[VOIPSEC] RE: SBC security/pen testing

Doug Fleming dfleming at arbor.net
Thu Apr 28 17:42:07 CDT 2005


While there are specific procedures for pen testing, a flow-based behavioral
model of VoIP network elements (SBC, SIP proxy, etc.) and subsequent
client-server interaction with validation of client bits via an authorization
feed like RADIUS could allow for a more complete test setup for security.

If you can understand the behavior of the authorized user base (and the
condition of the network elements during that time) recognizing and
identifying security incidents may get easier.  This also plays well for
compliance based testing since you can analyze, summarize and report on
client and network element behavior (and misbehavior).

The implementation question remains a good one; service provider security
measures will dictate some of this interaction, but SIP-based elements may
need to be treated a bit differently depending on their purpose.  Having flow
turned on during both testing and production can be a useful set of data
about how that device handles both normal traffic as well as either
intentional or unintentional abnormal traffic.

 Hope this helps.

-----------------------------------------------
          Doug Fleming
          703-842-7572


> -----Original Message-----
> From: Voipsec-bounces at voipsa.org 
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Geoff Devine
> Sent: Wednesday, April 27, 2005 8:18 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] RE: SBC security/pen testing
> 
> 
> It depends on implementation strategy.  A Session Border 
> Controller may very well treat messages to ports that don't 
> have known flows on them as attacks.  If that's your 
> strategy, it's better to dump the messages on the floor 
> rather than generate responses for each message and inject 
> work into the network.  If the source of those messages is 
> spoofed, you can actually use an SBC to mount an attack that 
> traverses some other firewall that has policy to trust 
> anything that comes from the SBC.  This is a pretty common 
> topology for VoIP hosted PBX environments where the SBC is 
> owned by some service provider.  SBCs typically support at 
> least wirespeed GigE so an attacker could direct a really big 
> hose that would kill any host sitting behind that corporate 
> firewall.  An SBC isn't a host so you shouldn't necessarily 
> expect it to behave like one.
> 
>  
> 
> Geoff
> 
> ---------------------------------------------------------------
> 
> Subject: RE: [VOIPSEC] SBC security/pen testing
> To: "'Geoff Devine'" <gdevine at cedarpointcom.com>, <Voipsec at voipsa.org>
> Message-ID: <000001c549f0$ae8cd110$6403a8c0 at home1>
> Content-Type: text/plain;       charset="us-ascii"
> 
> Not necessarily...
> 
> Much like a firewall, those ports should be listening for 
> specific endpoints...other hosts probing those ports should 
> receive a port unreachable message...
> 
> The ports should only be dynamically listening during the 
> time that they are required for use as signaled by the 
> signaling protocol for the respective endpoints that are part 
> of that dynamic session.
> 
> If we rely on static rules or listening ports there will be 
> no security and a full high risk scenario waiting to happen.
> 
> 
> 
> 
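
Added example, not part of the original thread and not code from any SBC vendor: the thread's dynamic-pinhole idea (media ports accept traffic only for endpoints named by signaling, and only while the session lasts), combined with the silent-drop strategy and per-source counts usable for flow-based reporting. The class, method names, port numbers and addresses are assumptions, and the packets are constructed sample data.

```python
from collections import Counter


class FlowTable:
    """Media pinholes keyed by call; unknown flows are dropped without a reply."""

    def __init__(self):
        self.pinholes = {}        # call_id -> (sbc_port, peer_ip, peer_port)
        self.dropped = Counter()  # per-source count of silently dropped packets

    def open_flow(self, call_id, sbc_port, peer_ip, peer_port):
        """Signaling set up a session: accept media only from this endpoint."""
        self.pinholes[call_id] = (sbc_port, peer_ip, peer_port)

    def close_flow(self, call_id):
        """Signaling tore the session down: the port stops accepting traffic."""
        self.pinholes.pop(call_id, None)

    def handle(self, src_ip, src_port, dst_port):
        """Return 'forward' for a signaled flow, otherwise 'drop'."""
        if (dst_port, src_ip, src_port) in self.pinholes.values():
            return "forward"
        # No known flow: discard without generating a response, so a spoofed
        # source gets nothing reflected at it, and count it for reporting.
        self.dropped[src_ip] += 1
        return "drop"

    def suspects(self, threshold):
        """Sources whose dropped-packet count reaches the threshold."""
        return sorted(ip for ip, n in self.dropped.items() if n >= threshold)


def demo():
    """Replay constructed packets (documentation addresses) through the table."""
    table = FlowTable()
    table.open_flow("call-1", 20000, "192.0.2.10", 4000)
    packets = [("192.0.2.10", 4000, 20000)] * 3  # the signaled endpoint
    # Constructed traffic from a source with no signaled session.
    packets += [("203.0.113.5", 5555, port) for port in range(20000, 20005)]
    verdicts = [table.handle(*pkt) for pkt in packets]
    table.close_flow("call-1")
    verdicts.append(table.handle("192.0.2.10", 4000, 20000))  # after teardown
    return verdicts, table.suspects(threshold=5)


if __name__ == "__main__":
    print(demo())
```

The final packet comes from the previously authorized endpoint but arrives after teardown, so it is dropped like any other unknown flow.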



