VoIP and multimedia protocols in wireless and firewalled environments



VoIP and multimedia protocols in wireless and firewalled environments

Matt Gordon-Smith & Stephen Wing, Senior Consultants, Siemens Insight Consulting

Large numbers of IT departments are currently grappling with security issues around the deployment of VoIP and multimedia protocols in wireless and firewalled environments. What should they be considering?

The recent increase of geographically dispersed users and telecommuting has given rise to greater requirements for better methods of collaboration and interaction between personnel. This has increased the prevalence of technologies such as Voice over Internet Protocol (VoIP) and multimedia protocols such as video-conferencing, web-casting and Instant Messaging. The capabilities of the Internet and many private networks have ensured that all these functions are able to run across existing infrastructure, encouraging network convergence and reducing costs. However, implementing these applications in firewalled environments and over wireless networks poses a number of security issues, which need to be addressed as part of any such deployment.

Network Security, July 2006, page 14

IDENTITY MANAGEMENT


Server Access Control

Distributed servers pose a particular problem in the enterprise IT environment. The basic security model is built into each server, thus adding to the complexity of management. Pluggable authentication modules (PAM) allow multiple servers to share a common external authentication mechanism. Access enforcement software installed on each server then limits administrator capabilities.

Enterprise Single Sign-On

A major problem for many organizations is the number of legacy applications that exist, each with their own user authentication schemes, leaving users to remember many user names and passwords. Enterprise Single Sign-On technology provides a way for end users to sign on with one set of credentials to gain access to all of the applications to which they are entitled without the need to provide any further credentials. This unifies and simplifies the user experience, improves security and reduces the costs associated with forgotten passwords.

Auditing service

In order to confirm that security policies are being followed and to comply with regulations, it is essential that all activities and access rights can be audited. In a multi-platform heterogeneous environment, where each platform and application produces its own log files, the cost of collecting, integrating and reporting this information can be very high. The Auditing Service unifies and simplifies this by providing a common point for gathering, filtering, aggregating and reporting on audit data from multiple sources.

Application security

The key approach to unify and simplify application security is to externalize it to use the services provided by the service oriented architecture described above. In this way the applications are decoupled from the security services and all use the same common security model with a single identity and privilege store. This approach leads to reduced management costs by reducing the user provisioning and administration processing needed. The ongoing maintenance of the application logic is made easier. It also increases flexibility for the organization to respond to changing security requirements and new regulations.

Summary

From a technology perspective, the key to unifying and simplifying identity management is to adopt a service oriented architecture (SOA) approach. In this approach business processes and applications are decoupled from the security functions that are provided as common services accessed through open standards. Web Services are emerging as the standard for implementing this approach.

In order to advance its identity management capability an IT organization needs to integrate its processes and technology in a controlled and systematic way. A methodology that profiles the maturity of the existing processes and technology within an organization will allow IT administrators to identify the current status of user identification and authorization and provide a roadmap of the evolution required.

About the author

Mike Small is director of security management strategy at CA. In this role he is responsible for defining and communicating the technical strategy for CA’s eTrust™ product line within Europe, the Middle East and Africa. He developed CA’s original identity and access management strategy and, prior to his current position, he was responsible for its implementation. He joined CA in 1994 from ICL where he was the leader and architect for a number of software development projects ranging from system software to artificial intelligence. He is a Chartered Engineer, a Fellow of the British Computer Society and a Member of the Institution of Electronic Engineers.


This article identifies and explores some of the issues that may affect organizations deploying this technology.

Privacy issues

For most applications not relying on real-time communication, the accepted way of protecting privacy is with the use of encryption. However, using application encryption for time-critical applications such as voice and multimedia services adds a significant overhead. This is because each packet of voice data would have to be individually encrypted by the application during sending and then decrypted at the other end, creating an unacceptable delay.

Encryption would not typically be deployed across trusted wired networks as the physical security of the network devices and connection points should be managed to mitigate the risk of traffic interception. This is not easy with wireless networks as a malicious party does not necessarily need physical access to the building or computer suites to access the network. In addition to this, wireless access points are typically less physically secure than wired network equipment due to being placed outside of the secured environment of a data centre.

If running voice and multimedia services over a wireless network, then attempting to encrypt the traffic at an application level could cause the same severe delay as doing so over a wired network. To protect the traffic, the entire communication between the user’s wireless adapter and the wireless access point can be encrypted by various protocols at a much lower layer of the connection, which is transparent to the application. This bypasses the need for the encryption to be performed by the application and improves on the significant latency issue.

“As well as the risk of a third party being able to intercept voice and multimedia traffic over the wireless network there is also the risk that they could use those same wireless access points to connect to the wired network”

Earlier standards for wireless encryption such as the 64-bit and 128-bit Wireless Encryption Protocol (WEP) do not have much of a latency problem but are easily cracked and their use is no longer recommended. Wireless Protection Algorithm (WPA) is a more secure encryption standard with a similar low latency. Another alternative is the later WEP2 encryption that uses the stronger Advanced Encryption Standard (AES), which, although it provides more protection, increases the latency. Therefore, striking the correct balance between privacy and latency is essential.

As well as the risk of a third party being able to intercept voice and multimedia traffic over the wireless network there is also the risk that they could use those same wireless access points to connect to the wired network. By posing as a genuine user they can intercept the traffic once the wireless access point decrypts it. In order to help prevent this, wireless access points should not be configured to authenticate by only a traditional password. Implementation of more advanced authentication systems such as the Extensible Authentication Protocol (EAP) would allow additional authentication methods such as Token Cards, Kerberos, Digital Certificates and PKI.

In addition to issues of third party interception of voice and multimedia traffic, there are also a number of legal issues regarding the extent to which the organization is able to monitor the usage of these applications. This is discussed later on in this article.

Bandwidth demands

A key element of security is availability. If an application is not available to its users then the loss of that service could prevent the business from functioning. This is especially a concern when there are high availability requirements such as with health and emergency service organizations. Bandwidth is a key element in preventing Denial of Service (DoS) as many such attacks on the Internet work by removing the available bandwidth from the users. A DoS incident is not always the result of a malicious third party element, but can often be attributed to simply not having the required resources available in the first place.

Figure 1: VoIP infrastructure

Therefore, attempting to run applications without the required bandwidth would constitute the organization essentially performing a DoS attack on itself. VoIP needs to operate within a minimum guaranteed bandwidth to ensure that there is a minimal amount of delay in the voice traffic and that the quality of the sound is at the desired standard. The same applies to web conferences, video calls and many other multimedia applications, which not only require a minimum acceptable bandwidth, but also can make more significant demands on network capacity than many other applications.

Many local area networks have the available capacity for these applications and the functionality exists within the network devices to reserve bandwidth for specific applications such as VoIP. Provided that any wide-area connections have been suitably specified for these applications then they should also be able to meet the minimum requirements. However, the overall performance of the network is only as good as its lowest capacity components.

QoS

To guarantee the integrity of the VoIP connection, the Quality of Service (QoS) function can be used to give priority to voice traffic over any other. QoS guarantees are given based on the percentage of network packets lost and the percentage that have to be discarded due to late arrival. Additional QoS guarantees are required for VoIP over Wireless (VoIPoW or VoWiFi) because of the potential increase in packet loss and latency when users are roaming between wireless base stations. There is also the key issue of the signal degradation present when users are further away from a base station, which in turn affects the quality of the traffic. The quality of VoIP communication is judged via a Mean Opinion Score (MOS) test where the rating is graded from 5 for excellent quality, similar to perfect AM radio reception, down to 1 for bad quality, which would constitute a communications breakdown. Organizations should ensure that their MOS score for VoIP does not drop below an acceptable standard when used over a wireless network.
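The two percentages the QoS guarantees are based on, and the MOS the article says must be watched, can be estimated from packet timestamps. The Python below is an added example and not code from the article or its authors: it scores two constructed packet streams (a steady wired path and a wireless path with a roaming gap) against a playout deadline and converts the result to an estimated MOS using the simplified E-model of Cole and Rosenbluth (2001) with the ITU-T G.107 R-to-MOS mapping; the delays, the 80 ms playout budget, the 20 ms codec delay and the 3.6 MOS floor are assumptions.

```python
import math

# Constructed RTP-style streams (not measured data): 100 packets, one 20 ms frame each.
PACKET_INTERVAL_MS = 20
NUM_PACKETS = 100


def make_stream(delay_fn):
    """Return {seq: (sent_ms, recv_ms)}; recv_ms is None when the packet never arrives."""
    stream = {}
    for seq in range(NUM_PACKETS):
        sent = seq * PACKET_INTERVAL_MS
        delay = delay_fn(seq)
        stream[seq] = (sent, None if delay is None else sent + delay)
    return stream


def wireless_delay(seq):
    """Roam between base stations: seq 40-49 are dropped, the next ten arrive 150 ms late."""
    if 40 <= seq < 50:
        return None
    if 50 <= seq < 60:
        return 150
    return 40


WIRED = make_stream(lambda seq: 40)   # steady 40 ms one-way delay, nothing lost
WIRELESS = make_stream(wireless_delay)


def playout_stats(stream, playout_delay_ms):
    """Percent of packets lost in transit and percent discarded for arriving after playout."""
    total = len(stream)
    lost = sum(1 for sent, recv in stream.values() if recv is None)
    late = sum(1 for sent, recv in stream.values()
               if recv is not None and recv > sent + playout_delay_ms)
    return 100.0 * lost / total, 100.0 * late / total


# Simplified E-model (Cole & Rosenbluth, 2001): codec impairment constants (g1, g2, g3).
CODEC_IE = {"g711": (0.0, 30.0, 15.0), "g729a": (11.0, 40.0, 10.0)}


def r_factor(mouth_to_ear_ms, effective_loss, codec="g711"):
    """R = 94.2 - Id (delay impairment) - Ie (loss impairment)."""
    d = mouth_to_ear_ms
    i_d = 0.024 * d + (0.11 * (d - 177.3) if d > 177.3 else 0.0)
    g1, g2, g3 = CODEC_IE[codec]
    i_e = g1 + g2 * math.log(1.0 + g3 * effective_loss)
    return 94.2 - i_d - i_e


def mos_from_r(r):
    """ITU-T G.107 mapping from R-factor to estimated MOS (1.0 .. 4.5)."""
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return 1.0 + 0.035 * r + 7e-6 * r * (r - 60.0) * (100.0 - r)


def assess(stream, playout_delay_ms=80, codec_delay_ms=20, codec="g711", min_mos=3.6):
    """Score a stream: late packets count as lost because the jitter buffer discards them."""
    lost_pct, late_pct = playout_stats(stream, playout_delay_ms)
    effective_loss = (lost_pct + late_pct) / 100.0
    # With a fixed playout schedule every played packet is heard playout + codec delay after capture.
    mos = mos_from_r(r_factor(playout_delay_ms + codec_delay_ms, effective_loss, codec))
    return {"lost_pct": lost_pct, "late_pct": late_pct, "mos": round(mos, 2), "ok": mos >= min_mos}


if __name__ == "__main__":
    for name, stream in (("wired", WIRED), ("wireless roam", WIRELESS)):
        print(name, assess(stream))
```

The wired stream stays near the top of the scale, while a single roam that costs ten lost and ten late packets pulls the estimate well below the floor, which is the effect the article warns about.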

Bandwidth can also be an issue through firewalls. Although many modern firewalls have a large capacity for traffic, many older implementations are more restrictive. No matter what the bandwidth potential of a firewall, if it is highly utilised then there may not be sufficient resources available to pass VoIP and multimedia traffic through without experiencing a delay.

Firewall configuration

The basic principle of a firewall is that you use it to deny access to all traffic and then only allow through that communication which you have explicitly permitted within the firewall rulebase. Therefore the more connections that are permitted to pass through the firewall, and the larger the range of addresses that can communicate through it, the weaker the security provided by the firewall.


A number of problems can arise from the implementation of VoIP through a firewall. Many existing enterprise firewalls are unable to distinguish between voice and data traffic in order to prioritise the voice communication and avoid latency as discussed previously. Configuring numerous User Datagram Protocol (UDP) ports to be constantly open can enable some firewalls to overcome this latency, but this would seriously weaken the effectiveness of the firewall.

Issues can also stem from the fact that connections cannot be initiated into a secure firewalled environment without the originating address and destination network port already being configured in the rulebase. Potentially this could open up the firewalled environment to a significant number of addresses. Using a peer-to-peer connection initiated from inside the firewalled environment would solve this, but once open there is a permanent hole in the firewall and the person on the other end of the connection, or someone posing as them, could take advantage of this to access the firewalled environment without authorisation.

Network resilience

With separate data and voice networks and with multimedia services provided through television, video or satellite, the failure of one element would not normally have an impact on another. Although the failure of the phone network could affect the use of the videoconferencing suite, the overall impact would not be the total loss of all communication. With voice services being integrated into data networks, videoconferencing merging in the same way and audio/video downloads and streaming also available by the same medium, a failure of that medium would have a significant impact on the ability of the network users to continue working.

Not only are there the possible outage risks to consider, but also additional support costs would be incurred for managing these extra services and the additional helpdesk calls for when they go wrong. If someone loses their network connection and that network also carries their voice traffic, how do they call the helpdesk? Increased resilience and component redundancy need to be carefully considered as networks converge.

Legal considerations

Network and application monitoring is an essential part of managing and maintaining the health of any network and the systems that run across it. Monitoring tools may be used which not only take a high level view of the network but which could potentially read the data being sent across it. If the network is carrying VoIP traffic and the monitoring software were able to reproduce the voice output then this could be considered an illegal act.

Taking the UK as an example, the Regulation of Investigatory Powers (RIP) Act 2000 is a framework for the lawful interception of all postal, telecommunications and digital communications. It replaces the Interception of Communications Act 1985 and all other prior legislation in this area. Under the Interception of Communications Act 1985 it was illegal to tap into any public telecommunications network without a warrant from the Home Secretary.

However, private telecommunications networks such as internal systems or office networks were excluded and were not covered by any other law in this way. This meant that organizations could do what they wanted with the information on their own networks with relative impunity. By monitoring within a firewalled environment, it would have been simple to claim immunity through the operation of a private network.

The RIP Act 2000, which repeals this older legislation, makes allowances for private networks and defines them as any private telecommunications system that is attached to a public telecommunications system, such as an internal phone system linked into the public phone network. It also expands on the definition of “public telecommunication systems” as not just those granted a licence under the Telecommunications Act 1984, but any telecommunications service offered to the public in the UK. This would include both private VoIP & multimedia systems linked in to external ones as well as private VoIP and multimedia systems on a private network connected to an Internet Service Provider (ISP).

Under the RIP Act 2000, some legitimate private interceptions are permitted, including monitoring for regulatory practices and standards, to detect crime and unauthorised use and in the interests of national security. All these permitted interceptions have requirements and provisions within the RIP Act 2000 that need to be applied and adhered to. Organizations affected by this act also need to be aware it intersects with the Data Protection Act (1998) and the Human Rights Act (1998), against which any action must be balanced.

Recommendations

Based on the issues outlined within this article, the following are recommendations for organizations wishing to deploy VoIP and multimedia protocols in wireless and firewalled environments. As the scope of this article is only to identify the issues with these implementations rather than to detail possible mitigations, this section gives a high-level summary of suggested actions in the form of a conclusion:

• Implement encryption on all wireless connections that will provide the best balance between privacy and latency. In addition use a stronger wireless authentication method than the traditional password. All wireless access points should be physically placed out of sight and reach.

• Ensure all network equipment can handle the required bandwidth, including increasing the capacity of Wide Area Network (WAN) links if applicable. Consider the use of Internet Virtual Private Network (VPN) connections to replace leased lines for greater bandwidth, as well as flexibility and cost savings. Ensure that there are no bottlenecks and that time-critical traffic such as voice and multimedia is given priority. Ensure that appropriate QoS is implemented on all wireless as well as wired networks.

• Ensure that all existing firewalls are able to prioritise voice traffic over data traffic. Upgrade or replace those that do not.

• Protect Internet gateways by implementing either voice-aware firewalls or an application gateway server within the Internet Demilitarised Zone (DMZ) to allow incoming VoIP calls and multimedia traffic initiated from external parties without compromising the security of the gateway firewall.

• Build resilience into the network in terms of dual switches, routers, firewalls and system/application servers. Also configure diverse routing and backup connections with automatic failover. Don’t let a small network failure disrupt all communication. Ensure that appropriate technical support is available for any additional services being run across the network.

• Seek legal advice about what is and what is not permitted under the law regarding the monitoring of network communication.

About the authors

Matt Gordon-Smith is a Senior Consultant with Siemens Insight Consulting, leading the Security Architecture & Design team. He has an honours Bachelors degree in Information & Computer Science and is a Certified Information Systems Security Professional (CISSP). He started his career in IBM, initially as a Network Architect and then as a Security Architect.

Stephen Wing is a Senior Consultant at Siemens Insight Consulting within the Defence Services team – part of Insight’s Technical Assurance service line. He has been involved for the last 15 years in the implementation of security solutions across three continents, working with organizations ranging from small companies to multi-nationals. He became a Chartered Member of the British Computer Society in 2005.

Shedding light on Dark Traffic attacks

Soeren Bech, EMEA Business Director, Tumbleweed Communications

Surveys of businesses and other organizations that rely on the Internet for their communications show that around 83% of inbound email traffic is either spam, or other types of illegitimate messages (1). Together these are known as “dark traffic”.

Email is without a doubt vital to almost all businesses today. Unfortunately, the vast majority of emails now passing across the Internet consist not of essential business messages or even personal correspondence, but spam. As well as straightforward spam, dark traffic comprises directory harvest attacks (DHA); email Denial of Service (DoS) attacks; malformed SMTP packets, invalid recipient addresses, and other requests and communications unrelated to the delivery of valid email messages.

Most conventional spam is purely commercial in its intent, setting out to encourage Internet users to buy goods or services. Others are so-called “blended threats”, messages that use social engineering techniques to persuade recipients to open the message and, typically, activate a trojan, virus or other malware.

Damage and disruption

But a growing percentage of dark traffic aims to cause damage or disruption to a company or to its IT assets. DoS attacks delivered over email, for example,