VOIP Technology, Security Threats & Countermeasures GISFI # 2, Allahabad, September 17, 2010 Jaydip Sen Innovation Lab Tata Consultancy Services, Kolkata Email: [email protected]

May 27, 2020


Migration to the Integrated World
[Figure: labels Mobile Voice, Fixed Voice, Converged Voice, Data Communications, End-to-end Solutions (IP); axis: Time]

What is IP (Internet Protocol)?
• IP is the language that computers use to communicate over the Internet
• IP is the transmission mode that is expected to be used in the future for both voice and data
• IP enables today’s services to be implemented over the same access (e.g. telephony and Internet access)
• IP enables multiple services to share the one network

Broadband (IP) Telephony
• Broadband telephony is speech/voice that is packaged and transmitted partly or entirely over IP-based networks
• The concept of broadband telephony is the sum of:
  – Voice Over IP
  – Internet telephony
  – Related value-added services
• Full-featured broadband telephony uses IP technology both for voice transmission and for value-added services
• Broadband telephony is in the first place a follow-on product of data communications solutions
• Broadband telephony requires a broadband connection

Evolution of Voice Telephony Products
[Figure: product generations for Fixed access and Mobile access. Labels: Analog – AGF, Digital – AXE, Digital, IP – Broadband telephony, Analog – NMT, Digital – GSM, IP – GPRS, IP – 3G]

Convergence of Fixed and Mobile Voice
• POTS = access line
• VOIP = SIP server account
• Mobile = HLR account
[Figure: VOIP SIP client = Mobile SIM card; “IP coverage” = “Radio coverage”]
All devices can or will be wireless

Prerequisites, Business Model, Time Frame
• Prerequisites
  – Broadband penetration
  – Established standards
  – Customer needs
• Business model
  – IP will generate a new logic over time
  – Start from where you are — convergence may be the best of both worlds
• Time frame
  – It may be a long time before IP takes over completely

Broadband vs. Conventional Telephony
• Reliability
  – Prioritization of voice packets
  – Combining different networks
• Power dependency
  – Broadband telephony doesn’t work if the power is off at the customer
• Ability to reach alarm numbers
  – Position information
• Standards
  – Terminals
  – Services/networks

Business People Need Integrated Services
Communicate with other people
• Telephone
• Voice-mail
• E-mail, SMS, MMS
Plan and organize your work
• Telephone
• Calendar
• Contacts
• E-mail
Collaborate with other people
• Telephone meeting
• Video meeting
• e-meeting
• Project management tools
Do business
• Telephone
• E-business
• CRM
• Supply Chain mgmt
• …
Stay informed
• Telephone
• Web search
• News, …

The VOIP Funnel – Business Customers
[Figure: funnel with years 2002, 2003, 2004, 2005, 2006. Stage labels: Lab, First pilots, Branch office (where to start), First full implementations, Scale up to corporate level, Full scale. Issue labels: Business case, Standards, Network management, QoS]
TRENDS
• Classic Centrex → IP Centrex
• Classic PBX → IP PBX

Individual Customer Needs
Connectivity with control
• Need to be in touch
• Voice is still the “killer application”
• Need to control accessibility
• Want to be reachable but need to control access based on user situations
Need to stay informed
• Need to know what is going on around them
  – E.g. after 9/11, increased need for security
Greater capabilities for:
• Personal telephony
• Communications
• Mobility

Broadband Telephony
SIP (Session Initiation Protocol)
– A standard that is establishing itself
– Other parties can provide services
Functionality
– Telephony as software in a PC
– Simple to download
– Adapter or separate phone required to talk via receiver
– Personal phone number 0751121441
– SIP address [email protected] which can be an email address
Capabilities
– Call control
– Availability information
– Chat
– Video calls

What is VoIP?
• A suite of IP-based communications services
• Provides multimedia communications over IP networks
• Based on open IETF and ITU standards
• Operates over any IP network (not just the Internet)
• Utilizes separate paths for signaling and media
• Low-cost alternative to PSTN calling

The Business Value of VoIP
Cost
• Toll bypass for on-net calling
• Reduced network costs
• Lower move/add/delete (MAD) costs
• Reduced site preparation time
• Network convergence
Functionality
• Enterprise directory integration
• Unified Messaging
• Call center applications
• Interactive Voice Response (IVR)
• IP Video
• Instant Messaging
Mobility
• Location services (Find-Me/Follow-Me routing)
• Wider array of service providers
• Ubiquitous access

PSTN vs VoIP
Public Switched Telephone Network (PSTN)
• SS7 signaling protocol
• Circuit-switched network (ATM/Frame Relay)
• Expensive infrastructure
• Reliable quality
Voice Over IP (VoIP)
• SIP, H.323, SCCP, MGCP, or MegaCo signaling protocol
• RTP media protocol
• Packet switched network
• Converged infrastructure
• Unreliable quality

VoIP Protocols
SIP
• RFC 3261
• “The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants.”
• Text based messaging
• Modeled on HTTP
• Uses URI to address call flow components
  – sip:[email protected]
  – sip:[email protected]
• Versatile and open with many applications
  – Voice
  – Video
  – Gaming
  – Instant Messages
  – Presence
  – Call-Control

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
Max-Forwards: 70
To: Bob <sip:[email protected]>
From: Alice <sip:[email protected]>;tag=1928301774
Call-ID: [email protected]
CSeq: 314159 INVITE
Contact: <sip:[email protected]>
Content-Type: application/sdp
Content-Length: 142

SIP Methods
• INVITE: creates a session
• BYE: terminates a session
• ACK: acknowledges a final response for an INVITE request
• CANCEL: cancels an INVITE request
• REGISTER: binds a public SIP URI to a Contact address
• OPTIONS: queries a server for capabilities
• SUBSCRIBE: installs a subscription for a resource
• NOTIFY: informs about changes in the state of the resource
• MESSAGE: delivers an Instant Message
• REFER: used for call transfer, call diversion, etc.
• PRACK: acknowledges a provisional response for an INVITE request
• UPDATE: changes the media description (e.g. SDP) in an existing session
• INFO: used to transport mid-session information
• PUBLISH: publication of presence information

SIP Components
• User Agents
  – Clients – Make requests
  – Servers – Accept requests
• Server types
  – Redirect Server
  – Proxy Server
  – Registrar Server
  – Location Server
• Gateways

Session Description Protocol (SDP)
SDP
• IETF RFC 2327
• “SDP is intended for describing multimedia sessions for the purposes of session announcement, session invitation, and other forms of multimedia session initiation.”
• SDP includes:
  – The type of media (video, audio, etc.)
  – The transport protocol (RTP/UDP/IP, H.320, etc.)
  – The format of the media (H.261 video, MPEG video, etc.)
  – Information to receive those media (addresses, ports, formats, etc.)
  – Crypto keys

v=0
o=mhandley 2890844526 2890842807 IN IP4 126.16.64.4
s=SDP Seminar
i=A Seminar on the session description protocol
u=http://www.cs.ucl.ac.uk/staff/M.Handley/sdp.03.ps
[email protected] (Mark Handley)
c=IN IP4 224.2.17.12/127
t=2873397496 2873404696
a=recvonly
m=audio 49170 RTP/AVP 0
m=video 51372 RTP/AVP 31
m=application 32416 udp wb
a=orient:portrait
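The SDP fields listed above decide where media flows and whether it is protected. As an added example (not part of the original slides), this Python sketch parses an SDP body and flags active streams offered over plain RTP/AVP, and SRTP keys carried in a=crypto lines (RFC 4568) while the signaling path is unencrypted. Both SDP bodies and the key string are constructed.

```python
"""Audit SDP offers for unprotected media. Added example; SDP bodies are constructed."""

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}

# Constructed offer: plain RTP audio, plus a video stream disabled with port 0.
PLAIN_OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000
m=video 0 RTP/AVP 31
"""

# Constructed offer: SRTP audio whose key travels inside the SDP body.
SDES_OFFER = """v=0
o=alice 2890844527 2890844527 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49172 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED+KEY+FOR+ILLUSTRATION+ONLY
"""


def parse_media(sdp_text):
    """Return one dict per m= section with its protocol and a= attributes."""
    sections = []
    for raw in sdp_text.strip().splitlines():
        line = raw.strip()
        if len(line) < 3 or line[1] != "=":
            continue  # every SDP line has the form <type>=<value>
        kind, value = line[0], line[2:]
        if kind == "m":
            fields = value.split()
            port = fields[1].split("/")[0] if len(fields) >= 4 else ""
            if not port.isdigit():
                continue  # malformed media line
            sections.append({"media": fields[0], "port": int(port),
                             "proto": fields[2], "attrs": []})
        elif kind == "a" and sections:
            sections[-1]["attrs"].append(value)
    return sections


def audit_sdp(sdp_text, signaling_encrypted):
    """Return (section index, media type, finding) for each weakness found."""
    findings = []
    for index, section in enumerate(parse_media(sdp_text)):
        if section["port"] == 0:
            continue  # port 0 means the stream is rejected or disabled
        proto = section["proto"]
        if proto.startswith("RTP/") and proto not in SRTP_PROFILES:
            findings.append((index, section["media"], "plaintext-rtp"))
        has_key = any(attr.startswith("crypto:") and "inline:" in attr
                      for attr in section["attrs"])
        if has_key and not signaling_encrypted:
            findings.append((index, section["media"], "srtp-key-visible-in-signaling"))
    return findings
```

Pass signaling_encrypted=True only when every SIP hop that carries the body runs over TLS.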

Media Protocols
RTP
• Real-time Transport Protocol
• RFC 3550
• Standardized packet format for delivering audio and video over IP
• Frequently used in streaming media systems
CODECs
• GIPS Enhanced G.711
  – 8kHz sampling rate
  – Voice Activity Detection
  – Variable bit rate
• G.711
  – 8kHz sampling rate
  – 64kbps
• G.729
  – 8kHz sampling rate
  – 8kbps
  – Voice Activity Detection

SIP Call Flow
[Figure: call flow between Alice, Outbound Proxy, Inbound Proxy and Bob. Messages shown: INVITE, 100 Trying, 180 Ringing, 200 OK, ACK, RTP Voice, BYE, 200 OK]
Alice calls Bob. Steve answers Bob’s phone.
Conversation: “Hello.” “Is Bob there?” “Sorry, no, can I help you” “No. I need Bob.” “Thanks. Bye.”

SIP Standards
A sampling of SIP RFCs…
• RFC3261 Core SIP specification – obsoletes RFC2543
• RFC2327 SDP – Session Description Protocol
• RFC1889 RTP – Real-time Transport Protocol
• RFC2326 RTSP – Real-Time Streaming Protocol
• RFC3262 SIP PRACK method – reliability for 1XX messages
• RFC3263 Locating SIP servers – SRV and NAPTR
• RFC3264 Offer/answer model for SDP use with SIP
• RFC3265 SIP event notification – SUBSCRIBE and NOTIFY
• RFC3266 IPv6 support in SDP
• RFC3311 SIP UPDATE method – e.g. changing media
• RFC3325 Asserted identity in trusted networks
• RFC3361 Locating outbound SIP proxy with DHCP
• RFC3428 SIP extensions for Instant Messaging
• RFC3515 SIP REFER method – e.g. call transfer

Complexities of VOIP Architecture
[Figure: copied from NSA Security Guidance for Deploying IP Telephony Systems, Report Number: I332-016R-2005]

VOIP Security Threats
Robert Wood

Most Common VOIP Security Mistakes
1. Treating VOIP security the same way as Network security
2. Not treating VOIP security the same way as Network Security
How it’s the Same
• Uses mostly the same protocols
• Uses mostly the same Operating Systems
• Many of the same threats
How it’s Different
• Some unique protocols
• Traditional Security devices (IDS/Firewalls can disrupt service)
• People treat it like the old phone system!
What we Commonly See
• Segmentation without monitoring
• Improperly configured systems
• Little device hardening
• Little understanding of privacy threats
• No regular security assessments ON the VOIP segment

VoIP Threats
VOIP Threat Taxonomy
• Social Threats
  – Misrepresentation
    • Identity
    • Authority
    • Rights
    • Content
  – Theft of Services
  – Unwanted Contact
    • Harassment
    • Extortion
    • Unwanted Lawful Content (spam and other offensive material)
• Eavesdropping
  – Call Pattern Tracking
  – Traffic Capture
  – Number Harvesting
  – Call Reconstruction (voice, video, fax, text, voicemail)

VoIP Threats
VOIP Threat Taxonomy
• Interception and Modification
  – Call Black Holing
  – Call Rerouting
  – Fax Alteration
  – Conversation Alteration
  – Conversation Degradation
  – Conversation Impersonation and Hijacking
  – False Caller Identification
• Service Abuse
• Denial of Service
  – VoIP Specific DoS
    • Request Flooding
    • Malformed Requests and Messages
    • QoS Abuse
    • Spoofed Messages
    • Call Hijacking
  – Network Services DoS
  – Underlying Operating System/Firmware DoS
  – Distributed DoS (DDoS)
• Physical Intrusion

VoIP Threats
VOIP Threat Taxonomy
• Other Disruptions of Service
  – Loss of Power
  – Resource Exhaustion
  – Performance Latency and Metrics

Summary of VOIP Risks?
• Service Disruption or Denial of Service
• Theft of Service or Data
• Infrastructure Attacks
• Voice SPAM (Vishing, Mailbox Stuffing, Unsolicited Calling)
• Call Hijacking and Spoofing
• Call Eavesdropping or recording
• Voicemail Hacking
Every other network and system vulnerability not unique to VOIP!

Threat Model for VOIP Systems
[Figure: layered model of the VOIP Environment. Layers: Supporting Applications Layer; VOIP Application Layer; VOIP Protocol Layer (Signaling and Transfer Protocols); HW Platform, OS; Facility/Infrastructure. Components shown: Voice Mail, Gateway, Configuration Databases, Network, IP Phones, Firewall, Call Manager Servers, Fax, SBC]

What are the Threat Vectors?
• OS Exploits
• Signaling Attacks
• Endpoint Admin Privilege Exploits
• Proxy Impersonation
• Real Time Protocol (RTP) Attacks
• VoIP Wiretapping
• VoWiFi Attacks
• DoS Attacks
• Spam for Internet Telephony (SPIT)
• IP PBX and Telephony Server Exploits
• Vishing (VoIP Phishing)

Who are You Protecting Against?
[Figure: Malicious Attack, Unintentional Exposure, Intentional Exposure]
“Risk is Irrelevant of Intent”

Specialized Hacking Tools
• SIPScan - enumerate SIP interfaces
• TFTPBrute - TFTP directory attacking
• UDP and RTP Flooder - DoS tools
• hping2 - TCP session flooding
• Registration Hijacker - tool to take over H.323 session
• SIVUS - SIP authentication and registration auditor
• Vomit - RTP Playback
• VOIP HOPPER - IP Phone mimicking tool
• LDAPMiner - collect LDAP directory information
• Dsniff - various utilitarian tools (macof and arpspoof)
• Wireshark (Ethereal) / tcpdump - packet capture and protocol analysis

Hardware Can be Guessed
"Your call is being answered by Audix. [USER'S NAME] {is not available ... to leave a message wait for the tone, is busy ... to leave a message wait for the tone}."
"[USER'S NAME] {is on the phone, is unavailable} Please leave your message after the tone. When done, hang up or press the pound key."
"Record your message at the tone. When you are finished, hang up or hold for more options."

DDoS Attack
[Figure]

Toll Fraud
[Figure]
Hacker sells your company calling information
Your company gets the bill

Call Manager OS
[Figure]

Call Forwarding/Spoofing
[Figure]

Expose Private Conversations
[Figure]

Block Certain Calls
[Figure: numbers shown: 555-1212, 999-1213, 987-6543]

Log Call Activity
[Figure]

Hijacking/Injection Attack
[Figure]

Call Forwarding/Spoofing
[Figure]

Eavesdropping
[Figure: Alice and Bob connected by SIP (via Outbound Proxy and Inbound Proxy) and by RTP; Kevin listens in]
• DTMF intercept
• IM snooping
• Call pattern analysis
• Number harvesting
• Network discovery

• Voice reconstruction
• Fax reconstruction
• Video reconstruction

Spoofing
[Figure: Alice and Bob connected by SIP (via Outbound Proxy and Inbound Proxy) and by RTP; Kevin; message shown: BYE]
Kevin forges a BYE from Alice

Recording
[Figure]

Interception
[Figure: Alice, Bob, Outbound Proxy, Inbound Proxy and Kevin; SIP and RTP paths; messages shown: REFER, 202 Accepted, INVITE, 200 OK, BYE]
Kevin forges a REFER from Bob
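The Spoofing and Interception slides both rely on a BYE or REFER that claims to belong to an existing dialog. As an added example (not part of the original slides), this Python sketch shows monitoring logic that tracks dialogs by Call-ID and flags BYE/REFER requests whose tags, source address or CSeq do not fit the dialog. All messages and addresses are constructed, and the monitor is assumed to sit where each party's signaling arrives from a stable source address.

```python
"""Flag in-dialog SIP requests (BYE, REFER) that do not fit the dialog they claim.

Added example, not from the slides; all messages and addresses are constructed.
Assumption: each party's signaling reaches the monitor from a stable address.
"""
import re

ALICE, BOB, KEVIN = "192.0.2.10", "198.51.100.20", "203.0.113.66"  # constructed


def _tag(value):
    """Extract the tag parameter from a From or To header value."""
    match = re.search(r";\s*tag=([^;>\s]+)", value)
    return match.group(1) if match else None


def parse_sip(raw):
    """Parse the start line and the few headers the monitor needs."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.split("\n") if line.strip()]
    start = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    is_response = start[0].startswith("SIP/")
    number, cseq_method = headers["cseq"].split()
    return {
        "method": None if is_response else start[0],
        "status": int(start[1]) if is_response else None,
        "call_id": headers["call-id"],
        "from_tag": _tag(headers["from"]),
        "to_tag": _tag(headers["to"]),
        "cseq": int(number),
        "cseq_method": cseq_method,
    }


class DialogMonitor:
    """Track dialogs by Call-ID and check later BYE/REFER requests against them."""

    def __init__(self):
        self.dialogs = {}  # Call-ID -> {"src": {tag: ip}, "cseq": {tag: last CSeq}}

    def observe(self, src_ip, raw):
        """Feed one message; return a list of alerts (empty if it fits)."""
        msg = parse_sip(raw)
        dialog = self.dialogs.get(msg["call_id"])
        if msg["method"] == "INVITE" and msg["to_tag"] is None and dialog is None:
            # Initial INVITE: remember the caller's tag, address and CSeq.
            self.dialogs[msg["call_id"]] = {"src": {msg["from_tag"]: src_ip},
                                            "cseq": {msg["from_tag"]: msg["cseq"]}}
            return []
        if msg["status"] is not None:
            # A 2xx answer to the INVITE carries the callee's tag in To.
            if (dialog and 200 <= msg["status"] < 300
                    and msg["cseq_method"] == "INVITE" and msg["to_tag"]):
                dialog["src"].setdefault(msg["to_tag"], src_ip)
            return []
        if msg["method"] not in ("BYE", "REFER"):
            return []
        if dialog is None:
            return ["unknown-dialog"]
        sender, peer = msg["from_tag"], msg["to_tag"]
        if sender == peer or sender not in dialog["src"] or peer not in dialog["src"]:
            return ["tag-mismatch"]
        alerts = []
        if dialog["src"][sender] != src_ip:
            alerts.append("source-mismatch")
        last = dialog["cseq"].get(sender)
        if last is not None and msg["cseq"] <= last:
            alerts.append("cseq-not-increasing")
        if not alerts:
            dialog["cseq"][sender] = msg["cseq"]
        return alerts


def message(start, from_tag, to_tag, cseq):
    """Build a constructed SIP message with only the headers the monitor reads."""
    to = "<sip:b@example.invalid>" + (f";tag={to_tag}" if to_tag else "")
    return (f"{start}\r\nFrom: <sip:a@example.invalid>;tag={from_tag}\r\n"
            f"To: {to}\r\nCall-ID: call-1@example.invalid\r\nCSeq: {cseq}\r\n\r\n")


def run_demo():
    """Replay one call plus requests that do not fit it; return alerts per message."""
    monitor = DialogMonitor()
    bye, refer = "BYE sip:x@example.invalid SIP/2.0", "REFER sip:x@example.invalid SIP/2.0"
    traffic = [
        (ALICE, message("INVITE sip:b@example.invalid SIP/2.0", "a1", None, "1 INVITE")),
        (BOB, message("SIP/2.0 200 OK", "a1", "b1", "1 INVITE")),
        (KEVIN, message(bye, "a1", "b1", "2 BYE")),      # uses Alice's tags
        (KEVIN, message(refer, "b1", "a1", "1 REFER")),  # uses Bob's tags
        (ALICE, message(bye, "a1", "guess", "2 BYE")),   # wrong remote tag
        (ALICE, message(bye, "a1", "b1", "1 BYE")),      # CSeq not advanced
        (ALICE, message(bye, "a1", "b1", "2 BYE")),      # the real hang-up
    ]
    return [monitor.observe(ip, raw) for ip, raw in traffic]
```

The source and CSeq checks are monitoring heuristics; they do not replace authenticated signaling (Digest, TLS) listed under the countermeasures.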

Key Mitigation Strategies
• Create VOIP Specific Security Policies
• Segmentation as appropriate
  – Restrict logical network access to critical servers and VoIP call processors
  – Utilize separate VLANs for voice and data
• Device Hardening
  – Do not use default passwords
  – Turn off unnecessary services
  – Apply vendor supplied patches in a timely manner
  – Perform vendor installation security checklist to harden applications
• Perform Security Assessments on and against the VOIP infrastructure
• Apply Appropriate Encryption

Key Mitigation Strategies
• Utilize VoIP aware Firewalls, Intrusion Prevention Systems (IPS) and Session Border Controllers (SBC) when possible
• Utilize end-to-end QoS
• Continue to protect against traditional system attacks (Toll Fraud, Modem Security, Social Networking Attacks, etc.)

Security Solutions
Robert Wood

Network Solutions: Security Policy
• Establish a corporate security policy
  – Acceptable Use Policy
  – Analog/Dial-in/ISDN Line Policy
  – Anti-Virus Process
  – E-mail Policy
    • Automatic Forwarding
    • Usage
    • Retention
  – Ethics Policy
  – Password Protection Policy
  – Patch Management Process
  – Router Security Policy
  – Server Security Policy
  – Risk Assessment Policy
  – VPN Security Policy
  – Wireless Security Policy
http://www.sans.org/resources/policies/#template

Security Solutions: Network
[Figure: Network Design by Cisco Systems]

Security Solutions: DoS & DDoS
• Provide redundancy through:
  – Mesh Corporate WAN design
  – Utilizing multiple ISPs
  – Fallback PSTN Gateway(s)
  – Uninterruptible Power Supplies
• Negotiate QoS agreements

Security Solutions: Hacking
• Segment networks into separate VLANs
  – Voice network
  – Data network
  – Monitoring and control network

Security Solutions: Hacking
• Maintain VoIP application server updates
  – Call manager server(s)
  – Voicemail server(s)
  – Gateway server(s)
• Install current Operating System patches
• Install current application software patches

Security Solutions: Spoofing
• Eliminate unknown devices
  – DHCP Snooping
  – DAI: Dynamic Address Resolution Protocol Inspection
  – IP Source Guard
• Eliminate unknown software
  – Digital Signatures

Security Solutions: Threats
• Manage and prevent threats via:
  – Stateful Firewalls
  – Virus Filters
  – Intrusion Detection (NIDS)
  – Intrusion Prevention (HIPS)
  – Filter unnecessary ports on:
    • Routers
    • Switches
    • PCs
    • IP Telephones
    • Firewalls

Security Solutions: Complete
[Figure]

Network Diagram Legend
[Figure]

Summary of Countermeasures
Authentication and Encryption
• Digest Authentication
  – Used during UA registration
  – Authenticates UA to SIP proxy
  – Similar to HTTP digest from web browser to web server
  – Cannot be used between proxies
• Transport Layer Security (TLS)
  – Used to secure signaling path
  – Authenticates each endpoint on a link
  – Provides encrypted path between each link
  – Non-transitive trust
  – Can be used between proxies
  – Requires X.509 certificates
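Digest Authentication, as summarized above, is the HTTP digest scheme applied to SIP registration. As an added example (not part of the original slides), this Python sketch shows the registrar's side of the check using the RFC 2617 algorithm with qop=auth: a time-limited nonce, a constant-time comparison of the response, and nonce-count replay rejection. The realm, user, password, URI and server secret are constructed.

```python
"""SIP Digest authentication as a registrar would check it (RFC 2617, qop=auth).

Added example, not from the slides. Realm, user, password and URI are constructed.
"""
import hashlib
import hmac
import time


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def ha1(user, realm, password):
    """H(A1): the only credential form the server has to store."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce):
    """Response value for qop=auth: binds the secret to nonce, method and URI."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_authorization(user, realm, password, method, uri, nonce, nc, cnonce):
    """Fields a user agent would place in its Authorization header."""
    nc_text = f"{nc:08x}"
    response = digest_response(ha1(user, realm, password), method, uri,
                               nonce, nc_text, cnonce)
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "nc": nc_text, "cnonce": cnonce, "response": response}


class Registrar:
    def __init__(self, realm, secret, ha1_by_user, nonce_lifetime=30):
        self.realm, self.secret = realm, secret
        self.ha1_by_user = ha1_by_user
        self.nonce_lifetime = nonce_lifetime  # seconds
        self.last_nc = {}  # nonce -> highest nonce-count accepted so far

    def _mac(self, issued):
        return hmac.new(self.secret, issued.encode(), hashlib.sha256).hexdigest()

    def challenge(self, now=None):
        """Nonce for a 401 challenge: issue time plus a MAC over it."""
        issued = str(int(time.time() if now is None else now))
        return f"{issued}:{self._mac(issued)}"

    def verify(self, method, auth, now=None):
        """Check the fields of an Authorization header; return (ok, reason)."""
        now = time.time() if now is None else now
        issued, _, mac = auth["nonce"].partition(":")
        if not issued.isdigit() or not hmac.compare_digest(mac, self._mac(issued)):
            return False, "forged-nonce"
        if now - int(issued) > self.nonce_lifetime:
            return False, "stale-nonce"
        stored = self.ha1_by_user.get(auth["username"])
        if stored is None or auth["realm"] != self.realm:
            return False, "bad-response"
        expected = digest_response(stored, method, auth["uri"], auth["nonce"],
                                   auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected, auth["response"]):
            return False, "bad-response"
        count = int(auth["nc"], 16)
        if count <= self.last_nc.get(auth["nonce"], 0):
            return False, "replayed-nc"
        self.last_nc[auth["nonce"]] = count
        return True, "ok"


def run_demo():
    """One good REGISTER, then a replay, a reuse for INVITE and an expired nonce."""
    realm, uri = "voip.example.invalid", "sip:voip.example.invalid"
    registrar = Registrar(realm, b"constructed-server-secret",
                          {"alice": ha1("alice", realm, "constructed-password")})
    nonce = registrar.challenge(now=1000)
    first = client_authorization("alice", realm, "constructed-password",
                                 "REGISTER", uri, nonce, 1, "c0ffee01")
    later = client_authorization("alice", realm, "constructed-password",
                                 "REGISTER", uri, nonce, 2, "c0ffee02")
    return [
        registrar.verify("REGISTER", first, now=1005),
        registrar.verify("REGISTER", first, now=1006),  # same header again
        registrar.verify("INVITE", first, now=1006),    # header bound to REGISTER
        registrar.verify("REGISTER", later, now=1031),  # nonce older than 30 s
    ]
```

With qop=auth the response covers only the method and URI, so other headers and the body stay unprotected unless the hop also runs over TLS.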

Summary of Countermeasures
Authentication and Encryption
• Secure RTP (SRTP)
  – Used to secure the media path
  – Provides end-to-end security
  – Requires X.509 certificates
• Zphone (ZRTP)
  – Used to secure the media path
  – Provides end-to-end security
  – IETF draft written by Phil Zimmermann
  – Requires no X.509 certificates
  – Relies on OSI layer 8 authorization

Summary of Countermeasures
Physical Security
• VoIP equipment in secured datacenter
• Lock wiring closet doors
• VoIP VLANs = Good
• Separate VoIP network = Better
• Separate VoIP network + Authentication + Encryption = Best!
Logical Security
• CIS Benchmarks applied to all host platforms
• Regular patching and assessments
• Network IDS
• Firewall and NAT protection of gateway and proxies

Conclusion
• VOIP will lead to convergence of voice and data into a common infrastructure for wiring, routers, network connectivity.
• Companies will be able to deploy, manage and maintain one network to serve all communication needs, saving on infrastructure costs and resources.
• With VoIP the Internet becomes the backbone of a company’s phone network. This leads to a number of threats:
  – Hackers
  – Worms
  – Viruses
  – DoS attacks
• “The challenge of VoIP security is not new. History has shown that advances and trends in information technology typically outpace the corresponding realistic security requirements. Such requirements are often tackled only after these technologies have been widely adopted and deployed” – Cable Datacom News

Thank You!