SlideShare a Scribd company logo

I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source

Suhas Desai
Suhas Desai

The document discusses securing VoIP networks with open source tools. It describes how open source testing tools like SiVuS and SIP Bomber can be used to assess the security of VoIP implementations. SiVuS is a vulnerability scanner that discovers SIP components, generates attack messages, and produces a security findings report. SIP Bomber tests SIP protocol implementations by generating messages and validating passwords. The document advocates using open source tools to securely configure servers, clients, gateways, and firewalls before deploying VoIP networks.

TechnologyBusiness
1 of 19
Download to read offline
Secure Your VoIP Network with Open Source Suhas Desai www.interop.com/mumbai Friday, 9 October 2009, 12:15–01:30 PM, Bombay Exhibition Centre 10/12/2009 Track: Emerging Technology and Trends - Open Source
Agenda About VoIP Security Open Source Testing Tools Sample Testing Approach Summary Confidential © Tech Mahindra 2008 2
Agenda About VoIP Security Open Source Testing Tools Sample Testing Approach Summary Confidential © Tech Mahindra 2008 3
VoIP Overview Introduction to VoIP  VoIP is being rapidly embraced across most markets as an alternative to the traditional PSTN  VoIP deployment can impact applications, networks and infrastructure that use a wide variety of platform base  The cost savings of VoIP as compared to that of circuit switched networks is encouraging companies to move to VoIP Issues and Concerns  VoIP deployment has brought along with it many security concerns like Non- Repudiation, Authentication, Call Quality, Integrity and Privacy  VoIP calls to PSTN are not allowed in India Confidential © Tech Mahindra 2008 4
VoIP Security Threats & Impact VoIP Security Threats • An attacker tries to break telephone network and uses this network Phreaking for malicious activities like making long calls or to tap conversions. Eavesdropping • An attacker tries to intercept telephone lines with electronic devices. • Voice Phishing is used to leverage VoIP technology for social Vishing engineering to retrieve confidential information like credit card numbers, financial details. SPIT • Spamming over Internet Telephony is like e-mail spamming where VoIP calls are sent as a spam to victim. Impact  Loss of Confidentiality, Integrity and Authentication  Loss of Privacy  Non-repudiation  Social Threats  QoS Confidential © Tech Mahindra 2008 5
Possible Mitigation Considerations Deploy VoIP traffic monitors •Monitor the connections for logging the fraudulent activities. Employ encryption techniques •Strong encryption techniques allow privacy and confidentiality over the network. Use voice firewalls •Control inbound and outbound connections by filtering the traffic. Use adequate security infrastructure •Deploy secure gateways, gatekeepers & proxy servers to protect network traffic. Use IPsec tunneling •IPsec provides the secure communication over network by providing authentication and encryption. Conduct regular security audits •Audit VoIP network regularly for security vulnerabilities . Use VoIP platforms with adequate security features •Prefer proven VoIP platform with built in security features for development and deployment of VoIP applications. Confidential © Tech Mahindra 2008 6
Agenda About VoIP Security Open Source Testing Tools Sample Testing Approach Summary Confidential © Tech Mahindra 2008 7
Commercial Security Tools Need to perform security assessment of VoIP network with below tools! Commercial Security Testing Tools Tool Description CommView VoIP Analyzer Captures Real-time VoIP events. Etherpeek Sniffs VoIP traffic. EnableSecurity VoIPPack for CANVAS Performs scans, enumeration, and password attacks. Detects the actual protocol, administrative interfaces and VoIP Passive Vulnerability Scanner scanner(s). VoIPAudit VoIP vulnerability scanner. SiPBlast Tests VoIP infrastructure. NSAUDITOR SIP UDP traffic generator / flooder . Codenomicon VoIP Fuzzers Commercial versions of the free PROTOS toolset. Mu Dynamics VoIP, IPTV, IMS Fuzzing Platform Fuzzing appliance for SIP, Diameter, H.323 and MGCP protocols. Spirent ThreatEx Protocol Fuzzer and robustness tester. SiPCPE Evaluates SIP infrastructure protocol. Confidential © Tech Mahindra 2008 8
