Cisco IPS 4255 Sensor White Paper
© 2004 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com
Page 5 of 8
H.225 SECURITY CONSIDERATIONS
As shown in earlier figures, H.225 call signaling and status messages form an inherent part of H.323 call setup. Various H.323 entities in the
network, such as the gatekeeper, gateways, and endpoint terminals, run implementations of the H.225 protocol stack. In scenarios like this, it becomes
increasingly important to have robust implementations of these protocols and proper security checks that prevent protocol misuse and stop
attackers from using bugs in these implementations as attack vectors. If attackers manage to compromise the H.225 protocol implementations, they
can adversely affect the VoIP network, hijack calls, or otherwise misuse the VoIP network.
Buffer Overflow Attacks
Because H.225 messages are PER encoded, an attacker can misencode the PER length fields and try to cause a buffer overflow at the receiving
endpoint. The ASN.1 representation of the H.225 protocol lays down specific bounds on the lengths of the fields, and protocol modules may
be susceptible to attacks that violate those bounds.
DoS Attacks
Attackers can try to send huge messages by specifying out-of-bounds or very large messages or fields. This leads to excessive memory usage at the
endpoints and gateways and can result in a DoS attack. Attackers can also use PER encoding coupled with the ASN.1 representation to encode
excessively recursive fields, leading to huge processing and memory overhead at the endpoint.
Invalid Protocol Fields/Misuse
Attackers may exploit a vulnerability in the endpoint implementation by sending invalid protocol fields, or may take advantage of the endpoint
software misinterpreting fields. This can lead to inadvertent leakage of sensitive network topology information, call hijacking, or a DoS attack.
Attacks Using Bad Patterns in String Fields
Attackers may use certain string fields in the Q.931 and H.225 protocols to insert specific patterns that compromise the endpoint implementation and
run attack code, such as opening a back door for further attacks.
THE CISCO IPS SENSOR SOFTWARE VERSION 5.0 H.225 ENGINE
To protect different H.225 implementations and provide a single point of misuse or attack detection for the H.225 implementations in the network,
an IPS is an ideal solution.
Because the call-signaling messages are exchanged over TCP PDUs, they need deep-packet inspection. An IPS sitting at the edge of the network is
well placed to detect such attacks against multiple H.323 gatekeepers, VoIP gateways, and endpoint terminals. An IPS can also act as a central point for
enforcing various policies on H.225 messages coming into the network.
To use the IPS as a detection and protection point, guarding against attacks by specially crafted invalid H.225 messages and against misuse and
overflow attacks on the various protocol fields in these messages, we need to analyze the H.225 protocol. By analyzing the messages and
fields and applying static and user-tunable signature checks for the protocol implementation, an IPS can give customers a solution that protects
their H.323 implementations against such attack vectors. Especially important is the SETUP call-signaling message; this is the first message
exchanged between H.323 entities as part of call setup. The SETUP message uses many of the fields commonly found in the call-signaling
messages, and implementations that are exposed to probable attacks will also likely fail the security checks for SETUP messages. As a result, it is
highly important to check the H.225 SETUP message for validity and to enforce these checks at the perimeter of the network.
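As an added illustration of the static and user-tunable length checks described above (example code written for this page, not Cisco IPS signature logic), the following Python checker walks a TPKT-framed Q.931 SETUP message, rejects any information element whose declared length overruns the message, and flags string fields that exceed an operator-set limit. The per-field limits in POLICY and the sample messages are assumptions constructed for the example; the TPKT, Q.931 and H.225.0 framing values are those of the standards.

```python
import struct
# Per-IE policy: (name, maximum length an IPS operator might allow); the limits are assumed, tunable values
POLICY = {0x28: ("Display", 82), 0x6C: ("Calling party number", 32), 0x70: ("Called party number", 32)}

def tpkt(body: bytes) -> bytes:
    """Frame a Q.931 body in a TPKT header (RFC 1006): version 3, reserved octet, 16-bit total length."""
    return struct.pack("!BBH", 3, 0, 4 + len(body)) + body

def check_setup(pdu: bytes) -> list:
    """Return findings for one TPKT-framed Q.931 SETUP; an empty list means every check passed."""
    findings = []
    if len(pdu) < 4 or pdu[0] != 3:
        return ["bad TPKT header"]
    tpkt_len = struct.unpack("!H", pdu[2:4])[0]
    if tpkt_len != len(pdu):
        findings.append("TPKT length %d does not match %d bytes received" % (tpkt_len, len(pdu)))
    body = pdu[4:]
    if len(body) < 2 or body[0] != 0x08:            # Q.931 protocol discriminator
        return findings + ["not a Q.931 message"]
    pos = 2 + (body[1] & 0x0F)                      # skip the call reference (its length is the low nibble)
    if pos >= len(body):
        return findings + ["truncated call reference"]
    if body[pos] & 0x7F != 0x05:                    # 0x05 = SETUP
        return findings + ["message type 0x%02x is not SETUP" % body[pos]]
    pos += 1
    while pos < len(body):                          # walk the information elements
        ie = body[pos]
        if ie & 0x80:                               # single-octet IE (e.g. Sending complete, 0xA1)
            pos += 1
            continue
        len_octets = 2 if ie == 0x7E else 1         # H.225.0 gives the User-user IE (0x7E) a 2-octet length
        if pos + 1 + len_octets > len(body):
            findings.append("IE 0x%02x truncated before its length field" % ie)
            break
        ie_len = int.from_bytes(body[pos + 1:pos + 1 + len_octets], "big")
        remaining = len(body) - pos - 1 - len_octets
        if ie_len > remaining:                      # misencoded length: the classic overflow trigger
            findings.append("IE 0x%02x claims %d bytes, only %d remain" % (ie, ie_len, remaining))
            break
        if ie in POLICY and ie_len > POLICY[ie][1]:
            findings.append("%s length %d exceeds policy max %d" % (POLICY[ie][0], ie_len, POLICY[ie][1]))
        pos += 1 + len_octets + ie_len
    return findings

# Constructed sample messages (call reference 0x0001), not captured traffic.
HEADER = b"\x08\x02\x00\x01\x05"
GOOD_SETUP = tpkt(HEADER + b"\x28\x05Alice" + b"\x70\x04\x80123" + b"\xa1")
BAD_LENGTH_SETUP = tpkt(HEADER + b"\x28\xc8Alice")          # Display IE claims 200 bytes, only 5 present
OVERSIZE_DISPLAY = tpkt(HEADER + b"\x28\x64" + b"A" * 100)  # 100-byte Display exceeds the policy limit
```

The User-user IE that carries the PER-encoded H.225 SETUP UUIE is only length-checked here; decoding that PER body is where a full engine would apply the ASN.1 field bounds the paper refers to.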