Download att_focus_network_security.ppt

  1. Network and VoIP Security – More Important Than Ever
     Mark D. Collier, Chief Technology Officer, SecureLogix Corporation, [email_address]
  2. Outline
     - General Security Trends
       - Good news
       - Bad news
       - Going forward
     - Network-Based Security
     - Managed Security Services
     - Internal Application/VoIP Security
  3. General Security Trends – Some Good News
     - Basic security measures, such as anti-virus, firewalls, and anti-spyware, are ubiquitously deployed
     - Average losses due to security breaches are up, but down significantly from 2001 and 2002 (*)
     - The number of incidents is down (*)
     - Incidents are being reported at a greater rate (*)
     (*) Source – 2007 Computer Crime and Security Survey
  4. General Security Trends – Some Good News (chart; source: 2007 Computer Crime and Security Survey)
  5. General Security Trends – Some Good News (chart; source: 2007 Computer Crime and Security Survey)
  6. General Security Trends – Some Good News (chart; source: 2007 Computer Crime and Security Survey)
  7. General Security Trends – Some Good News (chart; source: 2007 Computer Crime and Security Survey)
  8. General Security Trends – Some Bad News (chart; source: 2007 Computer Crime and Security Survey)
  9. General Security Trends – Some Bad News
     - Signature-based detection systems are being pushed to the limit
     - The platforms, network, and applications are getting more and more complex
     - Attacks are becoming increasingly complex
     - Perimeter security has many issues
     - Security funding is a small part of IT spending – no more than 10% and often less than 5% (*)
     - Targeted attacks are increasing (*)
     (*) Source – 2007 Computer Crime and Security Survey
  10. General Security Trends – Some Bad News (chart; source: 2007 Computer Crime and Security Survey)
  11. General Security Trends – Some Bad News (chart; source: 2007 Computer Crime and Security Survey)
  12. General Security Trends – Going Forward
     - Increased deployment of Intrusion Detection and Prevention Systems (IDSs and IPSs)
     - Possible increase in the use of Network Admission Control (NAC)
     - Network-based security solutions are available
     - Managed security services solutions are available
     - Increased focus on internal application security
     - New applications such as Voice over IP (VoIP) moving onto the data network
  13. Network-based Security – Introduction
     - Enterprise customers are deploying firewalls, IDSs/IPSs, AV, and anti-spam on the network edge
     - Some disadvantages:
       - Expensive
       - Multiple vendors and difficult to manage
       - Does not scale well
     (Diagram: client enterprises and a 3rd-party network, each connected through edge security devices to the primary provider's IP network)
  14. Network-based Security – Introduction
     - Network-based security embeds security capability in the network
     - Some advantages:
       - Leverages security capability in the network
       - Centralized management
       - Scales better
     (Diagram: client enterprises and a 3rd-party network connected at the edge to the AT&T IP network, with VPN, firewall, IDS, anti-virus, etc. provided inside the network)
  15. Network-based Security – Advantages
     - Leverages security expertise
     - Greatly assists with threat reconnaissance
     - Broad network visibility allows greater awareness and warning of attacks
     - The impact of major worm attacks is seen well in advance of when they are a threat to an enterprise
     - The only real solution to DoS and DDoS attacks
     - A great defense-in-depth approach
     - Still may need network defense and internal security
  16. Network-based Security – Early Detection of Attacks
     (Diagram: attack phases with example activities, marked with the defensive phase and the primary emphasis of the AT&T security service)
       Reconnaissance – web-based information collection, social engineering
       Scanning – broad network mapping, targeted scan
       System access – service vulnerability exploitation, password guessing
       Damage – DDoS zombie code installation, system file delete
       Track coverage – log file changes, use of stolen accounts for attack
       Diagram labels: Preventive Phase (Defense), Reactive Phase (Defense), AT&T Security Service Primary Emphasis
  17. Network-based Security – DoS and DDoS Attacks
     (Diagram: targeted server and enterprise server behind the AT&T IP backbone)
  18. Network-based Security – AT&T Offerings
     - Network-Based Security Platform: Policy Management, Identity Management, Intrusion Management, Perimeter Security, Secure Connectivity, Monitoring & Mgmt, Incident Management
     - AT&T Internet Protect®
     - AT&T DDoS Defense
     - AT&T My Internet Protect
     - AT&T Private Intranet Protect
     - AT&T Network-Based Firewalls
     - AT&T Secure E-Mail Gateway
     - AT&T Web Security Services
  19. Managed Security Services – Introduction
     - Managed Security Services (MSS) are a viable alternative to in-house security staffing
     - Leverage experienced staff who are familiar with security processes and products
     - Often can be more cost effective
     - Eliminates the need to retain and train staff
     - Security assessments/audits are commonly outsourced
  20. Managed Security Services – Enterprise Penetration (chart; source: 2007 Computer Crime and Security Survey)
  21. Managed Security Services – Assessments/Audits (chart; source: 2007 Computer Crime and Security Survey)
  22. Managed Security Services – AT&T Offerings
     - Premises-Based Firewalls
     - Managed Intrusion Detection
     - Endpoint Security Service
     - Token Authentication
  23. Application/VoIP Security – Introduction
     - Despite the availability of network-based security, managed services, and customer-premise edge security, securing applications is still important
     - Voice over IP (VoIP) is one internal application that must be secured
  24. Public Website Research – Introduction (Gathering Information: Footprinting)
     - An enterprise website often contains a lot of information that is useful to a hacker:
       - Organizational structure and corporate locations
       - Help and technical support
       - Job listings
       - Phone numbers and extensions
  25. Public Website Research – Countermeasures (Gathering Information: Footprinting)
     - It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it
     - Try to limit the amount of detail in job postings
     - Remove technical detail from help desk web pages
  26. Google Hacking – Introduction (Gathering Information: Footprinting)
     - Google is incredibly good at finding details on the web:
       - Vendor press releases and case studies
       - Resumes of VoIP personnel
       - Mailing lists and user group postings
       - Web-based VoIP logins
  27. Google Hacking – Countermeasures (Gathering Information: Footprinting)
     - Determine what your exposure is
     - Be sure to remove any VoIP phones which are visible to the Internet
     - Disable the web servers on your IP phones
     - There are services that can help you monitor your exposure
  28. Host/Device Discovery and Identification (Gathering Information: Scanning)
     - Consists of various techniques used to find hosts:
       - Ping sweeps
       - ARP pings
       - TCP ping scans
       - SNMP sweeps
     - After hosts are found, the type of device can be determined
     - Classifies host/device by operating system
     - Once hosts are found, tools can be used to find available network services
  29. Host/Device Discovery – Ping Sweeps/ARP Pings (figure only) (Gathering Information: Scanning)
  30. Host/Device Discovery – Countermeasures (Gathering Information: Scanning)
     - Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps
     - VLANs can help isolate ARP pings
     - Ping sweeps can be blocked at the perimeter firewall
     - Use the secure version of SNMP (SNMPv3)
     - Change SNMP public community strings
  31. Enumeration – Introduction (Gathering Information: Enumeration)
     - Involves testing open ports and services on hosts/devices to gather more information
     - Includes running tools to determine if open services have known vulnerabilities
     - Also involves scanning for VoIP-unique information such as phone numbers
     - Includes gathering information from TFTP servers and SNMP
  32. Vulnerability Testing – Tools (figure only) (Gathering Information: Enumeration)
  33. Vulnerability Testing – Countermeasures (Gathering Information: Enumeration)
     - The best solution is to upgrade your applications and make sure you continually apply patches
     - Some firewalls and IPSs can detect and mitigate vulnerability scans
  34. TFTP Enumeration – Introduction (Gathering Information: Enumeration)
     - Almost all phones we tested use TFTP to download their configuration files
     - The TFTP server is rarely well protected
     - If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password
     - The files are downloaded in the clear and can be easily sniffed
     - Configuration files have usernames, passwords, IP addresses, etc. in them
  35. TFTP Enumeration – Countermeasures (Gathering Information: Enumeration)
     - It is difficult not to use TFTP, since it is so commonly used by VoIP vendors
     - Some vendors offer more secure alternatives
     - Firewalls can be used to restrict access to TFTP servers to valid devices
  36. SNMP Enumeration – Introduction (Gathering Information: Enumeration)
     - SNMP is enabled by default on most IP PBXs and IP phones
     - Simple SNMP sweeps will garner lots of useful information
     - If you know the device type, you can use snmpwalk with the appropriate OID
     - You can find the OID using Solarwinds MIB
     - Default “passwords”, called community strings, are common
  37. SNMP Enumeration – Countermeasures (Gathering Information: Enumeration)
     - Disable SNMP on any devices where it is not needed
     - Change default public and private community strings
     - Try to use SNMPv3, which supports authentication
  38. Network Infrastructure DoS (Attacking the Network: Network DoS)
     - The VoIP network and supporting infrastructure are vulnerable to attacks
     - VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter
     - Attacks include:
       - Flooding attacks
       - Network availability attacks
       - Supporting infrastructure attacks
  39. Flooding Attacks – Introduction (Attacking the Network: Network DoS)
     - Flooding attacks generate so many packets at a target that it is overwhelmed and can’t process legitimate requests
  40. Flooding Attacks – Countermeasures (Attacking the Network: Network DoS)
     - Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling)
     - Use rate limiting in network switches
     - Use anti-DoS/DDoS products
     - Some vendors have DoS support in their products (in newer versions of software)
  41. Network Availability Attacks (Attacking the Network: Network DoS)
     - This type of attack involves an attacker trying to crash the underlying operating system:
       - Fuzzing involves sending malformed packets, which exploit a weakness in software
       - Packet fragmentation
       - Buffer overflows
  42. Network Availability Attacks – Countermeasures (Attacking the Network: Network DoS)
     - A network IPS is an inline device that detects and blocks attacks
     - Some firewalls also offer this capability
     - Host-based IPS software also provides this capability
  43. Supporting Infrastructure Attacks (Attacking the Network: Network DoS)
     - VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc.
     - DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones
     - DNS cache poisoning involves tricking a DNS server into using a fake DNS response
  44. Supporting Infrastructure Attacks – Countermeasures (Attacking the Network: Network DoS)
     - Configure DHCP servers not to lease addresses to unknown MAC addresses
     - DNS servers should be configured to analyze information from non-authoritative servers and to drop any response not related to an outstanding query
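The DNS countermeasure on slide 44, as an added example that is not part of the original presentation: a resolver-side check that accepts a reply only when it matches an outstanding query (transaction ID, server, question) and keeps only records inside the queried server's zone, so an out-of-zone record smuggled into a reply never reaches the cache. The zone, names and addresses are constructed.

```python
# Added example (not from the slides): resolver-side filtering of DNS replies.
# Records are modelled as plain tuples instead of wire-format packets.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, str]   # (owner name, type, value)


@dataclass(frozen=True)
class Query:
    txid: int      # 16-bit transaction ID we sent
    server: str    # address the query went to
    qname: str     # name asked for, e.g. "sip.example.com."
    qtype: str     # type asked for, e.g. "A"
    zone: str      # zone that server is authoritative for (its bailiwick)


@dataclass
class Reply:
    txid: int
    source: str
    qname: str
    qtype: str
    answers: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name equals zone or lies below it."""
    name = name.lower().rstrip(".") + "."
    zone = zone.lower().rstrip(".") + "."
    return name == zone or name.endswith("." + zone)


def filter_reply(pending: Dict[Tuple[int, str], Query], reply: Reply) -> Optional[List[Record]]:
    """Return the records safe to cache, or None if the reply must be dropped.

    pending maps (txid, server) -> Query for queries still awaiting an answer.
    """
    key = (reply.txid, reply.source)
    query = pending.get(key)
    if query is None:
        return None        # no outstanding query with this ID from this server: unsolicited
    if (reply.qname.lower(), reply.qtype) != (query.qname.lower(), query.qtype):
        return None        # question section differs from what we asked
    kept = [r for r in reply.answers + reply.additional if in_bailiwick(r[0], query.zone)]
    del pending[key]       # transaction complete; a later reply with this ID is ignored
    return kept


def demo() -> Tuple[Optional[List[Record]], Optional[List[Record]]]:
    """Constructed scenario: a genuine reply carrying one stray record, and a forged one."""
    q = Query(0x1A2B, "192.0.2.53", "sip.example.com.", "A", "example.com.")
    pending = {(q.txid, q.server): q}
    genuine = Reply(0x1A2B, "192.0.2.53", "sip.example.com.", "A",
                    answers=[("sip.example.com.", "A", "192.0.2.10")],
                    additional=[("ns1.example.com.", "A", "192.0.2.53"),
                                ("tftp.voip-vendor.example.", "A", "198.51.100.66")])
    # Same transaction ID, but from an address we never queried.
    forged = Reply(0x1A2B, "198.51.100.9", "sip.example.com.", "A",
                   answers=[("sip.example.com.", "A", "198.51.100.9")])
    return filter_reply(dict(pending), genuine), filter_reply(dict(pending), forged)
```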
  45. Network Eavesdropping – Introduction (Attacking the Network: Eavesdropping)
     - VoIP configuration files, signaling, and media are vulnerable to eavesdropping
     - Attacks include:
       - TFTP configuration file sniffing (already discussed)
       - Number harvesting and call pattern tracking
       - Conversation eavesdropping
     - By sniffing signaling, it is possible to build a directory of numbers and track calling patterns
     - voipong automates the process of logging all calls
     - Wireshark is very good at sniffing VoIP signaling
  46. Conversation Recording – Wireshark (figure only) (Attacking the Network: Eavesdropping)
  47. Conversation Recording – Other Tools (Attacking the Network: Eavesdropping)
     - Other tools include:
       - vomit
       - Voipong
       - voipcrack (not public)
       - DTMF decoder
  48. Network Eavesdropping – Countermeasures (Attacking the Network: Eavesdropping)
     - Use encryption:
       - Many vendors offer encryption for signaling
       - Use Transport Layer Security (TLS) for signaling
       - Many vendors offer encryption for media
       - Use Secure Real-time Transport Protocol (SRTP)
       - Use ZRTP
       - Use proprietary encryption if you have to
  49. Network Interception – Introduction (Attacking the Network: Net/App Interception)
     - The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing:
       - Eavesdropping on the conversation
       - Causing a DoS condition
       - Altering the conversation by omitting, replaying, or inserting media
       - Redirecting calls
  50. Network Interception – ARP Poisoning (Attacking the Network: Net/App Interception)
     - The most common network-level MITM attack is ARP poisoning
     - Involves tricking a host into thinking the MAC address of the attacker is the intended address
     - There are a number of tools available to support ARP poisoning:
       - Cain and Abel
       - ettercap
       - Dsniff
       - hunt
  51. Network Interception – ARP Poisoning (figure only) (Attacking the Network: Net/App Interception)
  52. Network Interception – Countermeasures (Attacking the Network: Net/App Interception)
     - Some countermeasures for ARP poisoning are:
       - Static OS mappings
       - Switch port security
       - Proper use of VLANs
       - Signaling encryption/authentication
       - ARP poisoning detection tools, such as arpwatch
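An arpwatch-style detector for the countermeasure on slide 52, added here and not part of the original presentation. It parses raw Ethernet/ARP frames, remembers which MAC last claimed each IP and reports a "flip flop" when an IP suddenly moves to a new MAC, the signature a poisoning attempt leaves on the wire. The MACs, addresses and frames are constructed.

```python
# Added example (not from the slides): arpwatch-like IP-to-MAC change detection.
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(eth_src: bytes, op: int, sha: bytes, spa: str, tha: bytes, tpa: str) -> bytes:
    """Build a broadcast Ethernet frame carrying an IPv4-over-Ethernet ARP packet (test data)."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + ip_bytes(spa) + tha + ip_bytes(tpa)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[str, int, str, str]]:
    """Return (Ethernet source MAC, opcode, ARP sender MAC, ARP sender IP), or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac, sender_ip = frame[22:28], frame[28:32]
    return mac_str(frame[6:12]), op, mac_str(sender_mac), ".".join(str(b) for b in sender_ip)


class ArpMonitor:
    """Keeps the last MAC seen for each IP and reports changes (arpwatch's "flip flop")."""

    def __init__(self) -> None:
        self.table: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> None:
        parsed = parse_arp(frame)
        if parsed is None:
            return
        eth_src, op, sender_mac, sender_ip = parsed
        if op == ARP_REPLY and eth_src != sender_mac:
            self.alerts.append(f"sender mismatch for {sender_ip}: frame from {eth_src}, ARP says {sender_mac}")
        known = self.table.get(sender_ip)
        if known is not None and known != sender_mac:
            self.alerts.append(f"flip flop: {sender_ip} moved from {known} to {sender_mac}")
        self.table[sender_ip] = sender_mac


def demo() -> List[str]:
    """Constructed traffic: a phone resolves its PBX, the PBX answers, then a third MAC claims the PBX's IP."""
    phone = bytes.fromhex("001122334455")
    pbx = bytes.fromhex("00aabbccddee")
    rogue = bytes.fromhex("deadbeef0001")
    frames = [
        build_arp(phone, ARP_REQUEST, phone, "10.0.0.20", b"\x00" * 6, "10.0.0.1"),
        build_arp(pbx, ARP_REPLY, pbx, "10.0.0.1", phone, "10.0.0.20"),
        build_arp(rogue, ARP_REPLY, rogue, "10.0.0.1", phone, "10.0.0.20"),
    ]
    monitor = ArpMonitor()
    for frame in frames:
        monitor.observe(frame)
    return monitor.alerts
```

In a real deployment the frames come from a capture interface rather than from build_arp, and the first sighting of each IP should be compared against an approved inventory rather than trusted.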
  53. Attacking the Application
     - VoIP systems are vulnerable to application attacks against the various VoIP protocols
     - Attacks include:
       - Fuzzing attacks
       - Flood-based DoS
       - Signaling and media manipulation
  54. Fuzzing – Introduction (Attacking the Application: Fuzzing)
     - Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it
     - Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks
     - There are many public domain tools available for fuzzing:
       - Protos suite
       - Asteroid
       - Fuzzy Packet
       - NastySIP
       - Scapy
       - SipBomber
       - SFTF
       - SIP Proxy
       - SIPp
       - SIPsak
  55. Fuzzing – Commercial Tools (Attacking the Application: Fuzzing)
     - There are some commercial tools available:
       - Beyond Security BeStorm
       - Codenomicon
       - MuSecurity Mu-4000 Security Analyzer
       - Security Innovation Hydra
       - Sipera Systems LAVA tools
  56. Fuzzing – Countermeasures (Attacking the Application: Fuzzing)
     - Make sure your vendor has tested their systems for fuzzing attacks
     - Consider running your own tests
     - A VoIP-aware IPS can monitor for and block fuzzing attacks
  57. Flood-Based DoS (Attacking the Application: Flood-Based DoS)
     - Several tools are available to generate floods at the application layer:
       - rtpflood – generates a flood of RTP packets
       - inviteflood – generates a flood of SIP INVITE packets
       - SiVuS – a GUI tool that enables a variety of flood-based attacks
     - Virtually every device we tested was susceptible to these attacks
  58. Flood-Based DoS – Countermeasures (Attacking the Application: Flood-Based DoS)
     - There are several countermeasures you can use for flood-based DoS:
       - Use VLANs to separate networks
       - Use TCP and TLS for SIP connections
       - Use rate limiting in switches
       - Enable authentication for requests
       - Use SIP firewalls/IPSs to monitor and block attacks
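Per-source rate limiting of SIP INVITEs, the kind of check a SIP firewall/IPS applies against the INVITE floods of slides 57 and 58, added here and not from the original presentation. The limiter parses the request line and headers from raw SIP text and drops INVITEs from any source that exceeds a sliding-window budget; the SIP messages, addresses and the limit of five INVITEs per second are constructed assumptions.

```python
# Added example (not from the slides): SIP-aware INVITE rate limiting.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

INVITE_LIMIT = 5        # assumed budget: INVITEs allowed per source per WINDOW seconds
WINDOW = 1.0


def parse_request(raw: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (method, headers) for a SIP request, or None for responses / garbage."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None                   # responses start with "SIP/2.0 <code> <reason>"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break                     # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], headers


class InviteLimiter:
    def __init__(self) -> None:
        self.seen: Dict[str, Deque[float]] = defaultdict(deque)   # src -> INVITE timestamps
        self.blocked: List[Tuple[float, str]] = []                 # (time, src) of dropped INVITEs

    def check(self, src_ip: str, raw: str, now: float) -> bool:
        """Return True if the request may pass, False if it is dropped."""
        parsed = parse_request(raw)
        if parsed is None or parsed[0] != "INVITE":
            return True               # only INVITEs are rate limited here
        window = self.seen[src_ip]
        while window and now - window[0] > WINDOW:
            window.popleft()          # forget INVITEs older than the window
        window.append(now)
        if len(window) > INVITE_LIMIT:
            self.blocked.append((now, src_ip))
            return False
        return True


def make_invite(src_ip: str, callid: str) -> str:
    """Constructed INVITE, just enough headers to be parsed."""
    return (f"INVITE sip:2001@pbx.example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {src_ip}:5060;branch=z9hG4bK{callid}\r\n"
            f"From: <sip:1001@{src_ip}>;tag=a{callid}\r\n"
            f"To: <sip:2001@pbx.example.com>\r\n"
            f"Call-ID: {callid}@{src_ip}\r\n"
            f"CSeq: 1 INVITE\r\n\r\n")


def demo() -> Tuple[int, int]:
    """A phone sends 3 INVITEs over 3 s; a flooder sends 50 within 0.5 s. Returns (passed, dropped)."""
    limiter = InviteLimiter()
    passed = dropped = 0
    for i in range(3):
        passed += limiter.check("10.0.0.20", make_invite("10.0.0.20", f"c{i}"), now=float(i))
    for i in range(50):
        ok = limiter.check("10.0.0.99", make_invite("10.0.0.99", f"f{i}"), now=0.01 * i)
        passed += ok
        dropped += not ok
    return passed, dropped
```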
  59. Registration Manipulation (Attacking the Application: Sig/Media Manipulation)
     (Diagram: user – proxy – proxy – user, with the attacker hijacking the session and the media)
  60. Session Teardown (Attacking the Application: Sig/Media Manipulation)
     (Diagram: attacker sends BYE messages to the UAs; user – proxy – proxy – user)
  61. IP Phone Reboot (Attacking the Application: Sig/Media Manipulation)
     (Diagram: attacker sends check-sync messages to the UA; user – proxy – proxy – user)
  62. Audio Insertion/Mixing (Attacking the Application: Sig/Media Manipulation)
     (Diagram: attacker sees packets and inserts/mixes in new audio; user – proxy – proxy – user)
  63. Signaling/Media Manipulation – Countermeasures (Attacking the Application: Sig/Media Manipulation)
     - Some countermeasures for signaling and media manipulation include:
       - Use digest authentication where possible
       - Use TCP and TLS where possible
       - Use SIP-aware firewalls/IPSs to monitor for and block attacks
       - Use audio encryption to prevent RTP injection/mixing
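Digest authentication, the first countermeasure on slide 63 against the forged REGISTER, BYE and check-sync requests of slides 59 to 61, added here and not from the original presentation: proxy-side verification of SIP Authorization parameters (RFC 3261 reuses the RFC 2617 MD5 digest with qop=auth), with one-time nonces so that a captured request cannot simply be replayed. The realm, user, password, URI and nonces are constructed.

```python
# Added example (not from the slides): proxy-side SIP digest verification.
import hashlib
import secrets
from typing import Dict, Set, Tuple

REALM = "pbx.example.com"    # assumed realm for the example


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str) -> str:
    """The Digest 'response' value for qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestVerifier:
    """Proxy side: hands out nonces and checks Authorization parameters against them."""

    def __init__(self, passwords: Dict[str, str]) -> None:
        self.passwords = passwords          # user -> shared secret
        self.issued: Set[str] = set()       # nonces issued and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, method: str, auth: Dict[str, str]) -> bool:
        """auth holds the Authorization header parameters already split into name -> value."""
        user, nonce = auth.get("username"), auth.get("nonce")
        if user not in self.passwords or nonce not in self.issued:
            return False                    # unknown user, or a nonce we never issued / already used
        if auth.get("realm") != REALM or auth.get("qop") != "auth":
            return False
        self.issued.discard(nonce)          # one use per nonce: a captured request cannot be replayed
        expected = digest_response(user, REALM, self.passwords[user], method, auth["uri"],
                                   nonce, auth["nc"], auth["cnonce"])
        return secrets.compare_digest(expected, auth.get("response", ""))


def demo() -> Tuple[bool, bool, bool]:
    """Constructed run: a genuine BYE, the same BYE replayed, and a BYE built with a guessed password."""
    proxy = DigestVerifier({"1001": "s3cret-phone-pw"})
    uri, nc, cnonce = "sip:2001@pbx.example.com", "00000001", "0a4f113b"
    nonce = proxy.challenge()
    genuine = {"username": "1001", "realm": REALM, "nonce": nonce, "uri": uri, "qop": "auth",
               "nc": nc, "cnonce": cnonce,
               "response": digest_response("1001", REALM, "s3cret-phone-pw", "BYE", uri, nonce, nc, cnonce)}
    accepted = proxy.verify("BYE", genuine)
    replayed = proxy.verify("BYE", genuine)
    nonce2 = proxy.challenge()
    forged = dict(genuine, nonce=nonce2,
                  response=digest_response("1001", REALM, "guess", "BYE", uri, nonce2, nc, cnonce))
    return accepted, replayed, proxy.verify("BYE", forged)
```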
  64. Voice SPAM – Introduction (Social Attacks: Voice SPAM)
     - Voice SPAM refers to bulk, automatically generated, unsolicited phone calls
     - Similar to telemarketing, but occurring at the frequency of email SPAM
     - Not an issue yet, but will become prevalent when:
       - The network makes it very inexpensive or free to generate calls
       - Attackers have access to VoIP networks that allow generation of a large number of calls
     - It is easy to set up a voice SPAM operation, using Asterisk, tools like “spitter”, and free VoIP access
  65. Voice SPAM – Countermeasures (Social Attacks: Voice SPAM)
     - Some potential countermeasures for voice SPAM are:
       - Authenticated identity movements, which may help to identify callers
       - Legal measures
       - Network-based filtering
     - Enterprise voice SPAM filters:
       - Black lists/white lists
       - Approval systems
       - Audio content filtering
       - Turing tests
  66. VoIP Phishing – Introduction (Social Attacks: Phishing)
     - Similar to email phishing, but with a phone number delivered through email or voice
     - When the victim dials the number, the recording requests entry of personal information
  67. VoIP Phishing – Countermeasures (Social Attacks: Phishing)
     - Traditional email spam/phishing countermeasures come into play here
     - Educating users is key
  68. Final Thoughts
     - General network security is improving in some ways, but new threats are emerging
     - Network-based security and managed security services can be used to improve enterprise security
     - Don’t neglect internal security and key applications