[cisco-voip] Fwd: RTP permission and related attacks/threats

Tim Smith tim.smith at enject.com.au
Sat Oct 12 06:41:33 EDT 2013


Hi Ahmed,

When you say different organizations, do you mean other CUCM systems? SIP / H323 systems etc?
If so it's perfect use for CUBE and / or trusted relay points.

I would definitely not let other organizations right into my network on such a broad range of ports.
You should try and force them through a demarcation point that you can control.
You want the media to flow through this device. This way you only have to let them talk to your CUBE, and your CUBE can reach everyone inside your network on their behalf.

The other complication this gets around is NAT, and routing issues. I.e. without this type of setup, you would both have to have fairly full knowledge of each others networks, and also avoid overlaps.

It's been a while since I've looked at security on routers.
However, NBAR and ACLs are typically used in class maps in QoS to identify traffic and apply QoS policies.

You do have inspection as an option on Cisco routers as well. Used to be called CBAC, I think it's just IOS Firewall now. It can inspect SIP, SCCP, H323 from memory, and open up pinholes where required.

My recommendation is look at some smart border device. I would be mandating SIP if possible and use CUBEs.

There are lots of improvements and fun stuff planned for the edge and this sort of connectivity coming soon too.

Hope that helps a bit.

Cheers,

Tim

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ahmed -Y
Sent: Saturday, 12 October 2013 7:53 AM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Fwd: RTP permission and related attacks/threats


Hi guys,

I have to permit RTP traffic from the internal network to other organizations (under different management) on gateway devices (routers, switches). I am curious to know if there are known attacks/threats when the UDP range 16384-32767 is permitted. The RTP source/destination can be a desk phone or a PC with a softphone. If yes, then can we configure gateway routers/switches to protect from these attacks?

We have Cisco 7200, 6500, 3550, 3560, 3750 switches as gateway devices.

One more quick question: are there only two ways (NBAR and ACL with a UDP range) on routers/switches to identify/match RTP traffic? I know firewalls provide features like inspect, ALG etc. to dynamically identify RTP ports by inspecting control traffic.

Your input will be highly appreciated.

Regards
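The demarcation-point approach Tim recommends, written out as an IOS configuration. This is an added example, not configuration from either message: the addresses (10.10.0.0/16 inside, 192.0.2.0/24 for the partner, 203.0.113.10 for the partner-facing interface), the interface names, the internal call agent at 10.10.1.5 and the ACL/class-map/policy names are all assumptions, and the media range is the same 16384-32767 asked about. The first ACL is the broad permit from the question, kept only for contrast. The second restricts the partner to the CUBE's outside address, so the internal address space is never reachable directly. The last section is the IOS Firewall (zone-based, the successor to CBAC that Tim mentions) for a site that has no CUBE and lets SIP transit the router to an internal call agent: the firewall's SIP inspection opens media pinholes from the SDP of each call instead of a static port-range permit. The CUBE trusted-list lines are an extra control on the CUBE itself and are not from the thread.

```cisco
! --- What the question asked about: the whole internal network reachable from the partner ---
! Any partner host can send UDP 16384-32767 to any phone or softphone PC inside, and vice versa.
ip access-list extended PARTNER-RTP-BROAD
 permit udp 192.0.2.0 0.0.0.255 range 16384 32767 10.10.0.0 0.0.255.255 range 16384 32767
 permit udp 10.10.0.0 0.0.255.255 range 16384 32767 192.0.2.0 0.0.0.255 range 16384 32767
 deny   ip any any log

! --- Option A: demarcation point. The partner talks only to the CUBE's outside address ---
! Both SIP signaling and RTP media terminate on the CUBE, which reaches internal endpoints
! on the partner's behalf. Internal addressing, and any overlap with the partner's, stays hidden.
ip access-list extended PARTNER-TO-CUBE
 remark SIP signaling from the partner to the CUBE only
 permit udp 192.0.2.0 0.0.0.255 host 203.0.113.10 eq 5060
 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.10 eq 5060
 remark RTP media from the partner to the CUBE only
 permit udp 192.0.2.0 0.0.0.255 host 203.0.113.10 range 16384 32767
 deny   ip any any log

interface GigabitEthernet0/0
 description Partner-facing interface (CUBE outside)
 ip address 203.0.113.10 255.255.255.0
 ip access-group PARTNER-TO-CUBE in

! Assumed extra CUBE-side control (not from the thread): only accept calls from the partner's
! address block, so a stray INVITE from anywhere else is rejected by the CUBE itself.
voice service voip
 ip address trusted list
  ipv4 192.0.2.0 255.255.255.0

! --- Option B: no CUBE, SIP transits this router to an internal call agent at 10.10.1.5 ---
! Zone-based IOS Firewall inspects SIP and opens the RTP pinholes negotiated in SDP for the
! life of each call; nothing else from the partner zone is allowed.
zone security PARTNER
zone security INSIDE

class-map type inspect match-any VOIP-SIGNALING
 match protocol sip

policy-map type inspect VOIP-POLICY
 class type inspect VOIP-SIGNALING
  inspect
 class class-default
  drop log

! Calls may be set up from either side, so inspect in both directions
zone-pair security PARTNER-IN source PARTNER destination INSIDE
 service-policy type inspect VOIP-POLICY
zone-pair security PARTNER-OUT source INSIDE destination PARTNER
 service-policy type inspect VOIP-POLICY

interface GigabitEthernet0/0
 description Partner-facing interface
 zone-member security PARTNER
interface GigabitEthernet0/1
 description Inside
 zone-member security INSIDE
```

Check the result with show ip access-lists (hit counts on the deny line show what the partner is trying beyond SIP and media) and, for option B, show policy-map type inspect zone-pair sessions, which lists the SIP sessions and the dynamically opened media channels. Option B applies to the router platforms; the Catalyst switches in the question can only carry the static ACL form.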