• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues Document Transcript

    • Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues v Noriyuki Fukuyama v Shingo Fujimoto v Masahiko Takenaka (Manuscript received September 26, 2003) IP telephony services using VoIP (Voice over Internet Protocol) technologies have rap- idly spread over the last several years. However, interoperation of an IP-PBX (Private Branch eXchange) service and a consumer IP telephony service has not yet been achieved. This is because typical intranets are protected by firewalls and IP telephony protocols are not firewall-friendly—because, among other reasons, they use UDP (User Datagram Protocol)-based protocols. In this paper, we explain the technologies of the VoIP Secure Gateway, which makes IP telephony protocols firewall-friendly and en- ables an enterprise IP-PBX service to interoperate with a consumer IP telephony ser- vice through a firewall. Also, we look at other security problems that need to be solved in order to expand IP telephony services in the future. 1. Introduction they use UDP (User Datagram Protocol)-based IP telephony services using VoIP (Voice over protocols. Consequently, interoperation services Internet Protocol) technologies have rapidly are achieved by using legacy telephone lines. spread over the last several years. Many IP tele- In this paper, we describe the technologies phony services have recently been started: for of the VoIP Secure Gateway, which makes IP tele- example, consumer IP telephony services provid- phony protocols firewall-friendly and enables an ed by legacy telephone carriers, IP-PBX (Private enterprise IP-PBX service to interoperate with a Branch eXchange) services provided by enterpris- consumer IP telephony service through a firewall. es, and IP telephony outsourcing services for Also, we look at other security problems that need enterprises (IP Centrex services) provided by ISPs to be solved to expand IP telephony services in (Internet Service Providers)/carriers. the future. In the case of IP-Centrex services, ISPs/car- riers provide not only IP-Centrex services but also 2. Problems associated with consumer IP telephony services, so ISPs/carriers interconnections between IP can provide secure interoperation between an telephony services enterprise IP phone and a consumer IP phone. IP telephony services use IP networks as However, apart from IP-Centrex services, IP-PBX their infrastructure. Therefore, interoperation of services cannot interoperate with consumer IP IP networks is required for interoperation of IP telephony services. telephony services. Since an IP network is “open,” This is because typical intranets are protect- it increases the risk of illegal accesses. In this ed by firewalls and IP telephony protocols are not section, we explain the security risks when an IP- firewall-friendly—because, among other reasons, PBX service interoperates with a consumer IP 182 FUJITSU Sci. Tech. J., 39,2,p.182-188(December 2003)
    • N. Fukuyama et al.: Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues telephony service through a firewall and the prob- 1) Rejects incoming calls Firewall rejects calling of intranet lems with previous methods. Other servers (Mail/Web) phones VoIP server Internet 2.1 Interconnections between the Internet and an intranet through a firewall for Home Access to network data traffic confidential information 2) Drop any Firewall prevents users Generally, when an enterprise connects its UDP packets from performing media Intranet network intranet to the Internet, administrators install a communication firewall to filter out unwelcome packets and there- by protect the intranet against illegal accesses Figure 1 Incompatibility with typical firewall configurations. from the Internet. From the users viewpoint, the firewall should prevent illegal accesses from the Internet while at firewall rule that permits Internet-to-intranet the same time enable the system it protects to TCP connections. On the other hand, if the IP provide e-mail and Web services. Therefore, the telephony protocol uses UDP for its call signaling firewall is set to permit passage of packets from protocol, the same problems as the ones that af- the intranet to the Internet (outgoing packets) and, fect the voice media protocol will occur (Figure 1). with one exception, reject all packets coming from Because an IP telephony service provides the Internet (incoming packets). This one excep- real-time communication, it is suitable for trans- tion is TCP (Transmission Control Protocol) packets ferring voice media packets using UDP rather of the SMTP (Simple Mail Transportation