Check Point NG FP2 VoIP Security Features

897
-1

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
897
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
22
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Check Point NG FP2 VoIP Security Features

  1. 1. VoIP Security white paper Check Point NG FP2 VoIP Security Features July In this document: Abstract......................................................................................................2 VoIP Introduction.......................................................................................3 VoIP protocols ...........................................................................................5 Short introduction to H.323.........................................................................5 Short introduction SIP .................................................................................7 Why VoIP security is considered almost impossible .....................................8 Check Point FireWall-1 Security features ..................................................11 Check Point FireWall-1 Security features for H.323 ...................................11 Check Point FireWall-1 Security features for SIP.......................................13 QoS integration ........................................................................................14 VoIP Security Problems prevented with Check Point.................................15 Summary..................................................................................................17 Appendix A – VoIP Standards and Recommendations ...............................18 Page 1 out of 19 pages - Confidential and proprietary – Document4
  2. 2. VoIP Security white paper Abstract Voice over IP (VoIP), one of the fastest emerging technologies today, is a technique by which voice is transported over data network using the Internet Protocol (IP). VoIP is no longer a vague concept; VoIP networks are experiencing rapid growth and are being integrated into traditional IP networks in an equally rapid manner. Until recently, it was not possible to securely deploy VoIP ne tworks. The only way to allow inbound calls was to leave a permanent hole from the outside world to the user's IP phone. Obviously, this violates even the most basic firewall security policies. 1 One should always bear in mind that basically, we are talking about an IP network where security is an integral requirement.2 In addition to the traditional threats that are introduced when deploying VoIP networks, there are many challenges that need to be addressed without hindering performance. This paper describes Check Point’s NG FP2 VoIP security features and enhancements. In order to recognize the outstanding achievement of Check Point’s VoIP security solution, one should understand the problems of securing VoIP protocols. The following paragraph describes the challenges that one is faced with trying to secure VoIP infrastructures using H.323 based protocols: 1 Can we talk? VoIP's firewall challenges, Daniel Briere and Beth Gage, The Edge, 06/11/02. http://www.nwfusion.com/edge/columnists/2002/0625bleeding.html 2 VoIP, The Next Generation of Phreaking. Revision 1.1 By Ofir Arkin, @Stake Page 2 out of 19 pages - Confidential and proprietary – Document4
  3. 3. VoIP Security white paper VoIP Introduction3 VoIP is the ability to make telephone calls over IP-based data networks with a suitable quality of service (QoS) and superior cost/benefit. Everyone is talking about VoIP and everyone wants to be seen as a leading contender in this arena. Equipment developers and manufacturers see a window of opportunity to innovate and compete. They are busy developing new VoIP-enabled equipment attempting to break into the market in time. Internet service providers see the possibility of competing with the PSTN for customers. Users are interested in the integration of voice and data applications in addition to the cost savings. Although VoIP seems to be most attractive, the technology has not been developed to the point where it can replace the services and quality provided by the PSTN. First it must be clear that VoIP will indeed be cost effective. In order to compete with today's PSTN, there must be significantly lower total cost of operation. These savings will initially be seen in the area of long distance calls. VoIP provides a competitive threat to providers of traditional telephone services that will clearly stimulate improvements in cost and function throughout the industry. VoIP implementations are present in many other applications. For example, voice messages can be prepared using a telephone and then delivered to an integrated voice/data mailbox using Internet or intranet services. Voice annotated documents, multimedia files, etc. can easily become standard within office suites in the near future. 3 http://www.protocols.com/papers/voip.htm Page 3 out of 19 pages - Confidential and proprietary – Document4
