This is a discussion on "VoIP UDP Security?" within the Linux Security forums, part of the System Security and Security Related category.
Hi All.

I am running a VoIP telephone system (Linux) using ports 5004:5060 and I am concerned about protecting my hosts/network. I have iptables allowing 5004:5060 port access, but because the IP phone gets its IP, gateway, time etc. from DHCP, is there ANY possibility of a cracker invading my network via the VoIP phone system? Or are most if not all crackers more interested in TCP/IP ports?

Any discussion/guidance appreciated.
Cheers. Grahame
On Tue, 14 Sep 2004 09:23:49 -0400, Grahame wrote:
> Hi All.
>
> I am running a VoIP telephone system (Linux) using ports 5004:5060 and I
> am concerned about protecting my hosts/ network. I have IPtables
> allowing 5004:5060 port access but because the IP phone gets its IP,
> gateway, time etc. from dhcp, is there ANY possibility of a cracker
> invading my network via the VoIP phones system ? Or are most if not all
> crackers more interested in tcp/ip ports?
>
> Any discussion/guidance appreciated.
> Cheers. Grahame

Hi Grahame,

No expert here. But I did use VoIP several years ago and am considering doing it again. You are _probably_ pretty safe, but cannot be 100% sure without more detailed information. Also could not tell you what most or all crackers/skiddies are interested in (also outside of my areas of knowledge). ;)

The volume or number of possible attacks is not as relevant to security as the *one* that gets through and compromises your machine/network.

I think it is important to remember that a port that you have opened with iptables is only a security liability when there is a process listening (and responding) on that port. Even if you open a port, if there is no process listening on that port, the crackers/skiddies can hammer on it all day and night and just waste their time and bandwidth (and yours, too!). Without a listening process, there is no possibility of a response, or of system compromise. (BIG smile!)

Since you opened the port(s) to allow access to and from your VoIP client, you should focus on the vulnerabilities that client might present. AFAIK, the most popular VoIP clients are proprietary (not OS) software, and you need to ask the vendor or just plain trust them about what is really going on when the software runs. Those clients will probably run for user logins that have no privileges (a plus), and probably are intended to do little more than send and receive audio (another plus).

But and however, UDP or TCP or anything else, if you open the port to it and the software responds to it and (hopefully not) has a bug or glitch (read: "buffer overflow error") that results in the client crashing, then malicious code can be executed with whatever privileges the user that called the application has. Any doubts you might have about the security of your VoIP system should be addressed with the best information and confidence you can get about the specific software (Skype?, Real?, ...) in use.

A good thought is to always run any internet-connected software with the lowest levels of privileges under which they will do what is needed. Think that last one through thoroughly; any net-connected process or automatic or automated system should have only the minimum system access and privileges needed to do their intended services, and none that would facilitate root access.

From what you wrote, I think you are probably fairly safe. But no one can guarantee that better than you, along with the best information on the software you are using.

I'll be interested to learn what others say, and what you learn about this, because VoIP is an important and valuable technology. I would like to start using it again, myself.

Best wishes.

--
n e w s b o x /AT/ c u s t o m e r s - o f - a d e l p h i a (dot) o r g
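The reply above makes two checks concrete: an opened port only matters if a process is actually listening on it, and whatever listens should run with the least privilege possible. The following audit script is an added example for this thread, not code posted by anyone in it. It parses the output format of `ss -lunp` (iproute2 on Linux) for the 5004:5060 range the original poster opened, reports which ports really have a non-loopback listener and as which user it runs, flags root-owned listeners, and counts the opened ports that nothing answers on. The `ss` sample and the pid-to-user map are constructed for the example; on a live host the same functions take real `ss -lunp` output and resolve owners from `/proc/<pid>/status`.

```python
"""Listener audit for an opened UDP port range (added example, not a poster's code).

Parses `ss -lunp` output and, for the range opened in the firewall, reports
which ports actually have a listening process, which user each runs as, and
how many opened ports have no listener at all.  The sample output and the
pid-to-user map below are constructed; real runs read `ss -lunp` and /proc.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Listener:
    port: int
    local_addr: str
    process: str
    pid: int


# Process column as printed by `ss -p`: users:(("name",pid=N,fd=M))
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')

# Constructed sample of `ss -lunp` output (the Process column needs root to appear).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
UNCONN  0       0              0.0.0.0:5060         0.0.0.0:*      users:(("asterisk",pid=1234,fd=12))
UNCONN  0       0              0.0.0.0:5004         0.0.0.0:*      users:(("rtpproxy",pid=1300,fd=5))
UNCONN  0       0              0.0.0.0:68           0.0.0.0:*      users:(("dhclient",pid=400,fd=6))
UNCONN  0       0            127.0.0.1:323          0.0.0.0:*      users:(("chronyd",pid=300,fd=1))
UNCONN  0       0                 [::]:5060            [::]:*      users:(("asterisk",pid=1234,fd=13))
"""
# Constructed pid -> user map standing in for /proc lookups in the sample.
SAMPLE_OWNERS = {1234: "asterisk", 1300: "root", 400: "root", 300: "chrony"}


def parse_ss(text: str) -> List[Listener]:
    """Turn `ss -lunp` lines into Listener records; lines without a process entry are skipped."""
    listeners = []
    for line in text.splitlines():
        cols = line.split()
        match = PROC_RE.search(line)
        if len(cols) < 5 or not match:
            continue
        addr, _, port = cols[3].rpartition(":")   # "[::]:5060" -> "[::]", "5060"
        if port.isdigit():
            listeners.append(Listener(int(port), addr, match.group("name"), int(match.group("pid"))))
    return listeners


def owner_from_proc(pid: int) -> str:
    """Resolve the user a process runs as from the Uid: line of /proc/<pid>/status (Linux only)."""
    import pwd  # imported here so the module still loads on non-Unix systems
    with open(f"/proc/{pid}/status") as status:
        for line in status:
            if line.startswith("Uid:"):
                return pwd.getpwuid(int(line.split()[1])).pw_name
    raise RuntimeError(f"no Uid line for pid {pid}")


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def audit(listeners: List[Listener], opened: range, owner_of: Callable[[int], str]) -> Dict[str, object]:
    """Relate the opened range to what is really listening on non-loopback addresses."""
    exposed: Dict[int, set] = {}
    for lst in listeners:
        if lst.port in opened and not is_loopback(lst.local_addr):
            exposed.setdefault(lst.port, set()).add((lst.process, owner_of(lst.pid)))
    root_owned = sorted(p for p, procs in exposed.items() if any(user == "root" for _, user in procs))
    return {
        "exposed": {p: sorted(procs) for p, procs in sorted(exposed.items())},
        "root_owned": root_owned,                                   # listeners breaking least privilege
        "idle_count": sum(1 for p in opened if p not in exposed),   # opened, but nothing answers there
    }


def sample_audit() -> Dict[str, object]:
    """Run the audit over the constructed sample for the thread's 5004:5060 range."""
    return audit(parse_ss(SAMPLE_SS_OUTPUT), range(5004, 5061), lambda pid: SAMPLE_OWNERS[pid])


if __name__ == "__main__":
    # On a live host: parse_ss(subprocess.check_output(["ss", "-lunp"], text=True)) with owner_from_proc.
    result = sample_audit()
    for port, procs in result["exposed"].items():
        print(f"udp/{port}: " + ", ".join(f"{name} (as {user})" for name, user in procs))
    print("root-owned listeners:", result["root_owned"])
    print("opened ports with no listener:", result["idle_count"])
```

On the constructed sample the script shows that only two of the 57 opened ports answer at all, and that the RTP proxy on 5004 runs as root, which is exactly the kind of listener the reply says should be moved to an unprivileged account.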
Grahame wrote:
> Hi All.
>
> I am running a VoIP telephone system (Linux) using ports
> 5004:5060 and I am concerned about protecting my hosts/
> network. I have IPtables allowing 5004:5060 port access
> but because the IP phone gets its IP, gateway, time etc.
> from dhcp, is there ANY possibility of a cracker
> invading my network via the VoIP phones system ?
> Or are most if not all crackers more interested in
> tcp/ip ports?

If you have iptables properly configured you are probably well protected from attacks. These ports are not problematic; people usually try the standard ports or NetBIOS ports. I don't think crackers are quite interested in these ports, but you can never be too sure.

--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
Spain

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
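The reply above claims that probes go for the standard and NetBIOS ports rather than the VoIP range; the way to know for one's own host is to count what the firewall actually logs. The script below is an added example for this thread, not code from any poster. It assumes the firewall logs inbound packets with iptables' LOG target, whose kernel log lines carry `SRC=`, `PROTO=` and `DPT=` fields, and tallies hits into the opened VoIP range (5004-5060), the NetBIOS/SMB ports (137-139, 445), and everything else, plus per-source counts. The log lines are constructed for the example; the `IPT-IN:` prefix stands for whatever `--log-prefix` the LOG rule uses.

```python
"""Tally of logged inbound packets by destination port (added example, not a poster's code).

Assumes iptables LOG lines in the kernel log; the sample lines below are
constructed.  Hits are grouped into the thread's opened VoIP range, the
NetBIOS/SMB ports named in the reply above, and everything else.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional

FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

PORT_GROUPS = {
    "voip": set(range(5004, 5061)),        # the range opened in the thread
    "netbios_smb": {137, 138, 139, 445},   # NetBIOS name/datagram/session and SMB
}

# Constructed iptables LOG lines; "IPT-IN:" is a placeholder for the rule's --log-prefix.
SAMPLE_LOG = """\
Sep 14 09:23:49 pbx kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3311 DPT=445 SYN
Sep 14 09:23:50 pbx kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3312 DPT=139 SYN
Sep 14 09:24:02 pbx kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=5060 DPT=5060
Sep 14 09:24:03 pbx kernel: IPT-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=78 PROTO=UDP SPT=5060 DPT=5004
Sep 14 09:25:10 pbx kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=40000 DPT=22 SYN
Sep 14 09:25:11 pbx kernel: IPT-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Extract SRC/PROTO/DPT from one iptables LOG line; None for lines that are not firewall records."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields and "PROTO" in fields else None


def classify_port(port: Optional[int]) -> str:
    if port is None:
        return "no_port"   # ICMP and other protocols carry no destination port
    for group, ports in PORT_GROUPS.items():
        if port in ports:
            return group
    return "other"


def tally(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count hits per port group, per source address, and per exact proto/port."""
    by_group, by_source, by_port = Counter(), Counter(), Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        port = int(fields["DPT"]) if "DPT" in fields else None
        by_group[classify_port(port)] += 1
        by_source[fields["SRC"]] += 1
        if port is not None:
            by_port[f"{fields['PROTO'].lower()}/{port}"] += 1
    return {"by_group": by_group, "by_source": by_source, "by_port": by_port}


def sample_tally() -> Dict[str, Counter]:
    return tally(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    # On a live host feed the kernel log instead, e.g. open("/var/log/kern.log").
    t = sample_tally()
    for group, n in t["by_group"].most_common():
        print(f"{group:12s} {n}")
    print("busiest sources:", t["by_source"].most_common(3))
```

Run against a real kernel log over a few days, the `by_group` counts say whether the reply's expectation holds for this host; a rising `voip` count from a single source in `by_source` is the signal worth a closer look at the SIP service.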