Secure your VoIP network with open source




                        Suhas Desai

10/22/2009           Confidential © Tec...
Agenda




         •VoIP Overview

         •VoIP Security Threats & Business Impact

         •Possible mitigation consi...
VoIP Overview

      Introduction to VoIP

  VoIP is being rapidly embraced across most markets as an alternative to the
 ...
Agenda




         •VoIP Overview

         •VoIP Security Threats & Business Impact

         •Possible mitigation consi...
VoIP Security Threats & Business Impact

       VoIP Security Threats




          Business Impact

    Confidentiality, ...
Agenda




         •VoIP Overview

         •VoIP Security Threats & Business Impact

         •Possible mitigation consi...
Possible mitigation considerations


 [1] Deploy VoIP traffic monitors

 Monitor the connections for log activities and fr...
Agenda




         •VoIP Overview

         •VoIP Security Threats & Business Impact

         •Possible mitigation consi...
Commercial Security Tools

   Need to perform security assessment of VoIP network with below tools!

    Commercial Securi...
Agenda




         •VoIP Overview

         •VoIP Security Threats & Business Impact

         •Possible mitigation consi...
Open Source and VoIP

         Why Open Source?

[1] Source code available , Easy to customize , Code reuse and redistribu...
Contd…

         PBX Platforms                                              Security Testing Tools

  Asterisk,CallWeaver,...
Agenda




         •VoIP Overview

         •VoIP Security Threats & Business Impact

         •Possible mitigation consi...
Role of Open source to Secure VoIP

  Best Practices for Securing VoIP with Open Source tools

[1] Monitor VoIP traffic

C...
Contd…

 Open source products/tools provides options for :
   Secure configuration of servers
   Secure configuration of c...
Agenda




         •VoIP Overview

         •VoIP Security Threats & Business Impact

         •Possible mitigation consi...
Case Studies

                 Case Study 1- Security assessment with SiVuS tool


   SiVuS
       SiVuS is the vulnerabil...
Contd…



 3. Security Findings Report




                               Confidential © Tech Mahindra 2008   18
Contd…

             Case Study 2- Security assessment with SIP Bomber

   SIP Bomber:
       SIP Bomber is used to test S...
Summary




     •   Building VoIP network with open source is cost effective and reliable.

     •   VoIP network can be ...
References




      [A].Web

      [1]. http://www.voipsa.org

      [2]. http://www.voip-info.org



      [B]. Books

 ...
Thank You !!
Upcoming SlideShare
Loading in...5
×

Suhas Desai - Secure your VoIP network with open source - Interop Mumbai

2,270

Published on

The purpose of this session is to focus on Open Source tools for VoIP, VoIP/SIP attacks and countermeasures. VoIP deployment has brought with it many security concerns like Non-Repudiation, Authentication, Call Quality, Integrity and Privacy; motivating the need for security solutions. VoIP security is complicated by the requirement of multiple components which are deployed on the current data network.

Published in: Technology, Business
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
2,270
On Slideshare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
98
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Suhas Desai - Secure your VoIP network with open source - Interop Mumbai

