• Home

  • Education

  • Askozia VoIP Security white paper - 2017, English
6
1. Network Meets VoIP Analog and ISDN phone systems are connected to the public switched telephone network (PSTN) but usually not to the internet. IP phone systems or PBXs on the other hand, are more vulnerable as they are connected to the internet through the local network (LAN) or directly through the SIP protocol. If the phone system is connected to the service provider (ISP) through the SIP protocol, it should access the internet through a firewall. However, even if is not directly connected to the internet, it can still be attacked through the LAN as IP devices are accessible from each point within. Furthermore, network switches with management features enable eavesdropping from any location within the LAN, and service access points of some routers enable eavesdropping from the internet. If an attacker gets access to the LAN, the phone system can be attacked as well. Therefore, all IP devices and the access to your router, ISP and IP devices need to be secured at best. Another possibility, which we advise against, is the IP phone system being directly connected to the Internet and either having a public IP address, or certain firewall ports being open. This case often occurs if external phones are to be connected to the system through the internet, such as for traveling employees or home office usage. 2. Common Forms of Attacks 2.1 Fraud Typically, attackers perform a port scan to look for public IP addresses. If, for example, a SIP server is located behind port 5060 and an internal extension is known, a brute force attack can be used to determine the password. page 1 Modern IP Communication bears risks How to protect your business telephony from cyber attacks Voice-over-IP (VoIP) provides many new features over PSTN. However, the interconnection with your IT infrastructure also carries risks affecting the security and integrity of your IP services. As IT networks are targeted by attackers, insufficient prevention can endanger not only the network but your telecommunication infrastructure that is build on top of it. This paper aims to educate you about possible risks, common attacks and how to prevent them from being successful.

Askozia VoIP Security white paper - 2017, English

  • Upload
    askozia

  • View
    37

  • Download
    1

Embed Size (px)

Citation preview

Page 1: Askozia VoIP Security white paper - 2017, English

1. Network Meets VoIP

Analog and ISDN phone systems areconnected to the public switchedtelephone network (PSTN) but usuallynot to the internet. IP phone systemsor PBXs on the other hand, are morevulnerable as they are connected tothe internet through the local network(LAN) or directly through the SIPprotocol.

If the phone system is connected tothe service provider (ISP) through theSIP protocol, it should access theinternet through a firewall. However,even if is not directly connected to theinternet, it can still be attackedthrough the LAN as IP devices areaccessible from each point within.Furthermore, network switches withmanagement features enableeavesdropping from any locationwithin the LAN, and service accesspoints of some routers enableeavesdropping from the internet.

If an attacker gets access to the LAN,the phone system can be attacked aswell. Therefore, all IP devices and theaccess to your router, ISP and IPdevices need to be secured at best.

Another possibility, which we adviseagainst, is the IP phone system beingdirectly connected to the Internet andeither having a public IP address, orcertain firewall ports being open. Thiscase often occurs if external phonesare to be connected to the systemthrough the internet, such as fortraveling employees or home officeusage.

2. Common Forms of Attacks

2.1 Fraud

Typically, attackers perform a portscan to look for public IP addresses. If,for example, a SIP server is locatedbehind port 5060 and an internalextension is known, a brute forceattack can be used to determine thepassword.

page 1

Modern IP Communication bears risksHow to protect your business telephony from cyber attacks

Voice-over-IP (VoIP) provides many new features over PSTN. However,the interconnection with your IT infrastructure also carries risksaffecting the security and integrity of your IP services. As IT networksare targeted by attackers, insufficient prevention can endanger notonly the network but your telecommunication infrastructure that isbuild on top of it. This paper aims to educate you about possible risks,common attacks and how to prevent them from being successful.

Page 2: Askozia VoIP Security white paper - 2017, English

Another possibility is the use ofpublicly available third-party SIP-proxies or gateways. Also, servicesmay be used illegally by means ofidentity spoofing. If an attacker usesthe highjacked system for overseacalls, victims may face high costs. Forexample, calls may be routed throughPSTN instead of the IP network, orexpensive service numbers andhotlines may be called. If a servergets hijacked, call credits may be soldto third parties.

Identity spoofing affects SIP but alsoother communication protocols. It canbe done by simply having the victim'sphone displaying another identity,but also by manipulating registrationor by man-in-the-middle attacks. Inthe latter case, incoming calls for thevictim are forwarded to IP devices ofthe attacker. Stealing registrationinformation can provide attackerswith passwords in order to act as avalid user. This can be done indifferent ways, such as througheavesdropping or faking identity andasking the victim for the registrationinformation. Attackers may aim forcall recordings, call detail records, orfurther data misuse for fraud or spam.

