
How to convince Security Firewall Personnel MBG is secure?

Status
Not open for further replies.

danramirez

Programmer
Oct 25, 2009
1,135
ES
Hi Gents,

Every time I approach a customer and I ask to connect the MBG directly to the internet, or on the DMZ with several ports forwarded, panic and questions start coming.

What I do is I forward the MBG Engineering Guidelines, and sometimes I convince them, sometimes not.

What do you tell them to convince them the MBG is secured?

regards,

daniel


 
Sometimes I ask them why they think their firewall is secure, then tell them that this is closed to only the ports required for operation.
 
I think a lot of customers don't like the fact that you can't see any statistics or reporting like you can with an actual firewall. It is 'taken as read' that it does its job but it's all hidden away.
If you stick it in a DMZ behind a firewall you can lock down what traffic is allowed to reach it and you can then monitor the allowed traffic as well as the disallowed. If it's directly connected to the Internet you don't get these statistics and have to rely on the software writers and that the underlying OS isn't vulnerable to yet another bug.
I guess standard authentication best practices apply (as with any OS) - strong passwords, 2FA etc. You don't want to have a host that hackers can easily get into that can proxy SSH sessions to hosts on your internal network.
 
That's true.
Our hospital uses an external firewall cluster for all services.

E.g. Citrix Netscalers for remote access are placed behind that.

In our case the MBGs are not behind it, because, I think, it's not needed because our telco uses a direct IP link for voice only.

We do have an MBG for MiCollab facing the internet.
That box is placed in our DMZ.

I'm a customer, let me explain my thoughts.

I understand the discussion!
But... why do you care?
If you manage and install the phone systems and the customer trusts you and Mitel's technology and does not need an extra firewall: great.

If they are questioning the technique, it may be (corporate) company policy or whatever reason:
It's probably more work for you, I know setting up voice in a firewall costs the customer -and you!- probably more time. One-way audio is one of the commonly known issues.

Troubleshooting afterwards also costs more work.
But: that's up to the customer.

Explain the options, share the docs -as you did-, and let the customer decide.
But it's fair to be clear: they'll have to be ready for extra work themselves and pay for your extra work now and probably troubleshooting hours in the near future.

Don't argue, that's not professional, and as a (technically skilled) customer: I like to have options, and will probably choose the best for our hospital, also with the company-security-policy in my mind.
But in a commercial business, the manager may like to choose the cheapest option.
You never know. And if you don't argue: it doesn't matter and you get paid either way and are respected for your work :)



 
Ps. The Corona causes a lot of extra traffic.
The Mitel MIB is just not what I expected of a professional phone system: no trunk utilization OID/ no history in the GUI.

But even in our case, without the firewall in between, I have a nice way to see the historical utilization of the SIP trunks:
Our network management system monitors the network interfaces.
1 SIP channel uses the same amount of data.
So quite accurate for the purpose: visual history of the channels used, with 'busy times'.
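Added example (not part of any post in this thread): one way to turn polled interface octet counters into the channel history described in the post above. It assumes the interface carries voice only, G.711 with 20 ms packets at about 87.2 kbit/s per channel per direction, and all function names and sample readings are constructed for illustration.

```python
"""Estimate concurrent SIP channels from polled interface octet counters."""

# Assumption: G.711, 20 ms packets, measured on Ethernet, one direction:
# (160 payload + 12 RTP + 8 UDP + 20 IP + 18 Ethernet) bytes * 50 pps * 8 bits
PER_CHANNEL_BPS = 218 * 50 * 8  # 87,200 bit/s


def counter_delta(prev, curr, bits=64):
    """Difference between two SNMP counter readings, allowing one wrap."""
    return curr - prev if curr >= prev else curr + (1 << bits) - prev


def estimate_channels(samples, bits=64, per_channel_bps=PER_CHANNEL_BPS):
    """samples: [(unix_time, octets), ...] -> [(unix_time, channels), ...]."""
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            continue  # skip duplicate or out-of-order polls
        bps = counter_delta(c0, c1, bits) * 8 / (t1 - t0)
        out.append((t1, round(bps / per_channel_bps)))
    return out


def busy_times(estimates, trunk_channels, threshold=0.9):
    """Poll times where estimated usage reached threshold * trunk size."""
    return [t for t, ch in estimates if ch >= threshold * trunk_channels]


# Constructed sample: 5-minute polls of a 32-bit counter that wraps once.
SAMPLES = [(0, 4_284_967_296), (300, 3_080_000),
           (600, 94_640_000), (900, 127_340_000)]

if __name__ == "__main__":
    est = estimate_channels(SAMPLES, bits=32)
    print(est)                                 # estimated channels per poll
    print(busy_times(est, trunk_channels=30))  # polls at >= 90% of 30 channels
```

Signalling or any non-voice traffic on the same interface inflates the estimate, so the figure is an upper bound unless the link is voice only.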
 
Cheers All.

We finally managed to install the MBG on the DMZ and they did port forwarding accordingly. So far so good.

Also added some whitelist IP ranges on the MBG.

regards,

daniel


 