One of our home users has cable Internet with SHAW and their modem is not compatible with VoIP. Even after port forwarding tinkering they still complain constantly. They are also not tech savy so debugging this issue has become a bit of a nightmare. The only thing that seems to work is putting the VoIP phone in the DMZ and I need to know how dangerous this is for us.
The phone GUI is visible on the public and open to potential hackers. We put a 30 character user and admin passcode on the phone to protect it but I am still a bit worried. If hackers were to breach the phone they could probably make calls in this account but that’s about it. No?
Any comments?
are you sure it is a Shaw issue and not a bandwidth issue?
if someone hacks into the phone, they can get the user id, password and ip address of the server which will enable them to register a phone on your pbx and make calls.
it’s not a Shaw or bandwidth issue.
The problem is the router. The firewall is causing all sorts of issues, and we can’t turn off SIP ALG unless we switch it to bridge mode (which the end user does not allow). The DMZ seems to do the trick but like you said it could come back to bite us in the …
Depending on the phone, you should be able to disable the management interface, or at least lock the phone’s management port down to a specific address.
If you are using a reasonably large and complex management password on the web interface, you should be able to get by with this relatively safely.
If the customer has a static IP address, you can limit the extension’s allowed IP address to the specific range that the DMZ is coming from. That way, your list of perpetrators can be narrowed considerably.