Voice Over IP Risks and Controls - PowerPoint PPT Presentation

Description:

October 5, 2004 1:30 PM 3:00 PM 2004 Lucent Technologies World Wide Services. 3 ... Web-Server interfaces (It may be easier for the admin and the bad-guys! ... – PowerPoint PPT presentation


Transcript and Presenter's Notes

2
Voice Over IP Risks and Controls
  • Session Number 37
  • George G. McBride
  • October 5, 2004, 1:30 PM to 3:00 PM

3
Key Points To Cover This Afternoon
  • The fundamentals and security concerns of VoIP
  • Mitigating risks associated with VoIP
  • Confidentiality, integrity, authentication,
    availability, access, and non-repudiation
  • Determining what to look for in an audit
  • Measuring risk and recommending actions to reduce
    vulnerability

4
Real Quick Introduction
  • What is Voice over IP?
  • Definition: Transmission of voice over the IP
    Network
  • Why is it important to companies?
  • (and sometimes services)
  • Is this brand new?
  • SIP and H.323 Standards have been around since
    the mid 1990s
  • Why now?

5
VoIP Introduction
  • What do you need for a VoIP network?
  • The IP Part: A data network
  • The V Part: VoIP specific equipment
  • H.323 and SIP are two different sets of protocols
    and have different infrastructure requirements
  • There is some commonality between the two!

6
VoIP Implementation
  • Who put the VoIP infrastructure in place?
  • Many times, the designers and implementers are
    the traditional voice personnel
  • May be just learning the new technology
  • Nevertheless, the technology including products,
    protocols, and services are very new and
    experts are limited!

7
What Are The Threats?
Concern          | PSTN Controls               | VoIP Controls
Confidentiality  | Physical                    | Encryption
Integrity        | Physical                    | Encryption/Checksums
Availability     | Physical Access Control     | Logical Access Control
Authentication   | Recognition, Caller ID      | User ID and Password
Authorization    | Access Control, Caller ID   | Access Control
Design           | Large/Complex/Centralized   | Varies/Distributed
Interoperability | Centralized, Very Tested    | Distributed, Ad-Hoc

8
The Legal Threat
  • Discussions, debates, and actions are currently
    underway to determine whether or not the
    Communications Assistance to Law Enforcement Act
    (CALEA) requirements apply to VoIP technologies.
  • Service Providers Only?
  • All Companies?

9
Emergency Services
  • 911 Emergency Services
  • PSTN/POTS locations are generally assigned by
    physical port and generally don't move around!
  • VoIP Phones by definition are usually portable
    and are simply based on IP addresses
  • How are location services managed? Updated?
    Logged?
  • Is it real-time?

10
The Biggest Threat!
  • Your organization is responsible for the costs
    related to toll fraud
  • When the VoIP Gateway is compromised and hackers
    use the gateway for unlimited international
    dialing, your company is responsible for the toll
    charges
  • I still don't have any figures to share. Do you?

11
Problems With Auditing VoIP
  • We're often asked to audit the VoIP
    infrastructure against the current policies
  • These policies do not address the minimum
    security baseline for a VoIP infrastructure
  • Typical VoIP audits are also part assessment

12
The Audit Documentation Review
  • Should begin with a formal review of all
    corporate documentation regarding the VoIP
    infrastructure
  • IP Network Infrastructure
  • Corporate Service Offerings
  • VoIP Infrastructure
  • Client Devices
  • Acceptable Use statements
  • PSTN Interface SLAs

13
Auditing Risk Management
  • One of the most important aspects to manage!
  • Identification and Inventory of Assets
  • Understanding of threats, vulnerabilities, and
    controls
  • Cannot be evaluated in isolation. Threats and
    vulnerabilities are internal and external.
  • This is one area where Audit and IT Security can
    work together.

14
Auditing The Architecture
  • Architecture
  • Need personnel with auditing, technology, and
    product know-how!
  • Start from the top down to understand the details
    as you encounter them
  • There may not be a right architecture, but
    there are many wrong ones

15
Before You Begin!
  • From your IT Organization's source, obtain an
    inventory of the VoIP infrastructure
  • Obtain all documentation and specifications from
    the vendor to understand what you have and what
    it is supposed to do
  • Obtain configuration information
  • Review on-line vulnerability/risk databases

16
Auditing Concerns
  • The next few slides highlight some VoIP specific
    concerns that we should review.
  • Are these part of your organization's standards,
    practices, procedures, and policies?
  • This is a highlight of a number of areas that
    should be reviewed. There are plenty more!

17
Basic Auditing Considerations
  • Physical Security
  • The old telecom closets are often neglected and
    may be insecure. Where is your VoIP equipment?
  • Protect test and trial equipment as you would
    production equipment. It usually has production
    grade configuration information
  • Ensure UPS equipment can handle the new loads

18
Business Continuity Planning & Disaster Recovery
  • Have you incorporated the entire VoIP
    infrastructure into the BCP/DR efforts?
  • Have you tested it?
  • Are the employees aware of it?
  • Be aware of limited restores.
  • Companies today tend to build significant
    features into their VoIP phones that they've
    grown to need.

19
Logical Auditing Concerns
  • VLAN Usage
  • Separate voice and data on logically separate
    networks.
  • Each VLAN should have a separate DHCP Server and
    management system
  • Promotes QoS Issues
  • VLAN Jumping still an issue, depending on
    equipment

20
Logical Auditing Concerns (Cont)
  • Firewalls
  • Are you using the right one for your environment?
  • Is it VoIP Specific? Does it support SIP or
    H.323? What about Megaco?
  • Does it support Application Level Gateways or
    Proxies?
  • Pinholing?
  • Is it stateful?

21
Auditing The Firewall
  • Obtain the Firewall rule sets.
  • Can you experiment in a lab setting? This is
    great to validate the firewall rule sets!
  • What are the static ports?
  • Port 1720 for Call Signaling
  • Usually H.225 traffic.
  • Any others for management?
  • What are the required dynamic ports?
  • Even a VoIP-aware firewall will require
    reviewing, tuning, and tweaking

22
Logical Auditing Concerns (Cont)
  • Interfaces
  • PSTN to VoIP Infrastructure
  • At the Voice Gateway: Are SIP, H.323, MGCP, and
    Megaco connections from the data network
    prohibited?
  • What authentication is configured? Required?

23
The Firewall
  • A Great Cisco Whitepaper highlights key areas
    where voice and data traffic intersect and should
    have firewall protection
  • PC Based IP Phones (d) requiring access to the
    voice segment (v) to place calls
  • IP Phones (d) and call managers (v) accessing
    voice-mail
  • Users (d) accessing the proxy server (v)
  • Proxy Server (v) accessing network resources (d)
  • IP Phones (v) to call processing manager (v) or
    proxy server (v) because the interaction uses the
    data segment to communicate

24
Firewall NAT
  • NAT (Network Address Translation) helps to
    efficiently utilize resources and to provide some
    level of security.
  • Full Cone (1:1 address and port)
  • Restricted Cone: same as full cone, but incoming
    packets are rejected unless an outbound one
    originated the traffic (looks at IP Address Only)
  • Port Restricted Cone: Like Restricted Cone but
    restricts the inbound packet as it must be
    returning to the same outbound port
  • Symmetric NAT: Different mapping for each
    inbound/outbound pair.
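
The four NAT behaviours above, modelled as an added example (not part of the original slides) so an auditor can see which inbound packets each type forwards. The class, function names and addresses are constructed for illustration.

```python
class Nat:
    def __init__(self, kind):
        self.kind = kind  # "full", "restricted", "port_restricted" or "symmetric"
        self.public_ip = "203.0.113.1"  # constructed documentation address
        self.next_port = 40000
        self.maps = {}  # mapping key -> public port
        self.sent = {}  # public port -> {(dst_ip, dst_port)} contacted through it

    def outbound(self, src, dst):
        """Translate an outbound packet; src and dst are (ip, port) tuples."""
        # Symmetric NAT allocates a public port per (source, destination) pair;
        # the three cone types reuse one public port per internal source.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.maps:
            self.maps[key] = self.next_port
            self.next_port += 1
        port = self.maps[key]
        self.sent.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound_allowed(self, remote, public_port):
        """Is a packet from remote (ip, port) to public_port forwarded inside?"""
        peers = self.sent.get(public_port)
        if peers is None:
            return False  # no mapping exists for this port
        if self.kind == "full":
            return True  # any outside host may use the mapping
        if self.kind == "restricted":
            return remote[0] in {ip for ip, _ in peers}  # IP address only
        return remote in peers  # port restricted and symmetric: IP and port

def compare_nat_types():
    """Constructed scenario: a phone signals to a proxy, then packets arrive."""
    phone, proxy = ("10.0.0.5", 5060), ("198.51.100.10", 5060)
    same_host_other_port = ("198.51.100.10", 16384)
    stranger = ("192.0.2.99", 5060)
    out = {}
    for kind in ("full", "restricted", "port_restricted", "symmetric"):
        nat = Nat(kind)
        _, port = nat.outbound(phone, proxy)
        accepted = tuple(nat.inbound_allowed(r, port)
                         for r in (proxy, same_host_other_port, stranger))
        # Does a second destination see the same public port?
        reused = nat.outbound(phone, ("192.0.2.50", 3478))[1] == port
        out[kind] = (accepted, reused)
    return out
```

Each result is (accepted-from proxy, same host on another port, stranger) followed by whether the public port is reused for a second destination.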

25
Logical Auditing Concerns (Cont)
  • Remote Management
  • Use SSH only for remote administration and
    management.
  • Telnet is dead.
  • For the truly paranoid, use dedicated consoles
    for each management server
  • How are the configuration files protected?
    Backed-up?

26
QoS: Quality of Service
  • Is Quality of Service a Security Issue?
  • It is when the security features impact the VoIP
    QoS levels.
  • You'll invariably be asked about it during your
    Audit
  • The next few slides highlight some QoS issues

27
QoS
  • Latency: time from source to destination. The
    ITU-T recommends that latency be less than
    150 ms.
  • Queuing
  • Encoding
  • Packetization
  • Transmission

28
Jitter
  • Jitter: the time differences between packet
    arrivals on the receiving end.
  • Jitter often affects QoS more than latency
  • Caused by low bandwidth
  • Can cause packets to be processed out of sequence
    and/or dropped if they fall outside of the
    receiving buffer
  • Firewalls are a big source of jitter introduction

29
Bandwidth & Packet Loss
  • What is the available bandwidth for VoIP traffic?
    If on a VLAN, this answer is easy to compute.
    If on a shared network, this is quite a bit
    different (and more variable).
  • Packet loss results from excessive latency or
    jitter, and from voice data riding over UDP.

30
What about H.235?
  • Provides H.323 Security Features through defined
    profiles which provide different levels of
    security.
  • These must be required, not an optional
    implementation as clients may choose not to use
    the features.

31
H.235v2/3
  • Builds up from H.235 and offers enhanced
    encryption as well as:
  • Annex D: Shared secrets and keyed hashes
  • Annex E: Digital signatures on every message
  • Annex F: Digital signatures and shared secret
    establishment
  • Is it required?

32
What about Session Initiation Protocol (SIP)?
  • SIP Offers HTTP Digest Authentication
  • Based on a challenge-response system
  • Replaces HTTP Basic Authentication so that the
    password is not sent in the clear!
  • S/MIME can be used to enable public key
    distribution as well as authentication and
    integrity protection
  • Authentication (and Integrity) of signaling data
  • Confidentiality of signaling data

33
SIP Security With TLS
  • TLS (successor of SSL) protects SIP signaling
    (integrity, confidentiality, replay)
  • Only works with TCP based SIP signaling
  • Must be configured hop-by-hop between user agents
    and proxies or between proxies
  • Provides key management with mutual
    authentication and secure key distribution

34
SIP Security
  • Besides TLS, SIP also supports
  • HTTP Digest
  • IPSec (With IKE)
  • IPSec (With manual key exchange)
  • S/MIME
  • Be aware of bidding down attacks
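
An added example (not from the original slides) tying the Digest challenge-response slide to the bidding-down warning: the client computes the RFC 2617 response so the password never crosses the wire, and refuses challenges that have been weakened to Basic or stripped of qop. The function names and the refusal policy are illustrative assumptions.

```python
import hashlib
import re

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth"):
    """RFC 2617 response value: only hashes are sent, never the password."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, {param: value})."""
    scheme, _, rest = header.strip().partition(" ")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', rest)
    return scheme.lower(), {k.lower(): quoted or bare for k, quoted, bare in pairs}

def answer_challenge(header, user, password, method, uri, cnonce):
    """Illustrative client policy: answer only Digest challenges with qop=auth."""
    scheme, params = parse_challenge(header)
    if scheme != "digest":
        # A Basic challenge would put the password on the wire in the clear.
        raise ValueError(f"refusing scheme {scheme!r}")
    offered = [q.strip() for q in params.get("qop", "").split(",")]
    if "auth" not in offered:
        # Without qop the response omits cnonce and nc (legacy RFC 2069 mode);
        # treat a challenge lacking it as a possible bid-down.
        raise ValueError("refusing challenge without qop=auth")
    if params.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("unsupported algorithm")
    return digest_response(user, params["realm"], password, method, uri,
                           params["nonce"], "00000001", cnonce)
```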

35
SRTP
  • Secure Real-time Transport Protocol
  • A profile of RTP offers confidentiality,
    authentication, and replay protection
  • Encrypts Payloads
  • Independent of the key management system
  • Independent of the RTP stack chosen
  • Can use AES
  • Hardware Crypto Support, although it was designed
    with low computational requirements.

36
SRTP Audit Points
  • Keep these things in mind
  • How are the encryption keys distributed?
  • Pre-Shared
  • Public Key
  • Diffie-Hellman Key Exchange using Public Key
  • Diffie-Hellman Key Exchange using Pre-Shared
    Secret
  • Is it only being used for encryption or also
    integrity and replay-attack protection?
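
The replay protection asked about in the last audit point, as an added example (not from the original slides): a sliding-window replay list of the kind RFC 3711 describes, with a default window of 64 packets. Class and function names are constructed; the packet index is assumed to be the 48-bit value 2^16 * ROC + SEQ, and the check is only meaningful for packets whose authentication tag has already verified.

```python
class ReplayWindow:
    """Sliding-window replay list over SRTP packet indices."""

    def __init__(self, size=64):
        self.size = size
        self.top = -1   # highest index accepted so far
        self.mask = 0   # bit i set => index (top - i) was already accepted

    def check_and_update(self, index):
        """Return True for a fresh packet, False for a replay or a stale one.

        Call this only after the authentication tag has verified; without
        integrity protection an attacker can forge indices and the window
        proves nothing.
        """
        if index > self.top:
            # New highest index: slide the window forward and mark bit 0.
            shift = index - self.top
            self.mask = ((self.mask << shift) | 1) & ((1 << self.size) - 1)
            self.top = index
            return True
        offset = self.top - index
        if offset >= self.size:
            return False            # older than the window: cannot be checked
        if self.mask & (1 << offset):
            return False            # already seen: replay
        self.mask |= 1 << offset    # late but fresh: record it
        return True

def accept_stream(indices, size=64):
    """Run a sequence of packet indices through a window; return those accepted."""
    window = ReplayWindow(size)
    return [i for i in indices if window.check_and_update(i)]
```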

37
What I'm Seeing
  • Default administration accounts
  • Ineffective encryption (It may be AES, but not in
    use at key points)
  • Web-Server interfaces (It may be easier for the
    admin and the bad-guys!)
  • DHCP and TFTP Server Spoofing and Insertion
    Attacks

38
What I'm Seeing
  • Random responses to invalidly formatted or
    excessive packets
  • Security mechanisms susceptible to bidding-down
    attacks
  • Firewalls that require just a bit of tuning to
    disable that service that isn't required or the
    ports that can be closed

39
What's in my toolbox?
  • In order to perform a technical based review,
    you'll need some tools
  • Sniffers
  • Injectors
  • Vulnerability Scanners
  • Some important documents from the ITU, NIST,
    ETSI, and most importantly, equipment vendors!

40
Network Sniffers
  • Empirix Hammer Call Analyzer
  • VoIP Specific
  • Great for beginners through advanced users
  • Very expensive

41
VoIP Sniffers Also Do Call Analysis
42
Network Sniffers
  • Ethereal
  • Requires more work to decode the packets and
    review traffic
  • It's Open Source, it's free, and it's supported
    through a large user community

43
Network Traffic Injectors
Available from http://www.komodia.com/
Great Packet Crafting Tool
44
SiVus
45
SiVus
46
Various Documents
47
Additional Resources
  • National Institute of Standards and Technology,
    Security Considerations for Voice Over IP
    Systems: http://csrc.nist.gov/publications/nistpubs/
  • Empirix Call Analyzer: http://www.empirix.com/Empirix/NetworkIPStorageTest/
  • SiVus at VoP Security: http://www.vopsecurity.org/
  • IETF/ITU Documents
  • ETSI Tiphon Documents
  • J. Halpern, IP Telephony Security in Depth,
    Cisco

48
VoIP Summary
  • Know your stuff! Or hire those that do!
  • VoIP technology is still evolving and is very
    complex!
  • It's more than just voice on the IP network
  • Look for everything you would look for with a
    standard Audit and you'll knock out a lot of the
    common audit findings.
  • Watch mis-configurations on VoIP. Understand the
    configurations. What looks good may not be.

49
Contact Information
  • Please contact me with any questions, comments,
    complaints, or new developments.