Proto- than TCP. For communication between a termi- col), which is the protocol for e-mail services. nal on the Internet and an intranet terminal Therefore, users can establish intranet-to-Internet through a firewall, the firewall must permit the TCP connections over the firewall, but apart from passage of UDP packets. As described in Refer- SMTP TCP connections, Internet-to-intranet TCP ence 1), UDP packets do not have handshake connections are not possible. mechanisms or sequence numbers, so it is much However, in order to prevent direct illegal ac- easier to make fake UDP packets than fake TCP cess from the Internet, the firewall only permits packets. Therefore, fields such as the source Internet-to-intranet SMTP TCP connections via address field of UDP packets must be carefully the mail gateway in the DMZ (De-Militarized checked. This is why conservative administrators Zone). reject UDP packets at the firewall. The coupling of IP telephony protocols is an- 2.2 Incompatibility between firewalls and other problem. Typical IP telephony systems use IP telephony protocol different protocols for call signaling (SIP or H.323) Unlike HTTP (Hypertext Transfer Protocol) and media communication using RTP (Real-time for Web browsing and FTP (File Transfer Proto- Transport Protocol). Since RTP packets must be col), an IP telephony service that only enables routed by destination IP address and port num- outgoing calls is not useful. To receive incoming ber for each call, the IP telephony system needs calls, a firewall is needed to pass an IP telephony to use a wide range of port numbers. However, protocol such as SIP (Session Initiation Protocol) typical intranet security policies do not allow such or H.323 from the Internet. If the IP telephony a wide range of port numbers to be opened on the protocol uses TCP for its call signaling protocol, it firewall. is similar to SMTP. However, many firewall administrators think it is undesirable to add a FUJITSU Sci. Tech. J., 39,2,(December 2003) 183
    • N. Fukuyama et al.: Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues Adds pinholes for voice Set to pass ALG is not HTTP proxy protected by media when calling. call signaling Deletes when terminated. protocol. Signaling the firewall. Web server protocol Passes voice Home network media protocol. Data Firewall for data Internet Voice VoIP server Internet VoIP server Intranet network Firewall Voice media Attacker(s) protocol Application level Intranet network gateway (ALG) for VoIP Spoofed signaling protocol IP addresses are can pass directly through Home network Potential risk of attack disclosed. the firewall. when the ALG is hijacked Attacker(s) Figure 2 Figure 3 Making pinholes in a firewall. Application level gateway (ALG). 2.3 Existing strategies and their problems rate from the firewall. The ALG acts as an inter- There are several strategies for interconnect- mediary for IP telephone calls between the ing IP telephony services through a firewall. We Internet and the intranet (Figure 3). will now explain two major strategies and their Because the ALG is not protected by the fire- problems. wall, this method can be attacked if the ALG becomes hijacked. 2.3.1 Making pinholes in a firewall The method of making pinholes is shown in 3. VoIP Secure Gateway Figure 2 and consists of the following steps: In the previous section, we described the 1) Instruct the firewall to pass the IP telepho- problems of interoperability of IP-PBX services ny call signaling protocol, and consumer IP telephony services. These prob- 2) use the signaling protocol to exchange session lems come from the fact that IP telephony information that includes communication protocols are not firewall-friendly. parameters, IP addresses, and port numbers. We developed the VoIP Secure Gateway (This strategy captures the session informa- (VoIP-SGW) to make IP telephony protocols friend- tion and uses it to add or delete firewall rules.) ly for common firewall configurations. Because 3) pass the voice media protocol through the our system only requires the minimal addition of rule while the call is being established, and the rule that is typically used for TCP-based ap- 4) delete the permission rule (close the pinhole) plications, security will not be weakened. to pass the voice media protocol when the call In this section, we describe the VoIP-SGW is terminated. technologies shown in Figure 4. However, this strategy has several weakness- es that can be used to attack servers and terminals. 3.1 Connection control technology For example, SIP and H.323 based IP telephony services 1) A spoofed signaling protocol can pass direct- use UDP packets and incoming TCP connections, ly through the firewall, and but most enterprise firewalls do not allow them 2) the IP addresses of IP-PBXs and IP telephone to pass through. Therefore, it is impossible to terminals are disclosed. interoperate over firewalls using these protocols. Our approach to this problem is to convert these 2.3.2 Application level gateway (ALG) transports into outgoing TCP connections, which In this strategy, the IP telephony system has are usually accepted by firewalls when they are an application level gateway (ALG) that is sepa- used in major Internet applications such as HTTP 184 FUJITSU Sci. Tech. J., 39,2,(December 2003)
