1 / 22

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom nico@securite.org - http://www.securit

PacSec.JP/core04. Voice over IP (VoIP) security. Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom nico@securite.org - http://www.securite.org/nico/ version 1.0. Introduction. Voice over IP and IP telephony Network convergence

braeden
Download Presentation

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom nico@securite.org - http://www.securit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. PacSec.JP/core04 Voice over IP (VoIP) security Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom nico@securite.org - http://www.securite.org/nico/ version 1.0

  2. Introduction • Voice over IP and IP telephony • Network convergence • Telephone and IT • PoE (Power over Ethernet) • Mobility and Roaming • Telco • Switched -> Packet (IP) • Closed world -> Open world • Vendors and Time to Market • Security and privacy • IPhreakers • VoIP vs 3G

  3. Architecture : protocols • Signaling • User location • Session • Setup • Negotiation • Modification • Closing • Transport • Encoding, transport, etc.

  4. Architecture : protocols • SIP • IETF - 5060/5061 (TLS) - “HTTP-like, all in one” • Proprietary extensions • Protocol becoming an architecture • “End-to-end” (between IP PBX) • Inter-AS MPLS VPNs • Transitive trust • IM extensions (SIMPLE) • H.323 • Protocol family • H.235 (security), Q.931+H.245 (management), RTP, CODECs, etc. • ASN.1

  5. Architecture : protocols • RTP (Real Time Protocol) • 5004/udp • RTCP • No QoS/bandwidth management • Packet reordering • CODECs • old: G.711 (PSTN/POTS - 64Kb/s) • current: G.729 (8Kb/s)

  6. Architecture : network • LAN • Ethernet (routers and switches) • xDSL/cable/WiFi • VLANs (data/voice+signaling) • WAN • Internet • VPN • Leased line • MPLS

  7. Architecture : network • QoS (Quality of service) • Bandwidth • Latency (150-400ms) and Jitter (<<150ms) • Packet loss (1-3%)

  8. Architecture : systems • Systems • SIP Proxy • Call Manager/IP PBX • User management and reporting (HTTP, etc) • Off-path with IP • H.323: GK (GateKeeper) • Authentication server (Radius) • Billing servers (CDR/billing) • DNS, TFTP, DHCP servers

  9. Architecture : systems • Voice Gateway (IP-PSTN) • Gateway Control Protocols • Signaling: SS7 interface • Media Gateway Controller • Controls the MG (Megaco/H.248) • SIP interface • Signaling Gateway • Interface between MGC and SS7 • MxUA, SCTP - ISUP, Q.931 • Transport • Media Gateway: audio conversion

  10. Architecture : firewall/VPN • Firewall • “Non-stateful” filtering • “Stateful” filtering • Application layer filtering (ALGs) • NAT / “firewall piercing” • (H.323 : 2xTCP, 4x dynamic UDP - 1719,1720) • (SIP : 5060/udp) • Encrypted VPN • SSL/TLS • IPsec • Where to encrypt (LAN-LAN, phone-phone, etc) ? • Impact on QoS • What is IPv6 going to change ?

  11. Architecture : phones • IP phones • Softphone or Hardphone ? • “Toaster” • Updates/patches • Intelligence • Intelligence removed from the network and put on the end device • Flows between the phone and other systems • SIP • RTP • (T)FTP • CRL • etc.

  12. Architecture : example PSTN POTS LAN SIP IP PBX IP VPN (MPLS) IP PBX POTS internet GSM VGW SIP voice SIP signaling SIP

  13. Other phone networks • POTS/PSTN [TDM] • “Wireless”/DECT phone • GSM • Satellite • Signaling (SS7)

  14. Attacks • IPhreakers • IP knowledge • Known weaknesses • Evolution 2600Hz -> voicemail/int’l GWs -> IP telephony • Internal or external threat ? • Targets: home user, enterprise, government, etc ? • Protocol implementations • PROTOS • The human element

  15. Attacks : denial of service • Denial of service • Network • Protocol (SIP INVITE) • Systems / Applications • Phone • Availability (BC/DR) • Requires: power • Alternatives (Business Continuity/Disaster Recovery) ? • E911 (laws and technical aspect) • GSM • PSTN-to-GSM

  16. Attacks : fraud • Call-ID spoofing • User rights takeover • Fake authentication server • Effects • Access to voicemail • Value added numbers • Social engineering • Replay

  17. Attacks: interception • Interception • Discussion • “Who talks with who” • Network sniffing • Servers (SIP, CDR, etc) • LAN • Physical access to the LAN • ARP attacks • Unauthenticated devices (phones and servers) • Different layers (MAC address, user, physical port, etc)

  18. Attack: interception • Where to intercept ? • Where is the user located ? • Networks crossed ? • Lawful Intercept • CALEA • ETSI standard • Architecture and risks

  19. Attacks : systems • Systems • Mostly none is hardened by default • Worms, exploits, Trojan horses

  20. Attacks : phone • (S)IP phone • Startup • DHCP, TFTP, etc. • Physical access • Hidden configuration tabs • TCP/IP stacks • Firmware/configuration • Trojan horse/rootkit

  21. Defense • Signaling: SIP • Secure SIP vs SS7 (physical security) • Transport: Secure RTP (with MiKEY) • Network: QoS [LLQ] (and rate-limit) • Firewall: application level filtering • Phone: signed firmware • Identification: TLS • Clients by the server • Servers by the client • 3P: project, security processes and policies

  22. Conclusion • Conclusion • Other presentations • Backbone and Infrastructure Security • http://www.securite.org/presentations/secip/ • (Distributed) Denial of Service • http://www.securite.org/presentations/ddos/ • Q&A Image: www.shawnsclipart.com/funkycomputercrowd.html

More Related