Embed Size (px)
DESCRIPTION
Citation preview
15 April 2008
IP Telephony Security: Deploying Secure IP Telephony in the
aspect of Network infrastructure
The objective is to integrate IP telephony and traditional data services onto a shared network infrastructure without compromising the security of either service. Protective
mechanisms against all types of attacks must be applied in a holistic manner throughout the enterprise network.
15 April 2008
IP Telephony Security: Deploying Secure IP Telephony in the
aspect of Network infrastructure
Prepared by :
Maheen mehnaz
ID # 071-618-056
Ete ~ 605
Section ~ 02
Prepared for :
Dr. Mashiur Rahman
NNoorr tthh SSoouu tthh UUnn iivveerr ssiittyy
IP Telephony Security
I
Abstract This paper provides best-practice information to interested parties for designing and implementing secure IP telephony networks. Many enterprises, whether large or small, are now considering implementation of IP Telephony systems and services in their networks. What has been a separate circuit switched telephony network on its own, is with the advent of IP Telephony suddenly a part of the IT and IP infrastructure, available and manageable as virtually any other application within that framework. Questions then arise whether telephony is as secure as it was when it was a technology and network on its own, or if even IP Telephony may compromise the integrity and availability of other applications, especially if IP Telephony becomes integrated with these other applications. And one has to also consider the impact of IP Telephony calls originating from an external IP network.
This document has the purpose to clarify the issues mentioned above and provides an outline for the measures, which need to be taken in order to securely implement IP Telephony in enterprise networks. As we will see, already today there are technologies and products available that can be installed and used to secure the usage of IP Telephony as well as other related applications.
IP Telephony Security
April 15, 2008
1
Contents Introduction ........................................................................................................................... 2Section: 1 ............................................................................................................................... 2Identifying and Understanding the Risks .............................................................................. 2Threats in voice over IP (VoIP)............................................................................................. 2Section: 2 ............................................................................................................................... 3Attacks against the IP Telephony Network ........................................................................... 3
Packet Sniffers/Call Interception....................................................................................... 3Virus and Trojan-Horse Applications ............................................................................... 3
Toll Fraud .............................................................................................................................. 3IP Spoofing............................................................................................................................ 3Denial of Service ................................................................................................................... 3Application Layer Attacks..................................................................................................... 4Section: 3 ............................................................................................................................... 4Security Solutions of IP Telephony....................................................................................... 4
Encryption ..................................................................................................................... 4Section: 4 ............................................................................................................................... 6
Designing Guidelines for Small IP Telephony system ..................................................... 7Section: 5 ............................................................................................................................... 9 Defining a Security Framework ..8 Section: 6 ............................................................................................................................. 10
IP Telephony Security
April 15, 2008
2
Introduction
As voice over IP (VoIP) installations increasingly evolve from PBX trunking over private data networks to IP telephony (IPT)-based it becomes increasingly important to recognize and address associated security issues. The risk and threat to enterprises deploying IP telephony are very real, and although few incidents have been reported in public, these are expected to increase in number as IP telephony deployments increase in number and size.
To mitigate these threats appropriately, the actual risks must be identified and mapped to a security framework. This framework can then be used to establish security requirements for the products used to obtain an appropriate level of security for the IPT solution. However, since IP telephony is a service that enables direct communication between end-user IP phones throughout an enterprise, it is critical that security measures allow this type of peer-to-peer traffic flow while protecting the telephony service.
Section: 1 Identifying and Understanding the Risks
IP telephony is still a young technology with rapidly evolving products, and the initial focus typically is on issues other than security, such as telephony-grade reliability, voice quality, and telephony features. General security risks can be grouped into the four areas:
1. Interception and impersonation of IPT sessions invading privacy or tampering with information 2. Intrusion of other network services facilitated by the IPT implementation 3. Non-authorized or fraudulent use of IPT equipment 4. Malicious degradation of voice service (denial-of-service, virus, and hacker attacks)
Threats in voice over IP (VoIP)
Threats associated with VoIP are narrowed into the following categories:
Service disruption and annoyance The attempt to disrupt the VoIP service, including management, provisioning, access, and operations. Attacks in this category can affect any network element that supports the VoIP service, including routers, DNS servers, SIP proxies, session border controllers, and so on.
