Transcription
Hosted byBest Practices for Securing IPTelephonyIrwin Lazar, CISSPSenior AnalystBurton Group
Hosted byAgenda VoIP overview VoIP risks Mitigation strategies Recommendations
Hosted byVoIP Overview
Hosted byVoIP Functional DiagramSoftswitchGatewayPSTNSoft PhoneIP PhoneIP LANSoft PhoneQoS-enabledWANIP Phone
Hosted bySignaling ConceptsCall Server2 – Call Setup3 – E.164 LookupIP Phone5 – Ringback1 – Offhook& Dial7 – ConnectRTP StreamIP WAN4– CallSetup5 – RingIP Phone6 – OffhookPSTN
Hosted byWhat Do These Diagrams Tell Us? Voice & data share a commoninfrastructure No different from a risk perspective Anything that affects data will affect voice This represents a major change in theway voice services are provided Historically functions were separate
Hosted byHypothesis Enterprises implementing VoIP have aneven greater need to protect theirnetworks than before There is no fallback mechanism if security iscompromised Both data and voice will be effected
Hosted byProtocols to KnowSignaling protocols: H.323 - used by most vendors Cisco & Siemens use proprietary alternatives SIP - Session Initiation Protocol Emerging “IP” based protocol H.323 relies on gateways, SIP allowsdirect any-to-any communications Though in reality they are implemented thesame way
Hosted byMore Protocols to KnowVoice Bearer Transport Protocols RTP - Real-Time Protocol RTCP - Real-Time Control Protocol UDP - User Datagram Protocol
Hosted byVoIP Risks
Hosted bySpecific Risks to VoIP External threats Hacks against phones, call control servers, gatewaysDenial of Service (DoS) attacksTrojans, viruses, wormsIllicit phone system usageVoIP spamCompromise of call data Internal Threats Eavesdroppers Illicit phone system usage Compromise of call data
Hosted byA Few Possible Scenarios DoS attack on inbound calling gateway Worm attack takes down call servers Worm/Virus causes excessive networkcongestion Unauthorized calls routed through your gateway Calls are secretly recorded Improper long distance usage
Hosted byScared Yet? Well you should be! BUT! You ought to be protecting againstmost of this stuff already A few of these risks are already outthere Unauthorized phone use, outsidehacking Mitigation strategies are available
Hosted byIP Telephony Security Mitigation Strategies
Hosted byBasic Secure IP Telephony Design Network security principles: Logical separation of voice and data viaVLANs wherever possible Minimize interconnection points VoIP-aware firewalls at interconnectionpoints Host-based intrusion detection & virusdetection on all call management devices Intrusion detection at network exit/entrypoints
Hosted byFirewall Concerns Firewalls must be VoIP-aware VoIP relies on dynamic port creation forvoice traffic Signaling protocols use well known ports NAT may get in the way Solution: Session Border Controllers Kagoor, Acme Packets, Jasomi, Nextone, etc. SBCs track call establishment anddynamically handle NAT and port filtering May also act as a calling proxy
Hosted bySecurity ArchitectureData VLANExternalSubnet ASBCCallServerCall Server VLANSubnet BXSubnet AData to DataFullVoice to VoiceFullVoice to DataBlockedCall Server to VoiceFullCall Server to DataLimitedSubnet BVoice VLAN
Hosted byLogical Separation Issues Requires Ethernet switches to support802.1Q VLAN Trunking Two implementation methods Ethernet switch in IP phone Ethernet switch in closet performsseparation Difficult to implement in softphoneenvironments
Hosted byPhones at 802.1Q TrunksData SubnetPhoneSubnetL2SwitchIP PhoneDesktopPC
Hosted byCall Security Options End-point security: User authentication for hard/softphones 802.1x - based Phone authentication to callcontroller Use of MAC address filters to preventrogue assignment of IP addressesand transfer of configuration files
Hosted byCall Security Options (2) Call data security SSL/TLS encryption between end-points andcall control servers Negative performance impact S/MIME signing & encryption of call data SRTP - Secure RTP Prevent anonymous in-bound calling Inbound calls only accepted from trusted orverifiable sources Use of trusted certificate authority
Hosted byCall Security Options (3) Protection against Denial of ServiceAttacks Only an issue when there is directconnectivity of VoIP “Islands” Use of DoS mitigation techniques ordevices E.g. Arbor Networks, Riverhead(Cisco)
Hosted byDoes it Work? “Breaking through IP telephony security”Network World - May 24, 2004 Mier test of Avaya & Cisco VoIP Security Bottom line: Both systems were reasonablysecure IF security architectures were fullyimplementedFindings: Both were secure against hacker attacksagainst call control infrastructure Both were susceptible to passive probes Avaya phones could be disrupted
Hosted byFuture Developments Security becoming increasingly important Encryption more widely available (CiscoCall Manager 4.0) Better availability of VoIP-aware securityproducts Increasing use of softphones presents newchallenges Remote users also present challenges One solution: Zultys builds IPsec clientdirectly into phones Growing concerns as we evolve past“Islands” of VoIP
Hosted byWhat About Public Services? Public VoIP services are rapidly emerging Network complexity transferred to a serviceprovider
Hosted byService ArchitectureClass 5SwitchEnterprise versSIPNetworkGatewayService Provider Network
Hosted byService Issues Security Risks to corporate data stored on andcarried by service providers Risks of denial of service attacks onprovider infrastructure Risks to enterprise data network Risks of data carried over the publicInternet (for broadband service providers) Eavesdropping Reliance on service provider for securitymanagement Are services subject to wiretapping laws?
Hosted byRecommendations
Hosted byRecommendations Conduct security assessment as part of yourVoIP planning Recommended evaluation criteria: Corporate security policies Firewall capabilitiesCost vs. RiskNetwork capabilities (to support 802.1Qfor example)
Recommended SecurityGuidelinesHosted by Best practices: Logical separate of voice and data (use VLANs in theLAN) Firewalls/IDS at interconnection points Host-based IDS for call control servers Authenticate both phone and user Implement QoS mechanisms to prioritize voice Encrypt where necessary For users of public services Work carefully with providers to understand securitymethodologies & services
Hosted byWhat is your primary area of concernwith regard to VoIP security?54%lHackers disruptingsystemlHackers misusingsystemlInternal misuse?lNo concerns?33%10%3%1234
Hosted byWho is responsible for VoIPsecurity in your organization?50%llllInternal networksecurity team?23%VoIP managementteamNetwork managementteamNobody20%8%1234
Hosted byIs encryption of voice a requirement?42%1. Yes31%28%2. No3. Not sure123
Hosted byWho manages your VoIP environment?75%lOutsourced privatesolutionlOutsource publicsolutionll14%3%In-sourcedNot sure?8%1234
Mier test of Avaya & Cisco VoIP Security Findings: Both were secure against hacker attacks against call control infrastructure Both were susceptible to passive probes Avaya phones could be disrupted Bottom line: Both systems were reasonably secure IF security architectures were fully implemented. Hosted by Future Developments Security becoming increasingly important Encryption .
