Post on 19-Dec-2015
![Page 1: Network and VoIP Security – More Important Than Ever Mark D. Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com](https://reader030.vdocuments.net/reader030/viewer/2022032703/56649d2a5503460f949fe7ce/html5/thumbnails/1.jpg)
Network and VoIP Security – More Important Than Ever
Mark D. Collier, Chief Technology Officer, SecureLogix Corporation (mark.collier@securelogix.com)

Outline
General Security Trends
  Good news
  Bad news
  Going forward
Network-Based Security
Managed Security Services
Internal Application/VoIP Security

Security Trends
General Security Trends – Some Good News
Basic security measures, such as anti-virus, firewalls, and anti-spyware, are ubiquitously deployed
Average losses due to security breaches are up, but down significantly from 2001 and 2002 (*)
The number of incidents is down (*)
Incidents are being reported at a greater rate (*)
(*) Source – 2007 Computer Crime and Security Survey

[Four chart slides: General Security Trends – Some Good News; source: 2007 Computer Crime and Security Survey]

[Chart slide: General Security Trends – Some Bad News; source: 2007 Computer Crime and Security Survey]

General Security Trends – Some Bad News
Signature-based detection systems are being pushed to the limit
The platforms, networks, and applications are getting more and more complex
Attacks are becoming increasingly complex
Perimeter security has many issues
Security funding is a small part of IT spending – no more than 10% and often less than 5% (*)
Targeted attacks are increasing (*)
(*) Source – 2007 Computer Crime and Security Survey

[Two chart slides: General Security Trends – Some Bad News; source: 2007 Computer Crime and Security Survey]

General Security Trends – Going Forward
Increased deployment of Intrusion Detection and Prevention Systems (IDSs and IPSs)
Possible increase in the use of Network Admission Control (NAC)
Network-Based Security solutions are available
Managed Security Services solutions are available
Increased focus on internal application security
New applications such as Voice over IP (VoIP) moving onto the data network

Network-based Security
Network-based Security – Introduction
Enterprise customers are deploying firewalls, IDSs/IPSs, AV, and anti-SPAM on the network edge
Some disadvantages:
  Expensive
  Multiple vendors and difficult to manage
  Does not scale well
[Diagram: client enterprises attached at their edges to the primary provider IP network and to a 3rd-party network]

Network-based Security – Introduction
Network-based security embeds security capability in the network
Some advantages:
  Leverages security capability in the network
  Centralized management
  Scales better
[Diagram: client enterprises attached at their edges to the AT&T IP network, which provides VPN, firewall, IDS, anti-virus, etc.; a 3rd-party network is also shown]

Network-based Security – Advantages
Leverages security expertise
Greatly assists with threat reconnaissance
Broad network visibility allows greater awareness and warning of attacks
The impact of major worm attacks is seen well in advance of when they are a threat to an enterprise
The only real solution to DoS and DDoS attacks
A great defense-in-depth approach
Still may need network defense and internal security

Network-based Security – Early Detection of Attacks
[Diagram: attack progression from left to right, with the preventive phase (defense) covering the early stages and the reactive phase (defense) the later ones; a marker shows where the AT&T security service places its primary emphasis]
Reconnaissance: Web-Based Information Collection; Social Engineering
Scanning: Broad Network Mapping; Targeted Scan
System Access: Service Vulnerability Exploitation; Password Guessing
Damage: DDoS Zombie Code Installation; System File Delete
Track Coverage: Log File Changes; Use of Stolen Accounts for Attack

Network-based Security – DoS and DDoS Attacks
[Diagram: a targeted enterprise server reached through the AT&T IP backbone]
Network-based SecurityAT&T Offerings
Network-basedSecurity
Polic
y M
anag
emen
t
Iden
tity
Man
agem
ent
Intru
sion
Man
agem
ent
Perim
eter
Secur
ity
Secur
eCon
nect
ivity
Mon
itorin
g
& M
gmt
Inci
dent
Man
agem
ent
Network-Based Security Platform
AT&T Internet Protect®
AT&T DDoS Defense AT&T My Internet Protect AT&T Private Intranet Protect AT&T Network-Based Firewalls AT&T Secure E-Mail Gateway AT&T Web Security Services

Managed Security Services
Managed Security Services – Introduction
Managed Security Services (MSS) are a viable alternative to in-house security staffing
Leverage experienced staff, who are familiar with security processes and products
Often can be more cost effective
Eliminates the need to retain and train staff
Security assessments/audits are commonly outsourced

[Chart slide: Managed Security Services – Enterprise Penetration; source: 2007 Computer Crime and Security Survey]

[Chart slide: Managed Security Services – Assessments/Audits; source: 2007 Computer Crime and Security Survey]

Managed Security Services – AT&T Offerings
Premises-Based Firewalls
Managed Intrusion Detection
Endpoint Security Service
Token Authentication

Application/VoIP Security – Introduction
Despite the availability of network-based security, managed services, and customer-premise edge security, securing applications is still important
Voice over IP (VoIP) is one internal application that must be secured

Gathering Information – Footprinting
Public Website Research – Introduction
An enterprise website often contains a lot of information that is useful to a hacker:
  Organizational structure and corporate locations
  Help and technical support
  Job listings
  Phone numbers and extensions
Public Website Research Countermeasures
It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it
Try to limit amount of detail in job postings
Remove technical detail from help desk web pages
Gathering InformationFootprinting

Google Hacking – Introduction
Google is incredibly good at finding details on the web:
  Vendor press releases and case studies
  Resumes of VoIP personnel
  Mailing lists and user group postings
  Web-based VoIP logins

Google Hacking – Countermeasures
Determine what your exposure is
Be sure to remove any VoIP phones which are visible to the Internet
Disable the web servers on your IP phones
There are services that can help you monitor your exposure:
  www.cyveilance.com
  www.baytsp.com

Gathering Information – Scanning
Host/Device Discovery and Identification
Consists of various techniques used to find hosts:
  Ping sweeps
  ARP pings
  TCP ping scans
  SNMP sweeps
After hosts are found, the type of device can be determined
Classifies host/device by operating system
Once hosts are found, tools can be used to find available network services

[Screenshot slide: Host/Device Discovery – Ping Sweeps/ARP Pings]

Host/Device Discovery – Countermeasures
Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps
VLANs can help isolate ARP pings
Ping sweeps can be blocked at the perimeter firewall
Use the secure (SNMPv3) version of SNMP
Change SNMP public strings

Gathering Information – Enumeration
Enumeration – Introduction
Involves testing open ports and services on hosts/devices to gather more information
Includes running tools to determine if open services have known vulnerabilities
Also involves scanning for VoIP-unique information such as phone numbers
Includes gathering information from TFTP servers and SNMP

[Screenshot slide: Vulnerability Testing – Tools]

Vulnerability Testing – Countermeasures
The best solution is to upgrade your applications and make sure you continually apply patches
Some firewalls and IPSs can detect and mitigate vulnerability scans

TFTP Enumeration – Introduction
Almost all phones we tested use TFTP to download their configuration files
The TFTP server is rarely well protected
If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password
The files are downloaded in the clear and can be easily sniffed
Configuration files have usernames, passwords, IP addresses, etc. in them

TFTP Enumeration – Countermeasures
It is difficult not to use TFTP, since it is so commonly used by VoIP vendors
Some vendors offer more secure alternatives
Firewalls can be used to restrict access to TFTP servers to valid devices

SNMP Enumeration – Introduction
SNMP is enabled by default on most IP PBXs and IP phones
Simple SNMP sweeps will garner lots of useful information
If you know the device type, you can use snmpwalk with the appropriate OID
You can find the OID using Solarwinds MIB
Default “passwords”, called community strings, are common

SNMP Enumeration – Countermeasures
Disable SNMP on any devices where it is not needed
Change default public and private community strings
Try to use SNMPv3, which supports authentication

Attacking the Network – Network DoS
Network Infrastructure DoS
The VoIP network and supporting infrastructure are vulnerable to attacks
VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter
Attacks include:
  Flooding attacks
  Network availability attacks
  Supporting infrastructure attacks

Flooding Attacks – Introduction
Flooding attacks generate so many packets at a target that it is overwhelmed and can’t process legitimate requests

Flooding Attacks – Countermeasures
Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling)
Use rate limiting in network switches
Use anti-DoS/DDoS products
Some vendors have DoS support in their products (in newer versions of software)

Network Availability Attacks
This type of attack involves an attacker trying to crash the underlying operating system:
  Fuzzing involves sending malformed packets, which exploit a weakness in software
  Packet fragmentation
  Buffer overflows

Network Availability Attacks – Countermeasures
A network IPS is an inline device that detects and blocks attacks
Some firewalls also offer this capability
Host-based IPS software also provides this capability

Supporting Infrastructure Attacks
VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc.
DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones
DNS cache poisoning involves tricking a DNS server into using a fake DNS response

Supporting Infrastructure Attacks – Countermeasures
Configure DHCP servers not to lease addresses to unknown MAC addresses
DNS servers should be configured to analyze information from non-authoritative servers and drop any response not related to their own queries

Attacking the Network – Eavesdropping
Network Eavesdropping – Introduction
VoIP configuration files, signaling, and media are vulnerable to eavesdropping
Attacks include:
  TFTP configuration file sniffing (already discussed)
  Number harvesting and call pattern tracking
  Conversation eavesdropping
By sniffing signaling, it is possible to build a directory of numbers and track calling patterns
voipong automates the process of logging all calls
Wireshark is very good at sniffing VoIP signaling

[Screenshot slide: Conversation Recording – Wireshark]

Conversation Recording – Other Tools
Other tools include:
  vomit
  Voipong
  voipcrack (not public)
  DTMF decoder

Network Eavesdropping – Countermeasures
Use encryption:
  Many vendors offer encryption for signaling
  Use Transport Layer Security (TLS) for signaling
  Many vendors offer encryption for media
  Use Secure Real-time Transport Protocol (SRTP)
  Use ZRTP
  Use proprietary encryption if you have to

Attacking the Network – Net/App Interception
Network Interception – Introduction
The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing:
  Eavesdropping on the conversation
  Causing a DoS condition
  Altering the conversation by omitting, replaying, or inserting media
  Redirecting calls

Network Interception – ARP Poisoning
The most common network-level MITM attack is ARP poisoning
Involves tricking a host into thinking the MAC address of the attacker is the intended address
There are a number of tools available to support ARP poisoning:
  Cain and Abel
  ettercap
  Dsniff
  hunt

[Screenshot slide: Network Interception – ARP Poisoning]

Network Interception – Countermeasures
Some countermeasures for ARP poisoning are:
  Static OS mappings
  Switch port security
  Proper use of VLANs
  Signaling encryption/authentication
  ARP poisoning detection tools, such as arpwatch
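The last countermeasure above, detection, is the easiest to show in code. The following is an added example written for this page (it is not code from the slides, from SecureLogix, or from arpwatch): an arpwatch-style monitor that keeps the IP-to-MAC table learned from ARP replies and raises an alert when an IP suddenly answers from a different MAC, or when one MAC starts claiming more IPs than a normal host should, which is what an attacker poisoning both a phone and its gateway looks like from the wire. The ARP reply records and the MAC addresses are constructed for the example.

```python
"""arpwatch-style IP-to-MAC change monitor (constructed example).

Maintains the ip -> mac table an arpwatch-type tool builds from observed
ARP replies and reports two conditions: an IP whose MAC changed, and a
MAC that now claims more IPs than `max_ips_per_mac` allows.
"""
from collections import defaultdict


class ArpMonitor:
    def __init__(self, max_ips_per_mac=1):
        self.max_ips_per_mac = max_ips_per_mac
        self.table = {}                  # ip -> mac currently claiming it
        self.by_mac = defaultdict(set)   # mac -> ips it currently claims
        self.alerts = []                 # (ts, kind, ip, detail)

    def observe(self, ts, ip, mac):
        """Record one ARP reply 'ip is-at mac'; return the alerts it produced."""
        mac = mac.lower()
        produced = []
        prev = self.table.get(ip)
        if prev is not None and prev != mac:
            # The IP moved to another MAC: a flip-flop in arpwatch terms.
            produced.append((ts, "changed", ip, "%s -> %s" % (prev, mac)))
            self.by_mac[prev].discard(ip)
        self.table[ip] = mac
        claimed = self.by_mac[mac]
        grew = ip not in claimed
        claimed.add(ip)
        if grew and len(claimed) > self.max_ips_per_mac:
            # One MAC answering for several IPs: a MITM pairing of hosts.
            produced.append((ts, "multi_ip", ip,
                             "%s claims %s" % (mac, sorted(claimed))))
        self.alerts.extend(produced)
        return produced


# Constructed ARP reply records (timestamp, ip, mac). 00:11:22:33:44:01 is
# the gateway/PBX, :11 and :12 are phones, DE:AD:BE:EF:00:66 a rogue host.
SAMPLE_REPLIES = [
    (100, "10.0.0.1",  "00:11:22:33:44:01"),
    (101, "10.0.0.11", "00:11:22:33:44:11"),
    (102, "10.0.0.12", "00:11:22:33:44:12"),
    (200, "10.0.0.1",  "DE:AD:BE:EF:00:66"),   # rogue host answers for the gateway
    (201, "10.0.0.11", "DE:AD:BE:EF:00:66"),   # ...and for a phone: both directions
    (300, "10.0.0.1",  "00:11:22:33:44:01"),   # real gateway re-announces itself
]


def run_monitor(replies=SAMPLE_REPLIES):
    """Feed the reply records through a monitor and return all alerts."""
    mon = ArpMonitor()
    for ts, ip, mac in replies:
        mon.observe(ts, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for ts, kind, ip, detail in run_monitor():
        print("%d %-8s %-10s %s" % (ts, kind, ip, detail))
```

A `changed` alert on its own is also what a legitimate DHCP reassignment or NIC swap produces, so in practice it is correlated with the `multi_ip` condition, with switch port-security logs, or with the static mappings kept for the gateway and call server before it is treated as poisoning.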

Attacking the Application
VoIP systems are vulnerable to application attacks against the various VoIP protocols
Attacks include:
  Fuzzing attacks
  Flood-based DoS
  Signaling and media manipulation

Attacking the Application – Fuzzing
Fuzzing – Introduction
Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it
Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks
There are many public domain tools available for fuzzing:
  Protos suite
  Asteroid
  Fuzzy Packet
  NastySIP
  Scapy
  SipBomber
  SFTF
  SIP Proxy
  SIPp
  SIPsak

Fuzzing – Commercial Tools
There are some commercial tools available:
  Beyond Security BeStorm
  Codenomicon
  MuSecurity Mu-4000 Security Analyzer
  Security Innovation Hydra
  Sipera Systems LAVA tools

Fuzzing – Countermeasures
Make sure your vendor has tested their systems for fuzzing attacks
Consider running your own tests
A VoIP-aware IPS can monitor for and block fuzzing attacks

Attacking the Application – Flood-Based DoS
Flood-Based DoS
Several tools are available to generate floods at the application layer:
  rtpflood – generates a flood of RTP packets
  inviteflood – generates a flood of SIP INVITE packets
  SiVuS – a tool with a GUI that enables a variety of flood-based attacks
Virtually every device we tested was susceptible to these attacks

Flood-Based DoS – Countermeasures
There are several countermeasures you can use for flood-based DoS:
  Use VLANs to separate networks
  Use TCP and TLS for SIP connections
  Use rate limiting in switches
  Enable authentication for requests
  Use SIP firewalls/IPSs to monitor and block attacks

Attacking the Application – Sig/Media Manipulation
Registration Manipulation
[Diagram: two users and their proxies; an attacker in the signaling path takes over the session (hijacked session) and the media (hijacked media)]

Session Teardown
[Diagram: an established call between two users across two proxies; the attacker sends BYE messages to the UAs]

IP Phone Reboot
[Diagram: two users across two proxies; the attacker sends check-sync messages to a UA]

Audio Insertion/Mixing
[Diagram: two users across two proxies; the attacker sees the media packets and inserts/mixes in new audio]

Signaling/Media Manipulation – Countermeasures
Some countermeasures for signaling and media manipulation include:
  Use digest authentication where possible
  Use TCP and TLS where possible
  Use SIP-aware firewalls/IPSs to monitor for and block attacks
  Use audio encryption to prevent RTP injection/mixing

Social Attacks – Voice SPAM
Voice SPAM – Introduction
Voice SPAM refers to bulk, automatically generated, unsolicited phone calls
Similar to telemarketing, but occurring at the frequency of email SPAM
Not an issue yet, but will become prevalent when:
  The network makes it very inexpensive or free to generate calls
  Attackers have access to VoIP networks that allow generation of a large number of calls
It is easy to set up a voice SPAM operation, using Asterisk, tools like “spitter”, and free VoIP access

Voice SPAM – Countermeasures
Some potential countermeasures for voice SPAM are:
  Authenticated identity movements, which may help to identify callers
  Legal measures
  Network-based filtering
  Enterprise voice SPAM filters:
    Black lists/white lists
    Approval systems
    Audio content filtering
    Turing tests
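The enterprise-side filters listed above compose into a single admission decision per inbound call. The following added example (written for this page; not code from the slides or from any product) shows that composition: white list gives accept, black list gives reject, and an unknown caller is either rejected because it shows the fan-out pattern of a bulk dialer (one number reaching many distinct extensions within a short window) or sent to a challenge step, standing in for the Turing test or approval system, whose success adds the caller to the white list. The phone numbers, extensions, thresholds and call trace are constructed.

```python
"""Enterprise voice-SPAM call filter (constructed example).

Decision order per inbound call: black list -> white list -> bulk
fan-out heuristic -> challenge. `approve()` is what the Turing-test or
callee-approval step calls when the caller passes.
"""
from collections import defaultdict, deque


class CallFilter:
    def __init__(self, whitelist=(), blacklist=(), max_fanout=5, window=300.0):
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self.max_fanout = max_fanout        # distinct callees allowed per window
        self.window = window                # seconds
        self._calls = defaultdict(deque)    # caller -> (ts, callee) inside window

    def decide(self, ts, caller, callee):
        """Return 'accept', 'reject' or 'challenge' for one inbound call."""
        if caller in self.blacklist:
            return "reject"
        if caller in self.whitelist:
            return "accept"
        recent = self._calls[caller]
        recent.append((ts, callee))
        while ts - recent[0][0] > self.window:   # drop calls older than the window
            recent.popleft()
        distinct = {c for _, c in recent}
        if len(distinct) > self.max_fanout:
            # Bulk-dialer pattern: block this caller from now on.
            self.blacklist.add(caller)
            return "reject"
        return "challenge"

    def approve(self, caller):
        """Caller passed the audio Turing test or was approved by the callee."""
        self.whitelist.add(caller)


# Constructed call trace (timestamp, caller, callee): a known partner, a
# known bad number, a one-off unknown caller, and a bulk dialer sweeping
# twelve extensions five seconds apart.
CALL_TRACE = [
    (0.0, "+15550001111", "2001"),
    (1.0, "+15550009999", "2001"),
    (2.0, "+15550002222", "2003"),
] + [(10.0 + i * 5, "+15550007777", "20%02d" % i) for i in range(12)]


def run_trace(trace=CALL_TRACE):
    """Run the trace through a filter; return (caller, decision) per call."""
    flt = CallFilter(whitelist=["+15550001111"], blacklist=["+15550009999"])
    return [(caller, flt.decide(ts, caller, callee)) for ts, caller, callee in trace]


if __name__ == "__main__":
    for caller, decision in run_trace():
        print("%-14s %s" % (caller, decision))
```

The bulk dialer is challenged on its first five calls and rejected from the sixth onward, once it has touched more than `max_fanout` distinct extensions inside the window; the one-off unknown caller is only challenged. Auto-blacklisting on fan-out is a design choice that trades a possible false positive (a legitimate call centre) for not having to re-evaluate the sweep on every call, so the list should expire or be reviewable rather than permanent.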

Social Attacks – Phishing
VoIP Phishing – Introduction
Similar to email phishing, but with a phone number delivered through email or voice
When the victim dials the number, the recording requests entry of personal information

VoIP Phishing – Countermeasures
Traditional email spam/phishing countermeasures come into play here
Educating users is key

Final Thoughts
General network security is improving in some ways, but new threats are emerging
Network-based security and managed security services can be used to improve enterprise security
Don’t neglect internal security and key applications