
VoIP Security white paper

Page 1 out of 19 pages - Confidential and proprietary – Document4

Check Point NG FP2 VoIP Security Features

July

In this document:

Abstract
VoIP Introduction
VoIP protocols
Short introduction to H.323
Short introduction to SIP
Why VoIP security is considered almost impossible
Check Point FireWall-1 Security features
Check Point FireWall-1 Security features for H.323
Check Point FireWall-1 Security features for SIP
QoS integration
VoIP Security Problems prevented with Check Point
Summary
Appendix A – VoIP Standards and Recommendations


Abstract

Voice over IP (VoIP), one of the fastest emerging technologies today, is a technique by which voice is transported over a data network using the Internet Protocol (IP). VoIP is no longer a vague concept; VoIP networks are growing rapidly and are being integrated into traditional IP networks just as rapidly.

Until recently, it was not possible to deploy VoIP networks securely. The only way to allow inbound calls was to leave a permanent hole from the outside world to the user's IP phone. Obviously, this violates even the most basic firewall security policies. [1] One should always bear in mind that this is, fundamentally, an IP network, where security is an integral requirement. [2] In addition to the traditional threats, deploying VoIP introduces many challenges that must be addressed without hindering performance.

This paper describes Check Point's NG FP2 VoIP security features and enhancements. To appreciate what Check Point's VoIP security solution achieves, one should first understand the problems of securing VoIP protocols. The sections that follow introduce the protocols and then describe the challenges faced when trying to secure VoIP infrastructures built on H.323 and SIP.

[1] Can we talk? VoIP's firewall challenges, Daniel Briere and Beth Gage, The Edge, 06/11/02. http://www.nwfusion.com/edge/columnists/2002/0625bleeding.html
[2] VoIP, The Next Generation of Phreaking. Revision 1.1, Ofir Arkin, @stake


VoIP Introduction [3]

VoIP is the ability to make telephone calls over IP-based data networks with a suitable

quality of service (QoS) and superior cost/benefit. Everyone is talking about VoIP and

everyone wants to be seen as a leading contender in this arena.

Equipment developers and manufacturers see a window of opportunity to innovate and

compete. They are busy developing new VoIP-enabled equipment attempting to break into

the market in time.

Internet service providers see the possibility of competing with the PSTN for customers.

Users are interested in the integration of voice and data applications in addition to the cost

savings.

Although VoIP is very attractive, the technology has not yet developed to the point where it can replace the services and quality provided by the PSTN. First, it must be clear that VoIP is indeed cost effective: to compete with today's PSTN, its total cost of operation must be significantly lower. These savings will initially be seen in long-distance calls. VoIP is a competitive threat to providers of traditional telephone services, and that threat will clearly stimulate improvements in cost and function throughout the industry.

VoIP implementations are present in many other applications. For example, voice messages

can be prepared using a telephone and then delivered to an integrated voice/data mailbox

using Internet or intranet services. Voice annotated documents, multimedia files, etc. can

easily become standard within office suites in the near future.

[3] http://www.protocols.com/papers/voip.htm


The main justifications for development of VoIP can be summarized as follows:

• Cost reduction.

As described, there can be a real savings in long distance telephone

costs, which is extremely important to most companies, particularly

those with international markets.

• Simplification.

An integrated voice/data network allows more standardization and

reduces total equipment needs.

• Consolidation.

The ability to eliminate points of failure, consolidate accounting

systems and combine operations is obviously more efficient.

• Advanced Applications.

The long-term benefits of VoIP include support for multimedia and
multi-service applications, something with which today's telephone
system cannot compete.

Growth in the VoIP market is expected to be considerable over the next 5 years. Estimates

put the annual growth rate for IP-enabled telephone equipment at 132% between 1997 and

2002 with an expected market of some $3.16B in 2002.

This expected growth is encouraging to prospective developers of VoIP products. However,

many challenges are still facing developers of VoIP equipment, both in terms of voice

quality, latency and packet loss as well as call control and system management. For more

information on these and more issues regarding VoIP, see the full article: Voice over IP

(VoIP) in techguide.com, sponsored by Telogy Networks.


VoIP protocols

To provide voice services over data networks, and especially over Internet Protocol [4] based networks, standards bodies such as the ITU-T, ETSI, IETF and ANSI have over the years developed different protocols. The following diagram [5] illustrates the different standards groups; each group has its own standard.

Figure 1: IP telephony standards groups

The most widely accepted protocols for VoIP are from the H.323 family of protocols and

from SIP.

Short introduction to H.323 [6]

The H.323 standard provides a foundation for audio, video, and data communications across IP-based networks, including the Internet. H.323 is an umbrella recommendation from the International Telecommunication Union (ITU) that sets standards for multimedia communications over Local Area Networks (LANs) that do not provide a guaranteed Quality of Service (QoS).

[4] RFC 791 http://www.faqs.org/rfcs/rfc791.html
[5] Source: IP Telephony Protocols and Architectures, USENIX 1999, Melinda Shore, Nokia IP Telephony
[6] Source: http://www.protocols.com/pbook/h323.htm

The H.323 standards are important building blocks for a broad new range of collaborative, LAN-based applications for multimedia communications. The umbrella covers H.225.0 (RAS and Q.931 call signaling), H.245, RTP/RTCP and the audio and video codecs, such as the audio codecs (G.711, G.723.1, G.728, etc.) and video codecs (H.261, H.263), that compress and decompress the media streams.

Media streams are transported on RTP/RTCP: RTP carries the actual media and RTCP carries status and control information. Call signaling (Q.931) and call control (H.245) are transported reliably over TCP, while RAS messages are exchanged over UDP. The following protocols deal with signaling:

• RAS manages registration, admission, and status.

• Q.931 manages call setup and termination.

• H.245 negotiates channel usage and capabilities.

• H.235 manages security and authentication.

The following diagram shows the H.323 protocols in relation to the OSI model.

Figure 2: H.323 family and related protocols


Short introduction to SIP

The Session Initiation Protocol (SIP), described in RFC 2543, is a signaling protocol for setting up sessions between clients over a network such as the Internet. These sessions do not have to be Internet telephony sessions; SIP could just as well be used to set up gaming sessions, or distance learning where a lecture is streamed out to the participants.

SIP is an application-layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants. These sessions include Internet multimedia conferences, Internet telephone calls and multimedia distribution. Members of a session can communicate via multicast, via a mesh of unicast relations, or a combination of these. The SIP invitations used to create sessions carry session descriptions, which allow participants to agree on a set of compatible media types.

SIP supports user mobility by proxying and redirecting requests to the user's current location; users register their current location for this purpose. SIP is not tied to any particular conference control protocol.

SIP is designed to be independent of the lower-layer transport protocol and can be extended with additional capabilities. The following diagram contains an example of a SIP message:

INVITE sip:[email protected] SIP/2.0
via: SIP/2.0/UDP 134.138.242.7:5062
from: sip:[email protected]
to: sip:[email protected]
call-ID: [email protected]
cseq: 1444 INVITE
user-agent: Ellemtel-PICo/R2H
contact: sip:[email protected]:5062
content-type: application/sdp
content-length: 250

v=0
o=uabfrth 955720785594 955720785594 IN IP4 134.138.242.7
s=Basic Session
c=IN IP4 134.138.242.7
t=955720785594 0
m=audio 2328 RTP/AVP 8 0 96 98 99 97
a=rtpmap:96 SC6/6000
a=rtpmap:98 SC6/3000
a=rtpmap:99 RT24/2400
a=rtpmap:97 VR15/1500

Diagram 3: SIP message example
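The message above is exactly what a VoIP-aware firewall has to read before it can let the media through: the SDP body names the connection address (the c= line) and, for each stream, the port (the m= line); RTP uses that port and RTCP the next one up (RFC 1889). The Python below is an added example, not the white paper's or Check Point's code. It builds a constructed INVITE modelled on Diagram 3 (RFC 5737 documentation addresses and invented user names; nothing here is captured traffic), parses it, and returns the pinholes a firewall would open. Two checks are the example's own policy rather than anything the paper specifies: the Content-Length must match the body, and the SDP connection address must be the signaling sender's, so that an INVITE cannot open a hole toward a third party.

```python
"""Derive RTP/RTCP firewall pinholes from a SIP INVITE that carries SDP.

Added example, not the white paper's or Check Point's code. build_invite()
constructs a sample message modelled on Diagram 3 (RFC 5737 documentation
addresses, invented user names); nothing here is captured traffic.
"""


def build_invite(conn_ip, audio_port):
    """Construct a sample INVITE whose SDP offers audio on conn_ip:audio_port."""
    body = (
        "v=0\r\n"
        "o=alice 955720785594 955720785594 IN IP4 192.0.2.7\r\n"
        "s=Basic Session\r\n"
        "c=IN IP4 %s\r\n"
        "t=0 0\r\n"
        "m=audio %d RTP/AVP 8 0\r\n"
        "a=rtpmap:8 PCMA/8000\r\n"
        "a=rtpmap:0 PCMU/8000\r\n"
        "m=video 0 RTP/AVP 31\r\n"          # port 0: stream declined, needs no pinhole
    ) % (conn_ip, audio_port)
    return (
        "INVITE sip:bob@example.net SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.7:5062\r\n"
        "From: sip:alice@example.com\r\n"
        "To: sip:bob@example.net\r\n"
        "Call-ID: 1444abc@192.0.2.7\r\n"
        "CSeq: 1444 INVITE\r\n"
        "Contact: sip:alice@192.0.2.7:5062\r\n"
        "Content-Type: application/sdp\r\n"
        "Content-Length: %d\r\n\r\n" % len(body)
    ) + body


def parse_sip(raw):
    """Split a SIP message into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # header names are case-insensitive
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_sdp(body):
    """Return one dict per m= line: media type, port, transport and connection IP.

    A session-level c= applies to every stream unless a media-level c= that
    follows the m= line overrides it.
    """
    session_ip, streams = None, []
    for line in body.splitlines():
        if line.startswith("c="):                     # c=<nettype> <addrtype> <address>
            addr = line[2:].split()[2]
            if streams:
                streams[-1]["ip"] = addr
            else:
                session_ip = addr
        elif line.startswith("m="):                   # m=<media> <port> <proto> <fmt ...>
            media, port, proto = line[2:].split()[:3]
            streams.append({"media": media, "port": int(port), "proto": proto, "ip": session_ip})
    return streams


def inspect_invite(raw, src_ip):
    """Return ("accept", pinholes) or ("drop", reason) for an INVITE from src_ip.

    Each pinhole is (ip, port, "RTP"/"RTCP"); RTCP sits on the RTP port + 1
    (RFC 1889). Requiring the SDP connection address to equal the signaling
    sender is this example's policy, so that an INVITE cannot open a hole
    toward a third party.
    """
    request_line, headers, body = parse_sip(raw)
    if not request_line.startswith("INVITE "):
        return ("drop", "not an INVITE")
    if headers.get("content-type") != "application/sdp":
        return ("drop", "no SDP body")
    if headers.get("content-length") != str(len(body.encode())):
        return ("drop", "Content-Length does not match body")
    pinholes = []
    for s in parse_sdp(body):
        if s["proto"] != "RTP/AVP" or s["port"] == 0:   # declined or non-RTP stream
            continue
        if s["ip"] != src_ip:
            return ("drop", "SDP directs media to %s, sender is %s" % (s["ip"], src_ip))
        if not 1024 <= s["port"] <= 65534:
            return ("drop", "media port %d out of range" % s["port"])
        pinholes.append((s["ip"], s["port"], "RTP"))
        pinholes.append((s["ip"], s["port"] + 1, "RTCP"))
    return ("accept", pinholes)


if __name__ == "__main__":
    print(inspect_invite(build_invite("192.0.2.7", 2328), "192.0.2.7"))
    print(inspect_invite(build_invite("203.0.113.5", 2328), "192.0.2.7"))
```

A port of 0 in an m= line means the stream is declined and gets no pinhole. A production inspector would additionally tie the pinholes to the call (its Call-ID) so that they close when the call does; that is the state-tracking half of the problem, which the parsing alone does not solve.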


Why VoIP security is considered almost impossible

H.323 is complex, uses dynamic ports, and includes multiple UDP streams. Punching holes in a firewall lets voice pass through but could put networks at risk. This threat becomes dire for businesses using server-based IP PBXs, because the phone systems could be brought down by viruses and hacker attacks. [7] In the past, vendors providing proprietary security solutions for H.323 explained why it would be almost impossible to provide firewall-based security. A comprehensive study by Intel Corporation discussed the possible solutions to the H.323 security problems. Based on that study, the major security-related problems of H.323 are:

• An H.323 call consists of many simultaneous connections. At least two of them are TCP. For an audio-only conference, up to four different UDP connections may be made.

• All connections except one are made to ephemeral (dynamic) ports.

• Calls can be initiated from outside the firewall as well as from inside. To make conference calls, external users need to be able to establish calls directly with internal users' desktop systems.

• The addresses and port numbers are exchanged within the data stream of the "next higher" connection. For example, the port number for the H.245 connection is established within the Q.931 data stream. This makes things particularly difficult for address-translating firewalls, which must modify the addresses inside those data streams. To make matters worse, Q.931 allows, for example, specifying that the H.245 connection should be secured (encrypted), which puts the addresses carried in it beyond the firewall's reach.

• Most of the control information is encoded in ASN.1 (only the User-User Information element within Q.931 Protocol Data Units, or PDUs, is ASN.1-encoded; the other parts of each Q.931 PDU are not). For those unfamiliar with ASN.1, suffice it to say that it is a complex encoding scheme that does not yield fixed byte offsets for address information. In fact, the same version of the same application connecting to the same destination may negotiate different options, changing the byte offsets. [8]

[7] Firewall limits vex VoIP users. Phil Hochmuth and Tim Greene, Network World, 07/08/02. http://www.nwfusion.com/news/2002/0708voip.html
[8] Source: H.323 and Firewalls: The problems and pitfalls of getting H.323 safely through firewalls, Intel Corporation.


The ability to talk with a customer or business colleague is more than a business-critical requirement; it is one of the most basic tasks of the working day. Security is therefore an absolute requirement, alongside ensuring that the VoIP system works at all.

The same study [9] states that in the author's opinion, "A Stateful Inspection firewall can provide better support for H.323 if it can disassemble the packets on the control streams and dynamically open up the firewall as indicated. This is better than the solution above (Packet Filter – S.B.) because the only ports that are opened are those associated with the H.323 connection. However, disassembling the packets is not as easy as it sounds due to ASN.1 encoding of the control streams."

Check Point addresses these issues and more.

The following diagram illustrates graphically the problems of securing VoIP connections.

As one can see, there are several possible locations for the firewall: it can protect the Gatekeeper, the Terminal or the Gateway. The terminal client may be located in the protected zone or in another untrusted network.

The next diagram illustrates the problem of protecting the signaling traffic from abuse by users or hackers.

[9] H.323 and Firewalls: The problems and pitfalls of getting H.323 safely through firewalls, Intel Corporation, Table 1, page 12


A VoIP call is made up of many connections, and a firewall can be placed between any of the parties. The challenge is to understand the context of a connection, for the media connections as well as the signaling connections. VPN-1/FireWall-1, on seeing LRQ/LCF in a specific configuration, will enforce the relationship between the RAS and the Q.931 connections.

An even more complicated scenario is shown in the next diagram, in which two Gatekeepers are used. Note that a firewall can be placed at any point between the different servers.


Check Point FireWall-1 Security features

Using the same security infrastructure that differentiates Check Point's solutions from other devices, VPN-1/FireWall-1 provides extensive security support for the SIP and H.323 protocols.

Check Point FireWall-1 Security features for H.323

VPN-1/FireWall-1 performs the following operations for H.323-based protocols:

• Parsing of H.323 messages is done in the FireWall-1 kernel. This includes:

o Parsing of LRQ/LCF H.225 RAS messages.

o Parsing of Setup and Connect messages in Q.931.

o Parsing of H.245 protocol commands.

• Parsing of Fast Start elements, which encapsulate H.245 in H.225 messages.

• Performing Stateful Inspection on the RTP/RTCP (and T.120) ports that are opened on the basis of the H.323 signaling context (H.245). In the case of H.225 RAS (LRQ/LCF), FireWall-1 also opens the H.225 Q.931 ports dynamically. In both cases FireWall-1 enforces security restrictions that go far beyond basic dynamic port allocation:

o It always enforces the control-data connection relationship.

o The H.323 service will not allow one type of connection to exist independently of the other: no data connection is allowed to open unless its negotiation was seen in the control connection.

• FireWall-1 supports Gatekeeper direct and indirect routing modes, which allows the highest level of flexibility in the network architecture:

o Direct (only RAS messages)

o Call Setup (Q.931)

o Call Setup & Call Control (Q.931 and H.245)

• Supported Gateway routing modes:

o Call Setup (Q.931)

o Call Setup & Call Control (Q.931 and H.245)

• Since different parts of the signaling are performed by different entities, FireWall-1 enforces security restrictions over Handover domains: VPN-1/FireWall-1 disables the possibility of abusing the redirection capabilities of the signaling protocols to allow unsolicited or non-VoIP communication. The following Handover types are supported:

o Gatekeeper -> Gateway / End Point handover after Q.931/H.245

o Gateway -> End Point / (Gateway) handover after Q.931/H.245

o Cascaded [10]: Gatekeeper -> Gateway -> End Point.

All the capabilities mentioned are fully supported from the Policy Editor GUI:

o VoIP domains.

o Definitions of Gateway and Gatekeeper objects.

o Definitions of Endpoint domains and routing mode.

H.323 logging

As a company that focuses on security, Check Point has given special attention to H.323 logging. Check Point generates the following logs:

• Call logs: each entry contains the source and destination IP addresses and the H.323 protocol type, with a log of each message and the phone number from the LRQ.

• Setup message logs (H.225 Q.931).

• Registration logs, which contain the H.323 phone numbers.

• Reject logs with a detailed description.

[10] The cascaded type is not really a separate type, since the End Point of a Gateway is not supposed to be an IP End Point. We allow this type since a Gateway can perform redirections between its own IP addresses.


Check Point FireWall-1 Security features for SIP

Check Point VPN-1/FireWall-1 provides the following security options for SIP Voice over IP sessions:

• Rule-based SIP support with full GUI support.

• Ability to parse SIP headers to determine the media type and the associated media port.

• Ability to open RTP/RTCP ports as indicated in the SDP body, and to monitor the state of those connections.

• The SIP service always enforces the control-data connection relationship. The SIP service will not allow one type of connection to exist independently of the other. This ensures the security and integrity of billing processes.

• Validation of the SIP call flow according to the RFC, dropping out-of-state SIP messages.

• Ability to define a SIP Handover Domain object, thus removing the possibility of abusing the redirection capabilities of the signaling protocols to allow non-VoIP communication.

• Handling of an extensive SIP feature set: re-INVITE messages (with the ability to limit the number of re-INVITEs), hold, and conference calls.

SIP logging

Check Point VPN-1/FireWall-1 generates the following logs:

• Call logs: each entry contains the "From" and "To" SIP URLs and phone numbers.

• Registration logs, which contain the SIP URLs.

• Reject logs with a detailed description.


QoS integration

As described previously, quality of service (QoS) is essential for VoIP systems. The Check Point architecture allows its QoS solution (Check Point FloodGate-1) to be integrated with the VoIP security features.

Check Point FloodGate-1 is a policy-based Quality of Service (QoS) solution for VPNs, private WANs and Internet links, tightly integrated with VPN-1/FireWall-1. It optimizes network performance by assigning priority to business-critical applications and end users. To support the special requirements of VoIP applications, FloodGate-1 supports a VoIP-tuned mechanism, LLQ (Low Latency Queuing), which is tuned to achieve the best latency for constant-bit-rate applications such as VoIP.

To limit the number of connections admitted, LLQ should be used with a per-connection guarantee. For voice, each conversation should be given a guaranteed bandwidth, and the admission policy should normally refuse additional calls when bandwidth is not adequate.


VoIP Security Problems prevented with Check Point

At his Black Hat 2002 presentation, Ofir Arkin, Managing Security Architect for @stake [11], described several attacks against VoIP-based systems. [12] The following examples, taken from his presentation, describe two types of attack that can easily be mitigated by anyone using a properly configured VPN-1/FireWall-1, thanks to its Stateful Inspection mechanism.

SIP Denial of Service

There are many simple denial-of-service attacks against SIP over UDP. Since UDP is a connectionless protocol, if one can guess the target network to which a caller is sending its SIP signaling over UDP, sending an ICMP error message such as Port Unreachable, Protocol Unreachable, Network Unreachable or even Host Unreachable will terminate the signaling and the call in any state. The same can be achieved by sending "CANCEL" or "BYE" requests at any time.

Since Check Point tracks the state of a SIP connection, it will limit such abuse of commands.

[11] [email protected]
[12] VoIP, The Next Generation of Phreaking. Revision 1.1, Ofir Arkin, @stake


In this example, a Check Point gateway located in front of SIP phone A will drop the packet arriving from attacker C, even if C uses the right protocol parameters, since the call's other party is SIP phone B, not C.

Call Hijacking

In the following example, SIP phone A sends an INVITE request to SIP phone B. Attacker C sends a 301 (Moved Permanently) response indicating that the called party has moved, and supplies his own forwarding address.

Another variant of this attack involves a DoS attack on SIP phone A and a spoofed registration on the SIP registration server.

A Check Point gateway installed in front of either SIP phone A or the registration server, or both, can easily prevent these attacks, since SIP connections are examined against the hand-over domains as well as the connection-specific signaling parameters. In addition, Check Point ensures that spoofed IP connections will be blocked.
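The SIP feature list earlier (control-data relationship, out-of-state messages, hand-over domains, re-INVITE limits), the H.323 rules before it, and the two attacks just described all come down to one mechanism: the gateway keeps per-call state from the signaling it has inspected and passes nothing that state does not account for. The Python below is an added example of that mechanism, not the white paper's or Check Point's code. Messages are pre-parsed dicts constructed for the example (a real inspector parses them off the wire); the addresses are RFC 5737 documentation addresses, and the hand-over domain, the re-INVITE limit and the field names are assumptions of the example. demo() replays the two scenarios: attacker C, who knows the Call-ID, first answers with a 301 pointing at itself and then sends BYE; both are dropped, while B's own BYE closes the call and its media pinholes with it.

```python
"""Stateful SIP signalling tracker enforcing the control/data relationship.

Added example, not the white paper's or Check Point's code. Messages are
pre-parsed dicts constructed for the example (a real inspector would parse
them off the wire). Addresses are RFC 5737 documentation addresses; the
hand-over domain, the re-INVITE limit and the field names are assumptions.
"""

MAX_REINVITES = 5


class SipCallTracker:
    def __init__(self, handover_domain):
        self.handover = set(handover_domain)  # addresses a call may be proxied or redirected to
        self.calls = {}                       # Call-ID -> per-call state
        self.media = set()                    # (ip, port) endpoints allowed to carry RTP/RTCP

    def media_allowed(self, ip, port):
        return (ip, port) in self.media       # only endpoints negotiated in inspected signalling

    def inspect(self, msg):
        call = self.calls.get(msg["call_id"]) # returns "accept" or "drop: <reason>"
        if msg["type"] == "request":
            return self._request(msg, call)
        return self._response(msg, call)

    def _request(self, msg, call):
        method, src = msg["method"], msg["src"]
        if method == "INVITE" and call is None:          # new call: remember parties and offer
            self.calls[msg["call_id"]] = {
                "caller": src, "callee": msg["dst"], "responder": msg["dst"],
                "state": "inviting", "offer": msg.get("media"), "reinvites": 0, "media": set()}
            return "accept"
        if method not in ("INVITE", "ACK", "CANCEL", "BYE"):
            return "drop: unsupported method %s" % method
        if call is None:
            return "drop: %s for unknown call" % method
        if src not in (call["caller"], call["callee"]):  # third-party BYE/CANCEL: the DoS case
            return "drop: %s from %s, not a party to the call" % (method, src)
        if method == "INVITE":
            if call["state"] == "connected":              # re-INVITE (hold, codec change)
                call["reinvites"] += 1
                if call["reinvites"] > MAX_REINVITES:
                    return "drop: re-INVITE limit exceeded"
                call["state"] = "reinviting"
                call["responder"] = call["callee"] if src == call["caller"] else call["caller"]
            elif call["state"] != "inviting":             # a retry after a redirect is fine
                return "drop: INVITE out of state"
            call["offer"] = msg.get("media")
        elif method == "CANCEL" and call["state"] != "inviting":
            return "drop: CANCEL on established call"
        if method in ("CANCEL", "BYE"):
            self._close(msg["call_id"])
        return "accept"

    def _response(self, msg, call):
        status, src = msg["status"], msg["src"]
        if call is None:
            return "drop: response for unknown call"
        # Must come from the party the request went to or a proxy in the hand-over domain;
        # source-address spoofing is left to interface anti-spoofing.
        if src != call["responder"] and src not in self.handover:
            return "drop: response from %s, expected %s" % (src, call["responder"])
        if 300 <= status < 400:                           # redirect: the hijack case
            target = msg["contact"]
            if target not in self.handover:
                return "drop: redirect to %s outside hand-over domain" % target
            call["callee"] = call["responder"] = target   # re-targeted, still not connected
        elif status == 200 and call["state"] in ("inviting", "reinviting"):
            for endpoint in (call["offer"], msg.get("media")):
                if endpoint:                              # pinholes open only after both SDPs seen
                    call["media"].add(endpoint)
                    self.media.add(endpoint)
            call["state"] = "connected"
        elif status >= 400:
            self._close(msg["call_id"])
        return "accept"                                   # 1xx provisional responses pass

    def _close(self, call_id):
        call = self.calls.pop(call_id)
        self.media -= call["media"]                       # tear the pinholes down with the call


def demo():
    """Replay the paper's two attacks: phones A and B, attacker C who knows the Call-ID."""
    A, B, C = "192.0.2.7", "198.51.100.20", "203.0.113.5"
    fw = SipCallTracker(handover_domain={B, "198.51.100.10"})   # B and B's proxy
    cid, log = "1444abc@192.0.2.7", []
    log.append(fw.inspect({"type": "request", "method": "INVITE", "call_id": cid,
                           "src": A, "dst": B, "media": (A, 2328)}))
    log.append(fw.inspect({"type": "response", "status": 301, "call_id": cid,
                           "src": C, "contact": C}))               # C: "B has moved to me"
    log.append(fw.inspect({"type": "response", "status": 200, "call_id": cid,
                           "src": B, "media": (B, 4000)}))
    log.append(fw.inspect({"type": "request", "method": "BYE", "call_id": cid, "src": C}))
    log += [fw.media_allowed(B, 4000), fw.media_allowed(C, 4000)]
    log.append(fw.inspect({"type": "request", "method": "BYE", "call_id": cid, "src": B}))
    log.append(fw.media_allowed(A, 2328))
    return log
```

A 3xx is honoured only when it comes from the expected party or a proxy in the hand-over domain and redirects to an address inside that domain, which is what the Handover Domain object buys. The ICMP-error DoS the paper also mentions is not a matter of call state: it is handled by the generic connection table, which only accepts an ICMP error that refers to a connection it already knows.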

It is important to mention that there are other types of attacks that can be blocked using Check Point VoIP solutions.

Summary

VPN-1/FireWall-1 is the best-suited solution for protecting VoIP-based applications. Its inspection code is based on the original Stateful Inspection patent and is integrated with the other generic security features of FireWall-1. Combined with the FloodGate-1 integration and the rich logging and debugging information, this positions the solution not only as the most secure platform for VoIP applications, but also as the best VoIP infrastructure system.


Appendix A – VoIP Standards and Recommendations

Signaling: ITU-T Standards and Recommendations

Standard            Description
H.323 V2            Packet-based multimedia communications systems
H.225.0             Call signalling protocols and media stream packetization for packet-based multimedia (includes Q.931 and RAS)
H.225.0 Annex G     Gatekeeper to gatekeeper (inter-domain) communications
H.245               Control protocol for multimedia communications
H.235               Security and encryption for H-series multimedia terminals
H.450.x             Supplementary services for multimedia:
                    1. Generic functional protocol for the support of supplementary services in H.323
                    2. Call transfer
                    3. Diversion
                    4. Hold
                    5. Park & pickup
                    6. Call waiting
                    7. Message waiting indication
H.323 Annex D       Real-time fax using T.38
H.323 Annex E       Call connection over UDP
H.323 Annex F       Single-use device
T.38                Procedures for real-time group 3 facsimile communications over IP networks
T.120 series        Data protocols for multimedia conferencing

Signaling: IETF RFCs and Drafts

Standard            Description
RFC 2543            SIP: Session Initiation Protocol
RFC 2327            SDP: Session Description Protocol
Internet Draft      SAP: Session Announcement Protocol

Media Transport: IETF RFCs

Standard            Description
RFC 1889            RTP: Real-time Transport Protocol
RFC 1889            RTCP: Real-time Transport Control Protocol
RFC 2326            RTSP: Real-Time Streaming Protocol