Post on 28-Dec-2015
Session 37 VoIP Risks and Controls
©2004 Lucent Technologies World Wide Services
Voice Over IP Risks and Controls
Session Number 37
George G. McBride
October 5, 2004 1:30 PM – 3:00 PM
Key Points To Cover This Afternoon
The fundamentals and security concerns of VoIP
Mitigating risks associated with VoIP
Confidentiality, integrity, authentication, availability, access, and non-repudiation
Determining what to look for in an audit
Measuring risk and recommending actions to reduce vulnerability
Real Quick Introduction
What is Voice over IP?
– Definition: Transmission of voice over the IP Network
Why is it important to companies?
– $$$ (and sometimes “services”)
Is this brand new?
– SIP and H.323 Standards have been around since the mid 1990s
Why now?
VoIP Introduction
What do you need for a VoIP network?
– The IP Part: A data network
– The V Part: VoIP specific equipment
H.323 and SIP are two different sets of protocols and have different infrastructure requirements
– There is some commonality between the two!
VoIP Implementation
Who put the VoIP infrastructure in place?
– Many times, the designers and implementers are the traditional “voice” personnel
• May be just learning the new technology
– Nevertheless, the technology, including products, protocols, and services, is very new and “experts” are limited!
What Are The Threats?
Concern            PSTN Controls                 VoIP Controls
Confidentiality    Physical                      Encryption
Integrity          Physical                      Encryption/Checksums
Availability       Physical Access Control       Logical Access Control
Authentication     Recognition & Caller ID       User ID and Password
Authorization      Access Control & Caller ID    Access Control
Design             Large/Complex/Centralized     Varies…Distributed
Interoperability   Centralized & Very Tested     Distributed & Ad-Hoc
The Legal Threat
Discussions, debates, and actions are currently underway to determine whether or not the Communications Assistance to Law Enforcement Act (CALEA) requirements apply to VoIP technologies.
– Service Providers Only?
– All Companies?
Emergency Services
911 Emergency Services
– PSTN/POTS locations are generally assigned by physical port and generally don’t move around!
– VoIP Phones by definition are usually “portable” and are simply based on IP addresses
• How are location services managed? Updated? Logged?
• Is it real-time?
The Biggest Threat!
Your organization is responsible for the costs related to toll fraud
When the VoIP Gateway is compromised and hackers use the gateway for unlimited international dialing, your company is responsible for the toll charges
I still don’t have any figures to share. Do you?
Problems With “Auditing” VoIP
We’re often asked to “audit” the VoIP infrastructure against the current policies
These policies do not address the minimum security baseline for a VoIP infrastructure
Typical VoIP audits are also part “assessment”
The Audit: Documentation Review
Should begin with a formal review of all corporate documentation regarding the VoIP infrastructure:
– IP Network Infrastructure
– Corporate Service Offerings
– VoIP Infrastructure
• Client Devices
– Acceptable Use statements
– PSTN Interface SLAs
Auditing: Risk Management
One of the most important aspects to manage!
– Identification and Inventory of Assets
– Understanding of threats, vulnerabilities, and controls
– Cannot be evaluated in isolation. Threats and vulnerabilities are internal and external.
This is one area where Audit and IT Security can work together.
Auditing: The Architecture
Architecture:
– Need personnel with auditing, technology, and product know-how!
– Start from the top down to understand the details as you encounter them
– There may not be a “right” architecture, but there are many “wrong” ones
Before You Begin!
From your IT Organization’s source, obtain an inventory of the VoIP infrastructure
Obtain all documentation and specifications from the vendor to understand what you have and what it is supposed to do
Obtain configuration information
Review on-line vulnerability/risk databases
Auditing Concerns
The next few slides highlight some VoIP specific concerns that we should review.
– Are these part of your organization’s standards, practices, procedures, and policies?
This is a highlight of a number of areas that should be reviewed. There are plenty more!
Basic Auditing Considerations
Physical Security:
– The old “telecom” closets are often neglected and may be insecure. Where is your VoIP equipment?
– Protect test and trial equipment as you would production equipment. It usually has production grade configuration information
– Ensure UPS equipment can handle the new loads
Business Continuity Planning & Disaster Recovery
Have you incorporated the entire VoIP infrastructure into the BCP/DR efforts?
Have you tested it?
Are the employees aware of it?
Be aware of limited restores.
Companies today tend to build significant features into their VoIP phones that they’ve grown to need.
Logical Auditing Concerns
VLAN Usage:
– Separate voice and data on logically separate networks.
• Each VLAN should have a separate DHCP Server and management system
• Promotes QoS Issues
• VLAN Jumping still an issue, depending on equipment
Logical Auditing Concerns (Cont’d)
Firewalls:
– Are you using the right one for your environment?
• Is it VoIP Specific? Does it support SIP or H.323? What about Megaco?
– Does it support Application Level Gateways or Proxies?
– Pinholing?
– Is it stateful?
Auditing The Firewall
Obtain the Firewall rule sets.
– Can you experiment in a “lab” setting? This is great to validate the firewall rule sets!
What are the static ports?
– Port 1720 for Call Signaling
– Usually H.225 traffic.
– Any others for management?
What are the required dynamic ports?
Even a VoIP-aware firewall will require reviewing, tuning, and tweaking
Logical Auditing Concerns (Cont’d)
Interfaces:
– PSTN to VoIP Infrastructure:
• At the Voice Gateway: Are SIP, H.323, MGCP, and Megaco connections from the data network prohibited?
• What authentication is configured? Required?
The Firewall
A Great Cisco Whitepaper highlights key areas where voice and data traffic intersect and should have firewall protection:
– PC Based IP Phones (d) requiring access to the voice segment (v) to place calls
– IP Phones (d) and call managers (v) accessing voice-mail
– Users (d) accessing the proxy server (v)
– Proxy Server (v) accessing network resources (d)
– IP Phones (v) to call processing manager (v) or proxy server (v) because the interaction uses the data segment to communicate
Firewall NAT
NAT (Network Address Translation) helps to efficiently utilize resources and to provide some level of security.
– Full Cone (1:1 address and port)
– Restricted Cone – same as full cone, but incoming packets are rejected unless an outbound one originated the traffic (looks at IP Address Only)
– Port Restricted Cone – Like Restricted Cone but restricts the inbound packet as it must be returning to the same outbound port
– Symmetric NAT – Different mapping for each inbound – outbound pair.
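The four NAT behaviours listed above, modelled as an added example that is not part of the original slides. The Nat class, the audit helper and all addresses are constructed for illustration, and symmetric NAT is assumed to filter inbound packets the way a port restricted cone does.

```python
from itertools import count

class Nat:
    """Toy UDP NAT (hypothetical model) for the four behaviours on the slide."""
    def __init__(self, kind):
        assert kind in ("full", "restricted", "port_restricted", "symmetric")
        self.kind = kind
        self.ports = count(40000)   # next free public port
        self.maps = {}              # mapping key -> public port
        self.owner = {}             # public port -> internal (ip, port)
        self.sent = {}              # public port -> external endpoints contacted

    def outbound(self, src, dst):
        """Internal src sends to external dst; return the public port used."""
        # Symmetric NAT allocates a mapping per (source, destination) pair.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.maps:
            self.maps[key] = next(self.ports)
        pub = self.maps[key]
        self.owner[pub] = src
        self.sent.setdefault(pub, set()).add(dst)
        return pub

    def inbound(self, pub, remote):
        """Return the internal endpoint a packet is forwarded to, or None if dropped."""
        if pub not in self.owner:
            return None
        if self.kind == "full":
            allowed = True                                    # anyone may use the mapping
        elif self.kind == "restricted":
            allowed = remote[0] in {ip for ip, _ in self.sent[pub]}  # IP address only
        else:
            allowed = remote in self.sent[pub]                # exact IP and port
        return self.owner[pub] if allowed else None

PHONE = ("10.0.0.5", 5060)          # constructed internal phone
PROXY = ("198.51.100.10", 5060)     # constructed external SIP proxy

def audit(kind):
    """Phone registers with the proxy; report which later inbound packets get through."""
    nat = Nat(kind)
    pub = nat.outbound(PHONE, PROXY)
    return {
        "proxy_reply": nat.inbound(pub, PROXY) is not None,
        "proxy_other_port": nat.inbound(pub, ("198.51.100.10", 16384)) is not None,
        "unrelated_host": nat.inbound(pub, ("203.0.113.7", 16384)) is not None,
        "new_port_per_destination": nat.outbound(PHONE, ("203.0.113.7", 5060)) != pub,
    }
```

Calling audit() for each type shows why the NAT type matters in a VoIP review: media usually arrives from a different address or port than the signaling proxy, so only the full cone case forwards it without an extra pinhole.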
Logical Auditing Concerns (Cont’d)
Remote Management
– Use SSH only for remote administration and management.
• Telnet is dead.
– For the truly paranoid, use dedicated consoles for each management server
– How are the configuration files protected? Backed-up?
QoS: Quality of Service
Is Quality of Service a “Security Issue”?
– It is when the security features impact the VoIP QoS levels.
– You’ll invariably be asked about it during your Audit
The next few slides highlight some QoS issues
QoS
Latency – time from source to destination. The ITU-T recommends that latency be less than 150ms.
– Queuing
– Encoding
– Packetization
– Transmission
Jitter
Jitter – the time differences between packet arrival on the receiving end.
– Jitter often affects QoS more than latency
– Caused by low bandwidth
– Can cause packets to be processed out of sequence and/or dropped if they fall outside of the receiving buffer
– Firewalls are a big source of jitter introduction
Bandwidth & Packet Loss
What is the available bandwidth for VoIP traffic? If on a VLAN, this answer is easy to compute. If on a shared network, this is quite a bit different (and more variable).
Packet Loss results from excessive latency or jitter, as well as from voice data riding over UDP.
What about H.235
Provides H.323 Security Features through defined profiles which provide different levels of security.
These must be required, not an optional implementation, as clients may choose not to use the features.
H.235v2/3
Builds up from H.235 and offers enhanced encryption as well as:
– Annex D: Shared secrets and keyed hashes
– Annex E: Digital signatures on every message
– Annex F: Digital signatures and shared secret establishment
Is it required?
What about Session Initiation Protocol (SIP)?
SIP Offers HTTP Digest Authentication
– Based on a challenge-response system
– Replaces HTTP Basic Authentication so that the password is not sent in the clear!
S/MIME can be used to enable public key distribution as well as authentication and integrity protection
– Authentication (and Integrity) of signaling data
– Confidentiality of signaling data
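The Digest challenge-response exchange described above, as an added example that is not part of the original slides. It follows RFC 2617 with MD5 and qop=auth; the Registrar class, the client_authorization helper and the single-use nonce policy are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth; only this hash crosses the wire."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class Registrar:
    """Hypothetical server side: issues challenges and verifies responses."""
    def __init__(self, realm, users):
        self.realm = realm
        # Keep HA1 per user rather than the cleartext password.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method, auth):
        if auth["nonce"] not in self.live_nonces or auth["username"] not in self.ha1:
            return False
        self.live_nonces.discard(auth["nonce"])   # single use: replays fail
        ha2 = md5_hex(f"{method}:{auth['uri']}")
        # qop is fixed to "auth" here, so a response computed without it is rejected.
        expected = md5_hex(":".join([self.ha1[auth["username"]], auth["nonce"],
                                     auth["nc"], auth["cnonce"], "auth", ha2]))
        return hmac.compare_digest(expected, auth["response"])

def client_authorization(user, password, method, uri, chal):
    """Build the Authorization parameters a user agent would send back."""
    cnonce = secrets.token_hex(8)
    response = digest_response(user, chal["realm"], password, method, uri,
                               chal["nonce"], "00000001", cnonce)
    return {"username": user, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "nc": "00000001", "cnonce": cnonce, "qop": "auth",
            "response": response}
```

For an audit, the points to check against a real deployment are the same ones the sketch makes explicit: whether nonces can be reused, and whether the server accepts a weaker form of the response than the one it asked for.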
SIP Security With TLS
TLS: Successor of SSL protects SIP signaling (integrity, confidentiality, replay)
Only works with TCP based SIP signaling
Must be configured hop-by-hop between user agents and proxies or between proxies
Provides key management with mutual authentication and secure key distribution
SIP Security
Besides TLS, SIP also supports:
– HTTP Digest
– IPSec (With IKE)
– IPSec (With manual key exchange)
– S/MIME
Be aware of bidding down attacks
SRTP
Secure Real-time Transport Protocol
– A “profile” of RTP offers confidentiality, authentication, and replay protection
– Encrypts Payloads
– Independent of the key management system
– Independent of the RTP stack chosen
– Can use AES
– Hardware Crypto Support, although it was designed with low computational requirements.
SRTP Audit Points
Keep these things in mind:
– How are the encryption keys distributed?
• Pre-Shared
• Public Key
• Diffie-Hellman Key Exchange using Public Key
• Diffie-Hellman Key Exchange using Pre-Shared Secret
– Is it only being used for encryption or also integrity and replay-attack protection?
What I’m Seeing…
Default administration accounts
Ineffective encryption (It may be AES, but not in use at key points)
Web-Server interfaces (It may be easier for the admin and the bad-guys!)
DHCP and TFTP Server Spoofing and Insertion Attacks
What I’m Seeing
Random responses to invalidly formatted or excessive packets
Security mechanisms susceptible to “bidding-down” attacks
Firewalls that require just a bit of “tuning” to disable that service that isn’t required or the ports that can be closed
What’s in my toolbox?
In order to perform a technical based review, you’ll need some tools:
– Sniffers
– Injectors
– Vulnerability Scanners
Some important documents from the ITU, NIST, ETSI, and most importantly, equipment vendors!
Network Sniffers
Empirix Hammer Call Analyzer
VoIP Specific
Great for beginners through advanced users
Very expensive
VoIP Sniffers Also Do Call Analysis
Network Sniffers
Ethereal
Requires more work to decode the packets and review traffic
It’s Open Source, it’s free, and it’s supported through a large user community
Network Traffic Injectors
Available From: http://www.komodia.com/
Great Packet Crafting Tool
SiVus
Various Documents
Additional Resources
National Institute of Standards and Technology: Security Considerations for Voice Over IP Systems: http://csrc.nist.gov/publications/nistpubs/
Empirix Call Analyzer: http://www.empirix.com/Empirix/Network+IP+Storage+Test/
SiVus at VoP Security: http://www.vopsecurity.org/
IETF/ITU Documents
ETSI Tiphon Documents
J. Halpern, “IP Telephony Security in Depth”, Cisco
VoIP Summary
Know your stuff! Or hire those that do!
– VoIP technology is still evolving and is very complex!
It’s more than just voice on the IP network
Look for everything you would look for with a standard Audit and you’ll knock out a lot of the “common” audit findings.
Watch mis-configurations on VoIP. Understand the configurations. What looks good may not be.
Contact Information
Lucent Technologies
Bell Labs Innovations
Lucent Technologies Inc.
Room 2N-611G
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: gmcbride@lucent.com
George McBride
Senior Manager
Lucent Worldwide Services
Please contact me with any questions, comments, complaints, or new developments.