  4. 4. VoIP Security white paper The main justifications for development of VoIP can be summarized as follows: • Cost reduction. As described, there can be a real savings in long distance telephone costs, which is extremely important to most companies, particularly those with international markets. • Simplification. An integrated voice/data network allows more standardization and reduces total equipment needs. • Consolidation. The ability to eliminate points of failure, consolidate accounting systems and combine operations is obviously more efficient. • Advanced Applications. The long run benefits of VoIP include support for multimedia and multi-service applications; something which today's telephone system cannot compete with. Growth in the VoIP market is expected to be considerable over the next 5 years. Estimates put the annual growth rate for IP-enabled telephone equipment at 132% between 1997 and 2002 with an expected market of some $3.16B in 2002. This expected growth is encouraging to prospective developers of VoIP products. However, many challenges are still facing developers of VoIP equipment, both in terms of voice quality, latency and packet loss as well as cal control and system management. For more l information on these and more issues regarding VoIP, see the full article: Voice over IP (VoIP) in techguide.com, sponsored by Telogy Networks. Page 4 out of 19 pages - Confidential and proprietary – Document4
  5. 5. VoIP Security white paper VoIP protocols In order to provide voice services over data networks, and especially over traditional Internet Protocol 4based networks, over the years, different standards bodies such as the ITU-T, ETSI, IETF, ANSI and many others developed different protocols. The following diagram5 illustrates the different standard gr oups. Each group has its own standard. Figure 1: IP telephony standards groups The most widely accepted protocols for VoIP are from the H.323 family of protocols and from SIP. Short introduction to H.3236 The H.323 standard provides a foundation for audio, video, and data communications across IP-based networks, including the Internet. H.323 is an umbrella recommendation from the International Telecommunications Union (ITU) that sets standards for multimedia 4 RFC 791 http://www.faqs.org/rfcs/rfc791.html 5 Source: IP Telephony Protocols and Architectures USNIX 1999, Melinda Shore, Nokia IP Telephony 6 Source: http://www.protocols.com/pbook/h323.htm Page 5 out of 19 pages - Confidential and proprietary – Document4
  6. 6. VoIP Security white paper communications over Local Area Networks (LANs) that do not provide a guaranteed Quality of Service (QoS). The H.323 standards are important building blocks for a broad new range of collaborative, LAN-based applications for multimedia communications. It includes parts of H.225.0 - RAS, Q.931, H.245 RTP/RTCP and audio/video codecs, such as the audio codecs (G.711, G.723.1, G.728, etc.) and video codecs (H.261, H.263) that compress and decompress media streams. Media streams are transported on RTP/RTCP. RTP carries the actual media and RTCP carries status and control information. The signaling information is transported reliably over TCP. The following protocols deal with signaling: • RAS manages registration, admission, and status. • Q.931 manages call setup and termination. • H.245 negotiates channel usage and capabilities. • H.235 manages security and authentication. The following diagram shows H.323 protocols in relation to the OSI model Figure 2: H.323 family and related protocols Page 6 out of 19 pages - Confidential and proprietary – Document4
  7. 7. VoIP Security white paper Short introduction SIP The session initiation protocol (SIP) described in RFC 2543 is a signaling protocol for setting up sessions between clients over a network, e.g. the Internet. These sessions do not necessarily have to be Internet telephony sessions. SIP could just as well be used for setting up gaming sessions or for distance learning where a lecture is streamed out to the participants. The Session Initiation Protocol (SIP) is an application- layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants. These sessions include Internet multimedia conferences, Internet telephone calls and multimedia distribution. Members in a session can communicate via multicast or via a mesh of unicast relations, or a combination of these. SIP invitations used to create sessions carry session descriptions, which allow participants to agree on a set of compatible media types. SIP supports user mobility by proxying and redirecting requests to the user's current location. It follows that users can register their current location. SIP is not tied to any particular conference control protocol. SIP is designed to be independent of the lower- layer transport protocol and can be extended with additional capabilities. The following diagram conta ins example of a SIP message INVITE sip:uabfrth@134.138.228.159 SIP/2.0 via: SIP/2.0/UDP 134.138.242.7:5062 from: sip:Fredrik.Thernelius@uab.ericsson.se to: sip:uabfrth@134.138.242.7 call-ID: 955720785564@134.138.242.7 cseq: 1444 INVITE user-agent: Ellemtel-PICo/R2H contact: sip:Fredrik.Thernelius@134.138.242.7:5062 content-type: application/sdp content-length: 250 v=0 o=uabfrth 955720785594 955720785594 IN IP4 134.138.242.7 s=Basic Session c=IN IP4 134.138.242.7 t=955720785594 0 m=audio 2328 RTP/AVP 8 0 96 98 99 97 a=rtpmap:96 SC6/6000 a=rtpmap:98 SC6/3000 a=rtpmap:99 RT24/2400 a=rtpmap:97 VR15/1500 Diagram 3: SIP message example Page 7 out of 19 pages - Confidential and proprietary – Document4
