VoIP Security, Sanjay Kalra, Juniper Networks. September 10-12, 2007, Los Angeles Convention Center, Los Angeles, California


Upload: jacob-jenkins

Post on 23-Dec-2015


VoIP Security
Sanjay Kalra
Juniper Networks


September 10-12, 2007 • Los Angeles Convention Center • Los Angeles, California

www.ITEXPO.com

VoIP Issues

[Diagram: VoIP deployment scenarios (IP PBX services, hosted IP Centrex, voice over broadband, wholesale VoIP, peering) linking enterprise, SME, SOHO/residential, wireless/mobile, other-carrier and VoIP service provider networks over the Internet or IP network, with carrier-to-enterprise, carrier-to-SOHO/residential and carrier-to-carrier boundaries]

• Security
– DoS attacks
– Service theft
– Fraud
– SPIT & Vishing
– Protocol vulnerabilities

• Address Translation
– Conversion of private/public IP addresses
– Firewalls challenged by small signaling/media packets
– VoIP protocols not understood by all firewalls

• Service Assurance
– Quality of service
– Admission enforcement
– Lack of reporting

• Regulatory Compliance
– E-911
– Lawful intercept
– CALEA support


VoIP Attack Examples

• Vishing – Spam email from PayPal asking users to leave credit card number.

• Toll Fraud – Two people convicted of toll fraud using brute force. They resold minutes stolen from VoIP carriers.

• DoS – Buffer overflow in Asterisk.

• DoS – Session Border Controller of a carrier compromised, as it could not provide security.


VoIP security risks in detail

[Diagram: VoIP deployment topology linking enterprise, SME, SOHO/residential, wireless/mobile, other-carrier and VoIP service provider networks over the Internet or IP network]

• Infrastructure
– (D)DoS attacks
– Route poisoning
– Traffic padding
– IP and ARP spoofing
– Session hijacking/replay
– VoIP protocol vulnerabilities

• VoIP infrastructure
– Server OS vulnerabilities
– Registration DoS attacks
– Invite overflows
– Excessive call setup rate
– Billing fraud
– Malformed protocol messages
– Man-in-the-middle attacks
– DHCP/ARP spoofing

• VoIP content
– Call intercept
– Confidentiality issues
– Vishing
– Unwanted content
– Spambots collecting VoIP addresses
– Route server hacks can redirect calls
– Illegal call intercept
– Recording of conversations through accessing infrastructure (Ethereal records VoIP traffic as audio file)


VoIP Security Mitigation

• IP PBX DoS or hacking attacks
– H.323 and SIP ALGs dynamically open and close FW ports to keep network secure

• Back door to corporate network
– Combination of ALGs, firewall and zone capabilities keep data network secure

• Voice call intercept
– Encrypt VoIP connections with site-to-site VPN (DES, 3DES, AES) to prevent eavesdropping

• All LAN segments have voice access
– Zones enable separation of VoIP network elements to ensure appropriate policies are applied
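What "dynamically open and close FW ports" involves on the signaling side, as an added example (not from the slides and not any vendor's implementation): the ALG reads the SDP body of a SIP message and opens only the negotiated RTP port and its RTCP neighbour. The sample INVITE is constructed, Pinhole and pinholes_from_sip are hypothetical names, and refusing ports below 1024 is an assumed policy.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: SIP INVITE with an SDP offer; the video stream is disabled (port 0).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "m=video 0 RTP/AVP 31",
    "",
])

@dataclass(frozen=True)
class Pinhole:  # hypothetical rule record, not a vendor API
    call_id: str
    dst_ip: str
    dst_port: int  # UDP

def pinholes_from_sip(message):
    """Return the RTP/RTCP pinholes an ALG would open for one SIP message."""
    head, sep, body = message.partition("\r\n\r\n")
    headers = {n.strip().lower(): v.strip() for n, _, v in
               (l.partition(":") for l in head.split("\r\n")[1:])}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if not sep or ctype != "application/sdp":
        return []  # no SDP body, so no media ports are opened
    call_id = headers["call-id"]  # KeyError: refuse to track a call without one
    blocks = [[0, None]]  # blocks[0] holds the session-level c= address
    for line in body.split("\r\n"):
        if line.startswith("c="):  # literal IPs only; anything else raises ValueError
            blocks[-1][1] = str(ipaddress.ip_address(line.split()[-1]))
        elif line.startswith("m="):
            blocks.append([int(line.split()[1].split("/")[0]), None])
    holes = []
    for port, ip in blocks[1:]:
        ip = ip or blocks[0][1]  # media-level c= overrides the session level
        if port == 0:
            continue  # stream disabled: never open a port for it
        if ip is None or not 1024 <= port <= 65534:
            raise ValueError("unusable media description")
        holes += [Pinhole(call_id, ip, port), Pinhole(call_id, ip, port + 1)]
    return holes
```

Each pinhole is keyed by Call-ID so it can be closed again when the BYE for that call is seen.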


Tiered Approach to security

• Integrated control between layers of the network
• Filter at the edge
– Use equipment that can be controlled to filter at the edge
– Don’t allow unwanted traffic into the network
• Provide topology hiding at the edge
– Hide all the internal network
• Centralised management
– Alerts come to a central place
– Operator can be involved in the process
• Threat risk reduced by layers
– If one layer misses the threat another catches it


VoIP Security Toolkit

• IDP to mitigate VoIP attacks
• Zone Based Architecture
• Security through Firewall ALGs
• Voice Eavesdropping Prevention through encryption
• Unauthorized Use Prevention with Policy access control
• Resilient VPN Connectivity with Dynamic Tunnel Failover


Defense Against VoIP Security Threats

Each entry lists the VoIP security threat, followed by its ramifications and the defense technology.

• DoS attack on PBX, IP phone or gateway
– Ramifications: All voice communications fail
– Defense technology: FW with SIP attack protection; IDP with SIP sigs/protocol anom

• Unauthorized access to PBX or voice mail system
– Ramifications: Hacker listens to voice mails, accesses call logs, company directories, etc.
– Defense technology: Zones, ALGs, policy-based access control

• Toll fraud
– Ramifications: Hacker utilizes PBX for long-distance calling, increasing costs
– Defense technology: VPNs, encryption (IPSec or other)

• Eavesdropping or man-in-the-middle attack
– Ramifications: Voice conversations unknowingly intercepted and altered
– Defense technology: VPNs, encryption (IPSec or other)

• Worms/trojans/viruses on IP phones, PBX
– Ramifications: Infected PBX and/or phones rendered useless, spread problems throughout network
– Defense technology: IDP with SIP protocol anomaly and stateful signatures

• SPIT (VoIP SPAM) and Vishing
– Ramifications: Lost productivity, annoyance and financial loss
– Defense technology: ALGs, SIP attack prevention, SIP source IP limitations, UDP flood protection, authentication
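One way to apply the "SIP source IP limitations" listed above to the registration floods and excessive call setup rates named earlier in the deck, as an added example (not from the slides): a sliding-window counter per source address and SIP method. The limits, the window length and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed policy (not from the slides): max requests per source per window.
LIMITS = {"REGISTER": 5, "INVITE": 10}
WINDOW = 10.0  # seconds

def flag_sources(events, limits=LIMITS, window=WINDOW):
    """events: iterable of (timestamp, src_ip, sip_method), sorted by time.
    Returns {(src_ip, method): timestamp at which the limit was first exceeded}."""
    recent = defaultdict(deque)  # (src, method) -> timestamps inside the window
    flagged = {}
    for ts, src, method in events:
        limit = limits.get(method)
        if limit is None:
            continue  # only registration and call-setup requests are limited
        q = recent[(src, method)]
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()  # drop requests that have aged out of the window
        if len(q) > limit and (src, method) not in flagged:
            flagged[(src, method)] = ts
    return flagged

def sample_events():
    """Constructed traffic: a phone re-registering, a caller, and one flooding source."""
    events = [(i * 30.0, "192.0.2.20", "REGISTER") for i in range(4)]
    events += [(40.0 + i * 0.5, "203.0.113.9", "REGISTER") for i in range(12)]
    events += [(41.0 + i * 2.0, "192.0.2.21", "INVITE") for i in range(5)]
    return sorted(events)

if __name__ == "__main__":
    for (src, method), ts in flag_sources(sample_events()).items():
        print(f"{src} exceeded the {method} limit at t={ts}s")
```

Keying on source address alone undercounts floods that arrive through a NAT or from spoofed UDP sources, which is why the slide pairs this control with authentication and UDP flood protection.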