
Security Best Practice: SIP Protocol Enforcement


Check Point Reference: SBP-2008-15
Date Published:
Severity:
Source: IPS Research Center
Protection Provided by:
Security Gateway
  • R70
VPN-1
  • NGX R65
  • NGX R62
VSX
  • NGX R65
Who is Vulnerable?
SIP VoIP Systems
Vulnerability Description
The Session Initiation Protocol (SIP) is a signaling protocol, widely used for controlling multimedia communication sessions such as voice and video calls over Internet Protocol (IP). The protocol can be used for creating, modifying and terminating two-party (unicast) or multiparty (multicast) sessions consisting of one or several media streams. The modification can involve changing addresses or ports, inviting more participants, adding or deleting media streams, etc. Other feasible application examples include video conferencing, streaming multimedia distribution, instant messaging, presence information and online games.

VoIP opens voice communications to the same kinds of security threats that imperil data communications. Attacks on data communications can come through the IP voice infrastructure and vice versa. Denial of service attacks targeting weak VoIP elements could flood the network with voice traffic, degrading network performance or shutting down both voice and data communications. Hacked-into gateways might be used to make unauthorized free telephone calls. Unprotected voice communications might be intercepted and stolen or corrupted. Voice packets can be sniffed out and listened to in real time. PC-based soft phones are vulnerable to eavesdropping if the PC is infected with a Trojan horse that snoops into LAN traffic. Voicemail can be redirected to "ghost" mailboxes.
Vulnerability Details
Attackers can mount a range of denial of service attacks against SIP VoIP systems, blocking legitimate services or taking down the entire network. They can also sniff sensitive data and, in some cases, launch IP bounce attacks that traverse traditional security gateways and gain complete control over the VoIP-enabled system and the rest of the network.

The most common threats include:
* Call hijacking. Calls intended for one receiver are redirected to someone else. At best, hijacked calls are a disruptive nuisance; at worst, they can be used to steal valuable sensitive information.
* Fooled billing. For example, fake BYE and OK messages exchanged over the SIP signaling path appear to terminate a call, so billing stops while the media path actually remains open. Undetected, these attacks can rob an organization of considerable revenue.
* Denial of Service attacks. The attacker mimics caller identities and cancels pending SIP INVITE requests. The result: an organization's phone system is effectively shut down.

Protection Overview
IPS/SmartDefense offers several protections against SIP related vulnerabilities.

SIP Protections - This defense protects against Denial of Service attacks and against penetration attempts such as connection hijacking and connection manipulation. IPS validates that the SIP protocol is used as expected:
* Checks for illegal characters in the packets
* Ensures packets conform to RFC 3261 for SIP over UDP/TCP; for example, the use of Basic Authentication is blocked.

SIP Filtering - IPS filters SIP traffic allowing you to enforce your SIP application policy, for example, to allow video or audio and to block SIP based instant messaging. In addition, IPS enables SIP method filtering and dropping unknown SIP messages.
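The following added example (not Check Point code) shows the kind of checks the SIP Protections and SIP Filtering defenses described above apply, run over one constructed SIP datagram: it flags illegal characters, unknown methods, Basic authentication, and media types that a site policy blocks, and reports them with the same "Attack Name" / "Attack Information" wording the logs below use. The method allow-list, the policy, and the definition of an illegal character are assumptions of the example.

```python
import re

# Core request methods from RFC 3261; this allow-list is an assumption of the example, not the product's.
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
# Constructed SIP application policy, like the filtering option above: audio allowed, video blocked.
BLOCKED_MEDIA = {"video": "Video"}
# Assumed definition of an illegal character: anything outside TAB/CR/LF and printable ASCII.
ILLEGAL_CHAR = re.compile(r"[^\t\r\n\x20-\x7e]")


def inspect_sip(datagram: bytes):
    """Return (attack_name, attack_information) pairs for one SIP datagram, empty if it is clean."""
    findings = []
    text = datagram.decode("latin-1")  # one char per byte, so nothing is lost or raised
    if ILLEGAL_CHAR.search(text):
        findings.append(("Malformed SIP datagram", "Illegal character in packet"))
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0].split(" ")[0]  # method for requests, "SIP/2.0" for responses
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if start != "SIP/2.0" and start not in KNOWN_METHODS:
        findings.append(("SIP content security violation", "Unknown SIP message type"))
    # RFC 3261 section 22 removed Basic authentication; flag any credential that still uses it.
    for hdr in ("authorization", "proxy-authorization"):
        if headers.get(hdr, "").lower().startswith("basic"):
            findings.append(("Malformed SIP datagram", "Basic Authentication is not permitted"))
    # Media offered in the SDP body (m=<media> ...) is matched against the application policy.
    for media in re.findall(r"^m=(\w+)", body, re.MULTILINE):
        if media in BLOCKED_MEDIA:
            findings.append(("SIP content security violation",
                             f"{BLOCKED_MEDIA[media]} is not allowed by the security policy"))
    return findings


# Constructed sample: an INVITE offering audio and video that also carries a Basic credential.
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.com>;tag=1928301774\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Authorization: Basic YWxpY2U6c2VjcmV0\r\n"
    b"Content-Type: application/sdp\r\n\r\n"
    b"v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=-\r\n"
    b"c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\nm=video 51372 RTP/AVP 31\r\n"
)
```

Calling `inspect_sip(SAMPLE_INVITE)` yields two findings, one for the Basic credential and one for the blocked video stream; a clean OPTIONS request or a SIP response yields none.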

SIP Custom Properties - When these properties are enabled, IPS blocks SIP traffic according to the following options:
* Block SIP early media
* Block SIP proxy failover
* Block SIP calls that use two different voice connections (RTP) for incoming audio and outgoing audio
* Block calls using a proxy or a redirect server
* SIP user suffix length
* Default proxy registration expiration time period

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Application Intelligence > VoIP > SIP.
2. In the right pane, double-click the following protections:

SIP Protections
SIP Filtering
SIP Custom Properties

3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect), and apply Additional Settings.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

SIP Filtering
Attack Name: SIP content security violation
Attack Information:
Video is not allowed by the security policy
Audio is not allowed by the security policy
Video/Audio is not allowed by the security policy
Instant Messaging is not allowed by the security policy
Whiteboard is not allowed by the security policy
File Transfer is not allowed by the security policy
Application Sharing is not allowed by the security policy
Remote Assistance is not allowed by the security policy
Messenger application is not allowed by the security policy
Unknown SIP message type

SIP Custom Properties
Attack Name: SIP content security violation
Attack Information:
Reinvites exceed the limit
Users are not registered
Message exceeds retransmissions limit

Attack Name: Malformed SIP datagram
Attack Information: Illegal character in packet

VPN-1 NGX R65/R62 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Application Intelligence > VoIP > SIP.
2. In the configuration pane, under Settings > Mode, check Active.
3. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: SIP content security violation
Attack Information:
Video is not allowed by the security policy
Audio is not allowed by the security policy
Video/Audio is not allowed by the security policy
Instant Messaging is not allowed by the security policy
Whiteboard is not allowed by the security policy
File Transfer is not allowed by the security policy
Application Sharing is not allowed by the security policy
Remote Assistance is not allowed by the security policy
Messenger application is not allowed by the security policy
Unknown SIP message type
Reinvites exceed the limit
Users are not registered
Message exceeds retransmissions limit

Attack Name: Malformed SIP datagram
Attack Information: Illegal character in packet