    • N. Fukuyama et al.: Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues Meta IP telephony protocol Connection Control securely interoperates GWs that establishes TCP terminate incoming IP telephony from Intranet protocols Relay IP-PBX server gateway Firewall Termination DMZ (GW1) gateway firewall (GW2) Home network Internet IP telephony protocol Meta IP telephony protocol in the intranet IP telephony protocol in the Internet Connection control Intranet network DMZ Consumer IP telephone VoIP Secure Gateway service provider Figure 4 VoIP Secure Gateway (VoIP-SGW). and FTP. We call this approach “Connection prevent direct passage of IP telephony protocol Control.” messages to the intranet hosts. GW2 examines The VoIP-SGW consists of a relay gateway incoming IP telephony messages and reconstructs (GW1) located in the intranet and a termination them as Meta IP telephony protocol messages. gateway (GW2) located in the DMZ. The main These messages are sent to the relay gateway, idea of Connection Control is to make TCP con- GW1. Then, GW1 communicates with the appro- nections from GW1 to GW2 (intranet-to-DMZ). priate intranet IP telephone using the internal IP Usually, TCP transports cause critical transmis- telephony protocol. During this process, unsup- sion delays in real-time applications. However, ported options and illegal protocol messages are under a well-managed LAN network environment, filtered out. which rarely loses packets, TCP connections can GW2 also examines incoming media commu- provide good transmission. There are several nication messages and filters them before implementation approaches, but it is important forwarding them to GW1. The Meta IP telephony to simplify the filtering rules for VoIP service on protocol is designed to be transferred over a TCP the firewall to protect the intranet from illegal connection. The TCP connection for the Meta IP accesses. In our implementation, the VoIP-SGW telephony protocol is established from GW1 uses two TCP connections: one for the call signal- (located in the intranet) to GW2 (located in the ing protocol and another for the voice media DMZ). This TCP connection is usually accepted protocol. In this case, the firewall will have a fil- in typical firewall security policies. tering rule to allow TCP connections from GW1 These features enable VoIP communication to GW2 using two specific ports. over a firewall without compromising security. 3.2 Meta IP telephony protocol 3.3 Features of the VoIP Secure Gateway To prevent Internet-to-intranet passage of IP The VoIP-SGW has two unique characteris- packets, GW2 terminates incoming calls, exam- tics: 1) the administrators do not need to configure ines them carefully, and then converts them to the the firewall to pass packets from the Internet to IP telephony protocol of the intranet. We call this the intranet for VoIP communication, and 2) it only internal IP telephony protocol the Meta IP tele- accepts incoming calls on gateway servers locat- phony protocol. ed in the DMZ network. If a gateway has been IP telephony protocols are terminated to attacked and hijacked, the firewall can still guard FUJITSU Sci. Tech. J., 39,2,(December 2003) 185
    • N. Fukuyama et al.: Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues the intranet and limit access from the gateway use open IP networks as their communication server. infrastructure, an IP telephony system does not Moreover, the VoIP-SGW system terminates achieve the security level achieved by legacy PSTN incoming protocol messages and converts them to telephone systems (Figure 5). We therefore sug- Meta IP telephony protocol messages. GW1 can gest that IP telephony services reinforce their convert the Meta IP telephony protocol into any security in terms of availability, authentication, and major VoIP protocol for the IP-PBX system, for ex- confidentiality. ample, SIP and H.323. Therefore, this method can be used when the IP telephony protocol used in the 4.1 Availability on IP