Voice over IP Fundamentals - PowerPoint PPT Presentation

Slides: 32
Provided by: facultyCc83

Transcript and Presenter's Notes

1
Voice over IP Fundamentals
  • CHAPTER 10
  • Voice Security

2
  • VoIP Security Requirements
  • Integrity: the recipient should receive the
    packets that the originator sends without any
    change to content
  • Privacy: a third party should not be able to read
    the data
  • Authenticity: each party should be confident they
    are communicating with whom each claims to be
  • Availability/Protection from Denial-of-Service:
    the VoIP service should be available to users at
    all times
3
  • Shared-Key
  • A common shared-key between users
  • Each pair of users must have the same key
  • Does not scale well with multiple pairs of users
  • The key is used to encrypt the message
  • A hash is calculated from the shared key
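The shared-key scheme on this slide, as an added example that is not part of the original presentation: the sender appends a keyed hash (HMAC-SHA256) computed from the shared key, the recipient recomputes it, and any change to the packet in transit makes the check fail (the integrity requirement from slide 2). A helper also counts how many pairwise keys a population of users needs, which is the scaling problem the slide mentions. The key and the RTP-like payload are constructed sample values.

```python
import hmac
import hashlib

TAG_LEN = hashlib.sha256().digest_size   # 32-byte tag appended to each message


def pairwise_key_count(users: int) -> int:
    """Every pair of users needs its own shared key, so n users need n(n-1)/2 keys."""
    return users * (users - 1) // 2


def protect(message: bytes, shared_key: bytes) -> bytes:
    """Append a keyed hash (HMAC-SHA256) computed from the shared key to the message."""
    tag = hmac.new(shared_key, message, hashlib.sha256).digest()
    return message + tag


def verify(packet: bytes, shared_key: bytes):
    """Recompute the tag with the same key and return the message only if it matches.
    Returns None when the packet was altered in transit or the two keys differ."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(shared_key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return message


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # constructed demo key
    rtp = b"\x80\x00\x00\x01" + b"voice-frame-bytes"                # constructed RTP-like payload
    pkt = protect(rtp, key)
    print("intact   :", verify(pkt, key) == rtp)
    flipped = pkt[:4] + bytes([pkt[4] ^ 0x01]) + pkt[5:]            # one bit changed in flight
    print("tampered :", verify(flipped, key))
    print("keys for 50 users:", pairwise_key_count(50))
```

The tag gives integrity and (between the two key holders) authenticity, but not privacy: the message itself still travels in clear, which is why the slide pairs the hash with encryption under the same key.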

4
  • Asymmetric Key
  • Each user has a Private-key as well as a
    Public-key
  • Only the corresponding public-key can decrypt the
    message that is encrypted with the private-key
  • Only the corresponding private-key can decrypt
    the message that is encrypted with the public-key
  • Has a one-to-one relationship between keys
  • Keys can be exchanged over an unsecured network

5
  • Asymmetric Key
  • Phases
  • Authentication phase
  • Secure communication phase
  • CPU-intensive process
  • Unique shared secret per session

6
  • Digital Signature
  • Uses a set of complementary algorithms for
    signing and for verification
  • A Digital signature is obtained from a
    Certificate Authority (CA)
  • A hash of the message is computed and signed with
    the private key to create a Digital Signature
  • Recipient verifies the signature by running a
    verification algorithm over the message content
    using the public-key of the sender

7
  • Digital Signature continued
  • Uses a set of complementary algorithms for
    signing and for verification
  • Digital signatures provide authentication
  • Digital signatures provide message integrity
  • Each signature is appended to the message in
    clear text
  • Digital signatures do not provide privacy
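The asymmetric-key and digital-signature ideas from slides 4, 6 and 7, as an added example that is not part of the original presentation. It uses textbook RSA with a toy key built from two known Mersenne primes, no padding, and a hash truncated to 128 bits so it fits under the small modulus; all of that is a constructed teaching setup, not a usable key. It shows the two directions the slides describe (public encrypts, private decrypts; private signs, public verifies), that the signature is sent beside the clear-text message, and that a single changed byte makes verification fail.

```python
import hashlib

# Toy RSA key pair built from two known Mersenne primes (constructed for
# illustration; real keys are >= 2048 bits and use a padding scheme).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537                                 # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent, needs Python 3.8+
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def message_hash(message: bytes) -> int:
    """Hash first: the signature covers the digest, not the whole message.
    Truncated to 128 bits so it fits below the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Signing = applying the private exponent to the message hash."""
    n, d = private_key
    return pow(message_hash(message), d, n)


def verify_signature(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """The recipient recomputes the hash and checks the signature with the
    sender's public key: authentication and integrity, but no privacy."""
    n, e = public_key
    return pow(signature, e, n) == message_hash(message)


def encrypt(plaintext: int, public_key=PUBLIC_KEY) -> int:
    """Encrypt with the public key; only the matching private key can decrypt."""
    n, e = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext must be an integer below the modulus")
    return pow(plaintext, e, n)


def decrypt(ciphertext: int, private_key=PRIVATE_KEY) -> int:
    n, d = private_key
    return pow(ciphertext, d, n)


def signed_message(message: bytes):
    """Signature appended in clear text: anyone on the path can still read the message."""
    return message, sign(message)


if __name__ == "__main__":
    msg = b"INVITE sip:bob@example.com SIP/2.0"      # constructed sample
    m, sig = signed_message(msg)
    print("original verifies :", verify_signature(m, sig))
    print("tampered verifies :", verify_signature(m.replace(b"bob", b"eve"), sig))
    secret = int.from_bytes(b"session-key", "big")
    print("encrypt/decrypt   :", decrypt(encrypt(secret)) == secret)
```

The CPU cost the next slide mentions is visible here as the large modular exponentiation on every sign and decrypt; that is why real systems use the asymmetric step only to authenticate and agree a per-session shared secret, then switch to symmetric keys for the media.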

8
  • Certificate Authority
  • The Certificate Authority receives the public-key
    at the time of key generation.
  • The Certificate Authority will verify the
    identity of the sender and issue a certificate
  • Each device in the system has a public-key of the
    CA
  • At the time of contact each system will
  • Present its certificate to its peer
  • Each will run a verification
  • If verified the keys are stored

9
  • Public-key
  • Common Protocols
  • Transport Layer Security (TLS)
  • Independent of applications
  • Rides on top of Transport layer protocols
  • Can be used with multiple services
  • Record Protocol
  • Lower-layer protocol
  • Provides privacy and integrity
  • Uses DES or RC4 for encryption
  • Client layer
  • Authenticates
  • Negotiates

10
TLS
11
  • Public-key
  • Common Protocols continued
  • IPsec
  • Uses Authentication Header (AH)
  • Uses Encapsulating Security Payload (ESP)
  • AH provides authentication and integrity
  • ESP provides privacy, authenticity, and integrity
  • Tunnel-mode
  • Protects only the payload
  • Header inserted between the IP header and the
    transport layer header (TCP/UDP)
  • Transport-mode
  • Encapsulates the entire packet
  • IPsec header is added between the outer and inner
    IP headers
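The two IPsec encapsulations described on this slide, as an added example that is not part of the original presentation. It follows the RFC 4301 definitions, under which transport mode inserts the AH or ESP header between the IP header and the transport header and protects only the payload, while tunnel mode wraps the whole original packet behind a new outer IP header. It also shows what a device on the path can still parse, which is why ESP hides the UDP ports that NAT devices rely on (the NAT/firewall traversal point on a later slide). The header names and the RTP-over-UDP sample packet are constructed.

```python
# Constructed model of IPsec encapsulation using the RFC 4301 mode definitions
# (assumption stated in the lead-in). Returns header order, not real packets.

ESP_TAIL = ["ESP trailer", "ESP ICV"]


def ipsec_layout(mode: str, protocol: str, inner=("IP", "UDP", "RTP")) -> list:
    """On-the-wire header order for AH or ESP in transport or tunnel mode."""
    if protocol not in ("AH", "ESP"):
        raise ValueError(f"unknown IPsec protocol {protocol}")
    if mode == "transport":
        ip, *upper = inner
        stack = [ip, protocol, *upper]            # IPsec header between IP and transport header
    elif mode == "tunnel":
        stack = ["outer IP", protocol, *inner]    # the whole original packet becomes the payload
    else:
        raise ValueError(f"unknown mode {mode}")
    if protocol == "ESP":
        stack += ESP_TAIL                         # ESP also adds a trailer and an integrity check
    return stack


def observer_can_read(mode: str, protocol: str) -> set:
    """Fields a device on the path (a NAT or firewall, for instance) can still parse."""
    layout = ipsec_layout(mode, protocol)
    if protocol == "AH":
        return set(layout)                        # AH authenticates but never encrypts
    idx = layout.index("ESP")
    return set(layout[: idx + 1])                 # everything after the ESP header is ciphertext


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for proto in ("AH", "ESP"):
            print(f"{mode:9} {proto:3} -> {' | '.join(ipsec_layout(mode, proto))}")
            print(f"{'':13} visible on path: {sorted(observer_can_read(mode, proto))}")
```

With ESP in either mode the UDP header is encrypted, so a NAT cannot rewrite the port numbers; with tunnel mode the inner IP addresses are hidden as well, which is the stronger privacy option between two gateways.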

12
  • Public-key
  • Common Protocols continued
  • IPsec

13
  • Public-key
  • Common Protocols continued
  • IPsec
14
  • Public-key
  • Common Protocols continued
  • IPsec
15
  • Public-key
  • Common Protocols continued
  • Secure Real-time Transport Protocol (SRTP)
  • Integrity
  • Authentication
  • Privacy

16
  • Protecting Voice Devices
  • Disable Unused Ports/Services
  • Disable Telnet
  • Disable Trivial File Transfer Protocol (TFTP)
  • Simple Network Management Protocol (SNMP)
  • Use only read-only mode
  • Disable Unused Ports on layer 2 switches
  • Administrative shut down

17
  • Protecting Voice Devices continued
  • Host-based Intrusion Protection System (HIPS)
  • Software agent installed on each device
  • Collects information about traffic
  • Information compared against a set of rules
  • System can take preventive action
  • Terminating the application
  • Rate-limiting data

18
  • Protecting Voice Infrastructure
  • Segmentation
  • VLANs
  • IP addressing
  • Traffic types
  • Separate DHCP servers
  • Traffic Policing
  • Limit bandwidth to the codec used
  • G.711 is 64 kbps plus overhead
  • Queuing techniques
  • 802.1x Authentication
  • EAP protocol
  • RADIUS authentication server
  • Layer 2

19
  • Protecting Voice Infrastructure continued
  • 802.1x Authentication

20
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • DHCP Snooping
  • Only allow DHCP offers from known sources
  • Enabled on switches
  • Switch(config)# ip dhcp snooping
  • Switch(config-if)# ip dhcp snooping trust
  • Switch(config-if)# ip dhcp snooping limit rate
    <rate>
  • Switch(config)# ip dhcp snooping vlan <number>
    [number]
  • DHCP snooping binding database (IP-to-MAC)

21
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • IP Source Guard
  • Used with DHCP Snooping
  • On untrusted ports only DHCP messages allowed
    until DHCP response is received
  • Uses DHCP snooping binding database
  • Per port
  • Installs a VLAN Access Control List (VACL)

22
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • Dynamic ARP Inspection
  • Attacker sends its own MAC address as a reply
  • Man-in-the-middle attack
  • Uses the DHCP binding database
  • Drops malicious packets

23
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • CAM overflow and Port Security
  • Attacker sends fictitious MAC addresses to fill
    CAM table
  • When CAM table is filled switch will forward
    packets out all active ports (broadcast)
  • Use port security features
  • Switch(config-if)# switchport port-security
    maximum <number>

24
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • Circumventing VLANs
  • Uses trunk ports to obtain access
  • 802.1Q or ISL
  • Disable DTP on non-trunk ports
  • Switch(config-if)# switchport mode access

25
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • NIPS Network Based Intrusion Protection System
  • In series
  • In parallel
  • Examines every packet
  • Does not protect against atomic attacks
  • Delay is a problem for voice

26
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • BPDU Guard and Root Guard
  • Attacks exploit the Spanning-tree protocol
  • Listens on configured ports for BPDUs
  • Rogue device tries to become the root bridge
  • Violation can disable the port
  • Used with portfast
  • Root Guard will put the port into a
    root-inconsistent state
  • Root Guard will allow the device to participate
    in spanning-tree
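The Layer 2 tools from slides 20 through 23 and 26, as one added example that is not part of the original presentation: a constructed model of a switch that builds the DHCP snooping binding database from leases seen on trusted ports, rate-limits DHCP on untrusted ports, applies IP Source Guard and Dynamic ARP Inspection against that database, enforces a per-port MAC maximum (port security), and implements BPDU Guard and Root Guard. Port names, MAC and IP addresses, and the default limits are constructed; a real switch enforces these in hardware and resets the DHCP rate counter every second, which the model leaves to the caller.

```python
from collections import defaultdict


class L2Guard:
    """Constructed model of the Layer 2 protections on these slides.
    Every method returns True (forward) or False (drop) and logs the reason."""

    def __init__(self, trusted_ports, dhcp_rate_limit=15, max_macs=1, bridge_priority=32768):
        self.trusted = set(trusted_ports)        # uplink / DHCP-server facing ports
        self.rate_limit = dhcp_rate_limit        # DHCP packets allowed per untrusted port per interval
        self.max_macs = max_macs                 # switchport port-security maximum
        self.bridge_priority = bridge_priority   # our STP priority; a lower value wins root
        self.bindings = {}                       # ip -> (mac, port): the DHCP snooping binding database
        self.pending = {}                        # client mac -> port where its DISCOVER/REQUEST arrived
        self.dhcp_seen = defaultdict(int)        # port -> DHCP packets seen this interval
        self.cam = defaultdict(set)              # port -> learned source MACs
        self.err_disabled = set()
        self.root_inconsistent = set()
        self.log = []

    def _drop(self, reason):
        self.log.append(reason)
        return False

    # DHCP snooping: server replies only from trusted ports; leases build the binding table
    def dhcp_packet(self, port, kind, client_mac, yiaddr=None):
        if port in self.err_disabled:
            return self._drop(f"{port}: err-disabled")
        self.dhcp_seen[port] += 1
        if port not in self.trusted and self.dhcp_seen[port] > self.rate_limit:
            self.err_disabled.add(port)
            return self._drop(f"{port}: DHCP rate limit exceeded, err-disabled")
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port
            return True
        if kind in ("OFFER", "ACK"):
            if port not in self.trusted:
                return self._drop(f"{port}: DHCP {kind} from untrusted port (rogue server)")
            if kind == "ACK" and client_mac in self.pending:
                self.bindings[yiaddr] = (client_mac, self.pending.pop(client_mac))
            return True
        return self._drop(f"{port}: unknown DHCP message {kind}")

    # IP Source Guard: an untrusted port may only source IP traffic matching its binding
    def ip_packet(self, port, src_ip, src_mac):
        if port in self.trusted or self.bindings.get(src_ip) == (src_mac, port):
            return True
        return self._drop(f"{port}: {src_ip}/{src_mac} has no DHCP binding here (spoofed source)")

    # Dynamic ARP Inspection: an ARP claiming IP X must carry the MAC that leased X
    def arp_packet(self, port, sender_ip, sender_mac):
        if port in self.trusted:
            return True
        bound = self.bindings.get(sender_ip)
        if bound is None or bound[0] != sender_mac:
            return self._drop(f"{port}: ARP '{sender_ip} is-at {sender_mac}' contradicts binding")
        return True

    # Port security: more than max_macs source addresses on one port is a violation
    def learn_mac(self, port, mac):
        if port in self.err_disabled:
            return self._drop(f"{port}: err-disabled")
        self.cam[port].add(mac)
        if len(self.cam[port]) > self.max_macs:
            self.err_disabled.add(port)
            return self._drop(f"{port}: port-security violation ({len(self.cam[port])} MACs), shut down")
        return True

    # BPDU Guard: an edge (portfast) port must never see a BPDU.
    # Root Guard: a BPDU advertising a better root than ours is refused; others still take part in STP.
    def bpdu_received(self, port, advertised_root_priority, portfast=False, root_guard=False):
        if portfast:
            self.err_disabled.add(port)
            return self._drop(f"{port}: BPDU on portfast port, BPDU Guard err-disabled it")
        if root_guard and advertised_root_priority < self.bridge_priority:
            self.root_inconsistent.add(port)
            return self._drop(f"{port}: superior BPDU, Root Guard put port root-inconsistent")
        return True


if __name__ == "__main__":
    sw = L2Guard(trusted_ports={"Gi0/24"}, dhcp_rate_limit=3, max_macs=2)
    sw.dhcp_packet("Gi0/1", "DISCOVER", "aa:aa:aa:aa:aa:01")
    sw.dhcp_packet("Gi0/2", "OFFER", "aa:aa:aa:aa:aa:01", "10.0.0.5")      # rogue server, dropped
    sw.dhcp_packet("Gi0/24", "ACK", "aa:aa:aa:aa:aa:01", "10.0.0.5")       # real server, binding learned
    sw.ip_packet("Gi0/1", "10.0.0.9", "aa:aa:aa:aa:aa:01")                  # spoofed source, dropped
    sw.arp_packet("Gi0/2", "10.0.0.5", "bb:bb:bb:bb:bb:02")                 # poisoned reply, dropped
    for m in ("02", "03", "04"):
        sw.learn_mac("Gi0/3", "cc:cc:cc:cc:cc:" + m)                         # third MAC trips port security
    sw.bpdu_received("Gi0/4", 0, root_guard=True)                            # rogue root bridge attempt
    print("\n".join(sw.log))
```

The order matters in practice as much as in the model: IP Source Guard and ARP Inspection are only as good as the binding database, so DHCP snooping with correctly marked trusted ports must be in place first, and a port that is err-disabled by port security or BPDU Guard stays down until an administrator re-enables it.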

27
  • Protecting Voice Infrastructure continued
  • Layer 3 tools
  • Routing authentication
  • Not available for all protocols
  • Can use simple password
  • Can use Message-digest (MD5) encryption
  • Not available on RIPv1
  • Shared keys between systems

28
  • Protecting Voice Infrastructure continued
  • Layer 3 tools
  • TCP intercepts
  • Denial of Service attacks
  • Sends multiple SYN packets
  • Never completes the three-way handshake
  • Uses falsified IP addresses
  • Can limit half-open sessions
  • Intercept mode allows the router to respond
    before forwarding packets to client
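The half-open session limiting described on this slide, as an added example that is not part of the original presentation: a constructed model of a router's TCP intercept feature in watch mode that tracks embryonic connections per server and, once the count passes a threshold, drops the oldest incomplete handshakes so a SYN flood from falsified addresses cannot exhaust the server's backlog while a real caller still completes. The addresses, the SIP port and the threshold are constructed values.

```python
from collections import OrderedDict


class TcpIntercept:
    """Constructed model of TCP intercept (watch mode): half-open connections
    (SYN seen, handshake not completed) are tracked per server and the oldest
    ones are reset once the count exceeds a threshold."""

    def __init__(self, max_half_open=4):
        self.max_half_open = max_half_open
        self.half_open = {}      # server -> OrderedDict[(client_ip, client_port)] -> seq_no, oldest first
        self.established = set()
        self.dropped = []        # (server, client) pairs the router reset

    def syn(self, client, server, seq_no=0):
        """A client SYN starts an embryonic connection; over the threshold the oldest is dropped."""
        table = self.half_open.setdefault(server, OrderedDict())
        table[client] = seq_no
        while len(table) > self.max_half_open:
            oldest, _ = table.popitem(last=False)     # drop the oldest incomplete handshake
            self.dropped.append((server, oldest))

    def ack(self, client, server):
        """Third handshake segment from a real client: move it to the established set."""
        table = self.half_open.get(server, {})
        if client in table:
            del table[client]
            self.established.add((client, server))
            return True
        return False                                  # no half-open entry: spoofed or already dropped

    def half_open_count(self, server):
        return len(self.half_open.get(server, {}))


if __name__ == "__main__":
    ti = TcpIntercept(max_half_open=4)
    server = "203.0.113.10:5060"                           # constructed SIP proxy address
    for i in range(10):                                    # constructed flood from falsified sources
        ti.syn((f"198.51.100.{i}", 40000 + i), server)
    ti.syn(("192.0.2.7", 51000), server)                   # legitimate caller
    print("half-open:", ti.half_open_count(server))        # capped at 4
    print("legit completes:", ti.ack(("192.0.2.7", 51000), server))
    print("flood entries dropped:", len(ti.dropped))
```

Intercept mode, the other option on the slide, goes further: the router answers the SYN itself and only opens the connection to the server after the client's ACK arrives, so spoofed SYNs never reach the server at all. The watch-mode model above is the lighter variant and is enough to show why bounding half-open sessions keeps the service available.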

29
  • Protecting Voice Infrastructure
  • Security Planning and Policies
  • Transitive trust
  • Eliminate re-authentication at each device
  • VoIP Protocol-Specific Issues
  • Use of computer based softphones
  • VLANs
  • Trunking
  • Double tagging

30
  • Protecting Voice Infrastructure continued
  • Security Planning and Policies
  • Complexity tradeoffs
  • Bandwidth overhead
  • Delay
  • CA cost
  • NAT/Firewall Traversal
  • Opens pathways for voice traffic
  • Does not work well with encryption (port numbers)
  • Password and Access Control
  • Minimum length
  • Complexity
  • Equipment access

31
End of Chapter 10