Eavesdropping and traffic analysis The attack aims to extract verbal or textual (for example, credit card number or pin) content from a conversation or analyze communications between parties to establish communication patterns, which can later be used to support other attacks.
Masquerading and impersonation In this category, targets include users, end user devices, and network elements and can be realized by manipulating the signaling or media streams remotely or through unauthorized access to VoIP components (for example, signaling gateways, the SIP registrar, or DNS servers). For example, if a telecommunications provider is using only caller ID information
IP Telephony Security
April 15, 2008
3
to authenticate subscribers to their voice mailboxes, it is possible for an attacker to spoof caller ID information to gain access to a user s voice mailbox.
Unauthorized access The difference between masquerading and unauthorized access is that the attacker does not need to impersonate another user or network element, but rather can gain direct access using a vulnerability such as a buffer overflow, default configuration, and poor signaling or network access controls.
Fraud Fraud can be realized by manipulating the signaling messages or the configuration of VoIP components, including the billing systems.
Section: 2 Attacks against the IP Telephony Network
Packet Sniffers/Call Interception A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a particular collision domain. Sniffers are used legitimately in networks today to aid in troubleshooting and traffic analysis.
Virus and Trojan-Horse Applications The primary vulnerabilities for end-user workstations are viruses and Trojan horse attacks. Viruses refer to malicious software that is attached to another program to execute a particular unwanted function on a user's workstation.
Toll Fraud This attack constitutes theft of service, namely phone calls. There are numerous methods the hacker could use to accomplish this task. In its basic case toll fraud includes an unauthorized user accessing an unattended IP phone to place calls. A more complex attack might include placing a rogue IP phone or gateway on the network to place unauthorized calls.
IP Spoofing An IP spoofing attack occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer. A hacker can do this in one of two ways. The hacker uses either an IP address that is within the range of trusted IP addresses for a network or an authorized external IP address that is trusted.
Denial of Service Certainly the most publicized form of attack, denial of service (DoS) attacks are also among the most difficult to completely eliminate. Even among the hacker community, DoS attacks are regarded as trivial and considered bad form because they require so little effort to execute. These attacks include the following:
TCP SYN Flood Ping of Death UDP fragment flood
IP Telephony Security
April 15, 2008
4
ICMP fragment flood If not properly mitigated, all of these sample DoS attacks could render a voice segment unusable.
Application Layer Attacks Application layer attacks can be implemented using several different methods. One of the most common methods is exploiting well-known weaknesses in software that are commonly found on servers, such as send mail, HTTP, and FTP. By exploiting these weaknesses, hackers can gain access to a computer with the permissions of the account running the application.
Section: 3 Security Solutions of IP Telephony
Encryption S/MIME (Secure/Multipurpose Internet Mail Extensions). Provides a way to send and
receive secure MIME data. Based on the MIME standard, S/MIME provides the following cryptographic security services for electronic messaging applications: authentication, message integrity and non-repudiation of origin (using digital signatures) and privacy and data security (using encryption) and by hop-by-hop
SIPS (requires Transport Layer Security, TLS, on whole signaling path). A client/server protocol that allows peers to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery
Key exchange done using MIKEY (Multimedia Internet KEYing). A key management scheme that can be used for real-time applications (both for peer-to-peer communication and group communication) supporting SRTP
Denial of service (DoS) attacks DoS against SIP (over UDP). ICMP Error Message (Port Unreachable, Protocol
Unreachable, Network Unreachable) sent to the target where a caller is sending SIP (over UDP) messages
Using SIP CANCEL message. Preventing UAs from making and receiving calls and making UAs drop the call and using SIP BYE message
DoS attacks Example Preventing SIP Client-A from making call
IP Telephony Security
April 15, 2008
5
The attacker messages cancel a pending request with same Call-ID,TO, From Cseq fields SIP Client-A drops the call just initiated
Call Hijacking
After INVITE message, a 301 Moved Permanently message would hijack the call towards whomever the attacker decides (himself of another client)
Identity Theft
Registering address instead of other (if requires authentication might use another type of attack)
IP Telephony Security
April 15, 2008
6
SPAM over Internet Telephony (SPIT)
Same thread as with email (hundreds of calls just with publicity messages, the phone is ringing all day, etc.). Problem increase with respect to traditional telephony
Solutions of SPAM over Internet Telephony (SPIT) Most E-mail filters rely on content analysis. But in voice calls, it is too late to analyze
media for spamming. Voice Spam Detection is difficult Detection in real time before the media arrives Great variety of solution Black lists (worst case) White list (it is ok)
Grey-listing (faulty system that would be preventable)
Section: 4 Designing Secure IP Telephony Solutions
Small IP Telephony Design The small IP telephony design utilizes the small network design. The corporate Internet module has been modified to support voice services including Public Switched Telephone Network (PSTN) access for WAN backup and local calls, and VLANs for data/voice segmentation. The campus has been modified to support IP phones, PC-based IP Phones, proxy services, and VLANs. The entire small business design is shown in here for reference:
Figure 1 Small Network Detailed Model
Voice Threats Mitigated Unauthorized access This type of access is mitigated through filtering at the firewall. Toll fraud Access control limits only known telephony devices from communicating
with one another. Denial of service TCP setup controls limit exposure to the call-processing manager.
