Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fortinet VoIP Security June 2007 Carl Windsor.

Published byMadison Stewart Modified over 7 years ago

Similar presentations

Presentation on theme: "Fortinet VoIP Security June 2007 Carl Windsor."— Presentation transcript:

1 Fortinet VoIP Security June 2007 Carl Windsor

2 The VoIP Security Problem
VoIP developed by voice specialists Security an afterthought Primary concern is voice quality and latency Consumer VoIP became commonplace overnight Vendor interoperability In 2007 Voice over IP (VoIP) systems will be the target of cyber attacks. VoIP technology was deployed hastily without fully understanding security. SANS Institute: Security Trends for 2007

3 Common VoIP Security Issues – Sharing Resources
VoIP commonly shares data networks Data network traffic can impact the voice network Large file transfers increase latency and jitter VoIP should be treated as the highest priority Mail, FTP, HTTP lower priority Virus/Worm infections on the data network can cause high volumes of traffic and effectively DoS VoIP systems Slammer Nimda

4 Common VoIP Security Issues – Plaintext transmission
VoIP communications often unencrypted Secure VoIP implementations vendor specific Is there a risk to data in transit?

5 Common VoIP Security Issues – Plaintext transmission

6 Common VoIP Security Issues – Plaintext transmission

7 Common VoIP Security Issues – Plaintext transmission
What if this was the sound of you entering your voice banking pin or credit card number?

8 Common VoIP Security Issues – Dynamic Ports and NAT
The VoIP payload, RTP traffic, is dynamically assigned an even port number in the range of non-privileged UDP ports ( ) and specified in the packet body of the signalling protocol.

9 Example VoIP Packet (Header) Source IP Source Port Destination IP
Destination Port 5346 389 Message Body …… Source IP: Source (RTP) Port: 5005

10 Common VoIP Security Issues – Dynamic Ports and NAT
Options: Don’t allow VoIP communications through your firewall Open a large range of possibly damaging application ports as per their firewall or application's vendor advice To establish outbound NetMeeting connections through a firewall, the firewall must be configured to do the following: Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731 Pass through secondary TCP and UDP connections on dynamically assigned ports ( )

11 Common VoIP Security Issues – Dynamic Ports and NAT
The VoIP payload, RTP traffic, is dynamically assigned an even port number in the range of non-privileged UDP ports ( ) and specified in the packet body of the session protocol. What happens when you use Network Address Translation?

12 Example VoIP Packet (Header) Source IP Source Port Destination IP
Destination Port 5346 389 Message Body …… Source IP: Source (RTP) Port: 5005

13 Example VoIP Packet – NAT Applied
(Header) Source IP Source Port Destination IP Destination Port 23456 389 Message Body …… Source IP: Source (RTP) Port: 5005

14 Future Security Threats
Follow what happened to and multiply by 100 DoS SPAM Misconfigured relay SPAM Botnet SPAM Real threat or hype?

15 Future Security Threats
Not so far in the….. Future Security Threats Introducing Javabot DOS: Send successive INVITE with different transactions to the target (IP phone or SIP server). To paralyze a SIP server, you may need many bots SPIT: Send media audio to some SIP user (Username +IP) SCAN: take a list of destinations and send respective INVITE messages to a SIP server. Depending on the response of the server, a destination is matched as an existent user or not. CRACK: if by scanning you discover the SIP username of one user, you can try to crack its password REGISTER: if by cracking you have the password of a user, you can register instead of it and transfer calls

16 Enhancing Your VoIP Security
Fortinet Enhancing Your VoIP Security 16

17 Fortigate VoIP Support
Support for VLANs Segregate your data and voice networks Support for QoS Prioritise your Voice traffic over less critical Guarantee bandwidth for VoIP traffic High Speed and throughput Encryption ASIC Accelelerated 3DES/AES IPSEC VPN Small Packet Performance High numbers of concurrent sessions Wirespeed small packet performance