  8. 8. VoIP Security white paper Why VoIP security is considered almost impossible H.323 is complex, uses dynamic ports, and includes multiple UDP streams. Punching holes in a firewall lets voice pass through but could put networks at risk. This threat becomes dire for businesses using server-based IP PBXs because the phone systems could be brought down by viruses and hacker attacks. 7 In the past, different vendors that provide proprietary security solutions for H.323 explained why it would be almost impossible to provide firewall based security solutions. A comprehensive study that was made by Intel Corporation discussed the different possible solutions for H.323 security problems. Based on this study, following are some of H.323 major security related problems: • An H.323 call contains many different simultaneous connections. At least two of the connections are TCP. For an audio-only conference, there may be up to 4 different UDP connections’ made. • All connections except one are made to ephemeral (dynamic) ports. • Calls can be initiated from outside the firewall, as well as from inside. In order to make conference calls, external users need to be able to esta blish calls directly with internal users’ desktop systems. • The addresses and port numbers are exchanged within the data stream of the “next higher” connection. For example, the port number for the H.245 connection is established within the Q.931 data stream. This makes it particularly difficult for address translating firewalls, which must modify the addresses inside those data streams. To make matters worse, it is possible in Q.931, for example, to specify that the H.245 connection should be secured (encrypted). • Most of the control information is encoded in ASN.1 (only the User-User Information within Q.931 Protocol Data Units, or PDUs, is ASN.1-encoded. Other parts of each Q.931 PDU are not encoded). For those unfamiliar with ASN.1, suffice to say that it is a complex encoding scheme, which does not end up with fixed byte offsets for address information. In fact, the same version of the same application connecting to the same destination may negotiate to include different options, changing the byte offsets. 8 7 Firewall limits vex VoIP users. Phil Hochmuth and Tim Greene, Network World, 07/08/02 . http://www.nwfusion.com/news/2002/0708vo ip.html 8 Source: H.323 and Firewalls: The problems and pitfalls of getting H.323 safely through firewalls, Intel Corporation. Page 8 out of 19 pages - Confidential and proprietary – Document4
  9. 9. VoIP Security white paper The ability to talk with a customer or business colleague is more than a business critical requirement. It is one of the most primitive and basic tasks today. Whilst ensuring that the VoIP system will work, security is an absolute requirement. The same study 9 states that in the author’s opinion, “A Stateful Inspection firewall can provide better support for H.323 if it can disassemble the packets on the control streams and dynamically open up the firewall as indicated. This is better than the solution above (Packet Filter –S.B) because the only ports that are opened are those associated with the H.323 connection. However, disassembling the packets is not as easy as it sounds due to ASN.1 encoding of the control streams.” Check Point is addressing those issues and more. The following diagram illustrates in a graphical way the problems of securing VoIP connections: As one can see, there are several possible locations for the firewall. It can either protect the Gatekeeper, the Terminal or the Gateway. The terminal client may be located at the protect zone or in another un-trusted network. The next diagram illustrates the problem of protecting the signaling traffic from being abused by the users or hackers: 9 H.323 and Firewalls: The problems and pitfalls of getting H.323 safely through firewalls, Intel Corporation., Table 1 page 12 Page 9 out of 19 pages - Confidential and proprietary – Document4
  10. 10. VoIP Security white paper A VoIP call is made out of many connections. A firewall can be placed between any of the different parties. The challenge is to understand the context of a connection. This includes both the data and the signaling connections. VPN-1/FireWall-1 that sees LRQ/LCF in a specific configuration will enforce the relationship between the RAS and the Q.931 connections. Even more complicated scenario is described at the next diagram. Two GateKeepers are being used. Note that a firewall can be placed at any point between different servers. Page 10 out of 19 pages - Confidential and proprietary – Document4