telephony intranet is different from that used in the Inter- Because IP networks are “open,” they do not net, or the IP version in the intranet is different provide the required level of security that dedi- from that in the Internet (e.g., IPv6 vs. IPv4). cated PSTN-based networks provide. VoIP-SGW improves the availability of an IP telephony sys- 4. Other VoIP security issues tem; however, it cannot solve some of the security We have explained how VoIP-SGW protects problems that affect IP telephony services. an IP telephony system against illegal accesses Attacks such as DoS (Denial of Service) from the Internet through a firewall. In this sec- attacks and network congestions caused by tion, we describe the security problems related to computer viruses and worms are serious problems an IP telephony service. because telephone services are lifeline services. According to Reference 2), when evaluating Especially, ensuring the priority of emergency the security of an IP telephony service, we should phone calls is a problem that should be solved consider six aspects (availability, authentication, immediately.3) confidentiality, integrity, non-repudiation, and Most of these problems are common to access control) (Table 1). IP-based systems, and we can solve them by Legacy PSTN (Public Switched Telephone integrating standard IP security technologies and Network) telephone systems achieve high securi- IP telephony technologies. ty levels regarding these aspects because they use single-purpose, physically secured communication 4.2 Authentication for IP telephony lines provided by a trusted telephone office. services On the other hand, since IP telephony systems In general, IPsec (IP security) protocol, TLS Table 1 Security functions in IP telephony. Certificate Client Security services Security functions in IP telephony authority VoIP (SIP) authentication Cheat the user Packet snooping to server Fake VoIP using server Availability Countermeasures against interruption of steal call setup server privileges network access and DoS attacks information p Ca e tu ll s (including VoIP-SGW) Attack with ll s ign Ca ali packet flood Mutual Ca ng ll s Authentication Terminal, VoIP servers, and message authentication etu authentication. & encryption Internet p Confidentiality Privacy functions for communication data, Attacker’s protocol parameters, correspondents, Media communication IP-phone and calling activities. Server IP-phone IP-phones authentication Integrity Countermeasures against session hijacks and replay attacks Mutual authentication Snooping on phone & encryption conversations Non-repudiation Session logs to be charged for Access control Permission to make calls and use additional Figure 5 services Other security issues for IP telephony services. 186 FUJITSU Sci. Tech. J., 39,2,(December 2003)
    • N. Fukuyama et al.: Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues (Transport Layer Security), and S/MIME (Secure/ telephony services into four levels. The lowest Multipurpose Internet Mail Extensions) are con- level of confidentiality hides the conversation sidered to be powerful tools that add security context and is achieved by encrypting the media features such as authentication and encryption. communication. The second level hides protocol However, it is not commonly known that system parameters that may give hints for further attacks, security depends on how these tools are used. for example, the IP addresses, port numbers, In legacy PSTNs, each phone line is given its CODEC (COder/DECoder) names, and data own phone number (ID), so phone numbers are formats used in a call. This confidentiality level is matched to the physical location of the telephone achieved by encrypting call signaling protocol set connected to the line. Additionally, the lines messages. are physically secured against illegal accesses and Encryption technologies make it difficult to the telephone numbers are centrally controlled at obtain original data contents, but the third level the telephone office. goes one step further by hiding the src/dst pair of On the other hand, the IP telephony system VoIP traffic. This level of confidentiality can be assigns an IP address to each IP phone user achieved by multiplexing media communication instead of a phone number. Since attackers can packets from several users, sending them to an easily spoof an IP address, an IP telephony intermediate server, and then switching them. service requires peer-to-peer authentication. The highest level of confidentiality hides the call- However, it is difficult to share the secret ing activities themselves. This can be achieved information