Zulu and firewall security considerations for future mobile clients

I like the direction Zulu is going and it will hopefully become the UC package containing the features we need. I have read about a mobile client coming soon, that’s great.

I just wanted to bring up some considerations for roaming remote clients and changing IP addresses when it comes to firewall security.

Traffic from the mobile phones Zulu will be running on will have to be allowed through our firewalls, but many of us users wouldn’t be comfortable opening the Zulu port (whichever one it will require) to the internet without having any whitelisting of IP addresses or FQDNs in place.

Does Sangoma, @tonyclewis, have anything specific in mind on how to address this?

I would have a few suggestions:

  1. Best would be to integrate an OpenVPN client into the Zulu app, connecting to the VPN server managed in Sysadmin pro. For people with FPBX behind a NAT firewall and an off-board VPN server like us, they need this feature: https://issues.freepbx.org/browse/FREEPBX-12442?filter=-2.

  2. Second best would be to integrate a DDNS client into the Zulu app, updating the IP address of the phone whenever it changes, and we could then allow FQDNs on our firewalls.

  3. Responsive firewall could probably do some filtering, but for people with FPBX behind a NAT firewall not using the FPBX firewall, it would be best to not have to allow unwanted traffic to the PBX in the first place, hence options 1 and 2 would apply.

I am bringing this up now, as I know Zulu mobile is in development and we are budgeting for a potential large purchase later this year for several of our few hundred user HA installs.

Other Zulu users, please also comment on what you would need and want.

Thanks.

We have not decided on that route at this time but have plenty of ideas with some of them being what you have suggested and others.

Right now focus is on all the other features and stability.

Well, personally, ever since @tonyclewis yelled at me for not “just using the responsive firewall” to solve my issues, we have found it's much easier to just port forward the traffic to the phone system and allow the responsive firewall to just sort itself out.

Technically speaking, the way it's designed is that if the initial packet is sent with the wrong authentication, the firewall polices the traffic and then denies it if sent again incorrectly.

What are the chances that someone is going to know your extension combined with password in the first few guesses? It's like anything else. Keep the passwords long for the accounts.
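
The police-then-deny behaviour described in the post above, as a simplified model added here as an example; it is not part of the original thread and is not FreePBX's code. The thresholds, the class and function names, and the sample traffic are all assumptions chosen to show how many guesses a source gets before it is denied.

```python
# Simplified model of the behaviour described in the post above. Thresholds
# and names are assumptions for illustration, not FreePBX's actual values.
from collections import defaultdict

MAX_FAILURES = 2      # assumed: failed attempts tolerated per window
WINDOW_SECONDS = 60   # assumed: window over which failures are counted
BLOCK_SECONDS = 300   # assumed: how long an offending source stays denied

class ResponsiveFilter:
    def __init__(self):
        self.failures = defaultdict(list)  # src -> timestamps of failed auths
        self.blocked_until = {}            # src -> time the block expires
        self.trusted = set()               # sources that have authenticated

    def handle(self, ts, src, auth_ok):
        """Return 'allow' or 'deny' for one authentication attempt."""
        if src in self.trusted:
            return "allow"
        if self.blocked_until.get(src, 0) > ts:
            return "deny"                  # dropped before credentials are checked
        if auth_ok:
            self.trusted.add(src)
            self.failures.pop(src, None)
            return "allow"
        recent = [t for t in self.failures[src] if ts - t < WINDOW_SECONDS]
        recent.append(ts)
        self.failures[src] = recent
        if len(recent) > MAX_FAILURES:
            self.blocked_until[src] = ts + BLOCK_SECONDS
            return "deny"
        return "allow"                     # reached the PBX, which rejected the login

def replay(events):
    fw = ResponsiveFilter()
    return [fw.handle(ts, src, ok) for ts, src, ok in events]

# Constructed sample traffic (documentation addresses): a roaming phone that
# fails once and then authenticates, and a source that keeps guessing.
EVENTS = [
    (0, "198.51.100.7", False), (5, "198.51.100.7", True),
    (9, "198.51.100.7", True), (10, "203.0.113.50", False),
    (11, "203.0.113.50", False), (12, "203.0.113.50", False),
    (13, "203.0.113.50", True), (400, "203.0.113.50", False),
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS)):
        print(event, verdict)
```

With these assumed values a guessing source gets `MAX_FAILURES` attempts per block period, and even a correct credential sent during the block is dropped, which is why the post's advice on long passwords still matters.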

I would never yell. Just highly encourage. Lol.

…yes… highly encourage. I can't wait to come out for training in the next year so I can hear you… highly encourage us all to learn FreePBX. lol

However, that is what you recommend for Zulu, right? Or is that maybe why the firewall is blocking my ZULU connection? Because it's not going through the responsive firewall and my interface is set to internet?

Zulu does not use SIP. It uses Web Sockets. It has its own port.

Maybe something like fwknop (SPA) in both the Zulu UC client and PBX is a potential option?