[OpenSER-Users] OpenSER and Security - how?!

Klaus Darilion klaus.mailinglists at pernau.at
Tue Mar 4 15:07:48 CET 2008



Max Bowsher schrieb:
> I've been looking at the possibility of using OpenSER as an 
> ingress/egress gateway, mediating access between the internet at large, 
> and a private network containing amongst other things SIP servers 
> through which a call may be routed to provide services such as IVR and 
> call archiving, but which should otherwise be hidden from the outside world.
> 
> I'm finding two interlinked problems:
> 
> (1) The internal layout of the network is revealed in Via headers - OK, 
> so this is somewhat intrinsic in SIP, and not really OpenSER's fault, 
> but....

For topology hiding you need a B2BUA (back to back user agent)

> (2) ... If an inbound SIP request has Route headers, loose_route() 
> pretty much sends it wherever the requester asks. There are admonitions 
> in the OpenSER docs about the need to secure loose_route(), but there's 
> no information I can find on how you should do this. In particular, a 
> simple authorization scheme is not good enough - just because someone 
> should be allowed to place calls through the gateway, doesn't mean it 
> should be allowed absolute control over the routing of the request, or 
> they could use information gleaned from Via headers of previous 
> transactions to add or bypass routing steps within the private network 
> at will.

At first: do not allow loose route for out-of-dialog requests.
Second: Usually in-dialog requests are just routed, as the client 
should reject the request if it is a faked in-dialog request. 
Nevertheless - YES - it is possible to send messages to internal SIP 
servers by finding out the IP address and spoofing Route headers. Thus, 
either the internal components must be secure on their own or you have 
to use a B2BUA to hide them.

regards
klaus

> 
> 
> Is it possible to securely use OpenSER on a security boundary? If so, how?
> 
> 
> Max.
> 
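The two points in the reply above (never honour Route headers on out-of-dialog requests, and treat spoofed Route sets on in-dialog requests as a real risk) can be expressed as an OpenSER routing skeleton. The snippet below is an added illustration written for this archive page, not configuration from either poster. It assumes the rr, tm, sl, textops and uri modules are loaded, that local policy for initial requests lives in a route block named route(1), and that the private network is 10.0.0.0/8; all three are placeholders.

```openser
# Added example (not from the thread). Assumes: rr, tm, sl, textops and uri
# modules loaded; route(1) holds local policy for initial requests;
# 10.0.0.0/8 is a placeholder for the private network behind the proxy.

route {
    # Initial (out-of-dialog) requests carry no To-tag. loose_route() is
    # deliberately never called in this branch, so any Route headers a remote
    # party pre-loads onto the request are simply ignored and the destination
    # is decided by our own policy only.
    if (!has_totag()) {
        if (is_method("INVITE")) {
            # make sure the sequential requests of this dialog come back via us
            record_route();
        }
        route(1);
        exit;
    }

    # Sequential (in-dialog) requests: honour the Route set we recorded.
    if (loose_route()) {
        # A forged Route set can leave $du pointing at an internal host, which
        # is the concern raised in the thread. Refuse that unless the request
        # itself arrived from the internal side.
        if ($du =~ "^sip:10\." && !(src_ip == 10.0.0.0/8)) {
            sl_send_reply("403", "Forbidden");
            exit;
        }
        t_relay();
        exit;
    }

    # To-tag present but no Route pointing to us: a stray ACK or a request
    # for a dialog we never recorded. Do not forward it anywhere.
    if (is_method("ACK")) {
        exit;
    }
    sl_send_reply("404", "Not Here");
}
```

The check on $du only narrows the problem; it does not remove it. Internal components still need to be robust on their own, or hidden behind a B2BUA, exactly as the reply says.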