2.2 Eavesdropping

Contrary to ISDN and analogtelephony, eavesdropping of IP phonecalls is much easier. As for networkconvergence, separate access tophysical phone lines or specialequipment are no longer required.Many programs are available onlinethat allow eavesdropping of VoIPcalls. User names and passwords canbe spied out, but also habits andpatterns in the way the victimcommunicates and both social andbusiness contacts. A commonapproach is a man-in-the-middleattack, where an attacker acts as aproxy between communicatingparties and can listen to or evenmanipulate all of the communication,even for encrypted SSL or SSHconnections.

The address resolution protocol (ARP)is used to map IP network addresses

to the hardware addresses used by adata link protocol. ARP-Poisoning canonly be used in LAN, but is mostefficient and dangerous. Connectionsget redirected transparently and canonly be detected by stations in thesame subnet. In order to listen toconnections outside your own LAN, aserver is usually simulated and thetraffic is routed there by means ofspurious DNS information. If theconnection needs to be redirected, thisserver then works as a proxy. It canalso be set as a target server.

Alternatively, it is possible to highjackstandard gateways and eavesdrop thedata traffic. These gatewaysintroduced to victims by means ofDHCP spoofing. DHCP stands forDynamic Host Configuration Protocol.DHCP allows to automatically acquaintcomputer systems with a networkconfiguration. By means of DHCPspoofing, victims receive forged DHCPresponses for the standard gatewayand DNS server. This allows anattacker to eavesdrop or manipulateall data packets that are being sentoutwards of the subnet, but also toforge responses to DNS requests.

Another approach is infrastructurehijacking. Potential targets includeservers, IP phones or other networkdevices. Attackers may gain access toIP devices by means of weakauthentication mechanisms andguessed or stolen passwords, or viasecurity gaps in corrupted serverservices. In case of a hijacked server,the attacker may at least protocol theconnection, but may also eavesdropcalls, or redirect them to record themor act as the actually requested callee.

2.3 Denial-of-Service

Denial-of-Service (DoS) stands for theunavailability of a service and can beprovoked in a number of ways. DoSattacks aim to create malfunction ofsystem operations. In worst case, asystem may become completelyinoperative.

As attackers want to remainunidentified, they usually indicate a

page 2

Page 3: Askozia VoIP Security white paper - 2017, English

faked return address. This approach isnamed IP spoofing. For DoS attack onlower network layers, mostly onlyrequests have to be send without theneed of a response. IP spoofing canalso be used to overload the victimwith response packets.

2.4 Spam Over Internet Telephony

The fusion of IP telephony andcomputer networks increases SPAMover internet telephony (SPIT),whereby IP phone systems gethijacked and misused to spread SPAMphone calls. As with e-mail SPAM,back-tracing is very difficult as actualoriginators can not be clearlyidentified. In order to stay hidden,attackers may use identity spoofingand bot networks formed by multiplehijacked devices. Another possible

approach to spread SPIT is theinsertion of forged RTP packets.

Despite the similarity to SPAM,opposing SPIT is much more difficult.As for e-mails, a pre-classification maylikely be unreliable. A content filtermay require too many resources andact too late during a phone call as thecallee has already been bothered. Acontent filter may still be of help forrecorded voicemail messages on amailbox.

If a hacker controls an IP device, hecan access the network and theservices it offers. Hijacked systemscan be misused as bots for SPIT or forattacks on other users. Victims oftencan trace back the trail only to thehijacked server but not the actualattacker.

3. Security measures

In this section, we are going to take alook at security measures. Werecommend to implement as many ofthese as possible to secure your IPnetwork and telephony at best.

Generally, a company guideline shouldbe defined and strictly implemented toguarantee network safety. Thisguideline should cover the followingmeasures and be regularly reviewedand updated.

fig.: common threats for IP telephony

page 3

Denial ofServiceEavesdropping

SPIT

Toll Fraud

Man-in-the-Middle Attack

Flooding

InfrastructureHijacking

InfrastructureHighjacking

High Phone BillIdentity Highjacking

Brute ForceAttack

ARP Poisining

Bot Net

IP-Spoofing

Page 4: Askozia VoIP Security white paper - 2017, English

Securing the IP PBX alone, is notsufficient to prevent it from beingattacked though. All relevant networkcomponents need to be secured.PBXs and terminal devices need to beprotected, even if the PBX is notdirectly connected to the internet, asan attack on any other networkcomponent may still be a threat to thePBX.

