VoIP Security white paper
Page 1 out of 19 pages - Confidential and proprietary – Document4
Check Point NG FP2 VoIP Security Features
July
In this document:
Abstract (p. 2)
VoIP Introduction (p. 3)
VoIP protocols (p. 5)
Short introduction to H.323 (p. 5)
Short introduction to SIP (p. 7)
Why VoIP security is considered almost impossible (p. 8)
Check Point FireWall-1 Security features (p. 11)
Check Point FireWall-1 Security features for H.323 (p. 11)
Check Point FireWall-1 Security features for SIP (p. 13)
QoS integration (p. 14)
VoIP Security Problems prevented with Check Point (p. 15)
Summary (p. 17)
Appendix A – VoIP Standards and Recommendations (p. 18)
Abstract
Voice over IP (VoIP), one of the fastest emerging technologies today, is a technique by
which voice is transported over data network using the Internet Protocol (IP).
VoIP is no longer a vague concept; VoIP networks are experiencing rapid growth and are
being integrated into traditional IP networks in an equally rapid manner.
Until recently, it was not possible to securely deploy VoIP networks. The only way to allow
inbound calls was to leave a permanent hole from the outside world to the user's IP phone.
Obviously, this violates even the most basic firewall security policies. [1] One should always
bear in mind that basically, we are talking about an IP network where security is an integral
requirement. [2] In addition to the traditional threats that are introduced when deploying VoIP
networks, there are many challenges that need to be addressed without hindering
performance.
This paper describes Check Point’s NG FP2 VoIP security features and enhancements. In
order to recognize the outstanding achievement of Check Point’s VoIP security solution,
one should understand the problems of securing VoIP protocols. The following paragraph
describes the challenges that one is faced with trying to secure VoIP infrastructures using
H.323 based protocols:
[1] Can we talk? VoIP's firewall challenges, Daniel Briere and Beth Gage, The Edge, 06/11/02. http://www.nwfusion.com/edge/columnists/2002/0625bleeding.html
[2] VoIP, The Next Generation of Phreaking. Revision 1.1, by Ofir Arkin, @Stake
VoIP Introduction [3]
VoIP is the ability to make telephone calls over IP-based data networks with a suitable
quality of service (QoS) and superior cost/benefit. Everyone is talking about VoIP and
everyone wants to be seen as a leading contender in this arena.
Equipment developers and manufacturers see a window of opportunity to innovate and
compete. They are busy developing new VoIP-enabled equipment attempting to break into
the market in time.
Internet service providers see the possibility of competing with the PSTN for customers.
Users are interested in the integration of voice and data applications in addition to the cost
savings.
Although VoIP seems to be most attractive, the technology has not been developed to the
point where it can replace the services and quality provided by the PSTN. First it must be
clear that VoIP will indeed be cost effective. In order to compete with today's PSTN, there
must be significantly lower total cost of operation. These savings will initially be seen in the
area of long distance calls. VoIP provides a competitive threat to providers of traditional
telephone services that will clearly stimulate improvements in cost and function throughout
the industry.
VoIP implementations are present in many other applications. For example, voice messages
can be prepared using a telephone and then delivered to an integrated voice/data mailbox
using Internet or intranet services. Voice annotated documents, multimedia files, etc. can
easily become standard within office suites in the near future.
[3] http://www.protocols.com/papers/voip.htm
The main justifications for development of VoIP can be summarized as follows:
• Cost reduction.
As described, there can be a real savings in long distance telephone
costs, which is extremely important to most companies, particularly
those with international markets.
• Simplification.
An integrated voice/data network allows more standardization and
reduces total equipment needs.
• Consolidation.
The ability to eliminate points of failure, consolidate accounting
systems and combine operations is obviously more efficient.
• Advanced Applications.
The long run benefits of VoIP include support for multimedia and
multi-service applications; something which today's telephone system
cannot compete with.
Growth in the VoIP market is expected to be considerable over the next 5 years. Estimates
put the annual growth rate for IP-enabled telephone equipment at 132% between 1997 and
2002 with an expected market of some $3.16B in 2002.
This expected growth is encouraging to prospective developers of VoIP products. However,
many challenges are still facing developers of VoIP equipment, both in terms of voice
quality, latency and packet loss as well as call control and system management. For more
information on these and more issues regarding VoIP, see the full article: Voice over IP
(VoIP) in techguide.com, sponsored by Telogy Networks.
VoIP protocols
In order to provide voice services over data networks, and especially over traditional
Internet Protocol [4] based networks, different standards bodies such as the
ITU-T, ETSI, IETF, ANSI and many others have developed different protocols over the years. The following
diagram [5] illustrates the different standards groups. Each group has its own standard.
Figure 1: IP telephony standards groups
The most widely accepted protocols for VoIP are from the H.323 family of protocols and
from SIP.
Short introduction to H.323 [6]
The H.323 standard provides a foundation for audio, video, and data communications across
IP-based networks, including the Internet. H.323 is an umbrella recommendation from the
International Telecommunications Union (ITU) that sets standards for multimedia
[4] RFC 791 http://www.faqs.org/rfcs/rfc791.html
[5] Source: IP Telephony Protocols and Architectures, USENIX 1999, Melinda Shore, Nokia IP Telephony
[6] Source: http://www.protocols.com/pbook/h323.htm
communications over Local Area Networks (LANs) that do not provide a guaranteed Quality
of Service (QoS).
The H.323 standards are important building blocks for a broad new range of collaborative,
LAN-based applications for multimedia communications. H.323 includes H.225.0 (RAS and
Q.931), H.245, RTP/RTCP and audio/video codecs, such as the audio codecs (G.711, G.723.1,
G.728, etc.) and video codecs (H.261, H.263) that compress and decompress media streams.
Media streams are transported on RTP/RTCP. RTP carries the actual media and RTCP
carries status and control information. The signaling information is transported reliably over
TCP. The following protocols deal with signaling:
• RAS manages registration, admission, and status.
• Q.931 manages call setup and termination.
• H.245 negotiates channel usage and capabilities.
• H.235 manages security and authentication.
The following diagram shows H.323 protocols in relation to the OSI model
Figure 2: H.323 family and related protocols
Short introduction to SIP
The session initiation protocol (SIP) described in RFC 2543 is a signaling protocol for
setting up sessions between clients over a network, e.g. the Internet. These sessions do not
necessarily have to be Internet telephony sessions. SIP could just as well be used for setting
up gaming sessions or for distance learning where a lecture is streamed out to the
participants.
The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for
creating, modifying and terminating sessions with one or more participants. These sessions
include Internet multimedia conferences, Internet telephone calls and multimedia
distribution. Members in a session can communicate via multicast or via a mesh of unicast
relations, or a combination of these. SIP invitations used to create sessions carry session
descriptions, which allow participants to agree on a set of compatible media types.
SIP supports user mobility by proxying and redirecting requests to the user's current
location. It follows that users can register their current location. SIP is not tied to any
particular conference control protocol.
SIP is designed to be independent of the lower-layer transport protocol and can be extended
with additional capabilities. The following diagram contains an example of a SIP message:
INVITE sip:[email protected] SIP/2.0
via: SIP/2.0/UDP 134.138.242.7:5062
from: sip:[email protected]
to: sip:[email protected]
call-ID: [email protected]
cseq: 1444 INVITE
user-agent: Ellemtel-PICo/R2H
contact: sip:[email protected]:5062
content-type: application/sdp
content-length: 250

v=0
o=uabfrth 955720785594 955720785594 IN IP4 134.138.242.7
s=Basic Session
c=IN IP4 134.138.242.7
t=955720785594 0
m=audio 2328 RTP/AVP 8 0 96 98 99 97
a=rtpmap:96 SC6/6000
a=rtpmap:98 SC6/3000
a=rtpmap:99 RT24/2400
a=rtpmap:97 VR15/1500
Diagram 3: SIP message example
Why VoIP security is considered almost impossible
H.323 is complex, uses dynamic ports, and includes multiple UDP streams. Punching holes
in a firewall lets voice pass through but could put networks at risk. This threat becomes dire
for businesses using server-based IP PBXs because the phone systems could be brought
down by viruses and hacker attacks. [7] In the past, vendors that provide proprietary
security solutions for H.323 explained why it would be almost impossible to provide
firewall-based security solutions. A comprehensive study made by Intel
Corporation discussed the different possible solutions for H.323 security problems. Based
on this study, the following are some of H.323's major security-related problems:
• An H.323 call contains many different simultaneous connections. At least two of the
connections are TCP. For an audio-only conference, there may be up to 4 different UDP
connections made.
• All connections except one are made to ephemeral (dynamic) ports.
• Calls can be initiated from outside the firewall, as well as from inside. In order to make
conference calls, external users need to be able to establish calls directly with internal users’
desktop systems.
• The addresses and port numbers are exchanged within the data stream of the “next
higher” connection. For example, the port number for the H.245 connection is established
within the Q.931 data stream. This makes it particularly difficult for address translating
firewalls, which must modify the addresses inside those data streams. To make matters
worse, it is possible in Q.931, for example, to specify that the H.245 connection should be
secured (encrypted).
• Most of the control information is encoded in ASN.1 (only the User-User Information
within Q.931 Protocol Data Units, or PDUs, is ASN.1-encoded. Other parts of each Q.931
PDU are not encoded). For those unfamiliar with ASN.1, suffice it to say that it is a complex
encoding scheme which does not end up with fixed byte offsets for address information. In
fact, the same version of the same application connecting to the same destination may
negotiate to include different options, changing the byte offsets. [8]
[7] Firewall limits vex VoIP users. Phil Hochmuth and Tim Greene, Network World, 07/08/02. http://www.nwfusion.com/news/2002/0708voip.html
[8] Source: H.323 and Firewalls: The problems and pitfalls of getting H.323 safely through firewalls, Intel Corporation.
The ability to talk with a customer or business colleague is more than a business critical
requirement. It is one of the most primitive and basic tasks today. Whilst ensuring that the
VoIP system will work, security is an absolute requirement.
The same study [9] states that, in the author’s opinion, “A Stateful Inspection firewall can
provide better support for H.323 if it can disassemble the packets on the control streams and
dynamically open up the firewall as indicated. This is better than the solution above (Packet
Filter –S.B) because the only ports that are opened are those associated with the H.323
connection. However, disassembling the packets is not as easy as it sounds due to ASN.1
encoding of the control streams.”
Check Point is addressing those issues and more.
The following diagram illustrates in a graphical way the problems of securing VoIP
connections:
As one can see, there are several possible locations for the firewall. It can protect the
Gatekeeper, the Terminal or the Gateway. The terminal client may be located in the protected
zone or in another untrusted network.
The next diagram illustrates the problem of protecting the signaling traffic from being abused
by the users or hackers:
[9] H.323 and Firewalls: The problems and pitfalls of getting H.323 safely through firewalls, Intel Corporation, Table 1, page 12
A VoIP call is made up of many connections. A firewall can be placed between any of the
different parties. The challenge is to understand the context of a connection. This includes
both the data and the signaling connections. A VPN-1/FireWall-1 gateway that sees LRQ/LCF in a
specific configuration will enforce the relationship between the RAS and the Q.931
connections.
An even more complicated scenario is described in the next diagram. Two GateKeepers are
being used. Note that a firewall can be placed at any point between the different servers.
Check Point FireWall-1 Security features
Using the same security infrastructure that differentiates Check Point’s solutions from other
devices, VPN-1/FireWall-1 provides extensive security support for SIP and H.323
protocols.
Check Point FireWall-1 Security features for H.323
VPN-1/FireWall-1 performs the following operations for H.323 based protocols:
• Parsing of H.323 messages is done in the FireWall-1 kernel. This includes:
o Parsing of LRQ/LCF H.225 RAS messages.
o Parsing of Setup and Connect commands in Q.931 messages.
o Parsing of H.245 protocol commands.
• Parsing of Fast Start commands (H.245 encapsulated in H.225 messages).
• Performing Stateful Inspection on the RTP/RTCP ports opened based on the
H.323 signaling context (H.245 and T.120). In the case of H.225 RAS (LRQ/LCF),
FireWall-1 also opens the H.225 Q.931 ports dynamically. In this event, FireWall-1
enforces security restrictions which go far beyond the basic operation of dynamic
port allocation:
o Always enforces the control-data connection relationship.
o The H.323 service will not allow one type of connection to exist
independently of the other. The system does not allow any data
connection to open if the negotiation for it in the control connection
was not seen.
• FireWall-1 supports Gatekeeper direct and indirect routing modes. This allows
the highest level of flexibility in the network architecture.
o Direct (only RAS messages)
o Call Setup (Q.931)
o Call Setup & Call Control (Q.931 and H.245)
• Gateway supported routing modes:
o Call Setup (Q.931)
o Call Setup & Call Control (Q.931 and H.245)
• Since different parts of the signaling are handled by different entities, FireWall-1
enforces security restrictions over Handover domains: VPN-1/FireWall-1
disables the possibility of abusing the redirection capabilities of the signaling protocols
to allow unsolicited or non-VoIP communication. The following Handover types are
supported:
o Gatekeeper -> Gateway / End Point handover after Q.931/H.245
o Gateway -> End Point / (Gateway) handover after Q.931/H.245
o Cascaded [10]: Gatekeeper -> Gateway -> End Point.
All the capabilities that were mentioned are fully supported from the Policy Editor
GUI:
o VoIP domains.
o Definitions of Gateway object, Gatekeeper objects.
o Definitions of Endpoints domain, Routing mode.
H.323 logging
As a company that focuses on security, Check Point gave special attention to H.323 logging.
Check Point will generate the following logs:
• Call logs: each log entry contains the IP source and destination and the H.323
protocol types, including call logging of each message and the phone number from the
LRQ.
• Setup message logs (H.225 Q.931).
• Registration logs, which contain the H.323 phone numbers.
• Reject logs with a detailed description.
[10] The cascaded type is not really a type, since the End Point of a Gateway is not supposed to be an IP End Point. We allow this type since a Gateway can perform redirections between its own IP addresses.
Check Point FireWall-1 Security features for SIP
Check Point FireWall-1/VPN-1 provides the following security options for SIP Voice over
IP sessions:
• Rule-based SIP support with full GUI support.
• Ability to parse the SIP header to determine the multimedia type and the associated
media port.
• Ability to open RTP/RTCP ports, as indicated in the SDP header, and monitor the
states of those connections.
• The SIP service always enforces the control-data connection relationship. The
SIP service will not allow one type of connection to exist independently of the
other. This ensures the security and integrity of billing processes.
• Validation of the SIP call flow according to the RFC, dropping out-of-state
SIP messages.
• Ability to define a SIP Handover Domain object, thus disabling the possibility
of abusing the redirection capabilities of the signaling protocols to allow non-VoIP
communication.
• Handling of an extensive SIP feature set: re-INVITE messages (with the
ability to limit the re-INVITE messages), hold, conference calls…
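The two parsing items above (reading the SIP header and the SDP to learn the media port, then opening RTP/RTCP only for that call) and the INVITE shown in the SIP introduction can be illustrated with the following Python. It is an added example, not Check Point's code: it splits a SIP datagram, refuses a message whose Content-Length disagrees with the body actually received, and derives the RTP/RTCP pinholes tied to the Call-ID. The INVITE is constructed after the one in the SIP introduction, with the obfuscated user and host names replaced by example.com names; the even-port rule, the port-0 handling and the ValueError checks are this example's design, not documented FireWall-1 behaviour.

```python
"""Derive RTP/RTCP firewall pinholes from the SDP body of a SIP INVITE.
Added example, not Check Point's code; the INVITE is constructed after the one in
the SIP introduction, with the obfuscated names replaced by example.com names."""
from dataclasses import dataclass

# RFC 2543 compact header names, so "i:" is treated like "Call-ID:".
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id",
           "m": "contact", "c": "content-type", "l": "content-length"}

@dataclass
class SipMessage:
    start_line: str
    headers: dict        # lower-cased header name -> value
    body: str

@dataclass
class MediaPinhole:
    call_id: str         # signaling context the pinhole is tied to
    address: str         # media address from the SDP c= line
    rtp_port: int        # even port from the m= line
    rtcp_port: int       # RTP port + 1 (RFC 1889 convention)
    media_type: str
    payload_types: list

def build_invite(sdp_body: str) -> str:
    """Assemble a constructed INVITE whose Content-Length matches its body."""
    head = "\r\n".join([
        "INVITE sip:bob@example.com SIP/2.0",
        "via: SIP/2.0/UDP 134.138.242.7:5062",
        "from: sip:alice@example.com",
        "to: sip:bob@example.com",
        "call-ID: 955720785594@134.138.242.7",
        "cseq: 1444 INVITE",
        "contact: sip:alice@134.138.242.7:5062",
        "content-type: application/sdp",
        "content-length: %d" % len(sdp_body.encode())])
    return head + "\r\n\r\n" + sdp_body

SDP_BODY = "\r\n".join([
    "v=0", "o=uabfrth 955720785594 955720785594 IN IP4 134.138.242.7",
    "s=Basic Session", "c=IN IP4 134.138.242.7", "t=955720785594 0",
    "m=audio 2328 RTP/AVP 8 0 96 98 99 97",
    "a=rtpmap:96 SC6/6000", "a=rtpmap:98 SC6/3000",
    "a=rtpmap:99 RT24/2400", "a=rtpmap:97 VR15/1500"]) + "\r\n"
SAMPLE_INVITE = build_invite(SDP_BODY)

def parse_sip(raw: str) -> SipMessage:
    """Split a SIP datagram; reject it if Content-Length disagrees with the body."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().lower()
        headers[COMPACT.get(name, name)] = value.strip()
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode()):
        raise ValueError("Content-Length does not match the body received")
    return SipMessage(lines[0], headers, body)

def is_well_formed(raw: str) -> bool:
    try:
        parse_sip(raw)
        return True
    except ValueError:
        return False

def media_pinholes(msg: SipMessage) -> list:
    """One MediaPinhole per active m= line; port 0 (e.g. hold) opens nothing."""
    if msg.headers.get("content-type", "").lower() != "application/sdp":
        return []
    call_id = msg.headers["call-id"]
    session_addr = None        # c= before any m= applies to every stream
    pinholes, current, in_media = [], None, False
    for line in msg.body.splitlines():
        if line.startswith("c="):
            net, addrtype, addr = line[2:].split()[:3]
            if (net, addrtype) != ("IN", "IP4"):
                raise ValueError("unsupported connection line: " + line)
            if not in_media:
                session_addr = addr
            elif current is not None:
                current.address = addr   # media-level c= overrides session level
        elif line.startswith("m="):
            in_media = True
            mtype, port, proto, *fmts = line[2:].split()
            port = int(port)
            if port == 0:
                current = None
                continue
            if not proto.startswith("RTP/"):
                raise ValueError("non-RTP media not handled: " + proto)
            if port % 2:
                raise ValueError("RTP port must be even; RTCP is port + 1")
            current = MediaPinhole(call_id, session_addr, port, port + 1,
                                   mtype, [int(f) for f in fmts])
            pinholes.append(current)
    if any(p.address is None for p in pinholes):
        raise ValueError("m= line without any c= address")
    return pinholes
```

Each pinhole carries the Call-ID it was derived from, which is what lets a gateway close the media ports again when it sees the BYE for that call and refuse RTP for which no INVITE/200 exchange was ever seen. The Content-Length check matters because the gateway inspects the SDP a UDP datagram actually contains, not what its header claims.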
SIP logging
Check Point VPN-1/FireWall-1 will generate the following logs:
• Call logs: Each log will contain the “from” and “to” SIP URLs and phone
numbers.
• Registration logs, which contain the SIP URLs.
• Reject logs with detailed description.
QoS integration
As described previously, quality of service (QoS) is essential for VoIP systems. The Check Point
architecture allows its QoS solution (Check Point FloodGate-1) to be integrated with the VoIP
security features.
Check Point FloodGate-1 is a policy-based, Quality of Service (QoS) solution for VPNs,
private WANs and Internet links, which is tightly integrated with VPN-1/FireWall-1.
It optimizes network performance by assigning priority to business-critical applications and
end users. In order to support the special business requirements of VoIP applications,
FloodGate-1 supports the VoIP-tuned mechanism LLQ – Low Latency Queuing.
This mechanism is tuned to achieve best latency for constant bit rate applications, like VoIP.
In order to limit the number of connections admitted, one should use LLQ with a per
connection guarantee. For voice application, one wants to give each conversation a
guaranteed bandwidth. Usually one should set an admission policy that does not accept
additional calls if bandwidth is not adequate.
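A per-connection guarantee under LLQ implies an admission decision before each call is counted against the reserved bandwidth. The following Python is an added example, not FloodGate-1 code: it computes the IP-layer bandwidth of one direction of a voice stream from the codec payload rate and packetization interval, and then admits or rejects calls against a reservation so that calls already admitted keep their guarantee. The reservation size and the G.711 figures are constructed inputs; the 40-byte overhead is the standard uncompressed IPv4 + UDP + RTP header size per packet.

```python
"""Call admission against an LLQ reservation with a per-call guarantee.
Added example, not FloodGate-1 code. Reservation and codec figures are constructed."""
IP_UDP_RTP_HEADER_BYTES = 20 + 8 + 12   # IPv4 + UDP + RTP, no header compression

def call_bandwidth_kbps(payload_kbps: float, ptime_ms: int) -> float:
    """IP-layer bandwidth of one direction of an RTP voice stream.

    payload_kbps is the codec rate (64 for G.711); ptime_ms is the audio
    carried per packet. Shorter packetization means more header overhead.
    """
    packets_per_second = 1000 / ptime_ms
    payload_bytes = payload_kbps * 1000 * ptime_ms / 1000 / 8
    bits_per_second = packets_per_second * (payload_bytes + IP_UDP_RTP_HEADER_BYTES) * 8
    return bits_per_second / 1000

class LlqAdmissionControl:
    """Admits a call only if its guarantee still fits inside the reservation."""

    def __init__(self, reserved_kbps: float):
        self.reserved_kbps = reserved_kbps
        self.calls = {}                  # call_id -> guaranteed kbps

    @property
    def committed_kbps(self) -> float:
        return sum(self.calls.values())

    def admit(self, call_id: str, kbps: float) -> bool:
        if call_id in self.calls:
            raise ValueError("call already admitted: " + call_id)
        if self.committed_kbps + kbps > self.reserved_kbps:
            return False                 # reject rather than degrade admitted calls
        self.calls[call_id] = kbps
        return True

    def release(self, call_id: str) -> None:
        self.calls.pop(call_id, None)

def simulate_offered_load(reserved_kbps: float, per_call_kbps: float, offered: int) -> int:
    """Number of calls admitted when `offered` calls arrive one after another."""
    cac = LlqAdmissionControl(reserved_kbps)
    return sum(cac.admit("call-%d" % i, per_call_kbps) for i in range(offered))
```

With G.711 at 20 ms packetization each direction costs 80 kbps on the wire, so a 512 kbps reservation carries six calls and the seventh is refused until one of them is released; the same arithmetic shows why 10 ms packetization (96 kbps per direction) admits fewer calls for the same voice quality.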
VoIP Security Problems prevented with Check Point
In a Black Hat 2002 presentation, Ofir Arkin, Managing Security Architect for @stake, [11]
described several attacks against VoIP-based systems. [12] The following examples, taken from
his presentation, describe two different types of attacks that can easily be mitigated by
anyone using a properly configured VPN-1/FireWall-1, due to its Stateful Inspection
mechanism.
SIP Denial of Service
There are many simple Denial-of-Service attacks against SIP when using the UDP protocol.
Since UDP is an asynchronous protocol, if one can guess the target network a caller is
sending its SIP signaling over UDP to, sending an ICMP Error Message such as Port
Unreachable, Protocol Unreachable, Network Unreachable or even Host Unreachable will
terminate the signaling and the call in any state. This can also be achieved by using “CANCEL”
or “BYE” commands at any time.
Since Check Point solutions track the state of a SIP connection, they will limit any such
command abuse.
[11] [email protected]
[12] VoIP, The Next Generation of Phreaking. Revision 1.1, by Ofir Arkin, @Stake
In this example, a Check Point Gateway located in front of SIP phone A will
drop the packet arriving from attacker C, even if C is using the right protocol parameters,
since the call was originated from SIP phone B.
Call Hijacking
In the following example, SIP phone A sends an INVITE request to SIP phone B. The
attacker C sends a 301 message indicating that the called party has moved, and gives
his own forwarding address.
Another variant of this attack involves a DoS attack on SIP phone A and a spoofed registration
on the SIP Registration server.
A Check Point Gateway installed in front of either SIP phone A or the Registration
Server, or even both, can easily prevent those types of attacks. This is achieved since the SIP
connections are examined based on the hand-over domains as well as on the connection-specific
signaling parameters. In addition, Check Point ensures that spoofed IP connections
will be blocked.
It is important to mention that there are other types of attacks that can be blocked using
Check Point VoIP solutions.
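Both attacks in this section fall to the same rule: a SIP message is accepted only if it fits the dialog state the gateway has already recorded for its Call-ID and comes from a party of that dialog, and a redirect is honoured only into a configured handover domain. The following Python, an added example and not Check Point's implementation, models that state table for the two scenarios above (a third party sending CANCEL/BYE into someone else's call, and a 3xx "moved" response from a party that is not the callee or that points outside the handover domain). The addresses, Call-IDs and handover network are constructed; the state names, the re-INVITE limit and the verdict strings are this example's choices.

```python
"""Stateful SIP dialog tracking: drop third-party CANCEL/BYE and redirects that
leave the handover domain. Added example, not Check Point's implementation;
addresses, Call-IDs and the handover network below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class SipPacket:
    src_ip: str
    dst_ip: str
    call_id: str
    method: Optional[str] = None        # request method; None for a response
    status: Optional[int] = None        # response status; None for a request
    contact_host: Optional[str] = None  # host from the Contact header of a 3xx

@dataclass
class Dialog:
    caller: str
    callee: str
    state: str                          # INVITING, ESTABLISHED or ENDED
    reinvites: int = 0

class SipStatefulFilter:
    """Accepts a SIP message only if it fits the dialog already seen for its Call-ID."""

    def __init__(self, handover_domains, max_reinvites=3):
        self.handover = [ip_network(n) for n in handover_domains]
        self.max_reinvites = max_reinvites
        self.dialogs = {}
        self.events = []                # (verdict, reason, call_id) audit trail

    def _verdict(self, verdict, reason, pkt):
        self.events.append((verdict, reason, pkt.call_id))
        return verdict

    def _in_handover(self, host):
        try:
            target = ip_address(host)
        except ValueError:              # not a literal address: cannot be vetted
            return False
        return any(target in net for net in self.handover)

    def inspect(self, pkt: SipPacket) -> str:
        d = self.dialogs.get(pkt.call_id)
        return self._request(pkt, d) if pkt.method is not None else self._response(pkt, d)

    def _request(self, pkt, d):
        if d is None:
            if pkt.method != "INVITE":  # BYE/CANCEL with no dialog behind it
                return self._verdict("DROP", "no signaling context", pkt)
            self.dialogs[pkt.call_id] = Dialog(pkt.src_ip, pkt.dst_ip, "INVITING")
            return self._verdict("ACCEPT", "new dialog", pkt)
        if pkt.src_ip not in (d.caller, d.callee):
            return self._verdict("DROP", "request from third party", pkt)
        if pkt.method == "INVITE":      # re-INVITE inside an established call
            if d.state != "ESTABLISHED":
                return self._verdict("DROP", "re-INVITE out of state", pkt)
            d.reinvites += 1
            if d.reinvites > self.max_reinvites:
                return self._verdict("DROP", "re-INVITE limit exceeded", pkt)
            return self._verdict("ACCEPT", "re-INVITE", pkt)
        if pkt.method == "CANCEL":
            if d.state != "INVITING" or pkt.src_ip != d.caller:
                return self._verdict("DROP", "CANCEL out of state", pkt)
            d.state = "ENDED"
            return self._verdict("ACCEPT", "CANCEL", pkt)
        if pkt.method == "BYE":
            if d.state != "ESTABLISHED":
                return self._verdict("DROP", "BYE out of state", pkt)
            d.state = "ENDED"
            return self._verdict("ACCEPT", "BYE", pkt)
        if pkt.method == "ACK":
            return self._verdict("ACCEPT", "ACK", pkt)
        return self._verdict("DROP", "unhandled method " + pkt.method, pkt)

    def _response(self, pkt, d):
        if d is None:
            return self._verdict("DROP", "response without request", pkt)
        parties = {d.caller, d.callee}
        if pkt.src_ip not in parties or pkt.dst_ip not in parties:
            return self._verdict("DROP", "response from third party", pkt)
        if d.state != "INVITING":       # e.g. 200 OK answering a BYE or re-INVITE
            return self._verdict("ACCEPT", "in-dialog response", pkt)
        if pkt.src_ip != d.callee:      # INVITE responses come from the callee only
            return self._verdict("DROP", "INVITE response from wrong party", pkt)
        if pkt.status < 200:
            return self._verdict("ACCEPT", "provisional response", pkt)
        if pkt.status < 300:
            d.state = "ESTABLISHED"
            return self._verdict("ACCEPT", "call established", pkt)
        if pkt.status < 400:            # redirect: only into the handover domain
            if not self._in_handover(pkt.contact_host or ""):
                return self._verdict("DROP", "redirect outside handover domain", pkt)
            d.state = "ENDED"
            return self._verdict("ACCEPT", "redirect within handover domain", pkt)
        d.state = "ENDED"
        return self._verdict("ACCEPT", "call rejected", pkt)
```

The events list is the audit trail a reject log would be built from. The ICMP-error and spoofed-source cases in this section are handled below the SIP layer (an ICMP error must match an existing UDP flow, and anti-spoofing rejects packets whose source address does not belong on the interface they arrive on), so they are outside this block.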
Summary
VPN-1/FireWall-1 is the best-suited solution to protect VoIP-based applications. Its
inspection code is based on the original Stateful Inspection patent and it is integrated with
the other generic security features of FireWall-1. Combined with the integration of FloodGate-1
and the rich logging and debugging information, this positions the solution not only as
the most secure platform for VoIP applications, but also as the best VoIP infrastructure system.
Appendix A – VoIP Standards and Recommendations

Signaling: ITU-T Standards and Recommendations

Standard          Description
H.323 V2          Packet-based multimedia communications systems
H.225.0           Call signalling protocols and media stream packetization for packet-based multimedia (includes Q.931 and RAS)
H.225.0 Annex G   Gatekeeper to gatekeeper (inter-domain) communications
H.245             Control protocol for multimedia communications
H.235             Security and encryption for H-series multimedia terminals
H.450.x           Supplementary services for multimedia:
                  1. Generic functional protocol for the support of supplementary services in H.323
                  2. Call transfer
                  3. Diversion
                  4. Hold
                  5. Park & pickup
                  6. Call waiting
                  7. Message waiting indication
H.323 Annex D     Real-time fax using T.38
H.323 Annex E     Call connection over UDP
H.323 Annex F     Single-use device
T.38              Procedures for real-time group 3 facsimile communications over IP networks
T.120 series      Data protocols for multimedia conferencing

Signaling: IETF RFCs and Drafts

Standard          Description
RFC 2543          SIP: Session initiation protocol
RFC 2327          SDP: Session description protocol
Internet Draft    SAP: Session announcement protocol

Media Transport: IETF RFCs

Standard          Description
RFC 1889          RTP: Real-time transport protocol
RFC 1889          RTCP: Real-time transport control protocol
RFC 2326          RTSP: Real-time streaming protocol