For example, several of the aforementioned security advisories recommend the use of ingress, egress, and broadcast traffic filters to block SIP messages sent to/from systems that should not do so. In networks that use VLANs to compartmentalize VoIP traffic, switches and access points should be configured to avoid VoIP hopping. The premise here is simple: the fewer systems that are exposed to SIP, the lower the risk of falling victim to SIP-based attacks.
Many VoIP servers and user agents are easily compromised as the result of basic configuration mistakes like failure to disable risky services or change default passwords. VoIP phones tend to be particularly vulnerable to mis-configuration because (a) they aren't managed like ordinary desktop computers and (b) their debug and admin interfaces are frequently hidden or not well advertised to end users. For example:
These three vulnerabilities must be addressed through patching or workarounds (e.g., blocking Telnet or debug traffic). However, many VoIP phones have configurable ports, passwords, and wireless keys that should be changed to prevent unauthorized access. Devices that run softphones also require hardening, using the same techniques commonly applied to any Internet-connected host.
And keep your eyes peeled on VoIPplanet.com, as, over the coming months, we will follow up this article with one on free tools for mitigating SIP vulnerabilities and another on commercial solutions.
This article was first published on VoIPPlanet.com.