Security people are paranoid. I am OK with their paranoid behavior, though, as it is often in the best interest of their organization.
As many OCS admins can attest, when we ask the security team to open up the 50,000-59,999 port range for A/V media connections, they spit out pea soup looking stuff and their heads spin around. After they are done with their fits, they say they won’t do it because it is so insecure. Well, I don’t believe they are right. I think they are all stuck in the days of Netscape (FYI, Netscape is long gone), worrying about how to manage port 80 and 443 traffic. Maybe I am exaggerating.
I have always argued that the range is not a big security risk: every port in it belongs to the same service (one port per media stream, for different users of that service), and the ports are not even actively listening unless the server side has told them to listen. The server randomly selects the ports for each session as part of the SIP conversation between the external endpoints and the servers, and that entire SIP conversation is fully encrypted.
Anyway, one of my students pointed out an excellent blog article that basically says the same thing, but also includes another couple of reasons why these ports are actually more secure. Basically, in order to be able to compromise the ports in question, an attacker would have to:
- Guess which ports are active for a particular user. Guessing only one of the multiple ports really won’t help an attacker, since only part of the session would be exposed, and guessing the full set of ports that makes up the entire session is next to impossible. Remember that at any point in time, a large number of the ports won’t even be listening.
- Crack the TLS protected SIP stream. Try it and get back to me after several hundred hours on your Cray Mini. Oh, wait, by then the communication will have been completed.
- Spoof the remote user’s IP address.
Don’t forget, an attacker would have to complete steps 1-3 within the duration of the session. Mathematically, I just don’t see how that is going to happen more than once every 4 or 5 gazillion years.
Also, don’t forget that while we can reduce the number of ports, we need to be very careful that we don’t cut it down too much and end up losing the ability to support the number of users we need to support during peak usage times. For more information on reducing the number of ports, see the Technical Reference document for OCS.
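If the security team wants to see for themselves how little of that range is actually bound at any moment (and you want numbers before you trim the range for peak load), here is a small PowerShell check you can run on the Edge server. This is an added example, not code from the original post or from Microsoft; it assumes a Windows host and the standard column layout of `netstat -ano`, and the function and parameter names are my own.

```powershell
# Added example (not from the original post): list which ports in the OCS
# A/V media range are bound right now, so the "most of the range is not
# listening" claim can be checked on the Edge server itself.
# Assumes a Windows host and the standard column layout of `netstat -ano`.
function Get-AVMediaPortUsage {
    param(
        [string[]]$NetstatLines = (netstat -ano),   # pass captured lines to run offline
        [int]$Start = 50000,
        [int]$End   = 59999
    )
    # Columns: Proto, local addr:port, foreign addr, optional TCP state, PID
    $pattern = '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$'
    $bound = foreach ($line in $NetstatLines) {
        if ($line -match $pattern) {
            $port = [int]$Matches[3]
            if ($port -ge $Start -and $port -le $End) {
                [pscustomobject]@{
                    Protocol  = $Matches[1]
                    Port      = $port
                    Local     = $Matches[2]
                    State     = if ($Matches[5]) { $Matches[5] } else { 'n/a' }   # UDP has no state
                    ProcessId = [int]$Matches[6]
                }
            }
        }
    }
    $rangeSize = $End - $Start + 1
    $count = @($bound).Count
    [pscustomobject]@{
        RangeSize    = $rangeSize
        BoundPorts   = $count
        PercentBound = [math]::Round(100 * $count / $rangeSize, 2)
        Endpoints    = @($bound)
    }
}

# Constructed sample in netstat -ano layout (not a real capture):
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1224',
    '  TCP    10.0.0.5:50012         203.0.113.7:52144      ESTABLISHED     1224',
    '  UDP    10.0.0.5:50013         *:*                                    1224',
    '  UDP    10.0.0.5:53            *:*                                    880'
)
$result = Get-AVMediaPortUsage -NetstatLines $sample
"Bound in range: $($result.BoundPorts) of $($result.RangeSize) ($($result.PercentBound)%)"
$result.Endpoints | Format-Table -AutoSize
```

Drop the `-NetstatLines` argument to read the live table on the server; run it a few times during a busy hour and you have a defensible number for how far the range can be reduced.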