Tag Archives: fortinet Deep SIP message inspection

Deep SIP message inspection

Leave a reply

Deep SIP message inspection

Deep SIP message syntax inspection (also called Deep SIP header inspection or SIP fuzzing protection) provides protection against malicious SIP messages by applying SIP header and SDP profile syntax checking. SIP Fuzzing attacks can be used by attackers to discover and exploit vulnerabilities of a SIP entity (for example a SIP proxy server). Most often these attacks could crash or compromise the SIP entity.

 

Deep SIP message inspection

SIP message

Malformed SIP header

eld detected

FortiCarrier

SIP

PAacrstiever

Blade

Message compliant

Yes: Check next

header eld

  • Checks the SIP request message

Request-line

  •  Checks the following SIP

header fields:

  • Allow, Call-id, Contact, Content- length, Content-type, CSeq, Expires, From, Max-Forwards,

P-asserted-identity, Rack,

Yes: Return SIP client error Response message

400 Bad Request or

413 Request entity too large

Configured:

“Pass” ?

No

Configured:

“Respond

?

If no

Record-Route, Route, Rseq, To, Via

  • Checks all SDP profile lines
  • Configurable header and body length checks
  • Optional logging of message violations

 

Discard message

Deep SIP message inspection checks the syntax of each SIP header and SDP profile line to make sure they conform to the syntax defined in the relevant RFC and IETF standard. You can also configure the SIP ALG to inspect for:

  • Unknown SIP message types (message types not defined in a SIP RFC) this option is enabled by default and can be disabled. When enabled unknown message types are discarded. Configured using the block-unknown option.
  • Unknown line types (message line types that are not defined in any SIP or SDP RFC). Configured using the unknown-header option.
  • Messages that are longer than a configured maximum size. Configured using the max-body-length option.
  • Messages that contain one or more lines that are longer that a set maximum line length (default 998 characters). Configured using the max-line-length option.

 

Actions taken when a malformed message line is found

When a malformed message line or other error is found the SIP ALG can be configured to discard the message containing the error, pass the message without any other actions, or responding to the message with a 400 Bad Request or 413 Request entity too large client error SIP response message and then discard the message. (For information about client error SIP response messages, see “Client error”.)

If a message line is longer than the configured maximum, the SIP ALG sends the following message:

SIP/2.0 413 Request Entity Too Large, <optional_info>

If a message line is incorrect or in an unknown message line is found, the SIP ALG sends the following message:

SIP/2.0 400 Bad Request, <optional_info>

The <optional_info> provides more information about why the message was rejected. For example, if the SIP ALG finds a malformed Via header line, the response message may be:

SIP/2.0 400 Bad Request, malformed Via header

If the SIP ALG finds a malformed message line, and the action for this message line type is discard, the message is discarded with no further checking or responses. If the action is pass, the SIP ALG continues parsing the SIP message for more malformed message lines. If the action is respond, the SIP ALG sends the SIP response message and discards the message containing the malformed line with no further checking or response. If only malformed message line types with action set to pass are found, the SIP ALG extracts as much information as possible from the message (for example for NAT and opening pinholes, and forwards the message to its destination).

If a SIP message containing a malformed line is discarded the SIP ALG will not use the information in the message for call processing. This could result in the call being terminated. If a malformed line in a SIP message includes information required for the SIP call that the SIP ALG cannot interpret (for example, if an IP address required for SIP NAT is corrupted) the SIP ALG may not be able to continue processing the call and it could be terminated. Discarded messages are counted by SIP ALG static message counters.

 

Logging and statistics

To record a log message each time the SIP ALG finds a malformed header, enable logging SIP violations in a VoIP profile. In all cases, when the SIP ALG finds an error the FortiGate unit records a malformed header log message that contains information about the error. This happens even if the action is set to pass.

If, because of recording log messages for deep message inspection, the CPU performance is affected by a certain amount, the FortiGate unit records a critical log message about this event and stops writing log messages for deep SIP message inspection.

The following information is recorded in malformed header messages:

  • The type of message line in which the error was found.
  • The content of the message line in which the error was found (it will be truncated if it makes the log message too long)
  • The column or character number in which the error was found (to make it easier to determine what caused the error)

 

Deep SIP message inspection best practices

Because of the risks imposed by SIP header attacks or incorrect data being allowed and because selecting drop or respond does not require more CPU overhead that pass you would want to set all tests to drop or respond. However, in some cases malformed lines may be less of a threat or risk. For example, the SDP i= does not usually contain information that is parsed by any SIP device so a malformed i= line may not pose a threat.