3.1 Secure Passwords

For increased protection against allattacks, long and secure passwordsare required. Instead of names,birthdays, or entire words, securepasswords need to contain letters,numbers, and special characters. Ifusers still use simple passwords, theadministrator should consequentlyenforce secure passwords, eitherthrough strict guidelines or byassigning passwords to every user.AskoziaPBX automatically generates asecure password for each newlycreated phone account.

3.2 Firewall

A packet filter included in a corporatenetwork firewall can filter theincoming and outgoing data traffic.This increases network protectionfrom attackers as well as unwantedoutgoing data packets, for example toavoid network devices being misusedas parts of a bot network.

AskoziaPBX has an internal firewall. Inaddition to the network firewallproviding basic security, this internalfirewall should also be activated. Thisinternal firewall only providesprotection for the PBX, but does notreplace a network firewall. Thenetwork firewall performs an addresstranslation (NAT). Therefore, only theserver and address range of the ISPcan communicate with the PBXthrough the internet. This optionprovides much more security thanchanging SIP ports. If a server or PBXis running on a public IP address, it isonly a matter of time until thechanged SIP port is found.

3.3 Fail2Ban

As part of Askozia's internal firewall,Fail2Ban can be activated as ameasure against brute-force attacks.IP addresses are blocked if theyrepeatedly attempt to log in withincorrect passwords within a timewindow specified by the administrator.To prevent attackers from guessing aninternal number, AskoziaPBX also usesthe option alwaysauthreject = yes.Answers to requests are always thesame, regardless of whether theusername is correct or not.

3.4 Avoid Port Forwarding

We strongly recommend to avoid portforwarding, as well as DMZs(demilitarized zones) and hosting onhome routers. Instead, access toexternal devices should beimplemented through virtual privatenetworks (VPNs). If at all, portforwarding should only beimplemented with a most securepassword and active Fail2Ban.

3.5 Call Rights

Limiting call rights should be takeninto account, as it may protect bothagainst abuse by internal users andfrom outside attacks. In AskoziaPBX,restrictive dial patterns can be definedto prevent calls to countries thatnormally should not be called. At thesame time, calls to national phonenumbers with high charges should beblocked. Sometimes not all threats canbe prevented, for example in case ofregular international calls. In that case,at least the number of calls or the callduration should be limited. If thesethresholds are exceeded and an attackis considered to be likely, calls can beblocked completely. A furtherprecaution could be a VoIP prepaidcredit to limit the impact of asuccessful attack.

3.6 Separating Telephony and Data

NGN ports (Next Generation Network)for dedicated VoIP lines are alreadyoffered by various ISPs. Also, data andtelephony networks should be

page 4

Page 5: Askozia VoIP Security white paper - 2017, English

separated by means of virtual localnetworks (VLAN). A VLAN is a logicalsubnet within a switch or network.Within a network, a VLAN may expandacross several switches. Physicalnetworks are separated into subnetsand VLAN-capable switches assurethat data packets are not transferredinto other subnets.

3.7 SIP Proxy

Considering the costs, it may makesense for larger installations to use anexternal server as SIP proxy forincoming calls. A proxy server acts asmiddleman, that receives requests ofone party, and establishes a connectsto another party through its own IPaddress.

3.8 Encryption

Encryption between IP PBX andphones based on Secure SIP (SIPS)und Secure RTP (SRTP) can preventcalls from being eavesdropped. InAskoziaPBX, required certificates canbe created or uploaded in the settingsfor secure calling.

3.9 Blacklist and Whitelist

To further prevent potential threats,certain numbers can be blocked oraccepted. In the extended providersettings of AskoziaPBX, blacklistsallow to block certain numbers fromcalling through this provider. In thefirewall settings of AskoziaPBX, thewhitelist allows to add certainnumbers as exceptions for Fail2Ban.

3.10 Access Privileges

To further increase security, onlyrequired devices should be permittedaccess to the network. Unuseddevices should be disconnected.Furthermore, access rights shouldonly be assigned to specific users andonly as far as actually necessary. InAskoziaPBX, client user interfaceslimit user access to certain settings.This way, only the systemadministrator has access to the wholePBX and sensitive settings in terms ofsecurity.

