Secure Your VoIP Network with Open Source. Suhas Desai. Friday, 9 October 2009, 12:15–01:30 PM, Bombay Exhibition Centre. Track: Emerging Technology and Trends - Open Source. www.interop.com/mumbai

Upload: suhas-desai

Post on 14-May-2015


Secure Your VoIP Network with Open Source

10/12/2009

Suhas Desai

Friday, 9 October 2009, 12:15–01:30 PM, Bombay Exhibition Centre

Track: Emerging Technology and Trends - Open Source

www.interop.com/mumbai


Confidential © Tech Mahindra 2008

Agenda

About VoIP Security

Open Source Testing Tools

Sample Testing Approach

Summary


VoIP Overview

Introduction to VoIP

• VoIP is being rapidly embraced across most markets as an alternative to the traditional PSTN.
• VoIP deployment can impact applications, networks and infrastructure that run on a wide variety of platforms.
• The cost savings of VoIP compared with circuit-switched networks are encouraging companies to move to VoIP.

Issues and Concerns

• VoIP deployment has brought with it many security concerns, such as non-repudiation, authentication, call quality, integrity and privacy.
• VoIP calls to PSTN are not allowed in India.


VoIP Security Threats & Impact

VoIP Security Threats

• Phreaking: An attacker tries to break into the telephone network and uses it for malicious activities such as making long calls or tapping conversations.
• Eavesdropping: An attacker tries to intercept telephone lines with electronic devices.
• Vishing: Voice phishing leverages VoIP technology for social engineering to retrieve confidential information such as credit card numbers and financial details.
• SPIT: Spamming over Internet Telephony is like e-mail spamming, where VoIP calls are sent as spam to the victim.

Impact

• Loss of Confidentiality, Integrity and Authentication
• Loss of Privacy
• Non-repudiation
• Social Threats
• QoS


Possible Mitigation Considerations

• Deploy VoIP traffic monitors: Monitor connections to log fraudulent activity.
• Employ encryption techniques: Strong encryption techniques provide privacy and confidentiality over the network.
• Use voice firewalls: Control inbound and outbound connections by filtering the traffic.
• Use adequate security infrastructure: Deploy secure gateways, gatekeepers and proxy servers to protect network traffic.
• Use IPsec tunneling: IPsec secures communication over the network by providing authentication and encryption.
• Conduct regular security audits: Audit the VoIP network regularly for security vulnerabilities.
• Use VoIP platforms with adequate security features: Prefer a proven VoIP platform with built-in security features for development and deployment of VoIP applications.


Commercial Security Tools

Commercial Security Testing Tools

Tool | Description
CommView VoIP Analyzer | Captures real-time VoIP events.
Etherpeek | Sniffs VoIP traffic.
EnableSecurity VoIPPack for CANVAS | Performs scans, enumeration, and password attacks.
Passive Vulnerability Scanner | Detects the actual protocol, administrative interfaces and VoIP scanner(s).
VoIPAudit | VoIP vulnerability scanner.
SiPBlast | Tests VoIP infrastructure.
NSAUDITOR | SIP UDP traffic generator / flooder.
Codenomicon VoIP Fuzzers | Commercial versions of the free PROTOS toolset.
Mu Dynamics VoIP, IPTV, IMS Fuzzing Platform | Fuzzing appliance for SIP, Diameter, H.323 and MGCP protocols.
Spirent ThreatEx | Protocol fuzzer and robustness tester.
SiPCPE | Evaluates SIP infrastructure protocol.

Need to perform security assessment of VoIP network with below tools!


Open Source and VoIP

Why Open Source?

• Source code available
• Easy to customize, code reuse and redistributable.
• Cost Savings

Open Source Tools

SIP Proxies: Mini-SIP-Proxy, MjServer, MySIPSwitch, NethidPro3.0.6, Net-SIP, JAIN-SIP Proxy, OpenSBC, OpenSER, OpenSIPS, partysip, SaRP, sipd, SIPExpress Router, Siproxd, SIPVicious, sipX, Vocal, Yxa.

SIP Clients: Cockatoo, Ekiga, FreeSWITCH, JPhone, Kphone, Linphone, minisip, MjUA, OpenSIPStack, OpenZoep, PJSUA, QuteCom ex-Open Wengo, SFLphone, Shtoom, SipToSis, sipXezPhone, sipXphone, Twinkle, YATE, YeaPhone.

SIP Tools: Callflow, Open Source Asterisk AMI, pjsip-perf, miTester for SIP, PROTOS Test Suite, SFTF, SIP CallerID, SIPbomber, Sipp, Sipper, SIP Proxy, Sipsak, SIP Soft client, SIPVicious tool suite, SMAP, Vovida.org load balancer.

H.323 Clients: FGnomeMeeting, ohphoneX, OpenPhone.

H.323 Gatekeeper: GNU Gatekeeper.

RTP Proxies: AG Projects, Maxim Sobolev's RTPproxy, MediaProxy.


Contd…

PBX Platforms: Asterisk, CallWeaver, OpenPBX, PBX4Linux, SIPexchange PBX, Pingtel's SIP PBX, sipwitch, sipX.

IVR Platforms: Bayonne, CT Server, OpenVXI, SEMS, sipX PBX, VoiceXML.

VoiceMail Servers: Lintad, OpenUMS, SEMS, VOCP.

Development Platforms: H323plus, OpenBloX, Ooh323c, ++Skype.

Fax Servers: Asterisk Fax Email Gateway, Lintad, Hylafax.

Security Testing Tools

VoIP Sniffing Tools: AuthTool, Cain & Abel, Oreka, PSIPDump, rtpBreak, SIPomatic, SIPv6 Analyzer, UCSniff, VoiPong, VoIPong ISO Bootable, VOMIT, WIST.

VoIP Scanning and Enumeration Tools: enumIAX, iaxscan, iWar, SCTPScan, SIP Forum Test Framework (SFTF), SIP-Scan, SIPcrack, Sipflanker, SIPSCAN, SiVuS, SMAP.

VoIP Packet Flooding Tools: IAXFlooder, INVITE Flooder, kphone-ddos, RTP Flooder, Scapy, SIPBomber, SIPsak, SIPp.

VoIP Fuzzing Tools: Asteroid, PROTOS H.323 Fuzzer, PROTOS SIP Fuzzer.

VoIP Signaling Manipulation Tools: BYE Teardown, SipRogue, VoIPHopper.


Best Practices for Using Open Source Tools

• Monitor VoIP traffic: Continuously monitor VoIP traffic to identify VoIP attacks. Use tools such as SIP-Scan, SiVuS and SMAP.
• Use encryption: Apply encryption to endpoint communication. Use SRTP (Secure Real-time Transport Protocol).
• Use firewalls: Place the VoIP network behind open source firewalls. Use iptables.
• Conduct security audits: Audit the VoIP network regularly for security vulnerabilities and configuration flaws. Use the VoIP Security Audit Program (VSAP).
• Secure gateways, gatekeepers: Control the number of concurrent connections to utilize bandwidth properly.
• Secure proxy servers: Enforce authentication and authorized access control. Use Asterisk.
• Use IPsec tunneling: IPsec provides secure communication over public networks.
• Secure VoIP platforms: Prefer a VoIP platform with built-in security features for development and deployment of VoIP applications.
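As an illustration of the traffic-monitoring practice above, the following added example (not from the original slides) flags sources whose SIP requests look like scanning rather than normal phone behaviour. The sample traffic, addresses, host name and threshold are constructed assumptions; "friendly-scanner" is the default User-Agent of the SIPVicious suite listed earlier.

```python
import re
from collections import defaultdict

# Matches the request line of the methods a SIP scanner sends most often.
REQUEST_LINE = re.compile(
    r"^(REGISTER|OPTIONS|INVITE)\s+sips?:(?:([^@\s;]+)@)?\S+\s+SIP/2\.0$")

def parse_request(raw):
    """Return (method, target_user, headers) or None for anything else."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers

def find_suspects(events, max_targets=3, scanner_agents=("friendly-scanner",)):
    """Map source IP -> sorted reasons it looks like a scan, not a phone."""
    targets, reasons = defaultdict(set), defaultdict(set)
    for src, raw in events:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        _method, user, headers = parsed
        if user:
            targets[src].add(user)
        agent = headers.get("user-agent", "").lower()
        if any(a in agent for a in scanner_agents):
            reasons[src].add("scanner-user-agent")
    for src, users in targets.items():
        if len(users) > max_targets:  # one source probing many extensions
            reasons[src].add("extension-enumeration")
    return {src: sorted(r) for src, r in reasons.items()}

def make_request(method, user, agent):
    uri = f"sip:{user}@pbx.example.test" if user else "sip:pbx.example.test"
    return f"{method} {uri} SIP/2.0\r\nUser-Agent: {agent}\r\nContent-Length: 0\r\n\r\n"

# Constructed sample: (source IP, raw request) pairs, as a capture tool would supply.
SAMPLE = (
    [("192.0.2.10", make_request("REGISTER", "1001", "Twinkle/1.4"))] * 3
    + [("198.51.100.7", make_request("REGISTER", str(100 + i), "softphone")) for i in range(6)]
    + [("203.0.113.5", make_request("OPTIONS", None, "friendly-scanner"))]
)
```

Calling `find_suspects(SAMPLE)` reports the enumerating source and the scanner User-Agent while leaving the phone that re-registers a single extension alone.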


Contd…

Open source products/tools provide options for:

• Secure configuration of servers
• Secure configuration of clients
• Securing gateways
• Securing firewalls

VoIP/SIP security assessment with open source before deployment:

Footprinting
• SiVuS
• nmap

Scanning
• Nessus
• SiVuS

VoIP Security Testing

Eavesdropping
• Cain and Abel
• VoIPong
• vomit

Fuzzing
• PROTOS SIP fuzzing suite

SIP Protocol Testing
• SIP Bomber


Example 1: SiVuS

Security assessment with SiVuS tool

SiVuS: SiVuS is a vulnerability scanner for VoIP networks that use the SIP protocol.

The scanner provides several powerful features to verify the robustness and secure implementation of a SIP component.

SiVuS lets users verify the robustness and security of their SIP implementations by generating the attacks that are included in the SiVuS database or by crafting their own SIP messages using the SIP message generator.

Screenshots:

1. SIP Component Discovery

2. Message Generator


3. Security Findings Report


Example 2: SIP Bomber

Security assessment with SIP Bomber

SIP Bomber: SIP Bomber is used to test SIP protocol implementations.

SIP Bomber is compiled on Linux machines with an Asterisk server for testing the SIP server implementation.

Screenshots:

1. Message Generator

2. Password Validation


Summary

Building a VoIP network with open source is cost effective and reliable.

A VoIP network can be secured with open source tools and their configurations and settings.

Tools like SiVuS and SIP Bomber can be used to assess your VoIP security.
