• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Download att_focus_network_security.ppt
 

Download att_focus_network_security.ppt

on

  • 1,055 views

 

Statistics

Views

Total Views
1,055
Views on SlideShare
1,055
Embed Views
0

Actions

Likes
0
Downloads
71
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Download att_focus_network_security.ppt Download att_focus_network_security.ppt Presentation Transcript

    • Network and VoIP Security – More Important Than Ever Mark D. Collier Chief Technology Officer SecureLogix Corporation [email_address]
      • General Security Trends
        • Good news
        • Bad news
        • Going forward
      • Network-Based Security
      • Managed Security Services
      • Internal Application/VoIP Security
      Outline Outline
      • Basic security measures, such as anti-virus, firewalls, and anti-spyware, are ubiquitously deployed
      • Average losses due to security breaches are up, but down significantly from 2001 and 2002 (*)
      • The number of incidents is down (*)
      • Incidents are being reported at a greater rate (*)
      General Security Trends Some Good News Security Trends (*) Source – 2007 Computer Crime and Security Survey
    • General Security Trends Some Good News Security Trends (*) Source – 2007 Computer Crime and Security Survey
    • General Security Trends Some Good News (*) Source – 2007 Computer Crime and Security Survey Security Trends
    • General Security Trends Some Good News Security Trends (*) Source – 2007 Computer Crime and Security Survey
    • General Security Trends Some Good News Security Trends (*) Source – 2007 Computer Crime and Security Survey
    • General Security Trends Some Bad News Security Trends (*) Source – 2007 Computer Crime and Security Survey
      • Signature based-detection systems are being pushed to the limit
      • The platforms, network, and applications are getting more and more complex
      • Attacks are becoming increasing complex
      • Perimeter security has many issues
      • Security funding is a small part of IT spending – no more than 10% and often less than 5% (*)
      • Targeted attacks are increasing (*)
      General Security Trends Some Bad News Security Trends (*) Source – 2007 Computer Crime and Security Survey
    • General Security Trends Some Bad News Security Trends (*) Source – 2007 Computer Crime and Security Survey
    • General Security Trends Some Bad News Security Trends (*) Source – 2007 Computer Crime and Security Survey
      • Increased deployment of Intrusion Detection and Prevention Systems (IDSs and IPSs)
      • Possible increase the in use of Network Admission Control (NAC)
      • Network-Based Security solutions are available
      • Managed Security Services solutions are available
      • Increased focus on internal application security
      • New applications such as Voice Over IP (VoIP) moving onto the data network
      General Security Trends Going Forward Security Trends
      • Enterprise customers are deploying firewalls, IDSs/IPSs, AV, anti-SPAM on network edge
      • Some disadvantages:
        • Expensive
        • Multiple vendors and difficult to manage
        • Does not scale well
      Network-based Security Introduction Network-based Security Client Enterprise Client Enterprise 3 rd Party Network Primary Provider IP Network Edge Edge
      • Network-based security embeds security capability in the network
      • Some advantages:
        • Leverages security capability in the network
        • Centralized management
        • Scales better
      Network-based Security Introduction Network-based Security Client Enterprise Client Enterprise 3 rd Party Network Edge Edge AT&T IP Network VPN, Firewall, IDS, Anti-Virus, etc. Firewall, IDS, Anti-Virus, etc.
      • Leverages security expertise
      • Greatly assists with threat reconnaissance
      • Broad network visibility allows greater awareness and warning of attacks
      • The impact of major Worm attacks are seen well in advance of when they are a threat to an enterprise
      • The only real solution to DoS and DDoS attacks
      • A great defense in depth approach
      • Still may need network defense and internal security
      Network-based Security Advantages Network-based Security
    • Network-based Security Early Detection of Attacks Network-based Security Reconnaissance Scanning System Access Damage Track Coverage Preventive Phase (Defense) Reactive Phase (Defense) Web-Based Information Collection Social Engineering Broad Network Mapping Targeted Scan Service Vulnerability Exploitation Password Guessing DDOS Zombie Code Installation System File Delete Log File Changes Use of Stolen Accounts for Attack AT&T Security Service Primary Emphasis
    • Network-based Security DoS and DDoS Attacks Network-based Security TARGETED Server AT&T IP Backbone Enterprise Server