Open Source and VoIP Why Open Source?  Source code available  Easy to customize, code reuse and redistributable.  Cost Savings Open Source Tools SIP Proxies SIP Clients Mini-SIP-Proxy, MjServer, MySIPSwitch, Cockatoo, Ekiga, FreeSWITCH, JPhone, Kphone, NethidPro3.0.6, Net-SIP, JAIN-SIP Linphone, minisip,MjUA, OpenSIPStack, OpenZoep, Proxy,OpenSBC,OpenSER, PJSUA, QuteCom ex-Open Wengo, SFLphone, OpenSIPS, partysip, SaRP, sipd, SIPExpress Router, Shtoom, SipToSis, sipXezPhone, sipXphone, Twinkle, Siproxd, SIPVicious, sipX, Vocal, Yxa. YATE, YeaPhone. SIP Tools H.323 Clients Callflow, Open Source Asterisk AMI, pjsip-perf, miTester for SIP,PROTOS Test Suite, FGnomeMeeting, ohphoneX,OpenPhone SFTF, SIP CallerID, SIPbomber, Sipp, Sipper, SIP Proxy, Sipsak, SIP Soft client, SIPVicious tool suite, SMAP, Vovida.org load balancer. H.323 Gatekeeper RTP Proxies GNU Gatekeeper AG Projects,Maxim Sobolev's RTPproxy,MediaProxy. Confidential © Tech Mahindra 2008 9
Contd… PBX Platforms Security Testing Tools Asterisk, CallWeaver, OpenPBX, VoIP Sniffing Tools PBX4Linux, SIPexchange PBX Pingtel's AuthTool, Cain & Abel, Oreka, PSIPDump, rtpBreak , SIP PBX, sipwitch,sipX. SIPomatic, SIPv6 Analyzer, UCSniff, VoiPong, VoIPong ISO Bootable, VOMIT , WIST. VoIP Scanning and Enumeration Tools: IVR Platforms enumIAX, iaxscan, iWar, SCTPScan, Bayonne, CT Server, OpenVXI,SEMS, sipX PBX, SIP Forum Test Framework (SFTF), SIP-Scan, VoiceXML SIPcrack, Sipflanker, SIPSCAN , SiVuS, SMAP. VoiceMail Servers VoIP Packet Flooding Tools: IAXFlooder, INVITE Flooder, kphone-ddos , RTP Flooder, Scapy, SIPBomber, SIPsak, SIPp . Lintad, OpenUMS, SEMS,VOCP. Fax Servers VoIP Fuzzing Tools: Asteroid, PROTOS H.323 Fuzzer, PROTOS SIP Fuzzer Asterisk Fax Email Gateway, Lintad,Hylafax. VoIP Signaling Manipulation Tools: Development Platforms BYE Teardown, SipRogue, VoIPHopper H323plus, OpenBloX, Ooh323c, ++Skype. Confidential © Tech Mahindra 2008 10
Best Practices for Using Open Source Tools Monitor VoIP traffic • Continuously monitor VoIP traffic to identify VoIP attacks. Use tools - SIP-Scan, SiVuS , SMAP etc. Use encryption • Apply encryption for end points communication. Use SRTP (Secure Real Time Protocol). Use Firewalls • Put VoIP network before open source firewalls. Use firewalls - iptables. Conduct security audits • Audit VoIP network regularly for security vulnerabilities and configuration flaws. Use - VoIP Security Audit Program (VSAP). Secure gateways, gatekeepers • Control the number of concurrent connections for proper utilize bandwidth. Secure proxy servers • Authenticate authorized access control. Use Asterisk. Use IPsec tunneling • Ipsec provides secure communication over the public networks. Secure VoIP platforms • Prefer VoIP platform with built in security features for development and deployment of VoIP applications Confidential © Tech Mahindra 2008 11
Contd… Open source products/tools provides options for :  Secure configuration of servers  Secure configuration of clients  Securing gateways  Securing Firewalls VOIP/SIP Security Assessment with Open Source before deployment : VoIP Security Footprinting Scanning Testing Eavesdropping SiVuS Nessus •Cain and Abel •VoIPong •vomit Fuzzing nmap SiVuS •PROTOS SIP fuzzing suite SIP Protocol Testing •SIP Bomber
Agenda About VoIP Security Open Source Testing Tools Sample Testing Approach Summary Confidential © Tech Mahindra 2008 13
Example 1 : SiVuS Security assessment with SiVuS tool  SiVuS  SiVuS is the vulnerability scanner for VoIP networks that use the SIP protocol.  The scanner provides several powerful features to verify the robustness and secure implementation of a SIP component.  SiVuS is used to verify the robustness and security of their SIP implementations by generating the attacks that are included in the SiVuS database or by crafting their own SIP messages using the SIP message generator. 1. SIP Component Discovery 2. Message Generator Confidential © Tech Mahindra 2008 14
Example 1 : SiVuS Security assessment with SiVuS tool 3. Security Findings Report Confidential © Tech Mahindra 2008 15
Example 2 : SIP Bomber Security assessment with SIP Bomber  SIP Bomber:  SIP Bomber is used to test SIP-protocol implementation.  SIP Bomber is complied on Linux machines with asterisk server for testing of SIP server implementation. 1. Message Generator 2. Password Validation Confidential © Tech Mahindra 2008 16
Agenda About VoIP Security Open Source Testing Tools Sample Testing Approach Summary Confidential © Tech Mahindra 2008 17
Summary  Building VoIP network with open source is cost effective and reliable.  VoIP network can be secured with open source tools, its configurations and settings.  Tools like SiVuS and SIP Bomber can be used to assess your VoIP security. References Web • http://www.voipsa.org • http://www.voip-info.org Books • Patrick Park;”Voice over IP Security” - Ciscopress. • Thomas Porter, Jan Kanclirz Jr;”Practical VoIP Security” - Syngress Publishing, Inc. • James Ransome and John Rittinghouse;”Voice over Internet Protocol Security” - Elsevier • Alan B. Johnston, David M. Piscitello;”Understanding Voice over IP Security” -Artech House Confidential © Tech Mahindra 2008 18
Thank You !!

