[VOIPSEC] SBC security/pen testing
Mark Teicher
mht3 at earthlink.net
Mon Apr 25 13:36:22 CDT 2005
These are some of the partial results from a port scan after I was informed by a telecommunication vendor security consulting group that they successfully secured the product and it was safe to place on the secure network:
21 ftp
22 ssh
23 telnet
25 smtp
80 http
68 dhcpclient
111 sunrpc
443 https
513 login
514 shell
1720 h.323 signaling
2945 h.248
5023 dsat administration
69 tftp
123 ntp
161 snmp
162 snmptrap
1332 arbiter
1719 ras
1030 remote MIB access
1812 radius
4501 election
4521 backup
As you can tell, the scan results were provided to the security group to review, and the vendor was notified to provide information regarding why the services needed to be notified. So far, after 5 weeks, the security consultants that were assigned from the telecommunications provider have not been responsive and neither has their management. But they were mentioned on a conference call a week or two ago regarding a potential very large insurance carrier and their plan to lock down their IP-enabled PBXs and other pieces of their solution with SIG boxes.
Again, most vendors have used common port scan tools to check their product against distributed denial of service attacks or just verifying that the port/service responds to a scan. Most do recommend the product be placed beyond a firewall or security zone. Specific VOIP testing mentioning the previous example exploits should be used after the initial port scan findings are resolved, therefore VOIP pen-test may be a two-phased process: 1. discovery/identification 2. exploitation
/m
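An added example, not part of the original message: a phase-one (discovery/identification) review that checks the findings listed above against the services a vendor has justified and attaches the follow-ups raised in this thread. The `JUSTIFIED` allowlist, the function names and the report layout are assumptions made for illustration.

```python
import re

# Findings copied from the message above, as "port service" pairs.
SCAN = (
    "21 ftp; 22 ssh; 23 telnet; 25 smtp; 80 http; 68 dhcpclient; 111 sunrpc; "
    "443 https; 513 login; 514 shell; 1720 h.323 signaling; 2945 h.248; "
    "5023 dsat administration; 69 tftp; 123 ntp; 161 snmp; 162 snmptrap; "
    "1332 arbiter; 1719 ras; 1030 remote MIB access; 1812 radius; "
    "4501 election; 4521 backup"
)

# Hypothetical: ports the vendor has justified in writing (constructed values).
JUSTIFIED = {22, 443, 1719, 1720, 2945}

# Follow-ups raised in the thread, keyed by the service name in the findings.
FOLLOW_UP = {
    "ftp": "cleartext file transfer left enabled",
    "telnet": "cleartext login left enabled",
    "login": "r-service left enabled",
    "shell": "r-service (rsh/rcp) left enabled",
    "snmp": "check for default community strings",
}

def parse_findings(text):
    """Return sorted (port, service) pairs; reject entries that do not parse."""
    findings = []
    for entry in filter(None, (e.strip() for e in text.split(";"))):
        m = re.fullmatch(r"(\d{1,5})\s+(\S.*)", entry)
        if not m or not 0 < int(m.group(1)) < 65536:
            raise ValueError(f"unparseable finding: {entry!r}")
        findings.append((int(m.group(1)), m.group(2)))
    return sorted(findings)

def triage(findings, justified):
    """Phase 1 review: ports still unexplained, plus per-service follow-ups."""
    by_name = {svc: port for port, svc in findings}
    notes = [(p, s, FOLLOW_UP[s]) for p, s in findings if s in FOLLOW_UP]
    if "telnet" in by_name and "ssh" in by_name:
        notes.append((by_name["telnet"], "telnet", "redundant: ssh is also offered"))
    unexplained = [p for p, _ in findings if p not in justified]
    # Phase 2 testing waits until the phase 1 findings are resolved.
    return {"unexplained": unexplained, "notes": notes,
            "ready_for_phase_2": not unexplained and not notes}

if __name__ == "__main__":
    report = triage(parse_findings(SCAN), JUSTIFIED)
    print("unexplained ports:", report["unexplained"])
    for port, svc, note in report["notes"]:
        print(f"{port:>5} {svc}: {note}")
    print("ready for phase 2:", report["ready_for_phase_2"])
```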
-----Original Message-----
From: "Christopher A. Martin" <chris at infravast.com>
Sent: Apr 24, 2005 10:07 PM
To: 'A S' <ccrouter at gmail.com>, Voipsec at voipsa.org
Subject: RE: [VOIPSEC] SBC security/pen testing
Ya, that and default community strings for snmp, default passwords and
accounts not disabled.
I can't even believe that telnet would be an option when ssh is already
included on many of the vendors' products.
I am sanitizing my old vendor requirements document for submission to
the group.
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of A S
Sent: Saturday, April 23, 2005 12:02 PM
To: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] SBC security/pen testing
I have scanned SBCs using NMAP, Nessus, Sivus. Interestingly, almost all of
them have UDP ports open. One has FTP port open!!! Wondering why
vendors are not testing their security products against very well known,
easily available security tools.
thx
On 4/23/05, Christopher A. Martin <chris at infravast.com> wrote:
> Look for underlying protocols that may not have been disabled, such as
> rcp, ftp, telnet and default usernames and passwords...hint vxworks.
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of A S
> Sent: Friday, April 22, 2005 1:35 PM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] SBC security/pen testing
>
> Greetings All,
>
> Testing SBC's from different vendors. Any idea/ suggestions?
>
> thanks
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>