VoIP Security Overview
Rochester ISSA, July 27, 2006
What is VoIP?
• A suite of IP-based communications services
• Provides multimedia communications over IP networks
• Based on open IETF and ITU standards
• Operates over any IP network (not just the Internet)
• Uses separate paths for signaling and media, so each path has to be protected on its own
• Low-cost alternative to PSTN calling
The Business Value of VoIP
Cost
• Toll bypass for on-net calling
• Reduced network costs
• Lower move/add/delete (MAD) costs
• Reduced site preparation time
• Network convergence
Functionality
• Enterprise directory integration
• Unified Messaging
• Call center applications
• Interactive Voice Response (IVR)
• IP Video
• Instant Messaging
Mobility
• Location services (Find-Me/Follow-Me routing)
• Wider array of service providers
• Ubiquitous access
PSTN vs VoIP
Public Switched Telephone Network (PSTN)
• SS7 signaling protocol
• Circuit-switched (TDM) network; carrier trunks often ride ATM or Frame Relay
• Expensive infrastructure
• Reliable quality
Voice Over IP (VoIP)
• SIP, H.323, SCCP, MGCP, or MEGACO/H.248 signaling protocol
• RTP media protocol
• Packet-switched network
• Converged infrastructure: voice shares the data network, and its attack surface
• Quality depends on the IP network; delay, jitter and packet loss are not guaranteed
VoIP Protocols
SIP
• RFC 3261
• "The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants."
• Text-based messaging
• Modeled on HTTP
• Uses URIs to address call flow components
  • sip:rdh@stealthllama.org
  • sip:robert.hagen@globalcrossing.com
• Versatile and open, with many applications
  • Voice
  • Video
  • Gaming
  • Instant Messages
  • Presence
  • Call-Control
Example INVITE (the RFC 3261 Alice-to-Bob example; the 142-byte SDP body follows the headers and is not shown):
  INVITE sip:bob@biloxi.com SIP/2.0
  Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
  Max-Forwards: 70
  To: Bob <sip:bob@biloxi.com>
  From: Alice <sip:alice@atlanta.com>;tag=1928301774
  Call-ID: a84b4c76e66710@pc33.atlanta.com
  CSeq: 314159 INVITE
  Contact: <sip:alice@pc33.atlanta.com>
  Content-Type: application/sdp
  Content-Length: 142
SIP Methods
• INVITE: creates a session
• BYE: terminates a session
• ACK: acknowledges a final response to an INVITE request
• CANCEL: cancels a pending INVITE request
• REGISTER: binds a public SIP URI to a Contact address
• OPTIONS: queries a server for its capabilities
• SUBSCRIBE: installs a subscription for a resource
• NOTIFY: informs about changes in the state of the resource
• MESSAGE: delivers an Instant Message
• REFER: used for call transfer, call diversion, etc.
• PRACK: acknowledges a provisional response to an INVITE request
• UPDATE: changes the media description (e.g. SDP) in an existing session
• INFO: transports mid-session information
• PUBLISH: publishes presence information
SIP Components
• User Agents
  • Clients (UAC): make requests
  • Servers (UAS): accept requests
• Server types
  • Redirect Server
  • Proxy Server
  • Registrar Server
  • Location Server
• Gateways
Session Description Protocol (SDP)
SDP
• IETF RFC 2327 (obsoleted by RFC 4566, July 2006)
• "SDP is intended for describing multimedia sessions for the purposes of session announcement, session invitation, and other forms of multimedia session initiation."
• SDP includes:
  • The type of media (video, audio, etc.)
  • The transport protocol (RTP/UDP/IP, H.320, etc.)
  • The format of the media (H.261 video, MPEG video, etc.)
  • Information to receive those media (addresses, ports, formats, etc.)
  • Crypto keys (the k= line, or a=crypto for SRTP); sent inside cleartext signaling, they are readable by anyone on the signaling path
Example (from RFC 2327):
  v=0
  o=mhandley 2890844526 2890842807 IN IP4 126.16.64.4
  s=SDP Seminar
  i=A Seminar on the session description protocol
  u=http://www.cs.ucl.ac.uk/staff/M.Handley/sdp.03.ps
  e=mjh@isi.edu (Mark Handley)
  c=IN IP4 224.2.17.12/127
  t=2873397496 2873404696
  a=recvonly
  m=audio 49170 RTP/AVP 0
  m=video 51372 RTP/AVP 31
  m=application 32416 udp wb
  a=orient:portrait
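The SDP lines above are what a firewall, session border controller or IDS has to read to know where the media will flow and whether it is keyed. The following parser is an added example and not part of the original slides: it takes the RFC 2327 session shown on the slide plus a constructed SRTP offer, extracts each m= section with its effective c= address, and reports which RTP streams would be sent with no keying material anywhere in the description (the eavesdropping case from the threat slides). Function and variable names are the author's own.

```python
# Added example, not from the original slides: a minimal SDP parser that pulls out
# what a security device needs from an offer: media type, address, port, transport,
# and whether the stream carries keying material (RTP/SAVP, a=crypto or a k= line).
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The RFC 2327 example body quoted on the slide, with CRLF line endings as on the wire.
RFC2327_EXAMPLE = "\r\n".join([
    "v=0",
    "o=mhandley 2890844526 2890842807 IN IP4 126.16.64.4",
    "s=SDP Seminar",
    "i=A Seminar on the session description protocol",
    "u=http://www.cs.ucl.ac.uk/staff/M.Handley/sdp.03.ps",
    "e=mjh@isi.edu (Mark Handley)",
    "c=IN IP4 224.2.17.12/127",
    "t=2873397496 2873404696",
    "a=recvonly",
    "m=audio 49170 RTP/AVP 0",
    "m=video 51372 RTP/AVP 31",
    "m=application 32416 udp wb",
    "a=orient:portrait",
]) + "\r\n"

# Constructed SRTP offer (RFC 4568 style a=crypto line with an inline key) for contrast.
SRTP_OFFER = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 20000 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz",
]) + "\r\n"

@dataclass
class MediaStream:
    media: str                 # audio / video / application
    port: int
    proto: str                 # RTP/AVP, RTP/SAVP, udp, ...
    formats: List[str]         # payload types or format names
    address: Optional[str]     # media-level c= if present, else the session-level c=
    attributes: List[str] = field(default_factory=list)

    def is_keyed(self) -> bool:
        """True if this stream is SRTP or carries a key (a=crypto or k=) at media level."""
        return self.proto.endswith("SAVP") or any(
            a.startswith(("crypto:", "key:")) for a in self.attributes)

def parse_sdp(text: str) -> Dict:
    """Parse an SDP body into session-level fields and a list of MediaStream objects."""
    session: Dict = {"connection": None, "attributes": [], "media": []}
    current: Optional[MediaStream] = None
    for line in text.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue                              # tolerate blank or junk lines rather than crash
        key, value = line[0], line[2:]
        if key == "m":
            media, port, proto, *formats = value.split()
            # "<port>/<count>" is legal; keep the base port
            current = MediaStream(media, int(port.split("/")[0]), proto, formats,
                                  address=session["connection"])
            session["media"].append(current)
        elif key == "c":
            addr = value.split()[2].split("/")[0]  # c=<nettype> <addrtype> <address>[/ttl]
            if current is None:
                session["connection"] = addr        # session level: inherited by later m= lines
            else:
                current.address = addr              # media level: overrides for this stream
        elif key == "a":
            (current.attributes if current else session["attributes"]).append(value)
        elif key == "k":
            (current.attributes if current else session["attributes"]).append("key:" + value)
    return session

def cleartext_rtp(session: Dict) -> List[MediaStream]:
    """RTP streams with no keying anywhere in the offer: these can be captured and replayed."""
    session_keyed = any(a.startswith("key:") for a in session["attributes"])
    return [m for m in session["media"]
            if m.proto.startswith("RTP/") and not (session_keyed or m.is_keyed())]
```

Run against the slide's example, `cleartext_rtp` returns the audio and video streams (the whiteboard application stream is plain UDP, not RTP); against the constructed SRTP offer it returns nothing. A device that opens pinholes from SDP should use the per-stream `address` and `port`, not the session-level c= alone, because a media-level c= overrides it.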
Media Protocols
RTP
• Real-time Transport Protocol
• RFC 3550
• Standardized packet format for delivering audio and video over IP
• Frequently used in streaming media systems
CODECs
• GIPS Enhanced G.711
  • 8 kHz sampling rate
  • Voice Activity Detection
  • Variable bit rate
• G.711
  • 8 kHz sampling rate
  • 64 kbps
• G.729
  • 8 kHz sampling rate
  • 8 kbps
  • Voice Activity Detection
SIP Call Flow (Alice calls Bob; signaling passes through Alice's outbound proxy and Bob's inbound proxy)
• INVITE: Alice -> Outbound Proxy -> Inbound Proxy -> Bob; each proxy answers 100 Trying upstream as it forwards
• 180 Ringing: Bob -> Inbound Proxy -> Outbound Proxy -> Alice
• 200 OK: Bob -> Inbound Proxy -> Outbound Proxy -> Alice
• ACK: Alice -> Bob
• RTP voice flows directly between Alice and Bob; the proxies see signaling only
• Conversation: Alice: "Hello. Is Bob there?" Steve answers Bob's phone: "Sorry, no, can I help you?" Alice: "No. I need Bob. Thanks. Bye."
• BYE: Alice -> Outbound Proxy -> Inbound Proxy -> Bob
VoIP Threats
VOIPSA Threat Taxonomy
• Social Threats
  • Misrepresentation
    • Identity
    • Authority
    • Rights
    • Content
  • Theft of Services
  • Unwanted Contact
    • Harassment
    • Extortion
    • Unwanted Lawful Content (spam and other offensive material)
• Eavesdropping
  • Call Pattern Tracking
  • Traffic Capture
  • Number Harvesting
  • Call Reconstruction (voice, video, fax, text, voicemail)
• Interception and Modification
  • Call Black Holing
  • Call Rerouting
  • Fax Alteration
  • Conversation Alteration
  • Conversation Degradation
  • Conversation Impersonation and Hijacking
  • False Caller Identification
• Service Abuse
• Denial of Service
  • VoIP-Specific DoS
    • Request Flooding
    • Malformed Requests and Messages
    • QoS Abuse
    • Spoofed Messages
    • Call Hijacking
  • Network Services DoS
  • Underlying Operating System/Firmware DoS
  • Distributed DoS (DDoS)
• Physical Intrusion
• Other Disruptions of Service
  • Loss of Power
  • Resource Exhaustion
  • Performance Latency and Metrics
Eavesdropping
Kevin taps the path between Alice and Bob: SIP through the outbound and inbound proxies, RTP directly between the phones. With both in the clear he can perform:
• DTMF intercept
• IM snooping
• Call pattern analysis
• Number harvesting
• Network discovery
• Voice reconstruction
• Fax reconstruction
• Video reconstruction
Spoofing
Alice and Bob are mid-call ("Hello?" "Yak"). Kevin forges a BYE from Alice and sends it toward Bob through the proxies; Bob's phone tears the call down while Alice is still talking. The forged BYE needs only the dialog's Call-ID and From/To tags, which Kevin can read off unprotected signaling.
Interception
Alice and Bob are mid-call. Kevin forges a REFER from Bob to Alice naming himself as the transfer target. Alice's phone accepts it (202 Accepted), sends a new INVITE to Kevin (200 OK) and BYEs the original call toward Bob. Alice's RTP now flows to Kevin, who continues the conversation ("Yak") in Bob's place.
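Both attacks on the last two slides rely on in-dialog requests (BYE, REFER) that carry a stolen Call-ID and tags but arrive from the wrong place. The following monitor is an added example and not part of the original slides: it parses a constructed trace of SIP messages with their observed source addresses, learns each dialog from the INVITE and its 2xx, and raises an alert when a BYE or REFER claims to be from a party whose recorded address does not match the sender. It assumes the sensor sees each user agent's own source address (no proxy or NAT rewriting between the phones and the sensor); addresses, IP ranges, and the `DialogMonitor`/`run` names are the author's own, while the Call-ID and tags are the RFC 3261 Alice/Bob example values.

```python
# Added example, not from the original slides: a passive SIP dialog tracker that
# flags BYE/REFER requests whose network source does not match the party they
# claim to come from. Constructed traffic; assumes no proxy/NAT before the sensor.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

def parse_sip(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a SIP message into its start line and a lower-cased header dict (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers

def tag_of(addr: str) -> Optional[str]:
    """Return the ;tag= parameter of a From/To header value, if any."""
    for param in addr.split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key == "tag":
            return value
    return None

@dataclass
class Dialog:
    caller_ip: str
    caller_tag: Optional[str]
    callee_ip: Optional[str] = None
    callee_tag: Optional[str] = None

class DialogMonitor:
    def __init__(self) -> None:
        self.dialogs: Dict[str, Dialog] = {}
        self.alerts: List[str] = []

    def observe(self, src_ip: str, raw: str) -> None:
        start, h = parse_sip(raw)
        call_id = h.get("call-id", "")
        if start.startswith("SIP/2.0 "):                       # a response
            code = int(start.split()[1])
            d = self.dialogs.get(call_id)
            # 2xx to the INVITE confirms the dialog: learn the callee's tag and address
            if d and 200 <= code < 300 and h.get("cseq", "").endswith("INVITE"):
                d.callee_tag, d.callee_ip = tag_of(h.get("to", "")), src_ip
            return
        method = start.split()[0]
        if method == "INVITE" and call_id not in self.dialogs:
            self.dialogs[call_id] = Dialog(src_ip, tag_of(h.get("from", "")))
            return
        if method not in ("BYE", "REFER"):
            return
        d = self.dialogs.get(call_id)
        if d is None:
            self.alerts.append(f"{method} from {src_ip} for unknown Call-ID {call_id}")
            return
        # Which party does the sender claim to be? Its From tag must be one of the dialog's tags.
        from_tag = tag_of(h.get("from", ""))
        if from_tag == d.caller_tag:
            expected = d.caller_ip
        elif from_tag == d.callee_tag:
            expected = d.callee_ip
        else:
            self.alerts.append(f"{method} from {src_ip} with tag {from_tag!r} outside dialog {call_id}")
            return
        if src_ip != expected:
            self.alerts.append(f"{method} from {src_ip} claims to be {expected} in dialog {call_id}")

def sip(start: str, **hdrs: str) -> str:
    """Build a minimal CRLF-terminated SIP message; Call_ID becomes Call-ID, Refer_To becomes Refer-To."""
    return "\r\n".join([start] + [f"{k.replace('_', '-')}: {v}" for k, v in hdrs.items()]) + "\r\n\r\n"

# Constructed trace. IPs are documentation ranges; Call-ID and tags are the RFC 3261
# Alice/Bob values. Kevin has copied them off the cleartext signaling.
ALICE_IP, BOB_IP, KEVIN_IP = "192.0.2.10", "198.51.100.20", "203.0.113.66"
CID = "a84b4c76e66710@pc33.atlanta.com"
ALICE, BOB = "<sip:alice@atlanta.com>;tag=1928301774", "<sip:bob@biloxi.com>"
BOB_TAGGED = BOB + ";tag=a6c85cf"
TRACE = [
    (ALICE_IP, sip("INVITE sip:bob@biloxi.com SIP/2.0", Call_ID=CID, From=ALICE, To=BOB, CSeq="314159 INVITE")),
    (BOB_IP, sip("SIP/2.0 200 OK", Call_ID=CID, From=ALICE, To=BOB_TAGGED, CSeq="314159 INVITE")),
    # Spoofing slide: Kevin forges a BYE that looks like Alice's
    (KEVIN_IP, sip("BYE sip:bob@biloxi.com SIP/2.0", Call_ID=CID, From=ALICE, To=BOB_TAGGED, CSeq="314160 BYE")),
    # Interception slide: Kevin forges a REFER that looks like Bob's, pointing Alice at himself
    (KEVIN_IP, sip("REFER sip:alice@atlanta.com SIP/2.0", Call_ID=CID, From=BOB_TAGGED, To=ALICE,
                   CSeq="1 REFER", Refer_To=f"<sip:kevin@{KEVIN_IP}>")),
    # Alice's genuine BYE at the end of the call
    (ALICE_IP, sip("BYE sip:bob@biloxi.com SIP/2.0", Call_ID=CID, From=ALICE, To=BOB_TAGGED, CSeq="314161 BYE")),
]

def run(trace=TRACE) -> List[str]:
    """Feed (source IP, raw message) pairs to the monitor and return its alerts."""
    mon = DialogMonitor()
    for src, raw in trace:
        mon.observe(src, raw)
    return mon.alerts
```

`run()` returns two alerts, one for the forged BYE and one for the forged REFER, and none for Alice's genuine BYE. The check is a heuristic: an attacker on the same segment can also spoof the UDP source address, and a proxy in the path hides the UA's address, so this belongs on a sensor close to the phones and is a complement to, not a substitute for, the digest authentication and TLS on the Countermeasures slides.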
Countermeasures
Authentication and Encryption
• Digest Authentication
  • Used during UA registration; a proxy can also challenge INVITE and other requests
  • Authenticates the UA to the SIP proxy or registrar
  • Same challenge/response scheme as HTTP digest (RFC 2617, MD5) between web browser and web server
  • Not used between proxies: there is no shared credential, so proxy-to-proxy trust has to come from TLS
  • Caveat: encrypts nothing, and a challenge/response pair captured from cleartext signaling allows offline password guessing
• Transport Layer Security (TLS)
  • Used to secure the signaling path
  • Authenticates each endpoint on a hop
  • Encrypts each hop; trust is hop-by-hop (non-transitive), and every proxy on the path sees the cleartext signaling
  • Can be used between proxies
  • Requires X.509 certificates
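To make the digest bullets concrete, here is an added example (not from the original slides) of the RFC 3261 section 22 exchange in Python: a toy registrar issues a one-time nonce, the user agent answers with MD5(HA1:nonce:HA2) as in RFC 2617 without qop, and the registrar verifies it and rejects a replay. The last function shows the caveat above: anyone who captured the Authorization header off unencrypted UDP can test passwords offline against it. The realm, password and the `Registrar`/`ua_authorize`/`offline_guess` names are the author's own.

```python
# Added example, not from the original slides: SIP digest authentication (RFC 3261
# section 22 / RFC 2617 without qop) as seen by the registrar and the UA, plus the
# offline dictionary check an eavesdropper on cleartext signaling can run.
import hashlib
import secrets
from typing import Dict, Iterable, Optional

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response with no qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # the per-user long-term secret
    ha2 = _md5(f"{method}:{uri}")                   # binds the response to this request
    return _md5(f"{ha1}:{nonce}:{ha2}")

class Registrar:
    """Toy registrar: hands out 401 challenges and checks the Authorization that comes back."""

    def __init__(self, realm: str, passwords: Dict[str, str]) -> None:
        self.realm = realm
        self.passwords = passwords      # a real registrar stores HA1, never the password
        self.outstanding: set = set()   # nonces issued and not yet consumed

    def challenge(self) -> Dict[str, str]:
        """Parameters of a WWW-Authenticate: Digest header for a 401."""
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "algorithm": "MD5"}

    def verify(self, auth: Dict[str, str], method: str) -> bool:
        """Check an Authorization header; each nonce is accepted once, so replays fail."""
        nonce = auth.get("nonce", "")
        if nonce not in self.outstanding:
            return False
        self.outstanding.discard(nonce)
        password = self.passwords.get(auth.get("username", ""))
        if password is None or auth.get("realm") != self.realm:
            return False
        expected = digest_response(auth["username"], self.realm, password, method, auth["uri"], nonce)
        return secrets.compare_digest(expected, auth.get("response", ""))

def ua_authorize(challenge: Dict[str, str], username: str, password: str,
                 method: str, uri: str) -> Dict[str, str]:
    """What the UA puts in its Authorization header when re-sending the request."""
    return {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri,
            "response": digest_response(username, challenge["realm"], password,
                                        method, uri, challenge["nonce"])}

def offline_guess(auth: Dict[str, str], method: str, wordlist: Iterable[str]) -> Optional[str]:
    """With one captured Authorization header, try passwords until the response matches."""
    for candidate in wordlist:
        if digest_response(auth["username"], auth["realm"], candidate,
                           method, auth["uri"], auth["nonce"]) == auth["response"]:
            return candidate
    return None
```

The nonce check is what stops a captured Authorization header from being replayed to the registrar; it does nothing against offline guessing, which is why the slides pair digest with TLS and why weak SIP passwords are a real exposure wherever REGISTER still runs over plain UDP.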
Countermeasures
Authentication and Encryption
• Secure RTP (SRTP)
  • RFC 3711; used to secure the media path
  • Provides end-to-end confidentiality and integrity for RTP and RTCP
  • Carries no keys of its own: keys are normally exchanged in the SDP offer/answer (a=crypto, RFC 4568) or with MIKEY, so the signaling path must itself be protected (TLS) or the keys are exposed
• Zfone (ZRTP)
  • Used to secure the media path
  • Provides end-to-end security
  • IETF draft written by Phil Zimmermann
  • Requires no X.509 certificates: keys come from a Diffie-Hellman exchange carried in the media stream
  • Relies on OSI layer 8 authorization: the two parties read a Short Authentication String to each other to detect a man-in-the-middle
Countermeasures
Physical Security
• VoIP equipment in a secured datacenter
• Lock wiring closet doors
• VoIP VLANs = Good
• Separate VoIP network = Better
• Separate VoIP network + Authentication + Encryption = Best!
Logical Security
• CIS Benchmarks applied to all host platforms
• Regular patching and assessments
• Network IDS
• Firewall and NAT protection of gateways and proxies
SIP Standards
A sampling of SIP RFCs...
• RFC3261 Core SIP specification (obsoletes RFC2543)
• RFC2327 SDP, Session Description Protocol (obsoleted by RFC4566, July 2006)
• RFC1889 RTP, Real-time Transport Protocol (obsoleted by RFC3550)
• RFC2326 RTSP, Real-Time Streaming Protocol
• RFC3262 SIP PRACK method, reliability for 1XX responses
• RFC3263 Locating SIP servers, SRV and NAPTR
• RFC3264 Offer/answer model for SDP use with SIP
• RFC3265 SIP event notification, SUBSCRIBE and NOTIFY
• RFC3266 IPv6 support in SDP
• RFC3311 SIP UPDATE method, e.g. changing media
• RFC3325 Asserted identity in trusted networks
• RFC3361 Locating an outbound SIP proxy with DHCP
• RFC3428 SIP extensions for Instant Messaging
• RFC3515 SIP REFER method, e.g. call transfer
Carrier VoIP Edge Architecture
• All the flows from the customer's gateways are "groomed" through a single IP address on the GX side of the Acme (Acme Packet session border controller).
• Customers are differentiated from each other by L2 VLAN tags.
• The path to the signaling element runs through the Media Manager, then internally to the SIP UA instance.