A Proactive Approach to VoIP Security


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

A Proactive Approach to VoIP Security

  1. 1. A Proactive Approach to VoIP Security Understanding VoIP security requirements, threats and architectures A corporate whitepaper by Bogdan Materna Chief Technical Officer and VP Engineering www.voipshield.com
  2. 2. Introduction real-time nature of services, a wide range of The emergence of Voice-Over-IP (VoIP) infrastructure devices, protocols and technology is creating a major discontinuity applications, and interaction with the existing in telecommunications. The promise of phone networks. These characteristics reduced hardware and operations costs require different techniques and coupled with new value-added services methodologies that will support PSTN-level makes VoIP, as well as Internet Protocol security and reliability. (IP) TV, videoconferencing, IP Multimedia Subsystem (IMS) and presence services, a compelling solution for enterprises and service providers. Current voice services which are delivered using Public Switched Telephone Networks (PSTN) provide high voice quality, very high reliability (99.999 per cent), carry critical services such as E911, enable federal agencies with ability for lawful intercept, all while offering an extremely high level of security. For VoIP networks to become a reality, both enterprises and service providers must be able to ensure that voice networks are able to deliver the identical quality, reliability, flexibility and Fig 1: VoIP is a complex service security to that of PSTN. For example, in the data security realm, With enterprises, carriers and cable common attacks, such as Denial of Service companies publicly committing to VoIP (DoS), often result in email or computer deployments, security has quickly emerged networks being unusable for several hours. as one of the biggest barriers to the To meet the high reliability requirements of successful deployment of VoIP. To securely VoIP networks, which are approaching implement VoIP networks a proactive 99.999 per cent or a total of less than five approach and an understanding of the minutes of downtime per year, any type of differences between VoIP and traditional attack would have to be stopped in a matter data networks is required. This document of seconds. With such high reliability examines these differences, new types of requirements, VoIP networks must have a attacks, and provides a comprehensive security approach which enables an security architecture for VoIP networks in automated, real-time response. Any attack the context of practical VoIP security must be addressed before there can be any problems. service disruption. VoIP Security Requires a Different The high sensitivity of VoIP to QoS Approach parameters such as packet delay, packet loss, and packet jitter makes most currently VoIP is not just another application running available data security solutions inadequate. on the top of the IP infrastructure. VoIP is a Existing firewalls cannot efficiently handle complex service. Similar to existing PSTN new VoIP protocols such as Session and Private Branch Exchange (PBX) Initiation Protocol (SIP) and a wide range of offerings, VoIP has its own business models vendor proprietary protocols since they relay and features which are offered to the end- on dynamic port ranges and do not support user. Over the years, service providers and Network Address Translation (NAT) very PBX vendors have established their well. A new generation of the firewalls called respective brands as being synonymous Session Border Controllers (SBC) is with high levels of reliability, quality and addressing most of these problems. security and must preserve these attributes in their VoIP offerings. Most of the firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention VoIP characteristics include: high sensitivity Systems (IPS) and similar security devices to Quality of Service (QoS) parameters, the rely on deep packet inspection techniques. A Proactive Approach to VoIP Security 2 2
  3. 3. A Proactive Approach to VoIP Security 3
  4. 4. These techniques introduce delay and jitter voice mail, SIP servers, call centers and to the VoIP packet streams thus impacting soft-switches are running on the top of this overall QoS. In VoIP world, maximum infrastructure. In turn, these applications are packet delay is set to 150 ms (in some part of VoIP service offerings with cases higher) but the multi-layer nature of appropriate billing mechanisms, large security infrastructure could add significant number of features and binding Service delays and jitter that would make the VoIP Level Agreements (SLA). services unusable. There is also the issue of balance between encryption and QoS. Existing encryption engines will introduce additional jitter and delay that would be cumulative due to hop- by-hop encryption schemas foreseen to be used by VoIP calls. As PSTN and VoIP networks coexist media gateways that provide internetworking between carrier’s IP network and TDM based PSTN networks will be required. This could enable cross- network security attacks which impact existing PSTN networks. VoIP is a real-time service. All communications are happening in real-time Fig 2: Layers of VoIP network and no information is stored anywhere on the network. As result, any loss of Since VoIP security attributes and information cannot be recovered or characteristics are different than those of retransmitted. This makes VoIP services existing data networks there are also very susceptible to worms and DoS attacks different types and categories of security that could very easily disrupt voice attacks specific to VoIP networks. VoIP communication. security threats can be categorized in many ways and fall into four main categories: Finally, the complex nature of VoIP attacks that aim at disrupting or VoIP service infrastructure demands a different approach availability, malicious activities the goal of to security. A VoIP network consists of a which is to compromise integrity of services, wide range of components and applications Spam over IP Telephony (SPIT) and such as telephone handsets, conferencing eavesdropping. units, mobile units, call processors/call managers, gateways, routers, firewalls and Service Availability specialized protocols. As a result, a system- Service availability attacks are currently level approach where security is built into all viewed as the most significant VoIP security the infrastructure layers and coordinated via threats to VoIP networks. This type of a centralized control center is required. attack has the potential to quickly impact customers, resulting in lost revenues, VoIP Security Threats system downtime, lost productivity and unplanned maintenance costs. Furthermore, For VoIP infrastructure and services to such attacks are a major concern for service function properly appropriate hardware, providers providing public services such E- operating systems, supporting services such 911, as even the smallest disruption could as Domain Name System (DNS), Dynamic have significant or even catastrophic Host Configuration Protocol (DHCP) and consequences. Authentication, Authorization and Accounting (AAA), IP and VoIP specific VoIP availability is the most important protocols such as SIP, H.323, Real-Time component of any commercial VoIP offering. Transport Protocol (RTP) and Transmission If the availability of VoIP services is Control Protocol (TCP)/User Datagram impacted, service providers and enterprise Protocol (UDP) are required. A number of revenues could be affected. The very high VoIP applications such as call managers, QoS levels required by any voice service,
