and 5070 to every host on the LAN.  If the computer running the MagicJack is given a static DHCP entry and an address object, as the VoIP Service object was in the Vonage example, use that object as the destination instead so that only that one computer is reachable from the Internet.
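A way to check rules like the Vonage and MagicJack rules above before saving them, as an added example that is not part of the original post and not a SonicWALL tool.  The rule records are constructed to mirror the two rules the text describes, the checks encode what a reviewer looks for in any router's forwarding table (a destination of All, overlapping forwards to different hosts, malformed or unusually wide ranges), and the WIDE_RANGE threshold and the "MagicJack PC" object name are assumptions.

```python
"""Least-privilege audit of inbound (WAN to LAN) access rules of the kind the
article builds for Vonage and MagicJack.

Added example for this article; not part of the original post and not vendor code.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    proto: str   # "UDP" or "TCP"
    lo: int
    hi: int


@dataclass(frozen=True)
class Rule:
    name: str
    service: Service
    source: str        # WAN source object, e.g. "All WAN IP"
    destination: str   # LAN address object, or "All"
    schedule: str


WIDE_RANGE = 1000  # assumed: ranges wider than this deserve a second look
Finding = Tuple[str, str, str]  # (rule name, severity, message)


def overlaps(a: Service, b: Service) -> bool:
    """True when two services share a protocol and at least one port."""
    return a.proto == b.proto and a.lo <= b.hi and b.lo <= a.hi


def audit(rules: List[Rule]) -> List[Finding]:
    """Return findings for the rule set; an empty list means nothing to fix."""
    findings: List[Finding] = []
    for r in rules:
        s = r.service
        if not (1 <= s.lo <= s.hi <= 65535):
            findings.append((r.name, "high", f"malformed port range {s.lo}-{s.hi}"))
            continue
        if r.destination == "All":
            findings.append((r.name, "high",
                             "destination is every LAN host; forward only to the VoIP device's address object"))
        width = s.hi - s.lo + 1
        if width > WIDE_RANGE:
            findings.append((r.name, "info",
                             f"forwards {width} ports; confirm the provider really needs the whole range"))
    # Two rules forwarding overlapping ports to different hosts cannot both be
    # honoured: the router matches one and the other device never rings.
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.destination != b.destination and overlaps(a.service, b.service):
                findings.append((f"{a.name} / {b.name}", "medium",
                                 f"overlapping {a.service.proto} ports go to different destinations"))
    return findings


def high_findings(rules: List[Rule]) -> List[Finding]:
    """Only the findings that should block saving the rule set."""
    return [f for f in audit(rules) if f[1] == "high"]


# Constructed to mirror the article's two rules.
VONAGE_RTP = Service("Vonage RTP", "UDP", 10000, 20000)
MAGICJACK_RTP = Service("MagicJack RTP", "UDP", 5060, 5070)
ARTICLE_RULES = [
    Rule("Vonage VoIP", VONAGE_RTP, "All WAN IP", "VoIP Service", "Always on"),
    Rule("MagicJack VoIP", MAGICJACK_RTP, "All WAN IP", "All", "Always on"),
]
# The same rules with the MagicJack destination pinned to an address object for
# the computer the MagicJack is plugged into (object name assumed).
FIXED_RULES = [
    ARTICLE_RULES[0],
    Rule("MagicJack VoIP", MAGICJACK_RTP, "All WAN IP", "MagicJack PC", "Always on"),
]

if __name__ == "__main__":
    for name, severity, message in audit(ARTICLE_RULES):
        print(f"[{severity}] {name}: {message}")
```

Run against the article's rules the audit passes the Vonage rule with only an informational note about the 10001-port range (which Vonage does require) and flags the MagicJack rule's destination of All; the FIXED_RULES variant is clean.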

 

Home Server Land's Recommendation:

We at Home Server Land make the following recommendations when considering VoIP as a replacement for your traditional (POTS) telephone service.

  • Connect a network switch to the cable/DSL modem and connect both the VoIP router and the network router to the switch;
  • Do not connect the VoIP router behind the network router;
  • Periodically review the VoIP router's logs for unauthorized access attempts; and
  • Use a strong password for your VoIP account management, and change the password regularly.
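What "review the logs for unauthorized access attempts" can look like when automated, as an added example that is not part of the original post.  No VoIP adapter log format appears in the article, so the lines below are constructed in a generic syslog style; adjust LINE_RE to the device's real format.  The known account, the failure threshold and the time window are assumptions.  A threshold rather than a single failure is used because one authentication challenge per registration is normal SIP behaviour, while a burst of failures against several account names from one Internet host is the signature of a scan or brute-force attempt.

```python
"""Scan constructed VoIP adapter log lines for SIP scanning and brute-force attempts.

Added example for this article; the log format, account list and thresholds are
assumptions, not taken from any particular device.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: two legitimate incoming calls from the provider's server,
# and between them a burst of requests from one Internet host trying several
# account names against the adapter's exposed SIP port.
SAMPLE_LOG = """\
Jun 12 03:14:05 voip-adapter sip: INVITE from 198.51.100.5:5060 user=5551234 result=200
Jun 12 03:15:01 voip-adapter sip: REGISTER from 203.0.113.44:5060 user=5551234 result=401
Jun 12 03:15:02 voip-adapter sip: REGISTER from 203.0.113.44:5060 user=5551234 result=401
Jun 12 03:15:03 voip-adapter sip: REGISTER from 203.0.113.44:5060 user=admin result=403
Jun 12 03:15:04 voip-adapter sip: INVITE from 203.0.113.44:5060 user=1000 result=404
Jun 12 03:15:06 voip-adapter sip: INVITE from 203.0.113.44:5060 user=1001 result=404
Jun 12 03:15:08 voip-adapter sip: INVITE from 203.0.113.44:5060 user=1002 result=404
Jun 12 03:40:00 voip-adapter sip: INVITE from 198.51.100.5:5060 user=5551234 result=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sip: (?P<method>\w+) from "
    r"(?P<ip>[\d.]+):\d+ user=(?P<user>\S+) result=(?P<code>\d{3})$")

KNOWN_USERS = {"5551234"}        # assumed: the account(s) provisioned on this adapter
FAILURE_CODES = {401, 403, 404, 407}
FAIL_THRESHOLD = 5               # assumed: this many failures from one source ...
WINDOW = timedelta(seconds=60)   # ... within this window raises an alert


def parse_line(line: str, year: int = 2009):
    """Return a dict of fields for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "user": m["user"],
            "method": m["method"], "code": int(m["code"])}


def detect(log_text: str):
    """Return sorted (alert type, source ip, detail) tuples for the log text."""
    alerts = set()
    recent_failures = defaultdict(deque)   # source ip -> timestamps in the window
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["user"] not in KNOWN_USERS:
            # Requests for accounts this adapter does not have are enumeration.
            alerts.add(("unknown_account", ev["ip"], ev["user"]))
        if ev["code"] in FAILURE_CODES:
            q = recent_failures[ev["ip"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                alerts.add(("brute_force", ev["ip"],
                            f"{FAIL_THRESHOLD}+ failures within {WINDOW.seconds}s"))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG):
        print(f"{kind:16s} {ip:16s} {detail}")
```

The sources that trigger alerts are candidates for a block rule on the router, and an adapter that only ever needs to talk to its provider can also be told to accept SIP from the provider's servers alone.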

This blog identified the threats associated with adding VoIP service to your broadband Internet connection.  Consider the threats from attacks made against the VoIP router, and update the security plan to identify them and the methods that address them.  We have developed the Voice over IP Threats Risk Assessment to assist with identifying and reducing the threats we described.  The Threat and Risk Assessment Worksheet can be used to document the threats that have been identified and as a basis for managing them.  Both documents are attached at the end of this blog.

Summary

This concludes Part 15 of Securing Your WHS & Network.  We identified the risks and vulnerabilities associated with adding VoIP service to your Internet connection.  Although VoIP attacks are not directed at the WHS itself, they can degrade the performance of the network the WHS shares.  We explained alternative ways to separate the VoIP traffic from the network traffic, and we used Vonage and MagicJack as examples to explain the router configuration needed to send and receive calls.

In Part 16, we will address the threats and security compromises associated with Windows Home Server Add-In products, and identify the vulnerabilities that come with installing Add-Ins developed for the Windows Home Server.  In the meantime, we look forward to your questions and discussion in response to this blog.

We will be taking a break for the summer after we publish Part 16.  We will resume the Securing Your WHS & Network series in September with a different perspective.  Parts 1 through 16 are intended to be both educational and informative, focusing on the security of the WHS and the network.  We hope that you have enjoyed this blog.

Starting with Part 17, we will structure the content in a top-down approach, emphasizing the planning stage and the use of standards.  Our basic assumption from Part 17 onward is that neither a network nor a home server exists yet.  We will present the material in a highly structured format to show our community members that they can build a network and install a Windows Home Server.

Attachments

Continue to Part 16 - Windows Home Server Add-In Threats

  • I can't sign into my account. The forgot password function is not sending any message to my email account. I am unable to get into the site to beta test the Outlook add-in, which I have already been approved for.

    BTW, this site has no mechanism for a reader to contact the admin. I'm resorting to leaving a comment on an article. That's not very user friendly.

  • Thank you for your comment.  We are in the midst of a software upgrade to the site and we are working on a few glitches.  I have referred your request to the site admin.

  • I make a lot of long distance phone calls and Magic Jack would be perfect for me if I could connect it to the WHS :( I have tried this but run into many problems. Does anyone know any other VoIP solution (not WHS add-in) that would work directly on the WHS?

  • I continue to NOT be able to sign in. Would someone please contact me at my email address that is linked to my name to help resolve this issue. This website (and my beta testing) is useless without account access. Thank you.

  • Hi Douglas

    Sorry to hear you are having a hard time. We are in the midst of site upgrades and the contact us page will be available shortly. We have checked our system and do not have any user with your said email address registered. If you believe this to be in error please contact us to further explore at:

    www.kentdome.com/contact