Slashdot Mirror


Flaws Threaten VoIP Networks?

jdkane writes "CNET News reports that security flaws have been found in products that use VoIP and text messaging, including those from Microsoft and Cisco Systems. What's interesting, in Microsoft's case, is that the Internet Security and Acceleration Server product that's also affected is designed to help protect companies' networks from online attacks. Specifically, a filter used in the server that secures VoIP communications is vulnerable to the flaw."

8 of 159 comments

  1. ISA's Track Record is very bad by tyler@mango.net.nz · · Score: 4, Informative

    Since Microsoft released their "Depend on certified security" firewall, it has had 8 Security Bulletins (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=110&servicepackid=0&chkcritical=on&chkimportant=on&chkmoderate=on&chklow=on&seldaterange=0&txtdatestart=&txtdateend=&submit1=go) (and far more holes, due to Microsoft's 'monthly cluster together all the bugs we found this month and call it one hole' deal.) I have installed about 20 of these fine things, and the amount of bugs and hotfixes we have found and needed to get it working is amazing. Microsoft Proxy Server only had ONE security hole. In fact, Proxy Server v1.0 was a single DLL which slid into IIS4! Proxy Server 2.0 SP1 could fit on a floppy. The problem is everyone uses ISA, because no other firewall I have found can provide the following. 1. Basic Reporting on Users (jo used x MB and went to these web sites.) 2. Tie in to Active Directory, so we don't have to set up and maintain another directory.

    1. Re:ISA's Track Record is very bad by Anonymous Coward · · Score: 2, Informative

      The problem is everyone uses ISA, because no other firewall I have found can provide the following. 1. Basic Reporting on Users (jo used x MB and went to these web sites.) 2. Tie in to Active Directory, so we don't have to setup and maintain another directory.

      You haven't looked very hard. My company uses squid, and it uses NTLM authentication against a windows 2000 domain. Users are authenticated automagically using the integrated IE authentication, and there's only one password store - the active directory on win2k server.

      Squid logs everything. There are dozens of reporting tools (some free, some not) which can read squid log files and generate pretty graphs for management.

      Squid has all sorts of detailed ACLs you can use to allow, disallow or redirect web browsing.

      Squid is fast and free (aside from my time). How much did you pay for ISA?

      Now, using ISA to manage non-web internet connections, that's something else entirely.

  2. Re:meh... by afidel · · Score: 4, Informative

    Actually all of the affected Cisco products are in fact services that run on Windows. I know that this fact was a big concern among quite a few engineers at Cisco that wanted to port CallManager to L/Unix so that OS vulnerabilities wouldn't affect the stability of a product that they were aiming at Enterprise customers. Of course management went and did the exact opposite by tying the multimedia capabilities of CCM to an Exchange backend =(

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.

  3. "VoIP" is not a protocol by Frater+219 · · Score: 5, Informative
    Slashdot editors, technical journalists, and others writing serious articles on the subject would be well-advised to drop terms such as "VoIP security flaw" or "products that use VoIP". Voice-over-IP is a general application category, and gives very little help in discerning whether an issue affects a particular site or product.

    Suppose that a new bug were described as a "file sharing security flaw". Now, does that affect Samba? FTP? NFS? Kazaa? File server bots on IRC? One expects good technical reporting to mention the affected services -- or better yet, actual products -- rather than simply describing a general application category.

    Specifically, in the VoIP application category, there are two major signaling protocols in use: H.323 and SIP. The last round of "VoIP security flaws" affected SIP software. The current discoveries affect H.323. Describing both as "VoIP flaws" and suggesting that the application domain itself is "threatened" is really quite silly. It is as if someone suggested that a certain bug in IIS and another in Freenet together suggested that "file transfer" on the Internet were threatened.

    (For those who don't know much about VoIP: H.323 is the older of the two protocols, and is closer to the "telecoms" way of doing things. It was, IIRC, originally connected to ISDN. SIP is newer, and closer to the "Internet" way of doing things -- if you look at packet captures of it, they look vaguely reminiscent of HTTP, only they're UDP.)

    1. Re:"VoIP" is not a protocol by binux · · Score: 3, Informative
      ... they look vaguely reminiscent of HTTP, only they're UDP.)

      Not just vaguely reminiscent. SIP message formats (request/status line followed by headers) are pretty much like HTTP headers. The response codes, like 200 (OK) and 404 (Not Found), are from HTTP too. SIP implements authentication using the HTTP digest authentication scheme. Most of the early SIP implementations were on UDP. TCP is, however, the mandatory transport to be supported by SIP end-points and servers. SIP also works over TLS.
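The HTTP-like layout binux describes, as an added example that is not part of the thread or of any SIP product mentioned: a strict parser that accepts a SIP start line (request or status), case-insensitive and compact-form headers, and a body whose length must agree with Content-Length, rejecting anything else. The INVITE and 200 OK below are constructed samples (example.com addresses, made-up tags and Call-ID), and the mandatory-header list and compact names are taken from RFC 3261.

```python
import re
MANDATORY = ("via", "from", "to", "call-id", "cseq")   # every SIP message needs these (RFC 3261 section 8.1.1)
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type"}  # compact header names (RFC 3261 section 7.3.3)
class SipError(ValueError):
    pass
def parse_sip(raw: bytes) -> dict:
    # Same layout as HTTP/1.x: start line, CRLF-separated headers, blank line, optional body.
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise SipError("no end-of-headers marker")
    lines = head.decode("ascii").split("\r\n")        # non-ASCII raises UnicodeDecodeError
    msg = {"headers": {}, "body": body}
    if m := re.fullmatch(r"SIP/2\.0 (\d{3}) (.*)", lines[0]):       # status line, e.g. SIP/2.0 200 OK
        msg["status"], msg["reason"] = int(m.group(1)), m.group(2)
    elif m := re.fullmatch(r"([A-Z]+) (\S+) SIP/2\.0", lines[0]):   # request line, e.g. INVITE sip:... SIP/2.0
        msg["method"], msg["uri"] = m.group(1), m.group(2)
    else:
        raise SipError("bad start line: %r" % lines[0])
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise SipError("malformed header line: %r" % line)
        key = name.strip().lower()                      # header names are case-insensitive
        msg["headers"].setdefault(COMPACT.get(key, key), []).append(value.strip())
    missing = [h for h in MANDATORY if h not in msg["headers"]]
    if missing:
        raise SipError("missing mandatory headers: " + ", ".join(missing))
    # Over UDP a missing Content-Length means the body runs to the end of the datagram.
    declared = msg["headers"].get("content-length", [str(len(body))])[0]
    if not declared.isdigit() or int(declared) != len(body):
        raise SipError("Content-Length %r does not match %d body bytes" % (declared, len(body)))
    return msg

def is_well_formed(raw: bytes) -> bool:
    try:
        parse_sip(raw)
        return True
    except (SipError, UnicodeDecodeError):
        return False
# Constructed sample exchange: an INVITE and the 200 OK answering it (the reply uses compact header names).
INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
          b"From: <sip:alice@example.com>;tag=1928301774\r\nTo: <sip:bob@example.com>\r\n"
          b"Call-ID: a84b4c76e66710@192.0.2.10\r\nCSeq: 314159 INVITE\r\n"
          b"Content-Type: application/sdp\r\nContent-Length: 8\r\n\r\nv=0\r\ns=-")
OK_200 = (b"SIP/2.0 200 OK\r\nv: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
          b"f: <sip:alice@example.com>;tag=1928301774\r\nt: <sip:bob@example.com>;tag=a6c85cf\r\n"
          b"i: a84b4c76e66710@192.0.2.10\r\nCSeq: 314159 INVITE\r\nl: 0\r\n\r\n")
```

Feeding the parser an HTTP request shows the similarity is only skin deep: the start line is rejected even though the header block would parse.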

  4. Re:You should read this before committing to Linux by Anonymous Coward · · Score: 3, Informative

    But Windows rests on a 20 year old operating system.

    Muh? Granted the parent poster is a troll, but there's no need to lie in response.

    Windows NT 3.1 - a 32-bit operating system built from the ground-up was released in July 1993 (there was no NT version 1.0 or 2.0, they skipped ahead to keep up with the Windows 3.1 version number). As anyone who tried to run DOS games on Windows NT / 2000 / XP can tell you - it is definitely *NOT* based on DOS.

    Taking release dates, Windows NT is two years younger than Linux, which was released in August 1991.

    If you're going to lie, at least do it convincingly. (The original poster was referring to Windows NT 4, not Windows 95 and 98, which admittedly sit on top of DOS).

  5. Pragmatically, though..... by liamk · · Score: 5, Informative
    I've received several calls and emails from customers today asking about the relevancy of the Cisco Security Alert. By and large, I only deal with enterprise/corporate-type customers (not large VoIP service providers), and I install a ton of Cisco VoIP products, so this comment really only applies to that segment of the marketplace.

    I don't think that this is going to be as large of a problem as Cisco's earlier issues. Although a worm could target home users running IP telephony applications on their PCs, this vulnerability is non-replicating and the potential for abuse is rather limited.

    Basically, there are two major Cisco product lines that are affected by this bug. The first is Cisco's VoIP infrastructure products: the Cisco CallManager server, Conferencing Server, Softswitch and IOS-based routers running H.323 services, among others. Except where the public has access to VoIP services over the Internet, these servers and routers are located on the inside of a firewall. In a best-practices network design, all access to these servers and routers is either via the internal LAN or through a secure VPN connection over the Internet (or any other public network, for that matter). I would find it very unusual to have these services available publicly. If I left a Cisco router with POTS access and an easily guessable dial peer on an Internet-accessible LAN, the potential for toll fraud would be enormous (free calls, lots 'o free calls).

    The second group of products that are vulnerable are Cisco routers performing NAT and firewall services. Cisco's Content Based Access-Control (CBAC) -- a "dynamic firewall" technology -- is also vulnerable to the H.323 DoS attacks in the same manner as the Microsoft IAS server. Once again, unless H.323 ports are open to unrestricted access from the Internet, routers are not vulnerable from random outside attacks. Traffic that originated from behind the firewall would be able to disrupt services; however, it's much easier to apply an access list to track and block the offending traffic than it is to prevent an external DoS attack.

    What's my point? I don't see a widespread attack being able to disable servers and routers on a large scale. Unless attacks are originated from inside a corporate firewall, the potential for disrupted services is minimal. I'm sure that large VoIP service providers are scrambling to patch and secure whatever systems possible - however, they are much better equipped to handle this issue than a Mom and Pop business who happens to have a CallManager server (at least we hope).

    For people who are running these products, I'm recommending a thorough review of external firewall policies to make sure that there aren't any exposed H.323 ports. I'm also recommending an upgrade when it's feasible, but IMHO, there aren't many situations that would require burning the midnight oil to install patches.

    Just my $.02.

  6. Re:meh... by doogles · · Score: 2, Informative
    Actually all of the affected Cisco products are in fact services that run on Windows. I know that this fact was a big concern among quite a few engineers at Cisco that wanted to port CallManager to L/Unix so that OS vulnerabilities wouldn't affect the stability of a product that they were aiming at Enterprise customers. Of course management went and did the exact opposite by tying the multimedia capabilities of CCM to an Exchange backend =(

    Well, it's obvious you've looked at the Cisco IP Telephony products, but don't use them day to day:
    • Cisco CallManager has nothing to do with Microsoft Exchange, directly
    • It has recently been stated by Cisco to their Partners that CallManager 5.0 will be offered on a Linux-based "appliance" (this is quite a ways off, as CCM 4.0 will not be out of controlled release until the start of 2HCY2004)
    • Rumour has it that CallManager/Windows will eventually disappear in favor of a Linux-based "appliance"
    • CallManager relies on two other pieces: an LDAP server (CCM ships with DC-Directory from Data Connection) and MS SQL 2000. Obviously, there are numerous Linux-based options for each (DC claims to have a Linux port of DC-Directory, and there are numerous database options for Linux) but at this time I am unsure which direction they are heading on this
    • When you reference MS Exchange, you are thinking of the Unified Messaging & Voicemail product Cisco Unity, which has traditionally used MS Exchange as its message store for voice messages
    • There was no management decision to drive this product towards MS Exchange; it was developed by Active Voice from the ground up to be a Unified Messaging platform, and they chose the most popular platform to integrate with
    • Cisco now offers a Cisco Unity for Lotus Domino which I have two customers running. Unity has to have heavy knowledge of its Partner Message Store so it's not trivial to add support for new backends. I've heard they are planning a Linux-based appliance for this as well, but don't know one way or the other.
    • Cisco IPCC Express product has already been ported to Linux, as Cisco Unity Express actually is not Unity at all, but a very customized IPCC Express script running on an embedded Linux platform (no, it is NOT IOS; you're thinking of CallManager Express, formerly known as ITS, which I have referenced on Slashdot previously)
    • This leaves us with a few other products in the AVVID portfolio still on Windows. Coming to mind are Cisco Emergency Responder, Cisco Personal Assistant, IPCC Enterprise, and Cisco Conference Connection (OEM'd; and Cisco just bought a company which offers a similar product with 20x the features)

    So, yes, Cisco is very married to Windows right now. However, this is actively changing. And additionally, there was no Cisco conspiracy to develop these products for Windows: CallManager (which came from Selsius) was already running on Windows NT 4.0, and Unity (which as I said came from