
More on VOIP Vulnerabilities: SANS

The SANS Institute has compiled its year-end list of security vulnerabilities, and there's quite a bit of detail on VOIP. Their suggestions for mitigation:

* Consider security concerns as an integral part of any VoIP implementation. Additional caution should be taken at the product selection phase to ensure the VoIP product vendors support OS patches as they are released. Many VoIP vendors will void support for unapproved patches and may take considerable time before approving them.

* Apply the vendor supplied patches for VoIP servers and phone software/firmware as they become available.

* Ensure that operating systems running VoIP servers are patched with the latest OS patch supplied by either the OS vendor or the VoIP product vendor.

* Scan the VoIP servers and phones to detect open ports. Firewall all the ports from the Internet that are not required for operation of the VoIP infrastructure.

* Use a VoIP protocol aware firewall or Intrusion Prevention product to ensure that all UDP ports on VoIP phones are not open to the Internet for RTP/RTCP communications.

* Disable all unnecessary services on phones and servers (telnet, HTTP etc.).

* Consider using VoIP protocol fuzzing tools such as OULU SIP PROTOS Suite against the VoIP components to ensure the VoIP protocol stack integrity.

* Apply separate VLANs to your voice and data network as much as your converged network will allow. Ensure that VoIP DHCP and TFTP servers are separate from your data network.

* Change the default passwords on phones' and proxies' administrative login functions.

* Ensure that the VoIP VLAN cannot be used as a way to gain access to other core services; usually this is a propagated VLAN over different locations with some machines such as the Call Manager dual homed.
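The "scan for open ports, firewall what isn't required, disable telnet/HTTP" bullets above can be turned into a repeatable check. The script below is an added example, not part of the SANS list or this post: it compares per-host scan results against a VoIP port allowlist and reports anything outside it. The allowlist values (SIP on 5060/5061, RTP/RTCP on UDP 16384-32767 for phones) and the scan data are assumptions constructed for the example; adjust them to the products actually deployed.

```python
"""Audit constructed scan results against a VoIP port allowlist.

Added example, not part of the SANS list or the post. The allowlist is an
assumption: SIP on 5060/5061 and an RTP/RTCP range of UDP 16384-32767
(a common phone default); adjust it to the products actually deployed.
"""

# Ports each role legitimately needs (assumed values, see module docstring).
SIP = {("tcp", 5060), ("udp", 5060), ("tcp", 5061)}
RTP = {("udp", p) for p in range(16384, 32768)}
ALLOWED = {"sip_proxy": SIP, "phone": SIP | RTP}

# Services the list says to disable on phones and servers.
UNNEEDED = {("tcp", 23): "telnet", ("tcp", 80): "http", ("tcp", 21): "ftp"}

# Constructed scan output: host -> (role, set of (proto, port) found open).
SAMPLE_SCAN = {
    "phone-1": ("phone", {("udp", 5060), ("udp", 20000), ("tcp", 23), ("tcp", 80)}),
    "proxy-1": ("sip_proxy", {("tcp", 5060), ("udp", 5060), ("tcp", 5061), ("tcp", 22)}),
}


def unexpected_ports(role, open_ports):
    """Return sorted (proto, port, reason) for ports outside the role's allowlist."""
    findings = []
    for proto, port in sorted(open_ports):
        if (proto, port) in ALLOWED[role]:
            continue
        reason = UNNEEDED.get((proto, port), "not in VoIP allowlist; firewall or justify")
        findings.append((proto, port, reason))
    return findings


def audit(scan):
    """Run unexpected_ports over every host; hosts with no findings are omitted."""
    report = {}
    for host, (role, ports) in scan.items():
        findings = unexpected_ports(role, ports)
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_SCAN).items():
        for proto, port, reason in findings:
            print(f"{host}: {proto}/{port} open: {reason}")
```

Feed it the parsed output of whatever scanner you already use; the point is that the allowlist, not the scan, is the policy you maintain.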

The whole thing is here.

What strikes me about that list is that 3 of the 9 points relate, in one way or another, to patching. Gary Audin has written a lot about patching and version control, but when he did a session on the topic at VoiceCon San Francisco in August, it didn't draw quite as well as I'd expected it would. The VoiceCon audience loves Gary, so my conclusion was that they weren't as concerned about this as maybe they should start being.

Another noteworthy thing is that SANS is still pushing the Separate VLANs fix, which is rightly being questioned [Blog Post 6]. However, the other half of that bullet point, about DHCP and TFTP servers, certainly makes sense.