  11. 11. VoIP Security white paper Check Point FireWall-1 Security features Using the same security infrastructure that differentiates Check Point’s solutions from other devices, VPN-1/FireWall-1 provides extensive security support for SIP and H.323 protocols. Check Point FireWall-1 Security features for H.323 VPN-1/FireWall-1 performs the following operations for H.323 based protocols: • Parsing of H.323 messages is done in FireWall-1 kernel. This includes o Parsing of LCQ/LCF H.225 RAS messages. o Parsing of setup and connect commands in Q.931 messages. o Parsing of H.245 protocol commands. • Parsing Fast start commands, encapsulate H.245 in H.225 messages. • Performing Stateful inspection operations on open RTP/RTCP ports based on H.323 signaling context and H.245, T.120 in case of H.225 RAS (LRQ/LCF), FireWall-1 also opens the H.225 Q.931 ports dynamically. In this event, FireWall-1 enforces security restrictions which are far beyond the basic operation of dynamic port allocation: o Always enforces the control-data connection relationship. o The H.323 service will not allow one type of connection to exist independently of the other. The system does not allow any data connection to open if the negotiation for it in the control connection was not seen. • FireWall-1 supports Gatekeeper direct and indirect routing modes. This allows the highest level of flexibility in the network architecture. o Direct (only RAS messages) o Call Setup (Q.931) o Call Setup & Call Control (Q.931 and H.245) • Gateway supported routing modes: o Call Setup (Q.931) o Call Setup & Call Control (Q.931 and H.245) • Since different part of the signaling is being done by different entities, FireWall-1 is enforcing security restrictions over Handover domains: VPN-1/FireWall-1 Page 11 out of 19 pages - Confidential and proprietary – Document4
  12. 12. VoIP Security white paper disables the possibility to abuse the redirection capabilities of the signaling protocols to allow unsolicited or non-VoIP communication. The following Handover types are supported: o Gatekeeper -> Gateway / End Point handover after Q.931/H.245 Gateway -> End Point /(Gateway) ha ndover after Q.931/H.245 o Cascaded 10: Gatekeeper -> Gateway ->End Point. All the capabilities that were mentioned are fully supported from the Policy Editor GUI: o VoIP domains. o Definitions of Gateway object, Gatekeeper objects. o Definitions of Endpoints domain, Routing mode. H.323 logging As a company that focus on security, special attention was given to H.323 logging. Check Point will generate the following logs: • Call logs: Each log entry contain the IP source and destination, and H.323 protocol types, including call logging of each message and Phone number from LRQ • Setup messages logs (H.225 Q.931) • Registration logs, which contains the H.323 phone numbers. • Reject logs with detailed description. 10 The cascaded is not really a type, since the End Point of a Gateway is not supposed to be an IP End Point. We allow this type, since a Gateway can perform redirections between its own IP addresses Page 12 out of 19 pages - Confidential and proprietary – Document4
  13. 13. VoIP Security white paper Check Point FireWall-1 Security features for SIP Check Point FireWall-1/VPN1 provides the following security options for SIP Voice over IP sessions: • Rule-Based SIP support with full GUI support. • Ability to parse SIP header to determine multimedia type and associated media port • Ability to open RTP/RTCP ports, as indicated in SDP header, and monitor the states of those connections. • The SIP service always enforces the control data connection relationship. The - SIP service will not allow one type of connection to exist independently of the other. This ensures the security and integrity of billing processes. • Validate SIP protocol call flow according to the RFC, and drop out of state SIP messages. • Ability to define SIP Handover Domain object, thus disabling the possibility to abuse the redirection capabilities of the signaling protocols to allow non-VoIP communication. • Handles extensive SIP protocol feature set: re-invite messages (with the ability to limit the re-invite messages), hold, and Call conference… SIP logging Check Point VPN-1/FireWall-1 will generate the following logs: • Call logs: Each log will contain the “from” and “to” SIP URLs and phone numbers. • Registration logs, which contain the SIP URLs. • Reject logs with detailed description. Page 13 out of 19 pages - Confidential and proprietary – Document4
