Voice Security
Interop 2009
Mark D. Collier, SecureLogix Corporation
Voice Security Introduction
» Voice security includes traditional and VoIP systems
» VoIP systems are vulnerable:
  » The primary vendors are improving their systems, but:
    » Security is rarely a major consideration during deployment
    » Platforms, network, and applications are vulnerable
    » Many VoIP attack tools are available
» Fortunately, the (mostly internal) threat is still moderate
  » VoIP deployment is growing
  » Greater integration with the data network
  » Application threats remain the biggest issue
  » SIP trunks will increase the threat
Traditional Voice Security
[Diagram, built up over five slides: an enterprise with an Internet connection and a public voice network connection over TDM trunks; inside, a PBX serving TDM phones, fax machines and modems, plus servers/PCs.]
» Internet attacks: scanning/DoS, SPAM, web attacks
  » Countered by firewall/IDPS, SPAM filter, web security
» Public voice network attacks: toll fraud, social engineering, harassing calls, modem issues
  » Countered by a voice firewall
Campus VoIP
[Diagram, built up over three slides: the same perimeter (Internet connection with firewall/IDPS, SPAM filter and web security; public voice network over TDM trunks behind a voice firewall), with the PBX replaced by an IP PBX made up of call manager (CM), gateway, DNS, CCAdmin, TFTP, DHCP, voicemail (VM) and database (DB) servers; IP phones on a voice VLAN and servers/PCs on a data VLAN; TDM phones, fax and modems remain.]
» Public voice network attacks remain: toll fraud, social engineering, harassing calls, modem issues
» Attacks can also originate from the internal network
SIP Trunks
[Diagram, built up over four slides: the campus VoIP deployment above, with the TDM trunks to the public voice network replaced by SIP trunks.]
» Traditional attacks still arrive over the trunk: toll fraud, social engineering, harassing calls, modem issues
» SIP trunks add network-style attacks: scanning, fuzzing, flood DoS
» Mitigation: a SIP firewall alongside the voice firewall (the firewall/IDPS, SPAM filter and web security stay at the Internet edge)
SecureLogix corporate confidential

Many Components in VoIP
» IP PBX:
  » Server platforms
  » Various gateway cards
  » Adjunct systems
» Network:
  » Switches, routers, firewalls
  » Shared links
  » VLAN configurations
» Endpoints:
  » IP phones and softphones
» Protocol issues (SIP)
IP PBX Vulnerabilities: Vulnerabilities at Many Layers
[Layer diagram, bottom to top, with the attacks shown beside each layer]
» General-purpose operating system: worms/viruses targeting the operating system
» Network stack (IP, UDP, TCP): trivial DoS attacks, MITM attacks
» VoIP protocols: flood DoS, fuzzing
» Services (TFTP, SNMP, DHCP, DB, web server): TFTP brute-force attack, SNMP enumeration, DHCP starvation, SQL attacks
» Voice application: application attacks
» Across all layers: poor configuration, weak passwords, insecure management, insecure architecture
IP PBX Vulnerabilities
[Diagram: IP PBX components (CM, gateway, DNS, CCAdmin, TFTP, DHCP, VM, DB) annotated with attacks: eavesdropping, resource starvation, physical attacks, SPIT, phishing, toll fraud, modems, DoS floods, unauthorized access, fuzzing, DoS, sniffing.]
[Diagram: the same components annotated with the attack surfaces they expose: other common services, DHCP, DNS, SNMP, web server, RTP, TDM interfaces, underlying OS, management interfaces, TFTP, signaling, network stacks, SQL.]
Network Vulnerabilities
» The network can also be attacked:
  » Platform attacks
  » DoS
  » Shared link saturation
  » Eavesdropping
  » Incorrect VLAN configuration
  » Man-in-the-middle attacks
IP Phone Vulnerabilities
» IP phones can also be attacked:
  » Physical access
  » Poor passwords
  » Signaling/media
  » DoS
  » Unnecessary services
Protocol Vulnerabilities (SIP)
» Directory scanning
» Fuzzing
» Flood-based denial of service (DoS)
» Registration manipulation
» Call termination
» RTP manipulation
Directory Scanning
[Diagram: INVITEs/OPTIONs/REGISTERs (with spoofed source IP) sent to the proxy server to scan for IP phones.]

Fuzzing
[Diagram: malformed SIP sent to the proxy server and location server.]

Flood-based DoS
[Diagram: enough INVITEs (with spoofed source IP) sent to the proxy server to ring all phones.]

Registration Manipulation
[Diagram, message sequence between dereks' phone, the registrar and the location server:
1. REGISTER (Contact, Expires) from dereks' phone
2. OK: to contact dereks, use this contact for 60 minutes
3. REGISTER (Contact, Expires: 1800)
4. OK: to contact dereks, use this contact for 30 minutes]

Call Termination
[Diagram, message sequence; only the later steps are legible: OK; 6. INVITE; 7. SIP CANCEL; 8. RTP conversation; 9. SIP BYE]

RTP Tunneling
[Diagram only; no text recovered.]

RTP Manipulation
[Diagram only; no text recovered.]
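The four signaling attacks above leave patterns in captured SIP requests that a monitoring point (the SIP firewall the SIP Trunks slide calls for, or an IDS on the voice VLAN) can flag. The following is an added example written for this page, not code from the slides or from SecureLogix: a minimal SIP request parser plus one heuristic per attack, run over a constructed capture. The thresholds, the known-phone inventory, the host `pbx.example.internal` and the sample traffic are all assumptions made for illustration.

```python
"""Added example, not from the Interop 2009 slides: flag directory scanning, flood DoS,
registration manipulation and call termination in a stream of captured SIP requests.
Parsing is deliberately minimal; thresholds, the known-phone inventory and the
sample capture are assumptions made for illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

REQ_LINE = re.compile(r"^(?P<method>[A-Z]+) sip:(?:(?P<user>[^@\s]+)@)?\S+ SIP/2\.0$")
CONTACT_HOST = re.compile(r"<sip:(?:[^@>]+@)?(?P<host>[^;:>]+)")


@dataclass
class SipRequest:
    ts: float                    # capture time in seconds
    src: str                     # IP the packet came from (from the capture, not a SIP header)
    method: str
    user: str                    # user part of the Request-URI, "" if absent
    call_id: str
    contact_host: Optional[str]  # host in the Contact header, if any
    expires: Optional[int]


def parse_request(ts: float, src: str, raw: str) -> SipRequest:
    """Parse the request line and only the headers the heuristics need."""
    lines = raw.strip().splitlines()
    m = REQ_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    hdrs: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    contact = CONTACT_HOST.search(hdrs.get("contact", ""))
    expires = hdrs.get("expires", "")
    return SipRequest(ts, src, m.group("method"), m.group("user") or "", hdrs.get("call-id", ""),
                      contact.group("host") if contact else None,
                      int(expires) if expires.isdigit() else None)


def detect(reqs: List[SipRequest], known_phones: Dict[str, str],
           scan_users: int = 5, flood_per_sec: int = 20) -> List[Tuple[str, str]]:
    """known_phones maps a user to the IP its phone is expected to register from.
    Returns (rule, detail) alerts in firing order; scan and flood fire once per source."""
    alerts: List[Tuple[str, str]] = []
    users_by_src: Dict[str, Set[str]] = defaultdict(set)
    per_second: Dict[Tuple[str, int], int] = defaultdict(int)
    parties: Dict[str, Set[str]] = defaultdict(set)  # Call-ID -> IPs that belong in the dialog
    flagged_scan: Set[str] = set()
    flagged_flood: Set[str] = set()
    for r in reqs:
        # flood DoS: too many requests from one source inside one wall-clock second
        bucket = (r.src, int(r.ts))
        per_second[bucket] += 1
        if per_second[bucket] > flood_per_sec and r.src not in flagged_flood:
            flagged_flood.add(r.src)
            alerts.append(("flood_dos", f"{r.src} sent more than {flood_per_sec} requests in one second"))
        # directory scanning: one source probing many distinct users
        if r.method in ("INVITE", "OPTIONS", "REGISTER"):
            users_by_src[r.src].add(r.user)
            if len(users_by_src[r.src]) >= scan_users and r.src not in flagged_scan:
                flagged_scan.add(r.src)
                alerts.append(("directory_scan", f"{r.src} probed {scan_users} or more distinct users"))
        if r.method == "INVITE":
            parties[r.call_id].add(r.src)                      # the caller
            if r.user in known_phones:
                parties[r.call_id].add(known_phones[r.user])  # the called phone
        elif r.method == "REGISTER":
            # registration manipulation: a binding that points a known user somewhere else
            expected = known_phones.get(r.user)
            if expected and r.contact_host and r.contact_host != expected:
                alerts.append(("registration_manipulation",
                               f"REGISTER for {r.user} from {r.src} binds Contact {r.contact_host}, "
                               f"expected {expected} (Expires={r.expires})"))
        elif r.method in ("BYE", "CANCEL"):
            # call termination: tear-down from an address that is not a party to the dialog
            if r.call_id in parties and r.src not in parties[r.call_id]:
                alerts.append(("call_termination", f"{r.method} for {r.call_id} from non-party {r.src}"))
    return alerts


def build_request(method: str, user: str, call_id: str,
                  contact: Optional[str] = None, expires: Optional[int] = None) -> str:
    """Assemble a minimal SIP request (constructed sample data, not a real capture)."""
    lines = [f"{method} sip:{user}@pbx.example.internal SIP/2.0", f"Call-ID: {call_id}"]
    if contact:
        lines.append(f"Contact: <sip:{user}@{contact}>")
    if expires is not None:
        lines.append(f"Expires: {expires}")
    return "\r\n".join(lines) + "\r\n"


KNOWN_PHONES = {"dereks": "10.0.5.21", "alice": "10.0.5.22"}  # assumed phone inventory


def sample_traffic() -> List[SipRequest]:
    """Constructed capture: legitimate traffic interleaved with one instance of each abuse."""
    raw: List[Tuple[float, str, str]] = [
        (0.0, "10.0.5.21", build_request("REGISTER", "dereks", "reg-1", "10.0.5.21", 3600))]
    # directory scan: one outside host walks extensions 1000..1005 with OPTIONS
    raw += [(10.0 + i * 0.1, "192.0.2.50", build_request("OPTIONS", str(1000 + i), f"scan-{i}"))
            for i in range(6)]
    # flood: 25 INVITEs to one user inside a single second
    raw += [(20.0 + i * 0.03, "192.0.2.77", build_request("INVITE", "alice", f"flood-{i}"))
            for i in range(25)]
    # registration manipulation: a foreign host re-registers dereks to itself for 30 minutes
    raw.append((30.0, "192.0.2.99", build_request("REGISTER", "dereks", "reg-2", "192.0.2.99", 1800)))
    # alice calls dereks; a third party injects a BYE; then the real BYE from dereks' phone
    raw.append((40.0, "10.0.5.22", build_request("INVITE", "dereks", "call-1")))
    raw.append((45.0, "192.0.2.99", build_request("BYE", "dereks", "call-1")))
    raw.append((50.0, "10.0.5.21", build_request("BYE", "alice", "call-1")))
    return [parse_request(ts, src, msg) for ts, src, msg in raw]


if __name__ == "__main__":
    for rule, detail in detect(sample_traffic(), KNOWN_PHONES):
        print(f"{rule:26} {detail}")
```

Run stand-alone, the script prints one alert per abuse (scan, flood, registration, termination) and stays silent for the legitimate REGISTER, INVITE and BYE. The registration check relies on a trusted inventory of which IP each phone registers from; without that, the fallback of comparing a REGISTER's Contact host with the packet's source IP still catches the case on the slide where a second host binds someone else's user.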
Application Issues
» Toll fraud
  » Minor misuse
  » Dial-through fraud
» Social engineering
» Harassing callers
» Various modem issues
  » Poorly secured modems used for remote access
  » ISP modems
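The application issues listed above are what the voice firewall in the earlier diagrams is placed at the perimeter to catch, and they show up in call detail records rather than in packets. The following is an added example for this page, not code from the slides or from SecureLogix: a small policy evaluator that runs four rules (toll fraud, dial-through fraud, unauthorized modems, harassing callers) over a constructed set of CDRs. The record fields, the business-hours window, the thresholds, the authorized-modem list and the sample numbers are all assumptions.

```python
"""Added example, not from the Interop 2009 slides: apply simple voice-perimeter policy
rules to constructed call detail records. Fields, thresholds and samples are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

AUTHORIZED_MODEMS = {"4450"}  # assumed inventory of sanctioned modem lines


@dataclass
class Cdr:
    start_hour: int       # local hour the call started (0-23)
    direction: str        # "in" or "out" relative to the enterprise
    src: str              # calling extension (out) or external caller (in)
    dst: str              # dialed number (out) or called extension (in)
    duration_s: int
    call_type: str        # "voice", "fax" or "modem", as classified at the perimeter
    trunk_to_trunk: bool  # inbound call the PBX handed back out to the public network


def is_international(number: str) -> bool:
    """Assumed North American dial plan: 011 prefix or +E.164 means international."""
    return number.startswith("011") or number.startswith("+")


def apply_policy(cdrs: List[Cdr], business_hours: Tuple[int, int] = (7, 19),
                 intl_threshold: int = 3, repeat_threshold: int = 4) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts in the order the rules fire."""
    alerts: List[Tuple[str, str]] = []
    intl_after_hours: Dict[str, int] = defaultdict(int)
    repeat_calls: Dict[Tuple[str, str], int] = defaultdict(int)
    for c in cdrs:
        after_hours = not (business_hours[0] <= c.start_hour < business_hours[1])
        # toll fraud: a run of after-hours international calls from one extension
        if c.direction == "out" and is_international(c.dst) and after_hours:
            intl_after_hours[c.src] += 1
            if intl_after_hours[c.src] == intl_threshold:
                alerts.append(("toll_fraud", f"{c.src} placed {intl_threshold} after-hours international calls"))
        # dial-through fraud: an inbound call that leaves again on an outbound trunk
        if c.direction == "in" and c.trunk_to_trunk:
            alerts.append(("dial_through", f"inbound call from {c.src} was routed back out to {c.dst}"))
        # modems: any modem call on a line that is not in the sanctioned inventory
        if c.call_type == "modem":
            extension = c.dst if c.direction == "in" else c.src
            if extension not in AUTHORIZED_MODEMS:
                alerts.append(("unauthorized_modem", f"{c.direction}bound modem call on extension {extension}"))
        # harassing callers: the same external number hitting the same extension repeatedly
        if c.direction == "in" and not c.trunk_to_trunk:
            repeat_calls[(c.src, c.dst)] += 1
            if repeat_calls[(c.src, c.dst)] == repeat_threshold:
                alerts.append(("harassing_caller", f"{c.src} called {c.dst} {repeat_threshold} times"))
    return alerts


def sample_cdrs() -> List[Cdr]:
    """Constructed records: one clean call plus one instance of each issue."""
    rows = [
        Cdr(10, "out", "4400", "5555550123", 300, "voice", False),           # normal business-hours call
        Cdr(2, "out", "4410", "01144207946000", 1200, "voice", False),       # after-hours international, 3 of them
        Cdr(3, "out", "4410", "01144207946001", 900, "voice", False),
        Cdr(4, "out", "4410", "01144207946002", 1500, "voice", False),
        Cdr(23, "in", "5555550177", "01144207946003", 600, "voice", True),   # inbound call dialed back out
        Cdr(1, "in", "5555550188", "4499", 2400, "modem", False),            # modem on an unlisted extension
        Cdr(9, "out", "4450", "5555550144", 60, "modem", False),             # sanctioned modem line
    ]
    rows += [Cdr(22, "in", "5555550199", "4401", 5, "voice", False) for _ in range(5)]  # repeated caller
    return rows


if __name__ == "__main__":
    for rule, detail in apply_policy(sample_cdrs()):
        print(f"{rule:20} {detail}")
```

The rules are deliberately simple so that each maps to one bullet on the slide; in practice the international-call and repeat-caller counters would be windowed over time and the modem inventory would come from the same asset list used to decide which lines the voice firewall permits to carry modem traffic.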
Best Practices
» Develop a voice/VoIP security policy
» Address application issues at the perimeter
» Prioritize security during VoIP deployments
» Consider a VoIP security assessment
» Follow good basic data network security for the internal network
» Deploy SIP security when using SIP trunks
Resources
» Vendor sites
Questions?