  1. 1. Secure your VoIP network with open source Suhas Desai 10/22/2009 Confidential © Tech Mahindra 2008
  2. 2. Agenda •VoIP Overview •VoIP Security Threats & Business Impact •Possible mitigation considerations •Commercial Security Tools •Open source and VoIP •Role of Open source to secure VoIP •Case Studies Confidential © Tech Mahindra 2008 2
  3. 3. VoIP Overview Introduction to VoIP VoIP is being rapidly embraced across most markets as an alternative to the traditional PSTN. VoIP is a broad term, describing many different types of applications installed on a wide variety of platforms and using a wide variety of both proprietary and open protocols that depends heavily on preexisting data network’s infrastructure and services. The cost savings of VoIP compared to that of circuit switched networks is encouraging companies to move to VoIP. Issues and Concerns VoIP deployment has brought with it many security concerns like Non-Repudiation, Authentication, Call Quality and Integrity and Privacy; motivating the need for security solutions to deal with the many issues. In India, VoIP calls to PSTN are not allowed. For enterprise networks, VoIP are the effective solutions in India. Confidential © Tech Mahindra 2008 3
  4. 4. Agenda •VoIP Overview •VoIP Security Threats & Business Impact •Possible mitigation considerations •Commercial Security Tools •Open source and VoIP •Role of Open source to secure VoIP •Case Studies Confidential © Tech Mahindra 2008 4
  5. 5. VoIP Security Threats & Business Impact VoIP Security Threats Business Impact Confidentiality, Integrity and authentication Privacy Non-repudiation Social Threats QoS Confidential © Tech Mahindra 2008 5
  6. 6. Agenda •VoIP Overview •VoIP Security Threats & Business Impact •Possible mitigation considerations •Commercial Security Tools •Open source and VoIP •Role of Open source to secure VoIP •Case Studies Confidential © Tech Mahindra 2008 6
  7. 7. Possible mitigation considerations [1] Deploy VoIP traffic monitors Monitor the connections for log activities and fraud detection. [2] Employ encryption techniques Strong encryption techniques allow privacy and confidentiality over the network. [3] Use voice firewalls Control inbound and outbound connections by filtering the traffic. [4] Use adequate security infrastructure such as secure gateways, gatekeepers & proxy servers. [5] Use IPsec tunneling IPsec provides the secure communication over network by providing authentication and encryption [6] Conduct regular security audits Audit VoIP network regularly for security vulnerabilities . [7] Use VoIP platforms with adequate security features Prefer VoIP platform with built in security features for development and deployment of VoIP applications. Confidential © Tech Mahindra 2008 7
  8. 8. Agenda •VoIP Overview •VoIP Security Threats & Business Impact •Possible mitigation considerations •Commercial Security Tools •Open source and VoIP •Role of Open source to secure VoIP •Case Studies Confidential © Tech Mahindra 2008 8
  9. 9. Commercial Security Tools Need to perform security assessment of VoIP network with below tools! Commercial Security Testing Tools Confidential © Tech Mahindra 2008 9
  10. 10. Agenda •VoIP Overview •VoIP Security Threats & Business Impact •Possible mitigation considerations •Commercial Security Tools •Open source and VoIP •Role of Open source to secure VoIP •Case Studies Confidential © Tech Mahindra 2008 10
  11. 11. Open Source and VoIP Why Open Source? [1] Source code available , Easy to customize , Code reuse and redistribute. [2] Cost Savings. [3] Higher level of security. Open Source Tools SIP Proxies SIP Clients Mini-SIP-Proxy, MjServer, MySIPSwitch, Cockatoo,Ekiga,FreeSWITCH,JPhone,Kphone, NethidPro3.0.6, Net-SIP, JAIN-SIP Linphone, minisip,MjUA,OpenSIPStack,OpenZoep, Proxy,OpenSBC,OpenSER, PJSUA, QuteCom ex-Open Wengo, SFLphone, OpenSIPS,partysip,SaRP,sipd,SIPExpress Router, Shtoom,SipToSis,sipXezPhone,sipXphone,Twinkle, Siproxd,SIPVicious,sipX,Vocal,Yxa. YATE, YeaPhone. SIP Tools Callflow, Open Source Asterisk AMI, H.323 Clients pjsip-perf,miTester for SIP,PROTOS Test Suite, SFTF, SIP CallerID, SIPbomber, Sipp, Sipper, SIP FGnomeMeeting, ohphoneX,OpenPhone. Proxy,Sipsak,SIP Soft client, SIPVicious tool suite,SMAP,Vovida.org load balancer. H.323 Gatekeeper RTP Proxies GNU Gatekeeper AG Projects,Maxim Sobolev's RTPproxy,MediaProxy. Confidential © Tech Mahindra 2008 11