Recommended

Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysFatih Ozavci
 
Introduction to VoIP Security
Introduction to VoIP SecurityIntroduction to VoIP Security
Introduction to VoIP Security
n|u - The Open Security Community
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacks
n|u - The Open Security Community
 
VoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol ProblemsVoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol Problems
seanhn
 
Hacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowHacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To Know
Dan York
 
Meletis Belsis - Voip security
Meletis Belsis - Voip securityMeletis Belsis - Voip security
Meletis Belsis - Voip security
Meletis Belsis MPhil/MRes/BSc
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Fatih Ozavci
 
Voip security
Voip securityVoip security
Voip security
Shethwala Ridhvesh
 

Recommended

Hacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysHacking Trust Relationships Between SIP Gateways
Hacking Trust Relationships Between SIP GatewaysFatih Ozavci
 
Introduction to VoIP Security
Introduction to VoIP SecurityIntroduction to VoIP Security
Introduction to VoIP Security
n|u - The Open Security Community
 
VoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacksVoIP – vulnerabilities and attacks
VoIP – vulnerabilities and attacks
n|u - The Open Security Community
 
VoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol ProblemsVoIP security: Implementation and Protocol Problems
VoIP security: Implementation and Protocol Problems
seanhn
 
Hacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To KnowHacking and Attacking VoIP Systems - What You Need To Know
Hacking and Attacking VoIP Systems - What You Need To Know
Dan York
 
Meletis Belsis - Voip security
Meletis Belsis - Voip securityMeletis Belsis - Voip security
Meletis Belsis - Voip security
Meletis Belsis MPhil/MRes/BSc
 
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and DefenceHardware Hacking Chronicles: IoT Hacking for Offence and Defence
Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
Fatih Ozavci
 
Voip security
Voip securityVoip security
Voip security
Shethwala Ridhvesh
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
Fatih Ozavci
 
Technical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishTechnical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishPrivateWave Italia SpA
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!
Fatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Fatih Ozavci
 
Voice Over IP Overview w/Secuirty
Voice Over IP Overview w/SecuirtyVoice Over IP Overview w/Secuirty
Voice Over IP Overview w/Secuirty
Christopher Duffy
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP
Fatih Ozavci
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco Phones
Fatih Ozavci
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical Overview
PrivateWave Italia SpA
 
Grandstream Final22
Grandstream Final22Grandstream Final22
Grandstream Final22
bongskey008
 
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemLabmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Syuan Wang
 
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Encryption
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduinoiruldaworld
 
Fortinet ixia ottawa, june 2013
Fortinet ixia ottawa, june 2013Fortinet ixia ottawa, june 2013
Fortinet ixia ottawa, june 2013
juliankanarek
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
Fatih Ozavci
 
Fortinet Fortivoice - Solucion de UTM + VoIP
Fortinet Fortivoice - Solucion de UTM + VoIPFortinet Fortivoice - Solucion de UTM + VoIP
Fortinet Fortivoice - Solucion de UTM + VoIP
Suministros Obras y Sistemas
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communications
sbwahid
 
Fortinet Ürün Ailesi
Fortinet Ürün AilesiFortinet Ürün Ailesi
Fortinet Ürün Ailesi
Güney Bilişim
 
