
Upload: ilene-bradford

Post on 04-Jan-2016


Enterprise VoIP Security Threats

Agenda:

Introduction

Why worry?

What do we need to look at?

What have I seen in the past?

What can I do to be prepared?

Questions & Discussion

Introduction

VoIP = Voice + IP

Simple Equation for VoIP Security:

VoIP Risks = Current Risks + VoIP Risks

Too many companies haven’t cleaned up their current infrastructure

Challenges Along The Way

Relatively new technology (at least adoption is new)

Often implemented by the voice team, not the data team

“man” pages often exceed 500 pages per component. And each implementation can have ten or more systems.

Implementations usually slide from trial to production without any security review

Traditional Risk Assessment

Identify assets

Classify and prioritize assets

Identify vulnerabilities, controls, threats (including likelihood and impact)

Measure risk

Mitigate risk

Monitor

Do it again

VoIP Security Assessments

Same process. Completed with a different group of assets, threats, vulnerabilities, and controls.

Readiness review?

Review the current infrastructure prior to VoIP deployment

Allows mitigation of identified risks concurrent with VoIP planning, design, and pilot program.

• Must hold full-scale deployment until all identified risks are mitigated

When To Add Security?

Do we add security at: Planning/Design/Pilot/Roll-Out/Regular Risk Assessment?

The RFI/RFQ stage (and keeping them around):

• Make security part of your requirements to ensure that the solution can meet your requirements before you buy the equipment.

• Security can support the planning and design phase and make recommendations before decisions are finalized.

• Security can perform a risk assessment of the design, infrastructure, and configuration prior to pilot program.

• Security can monitor and continually assess the pilot infrastructure and configuration.

• Security can mitigate the risks before the deployment.

What Do We Need To Review?

IP Infrastructure:

VLAN Configuration

Firewall configurations

Existing policies, procedures, standards, and practices

IDS/IPS

Incident Response

Configuration Management, Change Management, Business Continuity Planning, Commissioning and Decommissioning, and other programs

What Else Do We Need To Review?

VoIP Infrastructure:

Are the Security features enabled?

• Are they tested in all scenarios?

IPSec enabled?

QoS measured?

• Latency and Jitter consistent in production environment

Firewalls:

• Where: PSTN Interfaces, Data and IP Segment Intersects

• What Types? What Traffic? Reviews? Pinholing?

• NAT effects and capacity

Experiences from the Trenches

Poor management (storage and transmission) of the encryption keys

Random responses to invalidly formatted or excessive packet transmissions

Security mechanisms susceptible to “bidding-down” attacks

Firewalls that require just a bit of “tuning” to disable that service that isn’t required or the ports that can be closed

Experiences from the Trenches

Default administration accounts

Ineffective encryption (It may be AES, but not in use at key points)

Web-Server interfaces (It may be easier for the admin as well as the bad-guys!)

DHCP and TFTP Server Spoofing and Insertion Attacks
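
One way to detect the DHCP and TFTP server spoofing listed above, as an added example that is not from the original slides. It assumes IP phones learn their TFTP configuration server from DHCP option 66 or 150 and that DHCP replies on the voice VLAN can be captured; the allow-lists, addresses and function names are hypothetical.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field

def parse_dhcp_options(field: bytes) -> dict:
    """Parse a DHCP options field (cookie + TLVs) into {option_code: data}."""
    if field[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option is a single byte, no length
            i += 1
            continue
        if i + 1 >= len(field) or i + 2 + field[i + 1] > len(field):
            raise ValueError("truncated option")
        length = field[i + 1]
        opts[code] = field[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def audit_reply(field: bytes, allowed_dhcp: set, allowed_tftp: set) -> list:
    """Return findings for one DHCP OFFER/ACK observed on the voice VLAN."""
    opts = parse_dhcp_options(field)
    if opts.get(53) not in (b"\x02", b"\x05"):   # 2 = OFFER, 5 = ACK
        return []
    findings = []
    sid = opts.get(54, b"")                       # option 54: server identifier
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "missing"
    if server not in allowed_dhcp:
        findings.append(f"unapproved DHCP server: {server}")
    tftp = set()
    if 66 in opts:                                # option 66: TFTP server name
        tftp.add(opts[66].decode("ascii", "replace").rstrip("\x00"))
    raw = opts.get(150, b"")                      # option 150: TFTP IPv4 list
    for j in range(0, len(raw) - len(raw) % 4, 4):
        tftp.add(str(ipaddress.IPv4Address(raw[j:j + 4])))
    findings += [f"unapproved TFTP server: {t}" for t in sorted(tftp - allowed_tftp)]
    return findings

def opt(code: int, data: bytes) -> bytes:
    return bytes([code, len(data)]) + data

# Constructed sample replies (not captured traffic); all addresses are made up.
GOOD = MAGIC_COOKIE + opt(53, b"\x02") + opt(54, bytes([10, 20, 0, 5])) + opt(66, b"10.20.0.10") + b"\xff"
ROGUE = MAGIC_COOKIE + b"\x00" + opt(53, b"\x05") + opt(54, bytes([10, 20, 0, 99])) + opt(150, bytes([10, 20, 0, 99])) + b"\xff"
```

Calling `audit_reply(ROGUE, {"10.20.0.5"}, {"10.20.0.10"})` reports both the unapproved DHCP server and the TFTP server it hands out, while the same call on `GOOD` returns no findings.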

What’s In Your Toolbox?

In order to perform a technical review, you’ll need some tools:

Sniffers

Injectors

Vulnerability Scanners

Some important documents from the ITU, NIST, ETSI, and most importantly, equipment vendors!

VoIP Tools

Sniffers & Analyzers: VoIP Specific or Generic

Injectors

Vendor Tools

Assessment

Proprietary Tools

SiVus

Additional Resources

National Institute of Standards and Technology: Security Considerations for Voice Over IP Systems: http://csrc.nist.gov/publications/nistpubs/

SiVus at VoP Security: http://www.vopsecurity.org/

IETF/ITU Documents

ETSI TIPHON Documents

Miscellaneous Vendor Documentation and White Papers

Anything Else?

Lucent Technologies
Bell Labs Innovations

George G. McBride
Managing Principal
Lucent Worldwide Services

Lucent Technologies Inc.
Room 2N-611G
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]

Please contact me with any questions, comments, complaints, or new developments.