99, are you SURE this connection is secure? 99? 99? Can you hear me now??

Voice Over IP, A Security Overview
Christopher Duffy, CISSP

VoIP Security Overview
- Definitions
- Under the Covers of SIP
- Threats in VoIP / VoIP Telephony
- Best Practices
- References

"Voice over IP is the John Travolta of Internet technologies. It was big once, everyone laughed at it, and it faded away... only to come back bigger than ever." - Alan Cohen, VP, Cisco

CONVERGENCE!
VoIP resides on your data network:
- Runs on an OS
- Is an application on your servers
- Uses the same infrastructure

Global Definitions
VoIP - Voice over Internet Protocol (also called IP telephony or Internet telephony) is the routing of voice conversations over the Internet or any other packet-switched network.
PSTN - Public Switched Telephone Network, the aggregation of the world's public circuit-switched telephone networks, in much the same way that the Internet is the aggregation of the world's public IP-based packet-switched networks.

Global Definitions (Cont)
PBX - Private Branch eXchange, a telephone exchange that is owned by a private business, as opposed to one owned by a common carrier or by a telephone company.

QoS
QoS (Quality of Service) is a defined measure of performance in a data communications system. For example, to ensure that real-time voice is delivered without drops, a traffic contract is negotiated between the customer and the network provider that guarantees a minimum bandwidth along with the maximum delay that can be tolerated, in milliseconds.

Latency
Latency (delay) is the time from when words are spoken until they are heard at the other end: the amount of time it takes a packet to travel from source to destination. Together, latency and bandwidth define the speed and capacity of a network. A voice delay of 80 ms (toll quality) is a good threshold; once that threshold is exceeded the conversation becomes annoying. The ear can accept 120-180 ms of delay.

Jitter
Jitter (variation in delay) is a variation in packet transit delay caused by queuing, contention and serialization effects on the path through the network. In general, higher levels of jitter are more likely to occur on slow or heavily congested links. 20 milliseconds is the threshold for tolerance on a call.
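To make the latency and jitter thresholds above measurable, here is an added example (not from the deck) that estimates jitter over constructed G.711 packet arrival times and checks a stream against the 80 ms latency and 20 ms jitter limits quoted on these slides; the RFC 3550 interarrival-jitter estimator and the 8 kHz RTP clock are assumptions the slides do not state.

```python
G711_CLOCK_HZ = 8000        # RTP clock for G.711 (assumed); 20 ms of audio advances it by 160
LATENCY_LIMIT_MS = 80.0     # toll-quality one-way delay threshold from the Latency slide
JITTER_LIMIT_MS = 20.0      # per-call jitter tolerance from the Jitter slide

def interarrival_jitter_ms(packets, clock_hz=G711_CLOCK_HZ):
    """RFC 3550 interarrival-jitter estimate (an assumed estimator, not from the slides), in ms.
    packets: (rtp_timestamp, arrival_time_ms) tuples in arrival order."""
    jitter, prev = 0.0, None
    for ts, arrived in packets:
        if prev is not None:
            prev_ts, prev_arrived = prev
            # D: how much the transit time changed between two consecutive packets
            d = (arrived - prev_arrived) - (ts - prev_ts) * 1000.0 / clock_hz
            jitter += (abs(d) - jitter) / 16    # exponential smoothing with gain 1/16
        prev = (ts, arrived)
    return jitter

def assess_call(packets, one_way_latency_ms):
    """Return (jitter_ms, problems) against the slides' 80 ms latency and 20 ms jitter limits."""
    jitter = interarrival_jitter_ms(packets)
    problems = []
    if one_way_latency_ms > LATENCY_LIMIT_MS:
        problems.append(f"latency {one_way_latency_ms:.0f} ms exceeds {LATENCY_LIMIT_MS:.0f} ms")
    if jitter > JITTER_LIMIT_MS:
        problems.append(f"jitter {jitter:.1f} ms exceeds {JITTER_LIMIT_MS:.0f} ms")
    return jitter, problems

# Constructed streams of 50 packets sent 20 ms apart (160 RTP clock units per packet).
STEADY = [(i * 160, i * 20.0) for i in range(50)]   # every packet arrives exactly on time
# Congested link: delay jumps to 50 ms then drains over the next packets (arrival order preserved).
BURSTY = [(i * 160, i * 20.0 + (0.0, 50.0, 30.0, 10.0)[i % 4]) for i in range(50)]
```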
Protocols
H.323 - International Telecommunications Union - Telecommunications (ITU-T) standard for real-time multimedia communications and conferencing over packet-based networks.
CODECS
- G.711 - audio codec, 56/64 kbps (toll quality)
- G.723.1 - speech codec, 5.3 and 6.3 kbps
- G.729 - speech codec, 8/13 kbps

Protocols
SIP (Session Initiation Protocol) is an IP telephony signaling protocol used to establish, modify and terminate VoIP telephone calls. SIP is comparable to a telephone operator: other technology is used once connected. SIP, rather than H.323, has become the standard for VoIP. The protocol resembles HTTP, is text based, and is very open and flexible. It has therefore largely replaced the H.323 standard.

Session Initiation Protocol
- Application layer protocol, similar to HTTP
- Client-server model
- Uses requests and responses for transactions
- Requests and responses are transmitted in ASCII plaintext (like HTTP)

SIP Entities
A SIP network is composed of a number of logical SIP entities:
- User Agent (phone): initiates, receives and terminates calls
- Proxy Server (call controller): acts on behalf of a UA in forwarding or responding to requests; can "fork" requests to multiple servers
- Redirect Server (call controller): responds to, but does not forward, requests
- Registration Server (call controller): handles User Agent authentication and registration

SIP Entity Example
(Diagram labels: User Agent hard phone; User Agent soft phone; User Agent 802.11X; Proxy Server; Registration Server; VoIP Gateway; PBX; Packet Switched Network; Circuit Switched Networks; Traditional Digital and Analog.)

VoIP Threats: Denial of Service
IP phones sit alongside computers: both are residents of the same network.
- Request Flooding
  - H.323 Setup floods
  - SIP INVITE floods
- Malformed Signaling
  - c07-SIP PROTOS
  - CERT® Advisory CA-2003-06 affected Alcatel, Cisco, Ingate, IPTel, Mediatrix Telecom, Nortel and others

VoIP Security Concern - Denial of Service
- Interjected Signaling: unsolicited "End Session" or "BYE" packets will terminate calls
- Underlying OS DoS: a soft client is only as reliable as the OS it runs on (Microsoft)
- Distributed DoS: multiple focused external attacks on a given gateway
- SYN flood attacks, malformed ICMP, Nuke attacks, etc., can be mitigated or eliminated effectively with a proper firewall
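As an added example that is not part of the deck, the monitor below parses the plaintext SIP messages described on the SIP slides and raises defensive alerts for two of the DoS patterns above: an INVITE flood from one source, and an interjected BYE whose From tag belongs to neither party of the dialog it names. The addresses, Call-IDs and the flood threshold are constructed for the sample.

```python
import re
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0
INVITE_FLOOD_THRESHOLD = 5   # INVITEs per source per window; a tuning value assumed for this example

def parse_sip(raw):
    """SIP is text: a start line, then 'Name: value' headers up to a blank line."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    first = lines[0].split(" ")
    kind = first[1] if first[0] == "SIP/2.0" else first[0]   # status code or request method
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return kind, headers

def tag_of(header_value):
    """The ;tag= parameter of a From/To header identifies one party of a dialog."""
    m = re.search(r";tag=([^;>\s]+)", header_value)
    return m.group(1) if m else None

class SipSignalingMonitor:
    """Passive monitor keyed on Call-ID: alerts on INVITE floods and on BYEs from nobody in the dialog."""
    def __init__(self):
        self.dialogs = defaultdict(set)    # Call-ID -> tags of the parties seen so far
        self.invites = defaultdict(deque)  # source IP -> recent INVITE arrival times
        self.alerts = []
    def observe(self, src_ip, t, raw):
        kind, h = parse_sip(raw)
        call_id = h.get("call-id")
        if kind == "INVITE":
            window = self.invites[src_ip]
            window.append(t)
            while t - window[0] > WINDOW_SECONDS:   # forget arrivals older than the window
                window.popleft()
            if len(window) > INVITE_FLOOD_THRESHOLD:
                self.alerts.append(("invite_flood", src_ip, call_id))
            self.dialogs[call_id].add(tag_of(h.get("from", "")))
        elif kind == "200" and h.get("cseq", "").endswith("INVITE"):
            self.dialogs[call_id].add(tag_of(h.get("to", "")))   # callee's tag completes the dialog
        elif kind == "BYE" and tag_of(h.get("from", "")) not in self.dialogs.get(call_id, ()):
            self.alerts.append(("interjected_bye", src_ip, call_id))   # unsolicited "End Session"

def sip(start_line, headers):
    """Build a constructed SIP message with CRLF line endings and an empty body."""
    return start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n"

def run_sample():
    """Constructed traffic: a legitimate call, a BYE from a third host, then an INVITE burst."""
    mon, cid = SipSignalingMonitor(), "abc123@10.0.0.11"
    mon.observe("10.0.0.11", 0.0, sip("INVITE sip:2002@pbx.example SIP/2.0",
        {"Call-ID": cid, "From": "<sip:2001@pbx.example>;tag=a1", "CSeq": "1 INVITE"}))
    mon.observe("10.0.0.12", 0.3, sip("SIP/2.0 200 OK",
        {"Call-ID": cid, "To": "<sip:2002@pbx.example>;tag=b2", "CSeq": "1 INVITE"}))
    mon.observe("10.0.0.99", 5.0, sip("BYE sip:2001@pbx.example SIP/2.0",
        {"Call-ID": cid, "From": "<sip:2002@pbx.example>;tag=zz", "CSeq": "2 BYE"}))
    for i in range(7):   # seven INVITEs from one host inside 0.6 s
        mon.observe("10.0.0.99", 6.0 + i * 0.1, sip("INVITE sip:2001@pbx.example SIP/2.0",
            {"Call-ID": f"flood{i}@10.0.0.99", "From": f"<sip:x@10.0.0.99>;tag=f{i}", "CSeq": "1 INVITE"}))
    return mon.alerts
```

In production the same dialog state would also need expiry and a check that the BYE's Call-ID, From and To all match, but the tag test alone already separates a third-party teardown from a party hanging up.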
VoIP Threats (Cont)
- Phishing via VoIP, "Vishing"
- SPAM over Internet Telephony (SPIT)
- VOMIT - Voice Over Misconfigured Internet Telephones: converts a captured phone call into a .wav file
  vomit -r phone.dump | waveplay -S8000 -B16 -C1
- Eavesdropping
- SIP Server Impersonation
- Registration Hijacking
- Call Hijacking

VoIP Threat: Eavesdropping
IP to circuit based
APR (ARP Poison Routing) - enables sniffing on switched networks and the interception of IP traffic on switched networks
(Diagram credit: SonicWALL/SecureIT)

VoIP Threats: Eavesdropping
If media is encrypted but signaling is not:
- Invasion of privacy vulnerability - Number Harvesting: builds a list of "real" phone numbers for future use (SPIT)
- Invasion of privacy vulnerability - Call Pattern Tracking: who is calling whom? When? How long?
VoIP protection against eavesdropping:
- When implemented correctly - better than POTS
- When implemented incorrectly - more vulnerable than POTS

VoIP Security Concern - Quality of Service
QoS at Layer 2, 3 and 4+
- Layer 2: 802.1p; requires 802.1Q VLAN header support
- Layer 3: DSCP (Differentiated Services), contained within the IP header
- 802.1p/DSCP rely upon correct and accurate packet coloring
  - Vulnerable to injected higher-color network saturation
  - Dependent upon the capability of intermediate network equipment
- Layer 4: VoIP-aware stateful bandwidth management (BWM) is most reliable
  - Requires VoIP awareness and multiple-stream identification and coalescing
  - Most effective when combined with Layer 2/3 marking/coloring

VoIP Security Concern - Interception/Modification
- Call Black Holes: a directed attack utilizing dynamic routing at intermediate routers, sending calls to unconnected networks
- Call Hijacking: a directed attack utilizing dynamic routing at intermediate routers, sending calls to an unintended "other" receiver
- Media Alteration: modification of the media stream
- Caller ID Falsification: Caller ID modification, on-the-fly via interception or intended falsification by the call initiator

VoIP Security Practices
- Bandwidth Management: prioritize (Layer 7)
- Segment onto logically distinct networks (NIST 800-58): separate VLANs
- QoS edge points: ISP router, SOHO router, internally
- Physical Port Management

VoIP Security Practices - Media and Signaling Encryption
- IPSec VPN: currently the most complete solution; complexity of configuration is a barrier; not supported by many vendors
- TLS (Transport Layer Security), IETF: interoperability concerns; issues with key exchange
- SSL (Secure Sockets Layer), Netscape, IETF: generally not supported for peer-to-peer; hub and spoke deployments

Firewall - NAT/Port Considerations
VoIP issues with classic stateful NAT firewalls:
- Inbound access to UDP/TCP ports is restricted by default
  - RTP is dynamically assigned an "even" port in 1024-65534; it would be necessary to open up the entire firewall
  - The RTCP port is dynamically remapped with Symmetric NAT
- VoIP endpoints each have a unique IP, but NAT turns all "internal" IPs into a single "external" IP
  - All incoming calls are to a single IP. Which endpoint is the actual intended IP?
- VoIP requires either an Application Layer Gateway or a Session Border Controller

Firewall Solution - SBC
Session Border Controller
- A dedicated appliance which implements firewall/NAT traversal; tricks the existing firewall
- Placed in the signaling and media path between calling and called parties
- Breaks end-to-end security unless private keys are told to the SBC
- Implemented as a B2BUA (Back-to-Back User Agent)
- Can run into scalability issues

Firewall Solutions - ALG
An Application Layer Gateway is a firewall which understands VoIP media
- Embedded software on a firewall
- Dynamically identifies, opens and closes ports as needed
- Transforms outer (NAT) and inner (DPT) IPs & ports on-the-fly
- May be able to identify and coalesce disparate streams into a single call flow for monitoring and QoS
- Should be able to identify and protect against malformed signaling and media
- Since it is not terminating/re-initiating calls, a proper ALG can scale beyond an SBC on a price/call metric
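To show concretely what "dynamically identifies, opens and closes ports" and "transforms outer and inner IPs & ports" mean, this added example (not the deck's code) reads the SDP offer carried by a SIP INVITE, derives the RTP/RTCP pinholes an ALG would open while enforcing the even-port 1024-65534 rule from the NAT slide, refuses malformed or off-network offers instead of opening anything, and rewrites the inner address and port to the NAT's outer values. The 10.0.0.0/24 voice subnet, the 203.0.113.5 outer address and all ports are constructed.

```python
import ipaddress
import re

MEDIA_RE = re.compile(r"^m=(audio|video) (\d+) RTP/S?AVP(?: \d+)+$")
INSIDE_NET = ipaddress.ip_network("10.0.0.0/24")   # constructed private voice subnet

def sdp_media_pinholes(sdp, inside_net=INSIDE_NET):
    """[(inside_ip, rtp_port, rtcp_port)] an ALG should open; ValueError means open nothing."""
    session_ip, media = None, []        # media: [ip, port] per m= line
    for line in sdp.strip().splitlines():
        if line.startswith("c=IN IP4 "):
            ip = ipaddress.ip_address(line[9:].strip())
            if media:
                media[-1][0] = ip       # media-level c= overrides the session-level one
            else:
                session_ip = ip
        elif line.startswith("m="):
            m = MEDIA_RE.match(line)
            if not m:
                raise ValueError(f"malformed media line: {line!r}")
            media.append([session_ip, int(m.group(2))])
    pinholes = []
    for ip, port in media:
        if port == 0:                   # SDP convention: port 0 means the offerer declined this media
            continue
        if port % 2 or not 1024 <= port <= 65534:
            raise ValueError(f"RTP port {port} is not an even port in 1024-65534")
        if ip is None or ip not in inside_net:
            raise ValueError(f"media address {ip} is not inside {inside_net}")
        pinholes.append((str(ip), port, port + 1))   # RTCP uses the next (odd) port
    if not pinholes:
        raise ValueError("offer carries no media to open")
    return pinholes

def rewrite_sdp(sdp, inside_ip, inside_port, outside_ip, outside_port):
    """Translate the inner c= address and m= port to the NAT's outer values, as an ALG does."""
    out = []
    for line in sdp.strip().splitlines():
        if line == f"c=IN IP4 {inside_ip}":
            line = f"c=IN IP4 {outside_ip}"
        elif line.startswith("m=") and line.split(" ")[1] == str(inside_port):
            line = line.replace(f" {inside_port} ", f" {outside_port} ", 1)
        out.append(line)
    return "\r\n".join(out) + "\r\n"

SAMPLE_SDP = (                          # constructed offer from a phone at 10.0.0.11
    "v=0\r\n"
    "c=IN IP4 10.0.0.11\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"    # G.711 u-law / A-law on an even port
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 0 RTP/AVP 31\r\n"         # video declined by the offerer: nothing to open
)

def run_sample():
    """Pinholes for the sample, plus the offer rewritten to the outer address 203.0.113.5:40000."""
    holes = sdp_media_pinholes(SAMPLE_SDP)
    ip, rtp, _ = holes[0]
    return holes, rewrite_sdp(SAMPLE_SDP, ip, rtp, "203.0.113.5", 40000)
```

Because the pinhole is derived per call and only for the advertised even port and its RTCP neighbour, the firewall never has to expose the whole 1024-65534 range, and an offer that fails validation is dropped rather than forwarded.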
NIST Recommendations
NIST Special Publication 800-58, January 2005
- Logically distinct networks
- Use an ALG firewall or Session Border Controller
  - STUN - Simple Traversal of UDP through NAT; does not work with Symmetric NAT
  - TURN - Traversal Using Relay NAT; works with STUN; limited to a single peer behind a NAT device
  - ICE - Interactive Connectivity Establishment; uses STUN, TURN, RSIP; requires additional SDP attributes
  - UPnP - Universal Plug and Play; multi-NAT scalability and security issues
- Strong authentication and IPSec or SSH to access the controller
- Use end-point encryption or site-to-site IPSec tunnels
- Don't use soft phones - PCs are too vulnerable
- Stay away from 802.11 a/b/g phones without IPSec

VoIP Security Practices - Endpoint and Call Manager Protection
- UTM Firewall (Unified Threat Management)
- Physical and Logical Security: access to the Call Manager must be restricted; it is only as secure as the weakest password
- Redundant Power: VoIP requires AC power to operate; PSTN does not
- End-to-end Encryption: TLS, SRTP covers media only; IPSec, SSL covers media and signaling

References
- VOIPSA - http://voipsa.org
- CERT - http://www.cert.org
- NIST, "Security Considerations for Voice Over IP Systems" - http://csrc.nist.gov