Enterprise VoIP Security Threats
Agenda:
• Introduction
• Why worry?
• What do we need to look at?
• What have I seen in the past?
• What can I do to be prepared?
• Questions & Discussion
Introduction
VoIP = Voice + IP
Simple Equation for VoIP Security:
Total Risk = Current Infrastructure Risks + VoIP-specific Risks
VoIP rides on the existing IP network, so it inherits every weakness already there. Too many companies haven’t cleaned up their current infrastructure before adding voice to it.
Challenges Along The Way
• Relatively new technology (at least its adoption is new)
• Often implemented by the voice team, not the data team
• Product manuals (“man” pages) often exceed 500 pages per component, and each implementation can have ten or more systems
• Implementations usually slide from trial to production without any security review
Traditional Risk Assessment
• Identify assets
• Classify and prioritize assets
• Identify vulnerabilities, controls, and threats (including likelihood and impact)
• Measure risk
• Mitigate risk
• Monitor
• Do it again
VoIP Security Assessments
Same process, completed with a different group of assets, threats, vulnerabilities, and controls.
Readiness review:
• Review the current infrastructure prior to VoIP deployment
• Allows mitigation of identified risks concurrent with VoIP planning, design, and the pilot program
• Must hold full-scale deployment until all identified risks are mitigated
When To Add Security?
Do we add security at Planning, Design, Pilot, Roll-Out, or the Regular Risk Assessment? Start at the RFI/RFQ stage, and keep security involved from there on:
• Make security part of your requirements, so the solution is shown to meet them before you buy the equipment.
• Security can support the planning and design phase and make recommendations before decisions are finalized.
• Security can perform a risk assessment of the design, infrastructure, and configuration prior to the pilot program.
• Security can monitor and continually assess the pilot infrastructure and configuration.
• Security can mitigate the risks before the deployment.
What Do We Need To Review?
IP Infrastructure:
• VLAN configuration
• Firewall configurations
• Existing policies, procedures, standards, and practices
• IDS/IPS
• Incident Response
• Configuration Management, Change Management, Business Continuity Planning, Commissioning and Decommissioning, and other programs
What Else Do We Need To Review?
VoIP Infrastructure:
• Are the security features enabled? Are they tested in all scenarios?
• IPSec enabled?
• QoS measured? Are latency and jitter consistent in the production environment?
Firewalls:
• Where: PSTN interfaces, and the points where data and IP voice segments intersect
• What types? What traffic? Reviews? Pinholing?
• NAT effects and capacity
Experiences from the Trenches
Poor management (storage and transmission) of the encryption keys
Random responses to invalidly formatted or excessive packet transmissions
Security mechanisms susceptible to “bidding-down” attacks
Firewalls that require just a bit of “tuning” to disable that service that isn’t required or the ports that can be closed
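The “bidding-down” attack in the list above, made concrete as an added example that is not part of the original slides: a small Python checker that compares the SDP offer carried in a SIP INVITE with the SDP answer in the 200 OK. If the offer asked for the secure RTP profile (RTP/SAVP with an a=crypto key) and the answer comes back on plain RTP/AVP, a permissive endpoint has let itself be talked down to cleartext media even though AES was “enabled”; the same check also flags an SAVP answer that carries no key at all. The SIP messages, addresses, and key material are constructed samples, not captures from any real system.

```python
"""Flag an SRTP -> RTP "bidding-down" in a SIP offer/answer exchange (added example)."""

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}


def parse_sip(msg):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_streams(sdp):
    """One dict per m= line: media type, port, transport profile and its a=crypto lines."""
    streams = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            streams.append({"media": media, "port": int(port), "proto": proto, "crypto": []})
        elif line.startswith("a=crypto:") and streams:
            streams[-1]["crypto"].append(line[len("a=crypto:"):])
    return streams


def detect_downgrade(offer_msg, answer_msg):
    """Compare the SDP in an offer with the SDP in its answer; return a list of findings."""
    _, _, offer_sdp = parse_sip(offer_msg)
    _, _, answer_sdp = parse_sip(answer_msg)
    findings = []
    # Per the offer/answer model the i-th m= line of the answer matches the i-th of the offer.
    for idx, (off, ans) in enumerate(zip(media_streams(offer_sdp), media_streams(answer_sdp))):
        if ans["port"] == 0:
            continue  # stream rejected by the answerer; no media flows
        if off["proto"] in SECURE_PROFILES and ans["proto"] not in SECURE_PROFILES:
            findings.append(f"m-line {idx} ({off['media']}): offered {off['proto']} "
                            f"but answered {ans['proto']} -> cleartext media")
        if ans["proto"] in SECURE_PROFILES and not ans["crypto"]:
            findings.append(f"m-line {idx} ({ans['media']}): {ans['proto']} answered "
                            f"without an a=crypto key")
    return findings


# Constructed sample exchange (hypothetical hosts and key; not a real capture).
SIP_HEADERS = (
    "Via: SIP/2.0/UDP 10.0.5.21:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:bob@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.0.5.21\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
)
SDP_HEAD = "v=0\r\no=- 2890844526 2890844526 IN IP4 10.0.5.21\r\ns=-\r\nc=IN IP4 10.0.5.21\r\nt=0 0\r\n"
CRYPTO = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj|2^20|1:32\r\n"

OFFER = ("INVITE sip:bob@pbx.example.com SIP/2.0\r\n" + SIP_HEADERS + "\r\n"
         + SDP_HEAD + "m=audio 49170 RTP/SAVP 0 8\r\n" + CRYPTO)
DOWNGRADED_ANSWER = ("SIP/2.0 200 OK\r\n" + SIP_HEADERS + "\r\n"
                     + SDP_HEAD + "m=audio 50010 RTP/AVP 0\r\n")
SECURE_ANSWER = ("SIP/2.0 200 OK\r\n" + SIP_HEADERS + "\r\n"
                 + SDP_HEAD + "m=audio 50010 RTP/SAVP 0\r\n" + CRYPTO)

if __name__ == "__main__":
    print("downgraded:", detect_downgrade(OFFER, DOWNGRADED_ANSWER))
    print("secure:    ", detect_downgrade(OFFER, SECURE_ANSWER) or "no findings")
```

A standards-conforming answerer keeps the transport profile of the offer and rejects the stream (or the whole INVITE with a 488) if it cannot do SRTP; the phones and gateways that matter here are the ones that quietly accept the AVP answer, or re-offer AVP after a 488. Run the checker over the INVITE/200 OK pairs from a pilot capture rather than trusting the “SRTP: enabled” checkbox.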
Experiences from the Trenches
Default administration accounts
Ineffective encryption (It may be AES, but not in use at key points)
Web-Server interfaces (It may be easier for the admin as well as the bad-guys!)
DHCP and TFTP Server Spoofing and Insertion Attacks
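The DHCP and TFTP spoofing item above, as an added example that is not from the original slides: IP phones take the address of their configuration server from the DHCP lease (option 66 “TFTP server name”, option 150 “TFTP server address”, or the siaddr “next server” field) and then fetch their configuration over unauthenticated TFTP, so whoever answers DHCP first, or spoofs those options, picks the phone’s config server. The Python below builds minimal DHCP OFFER packets as constructed test data, parses the option field, and flags any lease whose server identifier or config-server pointers are not on an allowlist. The allowlists and addresses are hypothetical.

```python
"""Check a DHCP OFFER for rogue DHCP / TFTP servers, as a VoIP phone would see it (added example)."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_TFTP_NAME, OPT_TFTP_ADDRS, OPT_END = 53, 54, 66, 150, 255


def build_dhcp_offer(yiaddr, server_id, siaddr="0.0.0.0", tftp_name=None, tftp_addrs=()):
    """Build a minimal BOOTP/DHCP OFFER (constructed test data, not a capture)."""
    pkt = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)  # BOOTREPLY, Ethernet, xid, secs, flags
    pkt += ipaddress.IPv4Address("0.0.0.0").packed       # ciaddr
    pkt += ipaddress.IPv4Address(yiaddr).packed          # yiaddr: offered address
    pkt += ipaddress.IPv4Address(siaddr).packed          # siaddr: "next server" (boot/TFTP)
    pkt += b"\x00" * 4                                   # giaddr
    pkt += bytes.fromhex("001122334455") + b"\x00" * 10  # chaddr (16 bytes)
    pkt += b"\x00" * 64 + b"\x00" * 128                  # sname, file
    pkt += MAGIC_COOKIE
    pkt += bytes([OPT_MSG_TYPE, 1, 2])                   # DHCPOFFER
    pkt += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    if tftp_name:
        name = tftp_name.encode()
        pkt += bytes([OPT_TFTP_NAME, len(name)]) + name
    if tftp_addrs:
        data = b"".join(ipaddress.IPv4Address(a).packed for a in tftp_addrs)
        pkt += bytes([OPT_TFTP_ADDRS, len(data)]) + data
    return pkt + bytes([OPT_END])


def parse_dhcp(pkt):
    """Return (siaddr, {option code: [raw values]}) from a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    siaddr = str(ipaddress.IPv4Address(pkt[20:24]))
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:          # pad option, no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts.setdefault(code, []).append(pkt[i + 2:i + 2 + length])
        i += 2 + length
    return siaddr, opts


def check_offer(pkt, trusted_dhcp, trusted_tftp):
    """Findings for every server the lease points the phone at that is not on an allowlist."""
    siaddr, opts = parse_dhcp(pkt)
    findings = []
    server_id = (str(ipaddress.IPv4Address(opts[OPT_SERVER_ID][0]))
                 if OPT_SERVER_ID in opts else None)
    if server_id not in trusted_dhcp:
        findings.append(f"rogue DHCP server: option 54 = {server_id}")
    config_servers = set()
    if siaddr != "0.0.0.0":
        config_servers.add(siaddr)
    for raw in opts.get(OPT_TFTP_NAME, []):
        config_servers.add(raw.decode(errors="replace"))
    for raw in opts.get(OPT_TFTP_ADDRS, []):          # option 150 may list several addresses
        for off in range(0, len(raw) - len(raw) % 4, 4):
            config_servers.add(str(ipaddress.IPv4Address(raw[off:off + 4])))
    for srv in sorted(config_servers):
        if srv not in trusted_tftp:
            findings.append(f"untrusted config/TFTP server: {srv}")
    return findings


# Hypothetical allowlists and leases for the voice VLAN.
TRUSTED_DHCP = {"10.0.0.2"}
TRUSTED_TFTP = {"10.0.0.10", "tftp.voice.example.com"}
LEGIT_OFFER = build_dhcp_offer("10.0.5.77", "10.0.0.2",
                               tftp_name="tftp.voice.example.com", tftp_addrs=["10.0.0.10"])
ROGUE_OFFER = build_dhcp_offer("10.0.5.77", "10.0.5.99", siaddr="10.0.5.99", tftp_addrs=["10.0.5.99"])

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(label, check_offer(pkt, TRUSTED_DHCP, TRUSTED_TFTP) or ["ok"])
```

The same check can be run against real OFFERs captured on the voice VLAN during the pilot; a finding there means the network is missing DHCP snooping on the access switches or an attacker already has a foothold in the phone segment.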
What’s In Your Toolbox?
In order to perform a technical review, you’ll need some tools:
• Sniffers & analyzers, VoIP-specific or generic
• Injectors
• Vulnerability scanners and assessment tools: vendor tools, proprietary tools, SiVus
And some important documents from the ITU, NIST, ETSI, and most importantly, the equipment vendors!
Additional Resources
• National Institute of Standards and Technology, SP 800-58, Security Considerations for Voice Over IP Systems: http://csrc.nist.gov/publications/nistpubs/
• SiVus at VoP Security: http://www.vopsecurity.org/
• IETF/ITU documents
• ETSI TIPHON documents
• Miscellaneous vendor documentation and white papers
Anything Else?
Lucent Technologies, Bell Labs Innovations
George G. McBride
Managing Principal, Lucent Worldwide Services
Lucent Technologies Inc.
Room 2N-611G, 101 Crawfords Corner Road, Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]
Please contact me with any questions, comments, complaints, or new developments.