  14. 14. VoIP Security white paper QoS integration As described previously, quality of service (QoS) is essential for VoIP systems. Check Point architecture allows to integrate it’s QoS solution (Check Point FloodGate-1) and VoIP security features. Check Point FloodGate-1 is a policy-based, Quality of Service (QoS) solution for VPNs, private WANs and I nternet links, which is tightly integrated with VPN -1/FireWall-1. It optimizes network performance by assigning priority to business-critical applications and end users. In order to support the special business requirements of VoIP applications, FloodGate-1 supports the VoIP-tuned mechanism LLQ – Low Latency Queuing. This mechanism is tuned to achieve best latency for constant bit rate applications, like VoIP. In order to limit the number of connections admitted, one should use LLQ with a per connection guarantee. For voice application, one wants to give each conversation a guaranteed bandwidth. Usually one should set an admission policy that does not accept additional calls if bandwidth is not adequate. Page 14 out of 19 pages - Confidential and proprietary – Document4
  15. 15. VoIP Security white paper VoIP Security Problems prevented with Check Point At Black Hat 2002 presentation, Ofir Arkin, Managing Security Architect for @stake 11 described several attacks against VoIP based systems.12 The following examples, taken from his presentation, describe two different types of attacks that can easily be mitigated by anyone that is using a properly configured VPN-1/FireWall-1, due to its Stateful Inspection mechanism. SIP Denial of Service There are many Simple Denial-of-Service attacks against SIP when using the UDP protocol. Since UDP is an asynchrono us protocol, if one can guess the target network a caller is sending its SIP signaling over UDP to, sending an ICMP Error Message such as Port Unreachable, Protocol Unreachable, Network Unreachable or even Host Unreachable, will terminate the signaling and the call in any state. This can be achieved by using “CANCEL”s or using “BYE” commands anytime. Since Check Point solutions tracks the state of a SIP connection it will limit any command abusing. 11 Ofir@stake.com 12 VoIP, The Next Generation of Phreaking. Revision 1.1 By Ofir Arkin, @Stake Page 15 out of 19 pages - Confidential and proprietary – Document4
  16. 16. VoIP Security white paper In this example, a Check Point Gateway that will be located in front of SIP phone A, will drop the packet arriving from attacker C even if C is using the right protocol parameters, since the call was originated from SIP phone B Call Hijacking In the following example, Sip phone A sends an INVITE request to SIP phone B. The attacker C is sending a 301 message indicating that the called party has moved, and will give his own forwarding address. Another variant of this attack involve a DoS attack on SIP phone A and spoofed registration on the SIP Registration server. Check Point Gateway that will be installed in front of either SIP phone A or the Registration Server or even both could easily prevent those types of attacks. This is achieved since the SIP connections are examined based on the hand-over domains as well and the connection Page 16 out of 19 pages - Confidential and proprietary – Document4
  17. 17. VoIP Security white paper specific signaling parameters. In addition, Check Point ensures that spoofed IP connections will be blocked. It is important to mention that there are other types o f attacks that can be blocked using Check Point VoIP solutions. Summary VPN-1/FireWall-1 is the best-suited solution to protect VoIP based applications. Its inspection code is based on the Stateful Inspection original patent and it is integrated with other generic security features of FireWall-1. Combined with the integration of FloodGate -1 and the rich logging and debugging information enables positioning this solution not only as the best secure platform for VoIP applications, but also as VoIP best infrastructure system. Page 17 out of 19 pages - Confidential and proprietary – Document4
  18. 18. VoIP Security white paper Appendix A – VoIP Standards and Recommendations Signaling: ITU-T Standards and Recommendations Standard Description H.323 V2 Packet-based mutlimedia communications systems H.225.0 Call signalling protocols and media stream pac ketization for packet -based multimedia (includes Q.931 and RAS) H.225.0 Annex G Gatekeeper to gatekeeper (inter-domain) communications H.245 Control protocol for multimedia communications H.235 Security and encryption for H -series multimedia terminals H.450.x Supplementary services for multimedia: 1. Generic functional protocol for the support of supplementary services in H.323 2. Call transfer 3. Diversion 4. Hold 5. Park & pickup 6. Call waiting 7. Message waiting indication H.323 Annex D Real -time fax using T.38 H.323 Annex E Call connection over UDP H.323 Annex F Single-use device T.38 Procedures for real-time group 3 facsimile communications over IP networks T.120 series Data protocols for multimendia conferencing Signaling: IETF RFCs and Drafts Standard Description RFC 2543 SIP: Session initiation protocol RFC 2327 SDP: Session description protocol Internet Draft SAP: Session announcement protocol Media Transport: IETF RFCs Standard Description RFC 1889 RTP: Real-time transport protocol Page 18 out of 19 pages - Confidential and proprietary – Document4
  19. 19. VoIP Security white paper RFC 1889 RTCP: Real-time transport control protocol RFC 2326 RTSP: Real -time streaming protocol Page 19 out of 19 pages - Confidential and proprietary – Document4

×