More on VOIP Vulnerabilities: SANS

Eric Krapf

December 11, 2007


The SANS Institute has compiled its year-end list of security vulnerabilities, and there's quite a bit of detail on VOIP. Their suggestions for mitigation:

* Consider security concerns as an integral part of any VoIP implementation. Additional caution should be taken at the product selection phase to ensure the VoIP product vendors support OS patches as they are released. Many VoIP vendors will void support for unapproved patches and may take considerable time before approving them.

* Apply the vendor supplied patches for VoIP servers and phone software/firmware as they become available.

* Ensure that operating systems running VoIP servers are patched with the latest OS patch supplied by either the OS vendor or the VoIP product vendor.

* Scan the VoIP servers and phones to detect open ports. Firewall all the ports from the Internet that are not required for operation of the VoIP infrastructure.

* Use a VoIP protocol aware firewall or Intrusion Prevention product to ensure that all UDP ports on VoIP phones are not open to the Internet for RTP/RTCP communications.

* Disable all unnecessary services on phones and servers (telnet, HTTP, etc.). Consider using VoIP protocol fuzzing tools such as the OULU SIP PROTOS Suite against the VoIP components to ensure the integrity of the VoIP protocol stack.

* Apply separate VLANs to your voice and data network as much as your converged network will allow. Ensure that VoIP DHCP and TFTP servers are separate from your data network.

* Change the default passwords on phones' and proxies' administrative login functions.

* Ensure that the VoIP VLAN cannot be used as a way to gain access to other core services; usually this is a propagated VLAN over different locations with some machines, such as the Call Manager, dual homed.

The whole thing is here.
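As an added illustration of the scanning and service-hardening bullets in the SANS list (not code from SANS or from this post), the following script takes a summary of which ports were found open on each VoIP device, and from which network zone, and grades them against that baseline: SIP signalling is allowed, RTP/RTCP media must not be reachable from the Internet, management services such as telnet and HTTP should be disabled or confined, and anything else exposed to the Internet should be firewalled. The port numbers, zone labels and scan rows are assumptions constructed for the example; adjust them to the vendor's documented ports.

```python
from collections import namedtuple

# Ports VoIP operation needs (assumption: SIP signalling plus a typical
# RTP/RTCP media range; adjust to the vendor's documented ports).
SIGNALLING = {("tcp", 5060), ("udp", 5060), ("tcp", 5061)}
RTP_RANGE = range(16384, 32768)   # RTP/RTCP media, UDP only
# Services the SANS list says to disable or restrict on phones and servers.
MANAGEMENT = {("tcp", 23): "telnet", ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
              ("udp", 69): "TFTP", ("udp", 161): "SNMP"}

Finding = namedtuple("Finding", "device proto port severity advice")

def classify(device, proto, port, source):
    """One open port -> Finding, or None when the baseline allows it.
    `source` is the zone it was reachable from: "voice_vlan", "data_vlan"
    or "internet" (constructed labels, not a scanner field)."""
    key, from_internet = (proto, port), source == "internet"
    if proto == "udp" and port in RTP_RANGE:
        # Media ports stay inside the voice VLAN; a VoIP-aware firewall/IPS
        # opens them per call instead of leaving them static to the Internet.
        if from_internet:
            return Finding(device, proto, port, "high",
                           "RTP/RTCP open to Internet: front with VoIP-aware firewall/IPS")
        return None
    if key in MANAGEMENT:
        return Finding(device, proto, port, "high" if from_internet else "medium",
                       f"{MANAGEMENT[key]} enabled: disable, or restrict to management VLAN")
    if key in SIGNALLING:
        return None   # required for operation, so the baseline allows it
    if from_internet:
        return Finding(device, proto, port, "high", "not required for VoIP: firewall from Internet")
    return Finding(device, proto, port, "medium", "not required for VoIP: review and disable")

def audit(scan):
    """Classify every (device, proto, port, source) row; worst findings first."""
    rank = {"high": 0, "medium": 1}
    findings = [f for row in scan if (f := classify(*row)) is not None]
    return sorted(findings, key=lambda f: (rank[f.severity], f.device, f.port))

# Constructed scan summary of one phone and one SIP proxy (not real hosts).
SAMPLE_SCAN = [
    ("phone-0123", "udp", 5060, "voice_vlan"),   # SIP: allowed
    ("phone-0123", "udp", 16400, "internet"),    # RTP exposed: high
    ("phone-0123", "tcp", 23, "data_vlan"),      # telnet: medium
    ("phone-0123", "tcp", 80, "voice_vlan"),     # HTTP admin page: medium
    ("sip-proxy", "tcp", 5061, "internet"),      # SIP over TLS: allowed
    ("sip-proxy", "tcp", 3306, "internet"),      # stray service: high
]
```

Feeding `audit(SAMPLE_SCAN)` the rows above yields four findings, with the exposed RTP port and the stray Internet-facing service ranked ahead of the two management services.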

What strikes me about that list is that 3 of the 9 points relate, in one way or another, to patching. Gary Audin has written a lot about patching and version control, but when he did a session on the topic at VoiceCon San Francisco in August, it didn't draw quite as well as I'd expected it would. The VoiceCon audience loves Gary, so my conclusion was that they weren't as concerned about this as maybe they should start being.

Another noteworthy thing is that SANS is still pushing the Separate VLANs fix, which is rightly being questioned [Blog Post 6]. However, the other half of that bullet point, about DHCP and TFTP servers, certainly makes sense.

About the Author

Eric Krapf

Eric Krapf is General Manager and Program Co-Chair for Enterprise Connect, the leading conference/exhibition and online events brand in the enterprise communications industry. He has been Enterprise Connect's Program Co-Chair for over a decade. He is also publisher of No Jitter, the Enterprise Connect community's daily news and analysis website.
 

Eric served as editor of No Jitter from its founding in 2007 until taking over as publisher in 2015. From 1996 to 2004, Eric was managing editor of Business Communications Review (BCR) magazine, and from 2004 to 2007, he was the magazine's editor. BCR was a highly respected journal of the business technology and communications industry.
 

Before coming to BCR, he was managing editor and senior editor of America's Network magazine, covering the public telecommunications industry. Prior to working in high-tech journalism, he was a reporter and editor at newspapers in Connecticut and Texas.