[Asterisk-Users] Open Ports

Antony Stone Antony.Stone at Asterisk.Open.Source.IT
Sat Dec 18 04:19:07 MST 2004


On Saturday 18 December 2004 10:58, Norman Zhang wrote:

> > SIP uses port 5060
> >
> > RTP uses multiple ports, typically in the range 10000-20000
> >
> > Remember that SIP and RTP are different - SIP is used to set up the call;
> > RTP is used to carry the audio once the call has been set up.
>
> Thanks. May I ask what security control can be applied to RTP besides
> reducing the opened range? Is there any stateful inspection that can be done
> on this?

What insecurity exists from leaving the range open?

I am not aware of any stateful helper modules (e.g. for netfilter) which handle 
RTP streams, and certainly not any which understand the relationship between 
SIP and RTP (e.g. by matching source/destination IP addresses); however, I 
wouldn't have thought it should be too difficult to write a netfilter module 
to get RTP treated as "related" to an existing SIP connection?

But, to return to my initial question, what's the security risk in leaving 
your Asterisk server open to UDP packets from the world?

I regard it like a mail server - a firewall allowing TCP packets through to 
port 25 cannot protect against an application vulnerability in the MTA; the 
application server itself has to be secure for your system to be safe. Same 
goes for a web server, or an Asterisk server.

Regards,

Antony.

-- 
Never automate fully anything that does not have a manual override capability. 
Never design anything that cannot work under degraded conditions in emergency.

                                                     Please reply to the list;
                                                           please don't CC me.
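The SIP-aware helper the reply speculates about, sketched as an added Python example (not code from this post, from Asterisk, or from netfilter): it reads the SDP offer in a caller's INVITE and the SDP answer in Asterisk's 200 OK, checks that the address the caller's SDP names for media is the address the INVITE actually came from (the "matching source/destination IP addresses" idea) and that our own media port lies inside the rtp.conf range, and then emits the two per-call iptables rules a helper would open instead of leaving UDP 10000-20000 open to the world. The SIP messages, the addresses 203.0.113.5 and 192.0.2.10, the ports and the `_sip` builder are constructed for the example; `Pinhole`, `derive_pinhole` and `pinhole_or_none` are hypothetical names, not an Asterisk or netfilter API.

```python
"""Per-call RTP pinholes derived from SIP/SDP: what a SIP-aware firewall
helper would open instead of the whole 10000-20000 UDP range.
Added example; not Asterisk, netfilter or mailing-list code."""
import ipaddress
from dataclasses import dataclass

# Asterisk's default RTP range (rtp.conf rtpstart/rtpend). An answer naming
# a port outside it cannot be one our own server sent.
RTP_RANGE = (10000, 20000)


@dataclass(frozen=True)
class Pinhole:
    """The single UDP flow (plus RTCP on port+1) that one call needs."""
    peer_ip: str
    peer_port: int
    our_ip: str
    our_port: int


def sdp_media(sip_message: str) -> tuple[str, int]:
    """Return (ip, port) of the first audio stream in a SIP message's SDP body."""
    headers, sep, body = sip_message.partition("\r\n\r\n")
    if not sep or "application/sdp" not in headers.lower():
        raise ValueError("no SDP body")
    ip = port = None
    for line in body.splitlines():
        if line.startswith("m="):
            if port is not None:
                break                          # later m= sections are not our concern
            if line.startswith("m=audio "):
                port = int(line.split()[1])
        elif line.startswith("c=IN IP4 "):     # a media-level c= follows its m= and wins
            ip = str(ipaddress.IPv4Address(line.split()[2]))  # rejects garbage
    if ip is None or port is None:
        raise ValueError("SDP lacks c= or m=audio")
    if not 1 <= port <= 65535:                 # m=audio 0 means 'stream rejected'
        raise ValueError(f"unusable RTP port {port}")
    return ip, port


def derive_pinhole(offer: str, offer_src_ip: str, answer: str, our_ip: str) -> Pinhole:
    """Pair the caller's INVITE (offer) with our 200 OK (answer).

    The address the caller's SDP asks us to send media to must equal the
    address the INVITE arrived from, so SDP cannot punch holes towards a third
    party. A NATed caller whose SDP carries a private address fails this check;
    a production helper would rewrite the address rather than drop the call.
    """
    peer_ip, peer_port = sdp_media(offer)
    if peer_ip != offer_src_ip:
        raise ValueError(f"SDP c={peer_ip} != SIP source {offer_src_ip}")
    ans_ip, ans_port = sdp_media(answer)
    if ans_ip != our_ip or not RTP_RANGE[0] <= ans_port <= RTP_RANGE[1]:
        raise ValueError("answer media address/port is not ours")
    return Pinhole(peer_ip, peer_port, our_ip, ans_port)


def pinhole_or_none(offer, offer_src_ip, answer, our_ip):
    """Firewall-daemon flavour of the above: None means 'open nothing'."""
    try:
        return derive_pinhole(offer, offer_src_ip, answer, our_ip)
    except ValueError:
        return None


def iptables_rules(p: Pinhole) -> list[str]:
    """Inbound accept rules for RTP and for RTCP (port+1 by RFC 3550 convention)."""
    return [
        f"iptables -A INPUT -p udp -s {p.peer_ip} --sport {p.peer_port + i}"
        f" -d {p.our_ip} --dport {p.our_port + i} -j ACCEPT"
        for i in (0, 1)
    ]


def _sip(start_line: str, headers: list[str], sdp: str) -> str:
    """Builder for the constructed messages below; sets a correct Content-Length."""
    hdrs = headers + ["Content-Type: application/sdp", f"Content-Length: {len(sdp)}"]
    return start_line + "\r\n" + "\r\n".join(hdrs) + "\r\n\r\n" + sdp


# Constructed exchange, not a capture: 203.0.113.5 calls Asterisk at 192.0.2.10.
_CALL_HDRS = ["Via: SIP/2.0/UDP 203.0.113.5:5060;branch=z9hG4bK776asdhds",
              "From: <sip:alice@203.0.113.5>;tag=1928301774",
              "To: <sip:100@192.0.2.10>",
              "Call-ID: a84b4c76e66710@203.0.113.5",
              "CSeq: 314159 INVITE"]
_OFFER_SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 203.0.113.5\r\ns=-\r\n"
              "c=IN IP4 203.0.113.5\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0 8 101\r\n")
INVITE = _sip("INVITE sip:100@192.0.2.10 SIP/2.0", _CALL_HDRS, _OFFER_SDP)
OK_200 = _sip("SIP/2.0 200 OK", _CALL_HDRS,
              "v=0\r\no=asterisk 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
              "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 18230 RTP/AVP 0\r\n")
# Same caller, but its SDP points media at a third party: must be refused.
SPOOFED_INVITE = _sip("INVITE sip:100@192.0.2.10 SIP/2.0", _CALL_HDRS,
                      _OFFER_SDP.replace("c=IN IP4 203.0.113.5", "c=IN IP4 198.51.100.9"))

if __name__ == "__main__":
    for rule in iptables_rules(derive_pinhole(INVITE, "203.0.113.5", OK_200, "192.0.2.10")):
        print(rule)
    print("spoofed offer accepted:",
          pinhole_or_none(SPOOFED_INVITE, "203.0.113.5", OK_200, "192.0.2.10") is not None)
```

Two caveats the reply itself implies. The pinhole only narrows which UDP packets reach Asterisk; it does nothing about a vulnerability in Asterisk's own RTP or SIP handling, which is the mail-server point made above. And the strict source-address check is what stops SDP from being used to open the firewall towards an arbitrary host, but it also refuses callers behind NAT whose SDP carries a private address, so a real helper has to choose between rewriting and rejecting.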