3.11 System Hardening

To prevent attacks on your networkinfrastructure, all network devicesshould always be updated to latestsoftware version available andsecurity updates should be realized asquickly as possible. Beside your IPphone system, this also counts for IPphones, routers, switches, firewalls,and all other network devices. Unusedservices should be deactivated.

3.12 High Availability

If there is an attack and an attackersuccessfully forced the phone systemto fail, you should have a plan B. Thiscan be high availability (HA) andshould particularly be realized bycompanies with high call loads. Theidea is to provide a second phonesystem with the same configuration inorder to quickly replace a failed PBX.

4. Summary

IT and VoIP security can not beseparated. To prevent your networkand telephony infrastructure frombeing hijacked, as many securitymeasures as possible need to beimplemented. Where complete safetycan not be guaranteed, thesemeasures help to strongly minimizethe risk of a successful attack. Regularreviews and updating, both yournetwork and IP telephonyinfrastructure as well as your securityguidelines is a key to keep yourbusiness save. If your business doesnot have the required know-how, aspecialized network security companycan help you through the process.Investing in security is definitely aworthwhile investment.

page 5

Page 6: Askozia VoIP Security white paper - 2017, English

page 6

All solutions can be used on-site or inthe cloud, with IP phones of yourchoice and can be configured andmanaged through the most intuitiveuser interface. No matter if you havequestions regarding the installation,configuration or operation ofAskoziaPBX, our support team hasyour back and offers you conditionswell-matched with your businessneeds.

Learn more about how Askozia canboost your business at askozia.com

About Askozia

Askozia started out in 2006 bydeveloping AskoziaPBX, a highlyintuitive telephone system firmwarefor embedded appliances. Over theyears, Askozia has evolved into aninternational developer of realtime IPcommunication technologies and PBXsoftware for service providers, SMBsand system integrators worldwide.

Askozia uses open standards forinteroperability and no proprietarylock-in. The pricing is fair andexcludes licenses limiting thenumbers of users, phones or phonelines.


White Paper: VoIP In A Broadband Access Networkjakab/edu/litr/NGN/VoIP/metaswitch_voip_pwp.pdf · The term “Voice over IP” (VoIP) describes the transport of voice over IP based

White Paper: VoIP In A Broadband Access Networkjakab/edu/litr/NGN/VoIP/metaswitch_voip_pwp.pdf · The term “Voice over IP” (VoIP) describes the transport of voice over IP based

Documents
05 PBX Security in the VoIP environment - white paper 14 03 13 _2_

05 PBX Security in the VoIP environment - white paper 14 03 13 _2_

Documents
Askozia 19" Telephony Server V2 - Webinar 2016, deutsch

Askozia 19" Telephony Server V2 - Webinar 2016, deutsch

Technology
Seguridad en Redes Convergentes: Seguridad en Voz sobre IP (VoIP). White Hack 2004

Seguridad en Redes Convergentes: Seguridad en Voz sobre IP (VoIP). White Hack 2004

Technology
Allworx VoIP White Paper

Allworx VoIP White Paper

Documents
Monitoring and Managing Voice over Internet Protocol (VoIP) · Network Instruments White Paper Monitoring and Managing Voice over Internet Protocol (VoIP) As with most new technologies,

Monitoring and Managing Voice over Internet Protocol (VoIP) · Network Instruments White Paper Monitoring and Managing Voice over Internet Protocol (VoIP) As with most new technologies,

Documents
Your Guide to Troubleshooting VoIP - VIAVI Solutions · Your Guide to Troubleshooting VoIP ... This white paper guides you through the essentials of VoIP troubleshooting, ... MPLS

Your Guide to Troubleshooting VoIP - VIAVI Solutions · Your Guide to Troubleshooting VoIP ... This white paper guides you through the essentials of VoIP troubleshooting, ... MPLS

Documents
Askozia PBX - brochure 2015, English

Askozia PBX - brochure 2015, English

Business
Wholesale rates with incremet 1 Wholesales voip services |White … · 2019. 2. 6. · Wholesales voip services |White lebel Resellers | VoIP Provider Tel.: +30 215 0000 215 | | info@sipon.eu

Wholesale rates with incremet 1 Wholesales voip services |White … · 2019. 2. 6. · Wholesales voip services |White lebel Resellers | VoIP Provider Tel.: +30 215 0000 215 | | [email protected]

Documents
Allworx VoIP White Paper June 2005 VoIP Tutorial.pdf6/13/05 • Page 5 Allworx VoIP White Paper Allworx VoIP Features The Allworx 10x server is a sophisticated VoIP PBX and gateway

Allworx VoIP White Paper June 2005 VoIP Tutorial.pdf6/13/05 • Page 5 Allworx VoIP White Paper Allworx VoIP Features The Allworx 10x server is a sophisticated VoIP PBX and gateway

Documents
Introduction - what is Askozia?

