Title: Voice Over IP Risks and Controls
2. Voice Over IP Risks and Controls
- Session Number 37
- George G. McBride
- October 5, 2004, 1:30 PM - 3:00 PM
3. Key Points To Cover This Afternoon
- The fundamentals and security concerns of VoIP
- Mitigating risks associated with VoIP
- Confidentiality, integrity, authentication, availability, access, and non-repudiation
- Determining what to look for in an audit
- Measuring risk and recommending actions to reduce vulnerability
4. Real Quick Introduction
- What is Voice over IP?
- Definition: Transmission of voice over the IP Network
- Why is it important to companies?
- (and sometimes services)
- Is this brand new?
- SIP and H.323 Standards have been around since the mid 1990s
- Why now?
5. VoIP Introduction
- What do you need for a VoIP network?
- The IP Part: A data network
- The V Part: VoIP specific equipment
- H.323 and SIP are two different sets of protocols and have different infrastructure requirements
- There is some commonality between the two!
6. VoIP Implementation
- Who put the VoIP infrastructure in place?
- Many times, the designers and implementers are the traditional voice personnel
- May be just learning the new technology
- Nevertheless, the technology including products, protocols, and services are very new and experts are limited!
7. What Are The Threats?
| Concern | PSTN Controls | VoIP Controls |
|---|---|---|
| Confidentiality | Physical | Encryption |
| Integrity | Physical | Encryption/Checksums |
| Availability | Physical Access Control | Logical Access Control |
| Authentication | Recognition, Caller ID | User ID and Password |
| Authorization | Access Control, Caller ID | Access Control |
| Design | Large/Complex/Centralized | Varies/Distributed |
| Interoperability | Centralized, Very Tested | Distributed, Ad-Hoc |
8. The Legal Threat
- Discussions, debates, and actions are currently underway to determine whether or not the Communications Assistance to Law Enforcement Act (CALEA) requirements apply to VoIP technologies.
- Service Providers Only?
- All Companies?
9. Emergency Services
- 911 Emergency Services
- PSTN/POTS locations are generally assigned by physical port and generally don't move around!
- VoIP Phones by definition are usually portable and are simply based on IP addresses
- How are location services managed? Updated? Logged?
- Is it real-time?
10. The Biggest Threat!
- Your organization is responsible for the costs related to toll fraud
- When the VoIP Gateway is compromised and hackers use the gateway for unlimited international dialing, your company is responsible for the toll charges
- I still don't have any figures to share. Do you?
11. Problems With Auditing VoIP
- We're often asked to audit the VoIP infrastructure against the current policies
- These policies do not address the minimum security baseline for a VoIP infrastructure
- Typical VoIP audits are also part assessment
12. The Audit Documentation Review
- Should begin with a formal review of all corporate documentation regarding the VoIP infrastructure
- IP Network Infrastructure
- Corporate Service Offerings
- VoIP Infrastructure
- Client Devices
- Acceptable Use statements
- PSTN Interface SLAs
13. Auditing Risk Management
- One of the most important aspects to manage!
- Identification and Inventory of Assets
- Understanding of threats, vulnerabilities, and controls
- Cannot be evaluated in isolation. Threats and vulnerabilities are internal and external.
- This is one area where Audit and IT Security can work together.
14. Auditing The Architecture
- Architecture
- Need personnel with auditing, technology, and product know-how!
- Start from the top down to understand the details as you encounter them
- There may not be a right architecture, but there are many wrong ones
15. Before You Begin!
- From your IT Organization's source, obtain an inventory of the VoIP infrastructure
- Obtain all documentation and specifications from the vendor to understand what you have and what it is supposed to do
- Obtain configuration information
- Review on-line vulnerability/risk databases
16. Auditing Concerns
- The next few slides highlight some VoIP specific concerns that we should review.
- Are these part of your organization's standards, practices, procedures, and policies?
- This is a highlight of a number of areas that should be reviewed. There are plenty more!
17. Basic Auditing Considerations
- Physical Security
- The old telecom closets are often neglected and may be insecure. Where is your VoIP equipment?
- Protect test and trial equipment as you would production equipment. It usually has production grade configuration information
- Ensure UPS equipment can handle the new loads
18. Business Continuity Planning and Disaster Recovery
- Have you incorporated the entire VoIP infrastructure into the BCP/DR efforts?
- Have you tested it?
- Are the employees aware of it?
- Be aware of limited restores.
- Companies today tend to build significant features into their VoIP phones that they've grown to need.
19. Logical Auditing Concerns
- VLAN Usage
- Separate voice and data on logically separate networks.
- Each VLAN should have a separate DHCP Server and management system
- Promotes QoS Issues
- VLAN Jumping still an issue, depending on equipment
20. Logical Auditing Concerns (Cont)
- Firewalls
- Are you using the right one for your environment?
- Is it VoIP Specific? Does it support SIP or H.323? What about Megaco?
- Does it support Application Level Gateways or Proxies?
- Pinholing?
- Is it stateful?
21. Auditing The Firewall
- Obtain the Firewall rule sets.
- Can you experiment in a lab setting? This is great to validate the firewall rule sets!
- What are the static ports?
- Port 1720 for Call Signaling
- Usually H.225 traffic.
- Any others for management?
- What are the required dynamic ports?
- Even a VoIP-aware firewall will require reviewing, tuning, and tweaking
22. Logical Auditing Concerns (Cont)
- Interfaces
- PSTN to VoIP Infrastructure
- At the Voice Gateway: Are SIP, H.323, MGCP, and Megaco connections from the data network prohibited?
- What authentication is configured? Required?
23. The Firewall
- A Great Cisco Whitepaper highlights key areas where voice and data traffic intersect and should have firewall protection
- PC Based IP Phones (d) requiring access to the voice segment (v) to place calls
- IP Phones (d) and call managers (v) accessing voice-mail
- Users (d) accessing the proxy server (v)
- Proxy Server (v) accessing network resources (d)
- IP Phones (v) to call processing manager (v) or proxy server (v) because the interaction uses the data segment to communicate
24. Firewall NAT
- NAT, Network Address Translation, helps to efficiently utilize resources and to provide some level of security.
- Full Cone (1:1 address and port)
- Restricted Cone: same as full cone, incoming packets are rejected unless an outbound one originated the traffic (looks at IP Address Only)
- Port Restricted Cone: Like Restricted Cone but restricts the inbound packet as it must be returning to the same outbound port
- Symmetric NAT: Different mapping for each inbound/outbound pair.
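The four NAT behaviours listed above, as a small added model (not part of the original slides) that shows which of them admit a packet from a peer the phone has not contacted. The class and function names, the port numbering and the documentation-range addresses are assumptions made for illustration.

```python
# Toy model of the four NAT behaviours; all addresses are constructed samples.
KINDS = ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric")

class Nat:
    def __init__(self, kind, public_ip="203.0.113.1"):
        if kind not in KINDS:
            raise ValueError(kind)
        self.kind, self.public_ip = kind, public_ip
        self.next_port = 40000
        self.mappings = {}    # mapping key -> public port
        self.contacted = {}   # public port -> {(remote_ip, remote_port)} sent to

    def outbound(self, src, dst):
        """Translate an outbound packet; returns the public (ip, port) used."""
        # Symmetric NAT allocates a mapping per (source, destination) pair;
        # the cone types reuse one mapping per internal source.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.contacted.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound_allowed(self, public_port, remote):
        """Would a packet from `remote` to this public port be forwarded inside?"""
        peers = self.contacted.get(public_port)
        if peers is None:
            return False                                  # no mapping exists
        if self.kind == "full_cone":
            return True                                   # anyone may use the mapping
        if self.kind == "restricted_cone":
            return remote[0] in {ip for ip, _ in peers}   # IP address only
        return remote in peers                            # IP and port must match

def admitted_on_mapping(remote):
    """A phone signals to a SIP proxy; is a packet from `remote` then let in?"""
    phone, proxy = ("10.0.0.5", 5060), ("198.51.100.10", 5060)
    result = {}
    for kind in KINDS:
        nat = Nat(kind)
        _, public_port = nat.outbound(phone, proxy)
        result[kind] = nat.inbound_allowed(public_port, remote)
    return result

if __name__ == "__main__":
    print(admitted_on_mapping(("198.51.100.10", 16384)))  # proxy host, other port
    print(admitted_on_mapping(("198.51.100.77", 16384)))  # a different host
```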
25. Logical Auditing Concerns (Cont)
- Remote Management
- Use SSH only for remote administration and management.
- Telnet is dead.
- For the truly paranoid, use dedicated consoles for each management server
- How are the configuration files protected? Backed-up?
26. QoS: Quality of Service
- Is Quality of Service a Security Issue?
- It is when the security features impact the VoIP QoS levels.
- You'll invariably be asked about it during your Audit
- The next few slides highlight some QoS issues
27. QoS
- Latency: time from source to destination. The ITU-T recommended upper bound for latency is less than 150ms.
- Queuing
- Encoding
- Packetization
- Transmission
28. Jitter
- Jitter: the time differences between packet arrival on the receiving end.
- Jitter often affects QoS more than latency
- Caused by low bandwidth
- Can cause packets to be processed out of sequence and/or dropped if they fall outside of the receiving buffer
- Firewalls are a big source of jitter introduction
29. Bandwidth and Packet Loss
- What is the available bandwidth for VoIP traffic? If on a VLAN, this answer is easy to compute. If on a shared network, this is quite a bit different (and more variable).
- Packet Loss results from excessive latency or jitter as well as a result of voice-data riding over UDP.
30. What about H.235
- Provides H.323 Security Features through defined profiles which provide different levels of security.
- These must be required, not an optional implementation, as clients may choose not to use the features.
31. H.235v2/3
- Builds up from H.235 and offers enhanced encryption as well as:
- Annex D: Shared secrets and keyed hashes
- Annex E: Digital signatures on every message
- Annex F: Digital signatures and shared secret establishment
- Is it required?
32. What about Session Initiation Protocol (SIP)?
- SIP Offers HTTP Digest Authentication
- Based on a challenge-response system
- Replaces HTTP Basic Authentication so that the password is not sent in the clear!
- S/MIME can be used to enable public key distribution as well as authentication and integrity protection
- Authentication (and Integrity) of signaling data
- Confidentiality of signaling data
33. SIP Security With TLS
- TLS: Successor of SSL, protects SIP signaling (integrity, confidentiality, replay)
- Only works with TCP based SIP signaling
- Must be configured hop-by-hop between user agents and proxies or between proxies
- Provides key management with mutual authentication and secure key distribution
34. SIP Security
- Besides TLS, SIP also supports
- HTTP Digest
- IPSec (With IKE)
- IPSec (With manual key exchange)
- S/MIME
- Be aware of bidding down attacks
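An added example (not from the original slides) of the challenge-response exchange behind the HTTP Digest authentication that SIP offers, using the RFC 2617 qop=auth computation; the function names, the dictionary layout and the sample account are assumptions made for illustration. The server-side check also refuses a reply that omits the qop it offered, one instance of the bidding-down concern noted above.

```python
import hashlib
import hmac
import secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def request_digest(ha1, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 request-digest for qop=auth, the scheme SIP reuses."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_reply(user, realm, password, method, uri, challenge, cnonce=None):
    """User agent side: answer the challenge; the password itself is never sent."""
    cnonce = cnonce or secrets.token_hex(4)
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    reply = {"username": user, "realm": realm, "uri": uri, "nc": "00000001",
             "nonce": challenge["nonce"], "qop": challenge["qop"], "cnonce": cnonce}
    reply["response"] = request_digest(ha1, method, uri, reply["nonce"],
                                       reply["nc"], cnonce, reply["qop"])
    return reply

def server_verify(stored_ha1, method, challenge, reply):
    """Registrar side: recompute the digest from the stored HA1 and compare."""
    # Reject a reply that drops the qop we offered (bid-down to the weaker
    # legacy digest) or that answers a nonce we did not issue.
    if reply.get("qop") != challenge["qop"] or reply.get("nonce") != challenge["nonce"]:
        return False
    expected = request_digest(stored_ha1, method, reply["uri"], reply["nonce"],
                              reply["nc"], reply["cnonce"], reply["qop"])
    return hmac.compare_digest(expected, reply.get("response", ""))

if __name__ == "__main__":
    # Constructed SIP REGISTER exchange; account and realm are illustrative.
    challenge = {"nonce": secrets.token_hex(16), "qop": "auth"}
    stored = md5_hex("alice:voip.example.com:correct horse")
    reply = client_reply("alice", "voip.example.com", "correct horse",
                         "REGISTER", "sip:voip.example.com", challenge)
    print("verified:", server_verify(stored, "REGISTER", challenge, reply))
    print("password on the wire:", "correct horse" in str(reply))
```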
35. SRTP
- Secure Real-time Transport Protocol
- A profile of RTP offers confidentiality, authentication, and replay protection
- Encrypts Payloads
- Independent of the key management system
- Independent of the RTP stack chosen
- Can use AES
- Hardware Crypto Support, although it was designed with low computational requirements.
36. SRTP Audit Points
- Keep these things in mind
- How are the encryption keys distributed?
- Pre-Shared
- Public Key
- Diffie-Hellman Key Exchange using Public Key
- Diffie-Hellman Key Exchange using Pre-Shared Secret
- Is it only being used for encryption or also integrity and replay-attack protection?
37. What I'm Seeing
- Default administration accounts
- Ineffective encryption (It may be AES, but not in use at key points)
- Web-Server interfaces (It may be easier for the admin and the bad-guys!)
- DHCP and TFTP Server Spoofing and Insertion Attacks
38. What I'm Seeing
- Random responses to invalidly formatted or excessive packets
- Security mechanisms susceptible to bidding-down attacks
- Firewalls that require just a bit of tuning to disable that service that isn't required or the ports that can be closed
39. What's in my toolbox?
- In order to perform a technical based review, you'll need some tools
- Sniffers
- Injectors
- Vulnerability Scanners
- Some important documents from the ITU, NIST, ETSI, and most importantly, equipment vendors!
40. Network Sniffers
- Empirix Hammer Call Analyzer
- VoIP Specific
- Great for beginners through advanced users
- Very expensive
41. VoIP Sniffers Also Do Call Analysis
42. Network Sniffers
- Ethereal
- Requires more work to decode the packets and review traffic
- It's Open Source, it's free, and it's supported through a large user community
43. Network Traffic Injectors
- Available From http://www.komodia.com/
- Great Packet Crafting Tool
44. SiVus
45. SiVus
46. Various Documents
47. Additional Resources
- National Institute of Standards and Technology, Security Considerations for Voice Over IP Systems: http://csrc.nist.gov/publications/nistpubs/
- Empirix Call Analyzer: http://www.empirix.com/Empirix/NetworkIPStorageTest/
- SiVus at VoP Security: http://www.vopsecurity.org/
- IETF/ITU Documents
- ETSI Tiphon Documents
- J. Halpern, IP Telephony Security in Depth, Cisco
48. VoIP Summary
- Know your stuff! Or hire those that do!
- VoIP technology is still evolving and is very complex!
- It's more than just voice on the IP network
- Look for everything you would look for with a standard Audit and you'll knock out a lot of the common audit findings.
- Watch mis-configurations on VoIP. Understand the configurations. What looks good may not be.
49. Contact Information
- Please contact me with any questions, comments, complaints, or new developments.