IP Telephony Security
April 15, 2008
7
IP spoofing RFC 2827 and 1918 filters are placed at the Internet service provider (ISP) edge and local firewall router.
Designing Guidelines for Small IP Telephony system Designing include routing, NAT, VLAN, voice services, VPN, and stateful firewall. Router setup is the greatest flexibility for the small network because the router supports all the advanced services that may be necessary in today s networks. Firewall must be setup cause:
First, firewalls are generally Ethernet only, requiring some conversion to access PSTN and the WAN. This access would then most likely occur through the use of an additional router.
Second, firewalls in this small scale of a design generally do not support enough interfaces or VLANs to provide segmentation between the Internet edge, public service, data, and voice segments.
Third, for the branch mode of operation, firewalls do not support the same backup voice services for local call processing that routers do in case of head end failure.
Medium IP Telephony Design Medium IP telephony design has been modified to support IP phones, PC-based IP Phones, voice services, proxy services, PSTN for WAN backup and local calls, and VLANs for data/voice segmentation. The entire medium business design is shown here for reference:
Figure 2 Medium Network Detailed Model
Voice Threats Mitigated Packet sniffers/call interception A switched infrastructure limits the effectiveness of
sniffing.
IP Telephony Security
April 15, 2008
8
Virus and Trojan-horse applications Host-based virus scanning prevents most viruses and many Trojan horses.
Unauthorized access This type of access is mitigated through the use of HIDS and application access control.
Application layer attacks Operating systems, davices, and applications are kept up-to-date with the latest security fixes, and most servers are additionally protected by HIDS.
Toll fraud The call-processing manager will not allow unknown phones to be configured.
Denial of service Separation of the voice and data segments significantly reduces the likelihood of an attack.
Large IP Telephony Design Some changes have been made to the design, including:
PC-based IP Phones were added to data segments of the R&D and marketing user groups. An additional voice segment was added for the voice-mail system. PSTN for local calls was added to the edge distribution module. The call-processing segment in the server module was made highly available and front
ended with a pair of stateful firewalls. HIDS was installed on all voice-related services. NIDS was tuned to the correct flows in the voice and related segments.
The entire enterprise design is shown in Figure for reference:
Figure 3 Large Network Detailed Model
Voice Threats Mitigated Packet sniffers/call interception A switched infrastructure limits the effectiveness of
sniffing.
IP Telephony Security
April 15, 2008
9
Virus and Trojan-horse applications Host-based virus scanning prevents most viruses and many Trojan horses.
Unauthorized access This type of access is mitigated through the use of HIDS and application access control.
Caller identity spoofing Arpwatch notifies the administrator of the unknown device. Toll fraud Access control limits only known telephony networks from communicating
with one another.
Section: 5 Defining a Security Framework Two main principles of a security framework are the simplification of design and configuration, and the limitation of exposure. A useful strategy is to divide the actual solution into domains and to limit access rights to each domain depending on functions and associated trust levels within each domain.
Figure 4 Conceptual IP Telephony Security Model
End-User Devices: IP Phone The IP phone is an end-user device that provides voice and call signaling connections, and in some cases, advanced feature support, Web browsing, wireless connectivity, etc.
