Voice over IP (VoIP) telephone service over the Internet is gaining ground, with Vonage being a major provider of the service. Linksys is a major manufacturer of the equipment that the VoIP service relies on.
Droit Technologies became involved with a customer, a small company with an existing DSL Internet connection using the Linksys BEFSR41 router. The customer, testing the Linksys RT31P2 VoIP router with Vonage before taking it home, was able to make a call without any effort beyond plugging the unit into the LAN. The RT31P2, behind the BEFSR41 DSL/cable router (firmware version 1.46.02, Aug 3, 2004), was getting through to the Internet without any ports open for VoIP on the BEFSR41 and with UPnP disabled. According to the Vonage site, the following IP ports need to be open:
SIP 5060-5061
NTP 123
TFTP 69
DNS 53
RTP 10000-20000
Possibly Linksys sees this as a desired feature and, judging from several e-mails, does not see the matter as a security flaw. VoIP may be used mostly at home, but the potential exists for an employee with an RT31P2 router, at a company using a BEFSR41 DSL/cable router for Internet access and firewall protection, to make phone calls from the company using the "alleged free" bandwidth. Firewall and NAT traversal is a feature of the SIP protocol. At present (5/3/2005), the BEFSR41 manual does not mention this capability of the VoIP router.
The IT manager at the small company may think the router is blocking all access unless explicitly turned ON with port forwarding or UPnP enabled.
How can the VoIP service be blocked before it becomes an issue? The BEFSR41 router supports port filtering, and for the Vonage system, filtering UDP ports 5060-5061 and 10000-20000 stopped VoIP, as far as Droit Technologies' testing showed.
It is unknown whether filtering ports is the correct solution. Ports above 1024 seem to be fair game for any service, and are thereby a potential booby trap waiting.
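An added example, not part of the original write-up: a Python check that scans outbound flow records for LAN hosts sending UDP to the port ranges filtered above, so an unannounced VoIP adapter can be spotted on the network. The log format, the 192.168.1.0/24 LAN and matching on destination port are assumptions, the sample records are constructed, and a port-only match can also flag unrelated services that use the same high ports.

```python
import ipaddress
from collections import defaultdict

# UDP ranges the page reports filtering on the BEFSR41 to stop Vonage VoIP.
VOIP_UDP_RANGES = {"SIP": (5060, 5061), "RTP": (10000, 20000)}

# Constructed sample flow records. Assumed format:
# "<proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_FLOWS = """\
UDP 192.168.1.50:5060 -> 203.0.113.10:5061
UDP 192.168.1.50:13456 -> 203.0.113.20:10500
UDP 192.168.1.50:13458 -> 203.0.113.20:10502
TCP 192.168.1.23:51000 -> 198.51.100.7:443
UDP 192.168.1.23:40000 -> 198.51.100.53:53
UDP 203.0.113.20:10500 -> 192.168.1.50:13456
malformed line
"""

def classify(port):
    """Return "SIP" or "RTP" if the port falls in a listed range, else None."""
    for name, (low, high) in VOIP_UDP_RANGES.items():
        if low <= port <= high:
            return name
    return None

def find_voip_hosts(log_text, lan="192.168.1.0/24"):
    """Map each LAN host to counts of outbound UDP flows aimed at VoIP ports."""
    lan_net = ipaddress.ip_network(lan)
    hits = defaultdict(lambda: {"SIP": 0, "RTP": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->" or parts[0].upper() != "UDP":
            continue  # not a UDP flow record in the assumed format
        try:
            src_ip, _ = parts[1].rsplit(":", 1)
            dst_ip, dst_port = parts[3].rsplit(":", 1)
            src = ipaddress.ip_address(src_ip)
            dst = ipaddress.ip_address(dst_ip)
            port = int(dst_port)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        # Only LAN -> Internet flows: the direction that needed no port forwarding.
        if src in lan_net and dst not in lan_net:
            kind = classify(port)
            if kind:
                hits[src_ip][kind] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, counts in find_voip_hosts(SAMPLE_FLOWS).items():
        print(host, counts)
```

A host that shows both SIP and RTP counts is a stronger indicator of a VoIP adapter than one that only touches the high port range.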
