[VOIPSEC] Has anyone found or done a comprehensive review of open source firewalls with a focus on SIP?
J. Oquendo
sil at infiltrated.net
Mon Feb 4 07:08:01 CST 2008
Paul Ryan wrote:
> What about adding an SBC into the mix - any preferences / weaknesses ?
> Regards,
I don't know how others use their SBCs but ours (Netrake nCite) isn't
being used on the level most SBC vendors sell it on. We have a lot of
companies that re-brand VoIP and sell it at a low cost but we're the
ones providing the actual service. It's difficult to try to use my SBC
for NAT since I have an insane mixture of traffic:
CLI-nCite_1# show stats sip
SIP Call Statistics
-------------------
Total Active Calls . . . . . . . . . . . . . . . . 2481
Same-Side Active Calls 0
Local Active Calls 433
Normal Active Calls. . . . . . . . . . . . . . . . . 648
Initiating Calls 82
Terminating Calls 0
Calls Processed. . . . . . . . . . . . . . . . . 1092269
Completed Calls 1016604
Abandoned Calls 54888
Unauthorized Calls . . . . . . . . . . . . . . . . . . 0
Degraded Calls 0
Failed Calls 20366
Peak Active Calls. . . . . . . . . . . . . . . . . .1903
Peak Active Same-Side Calls 0
Peak Active Local Calls 1766
Peak Active Normal Calls . . . . . . . . . . . . . . 188
Call Initiation Timeouts 4036
Call Termination Timeouts 103
Call Authentication Challenges . . . . . . . . . . . .56
Media Timeouts 411
RTP FW Traversal Timeouts 526
CLI-nCite_1#
So let me think about this for a second... 1 mill calls per month,
spread throughout minimum 500 servers... Those 500 servers (PBX,
mixtures) are all behind all sorts of routers and firewalls I don't
manage... Can you see the problem?
SBCs are expensive and a pain to administrate and I don't believe the
average company would need an SBC. Heck, I don't even believe Fortune
500s would truly need them and here is why... We have a client I will
not name (I don't even name where I work but some here know...), anyhow,
this Fortune 500 is huge worldwide, we have portions of their main office
and a slew of their central offices. We're doing their termination as
follows:
Them --> Us --> Split Carriers --> Terminating_Call
Caller --> Carriers --> Us --> Fortune 500
They're using Avaya, we pass traffic, all works fine and dandy, they
never have to do anything, ever. We monitor their usage, stats, all the
fun stuff. There is no need from what we can tell for them to run out
and dish out on an SBC. So let's say they did... $50k (MINIMUM) for a
decent SBC. Then what? Hire someone to configure, maintain, troubleshoot
it? Another what? Let's say minimum... $50k salary per year... $100k
expense? Which will solve what?
Security on the SIP/H323 side can be achieved by experienced security
engineers who take some time to understand the core of it all. Forget
the fuzzy marketing "Super parallelized - distant vector - deep packet
inspection - fubar - sign on the dotted line sucker" wording. Stick to
the core: SRC, DST, Payload ... And go from there and security can be
effectively achieved. Anyone selling you that crap (you need superUber
Firewall X with UberDuper SIP/VoIP Capabilities), have them take you out
to lunch for the next year for free. Have them explain it all over and
over and over until you're no longer hungry... Then stop playing with
them and get back to work...
Experienced admins just do... If I can create my own IDS/IPS on SIP then
so should the experienced engineer. I'm not an IETF, IEEE engineer, just
Joe Blow doing work:
CLI-nCite_1# show stats registration sip -i 5
SIP Registration Statistics
---------------------------
(stripped for clarity)
...
Unauthorized Registrations 7
...
---------------------------
Neat, now let me write a script to alert me if Unauthorized
Registrations exceed 7 in say a 30 second interval. That number 7?
Nagios alerts... What? Oh, maybe write a script to automagically block
anyone over the number 7...
SBCs aren't for everyone.
====================================================
J. Oquendo
SGFA #579 (FW+VPN v4.1)
SGFE #574 (FW+VPN v4.1)
wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
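The "script to alert me if Unauthorized Registrations exceed 7 in a 30 second interval" described in the message above, written out as an added example (this is not code from the original post or from the nCite product). It assumes the counter is cumulative, so each sample is compared with the previous one and the alert fires on the delta within one sampling window; the `show stats registration sip` text below is constructed to resemble the screen quoted in the message, and the counter name, the 30-second interval and the Nagios plugin exit codes are the assumptions the script is built on.

```python
"""Nagios-style threshold check on an SBC's "Unauthorized Registrations" counter.

Added example, not from the original post or the nCite vendor. The SBC output
samples are constructed; in production the text would come from polling the
CLI every INTERVAL_SECONDS and storing the previous value between runs.
"""
import re
import sys
from typing import List, Optional, Tuple

# Nagios plugin exit codes (standard plugin convention)
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

INTERVAL_SECONDS = 30      # assumed polling interval from the message
DEFAULT_THRESHOLD = 7      # "exceed 7 in a 30 second interval"

# Matches the counter line whether or not the dot leaders survived, e.g.
# "Unauthorized Registrations 7" or "Unauthorized Registrations . . . 7".
COUNTER_RE = re.compile(r"^\s*Unauthorized Registrations[\s.]*(\d+)\s*$", re.MULTILINE)


def parse_unauthorized(stats_text: str) -> Optional[int]:
    """Return the cumulative Unauthorized Registrations counter, or None if absent."""
    match = COUNTER_RE.search(stats_text)
    return int(match.group(1)) if match else None


def evaluate(previous: Optional[int], current: Optional[int],
             threshold: int = DEFAULT_THRESHOLD) -> Tuple[int, str]:
    """Compare two consecutive samples of the cumulative counter.

    Alerts when the growth between samples (i.e. within one interval) exceeds
    the threshold. A negative delta means the SBC reset its counters (reboot,
    'clear stats'), which must not be reported as an attack; it just rebases.
    """
    if current is None:
        return UNKNOWN, "UNKNOWN - Unauthorized Registrations counter not found in SBC output"
    if previous is None:
        return OK, f"OK - baseline sample taken, counter={current}"
    delta = current - previous
    if delta < 0:
        return OK, f"OK - counter reset detected, rebasing at {current}"
    if delta > threshold:
        return CRITICAL, (f"CRITICAL - {delta} unauthorized registrations in the last "
                          f"{INTERVAL_SECONDS}s (threshold {threshold})")
    return OK, f"OK - {delta} unauthorized registrations in the last {INTERVAL_SECONDS}s"


def check_series(samples: List[str], threshold: int = DEFAULT_THRESHOLD) -> List[Tuple[int, str]]:
    """Run the check over successive CLI captures; returns one (code, message) per sample."""
    results = []
    previous = None
    for text in samples:
        current = parse_unauthorized(text)
        results.append(evaluate(previous, current, threshold))
        if current is not None:
            previous = current
    return results


# Constructed samples, one per polling interval, shaped like the quoted CLI screen.
SAMPLES = [
    "SIP Registration Statistics\n---------------------------\n"
    "Total Registrations . . . . . . . . 15340\nUnauthorized Registrations 7\n",
    "SIP Registration Statistics\n---------------------------\n"
    "Total Registrations . . . . . . . . 15402\nUnauthorized Registrations . . . . 9\n",
    "SIP Registration Statistics\n---------------------------\n"
    "Total Registrations . . . . . . . . 15410\nUnauthorized Registrations 25\n",
    "SIP Registration Statistics\n---------------------------\n"
    "Total Registrations . . . . . . . . 12\nUnauthorized Registrations 3\n",
]

if __name__ == "__main__":
    # Run over the constructed samples and exit with the worst status seen,
    # the way a Nagios plugin reports.
    worst = OK
    for code, message in check_series(SAMPLES):
        print(message)
        worst = max(worst, code)
    sys.exit(worst)
```

The third sample jumps from 9 to 25 within one interval, so it is the one that trips CRITICAL; the fourth drops to 3 and is treated as a counter reset rather than an alert. Blocking a source, as the message goes on to suggest, would need the per-peer breakdown that this aggregate counter does not carry.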