  5. 5. amplifies the threat of attacks such as DoS, viruses and worms. A generic worm attack can very quickly cripple a VoIP network, Examples of VoIP Security long before the data network is impacted, Vulnerabilities since it has a much higher sensitivity to Services QoS. What may cause a data network to • Voicemail exploits slow down temporarily has the potential to rapidly knock out voice networks. • Dialing plan security (calls to 1-900 or other numbers) DoS, virus and worm-based threats will also • Transferring to ‘9011’ extension for use VoIP specific protocols and VoIP application vulnerabilities. These directed long distance exploits threats will be much more difficult to detect and stop in VoIP networks since the existing Applications security devices do not have specific • Buffer overflows knowledge of these threats and • Format-string exploits vulnerabilities. Attacks will target critical • Scripts VoIP applications such as end-user phones • Password cracking and soft-clients, call managers, authentication servers and billing • Overload (DoS, DDoS) applications. VoIP Protocols Other common scenarios which impact • Session tear-down service availability is the flooding of VoIP • Impersonation components with signaling protocol packets causing exhaustion of resources or DoS • Session hijacking attacks that exploits loop and spiral • SIP-SS7 boundary messages implementation on a call manager. Open tampering source call manager software provides easy • Malformed messages access to potential attackers, enabling them • Loops and spirals to create peer-to-peer attacks on • Overload (DoS, DDoS) commercial soft switches and PBXs. For example, attackers could have two or more VoIP Supporting Services call managers continually forward a single request message back and forth to each • DNS other until resources on the targeted call • SNMP manager/softswitch are exhausted. This • LDAP method of attack can quickly affect a large • Web servers number of phones leaving them unable to • VPN initiate or receive calls. • Email A final area of concern is that in the near- • SQL Database term VoIP and PSTN networks will co-exist. To facilitate internetworking between PSTN VoIP OS and Networking and VoIP networks, media gateways are • Buffer overflows required. Since placing of the calls from • Format-string exploits VoIP network via PSTN requires interaction between VoIP signaling protocols and PSTN • Scripts SS7 infrastructure new vectors of attack are • Password cracking being introduced. Attackers now have new • Overload (DoS, DDoS) opportunities for attacks on PSTN through • ARP cache poisoning the VoIP network and the media gateway. • WEP Examples of these attacks include Destination Unavailable (DUNA) or Signaling Congestion (SCON) attacks.
  6. 6. Service Integrity SPIT Service integrity threats are focused on Spam has become a major concern in the compromising VoIP services through toll data security world as millions of unwanted fraud, identity theft and other fraudulent messages are sent around the world each acts. Service integrity threats have the day. It is expected that SPIT will fill up potential to impact service providers through users’ voicemail boxes just like email spam lost revenue and damage to their reputation, does today. while government organizations and enterprises may be impacted by the leakage SPIT presents another potentially critical of sensitive or proprietary information. threat to VoIP services and to existing PSTN Individual consumers may also be impacted users. While there are advanced solutions as scams are developed which victimize that address e-mail spam such as blacklists them through identity and service theft. and quarantines, combating SPIT is much more difficult due to the real-time nature of As new, converged services such as IP TV voice services. Also, the impact of having to are being deployed, content theft has the deal with many unsolicited phone calls potential to become a major problem for during the day and night may have a chilling service providers. In this scenario, a hacker impact on the deployment of VoIP services. could record the content of the broadcast and then sell it illegally. Another possible For example, a telemarketer interested in scenario is broadcast hijacking where a sending out an unsolicited advertisement potential attacker intercepts an IP TV could easily collect phone numbers for VoIP broadcast and re-broadcasts it to services. Any of these phones could be unsuspecting users. targeted. Then, the telemarketer would create an audio ad and send it to all VoIP VoIP services are offered with many users at the same time. features such call ID, call forwarding, voice mail and three-way calling which could be Eavesdropping used for toll fraud, identity theft and spam. Eavesdropping on signaling and media For example, a false identity in the form of a paths enables attackers to obtain sensitive false caller ID, voice mail or phone number business or personal information. Once the could be easily implemented by relatively information is collected and translated, unsophisticated hackers. various man-in-the-middle attacks altering the content of the conversation could be More sophisticated attackers could use launched. Examples of these attacks are interception/modification attacks that include insertion and disruption, masquerading, conversation alternation, impersonation and registration hijacking, impersonation and hijacking. Conversation alternation, replay. impersonation and hijacking includes various modifications of any voice, video, A simple example of the eavesdropping text and/or imaging data. First, attackers threat could be the collection of VoIP would collect and translate VoIP information. information included in packets and then the Then, the content of the conversation would translation of this information into plain be altered in real-time in order to deliver speech. In this scenario, calls related to false and misleading information to a third national security or financial information, party. Finally, VoIP conversations would be could be intercepted and provide third hijacked and the caller would be misled into parties with confidential information. In more communicating with the attacker, sophisticated scenarios, valid VoIP calls to a masquerading as a party to this call. financial institution could be intercepted and A hacker could also commit toll fraud via a then re-directed to a bogus bank VoIP phone that is registered using a stolen representative. or guessed user account and password. Once this is accomplished, the hacker can place phone calls at the victim's expense.