used for authentication between by additionally transmitting fake packets so an end-users. Therefore, an integrated authentica- unauthorized receiver cannot easily detect call- tion system, for example, PKI (Public Key ing activity. However, this method requires a lot Infrastructure), could be used for peer-to-peer of extra bandwidth and computation power and authentication and encryption for secure IP is therefore not normally acceptable. telephony services. We will research and develop technologies to For example, in Japan, there is a kind of na- solve these problems by considering the balance tionwide integrated authentication system called between requirements and cost. Also, we will keep the “JuKi-Net, Basic Resident Registration Data- up with the relevant standardization activities to base.” However, various privacy problems must guarantee interoperability. be solved before this database can be used for com- mercial systems. 5. Conclusion Currently, many people regard interoperabil- In this paper, we explained the technologies ity as the most important problem of IP telephony of our VoIP Secure Gateway. The VoIP-SGW services; however, we believe that security is even solves the incompatibility problem between typi- more important. Especially, mobile IP phones and cal enterprise firewalls and IP telephony protocols software IP phones cannot work safely without se- and enables an IP-PBX service to interoperate curity enhancements, and one-stop authentication with other IP telephony services on the Internet. will be required when IP telephony services are To make practical use of these technologies, the used with other IP services such as Web services. consumer IP telephony service providers and enterprises that use IP-PBXs should agree on 4.3 Confidentiality on IP telephony the parameters that are to be exchanged, for services example, the parameters for mutual authentica- Another major security problem is confiden- tion, accounting, caller/callee information, and tiality. We categorize confidentiality on IP bandwidth. FUJITSU Sci. Tech. J., 39,2,(December 2003) 187
    • N. Fukuyama et al.: Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues We also described the general security prob- 6. References lems related to interoperation between IP 1) W. R. Cheswick and S. M. Bellovin: Firewalls telephony services. These problems are related and Internet Security. AT&T Bell Laborato- to the service availability, authentication infra- ries, 1994. structure, and privacy functions and are not only 2) W. Stallings: Cryptography and Network technological problems but also political ones. Security: Principles and Practice. Second Since telephone services are lifeline services, it Edition, Prentice-Hall, 1999. will be necessary for the Government to institute 3) T. Kikuchi, M. Noro, H. Sunahara, and Shinji guidelines and new laws concerning IP telephony Shimojo: Lifeline Support of the Internet. in services. Proceedings of SAINT2003 workshops, p.323- 327, January 2003. Noriyuki Fukuyama received the B.E. Masahiko Takenaka received the B.E. and M.E. degrees in Communication and M.E. degrees in Electronic Engi- Engineering from Osaka University, neering from Osaka University, Osaka, Osaka, Japan in 1986 and 1988, Japan in 1990 and 1992, respectively. respectively. He joined Fujitsu Ltd., He joined Fujitsu Laboratories Ltd., Kawasaki, Japan in 1988, where he has Kawasaki, Japan in 1992, where he has been engaged in research and develop- been engaged in research and devel- ment of communication systems. He is opment of cryptography and information a member of the Institute of Electronics, security systems. He is a member of Information and Communication Engi- the Institute of Electronics, Information neers (IEICE) of Japan. He is currently and Communication Engineers (IEICE) working at Fujitsu Laboratories Ltd., Kawasaki, Japan. of Japan. He is currently working at Fujitsu Laboratories Ltd., Akashi, Japan. E-mail: noriyuki@jp.fujitsu.com E-mail: ma@jp.fujitsu.com Shingo Fujimoto received the B.E. and M.E. degrees in Computer Science from the University of Electro-Communications, Tokyo, Japan in 1992 and 1994, respec- tively. He joined Fujitsu Laboratories Ltd., Akashi, Japan in 1994. In 1996, he worked at Fujitsu Laboratories of America, where he helped standardize the protocol specifications for Internet applications at the Internet Engineering Task Force (IETF). He returned to Akashi in 2000. He is currently engaged in research and devel- opment of security enhancing technologies for Internet applica- tions. E-mail: shingo_fujimoto@jp.fujitsu.com 188 FUJITSU Sci. Tech. J., 39,2,(December 2003)