On 02.01.2014 17:00, Jr Richardson wrote:
Would it be prudent to open UDP media ports from the Internet to the PBXs on a case-by-case basis, basically whitelisting media streams, or is there any attack vulnerability with UDP in the media port range, or should I open up the media port range to all PBXs and not worry about attacks? Are there any UDP media exploits that I should be concerned with, or UDP flood attacks that could DoS my hosted PBXs?
Media proxies are usually just simple "UDP" forwarders. Thus, they do not check the payload of the UDP packet. Therefore, from the point of view of the application which processes the RTP packet, there is no additional security in using a media proxy, as for example a malicious RTP packet will just be forwarded to the PBX. Nevertheless, it can be useful to use them, e.g. to have a single entry point for FW configuration, debugging ... When using a media relay, I always configure a very wide port range to make it more difficult for attackers to guess the port. Of course you should avoid having other processes on this server listening in the same port range, as you have to open the whole port range on the firewall.
If you want to protect the RTP layer of your PBX, you need a B2BUA which fully checks the whole UDP payload to verify if it is a proper RTP packet. But on the other hand, you never know which RTP stack is more robust (the one from your PBX or the one from the B2BUA).
I personally add media relays, not for additional RTP layer security, but for operational issues (debugging, single entry point ...).
regards Klaus
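The kind of payload check Klaus attributes to a B2BUA, as an added example that is not part of this thread: a minimal RFC 3550 header validator that a relay or SBC could apply to each UDP datagram before handing it to the PBX's RTP stack. The sample datagrams are constructed for the example, and the function and field names are the example's own.

```python
import struct

# Minimal RTP (RFC 3550) header validator: accept only datagrams whose
# header is internally consistent, reject everything else before it
# reaches the PBX's RTP stack.
RTP_VERSION = 2
FIXED_HEADER_LEN = 12  # V/P/X/CC, M/PT, sequence, timestamp, SSRC


def validate_rtp(datagram: bytes):
    """Return a dict of header fields if `datagram` is well-formed RTP, else None."""
    if len(datagram) < FIXED_HEADER_LEN:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", datagram[:FIXED_HEADER_LEN])
    if b0 >> 6 != RTP_VERSION:
        return None
    padding, extension, cc = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    marker, pt = bool(b1 & 0x80), b1 & 0x7F
    # PT 72-76 are reserved: with the marker bit set they collide with RTCP types 200-204.
    if 72 <= pt <= 76:
        return None
    offset = FIXED_HEADER_LEN + 4 * cc  # CSRC list follows the fixed header
    if len(datagram) < offset:
        return None
    csrcs = list(struct.unpack("!%dI" % cc, datagram[FIXED_HEADER_LEN:offset])) if cc else []
    if extension:  # profile-specific header extension, length counted in 32-bit words
        if len(datagram) < offset + 4:
            return None
        ext_len = struct.unpack("!H", datagram[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_len
        if len(datagram) < offset:
            return None
    end = len(datagram)
    if padding:  # last octet gives the number of padding octets, itself included
        pad = datagram[-1]
        if pad == 0 or offset + pad > end:
            return None
        end -= pad
    return {"pt": pt, "marker": marker, "seq": seq, "timestamp": ts, "ssrc": ssrc,
            "csrcs": csrcs, "payload_len": end - offset}


# Constructed sample datagrams (not captured traffic).
GOOD_PCMU = bytes([0x80, 0x00]) + struct.pack("!HII", 1, 160, 0x12345678) + b"\xff" * 160
PADDED = bytes([0xA0, 0x08]) + struct.pack("!HII", 7, 960, 0xCAFEBABE) + b"\x11" * 4 + b"\x00\x00\x00\x04"
WITH_EXT = bytes([0x90, 0x60]) + struct.pack("!HII", 2, 320, 1) + struct.pack("!HH", 0xBEDE, 1) + b"\x00" * 4 + b"\x22" * 8
GARBAGE = b"\x00" * 20      # version 0: not RTP, a plain UDP forwarder would still relay it
TRUNCATED = GOOD_PCMU[:11]  # shorter than the fixed header

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_PCMU), ("padded", PADDED), ("ext", WITH_EXT),
                      ("garbage", GARBAGE), ("truncated", TRUNCATED)]:
        print(name, validate_rtp(pkt))
```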