  7. 7. A Proactive Security Architecture for Protection VoIP Within the VoIP network, various security With new challenges and types of attacks, architectures and solutions should be VoIP clearly requires a more sophisticated deployed to protect VoIP services from approach to security than those currently security threats during their life cycle. Any used to secure data networks. Solutions security architectures and solutions based on network-based devices and deployed must be “VoIP aware” so they do signature-based applications simply are not not impact VoIP service quality and going to address the real-time nature and reliability. It is recommended to deploy a complexity of VoIP networks. A system- multi-layer security infrastructure that based approach that combines network and provides both perimeter as well as internal host-based security devices and network protection. In most cases, it will applications with sophisticated, systems- consists of a number of security devices and level threat mitigation systems will be host based applications to protect VoIP required to efficiently protect the entire VoIP networks such as SBCs, VoIP Network infrastructure. Intrusion Prevention Systems (NIPS), VoIP DoS defenses, VoIP Network Intrusion In building a systems-level approach to VoIP Detection Systems (IDS), Host IPSs, security, a unified VoIP specific security Authenication, Authorization and Accounting infrastructure architecture consists of three (AAA) servers, encryption engines and VoIP functional components: prevention, anti-virus software. All the devices and protection and mitigation. applications have to be coordinated via a Prevention higher level application providing unified Prevention enables organizations to view of the end-to-end VoIP infrastructure. proactively identify and fix VoIP-specific vulnerabilities before they impact end-users. A commonly used approach from the data security world, vulnerability assessment (VA) is particularly effective as a proactive strategy. By performing a VoIP VA in the lab, before any VoIP equipment and applications are deployed, organizations are able to verify vendor claims and identify security flaws early in the deployment cycle. Executing a VoIP VA of all components prior to the commissioning of the VoIP infrastructure is recommended. This process enables the identification of security vulnerabilities not revealed during earlier Fig 3: Security Architecture for VoIP testing. Once VoIP is deployed, periodic or, where required, continuous vulnerability Mitigation assessments should become cornerstone of It is already widely accepted that no matter an overall proactive VoIP security strategy. how good the prevention and/or protection in Once security vulnerabilities are identified place may be, sooner or later an attacker or they should be addressed by appropriate worm will successfully penetrate all the actions such as patching, re-configuration defenses and wreak havoc on VoIP and network tuning. These actions should infrastructure. To date, there have not been be clearly defined as part of the company’s many widely publicized VoIP security overall security policy to provide a attacks. However, as VoIP becomes more framework for dealing with possible threats mainstream, it is really a matter of when and to VoIP security. not if widespread attacks will occur. In dealing with these attacks, VoIP presents a unique challenge as IP services cannot rely on a human-based response for mitigation, as QoS will already be compromised.
  8. 8. Currently, a combination of human VoIP security infrastructure in the next two intervention and security management tools to three years, and should be planned for. are being used to mitigate the impact of these attacks. As the VoIP market matures, Summary and VoIP-specific attacks become more prevalent, these methods will not be VoIP requires a different approach to sufficient as VoIP networks cannot tolerate security which takes into account the unique multi-hour or multi-day downtimes if they are nature of telecommunications networks and required to support 99.999 per cent how greatly VoIP differs from traditional data availability. Expect to see solutions emerge security. The specific characteristics of VoIP which are designed to provide the real-time, networks combined with the mission-critical automated VoIP security mitigation solutions importance of many voice applications needed to keep VoIP services running in the imposes strict requirements on security presence of major security threats such as applications. To effectively secure VoIP SPIT, DoS or fast-spreading worms. Threat- networks, organizations need to proactively mitigation systems should be able to address security at three levels – respond autonomously to the detected prevention, protection, and mitigation. By security threats and keep their impact at the taking a holistic approach to VoIP security, levels where VoIP services can still function enterprises, carriers and cable operators will albeit at lower QoS. While VoIP threat be able to preserve the attributes of quality, mitigation systems are not currently reliability, and security that we’ve come to available, they will become a key part of the expect from the existing phone networks.