PacSec.JP/core04
Voice over IP (VoIP) security
Nicolas FISCHBACH
Senior Manager, IP Engineering/Security - COLT Telecom
nico@securite.org - http://www.securite.org/nico/
version 1.0

Introduction
• Voice over IP and IP telephony
• Network convergence
• Telephone and IT
• PoE (Power over Ethernet)
• Mobility and Roaming
• Telco
• Switched -> Packet (IP)
• Closed world -> Open world
• Vendors and Time to Market
• Security and privacy
• IPhreakers
• VoIP vs 3G

Architecture : protocols
• Signaling
• User location
• Session
• Setup
• Negotiation
• Modification
• Closing
• Transport
• Encoding, transport, etc.

Architecture : protocols
• SIP
• IETF - 5060/5061 (TLS) - “HTTP-like, all in one”
• Proprietary extensions
• Protocol becoming an architecture
• “End-to-end” (between IP PBX)
• Inter-AS MPLS VPNs
• Transitive trust
• IM extensions (SIMPLE)
• H.323
• Protocol family
• H.235 (security), Q.931+H.245 (management), RTP, CODECs, etc.
• ASN.1

Architecture : protocols
• RTP (Real Time Protocol)
• 5004/udp
• RTCP
• No QoS/bandwidth management
• Packet reordering
• CODECs
• old: G.711 (PSTN/POTS - 64Kb/s)
• current: G.729 (8Kb/s)

Architecture : network
• LAN
• Ethernet (routers and switches)
• xDSL/cable/WiFi
• VLANs (data/voice+signaling)
• WAN
• Internet
• VPN
• Leased line
• MPLS

Architecture : network
• QoS (Quality of service)
• Bandwidth
• Latency (150-400ms) and Jitter (<<150ms)
• Packet loss (1-3%)

Architecture : systems
• Systems
• SIP Proxy
• Call Manager/IP PBX
• User management and reporting (HTTP, etc)
• Off-path with IP
• H.323: GK (GateKeeper)
• Authentication server (Radius)
• Billing servers (CDR/billing)
• DNS, TFTP, DHCP servers

Architecture : systems
• Voice Gateway (IP-PSTN)
• Gateway Control Protocols
• Signaling: SS7 interface
• Media Gateway Controller
• Controls the MG (Megaco/H.248)
• SIP interface
• Signaling Gateway
• Interface between MGC and SS7
• MxUA, SCTP - ISUP, Q.931
• Transport
• Media Gateway: audio conversion

Architecture : firewall/VPN
• Firewall
• “Non-stateful” filtering
• “Stateful” filtering
• Application layer filtering (ALGs)
• NAT / “firewall piercing”
• (H.323 : 2xTCP, 4x dynamic UDP - 1719,1720)
• (SIP : 5060/udp)
• Encrypted VPN
• SSL/TLS
• IPsec
• Where to encrypt (LAN-LAN, phone-phone, etc) ?
• Impact on QoS
• What is IPv6 going to change ?

Architecture : phones
• IP phones
• Softphone or Hardphone ?
• “Toaster”
• Updates/patches
• Intelligence
• Intelligence removed from the network and put on the end device
• Flows between the phone and other systems
• SIP
• RTP
• (T)FTP
• CRL
• etc.

Architecture : example
[Diagram; labels: PSTN, POTS, LAN, SIP, IP PBX, IP VPN (MPLS), internet, GSM, VGW, SIP voice, SIP signaling]

Other phone networks
• POTS/PSTN [TDM]
• “Wireless”/DECT phone
• GSM
• Satellite
• Signaling (SS7)

Attacks
• IPhreakers
• IP knowledge
• Known weaknesses
• Evolution 2600Hz -> voicemail/int’l GWs -> IP telephony
• Internal or external threat ?
• Targets: home user, enterprise, government, etc ?
• Protocol implementations
• PROTOS
• The human element

Attacks : denial of service
• Denial of service
• Network
• Protocol (SIP INVITE)
• Systems / Applications
• Phone
• Availability (BC/DR)
• Requires: power
• Alternatives (Business Continuity/Disaster Recovery) ?
• E911 (laws and technical aspect)
• GSM
• PSTN-to-GSM

Attacks : fraud
• Call-ID spoofing
• User rights takeover
• Fake authentication server
• Effects
• Access to voicemail
• Value added numbers
• Social engineering
• Replay

Attacks: interception
• Interception
• Discussion
• “Who talks with who”
• Network sniffing
• Servers (SIP, CDR, etc)
• LAN
• Physical access to the LAN
• ARP attacks
• Unauthenticated devices (phones and servers)
• Different layers (MAC address, user, physical port, etc)

Attack: interception
• Where to intercept ?
• Where is the user located ?
• Networks crossed ?
• Lawful Intercept
• CALEA
• ETSI standard
• Architecture and risks

Attacks : systems
• Systems
• Mostly none is hardened by default
• Worms, exploits, Trojan horses

Attacks : phone
• (S)IP phone
• Startup
• DHCP, TFTP, etc.
• Physical access
• Hidden configuration tabs
• TCP/IP stacks
• Firmware/configuration
• Trojan horse/rootkit

Defense
• Signaling: SIP
• Secure SIP vs SS7 (physical security)
• Transport: Secure RTP (with MIKEY)
• Network: QoS [LLQ] (and rate-limit)
• Firewall: application level filtering
• Phone: signed firmware
• Identification: TLS
• Clients by the server
• Servers by the client
• 3P: project, security processes and policies

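An added example, not from the original slides, showing how the "rate-limit" and "application level filtering" items can apply to the SIP INVITE denial of service listed earlier: a filter that reads the SIP start line and caps INVITEs per source in a sliding window. The class name, the thresholds and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict, deque

def sip_method(raw: bytes):
    """Return the request method, "" for a response, None if not SIP/2.0."""
    try:
        first = raw.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = first.split(" ")
    if len(parts) >= 2 and parts[0] == "SIP/2.0":
        return ""                      # status line, e.g. "SIP/2.0 200 OK"
    if len(parts) == 3 and parts[2] == "SIP/2.0":
        return parts[0]                # request line: METHOD URI SIP/2.0
    return None

class InviteRateLimiter:
    """Hypothetical per-source sliding-window limiter for INVITE requests."""
    def __init__(self, max_invites=3, window=1.0):
        self.max_invites = max_invites  # assumed threshold, tune per site
        self.window = window            # seconds
        self.seen = defaultdict(deque)  # source IP -> accepted INVITE times

    def allow(self, src_ip: str, raw: bytes, now: float) -> bool:
        method = sip_method(raw)
        if method is None:
            return False                # drop what the filter cannot parse
        if method != "INVITE":
            return True                 # only INVITEs are rate-limited here
        q = self.seen[src_ip]
        while q and now - q[0] >= self.window:
            q.popleft()                 # forget INVITEs outside the window
        if len(q) >= self.max_invites:
            return False
        q.append(now)
        return True

def sample_invite(call_id: str) -> bytes:
    """Constructed INVITE used as sample input."""
    return (f"INVITE sip:bob@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 INVITE\r\n\r\n").encode("ascii")

def simulate():
    """Five INVITEs in 0.4 s from one source, then one after the window."""
    fw = InviteRateLimiter(max_invites=3, window=1.0)
    times = [0.0, 0.1, 0.2, 0.3, 0.4, 1.05]
    return [fw.allow("192.0.2.10", sample_invite(f"c{i}"), t)
            for i, t in enumerate(times)]
```
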
Conclusion
• Conclusion
• Other presentations
• Backbone and Infrastructure Security
• http://www.securite.org/presentations/secip/
• (Distributed) Denial of Service
• http://www.securite.org/presentations/ddos/
• Q&A
Image: www.shawnsclipart.com/funkycomputercrowd.html