  12. 12. Contd… PBX Platforms Security Testing Tools Asterisk,CallWeaver,OpenPBX,PBX4Linux, VoIP Sniffing Tools SIPexchange PBX Pingtel's SIP PBX , AuthTool, Cain & Abel, Oreka , PSIPDump , rtpBreak , SIPomatic , SIPv6 Analyzer, UCSniff , VoiPong, sipwitch,sipX. VoIPong ISO Bootable , VOMIT , WIST. VoIP Scanning and Enumeration Tools: IVR Platforms enumIAX, iaxscan, iWar, SCTPScan, Bayonne,CT Server,OpenVXI,SEMS,sipX PBX, SIP Forum Test Framework (SFTF), SIP-Scan, VoiceXML. SIPcrack, Sipflanker , SIPSCAN , SiVuS, SMAP. VoiceMail Servers VoIP Packet Flooding Tools: IAXFlooder , INVITE Flooder, kphone-ddos , Lintad,OpenUMS,SEMS,VOCP. RTP Flooder , Scapy , SIPBomber, SIPsak, SIPp . VoIP Fuzzing Tools: Fax Servers Asteroid, PROTOS H.323 Fuzzer, PROTOS SIP Fuzzer Asterisk Fax Email Gateway, Lintad,Hylafax. VoIP Signaling Manipulation Tools: Development Platforms BYE Teardown, SipRogue, VoIPHopper H323plus,OpenBloX,Ooh323c,++Skype. Confidential © Tech Mahindra 2008 12
  13. 13. Agenda •VoIP Overview •VoIP Security Threats & Business Impact •Possible mitigation considerations •Commercial Security Tools •Open source and VoIP •Role of Open source to secure VoIP •Case Studies Confidential © Tech Mahindra 2008 13
  14. 14. Role of Open source to Secure VoIP Best Practices for Securing VoIP with Open Source tools [1] Monitor VoIP traffic Continuously monitor VoIP traffic to identify VoIP attacks. Use tools - SIP-Scan, SiVuS , SMAP etc. [2] Use encryption Apply encryption for end points communication. Use SRTP (Secure Real Time Protocol). [3] Use Firewalls Put VoIP network beyond open source firewalls. Use firewalls - iptables. [4] Conduct security audits Audit VoIP network regularly for security vulnerabilities and configuration flaws. Use - VoIP Security Audit Program (VSAP). [5] Secure gateways, gatekeepers. Control the number of concurrent connections for proper utilize bandwidth. [6] Secure proxy servers Authenticate authorized access control. Use Asterisk. [7] Use IPsec tunneling Ipsec provides secure communication over the public networks. [8] Secure VoIP platforms Prefer VoIP platform with built in security features for development and deployment of VoIP applications Confidential © Tech Mahindra 2008 14
  15. 15. Contd… Open source products/tools provides options for : Secure configuration of servers Secure configuration of clients Securing gateways Securing Firewalls VOIP/SIP Security Assessment with Open Source before deployment :
  16. 16. Agenda •VoIP Overview •VoIP Security Threats & Business Impact •Possible mitigation considerations •Commercial Security Tools •Open source and VoIP •Role of Open source to secure VoIP •Case Studies Confidential © Tech Mahindra 2008 16
  17. 17. Case Studies Case Study 1- Security assessment with SiVuS tool SiVuS SiVuS is the vulnerability scanner for VoIP networks that use the SIP protocol. The scanner provides several powerful features to verify the robustness and secure implementation of a SIP component. SiVuS is used to verify the robustness and security of their SIP implementations by generating the attacks that are included in the SiVuS database or by crafting their own SIP messages using the SIP Message generator. 1. SIP Component Discovery 2. Message Generator Confidential © Tech Mahindra 2008 17
  18. 18. Contd… 3. Security Findings Report Confidential © Tech Mahindra 2008 18
  19. 19. Contd… Case Study 2- Security assessment with SIP Bomber SIP Bomber: SIP Bomber is used to test SIP-protocol implementation. SIPBomber is complied on Linux machines with asterisk server for testing of SIP server implementation. 1. Message Generator 2. Password Validation Confidential © Tech Mahindra 2008 19
  20. 20. Summary • Building VoIP network with open source is cost effective and reliable. • VoIP network can be secured with open source tools, its configurations and settings. • SiVuS and SIP Bomber tools can be used to assess your VoIP security. Confidential © Tech Mahindra 2008 20
  21. 21. References [A].Web [1]. http://www.voipsa.org [2]. http://www.voip-info.org [B]. Books 1. Patrick Park;”Voice over IP Security” ; Ciscopress. 2. Thomas Porter, Jan Kanclirz Jr;”Practical VoIP Security”; Syngress Publishing, Inc. 3. James Ransome and John Rittinghouse;”Voice over Internet Protocol Security”; Elsevier 4. Alan B. Johnston, David M. Piscitello;”Understanding Voice over IP Security”;Artech House Confidential © Tech Mahindra 2008 21
  22. 22. Thank You !!
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×