Author Topic: Is it safe to port forward from public IP direct to phone system?  (Read 1433 times)

mattybrownuk
We currently use Mitel Phone Manager as a softphone for all of our remote workers, which has worked well so far, connecting via an SSL VPN client on the user's PC back to our corporate network, where our MiVoice Office 250 is.

I've been asked if it's possible to connect a physical Mitel 5330e handset remotely, over the Internet and I'm told it is, but I have my concerns over how secure that would be.  Having the softphones connect in via a secure VPN tunnel seems much safer, but it's hard to see how I could get a desk phone connected as securely.

I'm told that I don't need to use Mitel Border Gateway (MBG) - I can just forward a number of TCP and UDP ports from our public IP address to our phone system, boot the phones up whilst holding 7, input our public IP address and the phones will connect as if they're onsite.  But that doesn't sound very secure to me - especially given the easily guessed default PIN numbers for extensions.

What would MBG give me, over and above what could be accomplished by port forwarding?  Is port forwarding really as insecure as it sounds?


acejavelin
« Reply #1 on: May 19, 2020, 04:45:31 PM »
You will be forwarding a specific set of ports directly to the phone system, literally tens of thousands of systems are set up this way... There is no appreciable security concern as long as it's done properly.

I usually tell customers, depending on their Internet connection, that 4-6 phones remotely via port forwarding is fine, much more than that needs an MBG. That said, I have customers with 20+ phones remotely via port forwarding and zero issues. I have never seen, nor heard from another tech anywhere (and I talk to a lot of them), of a security breach via a remote MiNet phone or its connection.

What exactly does an MBG give you over port forwarding? Capacity, management, some level of security.
Is port forwarding as insecure as it sounds? No, there are no appreciable security concerns with MiNet phones (SIP is a different story though).

cholzhauer
« Reply #2 on: May 20, 2020, 08:38:52 AM »
I did port forwarding for about seven years with close to twenty phones and never had an issue with security or performance. Make sure you only forward the ports you need and keep your phone system semi-current, and you'll be fine.

Travis
« Reply #3 on: May 20, 2020, 11:31:13 AM »
Mattybrownuk,

If you are familiar with Debian and iptables you can SSH into the system and open the ports via command to specified public. This would typically only work if all the offsite phones have static addresses on their end.

I have also been opening the ports for remote phones that use MiNet without a single issue... ever.

The company I work for made it a practice to put a bunch of systems directly on public addresses without any firewall configuration for years. When that Exim attack came around I had my hands full, lol. Not a single issue since with EVERY port open.
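
As an added illustration of the source-restricted iptables approach mentioned in the post above (not code from the thread or from Mitel), this shell function prints, without applying, rules that open the phone ports only to known remote sites and log and drop everything else. The port numbers, addresses and the chain name `REMOTE_PHONES` are constructed placeholders, and it assumes every remote site has a static IPv4 address.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that open the phone ports
# only to known remote-site addresses. All values below are constructed.

# Placeholder proto:port entries; substitute the list from the vendor's docs.
PHONE_PORTS="tcp:10001 udp:10002:10010"
# Constructed static addresses of remote sites (RFC 5737 documentation ranges).
ALLOWED_SOURCES="203.0.113.25 198.51.100.0/28"

# Shape check only: dotted-quad IPv4 with an optional /0-32 prefix.
valid_source() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Accept only "tcp|udp:port" or "tcp|udp:first:last".
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^(tcp|udp):[0-9]{1,5}(:[0-9]{1,5})?$'
}

emit_rules() {
    ports=$1; sources=$2
    # Validate everything first so a bad entry yields no partial rule set.
    for s in $sources; do
        valid_source "$s" || { echo "bad source: $s" >&2; return 1; }
    done
    for p in $ports; do
        valid_port "$p" || { echo "bad port spec: $p" >&2; return 1; }
    done
    echo "iptables -N REMOTE_PHONES"
    for p in $ports; do
        proto=${p%%:*}; range=${p#*:}
        # Send traffic for each phone port to the dedicated chain.
        echo "iptables -A INPUT -p $proto --dport $range -j REMOTE_PHONES"
    done
    for s in $sources; do
        echo "iptables -A REMOTE_PHONES -s $s -j ACCEPT"
    done
    # Anything else that reached a phone port is logged, then dropped.
    echo "iptables -A REMOTE_PHONES -j LOG --log-prefix 'remote-phone-deny: '"
    echo "iptables -A REMOTE_PHONES -j DROP"
}

emit_rules "$PHONE_PORTS" "$ALLOWED_SOURCES"
```

The logged denials give a record of who is probing the forwarded ports, which is the evidence to review before widening the allowlist.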

mattybrownuk
« Reply #4 on: May 20, 2020, 06:27:52 PM »
> You will be forwarding a specific set of ports directly to the phone system, literally tens of thousands of systems are set up this way... There is no appreciable security concern as long as it's done properly.
>
> I usually tell customers, depending on their Internet connection, that 4-6 phones remotely via port forwarding is fine, much more than that needs an MBG. That said, I have customers with 20+ phones remotely via port forwarding and zero issues. I have never seen, nor heard from another tech anywhere (and I talk to a lot of them), of a security breach via a remote MiNet phone or its connection.
>
> What exactly does an MBG give you over port forwarding? Capacity, management, some level of security.
> Is port forwarding as insecure as it sounds? No, there are no appreciable security concerns with MiNet phones (SIP is a different story though).

> I did port forwarding for about seven years with close to twenty phones and never had an issue with security or performance. Make sure you only forward the ports you need and keep your phone system semi-current, and you'll be fine.

> I have also been opening the ports for remote phones that use MiNet without a single issue... ever.

Thanks for the advice guys, much appreciated.

mattybrownuk
« Reply #5 on: May 20, 2020, 06:34:45 PM »
> If you are familiar with Debian and iptables you can SSH into the system and open the ports via command to specified public. This would typically only work if all the offsite phones have static addresses on their end.

Can't say I am familiar with Debian and iptables, no.  But none of our staff working remotely (me included) have static IP addresses, unsurprisingly.

I am a bit concerned about setting up port forwarding from our public IP to our phone system - especially as the client end has to be left open to any IPv4 address, but less so than I was, now I know this is the way plenty of others do it and it hasn't caused you guys issues.

Dogbreath
« Reply #6 on: May 21, 2020, 06:37:43 AM »
The difference between SIP and MiNet in this instance is that SIP is an open protocol with plenty of implementations of exploit tools and MiNet is a proprietary protocol that nobody has got around to writing them for yet.
So if you expose the MiVO 250's SIP port [and the SSH port for that matter] to the internet a) the MiVO 250's puny CPU will soon be overwhelmed dealing with requests b) some of the requests may actually succeed.
If your firewall has geo blocking capabilities, use them. We know that the only valid country any of our customers' handsets will be coming from is the UK, so we allow only that on the access rule.

acejavelin
« Reply #7 on: May 21, 2020, 10:42:11 AM »
> The difference between SIP and MiNet in this instance is that SIP is an open protocol with plenty of implementations of exploit tools and MiNet is a proprietary protocol that nobody has got around to writing them for yet.
> So if you expose the MiVO 250's SIP port [and the SSH port for that matter] to the internet a) the MiVO 250's puny CPU will soon be overwhelmed dealing with requests b) some of the requests may actually succeed.
> If your firewall has geo blocking capabilities, use them. We know that the only valid country any of our customers' handsets will be coming from is the UK, so we allow only that on the access rule.

Fortunately, none of those ports are needed for remote MiNet phones.


 
