[VOIPSEC] RE: SBC security/pen testing

Geoff Devine gdevine at cedarpointcom.com
Wed Apr 27 07:18:16 CDT 2005


It depends on implementation strategy.  A Session Border Controller may very well treat messages to ports that don't have known flows on them as attacks.  If that's your strategy, it's better to dump the messages on the floor rather than generate responses for each message and inject work into the network.  If the source of those messages is spoofed, you can actually use an SBC to mount an attack that traverses some other firewall that has policy to trust anything that comes from the SBC.  This is a pretty common topology for VoIP hosted PBX environments where the SBC is owned by some service provider.  SBCs typically support at least wirespeed GigE so an attacker could direct a really big hose that would kill any host sitting behind that corporate firewall.  An SBC isn't a host so you shouldn't necessarily expect it to behave like one.

 

Geoff

---------------------------------------------------------------

Subject: RE: [VOIPSEC] SBC security/pen testing
To: "'Geoff Devine'" <gdevine at cedarpointcom.com>, <Voipsec at voipsa.org>
Message-ID: <000001c549f0$ae8cd110$6403a8c0 at home1>
Content-Type: text/plain;       charset="us-ascii"

Not necessarily...

Much like a firewall, those ports should be listening for specific
endpoints...other hosts probing those ports should receive a port
unreachable message...

The ports should only be dynamically listening during the time that they
are required for use as signaled by the signaling protocol for the
respective endpoints that are part of that dynamic session.

If we rely on static rules or listening ports there will be no security
and a full high risk scenario waiting to happen.
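The two policies argued in this thread, side by side, as an added example that is not part of either message: a pinhole table that forwards only packets matching a signaled flow, with the unmatched-packet policy switchable between silent drop and port-unreachable replies. The class, the 30-second lifetime and the trace (documentation addresses) are constructed for illustration and do not model any particular SBC.

```python
from dataclasses import dataclass, field

@dataclass
class PinholeTable:
    """Media pinholes opened by signaling for one specific remote endpoint."""
    unmatched_policy: str = "drop"   # "drop" or "icmp-unreachable"
    flows: dict = field(default_factory=dict)       # (local_port, peer_ip, peer_port) -> expiry
    replies_to: dict = field(default_factory=dict)  # claimed source IP -> replies generated

    def open_pinhole(self, local_port, peer_ip, peer_port, now, ttl=30.0):
        # Called when signaling negotiates a media session (ttl is an assumed lifetime).
        self.flows[(local_port, peer_ip, peer_port)] = now + ttl

    def handle(self, src_ip, src_port, dst_port, now):
        key = (dst_port, src_ip, src_port)
        expiry = self.flows.get(key)
        if expiry is not None and now <= expiry:
            return "forward"
        self.flows.pop(key, None)    # pinhole expired: stop listening
        if self.unmatched_policy == "icmp-unreachable":
            # The reply goes to whatever source address the packet claimed.
            self.replies_to[src_ip] = self.replies_to.get(src_ip, 0) + 1
            return "icmp-unreachable"
        return "drop"

# Constructed trace: (time, src_ip, src_port, dst_port).
TRACE = (
    [(1.0, "192.0.2.10", 40000, 20000)]      # signaled endpoint, live session
    + [(2.0 + i / 100, "198.51.100.7", 5060, 20000 + i) for i in range(100)]  # no known flow
    + [(50.0, "192.0.2.10", 40000, 20000)]   # same endpoint after the pinhole expired
)

def replay(policy):
    """Run the trace under one policy; return (packets forwarded, replies per source)."""
    sbc = PinholeTable(unmatched_policy=policy)
    sbc.open_pinhole(20000, "192.0.2.10", 40000, now=0.0)
    forwarded = sum(sbc.handle(ip, sp, dp, t) == "forward" for t, ip, sp, dp in TRACE)
    return forwarded, sbc.replies_to

if __name__ == "__main__":
    for policy in ("drop", "icmp-unreachable"):
        print(policy, replay(policy))
```

Both policies forward the same single packet; the difference is only in how many replies the SBC itself emits toward addresses it never signaled with.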




