680 likes | 1.06k Views
Network and VoIP Security – More Important Than Ever. Mark D. Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com. Outline. Outline. General Security Trends Good news Bad news Going forward Network-Based Security Managed Security Services
E N D
Network and VoIP Security –More Important Than Ever Mark D. CollierChief Technology OfficerSecureLogix Corporationmark.collier@securelogix.com
Outline Outline General Security Trends • Good news • Bad news • Going forward Network-Based Security Managed Security Services Internal Application/VoIP Security
Security Trends General Security TrendsSome Good News Basic security measures, such as anti-virus, firewalls, and anti-spyware, are ubiquitously deployed Average losses due to security breaches are up, but down significantly from 2001 and 2002 (*) The number of incidents is down (*) Incidents are being reported at a greater rate (*) (*) Source – 2007 Computer Crime and Security Survey
Security Trends General Security TrendsSome Good News (*) Source – 2007 Computer Crime and Security Survey
Security Trends General Security TrendsSome Good News (*) Source – 2007 Computer Crime and Security Survey
Security Trends General Security TrendsSome Good News (*) Source – 2007 Computer Crime and Security Survey
Security Trends General Security TrendsSome Good News (*) Source – 2007 Computer Crime and Security Survey
Security Trends General Security TrendsSome Bad News (*) Source – 2007 Computer Crime and Security Survey
Security Trends General Security TrendsSome Bad News Signature based-detection systems are being pushed to the limit The platforms, network, and applications are getting more and more complex Attacks are becoming increasing complex Perimeter security has many issues Security funding is a small part of IT spending – no more than 10% and often less than 5% (*) Targeted attacks are increasing (*) (*) Source – 2007 Computer Crime and Security Survey
Security Trends General Security TrendsSome Bad News (*) Source – 2007 Computer Crime and Security Survey
Security Trends General Security TrendsSome Bad News (*) Source – 2007 Computer Crime and Security Survey
Security Trends General Security TrendsGoing Forward Increased deployment of Intrusion Detection and Prevention Systems (IDSs and IPSs) Possible increase the in use of Network Admission Control (NAC) Network-Based Security solutions are available Managed Security Services solutions are available Increased focus on internal application security New applications such as Voice Over IP (VoIP) moving onto the data network
Network-basedSecurity 3rd Party Network Primary Provider IP Network Edge Edge Client Enterprise Client Enterprise Network-based SecurityIntroduction Enterprise customers are deploying firewalls, IDSs/IPSs, AV, anti-SPAM on network edge Some disadvantages: • Expensive • Multiple vendors and difficult to manage • Does not scale well
Network-basedSecurity 3rd Party Network AT&T IP Network VPN, Firewall, IDS, Anti-Virus, etc. Edge Edge Firewall, IDS, Anti-Virus, etc. Client Enterprise Client Enterprise Network-based SecurityIntroduction Network-based security embeds security capability in the network Some advantages: • Leverages security capability in the network • Centralized management • Scales better
Network-basedSecurity Network-based SecurityAdvantages Leverages security expertise Greatly assists with threat reconnaissance Broad network visibility allows greater awareness and warning of attacks The impact of major Worm attacks are seen well in advance of when they are a threat to an enterprise The only real solution to DoS and DDoS attacks A great defense in depth approach Still may need network defense and internal security
Network-basedSecurity Network-based SecurityEarly Detection of Attacks Web-Based Information Collection Broad Network Mapping Service Vulnerability Exploitation DDOS Zombie Code Installation Use of Stolen Accounts for Attack Social Engineering Targeted Scan Password Guessing System File Delete Log File Changes Reconnaissance Scanning System Access Damage Track Coverage Reactive Phase (Defense) Preventive Phase (Defense) AT&T Security Service Primary Emphasis
Network-basedSecurity Network-based SecurityDoS and DDoS Attacks AT&T IP Backbone Enterprise Server TARGETED Server
Network-basedSecurity Network-based SecurityAT&T Offerings Incident Management Intrusion Management Policy Management Identity Management Monitoring & Mgmt Perimeter Security Secure Connectivity • AT&T Internet Protect® • AT&T DDoS Defense • AT&T My Internet Protect • AT&T Private Intranet Protect • AT&T Network-Based Firewalls • AT&T Secure E-Mail Gateway • AT&T Web Security Services Network-Based Security Platform
Managed SecurityServices Managed Security ServicesIntroduction Managed Security Services (MSS) are a viable alternative to in-house security staffing Leverage experienced staff, who are familiar with security processes and products Often can be more cost effective Eliminates the need to retain and train staff Security assessments/audits are commonly outsourced
Managed SecurityServices Managed Security ServicesEnterprise Penetration (*) Source – 2007 Computer Crime and Security Survey
Managed SecurityServices Managed Security ServicesAssessments/Audits (*) Source – 2007 Computer Crime and Security Survey
Network-basedSecurity Managed Security ServicesAT&T Offerings Premises-Based Firewalls Managed Intrusion Detection Endpoint Security Service Token Authentication
VoIP SecurityIntroduction Application/VoIP Security Despite availability of network-based security, managed services, and customer-premise edge security, securing applications is still important Voice Over IP (VoIP) is one internal application that must be secured
Gathering InformationFootprinting Public Website ResearchIntroduction An enterprise website often contains a lot of information that is useful to a hacker: • Organizational structure and corporate locations • Help and technical support • Job listings • Phone numbers and extensions
Gathering InformationFootprinting Public Website Research Countermeasures It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it Try to limit amount of detail in job postings Remove technical detail from help desk web pages
Gathering InformationFootprinting Google HackingIntroduction Google is incredibly good at finding details on the web: • Vendor press releases and case studies • Resumes of VoIP personnel • Mailing lists and user group postings • Web-based VoIP logins
