VoIP (Voice over IP) Security




             Dayanand Prabhakar
Project scope

•   Understanding VoIP
•   Threat profiling of a VoIP application
•   Developing test cases and methodologies to test a VoIP application
•   Sample testing of one VoIP application and report presentation
•   Mitigation strategies
•   Conclusion
What is VoIP?

 Routing of voice conversations over the Internet or through any other
 IP-based network.
Benefits


 VoIP enables convergence of data, voice, and video onto a single network.
 Attractive opportunities
  –   Reducing costs
  –   Reducing complexities
  –   Enabling progressive business gains
VoIP implementations
   Business-grade VoIP telephony
     – Designed specifically for business grade usage
   Softphones
     – X-lite, 3cx, Express Talk
   Instant Messaging voice services
     – Applications such as AIM, MSN, Apple iChat offer ‘voice chat’
        functionality
   Mobile VoIP
     – Requires a mobile telephone with 3G or wireless connectivity
     – Using a mobile version of a softphone, mobile devices and
        telephones are capable of offering VoIP services
   VoIP handsets
     – Requires a VoIP handset from the service provider
     – Offer call functionality and services similar to typical PSTN
        services
Protocols

   Signaling Protocol
     – Create, modify, and terminate sessions
       with participants
     – Conferences
     – Proxies
     – Authentication


   Transport / Carrier Protocol
     – Manages the actual voice data
Protocols

   Session Initiation Protocol (SIP)
    –   Signaling protocol
    –   Session Initiation Protocol
    –   Application layer control protocol for
        initiating VOIP sessions
    –   Currently most favored protocol for new
        systems
Protocols
   H.323
     – One of the earliest sets of VoIP standards
       by ITU-T
     – Handles voice, video and data conferencing
     – Some limitations, but most VoIP traffic
       utilizes this today

   Real-time Transport Protocol (RTP)
     – Used for media transfer by other protocols
     – Fast, scalable and efficient
     – RTP uses UDP
Most Common VOIP Security Mistakes

1.   Treating VOIP security the same way as Network security
2.   Not treating VOIP security the same way as Network security

How it’s the Same

 • Uses mostly the same protocols
 • Uses mostly the same Operating Systems
 • Many of the same threats

How it’s Different

 • Some unique protocols
 • Traditional Security devices (Firewalls can disrupt service)
 • People treat it like the old phone system
Complexities in VOIP Architecture
Voice over IP Threats

Threats are categorized into the following parameters.

 Threats against availability
 Threats against confidentiality
 Threats against integrity
 Threats against social context
Voice over IP Threats

Against Availability

   Call flooding
   Toll Fraud
   Call hijacking
   Fuzzing
   TDOS

Against Confidentiality

   Eavesdropping
   Call pattern Tracking
   Reconstruction
Voice over IP Threats

Against Integrity

   Message Alteration
   Call Rerouting
   Media Alteration

Against Social context

   Misrepresentation
   Call SPIT (Spam over Internet Telephony)
   Vishing
What are the Threat Vectors?

   OS Exploits
   Signaling Attacks
   Endpoint Admin Privilege Exploits
   Real-time Transport Protocol (RTP) Attacks
   DoS Attacks
   IP PBX & Telephony Server Exploits
Specialized Hacking Tools

   BackTrack Penetration Testing Distribution
     – www.backtrack-linux.org/
   Wireshark (http://www.wireshark.org)
     – Packet Sniffer
   Cain and Abel (http://www.oxid.it)
     – Password cracker
     – ARP spoofing
     – RTP Playback
   SiVuS (http://www.vopsecurity.org/html/tools.html)
     – VoIP Vulnerability Scanner
     – General Purpose VoIP packet generation, spoofing,
       testing tool.
Attack on VoIP
VoIP Security
Mitigation Strategies

   Create VOIP Specific Security Policies
   Segmentation as appropriate
     – Utilize separate VLANs for voice and data
   Device Hardening
     – Do not use default passwords
     – Turn off unnecessary services
     – Apply vendor supplied patches in a timely manner
     – Perform vendor installation security checklist to harden
       applications
   Pay attention to Security Risk Assessments and
    planning against the VOIP infrastructure
Key Mitigation Strategies

   Apply encryption where possible
   Use tools to test the network
   Utilize VoIP-aware firewalls and Intrusion Prevention Systems
   Continue to protect against traditional system attacks (Toll
    Fraud, Modem Security, Social Networking Attacks, etc.)
   Avoid single points of failure
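
To make the "call flooding" threat and the VoIP-aware IPS mitigation concrete, the following is an added example, not part of the original slides: a per-source sliding-window counter for SIP INVITE requests. The threshold, window, addresses and sample messages are constructed assumptions for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration: more than MAX_INVITES INVITE
# requests from one source inside WINDOW_SECONDS is treated as a flood.
WINDOW_SECONDS = 10
MAX_INVITES = 5

def sip_method(payload: bytes):
    """Return the method of a SIP request, or None for responses/garbage."""
    first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first_line.split(" ")
    # A request line is "METHOD request-URI SIP/2.0"; responses start with "SIP/2.0".
    if len(parts) == 3 and parts[2] == "SIP/2.0" and parts[0].isalpha():
        return parts[0].upper()
    return None

def find_invite_floods(events, window=WINDOW_SECONDS, limit=MAX_INVITES):
    """events: iterable of (timestamp_seconds, source_ip, udp_payload), time-ordered.
    Returns {source_ip: peak INVITE count in any window} for sources over the limit."""
    recent = defaultdict(deque)   # source_ip -> timestamps of recent INVITEs
    flagged = {}
    for ts, src, payload in events:
        if sip_method(payload) != "INVITE":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

def _invite(n):
    return (f"INVITE sip:100@pbx.example SIP/2.0\r\n"
            f"Call-ID: constructed-{n}\r\nCSeq: 1 INVITE\r\n\r\n").encode()

# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE_EVENTS = sorted(
    [(i * 0.5, "192.0.2.10", _invite(i)) for i in range(20)]          # 2 INVITEs/s
    + [(i * 4.0, "198.51.100.7", _invite(100 + i)) for i in range(3)]  # normal caller
    + [(1.0, "192.0.2.10", b"SIP/2.0 200 OK\r\n\r\n"),                 # response, ignored
       (2.0, "198.51.100.7", b"REGISTER sip:pbx.example SIP/2.0\r\n\r\n")],
    key=lambda e: e[0],
)

if __name__ == "__main__":
    for src, peak in find_invite_floods(SAMPLE_EVENTS).items():
        print(f"possible call flood from {src}: {peak} INVITEs in {WINDOW_SECONDS}s")
```

Because SIP normally runs over UDP, the source address can be spoofed, so a per-source counter like this is one signal to combine with per-destination and global rate limits.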
Conclusion


 VoIP is established as the future of
  telephones
 Security is critical when designing,
  implementing and maintaining VoIP
  systems
 VoIP technology should thereby provide a
  balance between security and business
  needs.
THANK YOU

 Dayanand Prabhakar