Jain Sip Tutorial
Jain Sip TutorialJain Sip Tutorial
Jain Sip Tutorialrajibdk
 
Spying The Wire
Spying The WireSpying The Wire
Spying The Wire
Don Anto
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesPriyanka Aash
 
Strategic Personal Branding MOGHIMI
Strategic Personal Branding MOGHIMIStrategic Personal Branding MOGHIMI
Strategic Personal Branding MOGHIMI
Bahman Moghimi
 
Suhas Desai Clubhack09 Open Source Data Security 0.2
Suhas Desai Clubhack09 Open Source Data Security 0.2Suhas Desai Clubhack09 Open Source Data Security 0.2
Suhas Desai Clubhack09 Open Source Data Security 0.2Suhas Desai
 

More Related Content

What's hot

The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
Fatih Ozavci
 
Technical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishTechnical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishPrivateWave Italia SpA
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!
Fatih Ozavci
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Fatih Ozavci
 
Voice Over IP Overview w/Secuirty
Voice Over IP Overview w/SecuirtyVoice Over IP Overview w/Secuirty
Voice Over IP Overview w/Secuirty
Christopher Duffy
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP
Fatih Ozavci
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco Phones
Fatih Ozavci
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical Overview
PrivateWave Italia SpA
 
Grandstream Final22
Grandstream Final22Grandstream Final22
Grandstream Final22
bongskey008
 
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemLabmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Syuan Wang
 
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Encryption
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduinoiruldaworld
 
Fortinet ixia ottawa, june 2013
Fortinet ixia ottawa, june 2013Fortinet ixia ottawa, june 2013
Fortinet ixia ottawa, june 2013
juliankanarek
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
Fatih Ozavci
 
Fortinet Fortivoice - Solucion de UTM + VoIP
Fortinet Fortivoice - Solucion de UTM + VoIPFortinet Fortivoice - Solucion de UTM + VoIP
Fortinet Fortivoice - Solucion de UTM + VoIP
Suministros Obras y Sistemas
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communications
sbwahid
 
Fortinet Ürün Ailesi
Fortinet Ürün AilesiFortinet Ürün Ailesi
Fortinet Ürün Ailesi
Güney Bilişim
 
Jain Sip Tutorial
Jain Sip TutorialJain Sip Tutorial
Jain Sip Tutorialrajibdk
 
Spying The Wire
Spying The WireSpying The Wire
Spying The Wire
Don Anto
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesPriyanka Aash
 

What's hot (20)

The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
 
Technical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishTechnical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - english
 
Hacking SIP Like a Boss!
Hacking SIP Like a Boss!Hacking SIP Like a Boss!
Hacking SIP Like a Boss!
 
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
 
Voice Over IP Overview w/Secuirty
Voice Over IP Overview w/SecuirtyVoice Over IP Overview w/Secuirty
Voice Over IP Overview w/Secuirty
 
VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP VoIP Wars : Return of the SIP
VoIP Wars : Return of the SIP
 
VoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco PhonesVoIP Wars: Attack of the Cisco Phones
VoIP Wars: Attack of the Cisco Phones
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical Overview
 
Grandstream Final22
Grandstream Final22Grandstream Final22
Grandstream Final22
 
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM SystemLabmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
Labmeeting - 20150211 - Novel End-to-End Voice Encryption Method in GSM System
 
SlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice EncryptionSlingSecure Mobile Voice Encryption
SlingSecure Mobile Voice Encryption
 
Voice encryption for gsm using arduino
Voice encryption for gsm using arduinoVoice encryption for gsm using arduino
Voice encryption for gsm using arduino
 
Fortinet ixia ottawa, june 2013
Fortinet ixia ottawa, june 2013Fortinet ixia ottawa, june 2013
Fortinet ixia ottawa, june 2013
 
VoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers AwakenVoIP Wars: The Phreakers Awaken
VoIP Wars: The Phreakers Awaken
 
Fortinet Fortivoice - Solucion de UTM + VoIP
Fortinet Fortivoice - Solucion de UTM + VoIPFortinet Fortivoice - Solucion de UTM + VoIP
Fortinet Fortivoice - Solucion de UTM + VoIP
 
Encrypted Voice Communications
Encrypted Voice CommunicationsEncrypted Voice Communications
Encrypted Voice Communications
 
Fortinet Ürün Ailesi
Fortinet Ürün AilesiFortinet Ürün Ailesi
Fortinet Ürün Ailesi
 
