Voice Over IP Risks and Controls • Session Number 37 • George G. McBride • October 5, 2004 • 1:30 PM – 3:00 PM
Key Points To Cover This Afternoon • The fundamentals and security concerns of VoIP • Mitigating risks associated with VoIP • Confidentiality, integrity, authentication, availability, access, and non-repudiation • Determining what to look for in an audit • Measuring risk and recommending actions to reduce vulnerability
Real Quick Introduction • What is Voice over IP? • Definition: Transmission of voice over the IP Network • Why is it important to companies? • $$$ (and sometimes “services”) • Is this brand new? • SIP and H.323 Standards have been around since the mid 1990s • Why now?
VoIP Introduction • What do you need for a VoIP network? • The IP Part: A data network • The V Part: VoIP specific equipment • H.323 and SIP are two different sets of protocols and have different infrastructure requirements • There is some commonality between the two!
VoIP Implementation • Who put the VoIP infrastructure in place? • Many times, the designers and implementers are the traditional “voice” personnel • May be just learning the new technology • Nevertheless, the technology including products, protocols, and services are very new and “experts” are limited!
The Legal Threat • Discussions, debates, and actions are currently underway to determine whether or not the Communications Assistance to Law Enforcement Act (CALEA) requirements apply to VoIP technologies. • Service Providers Only? • All Companies?
Emergency Services • 911 Emergency Services • PSTN/POTS locations are generally assigned by physical port and generally don’t move around! • VoIP Phones by definition are usually “portable” and are simply based on IP addresses • How are location services managed? Updated? Logged? • Is it real-time?
The Biggest Threat! • Your organization is responsible for the costs related to toll fraud • When the VoIP Gateway is compromised and hackers use the gateway for unlimited international dialing, your company is responsible for the toll charges • I still don’t have any figures to share. Do you?
Problems With “Auditing” VoIP • We’re often asked to “audit” the VoIP infrastructure against the current policies • These policies do not address the minimum security baseline for a VoIP infrastructure • Typical VoIP audits are also part “assessment”
The Audit: Documentation Review • Should begin with a formal review of all corporate documentation regarding the VoIP infrastructure: • IP Network Infrastructure • Corporate Service Offerings • VoIP Infrastructure • Client Devices • Acceptable Use statements • PSTN Interface SLAs
Auditing: Risk Management • One of the most important aspects to manage! • Identification and Inventory of Assets • Understanding of threats, vulnerabilities, and controls • Cannot be evaluated in isolation. Threats and vulnerabilities are internal and external. • This is one area where Audit and IT Security can work together.
Auditing: The Architecture • Architecture: • Need personnel with auditing, technology, and product know-how! • Start from the top down to understand the details as you encounter them • There may not be a “right” architecture, but there are many “wrong” ones
Before You Begin! • From your IT Organization’s source, obtain an inventory of the VoIP infrastructure • Obtain all documentation and specifications from the vendor to understand what you have and what it is supposed to do • Obtain configuration information • Review on-line vulnerability/risk databases
Auditing Concerns • The next few slides highlight some VoIP specific concerns that we should review. • Are these part of your organization’s standards, practices, procedures, and policies? • This is a highlight of a number of areas that should be reviewed. There are plenty more!
Basic Auditing Considerations • Physical Security: • The old “telecom” closets are often neglected and may be insecure. Where is your VoIP equipment? • Protect test and trial equipment as you would production equipment. It usually has production grade configuration information • Ensure UPS equipment can handle the new loads
Business Continuity Planning & Disaster Recovery • Have you incorporated the entire VoIP infrastructure into the BCP/DR efforts? • Have you tested it? • Are the employees aware of it? • Be aware of limited restores. • Companies today tend to build significant features into their VoIP phones that they’ve grown to need.
Logical Auditing Concerns • VLAN Usage: • Separate voice and data on logically separate networks. • Each VLAN should have a separate DHCP Server and management system • Promotes QoS Issues • VLAN Jumping still an issue, depending on equipment
Logical Auditing Concerns (Cont’d) • Firewalls: • Are you using the right one for your environment? • Is it VoIP Specific? Does it support SIP or H.323? What about Megaco? • Does it support Application Level Gateways or Proxies? • Pinholing? • Is it stateful?
Auditing The Firewall • Obtain the Firewall rule sets. • Can you experiment in a “lab” setting? This is great to validate the firewall rule sets! • What are the static ports? • Port 1720 for Call Signaling • Usually H.225 traffic. • Any others for management? • What are the required dynamic ports? • Even a VoIP-aware firewall will require reviewing, tuning, and tweaking
Logical Auditing Concerns (Cont’d) • Interfaces: • PSTN to VoIP Infrastructure: • At the Voice Gateway: Are SIP, H.323, MGCP, and Megaco connections from the data network prohibited? • What authentication is configured? Required?
The Firewall • A Great Cisco Whitepaper highlights key areas where voice and data traffic intersect and should have firewall protection: • PC Based IP Phones (d) requiring access to the voice segment (v) to place calls • IP Phones (d) and call managers (v) accessing voice-mail • Users (d) accessing the proxy server (v) • Proxy Server (v) accessing network resources (d) • IP Phones (v) to call processing manager (v) or proxy server (v) because the interaction uses the data segment to communicate
Firewall NAT • NAT (Network Address Translation) helps to utilize resources efficiently and provides some level of security. • Full Cone (1:1 address and port) • Restricted Cone – Same as Full Cone, but incoming packets are rejected unless an outbound packet originated the traffic (looks at IP address only) • Port Restricted Cone – Like Restricted Cone, but the inbound packet must also be returning to the same outbound port • Symmetric NAT – A different mapping for each inbound–outbound pair.
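The four NAT behaviours above, modelled as an added example (not part of the original slides) so the difference in inbound filtering can be checked side by side. The class name, addresses and port pool are constructed for illustration.

```python
from itertools import count

class Nat:
    """Toy NAT modelling the four mapping/filtering behaviours on the slide."""

    def __init__(self, mode):
        if mode not in ("full", "restricted", "port_restricted", "symmetric"):
            raise ValueError(mode)
        self.mode = mode
        self._next_port = count(40000)  # constructed external port pool
        self._map = {}    # mapping key -> external port
        self._owner = {}  # external port -> internal (ip, port)
        self._peers = {}  # external port -> remote endpoints contacted

    def outbound(self, src, dst):
        """Internal endpoint src sends to dst; return the external port used."""
        # Symmetric NAT allocates a mapping per (src, dst) pair; cone NATs per src.
        key = (src, dst) if self.mode == "symmetric" else src
        if key not in self._map:
            port = next(self._next_port)
            self._map[key], self._owner[port], self._peers[port] = port, src, set()
        port = self._map[key]
        self._peers[port].add(dst)
        return port

    def inbound(self, remote, ext_port):
        """Return the internal endpoint that receives the packet, or None if dropped."""
        if ext_port not in self._owner:
            return None
        peers = self._peers[ext_port]
        if self.mode == "full":
            allowed = True                                  # anyone may use the mapping
        elif self.mode == "restricted":
            allowed = remote[0] in {ip for ip, _ in peers}  # IP address only
        else:
            allowed = remote in peers                       # IP address and port
        return self._owner[ext_port] if allowed else None

def filtering_matrix():
    """Per mode: delivered from (contacted peer, same peer on a new port, stranger)?"""
    phone, proxy = ("10.0.0.5", 5060), ("198.51.100.10", 5060)  # constructed
    probes = [proxy, ("198.51.100.10", 16384), ("203.0.113.7", 5060)]
    out = {}
    for mode in ("full", "restricted", "port_restricted", "symmetric"):
        nat = Nat(mode)
        ext = nat.outbound(phone, proxy)
        out[mode] = tuple(nat.inbound(p, ext) == phone for p in probes)
    return out

if __name__ == "__main__":
    for mode, row in filtering_matrix().items():
        print(f"{mode:16} {row}")
```

Port Restricted Cone and Symmetric filter inbound traffic identically here; they differ in that Symmetric hands out a new external port for every destination.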
Logical Auditing Concerns (Cont’d) • Remote Management • Use SSH only for remote administration and management. • Telnet is dead. • For the truly paranoid, use dedicated consoles for each management server • How are the configuration files protected? Backed-up?
QoS: Quality of Service • Is Quality of Service a “Security Issue”? • It is when the security features impact the VoIP QoS levels. • You’ll invariably be asked about it during your Audit • The next few slides highlight some QoS issues
QoS • Latency – time from source to destination. The ITU-T recommends that latency be less than 150 ms. • Queuing • Encoding • Packetization • Transmission
Jitter • Jitter – the time differences between packet arrival on the receiving end. • Jitter often affects QoS more than latency • Caused by low bandwidth • Can cause packets to be processed out of sequence and/or dropped if they fall outside of the receiving buffer • Firewalls are a big source of jitter introduction
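To put a number on the jitter a firewall adds, an auditor can compare the same RTP stream captured on both sides of it. The following is an added example (not from the original slides) that uses the RFC 3550 running interarrival-jitter estimate and a fixed playout buffer; the timestamps are constructed and the 10 ms buffer is an assumption.

```python
def interarrival_jitter(send_ms, recv_ms):
    """RFC 3550 running jitter estimate (ms) over paired send/receive times."""
    jitter = 0.0
    for i in range(1, len(send_ms)):
        # Difference in transit time between consecutive packets;
        # any constant clock offset between sender and receiver cancels out.
        d = (recv_ms[i] - recv_ms[i - 1]) - (send_ms[i] - send_ms[i - 1])
        jitter += (abs(d) - jitter) / 16.0
    return jitter

def late_packets(send_ms, recv_ms, buffer_ms):
    """Indices of packets that miss their playout slot with a fixed buffer.

    Playout of packet i is scheduled at the first packet's arrival time,
    plus the buffer depth, plus the packet's offset in the send schedule.
    """
    base = recv_ms[0] - send_ms[0] + buffer_ms
    return [i for i, (s, r) in enumerate(zip(send_ms, recv_ms)) if r > s + base]

# Constructed capture: 20 ms packetization, six packets.
SEND = [0, 20, 40, 60, 80, 100]
RECV_DIRECT = [30, 50, 70, 90, 110, 130]    # constant 30 ms transit
RECV_FIREWALL = [30, 52, 95, 96, 112, 131]  # same stream after the firewall

def compare(buffer_ms=10):
    """Jitter and late-packet indices for each capture point."""
    return {
        name: (round(interarrival_jitter(SEND, recv), 3),
               late_packets(SEND, recv, buffer_ms))
        for name, recv in (("direct", RECV_DIRECT), ("firewall", RECV_FIREWALL))
    }

if __name__ == "__main__":
    for name, (jitter, late) in compare().items():
        print(f"{name:9} jitter={jitter} ms  late={late}")
```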
Bandwidth & Packet Loss • What is the available bandwidth for VoIP traffic? If on a VLAN, this answer is easy to compute. If on a shared network, this is quite a bit different (and more variable). • Packet loss results from excessive latency or jitter, and also from voice data riding over UDP.
What about H.235? • Provides H.323 Security Features through defined profiles which provide different levels of security. • These must be required, not an optional implementation, as clients may choose not to use the features.
H.235v2/3 • Builds up from H.235 and offers enhanced encryption as well as: • Annex D: Shared secrets and keyed hashes • Annex E: Digital signatures on every message • Annex F: Digital signatures and shared secret establishment • Is it required?
What about Session Initiation Protocol (SIP)? • SIP Offers HTTP Digest Authentication • Based on a challenge-response system • Replaces HTTP Basic Authentication so that the password is not sent in the clear! • S/MIME can be used to enable public key distribution as well as authentication and integrity protection • Authentication (and Integrity) of signaling data • Confidentiality of signaling data
SIP Security With TLS • TLS: Successor of SSL protects SIP signaling (integrity, confidentiality, replay) • Only works with TCP based SIP signaling • Must be configured hop-by-hop between user agents and proxies or between proxies • Provides key management with mutual authentication and secure key distribution
SIP Security • Besides TLS, SIP also supports: • HTTP Digest • IPSec (With IKE) • IPSec (With manual key exchange) • S/MIME • Be aware of bidding down attacks
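The HTTP Digest challenge-response and the bidding-down concern from the SIP slides above, as an added example (not from the original slides): the client sends only an MD5-based response computed per RFC 2617 with qop=auth, and the server refuses any weaker offer. The registrar policy, user, realm and nonce are constructed.

```python
import hashlib, hmac, re

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value with qop=auth: only hashes cross the wire."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_authorization(header):
    """Split 'Digest k="v", k=v' into (scheme, params)."""
    scheme, _, rest = header.partition(" ")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', rest)
    return scheme, {k: v.strip('"') for k, v in pairs}

REQUIRED = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")

def verify(header, method, passwords, issued_nonces):
    """Hypothetical registrar policy: Digest with qop=auth or nothing."""
    scheme, p = parse_authorization(header)
    if scheme.lower() != "digest":
        return "reject: scheme downgrade"   # e.g. a client bid down to Basic
    if p.get("qop") != "auth" or any(k not in p for k in REQUIRED):
        return "reject: weak or incomplete digest"
    if p["nonce"] not in issued_nonces:
        return "reject: unknown nonce"
    password = passwords.get((p["username"], p["realm"]))
    if password is None:
        return "reject: unknown user"
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p["nc"], p["cnonce"])
    ok = hmac.compare_digest(expected.encode(), p["response"].encode())
    return "accept" if ok else "reject: bad response"

# Constructed sample data (not from the slides).
PASSWORDS = {("alice", "voip.example"): "correct horse"}
NONCES = {"f84f1cec41e6cbe5aea9c8e88d359"}

def sample_header(password):
    """Authorization header a client would send for a REGISTER."""
    r = digest_response("alice", "voip.example", password, "REGISTER",
                        "sip:voip.example", "f84f1cec41e6cbe5aea9c8e88d359",
                        "00000001", "1b2c3d4e")
    return ('Digest username="alice", realm="voip.example", '
            'nonce="f84f1cec41e6cbe5aea9c8e88d359", uri="sip:voip.example", '
            f'qop=auth, nc=00000001, cnonce="1b2c3d4e", response="{r}"')
```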
SRTP • Secure Real-time Transport Protocol • A “profile” of RTP offers confidentiality, authentication, and replay protection • Encrypts Payloads • Independent of the key management system • Independent of the RTP stack chosen • Can use AES • Hardware Crypto Support, although it was designed with low computational requirements.
SRTP Audit Points • Keep these things in mind: • How are the encryption keys distributed? • Pre-Shared • Public Key • Diffie-Hellman Key Exchange using Public Key • Diffie-Hellman Key Exchange using Pre-Shared Secret • Is it only being used for encryption or also integrity and replay-attack protection?
What I’m Seeing… • Default administration accounts • Ineffective encryption (It may be AES, but not in use at key points) • Web-Server interfaces (It may be easier for the admin and the bad-guys!) • DHCP and TFTP Server Spoofing and Insertion Attacks
What I’m Seeing • Random responses to invalidly formatted or excessive packets • Security mechanisms susceptible to “bidding-down” attacks • Firewalls that require just a bit of “tuning” to disable that service that isn’t required or the ports that can be closed
What’s in my toolbox? • In order to perform a technical based review, you’ll need some tools: • Sniffers • Injectors • Vulnerability Scanners • Some important documents from the ITU, NIST, ETSI, and most importantly, equipment vendors!
Network Sniffers • Empirix Hammer Call Analyzer • VoIP Specific • Great for beginners through advanced users • Very expensive
Network Sniffers • Ethereal • Requires more work to decode the packets and review traffic • It’s Open Source, it’s free, and it’s supported through a large user community
Network Traffic Injectors • Great Packet Crafting Tool • Available From: http://www.komodia.com/
Additional Resources • National Institute of Standards and Technology: Security Considerations for Voice Over IP Systems: http://csrc.nist.gov/publications/nistpubs/ • Empirix Call Analyzer: http://www.empirix.com/Empirix/Network+IP+Storage+Test/ • SiVus at VoP Security: http://www.vopsecurity.org/ • IETF/ITU Documents • ETSI Tiphon Documents • J. Halpern, “IP Telephony Security in Depth”, Cisco
VoIP Summary • Know your stuff! Or hire those that do! • VoIP technology is still evolving and is very complex! • It’s more than just voice on the IP network • Look for everything you would look for with a standard Audit and you’ll knock out a lot of the “common” audit findings. • Watch mis-configurations on VoIP. Understand the configurations. What looks good may not be.
Contact Information • Please contact me with any questions, comments, complaints, or new developments. • George McBride, Senior Manager, Lucent Worldwide Services • Lucent Technologies Inc. (Bell Labs Innovations), Room 2N-611G, 101 Crawfords Corner Road, Holmdel, NJ 07733 • Phone: +1.732.949.3408 • E-mail: gmcbride@lucent.com