1. Must authenticate itself to the call control server or a proxy server upon initial registration. 2. Must support strong authentication for any remote configuration or software upgrade.
IP Telephony Security
April 15, 2008
10
3. Should support a configurable access control list to control any incoming traffic (e.g., H.323/SIP, RTP, HTTP, FTP, DHCP). 4. When supporting an additional Ethernet port for PC connectivity, should have this implemented via a switching function combined with VLAN functionality.
IPT Media related server: The Voice Gateway The voice gateway is a network entity that provides media conversion (and in some cases, signaling conversion) between the IP network and the public switched telephone network.
1. Must support strong authentication for any configuration or software upgrades. 2. Provides denial-of-service protection on the IP interface. 3. Should be configured to route calls only via the call control server. 4. Has a server component that should be configured with both virus protection and host-based intrusion detection. 5. Should support a media protocol authentication on a per-packet basis.
IPT Call Control-Related Servers: The Call Control Server It contains all routing, service, and user information, and it can control access to servers containing this information.
1. Is a software entity typically implemented on commercially availably operating systems. All standard security precautions should be taken
turning off all unused services, keeping patching of OS and services up-to-date, and using only the operating system for the call control server. 2. Implemented on secure operating systems (e.g., Linux, Unix) by leading vendors. 3. Should have all user or device access to servers authenticated and authorized. 4. Must support strong authentication for any configuration or software upgrades. 5. Should support application-level, hop-by-hop signaling message authentication. 6. Should support encryption of call setup information.
IPT Operational and Management Access All IPT operational and management access must be restricted and accessed only via strong authentication control.
Section: 6
Conclusion
After all VoIP technology reaches across the globe penetrating all types of markets. In Bangladesh now Call Center(s) are establishing everywhere so security system should be taken as the size of networks and enterprise. It is true that VoIP security is an issue and one that is being addressed. More and more VoIP service providers are looking at ways to provide VoIP security for their customers to remove the vulnerability that exists for security risks.
IP Telephony Security
April 15, 2008
11
Every business regardless of size has concern over keeping their business dealings safe and secure. One of the challenges seen today has to do with computers and hackers. Since VoIP or Voice over IP technology uses the computer to create voice streams, many business owners have questions regarding VoIP security.
Appendix: Architecture Taxonomy
Firewall: Stateful packet-filtering device that maintains state tables for IP-based protocols. Traffic is allowed to cross the firewall only if it conforms to the access-control filters defined, or if it is part of an already established session in the state table. Router: A wide spectrum of flexible network devices, which provide many routing and security services for all performance requirements. Most devices are modular and have a range of LAN and WAN physical interfaces. Host IDS: Host intrusion detection system is a software application that monitors activity on an individual host. Monitoring techniques can include validating operating system and application calls, checking log files, file system information, and network connections. Network IDS: Network intrusion detection system. Typically used in a nondisruptive manner, this device captures traffic on a LAN segment and tries to match the real-time traffic against known attack signatures. Signatures range from atomic (single packet and direction) signatures to composite (multipacket) signatures requiring state tables and Layer 7 application tracking. Application server: Provides application services directly or indirectly for enterprise end users. Services can include workflow, general office, and security applications. Management server: Provides network management services for the operators of enterprise networks. Services can include general configuration management, monitoring of network security devices, and operation of the security functions. Call-process manager: Provides call setup/establishment and customizable user-based configurations; also known as IP PBX.
Voice-mail system: Provides IP-based voice-mail storage and autoattendant. PC-based IP Phone: Any application that has the ability to reside on a user system (for example, desktop) and place calls to other IP telephony systems over the IP network.
IP Telephony Security
April 15, 2008
12
Voice-enabled router: A router as defined previously with the additional capabilities of call processing (as listed previously) and legacy voice systems support (for example, Public Switched Telephone Network [PSTN]).
References
RFC 2543 SIP: Session Initiation Protocol: http://www.cisco.com/warp/public/788/voip/voice_rfcs.html RFC 2705 MGCP: Media Gateway Control Protocol http://www.ietf.org/rfc/rfc2705.txt?number=2705
Partner Product References
Diagram legend