Gathering InformationFootprinting Google HackingCountermeasures Determine what your exposure is Be sure to remove any VoIP phones which are visible to the Internet Disable the web servers on your IP phones There are services that can helpyou monitor your exposure: • www.cyveilance.com • ww.baytsp.com
Gathering InformationScanning Host/DeviceDiscovery and Identification Consists of various techniques used to find hosts: • Ping sweeps • ARP pings • TCP ping scans • SNMP sweeps After hosts are found, the type of device can be determined Classifies host/device by operating system Once hosts are found, tools can be used to find available network services
Gathering InformationScanning Host/Device DiscoveryPing Sweeps/ARP Pings
Gathering InformationScanning Host/Device DiscoveryCountermeasures Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps VLANs can help isolate ARP pings Ping sweeps can be blocked at the perimeter firewall Use secure (SNMPv3) version of SNMP Change SNMP public strings
Gathering InformationEnumeration EnumerationIntroduction Involves testing open ports and services on hosts/devices to gather more information Includes running tools to determine if open services have known vulnerabilities Also involves scanning for VoIP-unique information such as phone numbers Includes gathering information from TFTP servers and SNMP
Gathering InformationEnumeration Vulnerability TestingTools
Gathering InformationEnumeration Vulnerability TestingCountermeasures The best solution is to upgrade your applications and make sure you continually apply patches Some firewalls and IPSs can detect and mitigate vulnerability scans
Gathering InformationEnumeration TFTP EnumerationIntroduction Almost all phones we tested use TFTP to download their configuration files The TFTP server is rarely well protected If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password The files are downloaded in the clear and can be easily sniffed Configuration files have usernames, passwords, IP addresses, etc. in them
Gathering InformationEnumeration TFTP EnumerationCountermeasures It is difficult not to use TFTP, since it is so commonly used by VoIP vendors Some vendors offer more secure alternatives Firewalls can be used to restrict access to TFTP servers to valid devices
Gathering InformationEnumeration SNMP EnumerationIntroduction SNMP is enabled by default on most IP PBXs and IP phones Simple SNMP sweeps will garner lots of useful information If you know the device type, you can use snmpwalk with the appropriate OID You can find the OID using Solarwinds MIB Default “passwords”, called community strings, are common
Gathering InformationEnumeration SNMP EnumerationCountermeasures Disable SNMP on any devices where it is not needed Change default public and private community strings Try to use SNMPv3, which supports authentication
Attacking The NetworkNetwork DoS Network Infrastructure DoS The VoIP network and supporting infrastructure are vulnerable to attacks VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter Attacks include: • Flooding attacks • Network availability attacks • Supporting infrastructure attacks
Attacking The NetworkNetwork DoS Flooding AttacksIntroduction Flooding attacks generate so many packets at a target, that it is overwhelmed and can’t process legitimate requests
Attacking The NetworkNetwork DoS Flooding AttacksCountermeasures Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling) Use rate limiting in network switches Use anti-DoS/DDoS products Some vendors have DoS support in their products (in newer versions of software)
Attacking The NetworkNetwork DoS Network Availability Attacks This type of attack involves an attacker trying to crash the underlying operating system: • Fuzzing involves sending malformed packets, which exploit a weakness in software • Packet fragmentation • Buffer overflows
Attacking The NetworkNetwork DoS Network Availability Attacks Countermeasures A network IPS is an inline device that detects and blocks attacks Some firewalls also offer this capability Host based IPS software also provides this capability
Attacking The NetworkNetwork DoS Supporting Infrastructure Attacks VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc. DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones DNS cache poisoning involves tricking a DNS server into using a fake DNS response
Attacking The NetworkNetwork DoS Supporting Infrastructure AttacksCountermeasures Configure DHCP servers not to lease addresses to unknown MAC addresses DNS servers should be configured to analyze info from non-authoritative servers and dropping any response not related to queries
Attacking The NetworkEavesdropping Network EavesdroppingIntroduction VoIP configuration files, signaling, and media are vulnerable to eavesdropping Attacks include: • TFTP configuration file sniffing (already discussed) • Number harvesting and call pattern tracking • Conversation eavesdropping By sniffing signaling, it is possible to build a directory of numbers and track calling patterns voipong automates the process of logging all calls Wireshark is very good at sniffing VoIP signaling
Attacking The NetworkEavesdropping Conversation RecordingWireshark
Attacking The NetworkEavesdropping Conversation RecordingOther Tools Other tools include: • vomit • Voipong • voipcrack (not public) • DTMF decoder
Attacking The NetworkEavesdropping Network EavesdroppingCountermeasures Use encryption: • Many vendors offer encryption for signaling • Use the Transport Layer Security (TLS) for signaling • Many vendors offer encryption for media • Use Secure Real-time Transport Protocol (SRTP) • Use ZRTP • Use proprietary encryption if you have to
Attacking The NetworkNet/App Interception Network InterceptionIntroduction The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing: • Eavesdropping on the conversation • Causing a DoS condition • Altering the conversation by omitting, replaying, or inserting media • Redirecting calls
Attacking The NetworkNet/App Interception Network InterceptionARP Poisoning The most common network-level MITM attack is ARP poisoning Involves tricking a host into thinking the MAC address of the attacker is the intended address There are a number of tools available to support ARP poisoning: • Cain and Abel • ettercap • Dsniff • hunt