atcomsystems.ca/forum Forums VOIP Phones & IP PBX Networking Port forwarding and security

As a network admin, that's so true. My concern usually isn't with the systems themselves, it's the associated Windows Server or *nix server that might be required.

The other thing that I will add though is that in many organizations, the phone system falls under IT control. Depending on the IT policy, it may be prohibitively restrictive. I've seen this in some organizations back when I was doing field work. Trying to get a little change implemented took cutting through so much red tape it's ridiculous. And if it involved opening up a single port, doing a single translation, good grief.. The way some companies I've dealt with handled it, you'd think it was Chicken Little and the sky was falling.

All that said, in the case of the client I live at, we run an Avaya IP406 system. Rather than having direct access from the Internet to it and doing any translations, I use LogMeIn to get into the Windows server that has all the management software on it. Works quite well in that regards. Of course, I'm the network admin here, so it's not an issue for me to put LogMeIn on there. Some IT groups may have issues with it though.

The other thing that I will add though is that in many organizations, the phone system falls under IT control.

There be the problem!!

My preferred program is Crossloop for those time when I need to remote a computer, but I have been considering it for this situation...

I think the best pat is the CG can't complain, since the customer must initiate the connection from inside the system... and when you're done, they close the "hole", so to say.

I just heard about Crossloop today. Looks interesting.. I need to investigate it more.

I could be wrong but I am guessing that Crossloop is similar to GoToMyPC? If yes then that would require loading proprietary software to an in house computer and then you would gain access to that computer from a remote location. If this is the case then you have opened up a larger security hole than the one that is originally being avoided?

Yes-No-Maybe :shrug:

The way I understand it is that it is similar, but it's a customer initiated connection. If you're familiar with the Remote Assistance feature of Windows, it's the same idea. That's the way I'm interpreting it, but I haven't had a chance to do a whole lot more investigation yet on it. It sounds like there's more to it than just that.

It is a customer-initiated process. You cannot start it remotely.

Now maybe this isn't possible, but are they able to give you an unused public IP? You could then plug the system in ahead of their internal network and in front of their fire-wall/pix/etc.

As a side note, Teamviewer is another tool for remote access to a single computer. They have a "customer module" which doesn't install the app, and when you close the app, it is no longer running (can delete the .exe file in the user's temp files). Works nicely. I also use LogMeIn for a more permanent way of remote access/hands.

I think it goes without saying, whatever you give access to the internet, make sure it is fully patched. Even the more obscure systems, I'm sure that those manufacturers have security patches that should be applied. It takes one simple e-mail/forum post to the security mailing lists on a possible security bug for a bot to be written by a nefarious person, which automates the scanning and network penetrations.