    • Network-based Security AT&T Offerings Network-based Security Policy Management Identity Management Intrusion Management Perimeter Security Secure Connectivity Monitoring & Mgmt Incident Management Network-Based Security Platform
      • AT&T Internet Protect ®
      • AT&T DDoS Defense
      • AT&T My Internet Protect
      • AT&T Private Intranet Protect
      • AT&T Network-Based Firewalls
      • AT&T Secure E-Mail Gateway
      • AT&T Web Security Services
      • Managed Security Services (MSS) are a viable alternative to in-house security staffing
      • Leverage experienced staff, who are familiar with security processes and products
      • Often can be more cost effective
      • Eliminates the need to retain and train staff
      • Security assessments/audits are commonly outsourced
      Managed Security Services Introduction Managed Security Services
    • Managed Security Services Enterprise Penetration (*) Source – 2007 Computer Crime and Security Survey Managed Security Services
    • Managed Security Services Assessments/Audits (*) Source – 2007 Computer Crime and Security Survey Managed Security Services
    • Managed Security Services AT&T Offerings
      • Premises-Based Firewalls
      • Managed Intrusion Detection
      • Endpoint Security Service
      • Token Authentication
      Network-based Security
      • Despite availability of network-based security, managed services, and customer-premise edge security, securing applications is still important
      • Voice Over IP (VoIP) is one internal application that must be secured
      Application/VoIP Security VoIP Security Introduction
      • An enterprise website often contains a lot of information that is useful to a hacker:
        • Organizational structure and corporate locations
        • Help and technical support
        • Job listings
        • Phone numbers and extensions
      Public Website Research Introduction Gathering Information Footprinting
    • Public Website Research Countermeasures
      • It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it
      • Try to limit amount of detail in job postings
      • Remove technical detail from help desk web pages
      Gathering Information Footprinting
      • Google is incredibly good at finding details on the web:
        • Vendor press releases and case studies
        • Resumes of VoIP personnel
        • Mailing lists and user group postings
        • Web-based VoIP logins
      Google Hacking Introduction Gathering Information Footprinting
      • Determine what your exposure is
      • Be sure to remove any VoIP phones which are visible to the Internet
      • Disable the web servers on your IP phones
      • There are services that can help you monitor your exposure:
        • www.cyveilance.com
        • ww.baytsp.com
      Google Hacking Countermeasures Gathering Information Footprinting
      • Consists of various techniques used to find hosts:
        • Ping sweeps
        • ARP pings
        • TCP ping scans
        • SNMP sweeps
      • After hosts are found, the type of device can be determined
      • Classifies host/device by operating system
      • Once hosts are found, tools can be used to find available network services
      Host/Device Discovery and Identification Gathering Information Scanning
    • Host/Device Discovery Ping Sweeps/ARP Pings Gathering Information Scanning
      • Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps
      • VLANs can help isolate ARP pings
      • Ping sweeps can be blocked at the perimeter firewall
      • Use secure (SNMPv3) version of SNMP
      • Change SNMP public strings
      Host/Device Discovery Countermeasures Gathering Information Scanning
      • Involves testing open ports and services on hosts/devices to gather more information
      • Includes running tools to determine if open services have known vulnerabilities
      • Also involves scanning for VoIP-unique information such as phone numbers
      • Includes gathering information from TFTP servers and SNMP
      Enumeration Introduction Gathering Information Enumeration
    • Vulnerability Testing Tools Gathering Information Enumeration
    • Vulnerability Testing Countermeasures
      • The best solution is to upgrade your applications and make sure you continually apply patches
      • Some firewalls and IPSs can detect and mitigate vulnerability scans
      Gathering Information Enumeration
    • TFTP Enumeration Introduction
      • Almost all phones we tested use TFTP to download their configuration files
      • The TFTP server is rarely well protected
      • If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password
      • The files are downloaded in the clear and can be easily sniffed
      • Configuration files have usernames, passwords, IP addresses, etc. in them
      Gathering Information Enumeration
    • TFTP Enumeration Countermeasures
      • It is difficult not to use TFTP, since it is so commonly used by VoIP vendors
      • Some vendors offer more secure alternatives
