[VOIPSEC] SBC security/pen testing
Christopher A. Martin
chris at infravast.com
Thu Apr 28 23:49:52 CDT 2005
Geez, they hadn't even performed basic hardening on this box...
The vendors need to start realizing that firewalls are not silver
bullets, neither are SBCs for that matter. You have to take a holistic
approach to securing an infrastructure.
I bet you could even log in with default account info too on port 443.
Some of the IP PBX vendors don't permit this to be modified...
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Mark Teicher
Sent: Monday, April 25, 2005 1:36 PM
To: Voipsec at voipsa.org
Subject: RE: [VOIPSEC] SBC security/pen testing
These are some of the partial results from a port scan after I was
informed by a telecommunication vendor security consulting group that
they successfully secured the product and it was safe to place on the
secure network:
21 ftp
22 ssh
23 telnet
25 smtp
80 http
68 dhcpclient
111 sunrpc
443 https
513 login
514 shell
1720 h.323 signaling
2945 h.248
5023 dsat administration
69 tftp
123 ntp
161 snmp
162 snmptrap
1332 arbiter
1719 ras
1030 remote MIB access
1812 radius
4501 election
4521 backup
As you can tell, the scan results were provided to the security group to
review, and the vendor was notified to provide information regarding why
the services needed to be notified. So far after 5 weeks, the security
consultants that were assigned from the telecommunications provider have
not been responsive and neither has their management. But they were
mentioned on a conference call a week or two ago regarding a potential
very large insurance carrier and their plan to lock down their IP
enabled PBXs and other pieces of their solution with SIG boxes.
Again, most vendors have used common port scan tools to check their
product against distributed denial of service attacks or just verifying
that the port/service responds to a scan. Most do recommend the product
be placed beyond a firewall or security zone. Specific VOIP testing
mentioning the previous example exploits should be used after the
initial port scan findings are resolved, therefore VOIP pen-test may be
a two-phased process: 1. discovery/identification 2. exploitation
/m
-----Original Message-----
From: "Christopher A. Martin" <chris at infravast.com>
Sent: Apr 24, 2005 10:07 PM
To: 'A S' <ccrouter at gmail.com>, Voipsec at voipsa.org
Subject: RE: [VOIPSEC] SBC security/pen testing
Ya, that and default community strings for snmp, default passwords and
accounts not disabled.
I can't even believe that telnet would be an option when ssh is already
included on many of the vendors' products.
I am sanitizing my old vendor requirements document for submission to
the group.
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of A S
Sent: Saturday, April 23, 2005 12:02 PM
To: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] SBC security/pen testing
I have scanned SBCs using NMAP, Nessus, Sivus. Interestingly, almost all of
them have UDP ports open. One has FTP port open!!! Wondering why
vendors are not testing their security products against very well known,
easily available security tools.
thx
On 4/23/05, Christopher A. Martin <chris at infravast.com> wrote:
> Look for underlying protocols that may not have been disabled, such as
> rcp, ftp, telnet and default usernames and passwords...hint vxworks.
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of A S
> Sent: Friday, April 22, 2005 1:35 PM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] SBC security/pen testing
>
> Greetings All,
>
> Testing SBCs from different vendors. Any ideas/suggestions?
>
> thanks
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
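
One way to turn a scan listing like the one quoted in this thread into a service-justification list for the vendor, as an added example that is not from any poster on the list. The baseline set and the cleartext-to-encrypted mapping are assumptions, and the sample is a constructed subset of the quoted results.

```python
import re

# Constructed sample: a subset of the "port service" lines quoted in the thread.
SCAN = """\
21 ftp
22 ssh
23 telnet
80 http
161 snmp
443 https
513 login
514 shell
1720 h.323 signaling
5023 dsat administration
"""

# Assumption (hypothetical baseline): services this deployment has justified.
# A real baseline comes from the vendor's documented port requirements.
BASELINE = {22, 443, 1719, 1720, 2945}

# Cleartext service port -> encrypted service port that can replace it.
CLEARTEXT = {21: 22, 23: 22, 513: 22, 514: 22, 80: 443}

def parse_scan(text):
    """Return {port: service} from 'port service' lines; other lines are skipped."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d{1,5})\s+(\S.*?)\s*$", line)
        if m and 0 < int(m.group(1)) < 65536:
            found[int(m.group(1))] = m.group(2)
    return found

def review(found, baseline):
    """Sort exposed ports into buckets for the hardening follow-up."""
    report = {"expected": [], "redundant_cleartext": [], "cleartext": [], "unjustified": []}
    for port in sorted(found):
        if port in baseline:
            report["expected"].append(port)
        elif port in CLEARTEXT:
            # Redundant when the encrypted replacement is already listening.
            redundant = CLEARTEXT[port] in found
            report["redundant_cleartext" if redundant else "cleartext"].append(port)
        else:
            report["unjustified"].append(port)
    return report

if __name__ == "__main__":
    for bucket, ports in review(parse_scan(SCAN), BASELINE).items():
        print(f"{bucket}: {ports}")
```

A port number alone does not show whether SNMP is running with default community strings or whether default accounts are enabled, so ports left in the unjustified bucket still need a manual check.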