On Mon, 2009-11-09 at 16:22 -0600, [email protected] wrote:
> I thought that an SBC hides a lot of information because it
> specifically rewrites information that prevents the network
> side from being understood basically

Some SBC vendors make much of this... the sipXbridge hides some things and not others (the more you try to hide, the more you have to translate and remember); mostly that hiding is just a side effect of being a B2BUA, not a deliberate design.

Personally, I think that there is little value in trying to hide things like your internal network numbers and addresses of your major servers. In practice, it's not at all difficult to guess these things or find them by brute force.

It is true that our recommended deployment is to let SIP and RTP messages flow through your firewall unmolested, which means that an attacker has a path to your system. If you don't do silly things like setting all the SIP passwords to the same value, this isn't too serious a problem.

Ultimately, it's a tradeoff. You can buy something that claims to police the boundary, but that just shifts the first point of attack to the new thing - it's still software and it's still got potential holes. Importantly, it's going to have to modify the messages that pass through it to be a real barrier and that means that if it doesn't do all those changes perfectly (and trust me, the definition of perfect is a moving target) then it's going to break something.

_______________________________________________
sipx-users mailing list [email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-users
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
sipXecs IP PBX -- http://www.sipfoundry.org/
