Security and OBiTalk

Started by JeffGT, January 06, 2013, 05:18:45 PM


JeffGT

Call me paranoid but while I love the convenience and utility of OBiTalk, I do not want to have a portal that has full access to my device (and home network for that matter) at all times. Instead, I would like to configure my OBi202 to control OBiTalk from within the device's web configuration.  Any assistance with this would be greatly appreciated.  I understand some features will not work in this configuration, but what I am doing will work fine.

My initial service providers were successfully set up via OBiTalk and are working fine. I then disabled auto-provisioning of OBiTalk & ITSP and closed port 10000 but I can still see all device settings from within OBiTalk. I would prefer to leave the device in my dashboard and reconnect it when I need to tweak the configuration via an OBi202 setting. I also changed the admin password on my device and OBiTalk can still see it and make calls remotely. Is there a hidden OBiTalk administrator account on my device separate from the local device admin? How is the device to OBiTalk connection established and maintained?

And yes, I actually read the Admin Guide.

giqcass

I was also concerned about security. That is why I did not use the portal to set up my Obi. The information on how to set it up manually is hard to find but I found it. Shows how to set it up via portal and via direct connection.

http://voxilla.com/2011/01/24/how-to-use-google-voice-and-obi-for-all-your-calls-free/

Port 10000 is a voice service for the ObiTalk network. I believe blocking that port might also disable the Obion App.

Others have been concerned about a "backdoor" situation.  I'm personally not sure what to make of it.
You may find your answer here.  Let me know if this works for you.

http://www.obitalk.com/forum/index.php?topic=3229.0

Long live our new ObiLords!

ProfTech

I'm not sure I understand your question completely but here is a little information.
1. The use of the ObiTalk "Portal" to configure your device and the use of the ObiTalk "Network" to place & receive calls to other Obi owners are two distinct but related functions.

If you delete your device from the ObiTalk portal AND set all 3 Methods on your device Auto Provisioning web page to "Disabled" AND set ObiTalk Service -> Enable to UNChecked then you are in control of the Obi because ObiHai cannot "see" your device on the internet and your device does not communicate anything back to them.

However, as the last item indicates you cannot make / receive calls to other Obi users. If you enable the ObiTalk service in your device so you can make & receive calls then Obihai starts tracking your device regardless of the Auto provisioning settings.

If you enable any of the Auto Provisioning settings then you are saying that you want them to track your device so it is a moot point.

JeffGT

Thanks for the responses. I am not surprised there is such a long history about this topic. Thanks for the references. I am about halfway through them now.

And yes, the gist of ProfTech's response is basically what I was looking for. While I would not go so far as to say that a company should avoid doing this sort of thing, I would say the honorable thing to do (again my opinion) would be to include a section in the user documentation that fully discloses the extent there is remote connectivity, how it is secured, how a user can explicitly control it, and what functionality is associated with it.

I actually tend to give most of these companies (especially US based) the benefit of the doubt when it comes to their intentions. The fact of the matter is that ANY remote connection from your network is something that could theoretically be leveraged by ANYONE on the public internet to attempt or successfully exploit. I simply feel I deserve to be aware of the level of exposure I introduce to my networks. Does that mean that I don't have any open ports/connections open on my networks? ... absolutely not. But I had the opportunity to evaluate them and configure them smartly.

Thanks again for all the info.

Felix

Quote from: giqcass on January 06, 2013, 06:21:37 PM
The information on how to set it up manually is hard to find but I found it.
Huh? Admin guide deals exclusively with setting it up manually. Yes, the documentation is absolutely atrocious; but it exists - as opposed to documentation on how to set it up on the portal, which is absent. In other words, the opposite of what you said is correct.

For both Obitalk network and Obitalk portal you don't need to open any ports on the network. So, I assume that the device opens an outbound connection through the firewall. Not really that different from Skype, IM client, or your Vonage adapter. If you have concerns about service provider (or somebody hacking into service provider), you shouldn't be using these services. In fact, my employer blocks public IM services and Skype for exactly these reasons (Google Voice, for some reason, is kosher, and AIM and Yahoo IM are integrated into our Lync communicator - so it's not so bad).
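
Added example, not part of any post in this thread: one way to check the point made above, that the device reaches out through the firewall even with no inbound port open, is to list the flows the device itself originated in the router's connection-tracking table. The device address, LAN range and sample lines are constructed assumptions (documentation IP ranges, not real OBiTALK endpoints); the line layout is that of Linux `conntrack -L` output.

```python
import ipaddress
import re

DEVICE_IP = "192.168.1.50"                    # assumption: the OBi202's LAN address
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumption: the home LAN range

# Constructed sample in `conntrack -L` layout. The first src/dst/sport/dport
# tuple on each line is the original direction, i.e. who opened the flow.
SAMPLE = """\
udp      17 170 src=192.168.1.50 dst=203.0.113.10 sport=10000 dport=10000 src=203.0.113.10 dst=198.51.100.7 sport=10000 dport=10000 [ASSURED] mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.50 dst=203.0.113.20 sport=51234 dport=443 src=203.0.113.20 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.1.50 dst=192.168.1.1 sport=40000 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=40000 mark=0 use=1
tcp      6 300 ESTABLISHED src=192.168.1.20 dst=192.168.1.50 sport=50000 dport=80 src=192.168.1.50 dst=192.168.1.20 sport=80 dport=50000 [ASSURED] mark=0 use=1
"""


def outbound_flows(conntrack_text, device_ip=DEVICE_IP, lan=LAN):
    """Return sorted (proto, dst, dport) for flows the device opened to
    addresses outside the LAN. Flows opened by other hosts are ignored."""
    flows = set()
    for line in conntrack_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        proto = parts[0]
        orig = {}
        for key, value in re.findall(r"\b(src|dst|sport|dport)=(\S+)", line):
            orig.setdefault(key, value)  # keep only the original-direction tuple
        if orig.get("src") != device_ip or "dst" not in orig:
            continue  # not initiated by the device
        if ipaddress.ip_address(orig["dst"]) in lan:
            continue  # local traffic (DNS to the router, web UI, ...)
        flows.add((proto, orig["dst"], int(orig.get("dport", 0))))
    return sorted(flows)


if __name__ == "__main__":
    for proto, dst, dport in outbound_flows(SAMPLE):
        print(f"{DEVICE_IP} -> {dst} {proto}/{dport}")
```

Running this against real `conntrack -L` output before and after changing the Auto Provisioning and ObiTalk Service settings shows which device-initiated flows each setting actually stops.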