VOIP Technology, Security Threats & Countermeasures
GISFI # 2, Allahabad, September 17, 2010
Jaydip Sen
Innovation Lab
Tata Consultancy Services, Kolkata
Email: [email protected]
Migration to the Integrated World
[Figure: over time, mobile voice, fixed voice and data communications converge into converged voice carried by end-to-end IP solutions]
What is IP (Internet Protocol)?
• IP is the language that computers use to communicate over the Internet
• IP is the transmission mode that is expected to be used in the future for both voice and data
• IP enables today's services to be implemented over the same access (e.g. telephony and Internet access)
• IP enables multiple services to share the one network
Broadband (IP) Telephony
• Broadband telephony is speech/voice that is packaged and transmitted partly or entirely over IP-based networks
• The concept of broadband telephony is the sum of:
– Voice over IP
– Internet telephony
– Related value-added services
• Full-featured broadband telephony uses IP technology both for voice transmission and for value-added services
• Broadband telephony is in the first place a follow-on product of data communications solutions
• Broadband telephony requires a broadband connection
Evolution of Voice Telephony Products
[Figure: two product lines evolving in parallel]
Fixed access: Analog (AGF) → Digital (AXE) → IP (broadband telephony)
Mobile access: Analog (NMT) → Digital (GSM) → IP (GPRS, 3G)
Convergence of Fixed and Mobile Voice
[Figure: the fixed, VOIP and mobile worlds mapped onto each other]
• POTS: access line
• VOIP: SIP server account, SIP client, "IP coverage"
• Mobile: HLR account, SIM card, "Radio coverage"
• The VOIP and mobile columns correspond one to one: SIP server account = HLR account, SIP client = SIM card, IP coverage = radio coverage
• All devices can or will be wireless
Prerequisites, Business Model, Time Frame
• Prerequisites
– Broadband penetration
– Established standards
– Customer needs
• Business model
– IP will generate a new logic over time
– Start from where you are: convergence may be the best of both worlds
• Time frame
– It may be a long time before IP takes over completely
Broadband vs. Conventional Telephony
• Reliability
– Prioritization of voice packets
– Combining different networks
• Power dependency
– Broadband telephony doesn't work if the power is off at the customer
• Ability to reach alarm numbers
– Position information
• Standards
– Terminals
– Services/networks
Business People Need Integrated Services
Communicate with other people
• Telephone
• Voice-mail
• E-mail, SMS, MMS
Plan and organize your work
• Telephone
• Calendar
• Contacts
Collaborate with other people
• Telephone meeting
• Video meeting
• e-meeting
• Project management tools
Do business
• Telephone
• E-business
• CRM
• Supply chain management
• …
Stay informed
• Telephone
• Web search
• News, …
The VOIP Funnel – Business Customers
[Figure: adoption timeline 2002 to 2006: Lab → First pilots → First full implementations → Full scale → Scale up to corporate level]
• Business case
• Standards
• Branch office (where to start)
• Network management
• QoS
TRENDS
• Classic Centrex → IP Centrex
• Classic PBX → IP PBX
Individual Customer Needs
Connectivity with control
• Need to be in touch
• Voice is still the "killer application"
• Need to control accessibility
• Want to be reachable but need to control access based on user situations
Need to stay informed
• Need to know what is going on around them
– E.g. after 9/11, increased need for security
Greater capabilities for:
• Personal telephony
• Communications
• Mobility
Broadband Telephony
SIP (Session Initiation Protocol)
– A standard that is establishing itself
– Other parties can provide services
Functionality
– Telephony as software in a PC
– Simple to download
– Adapter or separate phone required to talk via a handset
– Personal phone number 0751121441
– SIP address [email protected], which can be an email address
Capabilities
– Call control
– Availability information
– Chat
– Video calls
What is VoIP?
• A suite of IP-based communications services
• Provides multimedia communications over IP networks
• Based on open IETF and ITU standards
• Operates over any IP network (not just the Internet)
• Uses separate paths for signaling and media
• Low-cost alternative to PSTN calling
The Business Value of VoIP
Cost
• Toll bypass for on-net calling
• Reduced network costs
• Lower move/add/delete (MAD) costs
• Reduced site preparation time
• Network convergence
Functionality
• Enterprise directory integration
• Unified Messaging
• Call center applications
• Interactive Voice Response (IVR)
• IP Video
• Instant Messaging
Mobility
• Location services (Find-Me/Follow-Me routing)
• Wider array of service providers
• Ubiquitous access
PSTN vs VoIP
Public Switched Telephone Network (PSTN)
• SS7 signaling protocol
• Circuit-switched (TDM) network
• Expensive infrastructure
• Reliable quality
Voice Over IP (VoIP)
• SIP, H.323, SCCP, MGCP or MEGACO (H.248) signaling protocol
• RTP media protocol
• Packet-switched network
• Converged infrastructure
• Quality not guaranteed (best effort unless QoS is engineered)
VoIP Protocols: SIP
• RFC 3261
• "The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants."
• Text-based messaging
• Modeled on HTTP
• Uses URIs to address call flow components
– sip:[email protected]
– sip:[email protected]
– sip:[email protected]
• Versatile and open with many applications
– Voice
– Video
– Gaming
– Instant Messages
– Presence
– Call control
Example INVITE request (the example from RFC 3261, section 4):
INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
Max-Forwards: 70
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710@pc33.atlanta.com
CSeq: 314159 INVITE
Contact: <sip:alice@pc33.atlanta.com>
Content-Type: application/sdp
Content-Length: 142
SIP Methods
• INVITE: creates a session
• BYE: terminates a session
• ACK: acknowledges a final response to an INVITE request
• CANCEL: cancels a pending INVITE request
• REGISTER: binds a public SIP URI (address-of-record) to a Contact address
• OPTIONS: queries a server for capabilities
• SUBSCRIBE: installs a subscription for a resource
• NOTIFY: informs about changes in the state of the resource
• MESSAGE: delivers an Instant Message
• REFER: used for call transfer, call diversion, etc.
• PRACK: acknowledges a provisional response to an INVITE request
• UPDATE: changes the media description (e.g. SDP) in an existing session
• INFO: transports mid-session information
• PUBLISH: publishes presence information
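Because SIP is text and modeled on HTTP, the first thing a proxy, registrar or phone does with every request is parse it, and a sloppy parser is itself an attack surface (compact header names, a Content-Length that lies, a CSeq whose method does not match the request line). The following is an added example, not code from the slides or from any SIP stack: a minimal parser plus the sanity checks a receiver should apply. The INVITE is the RFC 3261 example above with a short constructed SDP body; the second message is a constructed hostile variant.

```python
"""Parse and sanity-check a SIP request before acting on it.
Added example; not code from the original slides.  The INVITE is the RFC 3261
section 4 example with a constructed SDP body; BAD is a constructed hostile message."""

from dataclasses import dataclass, field

# Compact header forms SIP allows (RFC 3261 section 7.3.3).  A parser that forgets
# them can be bypassed by writing "f:" instead of "From:".
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type", "s": "subject", "k": "supported"}
MANDATORY = ("via", "to", "from", "call-id", "cseq", "max-forwards")
VIA_MAGIC_COOKIE = "z9hG4bK"   # RFC 3261: marks an RFC 3261-compliant Via branch


@dataclass
class SipRequest:
    method: str
    request_uri: str
    headers: dict = field(default_factory=dict)   # lower-case name -> list of values
    body: bytes = b""

    def first(self, name: str) -> str:
        return self.headers[name.lower()][0]


def parse_request(raw: bytes) -> SipRequest:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8").split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError(f"unsupported version {version!r}")
    req = SipRequest(method=method, request_uri=uri, body=body)
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name = COMPACT.get(name.strip().lower(), name.strip().lower())  # normalise compact names
        req.headers.setdefault(name, []).append(value.strip())
    return req


def validate(req: SipRequest) -> list:
    """Return a list of problems; an empty list means the request is acceptable."""
    problems = []
    for h in MANDATORY:
        if h not in req.headers:
            problems.append(f"missing {h}")
    if "max-forwards" in req.headers:
        mf = req.first("max-forwards")
        if not mf.isdigit() or int(mf) <= 0:
            problems.append("max-forwards exhausted")      # stops routing loops
    if "via" in req.headers and ";branch=" + VIA_MAGIC_COOKIE not in req.first("via"):
        problems.append("top Via branch lacks RFC 3261 magic cookie")
    if "cseq" in req.headers:
        num, _, meth = req.first("cseq").partition(" ")
        if not num.isdigit() or meth.strip() != req.method:
            problems.append("CSeq method does not match request line")
    declared = req.headers.get("content-length")
    if declared and int(declared[0]) != len(req.body):
        problems.append(f"content-length {declared[0]} != body {len(req.body)}")
    return problems


# Constructed SDP body so that Content-Length can be computed rather than typed.
SDP_BODY = (b"v=0\r\no=alice 2890844526 2890844526 IN IP4 pc33.atlanta.com\r\n"
            b"s=-\r\nc=IN IP4 pc33.atlanta.com\r\nt=0 0\r\nm=audio 49172 RTP/AVP 0\r\n")

INVITE = (b"INVITE sip:bob@biloxi.com SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds\r\n"
          b"Max-Forwards: 70\r\n"
          b"To: Bob <sip:bob@biloxi.com>\r\n"
          b"From: Alice <sip:alice@atlanta.com>;tag=1928301774\r\n"
          b"Call-ID: a84b4c76e66710@pc33.atlanta.com\r\n"
          b"CSeq: 314159 INVITE\r\n"
          b"Contact: <sip:alice@pc33.atlanta.com>\r\n"
          b"Content-Type: application/sdp\r\n"
          + b"Content-Length: %d\r\n\r\n" % len(SDP_BODY) + SDP_BODY)

# Constructed hostile variant: compact names, no Max-Forwards, a non-compliant Via
# branch, a CSeq method that lies, and a Content-Length far larger than the body.
BAD = (b"INVITE sip:bob@biloxi.com SIP/2.0\r\n"
       b"v: SIP/2.0/UDP evil.example;branch=1\r\n"
       b"f: <sip:alice@atlanta.com>;tag=1\r\n"
       b"t: <sip:bob@biloxi.com>\r\n"
       b"i: x@evil.example\r\n"
       b"CSeq: 1 BYE\r\n"
       b"l: 9999\r\n\r\n")

if __name__ == "__main__":
    print(validate(parse_request(INVITE)))
    print(validate(parse_request(BAD)))
```

The Content-Length check matters on stream transports (TCP/TLS), where a receiver that trusts the declared length will wait for bytes that never arrive or swallow the start of the next message.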
SIP Components
• User Agents
– Clients (UAC): make requests
– Servers (UAS): accept requests
• Server types
– Redirect Server
– Proxy Server
– Registrar Server
– Location Server
• Gateways
Session Description Protocol (SDP)
• IETF RFC 2327 (since obsoleted by RFC 4566)
• "SDP is intended for describing multimedia sessions for the purposes of session announcement, session invitation, and other forms of multimedia session initiation."
• SDP includes:
– The type of media (video, audio, etc.)
– The transport protocol (RTP/UDP/IP, H.320, etc.)
– The format of the media (H.261 video, MPEG video, etc.)
– Information to receive those media (addresses, ports, formats, etc.)
– Crypto keys (e.g. SRTP keys carried in a=crypto lines, which is why the signaling that carries the SDP must itself be protected)
Example session description (from RFC 2327):
v=0
o=mhandley 2890844526 2890842807 IN IP4 126.16.64.4
s=SDP Seminar
i=A Seminar on the session description protocol
u=http://www.cs.ucl.ac.uk/staff/M.Handley/sdp.03.ps
e=mjh@isi.edu (Mark Handley)
c=IN IP4 224.2.17.12/127
t=2873397496 2873404696
a=recvonly
m=audio 49170 RTP/AVP 0
m=video 51372 RTP/AVP 31
m=application 32416 udp wb
a=orient:portrait
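The security-relevant facts in an SDP offer are in the m= and c= lines (where the media will be sent, and on which transport profile) and in any a=crypto line (which, under SDES, carries the SRTP key in the clear inside the signaling). As an added example, not code from the slides or from any SIP stack, here is a small SDP parser and an audit that flags plaintext RTP/AVP media and keys riding in the SDP. The first input is the RFC 2327 example above; the SRTP offer and its key are constructed for this example (the key is not a real one).

```python
"""Extract the media-level facts from an SDP body and audit them.
Added example; not code from the original slides.  RFC2327_SDP is the RFC 2327
example; SRTP_OFFER and EXAMPLE_KEY are constructed (RFC 4568 a=crypto format)."""

import base64
from dataclasses import dataclass, field


@dataclass
class Media:
    kind: str          # audio, video, application ...
    port: int
    profile: str       # RTP/AVP (plain RTP), RTP/SAVP (SRTP), udp ...
    formats: list
    connection: str    # "IN IP4 a.b.c.d" from the session level or media level
    attributes: dict = field(default_factory=dict)


def parse_sdp(text: str) -> list:
    session_conn = ""
    media = []
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "c" and not media:          # session-level connection line
            session_conn = value
        elif key == "m":
            kind, port, profile, *fmts = value.split()
            media.append(Media(kind, int(port.split("/")[0]), profile, fmts, session_conn))
        elif key == "c" and media:            # media-level override
            media[-1].connection = value
        elif key == "a" and media:
            name, _, val = value.partition(":")
            media[-1].attributes.setdefault(name, []).append(val)
    return media


def audit(media: list) -> list:
    """Findings a practitioner wants to see before accepting an offer."""
    findings = []
    for m in media:
        if m.profile == "RTP/AVP":
            findings.append(f"{m.kind}/{m.port}: plaintext RTP, anyone on the path can reconstruct it")
        for c in m.attributes.get("crypto", []):
            # RFC 4568: "<tag> <suite> inline:<base64(key||salt)>[|lifetime|mki]"
            tag, suite, keyparams = c.split(" ", 2)
            key = keyparams.split("inline:", 1)[1].split("|")[0]
            if len(base64.b64decode(key)) != 30:       # 16-byte key + 14-byte salt
                findings.append(f"{m.kind}/{m.port}: malformed SDES key")
            findings.append(f"{m.kind}/{m.port}: SDES key for {suite} travels in the SDP itself, "
                            "so the signaling path must be TLS-protected")
        if m.profile == "RTP/SAVP" and "crypto" not in m.attributes and "fingerprint" not in m.attributes:
            findings.append(f"{m.kind}/{m.port}: SRTP offered but no key material")
    return findings


RFC2327_SDP = """v=0
o=mhandley 2890844526 2890842807 IN IP4 126.16.64.4
s=SDP Seminar
i=A Seminar on the session description protocol
u=http://www.cs.ucl.ac.uk/staff/M.Handley/sdp.03.ps
e=mjh@isi.edu (Mark Handley)
c=IN IP4 224.2.17.12/127
t=2873397496 2873404696
a=recvonly
m=audio 49170 RTP/AVP 0
m=video 51372 RTP/AVP 31
m=application 32416 udp wb
a=orient:portrait
"""

EXAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()   # constructed, not a real key
SRTP_OFFER = f"""v=0
o=alice 2890844526 2890844526 IN IP4 10.0.0.5
s=-
c=IN IP4 10.0.0.5
t=0 0
m=audio 49172 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{EXAMPLE_KEY}
"""

if __name__ == "__main__":
    for name, text in (("RFC 2327 example", RFC2327_SDP), ("SRTP offer", SRTP_OFFER)):
        print(name)
        for f in audit(parse_sdp(text)):
            print("  ", f)
```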
Media Protocols
RTP (Real-time Transport Protocol)
• RFC 3550 (obsoletes RFC 1889)
• Standardized packet format for delivering audio and video over IP
• Frequently used in streaming media systems
• Carried over UDP; plain RTP provides no confidentiality or integrity protection of its own (that is what SRTP adds)
CODECs
• GIPS Enhanced G.711: 8 kHz sampling rate, Voice Activity Detection, variable bit rate
• G.711: 8 kHz sampling rate, 64 kbit/s
• G.729: 8 kHz sampling rate, 8 kbit/s, Voice Activity Detection
SIP Call Flow
[Figure: Alice calls Bob through an outbound proxy and an inbound proxy]
Alice → Outbound Proxy → Inbound Proxy → Bob: INVITE (forwarded hop by hop)
Each proxy answers the previous hop with 100 Trying
Bob → Inbound Proxy → Outbound Proxy → Alice: 180 Ringing, then 200 OK when the call is answered
Alice → Bob: ACK
Alice ⇄ Bob: RTP voice (the media flows directly between the endpoints, not through the proxies)
Alice → Outbound Proxy → Inbound Proxy → Bob: BYE, answered with 200 OK
Voice exchange in the figure (Steve answers Bob's phone):
"Hello."
"Is Bob there?"
"Sorry, no, can I help you?"
"No. I need Bob."
"Thanks. Bye."
SIP Standards
A sampling of SIP RFCs…
• RFC 3261 Core SIP specification (obsoletes RFC 2543)
• RFC 2327 SDP – Session Description Protocol (obsoleted by RFC 4566)
• RFC 1889 RTP – Real-time Transport Protocol (obsoleted by RFC 3550)
• RFC 2326 RTSP – Real-Time Streaming Protocol
• RFC 3262 SIP PRACK method – reliability for 1xx messages
• RFC 3263 Locating SIP servers – SRV and NAPTR
• RFC 3264 Offer/answer model for SDP use with SIP
• RFC 3265 SIP event notification – SUBSCRIBE and NOTIFY
• RFC 3266 IPv6 support in SDP
• RFC 3311 SIP UPDATE method – e.g. changing media
• RFC 3325 Asserted identity in trusted networks
• RFC 3361 Locating outbound SIP proxy with DHCP
• RFC 3428 SIP extensions for Instant Messaging
• RFC 3515 SIP REFER method – e.g. call transfer
Complexities of VOIP Architecture
[Figure copied from NSA Security Guidance for Deploying IP Telephony Systems, Report Number I332-016R-2005]
VOIP Security Threats
Robert Wood
Most Common VOIP Security Mistakes
1. Treating VOIP security the same way as network security
2. Not treating VOIP security the same way as network security
How it's the Same
• Uses mostly the same protocols
• Uses mostly the same operating systems
• Many of the same threats
How it's Different
• Some unique protocols
• Traditional security devices (IDS/firewalls) can disrupt service
• People treat it like the old phone system!
What we Commonly See
• Segmentation without monitoring
• Improperly configured systems
• Little device hardening
• Little understanding of privacy threats
• No regular security assessments ON the VOIP segment
VoIP Threats
VOIP Threat Taxonomy
• Social Threats
– Misrepresentation (identity, authority, rights, content)
– Theft of Services
– Unwanted Contact (harassment, extortion, unwanted lawful content such as spam and other offensive material)
• Eavesdropping
– Call Pattern Tracking
– Traffic Capture
– Number Harvesting
– Call Reconstruction (voice, video, fax, text, voicemail)
• Interception and Modification
– Call Black Holing
– Call Rerouting
– Fax Alteration
– Conversation Alteration
– Conversation Degradation
– Conversation Impersonation and Hijacking
– False Caller Identification
• Service Abuse
• Denial of Service
– VoIP-specific DoS: request flooding, malformed requests and messages, QoS abuse, spoofed messages, call hijacking
– Network Services DoS
– Underlying Operating System/Firmware DoS
– Distributed DoS (DDoS)
• Physical Intrusion
• Other Disruptions of Service
– Loss of Power
– Resource Exhaustion
– Performance Latency and Metrics
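Two entries in the taxonomy, request flooding and number harvesting, are easy to detect from the proxy's own request log once it is kept: a flood is many requests from one source in a short window, and harvesting is one source touching many distinct target users with most of them rejected. The following is an added example, not code from the slides or from any product: detection logic run over constructed log lines. The log format and thresholds are assumptions; adapt parse_line() to the real format of your proxy.

```python
"""Detect request flooding and number harvesting in a SIP proxy request log.
Added example; not code from the original slides.  The log line format
"<iso-time> src=<ip> <METHOD> sip:<user>@<domain> <status>" and the lines
produced by constructed_log() are constructed for this example."""

from collections import defaultdict
from datetime import datetime, timedelta

FLOOD_WINDOW = timedelta(seconds=10)
FLOOD_THRESHOLD = 20        # requests from one source inside the window (assumed threshold)
HARVEST_TARGETS = 8         # distinct target users probed by one source (assumed threshold)
HARVEST_FAIL_RATIO = 0.75   # share of 401/403/404 responses (assumed threshold)


def parse_line(line: str) -> dict:
    ts, src, method, uri, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src.split("=", 1)[1], "method": method,
            "user": uri.split(":", 1)[1].split("@", 1)[0], "status": int(status)}


def detect(lines) -> dict:
    """Return {source_ip: [finding, ...]} for sources that look abusive."""
    per_src = defaultdict(list)
    for rec in map(parse_line, lines):
        per_src[rec["src"]].append(rec)
    findings = defaultdict(list)
    for src, recs in per_src.items():
        recs.sort(key=lambda r: r["ts"])
        # sliding window over timestamps: flag the first moment the window holds FLOOD_THRESHOLD requests
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > FLOOD_WINDOW:
                start += 1
            if end - start + 1 >= FLOOD_THRESHOLD:
                findings[src].append(f"request flood: {end - start + 1} requests in {FLOOD_WINDOW.seconds}s")
                break
        users = {r["user"] for r in recs}
        failed = sum(r["status"] in (401, 403, 404) for r in recs)
        if len(users) >= HARVEST_TARGETS and failed / len(recs) >= HARVEST_FAIL_RATIO:
            findings[src].append(f"number harvesting: {len(users)} distinct users, {failed}/{len(recs)} rejected")
    return dict(findings)


def constructed_log() -> list:
    """Constructed sample: one normal phone, one extension scanner, one INVITE flood."""
    base = datetime(2010, 9, 17, 10, 0, 0)
    lines = []
    for i in range(5):                      # legitimate phone: a REGISTER every 60 s, always 200
        lines.append(f"{(base + timedelta(seconds=60 * i)).isoformat()} src=10.1.1.20 REGISTER sip:1001@corp.example 200")
    for i in range(12):                     # scanner walking extensions 2000..2011, one exists
        st = 200 if i == 3 else 404
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} src=203.0.113.7 OPTIONS sip:{2000 + i}@corp.example {st}")
    for i in range(25):                     # 25 INVITEs to one user within 5 s
        lines.append(f"{(base + timedelta(milliseconds=200 * i)).isoformat()} src=198.51.100.9 INVITE sip:1001@corp.example 100")
    return lines


if __name__ == "__main__":
    for src, fs in detect(constructed_log()).items():
        print(src, fs)
```

The scanner is caught by the harvesting rule and not by the flood rule (12 requests in 12 seconds stays under the window threshold), which is the point of keeping the two checks separate: a slow, polite enumeration never trips a rate limit.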
Summary of VOIP Risks
• Service Disruption or Denial of Service
• Theft of Service or Data
• Infrastructure Attacks
• Voice SPAM (Vishing, Mailbox Stuffing, Unsolicited Calling)
• Call Hijacking and Spoofing
• Call Eavesdropping or Recording
• Voicemail Hacking
• Every other network and system vulnerability not unique to VOIP!
Threat Model for VOIP Systems
[Figure: layered view of the VOIP environment]
• Layers, top to bottom: Supporting Applications Layer; VOIP Application Layer; VOIP Protocol Layer (Signaling and Transfer Protocols); HW Platform, OS; Facility/Infrastructure
• Components in the VOIP environment: Call Manager Servers, IP Phones, Gateway, SBC, Voice Mail, Fax, Configuration Databases, Network, Firewall
What are the Threat Vectors?
• OS Exploits
• Signaling Attacks
• Endpoint Admin Privilege Exploits
• Proxy Impersonation
• Real Time Protocol (RTP) Attacks
• VoIP Wiretapping
• VoWiFi Attacks
• DoS Attacks
• Spam for Internet Telephony (SPIT)
• IP PBX and Telephony Server Exploits
• Vishing (VoIP Phishing)
Who are You Protecting Against?
[Figure: exposures range from Unintentional Exposure through Intentional Exposure to Malicious Attack]
"Risk is independent of intent"
Specialized Hacking Tools
• SIPScan – enumerate SIP interfaces
• TFTPBrute – TFTP directory attacking (guessing phone configuration file names on the TFTP server)
• UDP and RTP Flooder – DoS tools
• hping2 – TCP session flooding
• Registration Hijacker – tool to take over a SIP registration
• SIVUS – SIP authentication and registration auditor
• Vomit – RTP playback
• VOIP HOPPER – IP phone mimicking tool (hops from the data VLAN into the voice VLAN)
• LDAPMiner – collect LDAP directory information
• Dsniff – various utilitarian tools (macof and arpspoof)
• Wireshark (Ethereal) / tcpdump – packet capture and protocol analysis
Hardware Can be Guessed
Voicemail greetings fingerprint the platform behind them, for example:
"Your call is being answered by Audix. [USER'S NAME] {is not available ... to leave a message wait for the tone, is busy ... to leave a message wait for the tone}."
"[USER'S NAME] {is on the phone, is unavailable}. Please leave your message after the tone. When done, hang up or press the pound key."
"Record your message at the tone. When you are finished, hang up or hold for more options."
Attack scenarios (diagram slides)
• DDoS Attack
• Toll Fraud: the hacker sells your company's calling information; your company gets the bill
• Call Manager OS (attacks on the underlying server platform)
• Call Forwarding/Spoofing
• Expose Private Conversations
• Block Certain Calls (the diagram shows calls between 555-1212, 999-1213 and 987-6543)
• Log Call Activity
• Hijacking/Injection Attack
Eavesdropping
[Figure: Kevin taps the SIP signaling between the outbound and inbound proxies and the RTP stream between Alice and Bob]
• DTMF intercept
• IM snooping
• Call pattern analysis
• Number harvesting
• Network discovery
• Voice reconstruction
• Fax reconstruction
• Video reconstruction
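Voice reconstruction from a capture is mechanical when the media is plain RTP: parse the 12-byte RTP header from the Media Protocols slide (RFC 3550), split packets by SSRC, put them back in sequence-number order and concatenate the payloads. For payload type 0 (G.711 PCMU) the result is directly playable, which is all a tool like vomit does. The following is an added example, not code from the slides or from vomit: the packets are constructed in the file with a few bytes of fake audio each, and the capture deliberately includes a sequence-number wrap, reordering and one lost packet.

```python
"""Reconstruct RTP streams from captured packets (RFC 3550 fixed header).
Added example; not code from the original slides.  The packets returned by
constructed_capture() are constructed here with fake PCMU payloads."""

import struct
from collections import defaultdict

RTP_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC


def build_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes, marker: bool = False) -> bytes:
    first = 0x80                                    # version 2, no padding, no extension, CC=0
    second = (0x80 if marker else 0) | (pt & 0x7F)
    return RTP_HEADER.pack(first, second, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(pkt: bytes) -> dict:
    if len(pkt) < RTP_HEADER.size:
        raise ValueError("short packet")
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(pkt)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = RTP_HEADER.size + 4 * (b0 & 0x0F)      # skip CSRC list
    if b0 & 0x10:                                   # header extension: profile(2) length(2) + length*4 bytes
        _, ext_len = struct.unpack_from("!HH", pkt, offset)
        offset += 4 + 4 * ext_len
    payload = pkt[offset:]
    if b0 & 0x20:                                   # padding: last byte holds the padding length
        payload = payload[:-payload[-1]]
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq, "ts": ts,
            "ssrc": ssrc, "payload": payload}


def reassemble(packets) -> dict:
    """Return {ssrc: {"pt", "audio", "lost"}} from packets in capture order."""
    streams = defaultdict(list)
    for p in map(parse_rtp, packets):
        streams[p["ssrc"]].append(p)
    out = {}
    for ssrc, pkts in streams.items():
        base = pkts[0]["seq"]
        for p in pkts:                              # signed distance from the first seen seq, wrap-safe
            p["order"] = ((p["seq"] - base + 0x8000) & 0xFFFF) - 0x8000
        pkts.sort(key=lambda p: p["order"])
        lost = sum(cur["order"] - prev["order"] - 1 for prev, cur in zip(pkts, pkts[1:]))
        audio = b"".join(p["payload"] for p in pkts)
        out[ssrc] = {"pt": pkts[0]["pt"], "audio": audio, "lost": lost}
    return out


def constructed_capture() -> list:
    pkts = []
    # Alice -> Bob, SSRC 0x1111: sequence wraps 65534 -> 2 and arrives out of order
    for i, seq in enumerate((65534, 0, 65535, 2, 1)):
        pkts.append(build_rtp(0, seq, 160 * i, 0x1111, bytes([seq & 0xFF]) * 4))
    # Bob -> Alice, SSRC 0x2222: packet 12 was dropped on the way
    for i, seq in enumerate((10, 11, 13)):
        pkts.append(build_rtp(0, seq, 160 * i, 0x2222, bytes([seq]) * 4))
    return pkts


if __name__ == "__main__":
    for ssrc, s in reassemble(constructed_capture()).items():
        print(f"SSRC {ssrc:#x}: pt={s['pt']} lost={s['lost']} audio={s['audio'].hex()}")
```

With SRTP the same header is still visible (SSRC, sequence, timestamp are not encrypted), so call pattern analysis still works; only the payload reconstruction is defeated.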
Spoofing
[Figure: Kevin forges a BYE from Alice; the proxies forward it to Bob, whose phone tears down the call ("Hello? Hello?") while Alice is still talking]
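What makes the forged BYE work is that the phone decides "is this request part of my call?" from fields an eavesdropper can see. The following is an added example, not code from the slides or from any phone firmware. It models Bob's side of the dialog and contrasts a naive check (same Call-ID, hang up) with RFC 3261 dialog matching (Call-ID plus both tags plus a CSeq that advances) and a transport check. SIP messages are represented as header dictionaries so that the point is the matching, not parsing; the dialog identifiers are the RFC 3261 example values, the attacker's values are made up.

```python
"""Naive versus strict handling of an in-dialog BYE.
Added example; not code from the original slides.  Call-ID and tags are the
RFC 3261 example values; Kevin's values are constructed."""

from dataclasses import dataclass


@dataclass
class Dialog:
    call_id: str
    local_tag: str      # this UA's own tag (for Bob: the To tag he generated in the 200 OK)
    remote_tag: str     # the peer's tag (Alice's From tag)
    remote_cseq: int    # highest CSeq seen from the peer
    transport: str      # "udp" or "tls": the transport the dialog was established over
    active: bool = True


def handle_bye_naive(dialog: Dialog, bye: dict, via_transport: str) -> bool:
    """Early UAs: same Call-ID, then hang up.  via_transport is ignored."""
    if bye["Call-ID"] == dialog.call_id:
        dialog.active = False
        return True
    return False


def handle_bye_strict(dialog: Dialog, bye: dict, via_transport: str) -> bool:
    """RFC 3261 section 12.2.2 dialog matching plus a transport check."""
    if bye["Call-ID"] != dialog.call_id:
        return False
    # In a request from the peer, its tag is in From and ours is in To.
    if bye["From-tag"] != dialog.remote_tag or bye["To-tag"] != dialog.local_tag:
        return False
    if bye["CSeq"] <= dialog.remote_cseq:          # replayed or stale request
        return False
    # Everything above is visible to anyone sniffing plaintext UDP signaling, so a
    # dialog set up over TLS must refuse in-dialog requests that arrive another way.
    if dialog.transport == "tls" and via_transport != "tls":
        return False
    dialog.remote_cseq = bye["CSeq"]
    dialog.active = False
    return True


def run_scenarios() -> dict:
    call_id = "a84b4c76e66710@pc33.atlanta.com"

    def bob_dialog(transport: str) -> Dialog:
        return Dialog(call_id, local_tag="a6c85cf", remote_tag="1928301774",
                      remote_cseq=314159, transport=transport)

    # Kevin knows only the Call-ID (say, from a call-detail record he got hold of)
    blind = {"Call-ID": call_id, "From-tag": "kevin1", "To-tag": "kevin2", "CSeq": 1}
    # Kevin sniffed the plaintext INVITE and 200 OK: he has both tags and the CSeq
    sniffed = {"Call-ID": call_id, "From-tag": "1928301774", "To-tag": "a6c85cf", "CSeq": 314160}
    return {
        "naive_blind": handle_bye_naive(bob_dialog("udp"), blind, "udp"),
        "strict_blind": handle_bye_strict(bob_dialog("udp"), blind, "udp"),
        "strict_sniffed_udp": handle_bye_strict(bob_dialog("udp"), sniffed, "udp"),
        "strict_sniffed_tls_dialog": handle_bye_strict(bob_dialog("tls"), sniffed, "udp"),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'call torn down' if accepted else 'BYE rejected'}")
```

The third scenario is the lesson of the figure: strict matching stops a blind attacker but not one who can read the signaling, so the countermeasure for this attack is TLS on the signaling path, not cleverer matching.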
Recording
[Figure: a call being recorded from the network]
Interception
[Figure: Kevin forges a REFER from Bob into the Alice–Bob dialog. Alice's phone answers 202 Accepted, sends a BYE to Bob and a new INVITE to the Refer-To target (Kevin), which answers 200 OK; the RTP now flows between Alice and Kevin while Bob is left saying "Hello?"]
Key Mitigation Strategies
• Create VOIP-specific security policies
• Segmentation as appropriate
– Restrict logical network access to critical servers and VoIP call processors
– Utilize separate VLANs for voice and data
• Device hardening
– Do not use default passwords
– Turn off unnecessary services
– Apply vendor-supplied patches in a timely manner
– Work through the vendor's installation security checklist to harden applications
• Perform security assessments on and against the VOIP infrastructure
• Apply appropriate encryption
• Utilize VoIP-aware firewalls, Intrusion Prevention Systems (IPS) and Session Border Controllers (SBC) when possible
• Utilize end-to-end QoS
• Continue to protect against traditional system attacks (toll fraud, modem security, social networking attacks, etc.)
Security Solutions
Robert Wood
Network Solutions: Security Policy
• Establish a corporate security policy
– Acceptable Use Policy
– Analog/Dial-in/ISDN Line Policy
– Anti-Virus Process
– E-mail Policy (automatic forwarding, usage, retention)
– Ethics Policy
– Password Protection Policy
– Patch Management Process
– Router Security Policy
– Server Security Policy
– Risk Assessment Policy
– VPN Security Policy
– Wireless Security Policy
Templates: http://www.sans.org/resources/policies/#template
Security Solutions: Network
[Figure: network design by Cisco Systems]
Security Solutions: DoS & DDoS
• Provide redundancy through:
– Mesh corporate WAN design
– Utilizing multiple ISPs
– Fallback PSTN gateway(s)
– Uninterruptible Power Supplies
• Negotiate QoS agreements
Security Solutions: Hacking
• Segment networks into separate VLANs
– Voice network
– Data network
– Monitoring and control network
• Maintain VoIP application server updates
– Call manager server(s)
– Voicemail server(s)
– Gateway server(s)
• Install current operating system patches
• Install current application software patches
Security Solutions: Spoofing
• Eliminate unknown devices
– DHCP Snooping
– DAI: Dynamic ARP Inspection
– IP Source Guard
• Eliminate unknown software
– Digital signatures on firmware and configuration images
Security Solutions: Threats
• Manage and prevent threats via:
– Stateful firewalls
– Virus filters
– Intrusion Detection (NIDS)
– Intrusion Prevention (HIPS)
– Filter unnecessary ports on routers, switches, PCs, IP telephones and firewalls
Security Solutions: Complete
[Figure: complete network design, with legend]
Summary of Countermeasures
Authentication and Encryption
• Digest Authentication
– Used during UA registration (and can challenge other requests such as INVITE)
– Authenticates the UA to the SIP proxy/registrar
– Similar to HTTP digest from web browser to web server
– Cannot be used between proxies
– Proves knowledge of a password only: it neither encrypts nor integrity-protects the message, and an eavesdropper who captures the challenge and response can brute-force a weak password offline
• Transport Layer Security (TLS)
– Used to secure the signaling path
– Authenticates each endpoint on a link
– Provides an encrypted path on each link (hop by hop, not end to end)
– Non-transitive trust
– Can be used between proxies
– Requires X.509 certificates
• Secure RTP (SRTP)
– Used to secure the media path
– Provides end-to-end security of the media
– Needs a separate key-management method: SDES keys carried in the SDP (so the signaling must be TLS-protected), DTLS-SRTP (certificate fingerprints in the SDP), or MIKEY
• ZRTP (Zfone)
– Used to secure the media path
– Provides end-to-end security
– IETF draft written by Phil Zimmermann (later published as RFC 6189)
– Requires no X.509 certificates
– Relies on "OSI layer 8" authorization: the two users read a Short Authentication String (SAS) to each other to detect a man-in-the-middle
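Digest authentication is worth seeing end to end, because its limits follow directly from the arithmetic. The following is an added example, not code from the slides or from any SIP stack: the registrar's challenge, the UA's RFC 2617 MD5 response as SIP uses it (RFC 3261 section 22), the registrar's check with single-use nonces, and the offline attack a sniffer on the voice VLAN runs against a captured REGISTER exchange. The realm, nonce, user and password are constructed values.

```python
"""SIP Digest authentication: challenge, response, verification, offline attack.
Added example; not code from the original slides.  Realm, user and the PIN-style
password are constructed values."""

import hashlib
import secrets
from typing import Optional


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user: str, realm: str, password: str, method: str, uri: str, nonce: str) -> str:
    # RFC 2617 without qop: response = MD5(HA1 ":" nonce ":" HA2)
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def challenge(realm: str) -> dict:
    """What the registrar sends in its 401 WWW-Authenticate header (as a dict)."""
    return {"realm": realm, "nonce": secrets.token_hex(16)}


def authorize(chal: dict, user: str, password: str, method: str, uri: str) -> dict:
    """What the UA sends back in its Authorization header (as a dict)."""
    return {"username": user, "realm": chal["realm"], "nonce": chal["nonce"], "uri": uri,
            "response": digest_response(user, chal["realm"], password, method, uri, chal["nonce"])}


def registrar_check(auth: dict, method: str, issued_nonces: set, credentials: dict) -> bool:
    if auth["nonce"] not in issued_nonces:          # must be a nonce we issued ...
        return False
    issued_nonces.discard(auth["nonce"])            # ... and each nonce is used once (stops replay)
    pw = credentials.get(auth["username"])
    if pw is None:
        return False
    expected = digest_response(auth["username"], auth["realm"], pw, method, auth["uri"], auth["nonce"])
    return secrets.compare_digest(expected, auth["response"])


def offline_crack(auth: dict, method: str, wordlist) -> Optional[str]:
    """Everything needed to test a guess is in the captured exchange."""
    for guess in wordlist:
        if digest_response(auth["username"], auth["realm"], guess, method, auth["uri"], auth["nonce"]) == auth["response"]:
            return guess
    return None


def demo() -> dict:
    creds = {"1001": "1234"}                        # constructed: a 4-digit PIN, common on desk phones
    issued = set()
    chal = challenge("corp.example")
    issued.add(chal["nonce"])
    auth = authorize(chal, "1001", "1234", "REGISTER", "sip:corp.example")
    accepted = registrar_check(auth, "REGISTER", issued, creds)
    replayed = registrar_check(auth, "REGISTER", issued, creds)   # same message again
    cracked = offline_crack(auth, "REGISTER", (f"{i:04d}" for i in range(10000)))
    return {"accepted": accepted, "replay_accepted": replayed, "cracked": cracked}


if __name__ == "__main__":
    print(demo())
```

A real registrar should also insist on its own realm rather than echoing the one in the Authorization header. None of that helps against the offline search, which is why the slides pair Digest with TLS on the signaling path.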
Summary of Countermeasures
Physical Security
• VoIP equipment in a secured datacenter
• Lock wiring closet doors
• VoIP VLANs = Good
• Separate VoIP network = Better
• Separate VoIP network + Authentication + Encryption = Best!
Logical Security
• CIS Benchmarks applied to all host platforms
• Regular patching and assessments
• Network IDS
• Firewall and NAT protection of gateways and proxies
Conclusion
• VOIP will lead to convergence of voice and data into a common infrastructure for wiring, routers and network connectivity.
• Companies will be able to deploy, manage and maintain one network to serve all communication needs, saving on infrastructure costs and resources.
• With VoIP the Internet becomes the backbone of a company's phone network. This leads to a number of threats:
– Hackers
– Worms
– Viruses
– DoS attacks
• "The challenge of VoIP security is not new. History has shown that advances and trends in information technology typically outpace the corresponding realistic security requirements. Such requirements are often tackled only after these technologies have been widely adopted and deployed" – Cable Datacom News
Thank You!