18 Fortigate VoIP Support
The FortiGate series now supports three major VoIP protocol application layer gateways (ALGs) H.323, SIP, and SCCP (Skinny) Each ALG allows the FortiGate to provide: NAT of VoIP traffic Pinhole Firewall your VoIP devices, monitoring and blocking of unwanted VoIP traffic IPS protection of VoIP protocol Protocol anomalies, denial of service attacks, buffer overflows, and header manipulation attacks

19 Fortigate VoIP Support
Application awareness - NAT (Header) Source IP Source Port Destination IP Destination Port 23456 Message Body …… Source IP: Source (RTP) Port: Application aware firewalls understand that the data payload needs modifying as well as the header

20 Fortigate VoIP Support
Application awareness

21 Fortigate VoIP Support
The FortiGate series now supports three major VoIP protocol application layer gateways (ALGs) H.323, SIP, and SCCP (Skinny) Each ALG allows the FortiGate to provide: NAT of VoIP traffic Pinhole Firewall your VoIP devices, monitoring and blocking of unwanted VoIP traffic IPS protection of VoIP protocol Protocol anomalies, denial of service attacks, buffer overflows, and header manipulation attacks

22 Fortigate VoIP Support
Intrusion and DoS prevention

23 Fortigate VoIP Support
Logging and reporting

24 Example Deployment – Distributed Call Centre

25 Example Deployment – Corporate Offices

26 Future Fortinet Developments
Convert SIP over TCP to UDP Support SIP on dynamically chose ports (MSN, AIM, ICQ, Yahoo) SIP header compression/decompression SIP/SIMPLE AV scanning New Vendor Specific ALGs Stream Control Transmission Protocol (SCTP) Support Call recording and archive Anti-SPIT

27 Questions

Download ppt "Fortinet VoIP Security June 2007 Carl Windsor."

Similar presentations

The leader in session border control for trusted, first class interactive communications.

The leader in session border control for trusted, first class interactive communications.
Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.
Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.

Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.
Voice over IP Fundamentals

Voice over IP Fundamentals
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
29.1 Chapter 29 Multimedia Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

29.1 Chapter 29 Multimedia Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.

NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
5/3/2006 tlpham VOIP/Security 1 Voice Over IP and Security By Thao L. Pham CS 525.

5/3/2006 tlpham VOIP/Security 1 Voice Over IP and Security By Thao L. Pham CS 525.
VoIP Security Sanjay Kalra Juniper Networks September 10-12, 2007 Los Angeles Convention Center Los Angeles, California www.ITEXPO.com 3 VoIP Issues.

VoIP Security Sanjay Kalra Juniper Networks September 10-12, 2007 Los Angeles Convention Center Los Angeles, California 3 VoIP Issues.
IT Expo SECURITY Scott Beer Director, Product Support Ingate +1-613-963-0933.

IT Expo SECURITY Scott Beer Director, Product Support Ingate
Ingate & Dialogic Technical Presentation SIP Trunking Focused.

Ingate & Dialogic Technical Presentation SIP Trunking Focused.
IP Ports and Protocols used by H.323 Devices Liane Tarouco.

IP Ports and Protocols used by H.323 Devices Liane Tarouco.
Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.

Network Protocols. Why Protocols?  Rules and procedures to govern communication Some for transferring data Some for transferring data Some for route.
Jaringan Komputer Dasar OSI Transport Layer Aurelio Rahmadian.

Jaringan Komputer Dasar OSI Transport Layer Aurelio Rahmadian.
OV 12 - 1 Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.

11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure.
OV 12 - 1 Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
TCP/IP Protocol Suite 1 Chapter 25 Upon completion you will be able to: Multimedia Know the characteristics of the 3 types of services Understand the methods.

TCP/IP Protocol Suite 1 Chapter 25 Upon completion you will be able to: Multimedia Know the characteristics of the 3 types of services Understand the methods.
Crossing firewalls Liane Tarouco Leandro Bertholdo RNP POP/RS.

Crossing firewalls Liane Tarouco Leandro Bertholdo RNP POP/RS.

Similar presentations

Ads by Google