Introduction - what is Askozia?

Business
VoIP acceptance, VoIP connectivi ty, VoIP conformance ...albedotelecom.com/src/lib/BR-VoIP-Lab.pdf · VoIP_LAB_SPA (C) ALBEDO TELECOM - 2009 VoIP acceptance, VoIP connectivi ty, VoIP

VoIP acceptance, VoIP connectivi ty, VoIP conformance ...albedotelecom.com/src/lib/BR-VoIP-Lab.pdf · VoIP_LAB_SPA (C) ALBEDO TELECOM - 2009 VoIP acceptance, VoIP connectivi ty, VoIP

Documents
Askozia Telefonanlage: Fallstudie einer DECT-Installation

Askozia Telefonanlage: Fallstudie einer DECT-Installation

Technology
White Label Hosted VoIP Platform for Resellers and Service

White Label Hosted VoIP Platform for Resellers and Service

Documents
Askozia 19" Telephony Server v2 - flyer 2015, English

Askozia 19" Telephony Server v2 - flyer 2015, English

Technology
EOS VoIP White Paper

EOS VoIP White Paper

Documents
How to Install Askozia

How to Install Askozia

Documents
VoIP White Paper - SatLabssatlabs.org/pdf/VoIP_over_DVB-RCS_by_NERA.pdf · A Radio Resource and QoS Perspective ... 2.3 Techniques for achieving better BW efficiency ... VoIP White

VoIP White Paper - SatLabssatlabs.org/pdf/VoIP_over_DVB-RCS_by_NERA.pdf · A Radio Resource and QoS Perspective ... 2.3 Techniques for achieving better BW efficiency ... VoIP White

Documents
Cloud VOIP Deployment White Paper 2011 · 2011. 10. 21. · Source: Gartner (March 2011) Crexendo Cloud VOIP Deployment White Paper. Crexendo Cloud VoIP services are SaaS-based deployments

Cloud VOIP Deployment White Paper 2011 · 2011. 10. 21. · Source: Gartner (March 2011) Crexendo Cloud VOIP Deployment White Paper. Crexendo Cloud VoIP services are SaaS-based deployments

Documents
WHITE PAPER: VoIP Service Provider Compliance with Communications Taxes … ·  · 2014-06-16WHITE PAPER: VoIP Service Provider Compliance with Communications Taxes and Regulatory

WHITE PAPER: VoIP Service Provider Compliance with Communications Taxes … ·  · 2014-06-16WHITE PAPER: VoIP Service Provider Compliance with Communications Taxes and Regulatory

Documents
Askozia All-IP White Paper - 2016, deutsch

Askozia All-IP White Paper - 2016, deutsch

Technology
Askozia Desktop Telephony Server - Handzettel 2016, deutsch

Askozia Desktop Telephony Server - Handzettel 2016, deutsch

Technology
Askozia 19" Telephony Server v2 - webinar 2016, English

Askozia 19" Telephony Server v2 - webinar 2016, English

Technology
Askozia PBX - Broschüre 2015, deutsch

Askozia PBX - Broschüre 2015, deutsch

Business
VoIP White Paper

VoIP White Paper

Documents
VocalTec VOIP Virtual Private Network White Paper · VocalTec VOIP Virtual Private Network White Paper Release 1.4 January 2001. VocalTec Communications VocalTec - VPN White Paper

VocalTec VOIP Virtual Private Network White Paper · VocalTec VOIP Virtual Private Network White Paper Release 1.4 January 2001. VocalTec Communications VocalTec - VPN White Paper

Documents
White paper - Recursos VoIP

White paper - Recursos VoIP

Documents
White Paper: Using LiveAction Software for Successful VoIP Deployments

White Paper: Using LiveAction Software for Successful VoIP Deployments

Documents
Askozia y snom presentan su solución integrada

Askozia y snom presentan su solución integrada

Sales
Askozia und Baudisch Intercom - Webinar 2015, deutsch

Askozia und Baudisch Intercom - Webinar 2015, deutsch

Technology