      • Firewalls can be used to restrict access to TFTP servers to valid devices
      Gathering Information Enumeration
    • SNMP Enumeration Introduction
      • SNMP is enabled by default on most IP PBXs and IP phones
      • Simple SNMP sweeps will garner lots of useful information
      • If you know the device type, you can use snmpwalk with the appropriate OID
      • You can find the OID using Solarwinds MIB
      • Default “passwords”, called community strings, are common
      Gathering Information Enumeration
      • Disable SNMP on any devices where it is not needed
      • Change default public and private community strings
      • Try to use SNMPv3, which supports authentication
      SNMP Enumeration Countermeasures Gathering Information Enumeration
      • The VoIP network and supporting infrastructure are vulnerable to attacks
      • VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter
      • Attacks include:
        • Flooding attacks
        • Network availability attacks
        • Supporting infrastructure attacks
      Network Infrastructure DoS Attacking The Network Network DoS
      • Flooding attacks generate so many packets at a target, that it is overwhelmed and can’t process legitimate requests
      Flooding Attacks Introduction Attacking The Network Network DoS
      • Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling)
      • Use rate limiting in network switches
      • Use anti-DoS/DDoS products
      • Some vendors have DoS support in their products (in newer versions of software)
      Flooding Attacks Countermeasures Attacking The Network Network DoS
      • This type of attack involves an attacker trying to crash the underlying operating system:
        • Fuzzing involves sending malformed packets, which exploit a weakness in software
        • Packet fragmentation
        • Buffer overflows
      Network Availability Attacks Attacking The Network Network DoS
      • A network IPS is an inline device that detects and blocks attacks
      • Some firewalls also offer this capability
      • Host based IPS software also provides this capability
      Network Availability Attacks Countermeasures Attacking The Network Network DoS
      • VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc.
      • DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones
      • DNS cache poisoning involves tricking a DNS server into using a fake DNS response
      Supporting Infrastructure Attacks Attacking The Network Network DoS
      • Configure DHCP servers not to lease addresses to unknown MAC addresses
      • DNS servers should be configured to analyze info from non-authoritative servers and dropping any response not related to queries
      Supporting Infrastructure Attacks Countermeasures Attacking The Network Network DoS
      • VoIP configuration files, signaling, and media are vulnerable to eavesdropping
      • Attacks include:
        • TFTP configuration file sniffing (already discussed)
        • Number harvesting and call pattern tracking
        • Conversation eavesdropping
      • By sniffing signaling, it is possible to build a directory of numbers and track calling patterns
      • voipong automates the process of logging all calls
      • Wireshark is very good at sniffing VoIP signaling
      Network Eavesdropping Introduction Attacking The Network Eavesdropping
    • Conversation Recording Wireshark Attacking The Network Eavesdropping
      • Other tools include:
        • vomit
        • Voipong
        • voipcrack (not public)
        • DTMF decoder
      Conversation Recording Other Tools Attacking The Network Eavesdropping
      • Use encryption:
        • Many vendors offer encryption for signaling
        • Use the Transport Layer Security (TLS) for signaling
        • Many vendors offer encryption for media
        • Use Secure Real-time Transport Protocol (SRTP)
        • Use ZRTP
        • Use proprietary encryption if you have to
      Network Eavesdropping Countermeasures Attacking The Network Eavesdropping
      • The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing:
        • Eavesdropping on the conversation
        • Causing a DoS condition
        • Altering the conversation by omitting, replaying, or inserting media
        • Redirecting calls
      Network Interception Introduction Attacking The Network Net/App Interception
      • The most common network-level MITM attack is ARP poisoning
      • Involves tricking a host into thinking the MAC address of the attacker is the intended address
      • There are a number of tools available to support ARP poisoning:
        • Cain and Abel
        • ettercap
        • Dsniff
        • hunt
      Network Interception ARP Poisoning Attacking The Network Net/App Interception
    • Network Interception ARP Poisoning Attacking The Network Net/App Interception
    • Network Interception Countermeasures
      • Some countermeasures for ARP poisoning are:
