[OpenSER-Users] OpenSER and Security - how?!

Max Bowsher maxb at f2s.com
Tue Mar 4 15:01:40 CET 2008


I've been looking at the possibility of using OpenSER as an 
ingress/egress gateway, mediating access between the internet at large, 
and a private network containing amongst other things SIP servers 
through which a call may be routed to provide services such as IVR and 
call archiving, but which should otherwise be hidden from the outside world.

I'm finding two interlinked problems:

(1) The internal layout of the network is revealed in Via headers - OK, 
so this is somewhat intrinsic in SIP, and not really OpenSER's fault, 
but....

(2) ... If an inbound SIP request has Route headers, loose_route() 
pretty much sends it wherever the requester asks. There are admonitions 
in the OpenSER docs about the need to secure loose_route(), but there's 
no information I can find on how you should do this. In particular, a 
simple authorization scheme is not good enough - just because someone 
should be allowed to place calls through the gateway, doesn't mean it 
should be allowed absolute control over the routing of the request, or 
they could use information gleaned from Via headers of previous 
transactions to add or bypass routing steps within the private network 
at will.


Is it possible to securely use OpenSER on a security boundary? If so, how?


Max.
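
An added example, not part of the original post and not OpenSER configuration: one way to constrain the behaviour described in point (2) is to check every Route hop of a request arriving from outside against an allowlist before any loose routing is applied. The host names, the allowlist policy and the sample request are assumptions constructed for illustration.

```python
import re

# Constructed policy values (assumptions, not taken from the post).
GATEWAY_HOSTS = {"gw.example.com"}        # names the gateway itself answers to
PERMITTED_HOPS = {"sbc-in.example.net"}   # hops an outside party may request

# Host part of a sip:/sips: URI, skipping optional userinfo; handles [IPv6].
URI_HOST = re.compile(r"sips?:(?:[^@<>\s]*@)?(\[[^\]]+\]|[^;:>,\s]+)", re.I)

def route_hosts(raw_request):
    """Return the host of every Route entry, in order of appearance."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    hosts = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "route":      # may repeat or be comma-joined
            hosts += [h.lower() for h in URI_HOST.findall(value)]
    return hosts

def check_routes(raw_request):
    """Return (accept, offending_hosts) for a request received from outside."""
    bad = [h for h in route_hosts(raw_request)
           if h not in GATEWAY_HOSTS and h not in PERMITTED_HOPS]
    return (not bad, bad)

# Constructed sample: an INVITE whose Route set names an internal host.
PRELOADED = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKx1\r\n"
    "Route: <sip:gw.example.com;lr>, <sip:archive.internal.example:5060;lr>\r\n"
    "To: <sip:bob@example.com>\r\n"
    "From: <sip:alice@example.org>;tag=1\r\n"
    "Call-ID: constructed-1\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)

if __name__ == "__main__":
    ok, bad = check_routes(PRELOADED)
    print("accept" if ok else "reject", bad)
```

The check is independent of caller authentication, which is the distinction the post draws: an authorized caller is still refused if it names a hop outside the allowlist.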