99, are you SURE this connection is secure? 99? 99? Can you hear me now??
Voice Over IP, A Security Overview
Christopher Duffy, CISSP
VoIP Security Overview
• Definitions
• Under the Covers of SIP
• Threats in VoIP / VoIP Telephony
• Best Practices
• References
“Voice over IP is the John Travolta of Internet technologies. It was big once, everyone laughed at it, and it faded away… only to come back bigger than ever.” - (Alan Cohen, VP, Cisco)
CONVERGENCE!
• VoIP resides on your Data Network
  – Runs on an OS
  – Is an Application on Your Servers
  – Uses the same Infrastructure
Global Definitions
• VoIP – Voice over Internet Protocol (also called IP Telephony and Internet telephony) – is the routing of voice conversations over the Internet or any other packet switched network.
• PSTN – Public Switched Telephone Network – is the concentration of the world's public circuit-switched telephone networks, in much the same way that the Internet is the concentration of the world's public IP-based packet-switched networks.
Global Definitions (Cont)
• PBX – Private Branch eXchange – is a telephone exchange that is owned by a private business, as opposed to one owned by a common carrier or by a telephone company.
QoS
• QoS (Quality of Service) – A defined measure of performance in a data communications system. For example, to ensure that real-time voice is delivered without drops, a traffic contract is negotiated between the customer and network provider that guarantees a minimum bandwidth along with the maximum delay that can be tolerated, in milliseconds.
Latency
• Latency (Delay) – The time from when words are spoken until they are heard at the other end; the amount of time it takes a packet to travel from source to destination.
• Together, latency and bandwidth define the speed and capacity of a network.
• A voice delay of 80 ms (Toll Quality) is a good threshold. Once that threshold is passed the conversation becomes annoying. The ear can accept 120-180 ms of delay.
Jitter
• Jitter (variation in delay) – a variation in packet transit delay caused by queuing, contention and serialization effects on the path through the network. In general, higher levels of jitter are more likely to occur on either slow or heavily congested links.
• 20 milliseconds is the threshold for tolerance on a call
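An added example (not from the slides) of how the jitter defined above is actually measured: the RFC 3550 interarrival jitter estimator run over a constructed RTP arrival trace and compared with the 20 ms tolerance. It assumes a G.711 stream (8 kHz RTP clock, 20 ms of audio per packet); the delays are simulated, not captured.

```python
# Added example: RFC 3550 interarrival jitter estimate for an RTP stream,
# checked against the 20 ms tolerance quoted above. Assumes a G.711 stream
# (8 kHz RTP clock, 160 ticks = 20 ms of audio per packet); the arrival
# delays below are constructed, not captured.
CLOCK_HZ = 8000
TICKS_PER_PACKET = 160
JITTER_LIMIT_MS = 20.0   # tolerance threshold stated in the slides


def interarrival_jitter_ms(packets, clock_hz=CLOCK_HZ):
    """RFC 3550 section 6.4.1 estimator.

    packets: iterable of (rtp_timestamp_ticks, arrival_time_seconds) in
    arrival order. Returns the smoothed jitter J in milliseconds.
    """
    jitter = 0.0            # running estimate J, kept in RTP clock ticks
    prev = None
    for ts, arrival in packets:
        arr_ticks = arrival * clock_hz           # arrival time on the RTP clock
        if prev is not None:
            prev_ts, prev_arr = prev
            # D(i-1, i) = (R_i - R_i-1) - (S_i - S_i-1): change in transit time
            d = (arr_ticks - prev_arr) - (ts - prev_ts)
            jitter += (abs(d) - jitter) / 16.0   # J = J + (|D| - J) / 16
        prev = (ts, arr_ticks)
    return jitter * 1000.0 / clock_hz


def simulate_stream(n_packets, late_every_other_ms):
    """Constructed capture: packets sent every 20 ms; every second packet is
    delayed by late_every_other_ms (queuing on a congested link)."""
    pkts = []
    for i in range(n_packets):
        ts = i * TICKS_PER_PACKET
        sent_at = i * TICKS_PER_PACKET / CLOCK_HZ
        delay = late_every_other_ms / 1000.0 if i % 2 else 0.0
        pkts.append((ts, sent_at + delay))
    return pkts


def call_quality(packets):
    """Rate a stream against the slide's 20 ms jitter tolerance."""
    j = interarrival_jitter_ms(packets)
    return ("degraded" if j > JITTER_LIMIT_MS else "acceptable", round(j, 2))


if __name__ == "__main__":
    print(call_quality(simulate_stream(50, 5)))   # mild queuing -> acceptable
    print(call_quality(simulate_stream(50, 60)))  # heavy contention -> degraded
```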
Protocols
• H.323 – International Telecommunications Union - Telecommunications (ITU-T) standard for real-time multimedia communications and conferencing over packet-based networks.
  – CODECs
    • G.711 - audio codec, 56/64 kbps (Toll Quality)
    • G.723.1 - speech codec for 5.3 and 6.3 kbps
    • G.729 - speech codec for 8/13 kbps
Protocols
• SIP (Session Initiation Protocol) – is an IP telephony signaling protocol used to establish, modify and terminate VoIP telephone calls.
  – SIP is comparable to a telephone operator. Other technology is used once connected.
• SIP, rather than H.323, has become the standard for VoIP. The protocol resembles HTTP: it is text based, and very open and flexible. It has therefore largely replaced the H.323 standard.
Session Initiation Protocol
• Application layer protocol, similar to HTTP
• Client-server model
• Uses requests and responses for transactions
• Requests and responses are transmitted in ASCII plaintext (like HTTP)
SIP Entities
• A SIP network is composed of a number of logical SIP entities:
  – User Agent (Phone)
    • Initiates, receives and terminates calls
  – Proxy Server (Call Controller)
    • Acts on behalf of a UA in forwarding or responding to requests
    • Can “fork” requests to multiple servers
  – Redirect Server (Call Controller)
    • Responds to, but does not forward, requests
  – Registration Server (Call Controller)
    • Handles User Agent authentication and registration
SIP Entity Example
[Diagram: User Agents (hard phone, soft phone, 802.11X), a Proxy Server and a Registration Server on the Packet Switched Network; a VoIP Gateway connects to the Circuit Switched Networks (traditional digital and analog lines, and a PBX with its own Registration Server).]
VoIP Threats: Denial of Service
• IP phones shadow computers. Both are residents on the same network.
  – Request Flooding
    • H.323 Setup floods
    • SIP INVITE floods
  – Malformed Signaling
    • c07-SIP PROTOS test suite
    • CERT® Advisory CA-2003-06 affected Alcatel, Cisco, Ingate, IPTel, Mediatrix Telecom, Nortel and others
VoIP Security Concern – Denial of Service
• Interjected Signaling
  – Unsolicited “End Session” or “BYE” packets will terminate calls
• Underlying OS DoS
  – A soft client is only as reliable as the OS it runs on
  – Microsoft
• Distributed DoS
  – Multiple focused external attacks on a given Gateway
  – SYN Flood attacks, malformed ICMP “Nuke” attacks, etc., can be mitigated or eliminated effectively with a proper firewall
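The text-based, HTTP-like structure of SIP described under “Session Initiation Protocol” is also what lets a defender spot INVITE floods and interjected BYE requests from the signaling alone. The following is an added example, not code from the slides: a small monitor that parses SIP messages from a constructed trace, remembers confirmed dialogs by Call-ID and From/To tags, and alerts on a BYE that matches no known dialog or on more INVITEs per source than an assumed threshold.

```python
from collections import deque

FLOOD_INVITES = 5     # assumed threshold: more INVITEs than this from one source ...
FLOOD_WINDOW_S = 1.0  # ... inside this window is reported as an INVITE flood

def parse_sip(raw):  # CRLF text, HTTP-like: a start line, then "Name: value" headers
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def _tag(value):  # the ";tag=..." parameter of a From/To header, or None
    return value.split(";tag=", 1)[1].split(";")[0].strip() if ";tag=" in value else None

def dialog_id(h):  # RFC 3261: a dialog is identified by Call-ID plus the From and To tags
    return (h.get("call-id"), _tag(h.get("from", "")), _tag(h.get("to", "")))

def monitor(trace):
    """trace: list of (time_s, src_ip, raw_sip) in arrival order -> list of alerts."""
    alerts, dialogs, recent = [], set(), {}
    for t, src, raw in trace:
        start, h = parse_sip(raw)
        if start.startswith("INVITE "):             # request flooding check
            q = recent.setdefault(src, deque())
            q.append(t)
            while t - q[0] > FLOOD_WINDOW_S:
                q.popleft()
            if len(q) > FLOOD_INVITES:
                alerts.append(("invite-flood", src))
        elif start.startswith("SIP/2.0 200") and h.get("cseq", "").endswith("INVITE"):
            dialogs.add(dialog_id(h))               # call confirmed: remember the dialog
        elif start.startswith("BYE "):              # interjected signaling check
            cid, ft, tt = dialog_id(h)
            # a BYE sent by the callee carries From/To (and their tags) swapped vs. the 200 OK
            if (cid, ft, tt) not in dialogs and (cid, tt, ft) not in dialogs:
                alerts.append(("unsolicited-bye", src))
    return alerts

def sip(start, call_id, frm, to, cseq):  # builds a minimal message for the constructed trace
    return "\r\n".join([start, "Call-ID: " + call_id, "From: " + frm, "To: " + to,
                        "CSeq: " + cseq, "Content-Length: 0", "", ""])

TRACE = [  # constructed sample, not a real capture: one good call, then an attacker at .99
    (0.0, "10.0.0.5", sip("INVITE sip:bob@example.net SIP/2.0", "c1", "<sip:alice@example.net>;tag=a1", "<sip:bob@example.net>", "1 INVITE")),
    (0.3, "10.0.0.6", sip("SIP/2.0 200 OK", "c1", "<sip:alice@example.net>;tag=a1", "<sip:bob@example.net>;tag=b1", "1 INVITE")),
    (0.9, "10.0.0.99", sip("BYE sip:alice@example.net SIP/2.0", "c1", "<sip:bob@example.net>;tag=zz", "<sip:alice@example.net>;tag=a1", "2 BYE")),
    (5.0, "10.0.0.6", sip("BYE sip:alice@example.net SIP/2.0", "c1", "<sip:bob@example.net>;tag=b1", "<sip:alice@example.net>;tag=a1", "2 BYE")),
] + [(6.0 + i * 0.05, "10.0.0.99", sip("INVITE sip:bob@example.net SIP/2.0", "f%d" % i,
      "<sip:x@example.net>;tag=f%d" % i, "<sip:bob@example.net>", "1 INVITE")) for i in range(6)]
```

Running `monitor(TRACE)` reports the forged BYE (wrong tag) and the burst of six INVITEs, while the callee's legitimate BYE passes because its swapped tags match the confirmed dialog.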
• Phishing via VoIP, “Vishing”
• SPAM over Internet Telephony (SPIT)
• Voice Over Misconfigured Internet Telephones (vomit)
  – Converts a captured phone call into a .wav file:
    vomit -r phone.dump | waveplay -S8000 -B16 -C1
• Eavesdropping
• SIP Server Impersonation
• Registration Hijacking
• Call Hijacking
SonicWALL/SecureIT
VoIP Threat: Eavesdropping
• IP to Circuit Based
  – APR (ARP Poison Routing) – Enables sniffing and the interception of IP traffic on switched networks
VoIP Threats: Eavesdropping
• If media is encrypted, but signaling is not
  – Invasion of privacy vulnerability – Number Harvesting
    • Builds a list of “real” phone numbers for future use (SPIT)
  – Invasion of privacy vulnerability – Call Pattern Tracking
    • Who is calling whom? When? How long?
• VoIP protection against eavesdropping
  – When implemented correctly – Better than POTS
  – When implemented incorrectly – More vulnerable than POTS
VoIP Security Concern – Quality of Service
• QoS at Layer 2, 3 and 4+
  – Layer 2: 802.1p
    • Requires 802.1Q VLAN header support
  – Layer 3: DSCP – Differentiated Services
    • Contained within the IP header
  – 802.1p/DSCP rely upon correct and accurate packet coloring
  – Vulnerable to injected higher-color network saturation
  – Dependent upon the capability of intermediate network equipment
  – Layer 4: VoIP-aware Stateful BWM (bandwidth management) is most reliable
    • Requires VoIP awareness and multiple stream identification and coalescing
    • Most effective when combined with Layer 2/3 marking/coloring
VoIP Security Concern – Interception/Modification
• Call Black Holes
  – A directed attack utilizing Dynamic Routing at intermediate routers, sending calls to unconnected networks
• Call Hijacking
  – A directed attack utilizing Dynamic Routing at intermediate routers, sending calls to an unintended “other” receiver
• Media Alteration
  – Modification of the media stream
• Caller ID Falsification
  – Caller ID modification – on-the-fly via interception, or intended falsification by the call initiator
VoIP Security Practices
• Bandwidth Management
  – Prioritize (Layer 7)
  – Segment onto logically distinct networks (NIST 800-58)
    • Separate VLANs
• QoS
  – Edge points
    • ISP Router
    • SOHO Router
  – Internally
• Physical
  – Port Management
VoIP Security Practices – Media and Signaling Encryption
• IPSec VPN
  – Currently the most complete solution
  – Complexity of configuration is a barrier
  – Not supported by many vendors
• TLS (Transport Layer Security), IETF
  – Interoperability concerns
  – Issues with key exchange
• SSL (Secure Sockets Layer), Netscape, IETF
  – Generally not supported for peer-to-peer
  – Hub and spoke deployments
Firewall – NAT/Port Considerations
• VoIP issues with classic stateful NAT firewalls
  – Inbound access to UDP/TCP ports is restricted by default
    • RTP is dynamically assigned an “even” port in the range 1024-65534
    • It would be necessary to open up the entire firewall
    • The RTCP port is dynamically remapped with Symmetric NAT
  – VoIP endpoints each have a unique IP
    • NAT turns all “internal” IPs into a single “external” IP
    • All incoming calls are to a single IP. Which endpoint is the actual intended IP?
  – VoIP requires either
    • Application Layer Gateway
    • Session Border Controller
Firewall Solution – SBC
• Session Border Controller
  – A dedicated appliance which implements firewall/NAT traversal
  – Tricks the existing firewall
  – Placed in the Signaling and Media Path between calling and called parties
  – Breaks end-to-end security unless private keys are shared with the SBC
  – Implemented as a B2BUA – Back-to-back User Agent
  – Can run into scalability issues
Firewall Solutions – ALG
• An Application Layer Gateway is a firewall which understands VoIP media
  – Embedded software on a firewall
  – Dynamically identifies, opens and closes ports as needed
  – Transforms outer (NAT) and inner (DPT) IPs & ports on-the-fly
  – May be able to identify and coalesce disparate streams into a single call flow for monitoring and QoS
  – Should be able to identify and protect against malformed signaling and media
  – Since it is not terminating/re-initiating calls, a proper ALG can scale beyond an SBC on a price/call metric
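As an added example (not the slides' or any vendor's code) of the port handling the NAT and ALG slides describe: parse the SDP carried in an INVITE, open only the RTP port it names plus the adjacent RTCP port, rewrite the private address and port to the firewall's, and refuse media descriptions that break the even-port / 1024-65534 rule stated above. The external address and the port allocator are assumptions.

```python
# Added example (not vendor code) of the ALG behaviour described above: learn the
# RTP/RTCP ports from the SDP in an INVITE, open only those, rewrite the inner address.
EXTERNAL_IP = "203.0.113.10"   # assumed public address of the firewall
class MediaError(ValueError): pass   # a media description the ALG should drop

def parse_media(sdp):
    """Return (connection_ip, [(media_type, port, proto), ...]) from an SDP body."""
    conn, media = None, []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            conn = line.split()[2]
        elif line.startswith("m="):
            parts = line[2:].split()
            if len(parts) < 3 or not parts[1].isdigit():
                raise MediaError("malformed m= line: " + line)
            media.append((parts[0], int(parts[1]), parts[2]))
    if conn is None or not media:
        raise MediaError("SDP lacks c= or m= lines")
    return conn, media

def alg_pinholes(sdp, next_ext_port):
    """Plan pinholes for an outbound INVITE and return (pinholes, rewritten_sdp).
    next_ext_port: first even external port to hand out (assumed allocator).
    Each pinhole is (proto, external_port, internal_ip, internal_port)."""
    conn, media = parse_media(sdp)
    pinholes, rewrite = [], {}
    for kind, port, proto in media:
        # the slides' rule: RTP uses an even port in 1024-65534; RTCP is RTP + 1
        if not proto.startswith("RTP/") or port % 2 or not 1024 <= port <= 65534:
            raise MediaError("refusing %s on port %d (%s)" % (kind, port, proto))
        ext, next_ext_port = next_ext_port, next_ext_port + 2
        pinholes.append(("udp", ext, conn, port))          # RTP
        pinholes.append(("udp", ext + 1, conn, port + 1))  # RTCP
        rewrite[port] = ext
    out = []
    for line in sdp.splitlines():                          # rewrite c= and m=
        if line.startswith("c=IN IP4 "):
            line = "c=IN IP4 " + EXTERNAL_IP
        elif line.startswith("m="):
            p = line[2:].split()
            p[1] = str(rewrite[int(p[1])])
            line = "m=" + " ".join(p)
        out.append(line)
    return pinholes, "\r\n".join(out)

SAMPLE_SDP = "\r\n".join([  # constructed INVITE body from a phone at 10.0.0.5
    "v=0", "o=alice 2890844526 2890844526 IN IP4 10.0.0.5", "s=-",
    "c=IN IP4 10.0.0.5", "t=0 0", "m=audio 49170 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000", "a=rtpmap:8 PCMA/8000"])
```

`alg_pinholes(SAMPLE_SDP, 40000)` yields exactly two UDP pinholes (RTP and RTCP) instead of the whole 1024-65534 range, and the rewritten SDP advertises 203.0.113.10:40000 to the far end.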
NIST Recommendations
• NIST Special Publication 800-58, January 2005
  – Logically distinct networks
  – Use an ALG firewall or Session Border Controller
    • STUN – Simple Traversal of UDP through NAT; does not work with Symmetric NAT
    • TURN – Traversal Using Relay NAT; works with STUN; limited to a single peer behind a NAT device
    • ICE – Interactive Connectivity Establishment; uses STUN, TURN, RSIP; requires additional SDP attributes
    • UPnP – Universal Plug and Play; multi-NAT scalability and security issues
  – Strong authentication and IPSec or SSH to access the controller
  – Use end-point encryption or Site-to-Site IPSec tunnels
  – Don’t use soft phones – PCs are too vulnerable
  – Stay away from 802.11 a/b/g phones without IPSec
VoIP Security Practices – Endpoint and Call Manager Protection
• UTM Firewall – Unified Threat Management
• Physical and Logical Security
  – Access to the Call Manager must be restricted
  – It is only as secure as the weakest password
• Redundant Power
  – VoIP requires AC power to operate; PSTN does not
• End-to-end Encryption
  – TLS, SRTP covers media only
  – IPSec, SSL covers media and signaling
References
• VOIPSA - http://voipsa.org
• CERT - http://www.cert.org
• NIST, “Security Considerations for Voice Over IP Systems” - http://csrc.nist.gov
Best Practices