        • Static OS mappings
        • Switch port security
        • Proper use of VLANs
        • Signaling encryption/authentication
        • ARP poisoning detection tools, such as arpwatch
      Attacking The Network Net/App Interception
      • VoIP systems are vulnerable to application attacks against the various VoIP protocols
      • Attacks include:
        • Fuzzing attacks
        • Flood-based DoS
        • Signaling and media manipulation
      Attacking The Application Attacking The Application
      • Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it
      • Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks
      • There are many public domain tools available for fuzzing:
        • Protos suite
        • Asteroid
        • Fuzzy Packet
        • NastySIP
        • Scapy
      Fuzzing Introduction Attacking The Application Fuzzing
        • SipBomber
        • SFTF
        • SIP Proxy
        • SIPp
        • SIPsak
      • There are some commercial tools available:
        • Beyond Security BeStorm
        • Codenomicon
        • MuSecurity Mu-4000 Security Analyzer
        • Security Innovation Hydra
        • Sipera Systems LAVA tools
      Fuzzing Commercial Tools Attacking The Application Fuzzing
      • Make sure your vendor has tested their systems for fuzzing attacks
      • Consider running your own tests
      • An VoIP-aware IPS can monitor for and block fuzzing attacks
      Fuzzing Countermeasures Attacking The Application Fuzzing
      • Several tools are available to generate floods at the application layer:
        • rtpflood – generates a flood of RTP packets
        • inviteflood – generates a flood of SIP INVITE packets
        • SiVuS – a tool which a GUI that enables a variety of flood-based attacks
      • Virtually every device we tested was susceptible to these attacks
      Flood-Based DoS Attacking The Application Flood-Based DoS
      • There are several countermeasures you can use for flood-based DoS:
        • Use VLANs to separate networks
        • Use TCP and TLS for SIP connections
        • Use rate limiting in switches
        • Enable authentication for requests
        • Use SIP firewalls/IPSs to monitor and block attacks
      Flood-Based DoS Countermeasures Attacking The Application Flood-Based DoS
    • Registration Manipulation Attacking The Application Sig/Media Manipulation Proxy User Proxy Attacker Hijacked Media Hijacked Session User
    • Session Teardown Attacking The Application Sig/Media Manipulation Attacker Sends BYE Messages To UAs Attacker Proxy Proxy User User
    • IP Phone Reboot Attacking The Application Sig/Media Manipulation Attacker Sends check-sync Messages To UA Attacker Proxy Proxy User User
    • Audio Insertion/Mixing Attacker Sees Packets And Inserts/Mixes In New Audio Attacking The Application Sig/Media Manipulation Attacker Proxy Proxy User User
      • Some countermeasures for signaling and media manipulation include:
        • Use digest authentication where possible
        • Use TCP and TLS where possible
        • Use SIP-aware firewalls/IPSs to monitor for and block attacks
        • Use audio encryption to prevent RTP injection/mixing
      Signaling/Media Manipulation Countermeasures Attacking The Application Sig/Media Manipulation
      • Voice SPAM refers to bulk, automatically generated, unsolicited phone calls
      • Similar to telemarketing, but occurring at the frequency of email SPAM
      • Not an issue yet, but will become prevalent when:
        • The network makes it very inexpensive or free to generate calls
        • Attackers have access to VoIP networks that allow generation of a large number of calls
      • It is easy to set up a voice SPAM operation, using Asterisk, tools like “spitter”, and free VoIP access
      Voice SPAM Introduction Social Attacks Voice SPAM
      • Some potential countermeasures for voice SPAM are:
        • Authenticated identity movements, which may help to identify callers
        • Legal measures
        • Network-based filtering
      • Enterprise voice SPAM filters:
        • Black lists/white lists
        • Approval systems
        • Audio content filtering
        • Turing tests
      Voice SPAM Countermeasures Social Attacks Voice SPAM
    • VoIP Phishing Introduction
      • Similar to email phishing, but with a phone number delivered though email or voice
      • When the victim dials the number, the recording requests entry of personal information
      Social Attacks Phishing
    • VoIP Phishing Countermeasures
      • Traditional email spam/phishing countermeasures come in to play here.
      • Educating users is a key
      Social Attacks Phishing
    • Final Thoughts
      • General network security is improving in some ways, but new threats are emerging
      • Network-based security and managed security services can be used to improve enterprise security
      • Don’t neglect internal security and key applications
      Final Thoughts