[OpenSER-Users] OpenSER and Security - how?!
Klaus Darilion
klaus.mailinglists at pernau.at
Tue Mar 4 15:07:48 CET 2008
Max Bowsher wrote:
> I've been looking at the possibility of using OpenSER as an
> ingress/egress gateway, mediating access between the internet at large,
> and a private network containing amongst other things SIP servers
> through which a call may be routed to provide services such as IVR and
> call archiving, but which should otherwise be hidden from the outside world.
>
> I'm finding two interlinked problems:
>
> (1) The internal layout of the network is revealed in Via headers - OK,
> so this is somewhat intrinsic in SIP, and not really OpenSER's fault,
> but....

For topology hiding you need a B2BUA (back-to-back user agent).

> (2) ... If an inbound SIP request has Route headers, loose_route()
> pretty much sends it wherever the requester asks. There are admonitions
> in the OpenSER docs about the need to secure loose_route(), but there's
> no information I can find on how you should do this. In particular, a
> simple authorization scheme is not good enough - just because someone
> should be allowed to place calls through the gateway, doesn't mean it
> should be allowed absolute control over the routing of the request, or
> they could use information gleaned from Via headers of previous
> transactions to add or bypass routing steps within the private network
> at will.

At first: do not allow loose route for out-of-dialog requests.
Second: Usually in-dialog requests just get routed, as the client
should reject the request if it is a faked in-dialog request.
Nevertheless - YES - it is possible to send messages to internal SIP
servers by finding out the IP address and spoofing Route headers. Thus,
either the internal components must be secure on their own or you have
to use a B2BUA to hide them.

regards
klaus

>
>
> Is it possible to securely use OpenSER on a security boundary? If so, how?
>
>
> Max.
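
The first rule from the reply above (no loose routing for out-of-dialog requests), written out as an OpenSER routing-script fragment. This is an added example, not part of the original thread or of the OpenSER sample configuration. It assumes has_totag() is available in your version and that the textops, sl and tm modules are loaded; stripping Route headers from out-of-dialog requests is a policy choice made here.

```cfg
route {
    # In-dialog request (the To header carries a tag):
    # follow the route set recorded when the dialog was created.
    if (has_totag()) {
        if (loose_route()) {
            t_relay();
            exit;
        }
        # To-tag present but no usable Route set: nothing to follow.
        if (is_method("ACK")) {
            exit;                      # never reply to an ACK
        }
        sl_send_reply("404", "Not here");
        exit;
    }

    # Out-of-dialog request: loose_route() is never called here, so
    # sender-supplied Route headers cannot choose the next hop.
    # Assumption: this gateway has no legitimate preloaded routes,
    # so the headers are removed before the request goes any further.
    if (is_present_hf("Route")) {
        remove_hf("Route");
    }

    # ... authentication and Request-URI based routing continue here ...

    # Caveat from the reply: a request with a forged To-tag still takes
    # the in-dialog branch, so internal servers must reject unknown
    # dialogs themselves or sit behind a B2BUA.
}
```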