How to use fuzzing to deter VoIP protocol attacks

To demonstrate the effectiveness of this methodology, the University of Oulu's PROTOS project (http://www.ee.oulu.fi/research/ouspg/protos/index.html) developed functional test suites for several Internet protocols, including HTTP, LDAP, SNMP, SIP and H.225. The PROTOS Test-Suite: c07-sip exercises SIP proxy and user agent INVITE handling, using more than 4,500 test messages. The PROTOS Test-Suite: c07-h2250v4 tests devices that handle H.225.0/Q.931 Setup-PDU messages, including H.323 endpoint terminals and gateways, VoIP-aware firewalls and multi-point control units.

When these test suites ran against several representative SIP and H.323 implementations, product failure rates were alarming. Fortunately, many of these vendors used test results to correct identified vulnerabilities. Test case definitions and Java code for sending these test messages are available for downloading on the PROTOS project Web site, at no charge.

The PROTOS SIP and H.323 test suites clearly demonstrated the value of functional protocol testing, but they only scratched the surface of each protocol. Further testing of other VoIP protocol messages may uncover more vulnerabilities. Nonetheless, enterprises rolling out VoIP would be wise to take one of these PROTOS suites out for a test drive. Running functional tests against VoIP products under consideration or already installed in your company's network can identify vulnerabilities before attackers compromise them. The following are some key tactics for successfully testing products:

• Test all devices that send, receive or parse VoIP protocols, including handsets, softphones, SIP proxies, H.323 gateways, call managers and firewalls that VoIP messages pass through. Exercise care because some tests may result in DoS.
• When vulnerabilities are found, search CVE databases and apply any related patches, or report test results for unpatched problems to your vendor for remediation.
• Re-run tests to verify that applied patches have fixed identified vulnerabilities and have not created new vulnerabilities. Also re-run tests after installing software/firmware updates to VoIP products.
• Companies that already have a network security audit process may want to add VoIP functional tests to the list of penetration tests run during each audit.
• Enterprises with significant investment in (and dependence on) VoIP may want to create more extensive functional protocol test cases, using PROTOS test suites as a guide.

This tip originally appeared as part of SearchSecurity.com's VoIP protocols: A technical guide

ABOUT THE AUTHOR:

Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications.

Rate this Tip To rate tips, you must be a member of SearchUnifiedCommunications.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT VoIP Security Security concerns for enterprise Skype SIP tutorial Unified communications security risks and countermeasures Can outsiders access my VoIP line and gather confidential data? Top VoIP Chapter Downloads of 2007 Best practices for instant messaging security Top rated VoIP security tips of 2007 Voice over IPv6: Architectures for Next Generation VoIP Networks VoIP vulnerability threatens data How to Cheat at VoIP Security VoIP Protocols SIP trunks a no-brainer for VoIP rollouts Digium's Asterisk PBX does God's work at Midwest church Microsoft's Real-Time Codec (RTC) for VoIP optimization Is there a difference between VoIP and IP telephony? VoIP for the globe-trotting frequent traveler SIP tutorial Springer Handbook of Speech Processing Top 10 VoIP tips for 2007 Push-to-talk implementation using SIP protocol IP PBX eases VoIP transition for gas company Unified Communications Tech Tip Streaming Cisco's IP Communicator to an HP thin client Demystifying unified communications deployment strategies Presence management and security Presence: SIMPLE versus XMPP Four factors driving videoconferencing Consider IBM Lotus SameTime for UC, not just Microsoft OCS An introduction to SIP, part 1 What's the value of unified communications? The benefits and challenges of presence within unified communications Will we get reliable unified communications? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary vishing  (SearchUnifiedCommunications.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.