As someone who does vulnerability assessments, you always hope your clients are doing a good job with their security infrastructure. Theoretically, the perfect assessment is "we didn't find any problems, here's a list of our tests, and here's a list of things you're doing right". In practice, though, that *never* happens. Also in real life, there's that private (or vocal) "WOOT" moment that you have when you find a clear path from the internet to the crown jewels.

I can start anticipating that moment when I see a VOIP gateway in the rack - these allow remote VOIP sessions (either from a handset or a laptop) to connect to the PBX through a proxy. VOIP vendors (all of them) sell these appliances as "Firewalls", and usually they have the word "Firewall" in the product name.

In another engagement, we found a gateway from a different vendor, based on BSD (good start), but with a similar litany of issues:

Not having actually seen the unit, I asked the client to check whether it might have been hooked up backwards (with the private interface on the internet side) - alas, that was not the case; the "hardened" interface had these issues! It's still *extremely* common to see voicemail servers based on SCO Unix or Windows 2000 (Windows NT4 in a recent assessment!). One vendor in particular still has a production, new-off-the-shelf voicemail server based on Win2k.
Rob VandenBrink, ISC Handler, Nov 28th 2011
Excellent diary Rob! I would add my experience of finding gateways (often SBCs) with an implicit trust relationship to the upline RTP server. This invites theft of telephony services as the trust relationship often negates the need for endpoint authentication ... hence any endpoint with a valid terminal identifier can register with the RTP/SIP server via the proxy. My point is neither gateways nor SBCs should be permitted to serve as just a pass-through for RTP services; endpoint affiliation and registration should be required to the maximum extent afforded by the IP communications environment. As you so eloquently mentioned, perceiving VoIP gateway devices as simply another network appliance is a very dangerous school of thought.
VB33, Nov 28th 2011
You haven't lived until you've written a script that robocalls and rickrolls the client's workforce during a pentest.
No Love., Nov 29th 2011