Jain Sip Tutorial
Jain Sip TutorialJain Sip Tutorial
Jain Sip Tutorial
 
Spying The Wire
Spying The WireSpying The Wire
Spying The Wire
 
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phonesDefcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
Defcon 22-fatih-ozavci-vo ip-wars-attack-of-the-cisco-phones
 

Viewers also liked

Strategic Personal Branding MOGHIMI
Strategic Personal Branding MOGHIMIStrategic Personal Branding MOGHIMI
Strategic Personal Branding MOGHIMI
Bahman Moghimi
 
Suhas Desai Clubhack09 Open Source Data Security 0.2
Suhas Desai Clubhack09 Open Source Data Security 0.2Suhas Desai Clubhack09 Open Source Data Security 0.2
Suhas Desai Clubhack09 Open Source Data Security 0.2Suhas Desai
 
Profile DDS Update
Profile DDS UpdateProfile DDS Update
Profile DDS UpdateBui Binh
 
Introduction to e-commerce session 3 moghimi
Introduction to e-commerce session 3 moghimiIntroduction to e-commerce session 3 moghimi
Introduction to e-commerce session 3 moghimi
Bahman Moghimi
 
Comparación de CobiT 5 con CobiT 4.1
Comparación de CobiT 5 con CobiT 4.1Comparación de CobiT 5 con CobiT 4.1
Comparación de CobiT 5 con CobiT 4.1Slime Argentina
 
COBIT 5 & 4.1 Comparison
COBIT 5 & 4.1 ComparisonCOBIT 5 & 4.1 Comparison
COBIT 5 & 4.1 Comparison
Anthony Dehnashi
 

Viewers also liked (7)

Strategic Personal Branding MOGHIMI
Strategic Personal Branding MOGHIMIStrategic Personal Branding MOGHIMI
Strategic Personal Branding MOGHIMI
 
Suhas Desai Clubhack09 Open Source Data Security 0.2
Suhas Desai Clubhack09 Open Source Data Security 0.2Suhas Desai Clubhack09 Open Source Data Security 0.2
Suhas Desai Clubhack09 Open Source Data Security 0.2
 
E11063 01
E11063 01E11063 01
E11063 01
 
Profile DDS Update
Profile DDS UpdateProfile DDS Update
Profile DDS Update
 
Introduction to e-commerce session 3 moghimi
Introduction to e-commerce session 3 moghimiIntroduction to e-commerce session 3 moghimi
Introduction to e-commerce session 3 moghimi
 
Comparación de CobiT 5 con CobiT 4.1
Comparación de CobiT 5 con CobiT 4.1Comparación de CobiT 5 con CobiT 4.1
Comparación de CobiT 5 con CobiT 4.1
 
COBIT 5 & 4.1 Comparison
COBIT 5 & 4.1 ComparisonCOBIT 5 & 4.1 Comparison
COBIT 5 & 4.1 Comparison
 

Similar to I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source

VoIP Security
VoIP SecurityVoIP Security
VoIP Security
Dayanand Prabhakar
 
VoIP (Voice over Internet Protocol)
VoIP (Voice over Internet Protocol)VoIP (Voice over Internet Protocol)
VoIP (Voice over Internet Protocol)
Abdullah Shah
 
voip gateway
voip gateway voip gateway
voip gateway
Nayomi Ranamuka
 
Voippresentation
VoippresentationVoippresentation
Voippresentationeliran2
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraud
Flavio Eduardo de Andrade Goncalves
 
Understanding VoIP - 1
Understanding VoIP - 1Understanding VoIP - 1
Understanding VoIP - 1Adebayo Ojo
 
Analysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence ProcedureAnalysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence Procedure
ijsrd.com
 
VIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitVIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitShah Sheikh
 
Security Issues In Voip
Security Issues In VoipSecurity Issues In Voip
Security Issues In VoipWaqas Daar
 
VOIP
VOIPVOIP
VOIP
guest43d211
 
"Open Source VoIP" by Daniel Constantin Mierla @ eLiberatica 2007
"Open Source VoIP" by Daniel Constantin Mierla @ eLiberatica 2007"Open Source VoIP" by Daniel Constantin Mierla @ eLiberatica 2007
"Open Source VoIP" by Daniel Constantin Mierla @ eLiberatica 2007
eLiberatica
 
Grokking TechTalk #18B: VoIP Architecture For Telecommunications
Grokking TechTalk #18B: VoIP Architecture For TelecommunicationsGrokking TechTalk #18B: VoIP Architecture For Telecommunications
Grokking TechTalk #18B: VoIP Architecture For Telecommunications
Grokking VN
 
