The versatility and vulnerability of SIP technologies.
Because IP telephony is a mission-critical service, 500 advocates that any IP telephony solution should be secure. As the take-up and roll-out of IP telephony increases in businesses, the issues of IP security will become increasingly important.
A recent article published on www.voipplanet.com discussed the versatility and vulnerability of SIP technologies.
Although there are inherent vulnerabilities in standard PSTN and IP networks in general, the article concentrated on the vulnerabilities specific to SIP technologies. These were:
- Network-borne attacks
- New SIP products code attacks
- Secure network & system configuration
Below are pertinent extracts. Regarding network-borne attacks:
“existing network security measures can be used to help mitigate them. For example, firewalls can protect SIP servers and applications from Denial of Service floods, while LAN authentication methods like 802.1X can deter impersonation. Extensions are often necessary to satisfy VoIP-specific demands—for example, firewalls must process RTP without undue latency or jitter, while intrusion prevention systems need SIP attack signatures.”
Regarding new SIP products code attacks (i.e. attacks that can be introduced during product development):
“…when the Oulu University Secure Programming Group (OUSPG) tested INVITE message processing by SIP agents and proxies, just one of nine implementations survived this relatively basic exercise.”
“Although the affected implementations have since been patched, this test demonstrates the likelihood of code flaws in newly released VoIP products and the importance of applying available patches.”
“SIP registrar/proxy servers are not the only devices that should be tested for security bugs. Applications and handsets/phones also deserve plenty of scrutiny.”
Regarding secure network & system configuration:
“…security advisories recommend the use of ingress, egress, and broadcast traffic filters to block SIP messages sent to/from systems that should not do so. In networks that use VLANs to compartmentalize VoIP traffic, switches and access points should be configured to avoid VoIP hopping. The premise here is simple: the fewer systems that are exposed to SIP, the lower the risk of falling victim to SIP-based attacks.”
“Many VoIP servers and user agents are easily compromised as the result of basic configuration mistakes like failure to disable risky services or change default passwords. VoIP phones tend to be particularly vulnerable to mis-configuration because (a) they aren’t managed like ordinary desktop computers and (b) their debug and admin interfaces are frequently hidden or not well advertised to end users.”
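The ingress, egress and broadcast filtering recommendation quoted above can be checked against observed traffic. The following is an added example, not code from the article or from 500: it audits flow records against a SIP policy, and every address, the single-proxy layout and the names `missing_filter` and `audit` are assumptions constructed for illustration.

```python
import ipaddress

# Assumed policy (constructed values, not from the article): phones live in one
# voice VLAN, register with one SIP proxy, and the proxy talks to one carrier trunk.
VOICE_VLAN = ipaddress.ip_network("10.20.0.0/24")
SIP_SERVERS = {ipaddress.ip_address("10.20.0.10")}
TRUNK_PEERS = {ipaddress.ip_address("198.51.100.5")}
SIP_PORTS = {5060, 5061}  # default SIP and SIP-over-TLS ports; matched by port only
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# Constructed flow records: (source, destination, destination port)
FLOWS = [
    ("10.20.0.31", "10.20.0.10", 5060),    # phone -> proxy: expected
    ("10.30.0.7", "10.20.0.10", 5060),     # data-VLAN desktop -> proxy
    ("10.20.0.31", "203.0.113.9", 5060),   # phone -> arbitrary outside host
    ("10.20.0.44", "10.20.0.255", 5060),   # SIP sent to the subnet broadcast
    ("10.30.0.7", "10.30.0.8", 443),       # not SIP: ignored
    ("10.20.0.10", "198.51.100.5", 5061),  # proxy -> carrier trunk: expected
]

def missing_filter(src, dst, port):
    """Return None for an allowed flow, else the filter type that should block it."""
    if port not in SIP_PORTS:
        return None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in (VOICE_VLAN.broadcast_address, LIMITED_BROADCAST):
        return "broadcast"
    if s in SIP_SERVERS:
        return None if (d in VOICE_VLAN or d in TRUNK_PEERS) else "egress"
    if s in VOICE_VLAN:   # a phone may only signal to its SIP server
        return None if d in SIP_SERVERS else "egress"
    if s in TRUNK_PEERS:  # the trunk may only reach the SIP server
        return None if d in SIP_SERVERS else "ingress"
    return "ingress"      # source has no business speaking SIP at all

def audit(flows):
    """List (filter, flow) for every SIP flow the policy does not allow."""
    findings = []
    for flow in flows:
        verdict = missing_filter(*flow)
        if verdict:
            findings.append((verdict, flow))
    return findings

if __name__ == "__main__":
    for verdict, (src, dst, port) in audit(FLOWS):
        print(f"{verdict:9} filter needed: {src} -> {dst}:{port}")
```

Each finding names the filter type whose absence let the flow through, which maps directly onto the rule to add at the switch or firewall.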
In conclusion,
“The trick is to proactively identify and eliminate security holes before hackers get a chance to exploit them. Start your vulnerability assessment with conventional network security tools like port scanners and application banner grabs. But don’t stop there—pursue SIP-specific tests that can uncover the vulnerabilities described here and many others.”
It can be a challenge to find an IP telephony service provider that adequately considers security within its provisioning. However, here at 500 we take security seriously. Businesses can rest assured that when assessing network capabilities and recommending an IP telephony solution, the issues raised in this article have been considered and addressed: from SIP endpoint encryption to ISP provisioning for voice-only calls that do not ‘touch’ the public internet.
Article courtesy of www.voipplanet.com, 15/05/08.










