Vonage Broadband Phone Service

by Kevin T. Blakley

As a 15-year security professional and Vonage phone-service user over the past six months, I have uncovered some serious security problems with its use and solutions to possible security risks for both business and home users.  This broadband phone service, which saves the end-user hundreds or even thousands of dollars a year on local toll and long distance charges, can pose certain vulnerabilities to your network.  The service, which uses Cisco's VoIP ATA-186 telephone adapter, opens several holes in network security.

Vonage offers little help with serious technical or security issues and, in fact, several technical representatives stated to me that I should simply allow all traffic on the following ports (UDP: 53 [DNS], 69 [TFTP], 123 [SIP], 5060, 5061, and 10000-20000) into my secured local-network for any source IP.  There are many exploits for all of these ports that include exploits for TFTP on port 69, computer management on port 10000, and others.  Vonage refuses to provide their source IPs for the VoIP connections.

Given this information, one could easily set up firewall rules that would allow traffic only from Vonage's VoIP server addresses to the voice unit.  Service redirection, which is known to most seasoned firewall users, allows the firewall to map user-defined ports to a predefined local or private IP address.  This, while not suggested by Vonage, would suffice in securing the local private network and also provide security to the ATA unit.  What was suggested by Vonage was the placement of the ATA-186 into a DMZ firewall zone.  While this offers some logging ability for attempted attacks, it opens up the ATA unit itself to possible attacks via the open service ports mentioned above, specifically TFTP, and a service that is normally turned off: HTTP (port 80).

Since broadband Internet service is today almost as common as a television and with broadband phone service providers such as Vonage gaining popularity, it is the responsibility of security professionals such as myself to provide information to the general public relating to security threats.

Personal firewalls, such as the one provided in Windows XP and the many variants on the market, protect the computer on which they are installed from various attacks.  However, they do not protect any other device that is on the same network connected through a broadband router.  Many of the most popular broadband router/firewalls on the market today do offer some packet filtering but most do not inspect UDP traffic, which is what the ATA-186 voice unit uses to communicate VoIP traffic.

For those home or business users who do not employ a firewall on the front-end of their network, I would suggest doing so and employing stateful packet inspection of all traffic relating to the use of any VoIP device. Such small office and home products are available from many manufacturers such as Check Point, Watchguard, Netgear, and Linksys.

In no way am I discounting the value of broadband phone service providers.  However, it is my opinion that these same providers should be a little more security conscious.