Enterprise VoIP Security Threats

Agenda:
• Introduction
• Why worry?
• What do we need to look at?
• What have I seen in the past?
• What can I do to be prepared?
• Questions & Discussion

Introduction
• VoIP = Voice + IP
• Simple equation for VoIP security: VoIP Risks = Current Risks + VoIP Risks
• Too many companies haven't cleaned up their current infrastructure

Challenges Along The Way
• Relatively new technology (at least its adoption is new)
• Often implemented by the voice team, not the data team
• "man" pages often exceed 500 pages per component, and each implementation can have ten or more systems
• Implementations usually slide from trial to production without any security review

Traditional Risk Assessment
• Identify assets
• Classify and prioritize assets
• Identify vulnerabilities, controls, and threats (including likelihood and impact)
• Measure risk
• Mitigate risk
• Monitor
• Do it again

VoIP Security Assessments
• Same process
• Completed with a different group of assets, threats, vulnerabilities, and controls
• Readiness review?
  • Review the current infrastructure prior to VoIP deployment
  • Allows mitigation of identified risks concurrent with VoIP planning, design, and the pilot program
  • Must hold full-scale deployment until all identified risks are mitigated

When To Add Security?
• Do we add security at planning, design, pilot, roll-out, or the regular risk assessment?
• Add it at the RFI/RFQ stage (and keep it around from there on):
  • Make security part of your requirements to ensure that the solution can meet them before you buy the equipment
  • Security can support the planning and design phase and make recommendations before decisions are finalized
  • Security can perform a risk assessment of the design, infrastructure, and configuration prior to the pilot program
  • Security can monitor and continually assess the pilot infrastructure and configuration
  • Security can mitigate the risks before the deployment

What Do We Need To Review?
• IP infrastructure:
  • VLAN configuration
  • Firewall configurations
  • Existing policies, procedures, standards, and practices
  • IDS/IPS
  • Incident response
  • Configuration management, change management, business continuity planning, commissioning and decommissioning, and other programs

What Else Do We Need To Review?
• VoIP infrastructure:
  • Are the security features enabled?
  • Are they tested in all scenarios?
  • IPsec enabled?
  • QoS measured?
  • Latency and jitter consistent in the production environment?
• Firewalls:
  • Where: PSTN interfaces, and the points where data and IP segments intersect
  • What types? What traffic? Reviews? Pinholing?
  • NAT effects and capacity

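"QoS measured?" is only answerable with numbers. The following is an added example, not part of the original slides, showing how to turn a captured RTP arrival trace into the interarrival jitter figure defined in RFC 3550 section 6.4.1, so that a pilot's jitter can be compared against a budget before and after security controls (IPsec, firewall inspection) are switched on. The trace, the 8 kHz clock (G.711) and the 20 ms packetization are assumptions chosen for the sample; the names `jitter_series` and `jitter_within_budget` are the example's own.

```python
"""RFC 3550 interarrival jitter estimator over an RTP arrival trace.

Added example for measuring VoIP QoS during a readiness review; the trace
below is constructed, not captured from a real system.
"""
from dataclasses import dataclass

CLOCK_HZ = 8000  # assumed RTP clock rate (G.711 audio)


@dataclass(frozen=True)
class RtpArrival:
    rtp_timestamp: int  # sender timestamp S_i in RTP clock ticks
    arrival_ms: float   # receiver arrival time R_i in milliseconds


def jitter_series(trace, clock_hz=CLOCK_HZ):
    """Running jitter estimate J(i) in milliseconds after each packet.

    RFC 3550 section 6.4.1:
        D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1})
        J(i)     = J(i-1) + (|D(i-1,i)| - J(i-1)) / 16
    R and S are both expressed in RTP clock ticks; packets are processed in
    the order they arrived, as the RFC specifies (no reordering).
    """
    ticks_per_ms = clock_hz / 1000.0
    series = []
    j = 0.0
    prev = None
    for pkt in trace:
        if prev is not None:
            transit_delta = ((pkt.arrival_ms - prev.arrival_ms) * ticks_per_ms
                             - (pkt.rtp_timestamp - prev.rtp_timestamp))
            j += (abs(transit_delta) - j) / 16.0
        series.append(j / ticks_per_ms)  # report in milliseconds
        prev = pkt
    return series


def jitter_within_budget(trace, budget_ms, clock_hz=CLOCK_HZ):
    """True if the jitter estimate never exceeds budget_ms over the trace."""
    return max(jitter_series(trace, clock_hz), default=0.0) <= budget_ms


# Constructed trace: 20 ms packets (160 ticks at 8 kHz). The third packet
# arrives 5 ms late and the fourth 5 ms early, the rest are on time.
SAMPLE_TRACE = [
    RtpArrival(0, 0.0),
    RtpArrival(160, 20.0),
    RtpArrival(320, 45.0),
    RtpArrival(480, 60.0),
    RtpArrival(640, 80.0),
]

if __name__ == "__main__":
    for i, j_ms in enumerate(jitter_series(SAMPLE_TRACE)):
        print(f"packet {i}: J = {j_ms:.4f} ms")
    print("within 1 ms budget:", jitter_within_budget(SAMPLE_TRACE, 1.0))
```

Run the same trace through the estimator with and without the security controls enabled; a jitter figure that is stable in the lab but climbs in production points at the network (QoS marking stripped at a firewall, an overloaded IPsec gateway) rather than at the phones.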
Experiences from the Trenches
• Poor management (storage and transmission) of the encryption keys
• Random responses to invalidly formatted or excessive packet transmissions
• Security mechanisms susceptible to "bidding-down" attacks
• Firewalls that require just a bit of "tuning" to disable the service that isn't required or to close the ports that can be closed

Experiences from the Trenches (continued)
• Default administration accounts
• Ineffective encryption (it may be AES, but not in use at key points)
• Web-server interfaces (easier for the admin, and for the bad guys as well!)
• DHCP and TFTP server spoofing and insertion attacks

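Two of the findings above, "bidding-down" of security mechanisms and encryption that is configured but not in use at key points, can be checked from a captured SIP offer/answer pair. The following is an added example, not from the original presentation: it parses the Via transport and the SDP media lines of an INVITE and its 200 OK, and reports plaintext signaling, plaintext media, and an answer that negotiated a weaker RTP profile than the offer supported. The two sample messages are constructed, the crypto key material is replaced by a placeholder, and the approved-suite list and the function names are the example's own assumptions.

```python
"""Audit a SIP offer/answer pair for plaintext signaling or media and for
RTP profile downgrades. Added example; the sample messages are constructed."""
import re
from dataclasses import dataclass, field

# Assumed policy: only SRTP profiles and these SDES suites are acceptable.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}
APPROVED_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}


@dataclass
class Media:
    kind: str                     # "audio", "video", ...
    port: int                     # 0 means the stream was rejected
    profile: str                  # "RTP/AVP", "RTP/SAVP", ...
    suites: list = field(default_factory=list)  # a=crypto suite names


@dataclass
class SipMessage:
    via_transport: str            # transport token from the top Via header
    media: list


def parse_sip(text: str) -> SipMessage:
    """Minimal parser: top Via transport plus SDP m= and a=crypto lines."""
    head, _, body = text.replace("\r\n", "\n").partition("\n\n")
    transport = "UNKNOWN"
    for line in head.splitlines():
        m = re.match(r"(?:via|v):\s*SIP/2\.0/(\w+)", line, re.I)
        if m:
            transport = m.group(1).upper()
            break
    media = []
    for line in body.splitlines():
        if line.startswith("m="):
            kind, port, profile = line[2:].split()[:3]
            media.append(Media(kind, int(port), profile))
        elif line.startswith("a=crypto:") and media:
            media[-1].suites.append(line.split()[1])
    return SipMessage(transport, media)


def audit_session(offer_text: str, answer_text: str) -> list:
    """Return a list of findings (empty list means the session passes)."""
    findings = []
    offer, answer = parse_sip(offer_text), parse_sip(answer_text)
    for label, msg in (("offer", offer), ("answer", answer)):
        if msg.via_transport != "TLS":
            findings.append(f"{label}: signaling over {msg.via_transport}, not TLS")
    offered_secure = any(m.profile in SECURE_PROFILES for m in offer.media)
    for m in offer.media:
        if m.profile not in SECURE_PROFILES:
            findings.append(f"offer: {m.kind} port {m.port} offers plaintext {m.profile}")
    for m in answer.media:
        if m.port == 0:
            continue  # rejected stream, nothing flows on it
        if m.profile not in SECURE_PROFILES:
            if offered_secure:
                findings.append(f"answer: {m.kind} negotiated {m.profile} although a "
                                f"secure profile was offered (downgrade)")
            else:
                findings.append(f"answer: {m.kind} negotiated plaintext {m.profile}")
        for s in m.suites:
            if s not in APPROVED_SUITES:
                findings.append(f"answer: {m.kind} uses unapproved crypto suite {s}")
    return findings


# Constructed offer: SRTP preferred, but a plaintext fallback line is included.
OFFER = """INVITE sip:2001@pbx.example.internal SIP/2.0
Via: SIP/2.0/TLS 10.10.5.21:5061;branch=z9hG4bK776
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 10.10.5.21
s=-
c=IN IP4 10.10.5.21
t=0 0
m=audio 16384 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<key-placeholder>
m=audio 16386 RTP/AVP 0 8
"""

# Constructed answer that rejects the SRTP line and takes the plaintext one.
DOWNGRADED_ANSWER = """SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.10.5.21:5060;branch=z9hG4bK776
Content-Type: application/sdp

v=0
o=- 2 2 IN IP4 10.10.7.40
s=-
c=IN IP4 10.10.7.40
t=0 0
m=audio 0 RTP/SAVP 0
m=audio 20000 RTP/AVP 0
"""

# Constructed answer that keeps SRTP with an approved suite over TLS.
SECURE_OFFER = OFFER.replace("m=audio 16386 RTP/AVP 0 8\n", "")
SECURE_ANSWER = """SIP/2.0 200 OK
Via: SIP/2.0/TLS 10.10.5.21:5061;branch=z9hG4bK776
Content-Type: application/sdp

v=0
o=- 2 2 IN IP4 10.10.7.40
s=-
c=IN IP4 10.10.7.40
t=0 0
m=audio 20000 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:<key-placeholder>
"""

if __name__ == "__main__":
    for f in audit_session(OFFER, DOWNGRADED_ANSWER):
        print("FINDING:", f)
    print("secure pair findings:", audit_session(SECURE_OFFER, SECURE_ANSWER))
```

The check is deliberately per-session: run it over every INVITE/200 OK pair seen at the trunk and at the phone VLAN boundary, and a session that reports "negotiated RTP/AVP although a secure profile was offered" tells you which endpoint or gateway is where the AES configuration stops applying.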
What's In Your Toolbox?
• To perform a technical review, you'll need some tools:
  • Sniffers
  • Injectors
  • Vulnerability scanners
• Some important documents from the ITU, NIST, ETSI, and most importantly, equipment vendors!

VoIP Tools
• Sniffers & analyzers
  • VoIP-specific or generic
• Injectors
• Vendor tools
  • Assessment
  • Proprietary tools

Additional Resources
• National Institute of Standards and Technology, Security Considerations for Voice Over IP Systems: http://csrc.nist.gov/publications/nistpubs/
• SiVus at VoP Security: http://www.vopsecurity.org/
• IETF/ITU documents
• ETSI TIPHON documents
• Miscellaneous vendor documentation and white papers

Anything Else?
• Please contact me with any questions, comments, complaints, or new developments.

George G. McBride
Managing Principal, Lucent Worldwide Services
Lucent Technologies Inc. (Bell Labs Innovations)
Room 2N-611G, 101 Crawfords Corner Road, Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: gmcbride@lucent.com