Securing Open Source Enterprise VoIP Christian Stredicke/snom.

Presentation transcript:

Securing Open Source Enterprise VoIP Christian Stredicke/snom

September 10-12, 2007, Los Angeles Convention Center, Los Angeles, California

Slide 3: SIP is the ketchup of the burger
Finally the VoIP industry is splitting up into layers: SIP is the ketchup that makes it a tasty combination.
(Diagram: the layers around SIP are Hosting, Consulting, ITSP, Hard Phones, Soft Phones, ATA, SBC, IVR and SIP PBX.)
The Past: Everything is provided (more or less) by one large company.
The Future: Specialized vendors offering excellent products in a specific area.
Problem: Products are getting very complex and it is hard to stay competitive.

Slide 4: Selling Security
There is probably no company without a firewall any more.
–Security for and Web is a must-have today
–Administrators who don't understand that are jobless
Offer two contracts:
–One where you make the customer responsible for all security breaches (system without security)
–Another one where they just waive your liability (system with security)
They will pick the contract that includes security.

Slide 5: The Evolution of VoIP Privacy
–"We got transfer working"
–Use SRTP (but no TLS)
–VPN
–TLS + SRTP

Slide 6: How to listen to VoIP calls* (*if you are just using plain SIP)
The LAN is the problem! (Diagram: PC, Ethernet switch and phone exchanging ARP.)
The PC puts itself into the communication stream by pretending to have the same MAC address as the phone (PCs are pretty fast these days and respond faster than VoIP phones).
Tools: arp-sk (ARP Swiss Army Knife Tool), arp-scan, …

Slide 7: SRTP scrambles the voice
(Diagram: a plain RTP frame is Ethernet Header | IP | UDP | RTP | Codec | Ethernet Checksum; with SRTP the Codec part is XORed with the AES "Counter" keystream and a MAC is appended before the Ethernet Checksum.)
The AES counter is used to XOR the audio data.
The MAC is a hash over the codec content and makes sure that only the one who knows the counter value can generate the packet.
With every packet, the counter is pseudorandomly incremented.
The key is to negotiate the initial counter value securely.

Slide 8: Key Exchange Algorithms (so far)
Properties compared (table columns): Sig. Conf. | Forking | Media before Answer | Shared-key conf. | PKI? | Rekey | Bid-down protection
Mechanisms compared (table rows; cell values listed per row as extracted, column alignment was lost):
–MIKEY-PSK: No Yes No* Yes
–MIKEY-RSA: No Yes
–MIKEY-DH: No Yes
–MIKEY-DHHMAC: No No* Yes
–MIKEY-RSA-R: No Yes No Yes
–SDES: Yes Yes* No Yes No Yes* No
–SDES-EM: Yes Yes* Yes No Yes No
–EKT: Yes* Yes No Yes*
–SDP-DH: No
–ZRTP: No Yes No Yes
–DTLS: No Yes No Yes
Source: Dan Wing, Overview of SIP Media Security Options, March 21, 2006 (IETF 65)

Slide 9: How TLS works
Known from other protocols (https, secure SMTP, …)
Looks like TCP from the application point of view
Uses strong cryptographic methods (RSA, DH)
How can you trust the other side?
–Certificates
–Must be issued by someone that you trust
–Preset list or load the root certificate
Problems:
–Requires at the very least TCP support (most PBXs don't have this today)
–Problems for embedded devices (OpenSSL takes several MB)

Slide 10: Is VPN the solution?
Very well established
Secure
Latest generations address latency
–UDP or GRE
Nice side effects:
–No more NAT problems
–VPN servers are widely available (OpenVPN)
–No more port-playing with national carriers
Problems:
–Media relay through the central VPN node
–Setup is not as easy as TLS

Slide 11: DoS is becoming a pain
Brute force attacks:
–ping -f (start it several times)
–Downloading of s (LOL)
–Just don't hang up (ENUM)
Bad software:
–INVITE of Death (DoS LOL)
–Accepting INVITE without any kind of authentication
"If you have Gigabit Ethernet, make sure you can process one million ping packets per second"
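As an added example (not part of the presentation or of any product it mentions), the Go code below shows the check the last "bad software" bullet calls for: verifying the Digest credentials (RFC 3261, using the RFC 2617 computation) carried on an INVITE before the PBX acts on it. The header parser, the hypothetical VerifyDigest function and its parameters are assumptions; the PBX is expected to store HA1 per user and to pass in the nonce it issued in its own challenge.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"regexp"
	"strings"
)

// parseAuth splits the value of a SIP Authorization header (RFC 3261 Digest scheme)
// into its parameters; quoted and unquoted values are both accepted.
func parseAuth(header string) map[string]string {
	params := map[string]string{}
	if !strings.HasPrefix(header, "Digest ") {
		return params
	}
	re := regexp.MustCompile(`(\w+)=("([^"]*)"|([^,]*))`)
	for _, m := range re.FindAllStringSubmatch(header[len("Digest "):], -1) {
		params[m[1]] = m[3] + m[4] // exactly one of the two groups is non-empty
	}
	return params
}

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// VerifyDigest recomputes the RFC 2617 response for this request and compares it in
// constant time. ha1 is MD5(user:realm:password) as stored by the PBX (the plaintext
// password is not needed); expectedNonce is the nonce the PBX issued in its 401/407
// challenge, so a response computed for another nonce, method or URI is rejected.
func VerifyDigest(method, header, realm, ha1, expectedNonce string) bool {
	p := parseAuth(header)
	if p["username"] == "" || p["uri"] == "" || p["realm"] != realm || p["nonce"] != expectedNonce {
		return false
	}
	ha2 := md5hex(method + ":" + p["uri"])
	var want string
	if p["qop"] == "auth" { // RFC 2617 "auth" quality of protection adds nc and cnonce
		want = md5hex(ha1 + ":" + p["nonce"] + ":" + p["nc"] + ":" + p["cnonce"] + ":auth:" + ha2)
	} else {
		want = md5hex(ha1 + ":" + p["nonce"] + ":" + ha2)
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(p["response"])) == 1
}
```

Nonce freshness (expiring challenges, tracking nc with qop=auth) is left to the PBX's challenge store; the check here only guarantees the response was computed for this nonce, method and URI by someone holding the password.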

Slide 12: Simple Steps to Increase Security
Put your VoIP network into a VLAN
–Give higher priority bits for that LAN
–Have a mini-SBC between the LANs
–Limit bandwidth on trunk level
Set the expectations right
–Making phone calls over the public Internet has no QoS
–Seriously consider PSTN termination
Think about upgrade paths
Backup

Slide 13: The Bottom Line
You must address privacy in the enterprise
TLS and SRTP are a good solution
VPN is even better as it solves NAT as well
Think pessimistically about bandwidth utilization