BCM50 Remote IP Sets - VPN or not to VPN?

Status
Not open for further replies.

dukane123

Technical User
Feb 12, 2020
CA
Hi all,

The medical clinic where I manage a BCM50 R6 (fully patched) has asked me to look into setting up remote IP sets that employees can use from their homes.

I have some spare i2004 sets lying around and with the Remote Worker/NAT Traversal feature, this seems relatively straightforward to set up. However... using the Remote Worker feature instead of a VPN would mean that voice traffic is unencrypted, and given that this is a medical clinic, calls over IP sets would involve confidential information.

My aim is not to install an IP set solution that would compromise confidentiality, but I'm trying to understand if using the Remote Worker feature is any more risky from a security standpoint than having a confidential discussion over a POTS line (which the clinic already uses several of).

Have any of you vendors/installers used the Remote Worker setup for businesses where confidentiality is important (medicine, law, etc.), or do you have another preferred method for connecting remote IP sets to the BCM? I'm curious to hear some perspective on this...

Thanks!
Matteo
 
I have never had those types of clients worry or ask about it.

From what I understand but could be wrong with some of this....

Remote Worker has its own tunnel (IP set to the BCM) via UDP ports.
When the port is forwarded the router excuses itself from intervention, like bridging your internet modem.

VPN would only be protecting/encrypting the call between the IP set and the BCM, not calls out on the BCM's trunks.

IP Sets are still digital between set and BCM

A hacker would have to:
1. Know the public IP of one of the sites, be it BCM or the user's home/office.
2. Tap into the connection/router/network
3. Put a sniffer on the connection (Wireshark etc.)
4. Know which RDP packets to capture and decipher
5. If it's a hacker who is after info on a specific person or event, then would they even know who is talking to who or what they are really talking about?

If anything I would say any paranoia should be focused on the voip trunk maybe.
I read if the police wanted to "wiretap" a voip line then the carrier would put a temp conversion from RDP to analog lines, then back to RDP etc, so the police would wiretap the temp analog lines.

If the remote routers are set up as VPN to the main office then you probably only need to enter the local IP of the BCM into the set config, but that is just an assumption as well.

Maybe/hopefully more phone nerds will reply since this is not my forte.









=----(((((((((()----=
Toronto, Canada

 
Thank you for your input cc.

What you explained makes sense to me. As of now, I'm likely going to choose to go ahead with the Remote Worker setup. If anyone else has something to add, I welcome any other feedback.

Matteo
 
I am being asked to deploy 2 of these setups, and I don't think I've done it for about 2 years, so I'm trying to come back up to speed. My 2 clients use 1140e with latest firmware (that I know of) and I'm putting in a separate xDSL for these projects, only because I don't control network access. As for wiretaps of VoIP stuff, I'm a little dated on what's current, but I do remember lawful intercept had to be on every North American network (IP, VoIP, cell, etc.) new and existing by 2008. I lost track of the legislation shortly after 2012.

Now to re-read up on Remote Worker :)

Thanks for your reply, CC

rr
 