[SR-Users] SIP Security Architectural Question to Use RTP/Media Proxy or Not?

Muhammad Shahzad shaheryarkh at gmail.com
Thu Jan 2 17:27:19 CET 2014


Generally, opening the media port range is fine. Media ports are usually
dynamically allocated and not easy for an attacker to guess.

Secondly, using a proxy like mediaproxy or mediaproxy-ng, which use kernel-
based RTP packet forwarding, it is not easy to create a DoS attack, since the
kernel will only accept RTP packets from IP addresses advertised by SIP UAs.

Thank you.




On Thu, Jan 2, 2014 at 5:00 PM, Jr Richardson <jmr.richardson at gmail.com> wrote:

> Hi All,
>
> Background:
> We are a service provider offering VoIP/Data services to business
> customers.  All hosted VoIP systems and customers are mostly on-net,
> VoIP systems not exposed to the Internet, but all hosted PBXs do have
> public IP addresses.  I do have some customers with off-net phones/users,
> so I basically whitelist their IPs so the phones can register back
> to their hosted PBX.  This works well and keeps SIP attack vectors to
> a minimum.  I've been working on a single point of registration
> Kamailio server to backend PBXs so I can further control public
> Internet access to hosted PBXs.  I've got this working in the lab but
> have some concerns about RTP streams.
>
> I know I can use an RTP/media proxy to also have a single point of
> entry for media streams to the backend PBXs, but I don't believe
> this to be the best method.  Researching SBCs and what I know about
> SIP and RTP streams, it's best to have media controlled via the B2BUA
> (Asterisk in this case), and since all my hosted PBXs have public IPs
> there would be no compelling reason to proxy RTP, adding another hop,
> latency and point of failure, other than for security.  I'm not
> transcoding media or doing anything outside of the capability of the
> B2BUA as far as media goes.
>
> Question:
> Would it be prudent to open UDP media ports from the Internet to PBXs on
> a case-by-case basis, basically whitelisting media streams, or is
> there any attack vulnerability with UDP in the media port range, or
> should I open up the media port range to all PBXs and not worry about
> attacks?  Are there any UDP media exploits that I should be concerned
> with, or UDP flood attacks that could DoS my hosted PBXs?
>
> Thanks for any feedback.
>
> JR
> --
> JR Richardson
> Engineering for the Masses
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>



-- 
Kind regards
Muhammad Shahzad
-----------------------------------
Cisco Rich Media Communication Specialist (CRMCS)
Cisco Certified Network Associate (CCNA)
Cell: +49 176 99 83 10 85
MSN: shari_786pk at hotmail.com
Email: shaheryarkh at googlemail.com
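The source filter that the reply above attributes to kernel-based RTP forwarding, modelled in Python as an added example. This is not mediaproxy or rtpengine code and is not from either poster: it is a simplified model in which a relay socket is allocated per call, the remote endpoint is taken from the c= and m=audio lines of the peer's SDP, and any datagram on that socket that does not come from exactly that IP:port, or does not carry an RTP v2 header, is dropped instead of being relayed to the PBX. The SDP body, addresses, port numbers and the class/function names are constructed for illustration; the model handles IPv4 only and ignores NAT (a real relay has to learn the actual source when the SDP address is private).

```python
# Added example (not from the mailing-list thread): a model of the per-call
# source filter a kernel-forwarding RTP relay applies. The SDP body, the
# addresses and ports, and all names below are constructed for illustration.

from dataclasses import dataclass


@dataclass
class MediaLeg:
    """One relay socket and the only remote endpoint allowed to send into it."""
    allowed_ip: str
    allowed_port: int
    forwarded: int = 0
    dropped: int = 0


def parse_sdp_audio(sdp: str) -> tuple[str, int]:
    """Return (ip, port) advertised for the first m=audio section.

    A media-level c= line (after the m=audio line) overrides the session-level
    c= line. IPv4 only, which is what the constructed SDP uses.
    """
    session_ip = media_ip = port = None
    seen_media = in_audio = False
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            if in_audio:
                break                      # end of the audio section
            seen_media = True
            in_audio = line.startswith("m=audio ")
            if in_audio:
                port = int(line.split()[1])
        elif line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if in_audio:
                media_ip = ip              # media-level c= wins
            elif not seen_media:
                session_ip = ip            # session-level c=
    ip = media_ip or session_ip
    if ip is None or port is None:
        raise ValueError("no usable m=audio/c= pair in SDP")
    return ip, port


def looks_like_rtp(payload: bytes) -> bool:
    """Cheap sanity check: RTP version 2 and at least the 12-byte fixed header."""
    return len(payload) >= 12 and (payload[0] >> 6) == 2


class KernelStyleRelay:
    """Forward a datagram only if it arrives on a port allocated to a call,
    from the exact IP:port that call's SDP advertised, and parses as RTP."""

    def __init__(self) -> None:
        self.legs: dict[int, MediaLeg] = {}
        self.unallocated_dropped = 0       # packets to ports with no call

    def open_leg(self, local_port: int, remote_sdp: str) -> MediaLeg:
        ip, port = parse_sdp_audio(remote_sdp)
        leg = MediaLeg(ip, port)
        self.legs[local_port] = leg
        return leg

    def close_leg(self, local_port: int) -> None:
        self.legs.pop(local_port, None)    # call ended: port goes back to the pool

    def handle(self, local_port: int, src_ip: str, src_port: int, payload: bytes) -> bool:
        """True if the datagram would be relayed on to the PBX, False if dropped."""
        leg = self.legs.get(local_port)
        if leg is None:
            self.unallocated_dropped += 1
            return False
        if (src_ip, src_port) != (leg.allowed_ip, leg.allowed_port) or not looks_like_rtp(payload):
            leg.dropped += 1
            return False
        leg.forwarded += 1
        return True


def rtp_packet(seq: int) -> bytes:
    """Minimal RTP v2 packet: V=2, PT=0 (PCMU), 160 bytes of dummy audio."""
    header = (bytes([0x80, 0x00]) + seq.to_bytes(2, "big")
              + (seq * 160).to_bytes(4, "big") + b"\x12\x34\x56\x78")
    return header + b"\xff" * 160


# Constructed SDP offer from the remote UA; 198.51.100.7:4000 is the only
# source the relay will accept for this call.
CALLER_SDP = """v=0
o=- 1 1 IN IP4 198.51.100.7
s=-
c=IN IP4 198.51.100.7
t=0 0
m=audio 4000 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""


def simulate() -> dict:
    """Legitimate stream, spoofed sources, junk and a flood at an idle port."""
    relay = KernelStyleRelay()
    relay.open_leg(30000, CALLER_SDP)      # relay port handed out for this call
    results = {
        "legit": relay.handle(30000, "198.51.100.7", 4000, rtp_packet(1)),
        "wrong_ip": relay.handle(30000, "203.0.113.9", 4000, rtp_packet(1)),
        "wrong_port": relay.handle(30000, "198.51.100.7", 4001, rtp_packet(1)),
        "not_rtp": relay.handle(30000, "198.51.100.7", 4000, b"\x00" * 4),
        "unallocated": relay.handle(30002, "203.0.113.9", 5000, rtp_packet(1)),
    }
    leg = relay.legs[30000]
    results.update(forwarded=leg.forwarded, dropped=leg.dropped,
                   unallocated_dropped=relay.unallocated_dropped)
    return results


if __name__ == "__main__":
    print(simulate())
```

Two caveats follow from the model. The filter keys on source IP and port only, so a datagram whose source is spoofed to match both still passes; it mitigates unsolicited traffic and flooding of idle ports, it does not authenticate the media. And dropping happens at the relay, so a volumetric UDP flood still consumes the relay's uplink; what the filter protects is the PBX behind it, which never sees the junk.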

