140 likes | 285 Views
A Comparison of Traditional Telephony Security with VoIP. Roy Ford. Agenda. Into to Telephony (Traditional and VoIP) Security Risks Risk Mitigations Conclusions. The Telephone. PBX. Phone Switch. T1 Trunk. Local Loop. Call Setup. SS7 Network. The Telephone.
E N D
A Comparison of Traditional Telephony Security with VoIP Roy Ford
Agenda • Into to Telephony (Traditional and VoIP) • Security Risks • Risk Mitigations • Conclusions
The Telephone PBX Phone Switch T1 Trunk Local Loop Call Setup SS7 Network
The Telephone • Mixture of Analog and Multiplexed digital technology • Centralized switches that provide power and establish circuits between phones • 2 Types of signaling • In-band DTMF signaling at phone • Out-of-band signaling between Switch nodes over the SS7 network
VoIP SIP Servers Gateway LAN Internet PSTN
VoIP • Distributed architecture of Phones, gateways and servers over an IP Network • 2 Protocols used to carry voice and signaling • Real Time Protocol (RTP) carries voice in UDP packets • Session Initialization Protocol (SIP) does call setup
SIP Invite INVITE sip:bob@biloxi.com SIP/2.0 Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds Max-Forwards: 70 To: Bob <sip:bob@biloxi.com> From: Alice <sip:alice@atlanta.com>;tag=1928301774 Call-ID: a84b4c76e66710@pc33.atlanta.com CSeq: 314159 INVITE Contact: <sip:alice@pc33.atlanta.com> Content-Type: application/sdp Content-Length: 142
Traditional Telephony Risks • Wire Tapping • Toll Fraud • Phone Phreaking • Call Forward All • Caller ID Spoofing & SS7 Security • User Identification
VoIP Risks • Denial of Service • Man in the Middle • Caller ID Spoofing and interception of Call Setup Information • Toll Fraud • User Authentication • Device Web Servers • VoIP Fuzzing
VoIP and Firewalls • VoIP does not like Firewalls • Firewall Techniques • VoIP Aware firewalls • STUN • TURN
Risk Mitigation - Traditional • Physical Security • Physical plant & Access Console • Wire Tap protection • Proper Configuration of Call Forwarding • Toll Fraud • Caller ID Spoofing
Risk Mitigation - VoIP • Segregation of VoIP Traffic • DoS isolation • Encryption • Man in the Middle protection • Server Configuration • Toll Fraud • User Authentication • Device Web Servers • Just Say No • VoIP Fuzzing
Conclusions • Encryption required for VoIP • Infrastructure issues with VoIP and Traditional Telephony Similar • The phone is an attack vector in VoIP