October 2004

SECURING VOICE OVER INTERNET PROTOCOL (IP) NETWORKS

By Thomas J. Walsh and D. Richard Kuhn, National Institute of Standards and Technology

ITL Bulletins are published by the Information Technology Laboratory (ITL) of the National Institute of Standards and Technology (NIST). Each bulletin presents an in-depth discussion of a single topic of significant interest to the information systems community. Bulletins are issued on an as-needed basis and are available from ITL Publications, National Institute of Standards and Technology, 100 Bureau Drive, Stop 8900, Gaithersburg, MD 20899-8900, telephone (301) 975-2832. To be placed on a mailing list to receive future bulletins, send your name, organization, and business address to this office. You will be placed on this mailing list only.

Bulletins issued since August 2003

❐ IT Security Metrics, August 2003
❐ Information Technology Security Awareness, Training, Education, and Certification, October 2003
❐ Network Security Testing, November 2003
❐ Security Considerations in the Information System Development Life Cycle, December 2003
❐ Computer Security Incidents: Assessing, Managing, and Controlling the Risks, January 2004
❐ Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, March 2004
❐ Selecting Information Technology Security Products, April 2004
❐ Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004
❐ Information Technology Security Services: How to Select, Implement, and Manage, June 2004
❐ Guide for Mapping Types of Information and Information Systems to Security Categories, July 2004
❐ Electronic Authentication: Guidance For Selecting Secure Techniques, August 2004
❐ Information Security Within The System Development Life Cycle, September 2004

Voice over IP (VOIP) - the transmission of voice over traditional packet-switched IP networks - is one of the hottest trends in telecommunications. As with any new technology, VOIP introduces both opportunities and security challenges. Lower cost and greater flexibility are among the promises of VOIP for the enterprise, but security administrators will face significant issues. Administrators may assume that since digitized voice travels in packets, they can simply plug VOIP components into their already-secured networks and expect a stable and secure voice network. Unfortunately, many of the tools used to safeguard today’s computer networks, namely firewalls, Network Address Translation (NAT), and encryption, don’t work “as is” in a VOIP network.

VOIP systems take a wide variety of forms. Just about any computer is capable of providing VOIP, and most users don’t realize that they already have basic VOIP applications. Microsoft’s NetMeeting, or the newer Windows Messenger, which come with Windows platforms, provides voice and video services, and Linux platforms have a number of VOIP applications from which to choose. In general, though, the term Voice Over IP is associated with equipment that provides the ability to dial telephone numbers and communicate with parties on the other end who may have either another VOIP system or a traditional analog telephone. Demand for VOIP services has resulted in a broad array of products, including:

❑ Traditional telephone handset - Usually these products have extra features beyond a simple handset with dial pad. Some of these units may have a “base station” design that provides the same convenience as a conventional cordless phone.

❑ Conferencing units - These provide the same type of service as conventional conference calling phone systems, but since communication is handled over the Internet, they may allow users to coordinate traditional data communication services, such as a whiteboard that displays on computer monitors at both ends.

❑ Mobile units - Wireless VOIP units are becoming increasingly popular, especially since many organizations already have an installed base of 802.11 networking equipment. Wireless VOIP products present particularly acute security problems, given the well-known weaknesses of the 802.11 family of protocols.

❑ PC or “softphone” - With a headset, software, and inexpensive connection service, any PC or workstation can be used as a VOIP unit, often referred to as a “softphone.”

In addition to end-user equipment, VOIP systems include specialized components beyond those found on an ordinary IP network: call managers and media/signaling gateways. Call managers are required to set up calls, monitor call state, handle number translation, and provide basic telephony services. Call managers also handle signaling functions that coordinate with media gateways, which are the interface between the VOIP network and the public switched telephone network (PSTN). Depending on the system, gateway functions may be implemented as a board or dedicated appliance, or may be provided through a distributed system of servers and databases.

Current VOIP systems use one of two protocols, H.323 or the Session Initiation Protocol (SIP). SIP is the Internet Engineering Task Force (IETF) specified protocol for initiating a two-way communication session.
Who we are

The Information Technology Laboratory (ITL) is a major research component of the National Institute of Standards and Technology (NIST) of the Technology Administration, U.S. Department of Commerce. We develop tests and measurement methods, reference data, proof-of-concept implementations, and technical analyses that help to advance the development and use of new information technology. We seek to overcome barriers to the efficient use of information technology, and to make systems more interoperable, easily usable, scalable, and secure than they are today. Our website is

It was designed to be simpler than H.323, but has become increasingly complex, as the standard has evolved. SIP is text based; its messages are similar to e-mail message formats. Also, SIP is an application level protocol, that is, it is decoupled from the protocol layer it is transported across. Unlike H.323, SIP uses only one port in the call setup process. The architecture of a SIP network also differs from the H.323 structure. A SIP network is made up of end points, a proxy and/or redirect server, location server, and registrar. In the SIP model, a user is not bound to a specific host. Instead, users initially report their location to a registrar, which may be integrated into a proxy or redirect server.

H.323 is the International Telecommunication Union (ITU) specification for audio and video communication across packetized networks. H.323 acts as a wrapper for a suite of media control recommendations by the ITU incorporating several other protocols, including H.225 and H.245. Each of these protocols has a specific role in the call setup process, and all but one make use of dynamic ports. An H.323 network is made up of several endpoints (terminals) that are normally bound to a specific address, a gateway, and possibly a gatekeeper, multipoint control unit, and back end service. The gateway serves as a bridge between the H.323 network and the outside world of (possibly) non-H.323 devices, including SIP networks and traditional PSTN networks.

Most VOIP components have counterparts used in data networks, but the performance demands of VOIP mean that ordinary network software and hardware must be supplemented with special VOIP components. One of the main sources of confusion for those new to VOIP is the assumption that because digitized voice travels in packets just like other data, existing network architectures and tools can be used with little or no change. Unfortunately, VOIP adds a number of complications to existing network technology, and these problems are compounded by security considerations.

What’s Different About VOIP Security?

To understand why security for VOIP isn’t the same as data network security, we need to look at both the unique constraints of transmitting voice over a packet network, and at characteristics shared by VOIP and data networks. Packet networks depend on a large number of configurable parameters: IP and media access control (MAC) (physical) addresses of voice terminals, addresses of routers and firewalls. VOIP networks add specialized software such as call managers and other programs used to place and route calls. Many of the network parameters are established dynamically every time a network component is restarted, or when a VOIP telephone is restarted or added to the network. Because there are so many places in a VOIP network with dynamically configurable parameters, intruders have as wide an array of potentially vulnerable points to attack as they have with data networks. But VOIP systems have much stricter performance constraints than data networks, with significant implications for security.

Quality of Service (QoS) is fundamental to the operation of a VOIP network. A VOIP application is much more sensitive to delays than its traditional data counterparts. If one downloads a file, a slowdown of a few seconds is negligible. In contrast, a delay of merely 150 milliseconds is enough to turn a crisp VOIP call into a garbled, unintelligible mess. In the VOIP vernacular, this is termed the latency problem.

Latency turns traditional security measures into double-edged swords for VOIP. Tools such as encryption and firewall protection can help secure the network, but they also introduce a significant amount of delay. Latency is not just a quality of service issue, but a security issue as well, because it increases the system’s susceptibility to a Denial of Service (DoS) attack. For a DoS attack to succeed in a VOIP network, it need not completely shut down the system. It must only delay voice packets for a fraction of a second. The necessary impediment is even less when latency-producing security devices are slowing down traffic.

Another QoS issue, jitter, refers to non-uniform delays that can cause packets to arrive and be processed out of sequence. Real-time Transport Protocol (RTP), the protocol used to transport voice media, is based on the User Datagram Protocol (UDP), so packets received out of order cannot be reassembled at the transport level, and therefore must be reordered at the application level, introducing a significant overhead. Even when packets manage to arrive in order, high jitter causes them to arrive at their destination in spurts. This scenario is analogous to uniform road traffic coming to a stoplight. As soon as the stoplight turns green (bandwidth opens up), traffic races through in a clump.

Infrastructure issues become significant with a change to VOIP. With conventional telephones, eavesdropping requires either physical access to tap a line or penetration of a switch. Attempting physical access increases the intruder’s risk of being discovered, and conventional private branch exchanges (PBXs) typically use proprietary protocols, specialized software, and have fewer points of access than VOIP systems. With VOIP, opportunities for eavesdroppers are multiplied. VOIP units share physical network connections with the data network, and in many cases, VOIP and data are on the same logical portion of the network.
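The latency and jitter discussion above can be made concrete with a small application-layer RTP buffer. The Python below is an added example written for this edit, not code from the bulletin or from NIST. It does the work the bulletin says UDP leaves to the application: it reorders packets by RTP sequence number, drops a packet that arrives more than 150 milliseconds after its scheduled playout instant, and tracks interarrival jitter with the smoothed estimator of RFC 3550 section 6.4.1 (expressed here in milliseconds rather than clock ticks). The codec timing (20 ms frames on an 8 kHz clock) and the six packet arrivals are constructed assumptions, not captured traffic.

```python
# Added example (not from the bulletin or NIST): an application-layer RTP jitter buffer.
# RTP rides on UDP, so nothing below the application reorders packets or discards late
# ones.  Codec timing and all packet arrivals below are constructed, not captured.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

CLOCK_RATE_HZ = 8000                  # assumed G.711 clock: 160 ticks per 20 ms frame
TICKS_PER_MS = CLOCK_RATE_HZ // 1000
MAX_PLAYOUT_DELAY_MS = 150            # the bulletin's threshold for an intelligible call


@dataclass
class RtpPacket:
    seq: int            # 16-bit RTP sequence number
    timestamp: int      # RTP timestamp in clock ticks
    arrival_ms: float   # local arrival time in milliseconds (constructed)


@dataclass
class JitterBuffer:
    budget_ms: float = MAX_PLAYOUT_DELAY_MS
    jitter_ms: float = 0.0            # RFC 3550 smoothed interarrival jitter, in ms here
    dropped: List[int] = field(default_factory=list)
    _pending: Dict[int, RtpPacket] = field(default_factory=dict)
    _late: Set[int] = field(default_factory=set)
    _next_seq: Optional[int] = None
    _base_arrival_ms: float = 0.0
    _base_timestamp: int = 0
    _prev_transit_ms: Optional[float] = None

    def scheduled_ms(self, pkt: RtpPacket) -> float:
        """Playout instant implied by the RTP timestamp, relative to the first packet."""
        return self._base_arrival_ms + (pkt.timestamp - self._base_timestamp) / TICKS_PER_MS

    def push(self, pkt: RtpPacket) -> str:
        if self._next_seq is None:    # the first packet anchors both clocks
            self._next_seq, self._base_arrival_ms, self._base_timestamp = pkt.seq, pkt.arrival_ms, pkt.timestamp
        # RFC 3550 section 6.4.1: J = J + (|D| - J) / 16, D being the change in transit time
        # between this packet and the previously received one.
        transit = pkt.arrival_ms - pkt.timestamp / TICKS_PER_MS
        if self._prev_transit_ms is not None:
            self.jitter_ms += (abs(transit - self._prev_transit_ms) - self.jitter_ms) / 16
        self._prev_transit_ms = transit
        if pkt.arrival_ms - self.scheduled_ms(pkt) > self.budget_ms:
            self.dropped.append(pkt.seq)   # too late to play; the decoder conceals the gap
            self._late.add(pkt.seq)
            return "late"
        self._pending[pkt.seq] = pkt
        return "accepted"

    def drain(self) -> List[RtpPacket]:
        """Hand packets to the decoder in sequence order, skipping ones dropped as late."""
        out: List[RtpPacket] = []
        while self._next_seq is not None:
            if self._next_seq in self._pending:
                out.append(self._pending.pop(self._next_seq))
            elif self._next_seq in self._late:
                self._late.discard(self._next_seq)
            else:
                break                      # still waiting for this sequence number
            self._next_seq = (self._next_seq + 1) & 0xFFFF   # 16-bit wrap
        return out


def run_demo():
    """Six constructed arrivals: seq 4 overtakes seq 3, and seq 5 arrives 220 ms late."""
    arrivals = [
        RtpPacket(1, 0, 0), RtpPacket(2, 160, 20), RtpPacket(4, 480, 42),
        RtpPacket(3, 320, 45), RtpPacket(6, 800, 101), RtpPacket(5, 640, 300),
    ]
    jb = JitterBuffer()
    verdicts = {p.seq: jb.push(p) for p in arrivals}
    played = [p.seq for p in jb.drain()]
    return verdicts, played, jb.dropped, jb.jitter_ms


if __name__ == "__main__":
    print(run_demo())
```

In the constructed run the buffer plays sequence numbers 1, 2, 3, 4 and 6 in order, discards 5 because it would have to be played 220 ms after its slot, and reports a jitter estimate that jumps once the 220 ms outlier is seen, which is the "spurt" behaviour the bulletin describes. A security device that adds delay moves every packet closer to the 150 ms cliff, so the same code also illustrates why latency is a denial-of-service concern and not only a quality issue.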
ITL Bulletins Via E-Mail

We now offer the option of delivering your ITL Bulletins in ASCII format directly to your e-mail address. To subscribe to this service, send an e-mail message from your business e-mail account to with the message subscribe itl-bulletin, and your name, e.g., John Doe. For instructions on using listproc, send a message to with the message HELP. To have the bulletin sent to an e-mail address other than the From address, contact the ITL editor at 301-975-2832 or

Protocols are standardized, and tools to monitor and control packet networks are widely available. Attaching a packet sniffer, such as the freely available “voice over misconfigured internet telephony” (known by its unfortunate acronym “vomit”), to the VOIP network segment makes it easy to intercept voice traffic.

Like other types of software, VOIP systems have been found to have vulnerabilities due to buffer overflows and improper packet header handling. Exploitable software flaws typically result in two types of vulnerabilities: denial of service or disclosure of critical system parameters. In some cases, the system can be crashed, producing a memory dump in which an intruder can find IP addresses of critical system nodes, passwords, or other security-relevant information. Crashing a VOIP server may also result in a restart that restores default passwords or falls prey to a rogue server attack. In addition, buffer overflows that allow the introduction of malicious code have been found in VOIP software, as in other applications.

Tradeoffs between convenience and security are routine in software, and VOIP is no exception. Most, if not all, VOIP components use integrated web servers for configuration. Web interfaces can be attractive, easy to use, and inexpensive to produce because of the wide availability of good development tools. Unfortunately, most web development tools are built with features and ease of use in mind, with less attention to the security of the applications they help produce. VOIP device web applications have been discovered with weak or no access control, script vulnerabilities, and inadequate parameter validation, resulting in privacy and denial of service vulnerabilities. As VOIP gains in popularity, with implementations on devices of all types, it is almost inevitable that more administrative web applications with exploitable errors will be found.

What do the Special Characteristics of VOIP Mean for Security?

Meeting the security challenges of VOIP can require changes to a number of familiar security components. Firewalls are a staple of security in today’s IP networks. Whether protecting a local-area network (LAN), a wide-area network (WAN), encapsulating a demilitarized zone (DMZ), or just protecting a single computer, a firewall is usually the first line of defense. Firewalls work by blocking traffic deemed to be malicious or potentially risky. Acceptable traffic is determined by a set of rules programmed into the firewall by the network administrator. These may include such commands as “Block all FTP traffic (port 21)” or “Allow all http traffic (port 80).” Much more complex rule sets are available in almost all firewalls. Firewalls also provide a central location for deploying security policies, the ultimate bottleneck for network traffic, because no traffic can enter or exit the LAN without passing through the firewall.

This situation lends itself to the VOIP network where firewalls simplify security management by consolidating security measures at the firewall gateway, instead of requiring all the endpoints to maintain up-to-date security policies. This takes an enormous burden off the VOIP network infrastructure. Unfortunately, this abstraction and simplification of security measures comes at a price. The introduction of firewalls to the VOIP network complicates several aspects of VOIP, most notably dynamic port trafficking and call setup procedures. Several commercial solutions are available to alleviate this including Application Level Gateways (ALGs), that make the firewall “VOIP-aware,” and Midcom Controls, which allow the firewall to be traversed by allowing it to receive instruction from an application-aware agent. That is, they can understand the VOIP protocol data carried as a payload within an ordinary packet, making it possible to do stateful filtering of call packets. Attempting to implement a VOIP system on a legacy network without such devices is generally not feasible.

Firewalls, gateways, and other such devices can help keep intruders from compromising a network. However, these devices are no defense against an internal hacker and don’t protect voice data as it crosses the Internet. Another layer of defense is necessary at the protocol level to protect the data itself. In VOIP, as in data networks, this can be accomplished by encrypting the packets at the IP level using Internet Protocol Security (IPsec). This way, if anyone intercepts VOIP traffic and is not the intended recipient (for instance, via a packet sniffer), such packets would be unintelligible. The IPsec suite of security protocols and encryption algorithms is the standard for securing packets against unauthorized viewers over data networks and will be supported by the protocol stack in IPv6. So it seems logical to extend IPsec to VOIP, encrypting the signal and voice packets on one end and decrypting them only when needed by their intended recipient. Unfortunately, the nature of the signaling protocols and the VOIP network itself make it necessary for routers, proxies, and other components to read the VOIP packets, so encryption is often done at the gateways to a network, rather than the endpoints. Such a scheme also allows the endpoints to be computationally simple and promotes scalability as new encryption algorithms can be overlaid on the network without upgrading the endpoints. Several factors, including the expansion of packet size, ciphering latency, and a lack of QoS urgency in the cryptographic engine itself, can cause an excessive amount of latency in the VOIP packet delivery. This leads to degraded voice quality, so once again there is a tradeoff between security and voice quality, and a need for speed.
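Two passages in this bulletin call for the same piece of code: the description of SIP as a text-based, e-mail-like protocol whose call setup negotiates dynamic media ports, and the description above of an Application Level Gateway that reads the VOIP payload inside an ordinary packet so it can do stateful filtering of call packets. The Python below is an added example written for this edit; it is not the bulletin's code and not any vendor's ALG. A strict parser refuses oversized header lines, missing mandatory headers, a CSeq that disagrees with the request method, and a Content-Length that does not match the body (the kind of header-handling defects the bulletin reports), and a small stateful filter opens an RTP pinhole only for the address and port pair negotiated in the SDP of a tracked Call-ID's INVITE and 200 OK, closing it on BYE. The addresses, Call-ID, SDP bodies and size limits are constructed assumptions; compact header forms and folded header lines are rejected rather than supported.

```python
# Added example (not from the bulletin or NIST): a strict SIP parser feeding a stateful
# SIP-aware filter of the ALG kind.  Addresses, Call-ID, SDP bodies and size limits are
# constructed assumptions; compact header forms and folded header lines are rejected.
import re
from typing import Dict, Tuple

MAX_LINE, MAX_HEADERS = 1024, 64                 # oversized input is rejected, never truncated
REQUIRED = ("via", "from", "to", "call-id", "cseq")
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) .*$")
CSEQ = re.compile(r"^(\d{1,10}) ([A-Z]+)$")
SDP_CONN = re.compile(r"^c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})\r?$", re.M)
SDP_AUDIO = re.compile(r"^m=audio (\d{1,5}) RTP/AVP", re.M)


class SipParseError(ValueError):
    pass


def _require(cond: bool, what: str) -> None:
    if not cond:
        raise SipParseError(what)


def parse_sip(raw: bytes):
    """Return (method, status, headers, body), refusing anything malformed instead of guessing."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    _require(bool(sep), "no end of headers")
    lines = [line.decode("latin-1") for line in head.split(b"\r\n")]
    _require(len(lines) <= MAX_HEADERS and all(len(l) <= MAX_LINE for l in lines), "header section too large")
    req, resp = REQUEST_LINE.match(lines[0]), STATUS_LINE.match(lines[0])
    _require(bool(req or resp), "bad start line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        _require(bool(colon) and bool(name.strip()) and not name[0].isspace(), f"malformed header {line!r}")
        headers[name.strip().lower()] = value.strip()
    # Max-Forwards is mandatory in requests only (RFC 3261).
    _require(all(h in headers for h in REQUIRED + (("max-forwards",) if req else ())), "missing mandatory header")
    cseq = CSEQ.match(headers["cseq"])
    _require(cseq is not None and (not req or cseq.group(2) == req.group(1)), "bad or mismatched CSeq")
    declared = headers.get("content-length", str(len(body)))
    _require(declared.isdigit() and int(declared) == len(body), "Content-Length does not match body")
    return (req.group(1) if req else None, int(resp.group(1)) if resp else None, headers, body)


def media_endpoint(body: bytes) -> Tuple[str, int]:
    """Audio address and port from an SDP offer or answer; an unprivileged port is required."""
    text = body.decode("latin-1")
    conn, audio = SDP_CONN.search(text), SDP_AUDIO.search(text)
    _require(bool(conn and audio), "SDP carries no audio line")
    _require(1024 <= int(audio.group(1)) <= 65535, "implausible media port")
    return conn.group(1), int(audio.group(1))


class VoipAlg:
    """RTP is permitted only between the endpoints negotiated inside a tracked call."""

    def __init__(self) -> None:
        self.offers: Dict[str, Tuple[str, int]] = {}        # Call-ID -> caller's media endpoint
        self.pinholes: Dict[str, Tuple[Tuple[str, int], Tuple[str, int]]] = {}

    def inspect_signaling(self, raw: bytes) -> str:
        method, status, hdrs, body = parse_sip(raw)         # SipParseError => caller drops the packet
        call_id = hdrs["call-id"]
        if method == "INVITE":
            self.offers[call_id] = media_endpoint(body)
            return "offer recorded"
        if status == 200 and hdrs["cseq"].endswith(" INVITE") and call_id in self.offers:
            self.pinholes[call_id] = (self.offers.pop(call_id), media_endpoint(body))
            return "pinhole opened"
        if method == "BYE":
            self.offers.pop(call_id, None)
            self.pinholes.pop(call_id, None)
            return "pinhole closed"
        return "ignored"

    def allow_media(self, src: Tuple[str, int], dst: Tuple[str, int]) -> bool:
        return any({src, dst} == {a, b} for a, b in self.pinholes.values())


def rejects(raw: bytes) -> bool:
    try:
        parse_sip(raw)
    except SipParseError:
        return True
    return False


def sip(start: str, headers, body: bytes = b"") -> bytes:
    """Build a constructed SIP message (example input only)."""
    head = [start] + [f"{k}: {v}" for k, v in headers] + [f"Content-Length: {len(body)}"]
    return "\r\n".join(head).encode("latin-1") + b"\r\n\r\n" + body


COMMON = [("Via", "SIP/2.0/UDP 10.1.0.10:5060;branch=z9hG4bK776"), ("From", "<sip:alice@10.1.0.10>;tag=1928"),
          ("To", "<sip:bob@10.2.0.20>"), ("Call-ID", "a84b4c76e66710@10.1.0.10"), ("Max-Forwards", "70")]
SDP_A = b"v=0\r\no=alice 1 1 IN IP4 10.1.0.10\r\ns=-\r\nc=IN IP4 10.1.0.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
SDP_B = b"v=0\r\no=bob 1 1 IN IP4 10.2.0.20\r\ns=-\r\nc=IN IP4 10.2.0.20\r\nt=0 0\r\nm=audio 3456 RTP/AVP 0\r\n"
ALICE, BOB = ("10.1.0.10", 49170), ("10.2.0.20", 3456)


def run_demo() -> Dict[str, object]:
    alg, r = VoipAlg(), {}
    invite = sip("INVITE sip:bob@10.2.0.20 SIP/2.0", COMMON + [("CSeq", "314159 INVITE")], SDP_A)
    r["invite"] = alg.inspect_signaling(invite)
    r["rtp_before_answer"] = alg.allow_media(BOB, ALICE)
    r["ok"] = alg.inspect_signaling(sip("SIP/2.0 200 OK", COMMON + [("CSeq", "314159 INVITE")], SDP_B))
    r["rtp_after_answer"] = alg.allow_media(BOB, ALICE)
    r["stray_udp"] = alg.allow_media(BOB, ("10.1.0.10", 49172))
    r["forged_length"] = rejects(invite.replace(b"Content-Length: %d" % len(SDP_A), b"Content-Length: 9999"))
    r["oversized_via"] = rejects(sip("INVITE sip:bob@10.2.0.20 SIP/2.0", COMMON + [("Via", "x" * 2000), ("CSeq", "1 INVITE")]))
    r["bye"] = alg.inspect_signaling(sip("BYE sip:alice@10.1.0.10 SIP/2.0", COMMON + [("CSeq", "231 BYE")]))
    r["rtp_after_bye"] = alg.allow_media(BOB, ALICE)
    return r
```

The design point is that the media pinhole is derived from parsed call state rather than from a static "allow UDP 16384-32767" rule: a UDP datagram that matches no negotiated call is dropped, and the pinhole vanishes with the BYE. The parser's refusals are the defensive counterpart of the header-handling flaws the bulletin describes; a message that lies about its length or carries a multi-kilobyte header never reaches the state machine.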
Virtual private network (VPN) tunneling of VOIP has also become popular recently, but the congestion and bottlenecks associated with encryption suggest that this solution may not always be scalable. Although great strides are being made in this area, the hardware and software necessary to ensure call quality for encrypted voice traffic may not be economically or architecturally viable for all enterprises considering the move to VOIP.

What are the Prospects for Securing a VOIP Network?

Thus far, we have painted a fairly bleak picture of VOIP security. The construction of a VOIP network is an intricate procedure that should be studied in great detail before being attempted. Integrating a VOIP system into an already congested or overburdened network could be disastrous for an organization’s technology infrastructure. There is no easy “one size fits all” solution to the issues discussed in this bulletin. The use of VPNs, versus ALG-like solutions and the choice of SIP or H.323 are decisions that must be made based on the specific nature of the current network and the VOIP network to be. However, the technical problems are solvable, and the establishment of a secure implementation of VOIP is well worth the difficulty associated with these solutions. To implement VOIP securely today, start with these general guidelines, recognizing that practical considerations may require adjustments for the organization:

❑ Put voice and data on logically separate networks. Different subnets with separate RFC 1918 address blocks should be used for voice and data traffic, with separate DHCP servers for each, to ease the incorporation of intrusion detection and VOIP firewall protection.

❑ At the voice gateway, which interfaces with the PSTN, disallow H.323, SIP, or Media Gateway Control Protocol (MGCP) connections from the data network. Use strong authentication and access control on the voice gateway system, as with any other critical network management component.

❑ A mechanism to allow VOIP traffic through firewalls is required. There are a variety of protocol-dependent and independent solutions, including ALGs for VOIP protocols, Session Border Controllers, or other standards-based solutions. Stateful packet filters can track the state of connections, denying packets that are not part of a properly originated call.

❑ Use IPsec or Secure Shell (SSH) for all remote management and auditing access. If practical, avoid using remote management at all and do IP PBX access from a physically secure system.

❑ Use IPsec tunneling when available instead of IPsec transport because tunneling masks the source and destination IP addresses. This secures communications against rudimentary traffic analysis (i.e., determining who is calling each other).

❑ If performance is a problem, use encryption at the router or other gateway, not the individual endpoints, to provide for IPsec tunneling. Since some VOIP endpoints are not computationally powerful enough to perform encryption, placing this burden at a central point ensures all VOIP traffic emanating from the enterprise network has been encrypted. Newer IP phones are able to provide Advanced Encryption Standard (AES) encryption at a reasonable cost.

❑ Look for IP Phones that can load digitally (cryptographically) signed images to guarantee the integrity of the software loa
[... truncated to 64000 chars ...]
        if acl_decision(rules, probe, proto, port) == "permit":
            findings.append(f"gateway accepts {name} ({proto}/{port}) from the data subnet")
    # Guideline: remote management only over IPsec or SSH.
    for svc in cfg["gateway_management"]:
        if svc not in SECURE_MGMT:
            findings.append(f"gateway managed over {svc}; restrict management to SSH or IPsec")
    # Guideline: IPsec tunnel mode hides endpoint addresses from rudimentary traffic analysis.
    if cfg["ipsec_mode"] != "tunnel":
        findings.append("IPsec transport mode exposes endpoint addresses; prefer tunnel mode")
    return findings


# Constructed deployments: a flat network with open management, and one that follows the guidelines.
WEAK = {
    "voice_subnet": "192.168.1.0/24", "data_subnet": "192.168.1.0/24",   # phones and PCs share one subnet
    "dhcp": {"voice": "192.168.1.2", "data": "192.168.1.2"},
    "gateway_acl": [("permit", "0.0.0.0/0", "any", "any")],
    "gateway_management": ["telnet", "http"],
    "ipsec_mode": "transport",
}
HARDENED = {
    "voice_subnet": "10.10.0.0/16", "data_subnet": "10.20.0.0/16",
    "dhcp": {"voice": "10.10.0.5", "data": "10.20.0.5"},
    "gateway_acl": [("deny", "10.20.0.0/16", "any", "any"),     # data subnet never reaches the voice gateway
                    ("permit", "10.10.0.0/16", "udp", 5060),
                    ("permit", "10.10.0.0/16", "tcp", 1720),
                    ("permit", "10.10.0.0/16", "udp", 2427)],   # everything else falls to the default deny
    "gateway_management": ["ssh"],
    "ipsec_mode": "tunnel",
}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg) or ["no findings"])
```

Run against the constructed deployments, the flat configuration produces ten findings (shared address space, one DHCP server, each of the five signaling ports reachable from the data subnet, two insecure management services, and transport-mode IPsec) while the hardened one produces none. The ACL check probes the policy rather than grepping for a rule, so a later "permit any" that quietly overrides an earlier deny is caught the same way a real gateway would apply it.
<test>
weak = audit(WEAK)
hard = audit(HARDENED)
assert hard == []
assert len(weak) == 10
assert any("share address space" in f for f in weak)
assert any("one DHCP server" in f for f in weak)
assert sum("from the data subnet" in f for f in weak) == 5
assert any("H.323" in f for f in weak) and any("MGCP" in f for f in weak)
assert any("telnet" in f for f in weak) and any("http" in f for f in weak)
assert any("transport mode" in f for f in weak)
shadowed = dict(HARDENED, gateway_acl=[("permit", "0.0.0.0/0", "any", "any"), ("deny", "10.20.0.0/16", "any", "any")])
assert sum("from the data subnet" in f for f in audit(shadowed)) == 5
</test>