You can also used the pre-defined VoIP profiles to apply different levels of deep message inspection. The default VoIP profile sets all deep message inspection options to pass and the strict VoIP profile sets all deep message inspection options to discard. From the CLI you can use the clone command to copy these pre-defined VoIP profiles and then customize them for your requirements.

 

Configuring deep SIP message inspection

You configure deep SIP message inspection in a VoIP profile. All deep SIP message inspection options are available only from the CLI.

Enter the following command to configure deep SIP message inspection to discard messages with malformed Request-lines (the first line in a SIP request message):

config voip profile edit VoIP_Pro_Name

config sip

set malformed-request-line respond end

end

 

You cannot configure message inspection for the Status-line, which is the first line in a SIP response message.

The following table lists the SIP header lines that the SIP ALG can inspect and the CLI command for configuring the action for each line type. The table also lists the RFC that the header line is defined in.

 

SIP header lines that the SIP ALG can inspect for syntax errors

SIP Header line VoIP profile option RFC
 

Allow

  

malformed-header-allow

  

RFC 3261
 

CallID

  

malformed-header-call-id

  

RFC 3261
 

Contact

  

malformed-header-contact

  

RFC 3261
 

Content-Length

  

malformed-header-content-length

  

RFC 3261
 

Content-Type

  

malformed-header-content-type

  

RFC 3261
 

CSeq

  

malformed-header-cseq

  

RFC 3261
 

Expires

  

malformed-header-expires

  

RFC 3261
 

From

  

malformed-header-from

  

RFC 3261
 

Max-forwards

  

malformed-header-max-forwards

  

RFC 3261
 

PAssertedIden– tity

  

malformed-header-p-asserted-identity

  

RFC 3325
 

RAck

  

malformed-header-rack

  

RFC 3262
 

RecordRoute

  

malformed-header-record-route

  

RFC 3261
 

Route

  

malformed-header-route

  

RFC 3261

 

SIP Header line VoIP profile option RFC
 

RSeq

  

malformed-header-rseq

  

RFC 3262
 

To

  

malformed-header-to

  

RFC 3261
 

Via

  

malformed-header-via

  

RFC 3261

The table below lists the SDP profile lines that the SIP ALG inspects and the CLI command for configuring the action for each line type. SDP profile lines are defined by RFC 4566 and RFC 2327.

 

SDP profile lines that the SIP ALG can inspect for syntax errors

Attribute                  VoIP profile option

a=                              malformed-header-sdb-a

b=                              malformed-header-sdp-b

c=                              malformed-header-sdp-c

i=                               malformed-header-sdp-i

k=                              malformed-header-sdp-k

m=                             malformed-header-sdp-m

o=                              malformed-header-sdp-o

r=                               malformed-header-sdp-r

s=                              malformed-header-sdp-s

t=                               malformed-header-sdp-t

v=                              malformed-header-sdp-v

z=                               malformed-header-sdp-z

 

Discarding SIP messages with some malformed header and body lines

Enter the following command to configure deep SIP message inspection to discard SIP messages with a malformed Via line, a malformed route line or a malformed m= line but to pass messages with a malformed i= line or a malformed Max-Forwards line

config voip profile edit VoIP_Pro_Name

config sip

set malformed-header-via discard set malformed-header-route discard

set malformed-header-sdp-m discard set malformed-header-sdp-i pass

set malformed-header-max-forwards pass end

end

 

Discarding SIP messages with an unknown SIP message type

Enter the following command to discard SIP messages with an unknown SIP message line type as defined in all current SIP RFCs:

config voip profile edit VoIP_Pro_Name

config sip

set unknown-header discard end

end

 

Discarding SIP messages that exceed a message size

Enter the following command to set the maximum size of a SIP message to 200 bytes. Messages longer than 200 bytes are discarded.

config voip profile edit VoIP_Pro_Name

config sip

set max-body-length 200 end

end

The max-body-length option checks the value in the SIP Content-Length header line to determine body length. The Content-Length can be larger than the actual size of a SIP message if the SIP message content is split over more than one packet. SIP message sizes vary widely. The size of a SIP message can also change with the addition of Via and Record-Route headers as the message is transmitted between users and SIP servers.

 

Discarding SIP messages with lines longer than 500 characters

Enter the following command to set the length of a SIP message line to 500 characters and to block messages that include lines with 500 or more characters:

config voip profile edit VoIP_Pro_Name

config sip

set max-line-length 500

set block-long-lines enable end

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!