Researchers at the University of Oulu discovered many of the known SIP and H.323 vulnerabilities using functional test methods to assess protocol implementation security. Functional protocol testing, also known as "black-box testing" or "fuzzing," sends many diverse input messages to a vendor's implementation, exercising error handling routines and generating conditions never anticipated by the protocol designers or software developers....
Fuzzers systematically send test messages, randomly or sequentially, within the framework defined by a given protocol specification. The implementation undergoing testing is observed for buffer overflows, unhandled exceptions and unexpected behavior.
To demonstrate the effectiveness of this methodology, the University of Oulu's PROTOS project (http://www.ee.oulu.fi/research/ouspg/protos/index.html) developed functional test suites for several Internet protocols, including HTTP, LDAP, SNMP, SIP and H.225. The PROTOS Test-Suite: c07-sip exercises SIP proxy and user agent INVITE handling, using more than 4,500 test messages. The PROTOS Test-Suite: c07-h2250v4 tests devices that handle H.225.0/Q.931 Setup-PDU messages, including H.323 endpoint terminals and gateways, VoIP-aware firewalls and multi-point control units.
When these test suites ran against several representative SIP and H.323 implementations, product failure rates were alarming. Fortunately, many of these vendors used test results to correct identified vulnerabilities. Test case definitions and Java code for sending these test messages are available for downloading on the PROTOS project Web site, at no charge.
The PROTOS SIP and H.323 test suites clearly demonstrated the value of functional protocol testing, but they only scratched the surface of each protocol. Further testing of other VoIP protocol messages may uncover more vulnerabilities. Nonetheless, enterprises rolling out VoIP would be wise to take one of these PROTOS suites out for a test drive. Running functional tests against VoIP products under consideration or already installed in your company's network can identify vulnerabilities before attackers compromise them. The following are some key tactics for successfully testing products:
- Test all devices that send, receive or parse VoIP protocols, including handsets, softphones, SIP proxies, H.323 gateways, call managers and firewalls that VoIP messages pass through. Exercise care because some tests may result in DoS.
- When vulnerabilities are found, search CVE databases and apply any related patches, or report test results for unpatched problems to your vendor for remediation.
- Re-run tests to verify that applied patches have fixed identified vulnerabilities and have not created new vulnerabilities. Also re-run tests after installing software/firmware updates to VoIP products.
- Companies that already have a network security audit process may want to add VoIP functional tests to the list of penetration tests run during each audit.
- Enterprises with significant investment in (and dependence on) VoIP may want to create more extensive functional protocol test cases, using PROTOS test suites as a guide.
Testing alone cannot defeat all attacks against VoIP. How you choose to deploy, configure and use your VoIP products is equally important. However, tests like these can help you reduce the inherent risk posed by SIP and H.323 protocols.
VOIP PROTOCOLS TECHNICAL GUIDE
Understanding VoIP protocols
VoIP protocol insecurity
How to use fuzzing to deter VoIP protocol attacks
Want to learn more about VoIP security? Check out our Learning Guide.
ABOUT THE AUTHOR:
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications.