Fair point.
Neill...;o)
-----Original Message-----
From: Juha Heinanen [mailto:jh@tutpro.com]
Sent: 14 December 2007 10:33
To: Neill Wilkinson
Cc: users(a)lists.openser.org
Subject: Re: [OpenSER-Users] Security hole in REGISTER's Contact using domain
Neill Wilkinson writes:

Surely just authenticate all register requests with www-challenge. Hide your gateway and SER behind a firewall so your Gateway cannot be seen from the outside work (from a SIP Signalling perspective), and for PSTN calls from authenticated users do a rewritehost and forward to send the INVITEs on to the PSTN gateway?

Neill....;o)

perhaps you didn't understand the problem. authenticating register
requests is not enough. you also need to check what user puts in
contact(s), since you cannot hide your gws from your proxies.
-- juha
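
The Contact check discussed in this thread, sketched in Python as an added example (it is not code from the thread or from OpenSER): a registrar-side function that rejects a REGISTER whose Contact host is, or resolves to, a PSTN gateway address. The gateway address, the host names, the stub DNS table and all function names are constructed assumptions.

```python
import ipaddress
import re

# Constructed values (assumptions, not from the thread).
GATEWAYS = {ipaddress.ip_address("192.0.2.10")}
STUB_DNS = {"gw.example.net": ["192.0.2.10"],
            "phone.example.org": ["198.51.100.7"]}

# Host part of a sip:/sips: URI, skipping optional userinfo.
URI_RE = re.compile(r"sips?:(?:[^@>;\s,]*@)?(\[[0-9a-f:.]+\]|[^:;>\s,?]+)", re.I)


def stub_resolve(host):
    """Offline stand-in for DNS; a deployment would query its resolver."""
    return STUB_DNS.get(host.lower(), [])


def contact_hosts(register):
    """Hosts of every Contact URI (folded, multi-valued or compact 'm:')."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", register)
    head = re.split(r"\r?\n\r?\n", unfolded, maxsplit=1)[0]
    hosts = []
    for line in head.splitlines()[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("contact", "m"):
            hosts += URI_RE.findall(value)
    return hosts


def contact_allowed(register, resolve=stub_resolve):
    """False if any Contact host is, or resolves to, a gateway address."""
    for host in contact_hosts(register):
        try:
            addrs = [ipaddress.ip_address(host.strip("[]"))]
        except ValueError:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        # Fail closed on names that do not resolve.
        if not addrs or any(a in GATEWAYS for a in addrs):
            return False
    return True


def make_register(contact_header):
    """Build a constructed REGISTER carrying the given Contact header line."""
    return ("REGISTER sip:example.org SIP/2.0\r\n"
            "To: <sip:alice@example.org>\r\n"
            f"{contact_header}\r\n"
            "Content-Length: 0\r\n\r\n")
```

A name that passes at registration time can later resolve to a different address, so the same comparison is worth repeating when the stored contact is used for forwarding.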