[cisco-voip] RTP permission and related attacks/threats
Wes Sisk (wsisk)
wsisk at cisco.com
Mon Oct 14 11:56:50 EDT 2013
Border device highly recommended.
All NAT inspection engines are not keeping up with protocol updates. This article is dated but still relevant:
https://supportforums.cisco.com/docs/DOC-8131
Even with that NAT does not proxy TCP data so any TCP retransmission. See:
CSCso34072 NAT TCP re-assemby of skinny packets causes fragmentation
for some background. IOS first attempted to implement a proxy to store bytes for TCP retransmit on either side but that was unscalable and backed out.
NAT/PAT will not work with IOS if TCP retransmits are involved AFAIK.
Regards,
Wes
On Oct 12, 2013, at 6:41 AM, Tim Smith <tim.smith at enject.com.au> wrote:
Hi Ahmed,
When you say different organizations, do you mean other CUCM systems? SIP / H323 systems etc?
If so it’s perfect use for CUBE and / or trusted relay points.
I would definitely not let other organizations right into my network on such a broad range of ports.
You should try and force them through a demarcation point that you can control.
You want the media to flow through this device. This way you only have to let them talk to your CUBE, and your CUBE can reach everyone inside your network on their behalf.
The other complication this gets around is NAT, and routing issues. I.e. without this type of setup, you would both have to have fairly full knowledge of each others networks, and also avoid overlaps.
It’s been a while since I’ve looked at security on routers.
However, NBAR and ACLs are typically used in class maps in QoS to identify traffic and apply QoS policies.
You do have inspection as an option on Cisco routers as well. Used to be called CBAC, I think it’s just IOS Firewall now. It can inspect SIP, SCCP, H323 from memory, and open up pinholes where required.
My recommendation is look at some smart border device. I would be mandating SIP if possible and use CUBEs.
There are lots of improvements and fun stuff planned for the edge and this sort of connectivity coming soon too.
Hope that helps a bit.
Cheers,
Tim
From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of Ahmed -Y
Sent: Saturday, 12 October 2013 7:53 AM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Fwd: RTP permission and related attacks/threats
Hi Guys,
I have to permit RTP traffic from internal network to other organizations (under different management) on gateway devices (routers, switches). I am curious to know if there are known attacks/threats when UDP range 16384-32767 is permitted. RTP source/destination can be desk phone or PC with softphone. If yes, then can we configure gateway routers/switches to protect from these attacks?
We have cisco 7200, 6500, 3550, 3560, 3750 switches as gateway devices.
One more quick question: are there only two ways (NBAR and ACL with UDP range) on routers/switches to identify/match RTP traffic? I know firewalls provide features like inspect, ALG, etc. to dynamically identify RTP ports by inspecting control traffic.
Your input will be highly appreciated
Regards
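Added example (not code from the thread or from Cisco): the difference between the static "permit udp ... range 16384 32767" ACL Ahmed asks about and the inspection/ALG behaviour Tim describes, shown as a small SIP/SDP inspection model. It reads the offer and answer of one constructed call, takes the c= and m=audio lines out of the SDP, and opens pinholes only for the negotiated addresses and ports (RTP on the even port, RTCP on port+1). A second packet from another partner host to some other port in the range is admitted by the static ACL but not by the pinholes. The SIP messages, addresses and port numbers are constructed for this example; 16384-32767 is the RTP range the thread refers to.

```python
"""Model of SIP inspection deriving per-call RTP pinholes from SDP.
Added example, not code from the cisco-voip thread. Messages, IPs
and ports are constructed; 203.0.113.0/24 plays the partner, 10.1.0.0/16
the inside voice network."""
import re
from dataclasses import dataclass

# RTP port range discussed in the thread (Cisco's default media range).
RTP_PORT_MIN, RTP_PORT_MAX = 16384, 32767


@dataclass(frozen=True)
class Pinhole:
    """One direction of media the border device temporarily permits."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def matches(self, src_ip, src_port, dst_ip, dst_port):
        return (src_ip, src_port, dst_ip, dst_port) == (
            self.src_ip, self.src_port, self.dst_ip, self.dst_port)


def parse_sdp_media(msg: str):
    """Return (ip, port) of the first audio stream in a SIP message's SDP body.

    Rejects ports outside the RTP range and odd (RTCP) ports, so a peer
    cannot get a pinhole opened to an arbitrary inside service."""
    if "\r\n\r\n" not in msg:
        raise ValueError("no SDP body")
    body = msg.split("\r\n\r\n", 1)[1]
    c = re.search(r"^c=IN IP4 (\d+\.\d+\.\d+\.\d+)\s*$", body, re.M)
    m = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    if not (c and m):
        raise ValueError("no audio stream in SDP")
    port = int(m.group(1))
    if not RTP_PORT_MIN <= port <= RTP_PORT_MAX:
        raise ValueError(f"port {port} outside RTP range")
    if port % 2:
        raise ValueError(f"RTP port {port} must be even")
    return c.group(1), port


def pinholes_from_call(invite: str, answer: str):
    """Pinholes an inspection engine opens after seeing offer and answer:
    both directions, RTP on the negotiated port and RTCP on port+1."""
    off_ip, off_port = parse_sdp_media(invite)
    ans_ip, ans_port = parse_sdp_media(answer)
    holes = set()
    for delta in (0, 1):
        holes.add(Pinhole(off_ip, off_port + delta, ans_ip, ans_port + delta))
        holes.add(Pinhole(ans_ip, ans_port + delta, off_ip, off_port + delta))
    return holes


def allowed_by_static_acl(src_ip, src_port, dst_ip, dst_port,
                          partner_net="203.0.113.", inside_net="10.1."):
    """What 'permit udp <partner> <inside> range 16384 32767' admits:
    any partner host, any source port, any inside host, any port in range."""
    return (src_ip.startswith(partner_net) and dst_ip.startswith(inside_net)
            and RTP_PORT_MIN <= dst_port <= RTP_PORT_MAX)


def allowed_by_inspection(holes, src_ip, src_port, dst_ip, dst_port):
    """Inspection admits only flows matching a pinhole from a seen call."""
    return any(h.matches(src_ip, src_port, dst_ip, dst_port) for h in holes)


# Constructed offer/answer for one call (partner 203.0.113.20 -> inside 10.1.2.3).
INVITE = ("INVITE sip:bob@10.1.2.3 SIP/2.0\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\no=alice 1 1 IN IP4 203.0.113.20\r\ns=-\r\n"
          "c=IN IP4 203.0.113.20\r\nt=0 0\r\n"
          "m=audio 20000 RTP/AVP 0\r\n")
ANSWER = ("SIP/2.0 200 OK\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\no=bob 1 1 IN IP4 10.1.2.3\r\ns=-\r\n"
          "c=IN IP4 10.1.2.3\r\nt=0 0\r\n"
          "m=audio 24000 RTP/AVP 0\r\n")

if __name__ == "__main__":
    holes = pinholes_from_call(INVITE, ANSWER)
    call = ("203.0.113.20", 20000, "10.1.2.3", 24000)   # negotiated stream
    scan = ("203.0.113.99", 40000, "10.1.2.3", 17000)   # unrelated partner host
    for name, pkt in (("call", call), ("scan", scan)):
        print(name, "acl:", allowed_by_static_acl(*pkt),
              "inspect:", allowed_by_inspection(holes, *pkt))
```

The static ACL is the broad rule the question describes; the pinhole set is what CBAC / IOS Firewall "inspect" or a CUBE terminating the call gives you: media is only admitted between the endpoints and ports the signalling actually negotiated, and only while the call exists.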
_______________________________________________
cisco-voip mailing list
cisco-voip at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-voip