To demonstrate the effectiveness of this methodology, the University of Oulu's PROTOS project (http://www.ee.oulu.fi/research/ouspg/protos/index.html) developed functional test suites for several Internet protocols, including HTTP, LDAP, SNMP, SIP and H.225. The PROTOS Test-Suite: c07-sip exercises SIP proxy and user agent INVITE handling, using more than 4,500 test messages. The PROTOS Test-Suite: c07-h2250v4 tests devices that handle H.225.0/Q.931 Setup-PDU messages, including H.323 endpoint terminals and gateways, VoIP-aware firewalls and multi-point control units.
When these test suites ran against several representative SIP and H.323 implementations, product failure rates were alarming. Fortunately, many of these vendors used test results to correct identified vulnerabilities. Test case
The PROTOS SIP and H.323 test suites clearly demonstrated the value of functional protocol testing, but they only scratched the surface of each protocol. Further testing of other VoIP protocol messages may uncover more vulnerabilities. Nonetheless, enterprises rolling out VoIP would be wise to take one of these PROTOS suites out for a test drive. Running functional tests against VoIP products under consideration or already installed in your company's network can identify vulnerabilities before attackers compromise them. The following are some key tactics for successfully testing products:
- Test all devices that send, receive or parse VoIP protocols, including handsets, softphones, SIP proxies, H.323 gateways, call managers and firewalls that VoIP messages pass through. Exercise care because some tests may result in DoS.
- When vulnerabilities are found, search CVE databases and apply any related patches, or report test results for unpatched problems to your vendor for remediation.
- Re-run tests to verify that applied patches have fixed identified vulnerabilities and have not created new vulnerabilities. Also re-run tests after installing software/firmware updates to VoIP products.
- Companies that already have a network security audit process may want to add VoIP functional tests to the list of penetration tests run during each audit.
- Enterprises with significant investment in (and dependence on) VoIP may want to create more extensive functional protocol test cases, using PROTOS test suites as a guide.
Want to learn more about VoIP security? Check out our Learning Guide.
VOIP PROTOCOLS TECHNICAL GUIDE
Understanding VoIP protocols
VoIP protocol insecurity
How to use fuzzing to deter VoIP protocol attacks
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications.
This was first published in January 2006