Meletis Belsis - Voip security
•Download as PPT, PDF•
0 likes•601 views
VoIP Security: An Overview discusses the security challenges of Voice over IP (VoIP) technology. It notes that VoIP inherits vulnerabilities from TCP/IP networks and uses the corporate network, making it complex to secure. Common VoIP threats include denial of service attacks, interception attacks, covert channels, and vulnerabilities in VoIP platforms. The document outlines example attacks and tools used by hackers. It recommends countermeasures like network separation, encryption of SIP and RTP, firewalls, intrusion detection systems, and hardening VoIP infrastructure and devices. VoIP honeypots can also be used to detect attackers.
Report
Share
More Related Content
What's hot
What's hot (20)
Similar to Meletis Belsis - Voip security
Similar to Meletis Belsis - Voip security (20)
More from Meletis Belsis MPhil/MRes/BSc
More from Meletis Belsis MPhil/MRes/BSc (6)
Recently uploaded
Recently uploaded (20)
Meletis Belsis - Voip security
- 1. VoIP Security: An OverviewVoIP Security: An Overview (2008)(2008) Meletis BelsisMeletis Belsis Information Security ConsultantInformation Security Consultant MPhil / MSc / BScMPhil / MSc / BSc CWNA/CWSP, C|EH, CCSA, ISO27001LACWNA/CWSP, C|EH, CCSA, ISO27001LA
- 2. AgendaAgenda VoIP Technology VoIP Complexity VoIP Threats Example Attacks The Hacker’s Toolbox VoIP Countermeasures The Company
- 3. VoIP TechnologyVoIP Technology • VoIP is an integral part of modern Enterprises • VoIP allows the reduction of OpEx by providing PSTN like services • Based on open IETF and ITU standards • Protocols used to support VoIP include TCP/UDP/IP, DNS,TFTP, DHCP,STUN,HTTP,SIP,RTPTCP/UDP/IP, DNS,TFTP, DHCP,STUN,HTTP,SIP,RTP • VoIP components include: Routers, Switches, Firewalls, SIP Servers, Media Gateways, iPBX, WiFi
- 4. VoIP SecurityVoIP Security “ The flexibility of VoIP comes at a price: added complexity in securing voice and data. Because VoIP systems are connected to the data network and share many of the same hardware and software components, there are more ways for intruders to attack a VoIP system than a conventional voice telephone system or PBX “ NIST: Considerations for Voice over IP SystemsNIST: Considerations for Voice over IP Systems
- 5. VoIP Security ComplexityVoIP Security Complexity • Securing a VoIP network is complex because: – VoIP inherits the TCP/IP Vulnerabilitiesinherits the TCP/IP Vulnerabilities. – VoIP uses the corporate networkuses the corporate network to operate. Usually there is no network separation. – Applying security may affect other attributes of VoIPaffect other attributes of VoIP (e.g. Delay, Latency, Jitter). – VoIP usually uses UDP communicationuses UDP communication and thus may not be able to operate on networks that use firewalls. Special proxy techniques like STUNSTUN need to be applied.
- 6. VoIP ThreatsVoIP Threats • Denial Of ServiceDenial Of Service – Flood Attacks (i.e Controller Flooding) – BYE Tear Down – Registration Reject – Hold Attack – Call Reject • Interception AttacksInterception Attacks – Call Hijacking – Registration Hijacking – Media Session Hijacking – Server Masquerading – DNS Poisoning – Caller ID Spoofing – VoIP VLAN Hopping – ARP Spoofing • Covert ChannelsCovert Channels • WiFi AttacksWiFi Attacks SIP server SIP server Media proxy SIP signaling Media Stream Sniffing (D)DoS attack Wire tapping SPIT
- 7. VoIP ThreatsVoIP Threats • VoIP Platforms Vulnerabilities – CAN-2004-0056CAN-2004-0056: Malformed H.323 packet to exploit Nortel BCM vulnerabilities – CAN-2004-0054CAN-2004-0054: Exploits CISCO IOS H.323 implementation – CVE-2007-4459CVE-2007-4459: Cisco SIP DoS vulnerabilities. – CVE-2007-6424CVE-2007-6424: Vulnerabilities on the Fonality Trixbox 2.0 PBX products – CVE-2007-5361CVE-2007-5361: Vulnerabilities on the Alcatel- Lucent OmniPCX Enterprise Communication Server. – CVE-2007-5556CVE-2007-5556: Vulnerabilities on the Avaya VoIP Handset.