AN OVERVIEW OF VOICE OVER INTERNET PROTOCOL (VOIP
AN OVERVIEW OF VOICE OVER INTERNET PROTOCOL (VOIPAN OVERVIEW OF VOICE OVER INTERNET PROTOCOL (VOIP
AN OVERVIEW OF VOICE OVER INTERNET PROTOCOL (VOIP
Sean Flores
 
VOIP services
VOIP servicesVOIP services
VOIP services
Pankaj Saharan
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshop
Felipe Prado
 
Nuron VoIP Application Product and Solution
Nuron VoIP Application Product and SolutionNuron VoIP Application Product and Solution
Nuron VoIP Application Product and Solution
Laith Kassis
 

Similar to I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source (20)

VoIP Security
VoIP SecurityVoIP Security
VoIP Security
 
Voip
VoipVoip
Voip
 
Voice over IP
Voice over IPVoice over IP
Voice over IP
 
Testing
TestingTesting
Testing
 
VoIP (Voice over Internet Protocol)
VoIP (Voice over Internet Protocol)VoIP (Voice over Internet Protocol)
VoIP (Voice over Internet Protocol)
 
voip gateway
voip gateway voip gateway
voip gateway
 
Voippresentation
VoippresentationVoippresentation
Voippresentation
 
Number one-issue-voip-today-fraud
Number one-issue-voip-today-fraudNumber one-issue-voip-today-fraud
Number one-issue-voip-today-fraud
 
Understanding VoIP - 1
Understanding VoIP - 1Understanding VoIP - 1
Understanding VoIP - 1
 
Analysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence ProcedureAnalysis of VoIP Forensics with Digital Evidence Procedure
Analysis of VoIP Forensics with Digital Evidence Procedure
 
VIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS SummitVIPER Labs - VOIP Security - SANS Summit
VIPER Labs - VOIP Security - SANS Summit
 
Security Issues In Voip
Security Issues In VoipSecurity Issues In Voip
Security Issues In Voip
 
VOIP
VOIPVOIP
VOIP
 
"Open Source VoIP" by Daniel Constantin Mierla @ eLiberatica 2007
"Open Source VoIP" by Daniel Constantin Mierla @ eLiberatica 2007"Open Source VoIP" by Daniel Constantin Mierla @ eLiberatica 2007
"Open Source VoIP" by Daniel Constantin Mierla @ eLiberatica 2007
 
Grokking TechTalk #18B: VoIP Architecture For Telecommunications
Grokking TechTalk #18B: VoIP Architecture For TelecommunicationsGrokking TechTalk #18B: VoIP Architecture For Telecommunications
Grokking TechTalk #18B: VoIP Architecture For Telecommunications
 
Vo ip sip
Vo ip sipVo ip sip
Vo ip sip
 
AN OVERVIEW OF VOICE OVER INTERNET PROTOCOL (VOIP
AN OVERVIEW OF VOICE OVER INTERNET PROTOCOL (VOIPAN OVERVIEW OF VOICE OVER INTERNET PROTOCOL (VOIP
AN OVERVIEW OF VOICE OVER INTERNET PROTOCOL (VOIP
 
VOIP services
VOIP servicesVOIP services
VOIP services
 
DEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshopDEFCON 23 - Fatih Ozavci - the art of voip workshop
DEFCON 23 - Fatih Ozavci - the art of voip workshop
 
Nuron VoIP Application Product and Solution
Nuron VoIP Application Product and SolutionNuron VoIP Application Product and Solution
Nuron VoIP Application Product and Solution
 

Recently uploaded

Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
OnBoard
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
Ralf Eggert
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 

Recently uploaded (20)

Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 

I N T E R O P09 Suhas Desai Secure Your Vo I P Network With Open Source

  • 1. Secure Your VoIP Network with Open Source Suhas Desai www.interop.com/mumbai Friday, 9 October 2009, 12:15–01:30 PM, Bombay Exhibition Centre 10/12/2009 Track: Emerging Technology and Trends - Open Source
  • 2. Agenda About VoIP Security Open Source Testing Tools Sample Testing Approach Summary Confidential © Tech Mahindra 2008 2
  • 3. Agenda About VoIP Security Open Source Testing Tools Sample Testing Approach Summary Confidential © Tech Mahindra 2008 3
  • 4. VoIP Overview Introduction to VoIP  VoIP is being rapidly embraced across most markets as an alternative to the traditional PSTN  VoIP deployment can impact applications, networks and infrastructure that use a wide variety of platform base  The cost savings of VoIP as compared to that of circuit switched networks is encouraging companies to move to VoIP Issues and Concerns  VoIP deployment has brought along with it many security concerns like Non- Repudiation, Authentication, Call Quality, Integrity and Privacy  VoIP calls to PSTN are not allowed in India Confidential © Tech Mahindra 2008 4
  • 5. VoIP Security Threats & Impact VoIP Security Threats • An attacker tries to break telephone network and uses this network Phreaking for malicious activities like making long calls or to tap conversions. Eavesdropping • An attacker tries to intercept telephone lines with electronic devices. • Voice Phishing is used to leverage VoIP technology for social Vishing engineering to retrieve confidential information like credit card numbers, financial details. SPIT • Spamming over Internet Telephony is like e-mail spamming where VoIP calls are sent as a spam to victim. Impact  Loss of Confidentiality, Integrity and Authentication  Loss of Privacy  Non-repudiation  Social Threats  QoS Confidential © Tech Mahindra 2008 5
  • 6. Possible Mitigation Considerations Deploy VoIP traffic monitors •Monitor the connections for logging the fraudulent activities. Employ encryption techniques •Strong encryption techniques allow privacy and confidentiality over the network. Use voice firewalls •Control inbound and outbound connections by filtering the traffic. Use adequate security infrastructure •Deploy secure gateways, gatekeepers & proxy servers to protect network traffic. Use IPsec tunneling •IPsec provides the secure communication over network by providing authentication and encryption. Conduct regular security audits •Audit VoIP network regularly for security vulnerabilities . Use VoIP platforms with adequate security features •Prefer proven VoIP platform with built in security features for development and deployment of VoIP applications. Confidential © Tech Mahindra 2008 6
  • 7. Agenda About VoIP Security Open Source Testing Tools Sample Testing Approach Summary Confidential © Tech Mahindra 2008 7
  • 8. Commercial Security Tools Need to perform security assessment of VoIP network with below tools! Commercial Security Testing Tools Tool Description CommView VoIP Analyzer Captures Real-time VoIP events. Etherpeek Sniffs VoIP traffic. EnableSecurity VoIPPack for CANVAS Performs scans, enumeration, and password attacks. Detects the actual protocol, administrative interfaces and VoIP Passive Vulnerability Scanner scanner(s). VoIPAudit VoIP vulnerability scanner. SiPBlast Tests VoIP infrastructure. NSAUDITOR SIP UDP traffic generator / flooder . Codenomicon VoIP Fuzzers Commercial versions of the free PROTOS toolset. Mu Dynamics VoIP, IPTV, IMS Fuzzing Platform Fuzzing appliance for SIP, Diameter, H.323 and MGCP protocols. Spirent ThreatEx Protocol Fuzzer and robustness tester. SiPCPE Evaluates SIP infrastructure protocol. Confidential © Tech Mahindra 2008 8
  • 9. Open Source and VoIP Why Open Source?  Source code available  Easy to customize, code reuse and redistributable.  Cost Savings Open Source Tools SIP Proxies SIP Clients Mini-SIP-Proxy, MjServer, MySIPSwitch, Cockatoo, Ekiga, FreeSWITCH, JPhone, Kphone, NethidPro3.0.6, Net-SIP, JAIN-SIP Linphone, minisip,MjUA, OpenSIPStack, OpenZoep, Proxy,OpenSBC,OpenSER, PJSUA, QuteCom ex-Open Wengo, SFLphone, OpenSIPS, partysip, SaRP, sipd, SIPExpress Router, Shtoom, SipToSis, sipXezPhone, sipXphone, Twinkle, Siproxd, SIPVicious, sipX, Vocal, Yxa. YATE, YeaPhone. SIP Tools H.323 Clients Callflow, Open Source Asterisk AMI, pjsip-perf, miTester for SIP,PROTOS Test Suite, FGnomeMeeting, ohphoneX,OpenPhone SFTF, SIP CallerID, SIPbomber, Sipp, Sipper, SIP Proxy, Sipsak, SIP Soft client, SIPVicious tool suite, SMAP, Vovida.org load balancer. H.323 Gatekeeper RTP Proxies GNU Gatekeeper AG Projects,Maxim Sobolev's RTPproxy,MediaProxy. Confidential © Tech Mahindra 2008 9
