Secure Your VoIP Network with Open Source
10/12/2009
Suhas Desai
Friday, 9 October 2009, 12:15–01:30 PM, Bombay Exhibition Centre
Track: Emerging Technology and Trends - Open Source
www.interop.com/mumbai
Confidential © Tech Mahindra 2008
Agenda
About VoIP Security
Open Source Testing Tools
Sample Testing Approach
Summary
VoIP Overview
Introduction to VoIP
• VoIP is being rapidly embraced across most markets as an alternative to the traditional PSTN.
• VoIP deployment can impact applications, networks and infrastructure that run on a wide variety of platforms.
• The cost savings of VoIP compared with circuit-switched networks are encouraging companies to move to VoIP.
Issues and Concerns
• VoIP deployment has brought with it many security concerns, such as non-repudiation, authentication, call quality, integrity and privacy.
• VoIP calls to the PSTN are not allowed in India.
VoIP Security Threats & Impact
VoIP Security Threats
• Phreaking: An attacker tries to break into the telephone network and uses it for malicious activities such as making long calls or tapping conversations.
• Eavesdropping: An attacker tries to intercept telephone lines with electronic devices.
• Vishing: Voice phishing leverages VoIP technology for social engineering to retrieve confidential information such as credit card numbers and financial details.
• SPIT: Spamming over Internet Telephony is like e-mail spamming, where VoIP calls are sent as spam to the victim.
Impact
• Loss of Confidentiality, Integrity and Authentication
• Loss of Privacy
• Non-repudiation
• Social Threats
• QoS
Possible Mitigation Considerations
• Deploy VoIP traffic monitors: Monitor the connections to log fraudulent activities.
• Employ encryption techniques: Strong encryption techniques provide privacy and confidentiality over the network.
• Use voice firewalls: Control inbound and outbound connections by filtering the traffic.
• Use adequate security infrastructure: Deploy secure gateways, gatekeepers and proxy servers to protect network traffic.
• Use IPsec tunneling: IPsec provides secure communication over the network through authentication and encryption.
• Conduct regular security audits: Audit the VoIP network regularly for security vulnerabilities.
• Use VoIP platforms with adequate security features: Prefer a proven VoIP platform with built-in security features for development and deployment of VoIP applications.
Commercial Security Testing Tools
A security assessment of the VoIP network needs to be performed with the tools below.
Tool: Description
• CommView VoIP Analyzer: Captures real-time VoIP events.
• Etherpeek: Sniffs VoIP traffic.
• EnableSecurity VoIPPack for CANVAS: Performs scans, enumeration, and password attacks.
• Passive Vulnerability Scanner: Detects the actual protocol, administrative interfaces and VoIP scanner(s).
• VoIPAudit: VoIP vulnerability scanner.
• SiPBlast: Tests VoIP infrastructure.
• NSAUDITOR: SIP UDP traffic generator / flooder.
• Codenomicon VoIP Fuzzers: Commercial versions of the free PROTOS toolset.
• Mu Dynamics VoIP, IPTV, IMS Fuzzing Platform: Fuzzing appliance for SIP, Diameter, H.323 and MGCP protocols.
• Spirent ThreatEx: Protocol fuzzer and robustness tester.
• SiPCPE: Evaluates SIP infrastructure protocol.
Open Source and VoIP
Why Open Source?
• Source code available
• Easy to customize, code reuse and redistributable.
• Cost Savings
Open Source Tools
• SIP Proxies: Mini-SIP-Proxy, MjServer, MySIPSwitch, NethidPro3.0.6, Net-SIP, JAIN-SIP Proxy, OpenSBC, OpenSER, OpenSIPS, partysip, SaRP, sipd, SIP Express Router, Siproxd, SIPVicious, sipX, Vocal, Yxa.
• SIP Clients: Cockatoo, Ekiga, FreeSWITCH, JPhone, Kphone, Linphone, minisip, MjUA, OpenSIPStack, OpenZoep, PJSUA, QuteCom (ex-Open Wengo), SFLphone, Shtoom, SipToSis, sipXezPhone, sipXphone, Twinkle, YATE, YeaPhone.
• SIP Tools: Callflow, Open Source Asterisk AMI, pjsip-perf, miTester for SIP, PROTOS Test Suite, SFTF, SIP CallerID, SIPbomber, Sipp, Sipper, SIP Proxy, Sipsak, SIP Soft client, SIPVicious tool suite, SMAP, Vovida.org load balancer.
• H.323 Clients: FGnomeMeeting, ohphoneX, OpenPhone.
• H.323 Gatekeeper: GNU Gatekeeper.
• RTP Proxies: AG Projects, Maxim Sobolev's RTPproxy, MediaProxy.
Open Source Tools (Contd…)
• PBX Platforms: Asterisk, CallWeaver, OpenPBX, PBX4Linux, SIPexchange PBX, Pingtel's SIP PBX, sipwitch, sipX.
• IVR Platforms: Bayonne, CT Server, OpenVXI, SEMS, sipX PBX, VoiceXML.
• VoiceMail Servers: Lintad, OpenUMS, SEMS, VOCP.
• Development Platforms: H323plus, OpenBloX, Ooh323c, ++Skype.
• Fax Servers: Asterisk Fax Email Gateway, Lintad, Hylafax.
Security Testing Tools
• VoIP Sniffing Tools: AuthTool, Cain & Abel, Oreka, PSIPDump, rtpBreak, SIPomatic, SIPv6 Analyzer, UCSniff, VoiPong, VoIPong ISO Bootable, VOMIT, WIST.
• VoIP Scanning and Enumeration Tools: enumIAX, iaxscan, iWar, SCTPScan, SIP Forum Test Framework (SFTF), SIP-Scan, SIPcrack, Sipflanker, SIPSCAN, SiVuS, SMAP.
• VoIP Packet Flooding Tools: IAXFlooder, INVITE Flooder, kphone-ddos, RTP Flooder, Scapy, SIPBomber, SIPsak, SIPp.
• VoIP Fuzzing Tools: Asteroid, PROTOS H.323 Fuzzer, PROTOS SIP Fuzzer.
• VoIP Signaling Manipulation Tools: BYE Teardown, SipRogue, VoIPHopper.
Best Practices for Using Open Source Tools
• Monitor VoIP traffic: Continuously monitor VoIP traffic to identify VoIP attacks. Use tools such as SIP-Scan, SiVuS and SMAP.
• Use encryption: Apply encryption to communication between end points. Use SRTP (Secure Real-time Transport Protocol).
• Use firewalls: Place the VoIP network behind an open source firewall. Use iptables.
• Conduct security audits: Audit the VoIP network regularly for security vulnerabilities and configuration flaws. Use the VoIP Security Audit Program (VSAP).
• Secure gateways, gatekeepers: Control the number of concurrent connections so that bandwidth is utilized properly.
• Secure proxy servers: Enforce authentication and authorized access control. Use Asterisk.
• Use IPsec tunneling: IPsec provides secure communication over public networks.
• Secure VoIP platforms: Prefer a VoIP platform with built-in security features for development and deployment of VoIP applications.
Open source products/tools provide options for:
• Secure configuration of servers
• Secure configuration of clients
• Securing gateways
• Securing firewalls
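An added example, not part of the original slides: one way to turn the "Monitor VoIP traffic" and concurrent-connection practices above into detection logic. It parses SIP requests and flags a source that sends too many INVITEs, or REGISTERs for too many different users, inside a time window; the thresholds, alert names, addresses and the example.test domain are assumptions, and the sample messages are constructed.

```python
import re
from collections import defaultdict, deque

START = re.compile(r"^(INVITE|REGISTER|OPTIONS|BYE|ACK|CANCEL) sips?:\S+ SIP/2\.0$")
TO_USER = re.compile(r"sips?:([^@;>\s]+)@")

def parse_request(raw):
    """Return (method, user in the To header) for a SIP request, else None."""
    lines = raw.replace("\r\n", "\n").split("\n")
    start = START.match(lines[0].strip())
    if not start:
        return None                      # a response or a malformed start line
    to_value = ""
    for line in lines[1:]:
        if not line.strip():
            break                        # blank line ends the header section
        name, _, value = line.partition(":")
        if name.strip().lower() in ("to", "t"):   # "t" is the compact form
            to_value = value
    user = TO_USER.search(to_value)
    return start.group(1), user.group(1) if user else None

class SipMonitor:
    """Sliding-window counters per source address (thresholds are assumed values)."""
    def __init__(self, window=10.0, max_invites=5, max_users=4):
        self.window, self.max_invites, self.max_users = window, max_invites, max_users
        self.seen = defaultdict(deque)   # (src, method) -> (timestamp, To user)

    def observe(self, ts, src, raw):
        """Feed one captured request; return the list of alerts it triggers."""
        parsed = parse_request(raw)
        if parsed is None or parsed[0] not in ("INVITE", "REGISTER"):
            return []
        method, user = parsed
        q = self.seen[(src, method)]
        q.append((ts, user))
        while ts - q[0][0] > self.window:    # drop events older than the window
            q.popleft()
        if method == "INVITE":
            return ["invite-flood"] if len(q) > self.max_invites else []
        users = {u for _, u in q if u}       # distinct extensions being tried
        return ["register-scan"] if len(users) > self.max_users else []

def sample(method, user):
    """Constructed SIP request for the demo; example.test is a placeholder."""
    return (f"{method} sip:{user}@example.test SIP/2.0\r\n"
            f"To: <sip:{user}@example.test>\r\nCSeq: 1 {method}\r\n\r\n")
```

Feed `observe()` with the capture timestamp, source address and raw request from whatever sniffer or proxy log is in use; tune the window and thresholds to the normal call volume of the network.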
VoIP/SIP Security Assessment with Open Source before deployment:
• Footprinting: SiVuS, nmap
• Scanning: Nessus, SiVuS
VoIP Security Testing
• Eavesdropping: Cain and Abel, VoIPong, vomit
• Fuzzing: PROTOS SIP fuzzing suite
• SIP Protocol Testing: SIP Bomber
Example 1: SiVuS
Security assessment with SiVuS tool
SiVuS: SiVuS is a vulnerability scanner for VoIP networks that use the SIP protocol.
The scanner provides several powerful features to verify the robustness and secure implementation of a SIP component.
Users can verify the robustness and security of their SIP implementations by generating the attacks that are included in the SiVuS database or by crafting their own SIP messages using the SIP message generator.
Screenshots:
1. SIP Component Discovery
2. Message Generator
3. Security Findings Report
Example 2: SIP Bomber
Security assessment with SIP Bomber
SIP Bomber: SIP Bomber is used to test SIP protocol implementations.
SIP Bomber is compiled on Linux machines with an Asterisk server for testing the SIP server implementation.
Screenshots:
1. Message Generator
2. Password Validation
Summary
Building a VoIP network with open source is cost effective and reliable.
A VoIP network can be secured with open source tools and their configurations and settings.
Tools like SiVuS and SIP Bomber can be used to assess your VoIP security.