[OpenSER-Users] Security hole in REGISTER's Contact using domain

Neill Wilkinson neill.wilkinson at btinternet.com
Fri Dec 14 11:38:08 CET 2007


Fair point.

Neill...;o)

-----Original Message-----
From: Juha Heinanen [mailto:jh at tutpro.com] 
Sent: 14 December 2007 10:33
To: Neill Wilkinson
Cc: users at lists.openser.org
Subject: Re: [OpenSER-Users] Security hole in REGISTER's Contact using
domain

Neill Wilkinson writes:

 > Surely just authenticate all register requests with www-challenge. Hide
your
 > gateway and SER behind a firewall so your Gateway cannot be seen from the
 > outside work (from a SIP Signalling perspective), and for PSTN calls from
 > authenticated users do a rewritehost and forward to send the INVITEs on
to
 > the PSTN gateway?
 > 
 > Neill....;o)

perhaps you didn't understand the problem.  authenticating register
requests is not enough.  you also need to check what user puts in
contact(s), since you cannot hide your gws from your proxies.

-- juha





More information about the Users mailing list