- 9. Vlan HoppingVlan Hopping SourceSource:: http://www.securityfocus.com/infocus/1892
- 10. SIP InjectionSIP Injection UE’s initial Register Request looks like: REGISTER SIP: home1.de SIP/2.0 Username=”user Authorization: Digest Username user_private@home1.de”, realm=”home1.de”, nonce=” “, uri=”SIP: home1.de”, response=” “ Malicious Code infected with SQL injection looks like: REGISTER SIP: home1.de SIP/2.0 Authorization: Digest Username=”user_private@home1.de;delete table users”, realm=”home1.de”, nonce=” “, uri=”SIP: home1.de”, response=” “
- 11. Hacker’s ToolboxHacker’s Toolbox • OrekaOreka : A cross-platform system for recording and retrieving audio streams • rtpBreakrtpBreak: detects, reconstructs and analyzes any RTP session through heuristics over the UDP network traffic. • SIPCrackSIPCrack : a SIP protocol login cracker • SiVusSiVus : A SIP Vulnerability Scanner. • BYE Teardown:BYE Teardown: disconnect an active VoIP conversation by spoofing the SIP BYE message from the receiving party • SipRogueSipRogue :multifunctional SIP proxy that can be inserted between two talking parties • RTPInjectRTPInject :attack tool that injects arbitrary audio into established RTP connections. • TFTP CrackerTFTP Cracker: A tool to attack VoIP endpoint and copy their configuration through tftp • ILTY(I am Listening to You)ILTY(I am Listening to You) : A multi-channel VoIP Sniffer • Registration AdderRegistration Adder: A tool to allow fake registrations to be send • VoIP HopperVoIP Hopper: Allows to hope from a normal VLAN to the VoIP Vlan
- 12. Hackers ToolboxHackers Toolbox RTPInject SiVUS Scanner
- 13. 13 WiFi VoIPWiFi VoIP NetStumblerNetStumbler Is used by WarDriversIs used by WarDrivers to detect unprotectedto detect unprotected WiFi NetworksWiFi Networks AirSnortAirSnort Is widely used to attack WEP passwords
- 14. VoIP CountermeasuresVoIP Countermeasures • Network SeparationNetwork Separation : Although dedicated VoIP VLANs offer a level of security, a dedicate VoIP network will be more secure. • SIP EncryptionSIP Encryption: The TLS protocol can be used to encrypt the SIP messages exchanged between the nodes. TLS provides only Server authentication. S/MIME is another option for SIP encryption. • RTP EncryptionRTP Encryption: Secure RTP(SRTP) can be used to encrypt media in a VoIP network
- 15. VoIP CountermeasuresVoIP Countermeasures • ManagementManagement: Avoid using weak management protocols like Telnet, tftp and SNMP ver 2. • FirewallsFirewalls: Ensure that VoIP components (i.e. SIP Proxy, DNS, DHCP, Radius) are logically located behind VoIP aware firewalls (e.g. CISCO SIP Extensions for ASA). • IDS/IPSIDS/IPS : The existent IDS/IPS architecture can be extended using SIP Aware Sensors
- 16. VoIP CountermeasuresVoIP Countermeasures • Hardening the network EnvironmentHardening the network Environment – Enforce Security at the Network Equipment: • Port Security • DHCP Snooping • Receive Access Lists • Enable MAC Filtering • Define the maximum number of MAC addresses per port. • Enable 802.1x for VoIP devices – Use AAA on all VoIP infrastructure Systems – Disable the PC Port on VoIP phone with multiple ports. – Harden the OS of the platforms used • DNZ Zone Transfers • IP to MAC mappings on DHCP • Apply Security Patches / Updates • Disable Telnet and/or r-utilities
- 17. • VoIP Honeypots – VoIP Phones – Fake SIP Proxies (i.e. Asterix) VoIP CountermeasuresVoIP Countermeasures
- 19. Detecting WiFi NetworksDetecting WiFi Networks
- 20. 20 Detecting WiFi NetworksDetecting WiFi Networks
- 21. Bypassing MAC ACLsBypassing MAC ACLs
- 22. Being in the MiddleBeing in the Middle • DNSDNS (modify entries to point all traffic to a hacker's machine) • DHCPDHCP (make all traffic go to hackers machine as default gateway, or change DNS entry to point at hacker's machine so all names resolve to hacker's IP address) • ARPARP (reply with hacker's MAC address, gratuitous ARPs or regular ARP replies) • Flood CAMFlood CAM tables in switches to destroy existing MAC addr/port associations so all traffic is broadcast out every port, and then use ARP attacks • Routing protocolsRouting protocols (change routing such that traffic physically passes through a router/machine controlled by hacker) • Spanning tree attacksSpanning tree attacks to change layer 2 forwarding topology • Physical insertionPhysical insertion (e.g. PC with dual NIC cards, be it Ethernet based or WLAN-based)