Comments inline...
On 18 Dec 2004, at 11:40, Rich Adamson wrote:
SIP uses port 5060
RTP uses multiple ports, typically in the range 10000-20000
Remember that SIP and RTP are different - SIP is used to set up the call;
RTP is used to carry the audio once the call has been set up.
Thanks. May I ask what security control can be applied to RTP besides
reducing the opened range? Is there any stateful inspection that can be done on
this?
What insecurity exists from leaving the range open?
I am not aware of any stateful helper modules (eg for netfilter) which handle
RTP streams, and certainly not any which understand the relationship between
SIP and RTP (eg by matching source/destination IP addresses), however I
wouldn't have thought it should be too difficult to write a netfilter module
to get RTP treated as "related" to an existing SIP connection?
But, to return to my initial question, what's the security risk in leaving
your Asterisk server open to UDP packets from the world?
I regard it like a mail server - a firewall allowing TCP packets through to
port 25 cannot protect against an application vulnerability in the MTA; the
application server itself has to be secure for your system to be safe. Same
goes for a web server, or an Asterisk server.
The answer to your questions depends entirely upon your specific implementation.
And your network environment. Some of us run our VoIP data
on different networks from our data networks, which reduces the exposure,
but even then, if you have a real PSTN connection on that network, you could be
risking giving away free calls or having your ability to make calls removed or
reduced.
If you have a small number of remote locations passing through the firewall, and you write your inbound firewall rules to allow specific IP addresses, and you forward those to a specific internal IP address, then there isn't much of a security issue.
True, but you are extending the 'envelope of trust' to include (to some extent)
the networks on the far end.
However, if you open all UDP ports (eg, 10000 - 20000) inbound _and_ you happen to have other services running on that box that _might_ use those ports, then you're allowing access to those other services as well. (How many trojans, etc., happen to use ports in that range?)
You are also exposing your network to potential mapping and denial of service attacks.
Cisco phones use UDP ports 16384-32776, while Xlite uses something like
UDP ports 8000-8050, and Polycom phones use another range, etc. If you
worked for a large company that didn't have any SIP phone standards and
you had to open everything that _could_ be used for RTP, then you really
would be opening a huge number of UDP ports. At least some of those ports
have other uses.
Including dynamically allocated ones that may (sometimes) use that range,
like (some) DNS queries, SNMP managers, interactive chat and gaming apps, etc.
Keep in mind, using the above port range examples only, that Asterisk might use RTP port 12345 in one direction and the Cisco phone might use 32775 in the other direction.
If you are trying to set this up for a small SOHO, then you might consider changing the RTP port range for the remote phones to something like 20000-20050, and changing Asterisk to 10000-10050 (or to the same 20000-20050), significantly reducing the number of holes poked in the firewall. Lots of flexibility "if" you have control over the configs.
I'm not as convinced by the numbers reduction game as far as ports are
concerned. By limiting the IP addresses to a few you are reducing risk by a factor of
millions. Even if you reduce the ports to 10, the risk reduction is only by 1000.
However, when thinking about this, remember that for UDP it is appallingly
easy to spoof the _from_ address, so well-crafted DoS attacks can still
sneak in through the one IP address you are letting in, even though the attacker
is not actually sending from that address.
Yep, I was tech director of a network security company in a former life.....
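As an added illustration of the two suggestions above (restrict inbound SIP/RTP to the known remote sites, and narrow Asterisk's RTP range to 10000-10050), here is a small POSIX sh script that generates the corresponding iptables rules. It is not code from the thread or from the Asterisk project; the peer addresses are hypothetical (RFC 5737 documentation range), and it assumes rtp.conf on the Asterisk box has already been set to rtpstart=10000 / rtpend=10050. It prints the rules rather than applying them.

```shell
#!/bin/sh
# Constructed example: emit iptables rules that admit SIP signalling and a
# narrowed RTP range only from named remote peers. Assumes Asterisk's
# rtp.conf has been narrowed to rtpstart=10000 / rtpend=10050.

# Hypothetical remote-site addresses (RFC 5737 documentation range).
PEERS="192.0.2.10 198.51.100.20"
SIP_PORT=5060
RTP_RANGE="10000:10050"   # iptables --dport range syntax: low:high

# Print the rule set for the given chain; nothing is applied here.
gen_rules() {
    chain="$1"
    # Replies to flows the Asterisk box opened itself (outbound registrations etc.).
    echo "iptables -A $chain -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for peer in $PEERS; do
        echo "iptables -A $chain -p udp -s $peer --dport $SIP_PORT -j ACCEPT"
        echo "iptables -A $chain -p udp -s $peer --dport $RTP_RANGE -j ACCEPT"
    done
    # Everything else aimed at SIP or the RTP range is dropped. As the thread
    # notes, a UDP packet with a spoofed source matching $PEERS still passes;
    # these rules shrink the exposed surface, they do not authenticate the sender.
    echo "iptables -A $chain -p udp --dport $SIP_PORT -j DROP"
    echo "iptables -A $chain -p udp --dport $RTP_RANGE -j DROP"
}

# Number of rules produced for a chain, to sanity-check the generated set.
rule_count() {
    gen_rules "$1" | wc -l | tr -d ' '
}

# Number of UDP ports left reachable for RTP from the allowed peers
# (the "holes poked in the firewall" the thread talks about).
exposed_ports() {
    lo=${RTP_RANGE%%:*}
    hi=${RTP_RANGE##*:}
    echo $((hi - lo + 1))
}

gen_rules INPUT
echo "# RTP ports reachable from allowed peers: $(exposed_ports)"
```

Widening RTP_RANGE back to 10000:20000 and dropping the `-s $peer` clauses reproduces the "open the whole range to the world" setup the thread argues against, so the same script can be used to compare the two.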
_______________________________________________ Asterisk-Users mailing list [EMAIL PROTECTED] http://lists.digium.com/mailman/listinfo/asterisk-users To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