  • 10. Contd… PBX Platforms Security Testing Tools Asterisk, CallWeaver, OpenPBX, VoIP Sniffing Tools PBX4Linux, SIPexchange PBX Pingtel's AuthTool, Cain & Abel, Oreka, PSIPDump, rtpBreak , SIP PBX, sipwitch,sipX. SIPomatic, SIPv6 Analyzer, UCSniff, VoiPong, VoIPong ISO Bootable, VOMIT , WIST. VoIP Scanning and Enumeration Tools: IVR Platforms enumIAX, iaxscan, iWar, SCTPScan, Bayonne, CT Server, OpenVXI,SEMS, sipX PBX, SIP Forum Test Framework (SFTF), SIP-Scan, VoiceXML SIPcrack, Sipflanker, SIPSCAN , SiVuS, SMAP. VoiceMail Servers VoIP Packet Flooding Tools: IAXFlooder, INVITE Flooder, kphone-ddos , RTP Flooder, Scapy, SIPBomber, SIPsak, SIPp . Lintad, OpenUMS, SEMS,VOCP. Fax Servers VoIP Fuzzing Tools: Asteroid, PROTOS H.323 Fuzzer, PROTOS SIP Fuzzer Asterisk Fax Email Gateway, Lintad,Hylafax. VoIP Signaling Manipulation Tools: Development Platforms BYE Teardown, SipRogue, VoIPHopper H323plus, OpenBloX, Ooh323c, ++Skype. Confidential © Tech Mahindra 2008 10
  • 11. Best Practices for Using Open Source Tools Monitor VoIP traffic • Continuously monitor VoIP traffic to identify VoIP attacks. Use tools - SIP-Scan, SiVuS , SMAP etc. Use encryption • Apply encryption for end points communication. Use SRTP (Secure Real Time Protocol). Use Firewalls • Put VoIP network before open source firewalls. Use firewalls - iptables. Conduct security audits • Audit VoIP network regularly for security vulnerabilities and configuration flaws. Use - VoIP Security Audit Program (VSAP). Secure gateways, gatekeepers • Control the number of concurrent connections for proper utilize bandwidth. Secure proxy servers • Authenticate authorized access control. Use Asterisk. Use IPsec tunneling • Ipsec provides secure communication over the public networks. Secure VoIP platforms • Prefer VoIP platform with built in security features for development and deployment of VoIP applications Confidential © Tech Mahindra 2008 11
  • 12. Contd… Open source products/tools provides options for :  Secure configuration of servers  Secure configuration of clients  Securing gateways  Securing Firewalls VOIP/SIP Security Assessment with Open Source before deployment : VoIP Security Footprinting Scanning Testing Eavesdropping SiVuS Nessus •Cain and Abel •VoIPong •vomit Fuzzing nmap SiVuS •PROTOS SIP fuzzing suite SIP Protocol Testing •SIP Bomber
  • 13. Agenda About VoIP Security Open Source Testing Tools Sample Testing Approach Summary Confidential © Tech Mahindra 2008 13
  • 14. Example 1 : SiVuS Security assessment with SiVuS tool  SiVuS  SiVuS is the vulnerability scanner for VoIP networks that use the SIP protocol.  The scanner provides several powerful features to verify the robustness and secure implementation of a SIP component.  SiVuS is used to verify the robustness and security of their SIP implementations by generating the attacks that are included in the SiVuS database or by crafting their own SIP messages using the SIP message generator. 1. SIP Component Discovery 2. Message Generator Confidential © Tech Mahindra 2008 14
  • 15. Example 1 : SiVuS Security assessment with SiVuS tool 3. Security Findings Report Confidential © Tech Mahindra 2008 15
  • 16. Example 2 : SIP Bomber Security assessment with SIP Bomber  SIP Bomber:  SIP Bomber is used to test SIP-protocol implementation.  SIP Bomber is complied on Linux machines with asterisk server for testing of SIP server implementation. 1. Message Generator 2. Password Validation Confidential © Tech Mahindra 2008 16
  • 17. Agenda About VoIP Security Open Source Testing Tools Sample Testing Approach Summary Confidential © Tech Mahindra 2008 17
  • 18. Summary  Building VoIP network with open source is cost effective and reliable.  VoIP network can be secured with open source tools, its configurations and settings.  Tools like SiVuS and SIP Bomber can be used to assess your VoIP security. References Web • http://www.voipsa.org • http://www.voip-info.org Books • Patrick Park;”Voice over IP Security” - Ciscopress. • Thomas Porter, Jan Kanclirz Jr;”Practical VoIP Security” - Syngress Publishing, Inc. • James Ransome and John Rittinghouse;”Voice over Internet Protocol Security” - Elsevier • Alan B. Johnston, David M. Piscitello;”Understanding Voice over IP Security” -Artech House Confidential © Tech Mahindra 2008 18