[SR-Users] SIP Security Architectural Question to Use RTP/Media Proxy or Not?

Klaus Darilion klaus.mailinglists at pernau.at
Tue Jan 7 10:56:47 CET 2014



On 02.01.2014 17:00, Jr Richardson wrote:
> Would it be prudent to open UDP media ports from the Internet to the PBXs on
> a case-by-case basis, basically whitelisting media streams, or is
> there any attack vulnerability with UDP in the media port range, or
> should I open up the media port range to all PBXs and not worry about
> attacks? Are there any UDP media exploits that I should be concerned
> with, or UDP flood attacks that could DoS my hosted PBXs?

Media proxies are usually just simple "UDP" forwarders. Thus, they do not 
check the payload of the UDP packet. Therefore, from the point of view of 
the application which processes the RTP packet, there is no additional 
security in using a media proxy, as for example a malicious RTP packet 
will just be forwarded to the PBX. Nevertheless it can be useful to use 
them, e.g. to have a single entry point for FW configuration, debugging 
... When using a media relay, I always configure a very wide port range 
to make it more difficult for attackers to guess the port. Of course you 
should avoid other processes on this server listening in the same port 
range, as you have to open the whole port range on the firewall.

If you want to protect the RTP layer of your PBX, you need a B2BUA which 
fully checks the whole UDP payload to verify that it is a proper RTP 
packet. But on the other hand, you never know which RTP stack is more 
robust (the one in your PBX or the one in the B2BUA).

I personally add media relays, not for additional RTP-layer security 
but for operational reasons (debugging, single entry point ...).

regards
Klaus
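The distinction Klaus draws above, between a media relay that hands raw UDP datagrams on untouched and a B2BUA that checks the payload is well-formed RTP, as an added Python example. This is not code from the thread and not rtpproxy's or Kamailio's own code; it parses the RTP fixed header, CSRC list, header extension and padding as laid out in RFC 3550 and rejects what a blind forwarder would pass through. The sample datagrams are constructed inline, and the names `forward_blindly`, `forward_validated`, `parse_rtp` and `build_rtp` are illustrative.

```python
"""Plain UDP relay vs. RTP-validating relay (added example, not from the thread).

Header layout follows RFC 3550 section 5.1. The sample packets at the bottom
are constructed here for illustration; nothing is read from the network.
"""
import struct

RTP_VERSION = 2
FIXED_HEADER_LEN = 12  # V/P/X/CC, M/PT, sequence number, timestamp, SSRC


class RtpError(ValueError):
    """Raised for any datagram that is not a well-formed RTP packet."""


def parse_rtp(packet: bytes) -> dict:
    """Validate the RTP header and return its fields; raise RtpError otherwise."""
    if len(packet) < FIXED_HEADER_LEN:
        raise RtpError(f"{len(packet)} bytes, shorter than the fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:FIXED_HEADER_LEN])
    version = b0 >> 6
    if version != RTP_VERSION:
        raise RtpError(f"version {version}, expected {RTP_VERSION}")
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    cc = b0 & 0x0F
    marker = bool(b1 & 0x80)
    payload_type = b1 & 0x7F
    # RFC 3550 reserves PT 72-76: with the marker bit set, the second byte
    # would read as an RTCP packet type (200-204).
    if 72 <= payload_type <= 76:
        raise RtpError(f"reserved payload type {payload_type}")

    offset = FIXED_HEADER_LEN + 4 * cc
    if len(packet) < offset:
        raise RtpError(f"CSRC count {cc} needs {offset} bytes, have {len(packet)}")
    csrcs = list(struct.unpack(f"!{cc}I", packet[FIXED_HEADER_LEN:offset]))

    ext_id = None
    if extension:
        if len(packet) < offset + 4:
            raise RtpError("X bit set but no extension header present")
        ext_id, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
        if len(packet) < offset:
            raise RtpError(f"extension of {ext_words} words overruns the packet")

    end = len(packet)
    if padding:
        pad_len = packet[-1]  # last octet counts the padding octets, itself included
        if pad_len == 0 or offset + pad_len > end:
            raise RtpError(f"padding length {pad_len} invalid")
        end -= pad_len

    return {
        "marker": marker, "payload_type": payload_type, "seq": seq,
        "timestamp": ts, "ssrc": ssrc, "csrcs": csrcs,
        "extension_id": ext_id, "payload_len": end - offset,
    }


def forward_blindly(packet: bytes) -> bytes:
    """What a plain media relay does: hand the datagram on untouched."""
    return packet


def forward_validated(packet: bytes):
    """Relay that drops anything parse_rtp rejects; returns None for a dropped packet."""
    try:
        parse_rtp(packet)
    except RtpError:
        return None
    return packet


def build_rtp(payload_type, seq, ts, ssrc, payload, marker=False, pad_len=0):
    """Construct an RTP packet (used only to build the constructed samples below)."""
    b0 = (RTP_VERSION << 6) | (0x20 if pad_len else 0)
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    header = struct.pack("!BBHII", b0, b1, seq, ts, ssrc)
    pad = bytes(pad_len - 1) + bytes([pad_len]) if pad_len else b""
    return header + payload + pad


# Constructed samples: one well-formed G.711 (PT 0) packet and three malformed
# datagrams that a plain relay would forward without looking at them.
GOOD = build_rtp(0, 1, 160, 0xDEADBEEF, b"\xd5" * 160)
BAD_VERSION = b"\x00" + GOOD[1:]      # version bits 0 instead of 2
TRUNCATED = GOOD[:4]                   # cut off inside the fixed header
BAD_PADDING = build_rtp(0, 2, 320, 0xDEADBEEF, b"\xd5" * 8, pad_len=4)[:-1] + b"\xff"

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("bad version", BAD_VERSION),
                      ("truncated", TRUNCATED), ("bad padding", BAD_PADDING)]:
        verdict = "forwarded" if forward_validated(pkt) else "dropped"
        print(f"{name:12s} blind relay: {len(forward_blindly(pkt))} bytes out, "
              f"validating relay: {verdict}")
```

The header check is the easy part; as Klaus notes, the stack behind it (the B2BUA's own codec and jitter-buffer handling) is what then has to survive the payload, and that is the component whose robustness you cannot judge from the outside.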


