[VOIPSEC] RE: SBC security/pen testing
Christopher A. Martin
chris at infravast.com
Fri Apr 29 05:39:46 BST 2005
True, but hopefully security in depth is practiced... anti-spoofing rules
implemented at the router... a firewall, and, if a port isn't listening
(since there isn't a valid session associated with it), the proper
response should be ICMP port unreachable... no need to make it to the
application layer if the application wasn't listening after all.
SIP, on the other hand, or whatever signaling protocol is implemented, is
where the risk lies, as is any actual active media session.
If an active media session is not protected by the SBC on the basis of
the call signaling, then all bets are off... it may be possible to divert
traffic using the media mechanisms (RTCP) to pull it, or any other attack.
If the media session is based on signaling, then only the session may be
at risk of DoS or misdirection based on RTCP.
Just a thought.
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Geoff Devine
Sent: Wednesday, April 27, 2005 7:18 AM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] RE: SBC security/pen testing
It depends on implementation strategy. A Session Border Controller may
very well treat messages to ports that don't have known flows on them as
attacks. If that's your strategy, it's better to dump the messages on
the floor rather than generate responses for each message and inject
work into the network. If the source of those messages is spoofed, you
can actually use an SBC to mount an attack that traverses some other
firewall that has policy to trust anything that comes from the SBC.
This is a pretty common topology for VoIP hosted PBX environments where
the SBC is owned by some service provider. SBCs typically support at
least wirespeed GigE so an attacker could direct a really big hose that
would kill any host sitting behind that corporate firewall. An SBC
isn't a host so you shouldn't necessarily expect it to behave like one.
Subject: RE: [VOIPSEC] SBC security/pen testing
To: "'Geoff Devine'" <gdevine at cedarpointcom.com>, <Voipsec at voipsa.org>
Message-ID: <000001c549f0$ae8cd110$6403a8c0 at home1>
Content-Type: text/plain; charset="us-ascii"
Much like a firewall, those ports should be listening for specific
endpoints...other hosts probing those ports should receive a port
The ports should only be dynamically listening during the time that they
are required for use, as signaled by the signaling protocol for the
respective endpoints that are part of that dynamic session.
If we rely on static rules or listening ports, there will be no security,
and a high-risk scenario waiting to happen.
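The dynamic-pinhole model the thread describes (media ports that listen only while a session is signaled, only for the endpoints named in the signaling, and that drop anything else without generating a reply), written out as an added example. This is not code from the original thread or from any SBC vendor. It assumes a simplified SBC with a fixed port pool starting at 20000, SDP reduced to the c= and m=audio lines, RTCP on RTP port + 1, and the two SDP bodies and all addresses are constructed sample data.

```python
"""Toy SBC media gate: RTP/RTCP ports exist only while signaled, and only for
the signaled peer. Added example; not any vendor's SBC code."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# Minimal SDP parsing: the connection line and the audio media line only.
SDP_C = re.compile(r"^c=IN IP4 (\S+)\s*$", re.M)
SDP_M = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)

# Constructed sample SDP bodies (far-end offer in an INVITE, near-end answer
# in a 200 OK). Addresses are documentation/RFC 1918 ranges, not real hosts.
OFFER_SDP = ("v=0\r\no=- 1 1 IN IP4 203.0.113.10\r\ns=-\r\n"
             "c=IN IP4 203.0.113.10\r\nt=0 0\r\nm=audio 4000 RTP/AVP 0\r\n")
ANSWER_SDP = ("v=0\r\no=- 2 2 IN IP4 192.168.1.20\r\ns=-\r\n"
              "c=IN IP4 192.168.1.20\r\nt=0 0\r\nm=audio 6000 RTP/AVP 0\r\n")


def parse_sdp_media(sdp: str) -> Endpoint:
    """Return (ip, rtp_port) from an SDP body; RTCP is assumed at rtp_port + 1."""
    c, m = SDP_C.search(sdp), SDP_M.search(sdp)
    if not (c and m):
        raise ValueError("SDP body has no c= / m=audio lines")
    return c.group(1), int(m.group(1))


@dataclass
class Pinhole:
    call_id: str
    peer: Endpoint                         # only this signaled source is accepted
    rtcp: bool = False                     # True for the RTCP half of the pair
    forward_to: Optional[Endpoint] = None  # known only once the answer arrives


class MediaGate:
    """Relay that opens a pinhole per signaled session and drops everything else."""

    def __init__(self, first_port: int = 20000):
        self.next_port = first_port
        self.pinholes: Dict[int, Pinhole] = {}   # SBC-side UDP port -> Pinhole
        self.forwarded = 0
        self.dropped = 0
        self.responses_sent = 0  # stays 0: unknown traffic is dropped, never answered

    # --- signaling plane ---------------------------------------------------
    def on_invite(self, call_id: str, offer_sdp: str) -> int:
        """Offer from the far side: allocate an RTP/RTCP pair bound to that peer.
        (A real SBC would also rewrite the SDP to advertise the allocated port.)"""
        peer_ip, peer_rtp = parse_sdp_media(offer_sdp)
        rtp_port, self.next_port = self.next_port, self.next_port + 2
        self.pinholes[rtp_port] = Pinhole(call_id, (peer_ip, peer_rtp))
        self.pinholes[rtp_port + 1] = Pinhole(call_id, (peer_ip, peer_rtp + 1), rtcp=True)
        return rtp_port

    def on_answer(self, call_id: str, answer_sdp: str) -> None:
        """Answer from the near side: now the relay destination is known."""
        in_ip, in_rtp = parse_sdp_media(answer_sdp)
        for ph in self.pinholes.values():
            if ph.call_id == call_id:
                ph.forward_to = (in_ip, in_rtp + (1 if ph.rtcp else 0))

    def on_bye(self, call_id: str) -> None:
        """Session torn down: the ports stop listening immediately."""
        for port in [p for p, ph in self.pinholes.items() if ph.call_id == call_id]:
            del self.pinholes[port]

    # --- media plane -------------------------------------------------------
    def handle_packet(self, src: Endpoint, dst_port: int, payload: bytes) -> Optional[Endpoint]:
        """Return the relay destination, or None if the packet is silently dropped."""
        ph = self.pinholes.get(dst_port)
        if ph is None or src != ph.peer or ph.forward_to is None:
            # No session, wrong source, or session not yet answered: drop on the
            # floor. Deliberately no ICMP or other reply, so a spoofed source
            # cannot use the gate to reflect traffic at a third party.
            self.dropped += 1
            return None
        self.forwarded += 1
        return ph.forward_to


if __name__ == "__main__":
    gate = MediaGate()
    port = gate.on_invite("call-1", OFFER_SDP)
    gate.on_answer("call-1", ANSWER_SDP)
    print("signaled peer ->", gate.handle_packet(("203.0.113.10", 4000), port, b"rtp"))
    print("other source  ->", gate.handle_packet(("198.51.100.7", 4000), port, b"rtp"))
    gate.on_bye("call-1")
    print("after BYE     ->", gate.handle_packet(("203.0.113.10", 4000), port, b"rtp"))
    print("forwarded/dropped/responses:", gate.forwarded, gate.dropped, gate.responses_sent)
```

The three drop conditions in handle_packet are the thread's points in order: a port with no session behind it, a source other than the one the signaling named, and media arriving before the session is actually established. The counter of responses sent never moves, which is the difference between this policy and one that answers unknown traffic and can be turned into a reflector.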