VoIP Security Best Practices Bogdan Materna CTO & VP Engineering VoIPshield Systems Session: U3-03   04/02/2009
    1. VoIP Security Best Practices. Bogdan Materna, CTO & VP Engineering, VoIPshield Systems. Session: U3-03, 04/02/2009
    2. VoIP Security Overview
       • Voice over IP (VoIP) inherits the same security threats as the IP data network, plus some new ones
       • Traditional IT security products are not equipped to address the new challenges associated with securing voice systems
    3. Current State of VoIP Security
       • Follows the history of data network security, but VoIP differs from traditional data security:
          • VoIP is a real-time, mission-critical service
          • Voice-specific malicious activities
          • VoIP presents new vectors of attack:
             • Applications (existing H/W and new S/W based vendors)
             • Devices (wireline and wireless)
             • Protocols (standard and proprietary)
       • Still in the early stages – a few known incidents, more unpublished cases
       • Research is a cornerstone of VoIP and UC security:
          • Vulnerabilities, threats, exploits
          • Signatures
          • Zero day
    4. Typical Enterprise PBX Deployment
       • One physical interface (1 Gbit/sec) supports both access and trunking traffic
       • In large installations an additional physical interface might be used to provide dedicated IP trunking
       [Diagram labels: Call Manager; Gateway; Soft Clients; Corporate Data Network; Hard Phones; IP Trunk; Switch; PSTN Trunk; Access and Trunk Traffic]
    5. VoIP based Call Center
       • Confidential information is collected, stored and transmitted through VoIP infrastructure
       • Complex call flows, infrastructure and outsourcing create potential for security breaches
       • Large call volumes
       [Diagram labels: PBX; Call Recorder; Confidential information usage, maintenance, collection; Confidential information transmission; ACD; Web Application Servers (HTML, VXML, E-mail, and Chat); CTI & Reporting Server; CRM; Customer; Internet; Voice Mail; IVR; Agents; Softphone]
    6. VoIP Vulnerabilities and Exploits
       • Software related (introduced by a VoIP vendor)
       • Configuration related (introduced by the user of VoIP)
       • Protocol related (inherent protocol issues – SIP, UNIStim, Skinny, H323)
       • Composite (combination of the above)
       • Device level (related to a particular device/application such as IP PBX)
       • System level (related to the VoIP infrastructure components and topology)
       • Unidirectional or duplex (related to flow of data and information)
    7. Device Level Vulnerabilities and Exploits
       • Hundreds of permutations and attack vectors
       [Diagram labels: PBX; Call Manager; Remote/Local (repeated five times); Security Layers; VoIP Protocol Layer; VoIP Application Layer (Call Manager, PBX, Voice Mail, gateway, softphone…); Signaling Protocols (Unistim, Skinny, SIP, …); Transport Protocols (RTP, UDP, …); VoIP Supporting Services Layer (DNS, DHCP, Web, Database, Authentication servers…); OS and Network Layer (Linux, Unix, Windows); Configuration Database]
    8. Converged Networks Security
       • Prevention
          • Compliance assessment
          • Vulnerability and Risk Assessment
          • Patching
       • Protection
          • Perimeter (Firewall, IPS, SPIT)
          • Internal (HIPS, NAC, Encryption)
       • Mitigation: security attack impact mitigation
       • Processes: modified to accommodate VoIP specific security requirements
       • People: education and awareness training
       [Diagram labels: Protection; Prevention; Mitigation; Converged Data, Voice and Video Network; Processes; People]
    9. Enterprise VoIP Security Infrastructure
       [Diagram labels: Corporate Firewall; VIPS/Anti-SPIT; IP PBX/Softswitch/Call Manager; PRI / BRI / Analog Lines; Enterprise VoIP Network; VoIP Phones; PCs/VoIP Soft Phones; VA/CM; VIPS/VNAC; Corporate SBC; Corporate VoIP Network; Corporate Data Network; Departmental IPS/NAC; Data; Calls; SIM; Internet; PSTN; VoIP Service Provider]
    10. VoIP Best Practices
    11. Best Practices – VoIP Risk Assessment
       • Pre-deployment or existing VoIP installations
       • Identify threats that could adversely affect critical operations and assets
       • Estimate the probability of such threats being exploited, based on historical information and the judgment of experts
       • Identify and rank the value, sensitivity, and criticality of the operations and assets that could be affected. Determine which operations and assets are the most important.
       • Estimate, for the most critical and sensitive assets and operations, the potential losses or damage
       • Identify the best actions to mitigate or reduce the risk. These actions can include implementing policies, procedures and technical or physical controls
       • Document the results and develop an action plan
    12. Best Practices – Risk Assessment Critical Success Factors
       • Obtain C level, IT, security and telecommunication department support
       • Involve VoIP equipment vendor(s)
       • Designate primes for various activities
       • Define procedures
       • Involve business and VoIP/UC technical experts
       • Keep the scope well defined and focused
       • Document and maintain results
    13. Best Practices – Pre-deployment
       • Execute Risk Assessment process
       • Create VoIP Security Architecture Design & Implementation Document
       • Make it an integral part of VoIP RFP process
       • Create a lab infrastructure corresponding to the production VoIP deployment
       • Run vulnerability assessment on the VoIP equipment
       • Install and test VoIP security applications identified in (1)
       • Run effectiveness assessment on the VoIP security apps
       • Put it all together and run false/positive realistic tests:
          • Blocking attacks
          • Blocking legitimate traffic
    14. Best Practices – Existing Installations
       • Execute Risk Assessment process
       • Create VoIP Security Architecture Design & Implementation Document
       • Provide business case for deploying VoIP security
       • Run vulnerability assessment on the production VoIP equipment. Fix the issues by patching, reconfiguration or network tuning
       • Create a lab infrastructure corresponding to the production VoIP deployment
       • In the lab install and test VoIP security applications identified in (2)
       • In the lab run effectiveness assessment on the VoIP security apps
       • In the lab put it all together and run false/positive realistic tests:
          • Blocking attacks
          • Blocking legitimate traffic
       • Run pilots/stage the security apps deployment in production
    15. Best Practices – Specific Recommendations
       • Be proactive:
          • Acquire VoIP VA tool or procure VoIP VA Services
          • Make sure VoIP is part of the regulatory compliance framework
       • Protect your infrastructure:
          • Use a Session Border Controller as an access point for SIP trunks
          • Deploy VoIP IPS with VoIP specific signature sets and detection engines
          • Deploy VIPS sensors in remote locations
          • Encryption/Authentication where it makes sense
          • Use VPN to carry traffic amongst the sites if it provides required QoS
          • Consider Data Leakage Protection on VoIP
          • For a large number of home office or travelling employees, consider deployment of VNAC functionality
          • If SPIT is a risk you identified, you should acquire an anti-SPIT appliance
    16. Best Practices – Specific Recommendations
       • 3. Manage PBX configuration:
          • Default passwords, barrier codes, access codes
          • Employees who are no longer with the company
          • Local administrators
          • Administrative access
          • User profiles
          • Adds/Moves
          • Toll fraud
    17. Best Practices – Operationalize VoIP Security
       • Write policies and procedures for how to manage, for example:
          • Passwords, barrier codes, access codes, etc.
          • Accounts owned by people who are no longer with the company: end-point PBX profiles, voice mail, remote access, admin access, etc.
          • Changes made by VoIP administrators
          • Admin passwords
          • Vulnerability assessment process
          • VoIP remote access policy
          • Usage of softclients on the laptops
          • Contractors' and business partners' access to VoIP infrastructure
    18. Best Practices – Operationalize VoIP Security
       • Integrate VoIP security infrastructure with the existing management tools and processes, for example:
          • Integration with SIM/SEM systems
          • Tracking changes in PBX configuration
          • User adds and moves
             • Patching process
          • Relationship with VoIP Service Provider(s)
          • Integration with email, IM and other UC applications
    19. Best Practices – Advice
       • Don’t think you are secure because:
          • You use only PSTN trunks
          • You implemented VLAN based separation of VoIP and data
          • You have a solid data security infrastructure
          • You encrypted all the traffic
          • Your VoIP equipment vendor told you so
    20. Thank You. [email_address] www.voipshield.com
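
The configuration items named on the "Manage PBX configuration" and "Operationalize VoIP Security" slides (default codes, accounts of people who have left, administrative and remote access) can be checked as a recurring audit. The sketch below is an added example, not part of the original presentation; the CSV export format, field names, roster and PIN list are constructed for illustration and do not correspond to any vendor's PBX.

```python
import csv
import io

# Constructed sample data: a hypothetical PBX account export and HR roster.
PBX_EXPORT = """extension,owner,role,voicemail_pin,remote_access
2001,alice,user,2001,no
2002,bob,admin,83619,yes
2003,carol,user,1234,no
2004,dave,admin,59274,yes
2005,erin,user,70315,no
"""
ACTIVE_EMPLOYEES = {"alice", "carol", "dave", "erin"}    # bob has left
COMMON_DEFAULT_PINS = {"0000", "1111", "1234", "12345"}  # assumed defaults


def audit_pbx_accounts(export_text, active, default_pins):
    """Return sorted (extension, finding) tuples for the account checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ext, pin = row["extension"], row["voicemail_pin"]
        # A PIN equal to the extension is as guessable as a factory default.
        if pin in default_pins or pin == ext:
            findings.append((ext, "default-or-guessable-pin"))
        # Accounts whose owner is no longer on the roster are orphaned;
        # orphaned admin or remote access is reported separately.
        if row["owner"] not in active:
            findings.append((ext, "owner-not-in-roster"))
            if row["role"] == "admin":
                findings.append((ext, "orphaned-admin-access"))
            if row["remote_access"] == "yes":
                findings.append((ext, "orphaned-remote-access"))
    return sorted(findings)


def admins_for_review(export_text):
    """List every administrative account so each can be confirmed by hand."""
    return [r["extension"] for r in csv.DictReader(io.StringIO(export_text))
            if r["role"] == "admin"]


if __name__ == "__main__":
    for ext, finding in audit_pbx_accounts(PBX_EXPORT, ACTIVE_EMPLOYEES,
                                           COMMON_DEFAULT_PINS):
        print(f"ext {ext}: {finding}")
    print("admin accounts to review:", admins_for_review(PBX_EXPORT))
```

Run against successive exports, the same findings list also gives a simple record of configuration changes to forward to a SIM/SEM system.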