Voice Over IP Overview w/ Security
VoIP terminology with a focus on security issues and vulnerabilities.


  1. 99, are you SURE this connection is secure? 99? 99? Can you hear me now??
  2. Voice Over IP, A Security Overview – Christopher Duffy, CISSP
  3. VoIP Security Overview
     - Definitions
     - Under the Covers of SIP
     - Threats in VoIP / VoIP Telephony
     - Best Practices
     - References
  4. “Voice over IP is the John Travolta of Internet technologies. It was big once, everyone laughed at it, and it faded away… only to come back bigger than ever.” – Alan Cohen, VP, Cisco
  5. CONVERGENCE!
     - VoIP resides on your data network
       - Runs on an OS
       - Is an application on your servers
       - Uses the same infrastructure
  6. Global Definitions
     - VoIP – Voice over Internet Protocol (also called IP telephony and Internet telephony)
       - The routing of voice conversations over the Internet or any other packet-switched network.
     - PSTN – Public Switched Telephone Network
       - The concentration of the world's public circuit-switched telephone networks, in much the same way that the Internet is the concentration of the world's public IP-based packet-switched networks.
  7. Global Definitions (cont.)
     - PBX – Private Branch eXchange
       - A telephone exchange owned by a private business, as opposed to one owned by a common carrier or a telephone company.
  8. QoS
     - QoS (Quality of Service)
       - A defined measure of performance in a data communications system. For example, to ensure that real-time voice is delivered without drops,
       - a traffic contract is negotiated between the customer and the network provider that guarantees a minimum bandwidth along with the maximum delay (in milliseconds) that can be tolerated.
  9. Latency
     - Latency (delay)
       - The time from when words are spoken until they are heard at the other end:
       - the amount of time it takes a packet to travel from source to destination.
         - Together, latency and bandwidth define the speed and capacity of a network.
         - A voice delay of 80 ms (toll quality) is a good threshold; once it is passed, the conversation becomes annoying. The ear can accept 120–180 ms of delay.
  10. Jitter
     - Jitter (variation in delay)
       - A variation in packet transit delay caused by queuing, contention and serialization effects on the path through the network. In general, higher levels of jitter are more likely to occur on slow or heavily congested links.
         - 20 milliseconds is the threshold of tolerance on a call.
  11. Protocols
     - H.323
       - International Telecommunication Union – Telecommunication Standardization Sector (ITU-T) standard for real-time multimedia communications and conferencing over packet-based networks.
       - Codecs
         - G.711 – audio codec, 56/64 kbps (toll quality)
         - G.723.1 – speech codec, 5.3 and 6.3 kbps
         - G.729 – speech codec, 8/13 kbps
  12. Protocols
     - SIP (Session Initiation Protocol)
       - An IP telephony signaling protocol used to establish, modify and terminate VoIP telephone calls.
       - SIP is comparable to a telephone operator: other technology carries the call once it is connected.
     - SIP, rather than H.323, has become the standard for VoIP. The protocol resembles HTTP, is text based, and is very open and flexible; it has therefore largely replaced the H.323 standard.
  13. Session Initiation Protocol
     - Application-layer protocol, similar to HTTP
     - Client-server model
     - Uses requests and responses for transactions
     - Requests and responses are transmitted in ASCII plaintext (like HTTP)
  14. SIP Entities
     - A SIP network is composed of a number of logical SIP entities:
       - User Agent (phone)
         - Initiates, receives and terminates calls
       - Proxy Server (call controller)
         - Acts on behalf of the UA in forwarding or responding to requests
         - Can “fork” requests to multiple servers
       - Redirect Server (call controller)
         - Responds to, but does not forward, requests
       - Registration Server (call controller)
         - Handles User Agent authentication and registration
  15. SIP Entity Example (diagram: user agents – hard phone, soft phone, 802.11x – with proxy server, registration servers, VoIP gateway and PBX linking the packet-switched network to traditional digital/analog circuit-switched networks)
  16. VoIP Threats: Denial of Service
     - IP phones shadow computers; both are residents on the same network
       - Request flooding
         - H.323 Setup floods
         - SIP INVITE floods
       - Malformed signaling
         - c07-sip PROTOS test suite
           - CERT® Advisory CA-2003-06 affected Alcatel, Cisco, Ingate, IPTel, Mediatrix Telecom, Nortel and others
  17. VoIP Security Concern – Denial of Service
     - Interjected signaling
       - Unsolicited “End Session” or “BYE” packets will terminate calls
     - Underlying OS DoS
       - A soft client is only as reliable as the OS it runs on
       - Microsoft
     - Distributed DoS
       - Multiple focused external attacks on a given gateway
       - SYN flood attacks, malformed ICMP “nuke” attacks, etc., can be mitigated or eliminated effectively with a proper firewall
  18.
     - Phishing via VoIP, “vishing”
     - SPAM over Internet Telephony (SPIT)
     - Voice Over Misconfigured Internet Telephones (vomit)
       - Converts a captured phone call into a .wav file: vomit -r phone.dump | waveplay -S8000 -B16 -C1
     - Eavesdropping
     - SIP server impersonation
     - Registration hijacking
     - Call hijacking
  19. VoIP Threat: Eavesdropping
     - IP to circuit based
       - APR (ARP Poison Routing) – enables sniffing on switched networks and the interception of IP traffic on switched networks
     (Source: SonicWALL/SecureIT)
  20. VoIP Threats: Eavesdropping
     - If media is encrypted but signaling is not:
       - Invasion of privacy vulnerability – number harvesting
         - Builds a list of “real” phone numbers for future use (SPIT)
       - Invasion of privacy vulnerability – call pattern tracking
         - Who is calling whom? When? For how long?
     - VoIP protection against eavesdropping
       - When implemented correctly: better than POTS
       - When implemented incorrectly: more vulnerable than POTS
  21. VoIP Security Concern – Quality of Service
     - QoS at Layers 2, 3 and 4+
       - Layer 2: 802.1p
         - Requires 802.1Q VLAN header support
       - Layer 3: DSCP – Differentiated Services
         - Contained within the IP header
       - 802.1p/DSCP rely upon correct and accurate packet coloring
       - Vulnerable to injected higher-color network saturation
       - Dependent upon the capability of intermediate network equipment
       - Layer 4: VoIP-aware stateful bandwidth management (BWM) is most reliable
         - Requires VoIP awareness and the identification and coalescing of multiple streams
         - Most effective when combined with Layer 2/3 marking/coloring
  22. VoIP Security Concern – Interception/Modification
     - Call black holes
       - A directed attack using dynamic routing at intermediate routers to send calls to unconnected networks
     - Call hijacking
       - A directed attack using dynamic routing at intermediate routers to send calls to an unintended “other” receiver
     - Media alteration
       - Modification of the media stream
     - Caller ID falsification
       - Caller ID modification: on the fly via interception, or intended falsification by the call initiator
  23. VoIP Security Practices
     - Bandwidth management
       - Prioritize (Layer 7)
       - Segment onto logically distinct networks (NIST SP 800-58)
         - Separate VLANs
     - QoS
       - Edge points
         - ISP router
         - SOHO router
       - Internally
     - Physical
       - Port management
  24. VoIP Security Practices – Media and Signaling Encryption
     - IPsec VPN
       - Currently the most complete solution
       - Complexity of configuration is a barrier
       - Not supported by many vendors
     - TLS (Transport Layer Security), IETF
       - Interoperability concerns
       - Issues with key exchange
     - SSL (Secure Sockets Layer), Netscape, IETF
       - Generally not supported for peer-to-peer
       - Hub-and-spoke deployments
  25. Firewall – NAT/Port Considerations
     - VoIP issues with classic stateful NAT firewalls
       - Inbound access to UDP/TCP ports is restricted by default
         - RTP is dynamically assigned an “even” port in the range 1024–65534
         - It would be necessary to open up the entire firewall
         - The RTCP port is dynamically remapped with symmetric NAT
       - VoIP endpoints each have a unique IP
         - NAT turns all “internal” IPs into a single “external” IP
         - All incoming calls are to a single IP: which endpoint is the actual intended one?
       - VoIP requires either
         - an Application Layer Gateway, or
         - a Session Border Controller
  26. Firewall Solution – SBC
     - Session Border Controller
       - A dedicated appliance which implements firewall/NAT traversal
       - Tricks the existing firewall
       - Placed in the signaling and media path between calling and called parties
       - Breaks end-to-end security unless private keys are shared with the SBC
       - Implemented as a B2BUA (back-to-back user agent)
       - Can run into scalability issues
  27. Firewall Solutions – ALG
     - An Application Layer Gateway is a firewall which understands VoIP media
       - Embedded software on a firewall
       - Dynamically identifies, opens and closes ports as needed
       - Transforms outer (NAT) and inner (DPT) IPs and ports on the fly
       - May be able to identify and coalesce disparate streams into a single call flow for monitoring and QoS
       - Should be able to identify and protect against malformed signaling and media
       - Since it is not terminating/re-initiating calls, a proper ALG can scale beyond an SBC on a price-per-call metric
  28. NIST Recommendations
     - NIST Special Publication 800-58, January 2005
       - Logically distinct networks
       - Use an ALG firewall or Session Border Controller
         - STUN – Simple Traversal of UDP through NAT; does not work with symmetric NAT
         - TURN – Traversal Using Relay NAT; works with STUN, limited to a single peer behind a NAT device
         - ICE – Interactive Connectivity Establishment; uses STUN, TURN, RSIP; requires additional SDP attributes
         - UPnP – Universal Plug and Play; multi-NAT scalability and security issues
       - Strong authentication and IPsec or SSH to access the controller
       - Use end-point encryption or site-to-site IPsec tunnels
       - Don’t use soft phones: PCs are too vulnerable
       - Stay away from 802.11 a/b/g phones without IPsec
  29. VoIP Security Practices – Endpoint and Call Manager Protection
     - UTM firewall
       - Unified Threat Management
     - Physical and logical security
       - Access to the Call Manager must be restricted
       - It is only as secure as the weakest password
     - Redundant power
       - VoIP requires AC power to operate; the PSTN does not
     - End-to-end encryption
       - TLS, SRTP: covers media only
       - IPsec, SSL: covers media and signaling
  30. References
     - VOIPSA – http://voipsa.org
     - CERT – http://www.cert.org
     - NIST, “Security Considerations for Voice Over IP Systems” – http://csrc.nist.gov
  31. Best Practices
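The deck describes SIP as plaintext, HTTP-like request/response signaling and lists SIP INVITE floods and unsolicited BYE packets among the DoS threats a call controller faces. The following is an added example, not code from the deck or its author, showing how a defender can parse that text form and flag both patterns from observed signaling: a per-source INVITE rate check and a BYE whose Call-ID never appeared in an INVITE. The SIP messages, addresses, thresholds and class names are constructed here for illustration.

```python
from collections import defaultdict

def parse_sip(raw: str) -> dict:
    """Split a SIP request into its method and a lower-cased header map (SIP is plain text, like HTTP)."""
    head = raw.split("\r\n\r\n", 1)[0]          # headers end at the first blank line
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]          # request line: "INVITE sip:bob@... SIP/2.0"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")    # split on the first colon only; values may contain ':'
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "headers": headers}

class SipDosMonitor:
    """Tracks INVITE rate per source and BYEs for dialogs that were never set up with an INVITE."""
    def __init__(self, invite_limit: int, window_s: float):
        self.invite_limit, self.window_s = invite_limit, window_s
        self.invites = defaultdict(list)   # source address -> INVITE timestamps inside the window
        self.dialogs = set()               # Call-IDs for which an INVITE was observed
    def observe(self, ts: float, src: str, raw: str) -> list:
        alerts = []
        msg = parse_sip(raw)
        call_id = msg["headers"].get("call-id", "")
        if msg["method"] == "INVITE":
            self.dialogs.add(call_id)
            recent = [t for t in self.invites[src] if ts - t <= self.window_s] + [ts]
            self.invites[src] = recent
            if len(recent) > self.invite_limit:
                alerts.append(f"INVITE flood from {src}: {len(recent)} in {self.window_s}s")
        elif msg["method"] == "BYE" and call_id not in self.dialogs:
            alerts.append(f"unsolicited BYE from {src} for unknown Call-ID {call_id}")
        return alerts

def sip_msg(method: str, call_id: str) -> str:
    # Constructed sample request (not a capture), in SIP's HTTP-like text form
    return (f"{method} sip:bob@example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 10.0.0.5:5060\r\n"
            "From: <sip:alice@example.com>;tag=1928\r\n"
            "To: <sip:bob@example.com>\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 {method}\r\n\r\n")

def demo() -> list:
    # Constructed traffic: a 5-INVITE burst from one source, a real call, then a rogue BYE
    mon = SipDosMonitor(invite_limit=3, window_s=1.0)
    alerts = []
    for i in range(5):                          # 5 INVITEs within 0.4 s from one source
        alerts += mon.observe(0.1 * i, "10.0.0.9", sip_msg("INVITE", f"flood{i}@10.0.0.9"))
    alerts += mon.observe(2.0, "10.0.0.5", sip_msg("INVITE", "abc123@10.0.0.5"))  # real call set up
    alerts += mon.observe(2.5, "10.0.0.7", sip_msg("BYE", "ghost@10.0.0.7"))     # no INVITE ever seen
    alerts += mon.observe(3.0, "10.0.0.5", sip_msg("BYE", "abc123@10.0.0.5"))    # legitimate hang-up
    return alerts
```

Real deployments would also match the From/To tags of the dialog and expire old Call-IDs, but the Call-ID check alone already separates the injected BYE from the legitimate one in the sample.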