[Asterisk-Users] Open Ports

tim panton tpanton at attglobal.net
Sat Dec 18 06:00:02 MST 2004


Comments inline...

On 18 Dec 2004, at 11:40, Rich Adamson wrote:

>>>> SIP uses port 5060
>>>>
>>>> RTP uses multiple ports, typically in the range 10000-20000
>>>>
>>>> Remember that SIP and RTP are different - SIP is used to set up the call;
>>>> RTP is used to carry the audio once the call has been set up.
>>>
>>> Thanks. May I ask what security control can be applied to RTP besides
>>> reducing the opened range? Can any stateful inspection be done on this?
>>
>> What insecurity exists from leaving the range open?
>>
>> I am not aware of any stateful helper modules (eg for netfilter) which handle
>> RTP streams, and certainly not any which understand the relationship between
>> SIP and RTP (eg by matching source/destination IP addresses), however I
>> wouldn't have thought it should be too difficult to write a netfilter module
>> to get RTP treated as "related" to an existing SIP connection?
>>
>> But, to return to my initial question, what's the security risk in leaving
>> your Asterisk server open to UDP packets from the world?
>>
>> I regard it like a mail server - a firewall allowing TCP packets through to
>> port 25 cannot protect against an application vulnerability in the MTA; the
>> application server itself has to be secure for your system to be safe. Same
>> goes for a web server, or an Asterisk server.
>
> The answer to your questions depend entirely upon your specific
> implementation.

And your network environment. Some of us run our VoIP data on different
networks from our data networks; this reduces the exposure, but even then, if
you have a real PSTN connection on that network, you could be risking giving
away free calls or having your ability to make calls removed or reduced.

>
> If you have a small number of remote locations passing through the
> firewall, and, you write your inbound firewall rules to allow specific
> IP addresses, and, you forward those to a specific internal IP address,
> then there isn't much of a security issue.

True, but you are extending the 'envelope of trust' to include (to some extent)
the networks on the far end.

>
> However, if you open all udp ports (eg, 10000 - 20000) inbound _and_
> you happen to have other services running on that box that _might_ use
> those ports, then you're allowing access to those other services as
> well. (How many trojans, etc, happen to use ports in that range?)

You are also exposing your network to potential mapping and denial
of service attacks.

>
> Cisco phones use udp ports 16384-32776, while Xlite uses something like
> udp ports 8000-8050, and Polycom phones use another range, etc. If you
> worked for a large company that didn't have any sip phone standards and
> you had to open everything that _could_ be used for rtp, then you really
> would be opening a huge number of udp ports. At least some of those ports
> have other uses.

Including dynamically allocated ones that may (sometimes) use that range,
like (some) DNS queries, SNMP managers, interactive chat and gaming apps, etc.

>
> Keep in mind using the above port range examples only, that Asterisk
> might use rtp port 12345 in one direction and the Cisco phone might
> use 32775 in the other direction.
>
> If you are trying to set this up for a small SOHO, then you might
> consider changing the rtp port range for the remote phones to something
> like 20000-20050, and changing Asterisk to 10000-10050 (or to the same
> 20000-20050) significantly reducing the number of holes poked in the
> firewall. Lots of flexibility "if" you have control over the configs.

I'm not as convinced by the numbers reduction game as far as ports are
concerned. By limiting the IP addresses to a few you are reducing risk by a
factor of millions. Even if you reduce the ports to 10, the risk reduction is
only by 1000.

However, when thinking about this, remember that for UDP it is appallingly
easy to spoof the _from_ address, so well crafted DoS attacks can still
sneak in through the one IP address you are letting in, even though the
attacker is not actually sending from that address.

Yep, I was tech director of a network security company in a former 
life.....
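As an added illustration of the two checks discussed above (is the RTP range opened to the whole Internet, and is the firewall hole wider than what Asterisk is actually configured to use), here is a small audit script. It is not from this thread or from Asterisk; it assumes an `iptables-save` style rule dump and the `rtpstart`/`rtpend` keys of Asterisk's rtp.conf, and both sample inputs below are constructed.

```python
"""Audit how far an Asterisk RTP port range is exposed by the firewall."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of the [general] section of rtp.conf (narrowed range).
RTP_CONF = """
[general]
rtpstart=10000
rtpend=10050
"""

# Constructed iptables-save excerpt: one SIP rule and two RTP rules.
# The last rule is the weak one: any source, and a far wider range.
IPTABLES_SAVE = """
-A INPUT -s 203.0.113.5/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p udp -m udp --dport 10000:10050 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
"""

RULE_RE = re.compile(
    r"-A INPUT(?: -s (\S+))? -p udp -m udp --dport (\d+)(?::(\d+))? -j ACCEPT"
)

@dataclass
class Finding:
    rule: str
    reason: str

def parse_rtp_range(conf):
    """Return (rtpstart, rtpend) from an rtp.conf text."""
    kv = dict(re.findall(r"^(rtpstart|rtpend)\s*=\s*(\d+)", conf, re.M))
    return int(kv["rtpstart"]), int(kv["rtpend"])

def audit(iptables_save, rtp_conf):
    """Flag UDP ACCEPT rules that overlap the RTP range but are open to any
    source, or that open more ports than Asterisk is configured to use."""
    lo, hi = parse_rtp_range(rtp_conf)
    findings = []
    for line in iptables_save.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src, start = m.group(1), int(m.group(2))
        end = int(m.group(3) or m.group(2))
        if end < lo or start > hi:          # not an RTP rule (eg SIP 5060)
            continue
        if src is None or ipaddress.ip_network(src).prefixlen == 0:
            findings.append(Finding(line, "RTP range accepted from any source"))
        if start < lo or end > hi:
            findings.append(Finding(line, f"{start}-{end} wider than rtp.conf {lo}-{hi}"))
    return findings
```

Even a clean result only addresses the port and source-address questions; as the reply notes, UDP source addresses can be spoofed, so this narrows exposure rather than closing it.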
