[Asterisk-Users] Open Ports

[Rich Adamson]

> > > SIP uses port 5060
> > >
> > > RTP uses multiple ports, typically in the range 10000-20000
> > >
> > > Remember that SIP and RTP are different - SIP is used to set up the call;
> > > RTP is used to carry the audio once the call has been set up.
> >
> > Thanks. May I ask what security control can be applied to RTP besides
> > reducing the opened range? Are there stateful inspection can be done on
> > this?
> 
> What insecurity exists from leaving the range open?
> 
> I am not aware of any stateful helper modules (eg for netfilter) which handle 
> RTP streams, and certainly not any which understand the relationship between 
> SIP and RTP (eg by matching source/destination IP addresses), however I 
> wouldn't have thought it should be too difficult to write a netfilter module 
> to get RTP treated as "related" to an existing SIP connection?
> 
> But, to return to my initial question, what's the security risk in leaving 
> your Asterisk server open to UDP packets from the world?
> 
> I regard it like a mail server - a firewall allowing TCP packets through to 
> port 25 cannot protect against an application vulnerability in the MTA; the 
> application server itself has to be secure for your system to be safe.   Same 
> goes for a web server, or an Asterisk server.

The answer to your questions depend entirely upon your specific 
implementation.

If you have a small number of remote locations passing through the
firewall, and, you write your inbound firewall rules to allow specific 
Ip addresses, and, you forward those to a specific internal Ip address,
then there isn't much of a security issue.

However, if you open all udp ports (eg, 10000 - 20000) inbound _and_
you happen to have other services running on that box that _might_ use
those ports, then you're allowing access to those other services as
well. (How many trojans, etc, happen to use ports in that range?)

Cisco phones use udp ports 16384-32776, while Xlite uses something like
udp ports 8000-8050, and Polycom phones use another range, etc. If you
worked for a large company that didn't have any sip phone standards and
you had to open everything that _could_ be used for rtp, then you really
would be opening a hugh number of udp ports. At least some of those ports
have other uses.

Keep in mind using the above port range examples only, that Asterisk
might use rtp port 12345 in one direction and the Cisco phone might
use 32775 in the other direction.

If you are trying to set this up for a small SOHO, then you might
consider changing the rtp port range for the remote phones to something
like 20000-20050, and changing Asterisk to 10000-10050 (or to the same
20000-20050) significantly reducing the number of holes poked in the
firewall. Lots of flexibility "if" you have control over the configs.