Firewall & Secure Networks

Written by TJ Salyars

Updated at January 10th, 2024


Your dealership's IT organization may block access to certain websites or web functionality. Please share this article with your IT department and ask them to ensure your network infrastructure allowlists the full IP and port ranges required for ExpertConnect and its features to function correctly.

Domain Configuration

Add the following destination domains and their corresponding ports to your firewall allowlist:

*.expertconnect.deere.com
*.expertconnect.support
TCP port 443
UDP port 443

Communication with the domains listed above is secured with HTTPS on port 443. Ensure this traffic is allowed both inbound and outbound.

VoiceHub Configuration

The VoiceHub feature in ExpertConnect provides VoIP capabilities for real-time communication.

Media Servers

The secure media (ICE/STUN/SRTP) servers use the following network configuration:

  • Protocol: UDP
  • Destination IP range: 168.86.128.0/18
  • Destination port range: 10000-60000

The source IP can be ANY and the source port can be ANY. The source port is selected from the ephemeral port range; on most machines this is 1024 to 65535.

Please note that ports need to be opened for both inbound and outbound traffic.

Here is a visual representation of the connectivity flow:

Why so many ports?

Because of the nature of real-time communication on the web (WebRTC), a range of addresses, ports and transport protocols is needed.

Video (WebRTC) Configuration

Video calls are carried over the WebRTC protocol, and the following domains and ports need to be allowlisted for two-way communication.

.agora.io
.edge.agora.io
.sd-rtn.com
.edge.sd-rtn.com
web-1.ap.sd-rtn.com
web-2.ap.sd-rtn.com
ap-web-1.agora.io
ap-web-2.agora.io
webcollector-rtm.agora.io
logservice-rtm.agora.io
rtm.statscollector.sd-rtn.com
rtm.logservice.sd-rtn.com
Type       Platform   Protocol   Destination Ports
Video      Web        TCP        80; 443; 3433; 4700-5000; 5668; 5669; 6080; 6443; 8667; 9667; 30011-30013 (for RTMP converter)
Video      Web        UDP        3478; 4700-5000
Signaling  Web        TCP        443; 6443; 9591; 9593; 9601
Signaling  Native     TCP        8443; 9130; 9131; 9136; 9137; 9140; 9141
Signaling  Native     UDP        1080; 8000; 8130; 8443; 9120; 9121; 9700; 25000
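When an IT team is troubleshooting, the quickest check is to compare the firewall's deny logs against the ranges published in the Domain, VoiceHub media server and Video sections above. The following Python script is an added example, not part of this article or any Deere tool: the ranges are the ones listed above, the iptables-style log lines in SAMPLE_LOG are constructed, and because the domain-based rules cannot be confirmed from a destination IP alone, those matches are reported only as candidates to confirm against DNS or the firewall's SNI/URL logs.

```python
import ipaddress
import re

# Ranges copied from the article: VoiceHub media edge and the video/signaling table.
MEDIA_NET = ipaddress.ip_network("168.86.128.0/18")     # UDP only
MEDIA_PORTS = (10000, 60000)                            # inclusive
VIDEO_SIGNALING_PORTS = {
    "tcp": [(80, 80), (443, 443), (3433, 3433), (4700, 5000), (5668, 5669),
            (6080, 6080), (6443, 6443), (8443, 8443), (8667, 8667), (9130, 9131),
            (9136, 9137), (9140, 9141), (9591, 9591), (9593, 9593), (9601, 9601),
            (9667, 9667), (30011, 30013)],
    "udp": [(443, 443), (1080, 1080), (3478, 3478), (4700, 5000), (8000, 8000),
            (8130, 8130), (8443, 8443), (9120, 9121), (9700, 9700), (25000, 25000)],
}

def classify(proto, dst_ip, dst_port):
    """Return which ExpertConnect requirement a flow matches, or None."""
    proto = proto.lower()
    ip = ipaddress.ip_address(dst_ip)
    if proto == "udp" and ip in MEDIA_NET and MEDIA_PORTS[0] <= dst_port <= MEDIA_PORTS[1]:
        return "voicehub-media"          # IP and port both published, so a firm match
    if dst_port == 443:
        return "https-candidate"         # domain rule (*.expertconnect.*): confirm via DNS/SNI
    for lo, hi in VIDEO_SIGNALING_PORTS.get(proto, []):
        if lo <= dst_port <= hi:
            return "video-signaling-candidate"  # port in the table; confirm agora.io/sd-rtn.com
    return None

# Constructed iptables/nftables-style field layout; adjust the regex to your firewall's format.
LOG_RE = re.compile(r"\b(DROP|ACCEPT)\b.*?DST=(\S+) PROTO=(\w+) .*?DPT=(\d+)")

def triage(lines):
    """List (dst_ip, proto, dst_port, class) for dropped flows that ExpertConnect needs."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m.group(1) != "DROP":
            continue
        ip, proto, port = m.group(2), m.group(3).lower(), int(m.group(4))
        cls = classify(proto, ip, port)
        if cls:
            hits.append((ip, proto, port, cls))
    return hits

# Constructed sample log (RFC 5737 test addresses stand in for non-ExpertConnect destinations).
SAMPLE_LOG = [
    "kernel: DROP IN=lan OUT=wan SRC=10.1.2.3 DST=168.86.140.12 PROTO=UDP SPT=51234 DPT=23456",
    "kernel: DROP IN=lan OUT=wan SRC=10.1.2.3 DST=168.86.140.12 PROTO=TCP SPT=51235 DPT=23456",
    "kernel: DROP IN=lan OUT=wan SRC=10.1.2.3 DST=203.0.113.7 PROTO=UDP SPT=51236 DPT=3478",
    "kernel: ACCEPT IN=lan OUT=wan SRC=10.1.2.3 DST=168.86.130.5 PROTO=UDP SPT=51237 DPT=59999",
    "kernel: DROP IN=lan OUT=wan SRC=10.1.2.3 DST=198.51.100.9 PROTO=UDP SPT=51238 DPT=9999",
]
```

Running `triage(SAMPLE_LOG)` on the constructed lines reports the dropped UDP flow to the media edge as a firm match and the dropped STUN-port flow as a candidate; the TCP drop to the same media IP is ignored because the media requirement is UDP only.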

Email Configuration

Dealerships whose spam filters block verification emails from ExpertConnect can allowlist our sending IP address:

IP Address: 149.72.202.18

Subnet Mask: 255.255.255.255 (a single host, i.e. 149.72.202.18/32)

Testing your Network

We have a diagnostics tool to test your device and network configuration.

Please visit: https://diagnostics.expertconnect.deere.com to test out your device.


Security FAQs

Q: Is this inbound or outbound, or does it affect traffic both ways?

A: These network and firewall configurations affect inbound and outbound Voice (VoiceHub) call traffic.

Q: Why does ExpertConnect require such a large range of IP addresses/ports?

A: Due to our growing customer base and the growth of traffic on our platform, this increased range helps us provide reliability and scalability for the foreseeable future.

Q: Isn't it a security risk for us to have so many IPs/ports open?

A: The IP range in the respective section is owned by our Communication Provider Vendor (referred to as CPV) and registered with ARIN. It is not an ephemeral IP range that is at risk of being recycled by our cloud providers and potentially used by another organization in the future. With this in mind, it is our CPV's position that this is a security improvement over the previous paradigm, despite the larger range(s).

It is a security risk to have any IPs/ports allowlisted. If an attacker can take over one IP or port from a given range they can take over others, so the threat doesn't increase with the number of IPs or ports open.

Q: The size of the allow list is a concern; it gives an attacker more surface area to attack and does not provide the security cover we require.

A: Every RTP media session is negotiated by one of a few trusted CPV signaling edges. The IP/ports here refer to the CPV media edge. Thus, you should allow UDP traffic to be sent to and received from the published IP address ranges. However, you do not need to open any additional IPs or ports on your side.

Q: Why don't other products have such broad requirements?

A: We can't speak for the decision-making processes of other products/offerings or their architectural designs, but we do see some others with broadly similar requirements. For example, Telnyx has a single non-regional /19 IP range, and Zoom Phone and Zoom Contact Center have a UDP port range of 20000-64000.

Q: We want to learn more about WebRTC. 

A: WebRTC (Web Real-Time Communications) is an advanced protocol employed for facilitating real-time communication capabilities such as voice, video, and data exchange directly within web browsers. This technology establishes a peer-to-peer connection between browsers, which, while efficient, introduces certain security vulnerabilities. WebRTC predominantly utilizes a spectrum of UDP ports, alongside occasional TCP ports, to enable this connectivity. 

In terms of firewall configuration, WebRTC necessitates the opening of a broad range of ports, typically within the dynamic or ephemeral 49152 to 65535 range for UDP traffic. This requirement stems from the protocol's utilization of "hole punching" techniques, which are essential for navigating through firewalls and Network Address Translation (NAT) systems. This method is crucial for enabling peers situated on disparate networks to locate and connect without the intermediation of a central server. 

Although the necessity for multiple open firewall ports might initially appear as a significant security concern, it is crucial to recognize that WebRTC is inherently designed to support secure communications. The potential security risks posed by these open ports can be effectively mitigated through strategic network configuration and the adoption of supplementary security protocols. Firewalls, for instance, can be meticulously configured to minimize vulnerabilities and obstruct unwarranted traffic. Furthermore, the deployment of additional safeguards such as Virtual Private Networks (VPNs) can offer an extra layer of security. In summary, while the implementation of WebRTC demands the opening of an extensive range of firewall ports, the potential security risks are manageable and can be substantially alleviated through judicious network management and the application of robust security measures. 

ExpertConnect has integrated with CPV services to facilitate voice/video calls, utilizing the WebRTC/Signaling protocol. This advanced protocol necessitates the pre-approval of certain domains and ports within security-restricted networks. The domains specified are crucial for the initiation and execution of voice/video calls through ExpertConnect's web and mobile platforms.


Q: What about data privacy for voice, video, data exchange and security?

A: ExpertConnect adheres to the security policies and standards set by Deere, focusing on protecting dealer data and privacy. This includes ensuring appropriate isolation of dealer-related activities. All CPV services integrated into ExpertConnect comply with these high standards, offering detailed information about their security measures and compliance policies. When selecting an RTE PaaS provider, special attention is given to geo-routing and geo-fencing capabilities. This ensures that the selected vendor can provide an edge server close to the user, vital for efficient data routing. 

Regarding data privacy, our CPV services strictly avoid collecting personal data from users, except for IP addresses and necessary operational data for voice/video calls. ExpertConnect prioritizes user privacy, sharing only essential user data, like an internal identifier, to initiate client SDK for call sessions. Voice and video call streaming is managed by CPV RTN servers, utilizing geo-routing to match the user's cloud region. Deploying these CPV service SDKs within ExpertConnect does not permit other users to access or conduct unauthorized activities on the platform. 

Additionally, as part of Deere, ExpertConnect regularly conducts vulnerability assessments and security audits, and implements protections against attacks. This is complemented by a defined process for reporting and mitigating any security concerns, ensuring ongoing vigilance and responsiveness to potential threats.

Q: What if this configuration isn't going to work for us?

A: It is very likely that the ExpertConnect users at your dealership will encounter service disruptions if these IP addresses/port ranges are not allowlisted.

Proxy Services

Various proxy services can be made available if the above is not working. Please email expertconnect@johndeere.com and include a member of your IT team.

Still Having Trouble?

If you are still having problems, please email expertconnect@johndeere.com and include a member of your IT team.

Content is protected by copyright. Copying, modifying, or reposting content is prohibited. Copyright © 2023 Deere & Company. All Rights Reserved