Published by Clay Scruton. Modified over 9 years ago.
1
CANTO – 2006
Information Security and Voice over IP (VoIP)
Robert Potvin, CISSP
VP - Strategic Consulting
June 21st, 2006
2
Copyright Above Security 2006
Voice over IP is popular!
More VoIP PBXs are now being sold than circuit-switched PBXs
Businesses are deploying VoIP for all sorts of reasons:
  - Security is probably not one of them
Voice over IP security
3
Why worry about voice security?
Telephone access is business-critical in almost all organisations
Confidential information passes over the phones
Emergency response often involves phone systems (911)
Long distance fraud (Miami – 10M calls)
PBX is now in the hands of IT (we used to worry about its security)
4
2005-2006 VoIP State of the Market Report
Major Concerns - Distributed Networking Associates
Identity Management / Authentication
Spoofed Voice Server or IP-PBX
Voice conversation intercepted (LAN, WAN and Internet)
Increased Toll Fraud
Availability (DoS)
5
Security knowledge is being lost
In the seventies, some people would make long distance calls for free (or bill them to innocent victims) by using blue boxes to inject MF tones during call setup
In the eighties and nineties, voice networks migrated to digital voice transmission and ISDN-like transport
One of the less well-known goals of this migration was to separate the control signals from the voice traffic
  - If the user has no access to the control channel, the user cannot hack the phone system
6
So we go back to the seventies
Many Voice over IP setups mix control and data traffic
Blue box tone generators get replaced with Ethernet sniffer programs and other PC-based malware
Same problems, but with a new twist: attacks can be automated
7
A typical (simplified) VoIP configuration
8
Let us not forget the previous users
9
And the un-intended users…
10
There are other un-intended users…
11
And still other un-intended users!
12
More….
13
VoIP Threats
DoS
  - Packet and Data Flood
  - Endpoint (PIN change)
  - QoS
  - VLAN
Theft and Fraud
  - Sniffing (eavesdropping)
  - Spoofing (MAC, IP, ARP, ANI, etc.)
  - Toll and Voicemail (and maybe e-mail) “text to speech”
14
The Voice over IP protocol landscape
Several different protocols in use at the same time
  - Some are used to communicate call information data (signalling)
  - Some transport the actual voice and/or video streams
  - Some do both
  - Some are standardized, some are proprietary
And then there are the extensions…
  - Multiple competing extensions to the same protocol
  - Multiple security extensions to the same protocol
Wireless integration
15
Base protocols for IP phones
16
Issues about base protocols and phones
Most of these protocols do not have security protection features
Even if they do, the IP phones typically do not support them
The phones (depending on brand and model) also have other network vulnerabilities:
  - Remote management access to the phone (SNMP), sometimes in read/write, sometimes with a fixed community name
  - Remote login access to the phone
  - VxWorks debug access to the phone
17
Network layer 2 attacks: MAC address spoofing
An attacker's equipment can modify its MAC address at will
  - and impersonate other equipment (including phones)
The attacker can generate many packets with many different source MAC addresses
  - this can cause the network to crash
  - or allow the attacker to listen to traffic he/she should not be able to access
18
Network layer 2 attacks: ARP cache poisoning
ARP is the protocol used to associate Ethernet and IP addresses dynamically
Supports broadcast and unicast communication methods
Attacker can use ARP attacks to reroute IP traffic, including voice
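A monitoring-side view of the ARP slide above, as an added example that is not part of the original presentation: it tracks IP-to-MAC bindings on a voice VLAN and flags replies nobody asked for, bindings that change, and one MAC answering for several IPs. The observation tuples, addresses and the `reply_window` parameter are constructed for illustration.

```python
from collections import defaultdict

# Constructed observations: (seconds, op, sender_ip, sender_mac, target_ip).
# 10.0.20.1 stands in for the voice gateway; every address here is made up.
SAMPLE_ARP = [
    (0.0, "request", "10.0.20.15", "00:11:22:aa:00:15", "10.0.20.1"),
    (0.1, "reply",   "10.0.20.1",  "00:11:22:aa:00:01", "10.0.20.15"),
    (5.0, "reply",   "10.0.20.1",  "00:de:ad:be:ef:99", "10.0.20.15"),
    (5.1, "reply",   "10.0.20.15", "00:de:ad:be:ef:99", "10.0.20.1"),
    (9.0, "request", "10.0.20.16", "00:11:22:aa:00:16", "10.0.20.1"),
    (9.1, "reply",   "10.0.20.1",  "00:11:22:aa:00:01", "10.0.20.16"),
]

def detect_arp_anomalies(observations, reply_window=2.0):
    """Return (time, kind, ip, mac) alerts for suspicious ARP behaviour."""
    bindings = {}                  # ip -> first MAC seen claiming it
    ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
    pending = {}                   # (asker_ip, asked_ip) -> time of request
    alerts = []
    for ts, op, sender_ip, sender_mac, target_ip in observations:
        if op == "request":
            pending[(sender_ip, target_ip)] = ts
        else:
            # A reply should answer a recent request from its target.
            asked = pending.pop((target_ip, sender_ip), None)
            if asked is None or ts - asked > reply_window:
                alerts.append((ts, "unsolicited-reply", sender_ip, sender_mac))
        if bindings.setdefault(sender_ip, sender_mac) != sender_mac:
            alerts.append((ts, "binding-changed", sender_ip, sender_mac))
        ips_by_mac[sender_mac].add(sender_ip)
        if len(ips_by_mac[sender_mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", sender_ip, sender_mac))
    return alerts
```

Legitimate failover and address changes also produce unsolicited replies, so these alerts are triage input; the strongest signal is a changed binding for the gateway or call server.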
19
Network layer 2 attacks: VLAN boundary crossing
Virtual LANs are used to group network switch ports into zones
  - Communication between VLANs must go over a router or gateway
  - Groups of VLANs can be transported over a single physical link between switches on a VLAN trunk
On some network switches, VLAN trunk setup is automatic
  - This feature is enabled by default
  - A client system can convince the switch that a user port should become a trunk by sending the right packets to it
  - Ports that become trunks make all VLANs accessible by default
  - Attackers can use this to access other VLANs
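A configuration audit for the trunking default described above, as an added example that is not part of the original presentation. It assumes Cisco IOS-style `switchport` syntax (the slide names no vendor) and a constructed sample configuration; it reports ports left in a negotiating or unspecified mode, and static trunks with no allowed-VLAN list.

```python
import re
# Constructed sample in Cisco IOS-style syntax (assumed; the slide names no vendor).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
!
interface GigabitEthernet0/2
 switchport access vlan 10
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/23
 switchport mode trunk
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from an IOS-style config."""
    interfaces, current = {}, None
    for line in config.splitlines():
        header = re.match(r"interface\s+(\S+)", line)
        if header:
            current = interfaces.setdefault(header.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any global command ends the interface block
    return interfaces

def audit_trunking(config):
    """Return {interface: finding} for ports that can become, or are, wide-open trunks."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        modes = [c.split(None, 2)[2] for c in cmds if c.startswith("switchport mode ")]
        mode = modes[-1] if modes else None
        if mode is None:
            findings[name] = "no explicit mode: default may allow trunk negotiation"
        elif mode.startswith("dynamic"):
            findings[name] = "trunk negotiation enabled (" + mode + ")"
        elif mode == "trunk" and not any(c.startswith("switchport trunk allowed vlan") for c in cmds):
            findings[name] = "static trunk carries every VLAN (no allowed list)"
    return findings
```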
20
VoIP signalling protocol attacks
21
H.323 protocol components security
By default, no protection is built into the protocols
  - Everything is in cleartext, with nothing signed, no replay protection, etc.
  - An attacker with enough access can listen to/alter the messages at will
Cisco recommends protecting the protocol with IPSEC
  - Requires X.509 certificates and public key certificate servers in order to scale
H.323 transports IP addresses and port numbers in the application stream
  - In cleartext, it is already difficult to pass H.323 over NAT gateways
  - Forget it once H.323 is encrypted
  - Implies the H.323 NAT box must be an endpoint, decrypt the traffic, and re-encrypt it before forwarding
22
SIP protocol security
By default, no protection is built into the protocol (like H.323)
  - Everything is in cleartext, with nothing signed, no replay protection, etc.
  - An attacker with enough access can listen to/alter the messages at will
SIP can be protected with TLS or IPSEC
  - Requires X.509 certificates and public key certificate servers in order to scale
SIP also transports IP addresses and port numbers in the application stream
  - SIP is designed to go over proxies
  - It may be difficult to maintain end-to-end security when communicating with points outside the organization
23
SIP Vulnerabilities
INVITE
  - Vulnerabilities in message exchange between 2 SIP endpoints during call setup
SIP proxy server
  - Cisco ASN.1
  - Decoding error in SSL implementation (also in H.323)
24
VoIP transport protocol attacks
25
Voice transport protocol issues
RTP (Real Time Protocol) and RTCP (Real Time Control Protocol) are used to transport the actual voice in both H.323 and SIP configurations
  - By default, all voice traffic is in cleartext and can be captured with already existing attack tools
SRTP (Secure Real Time Protocol)
  - Can encrypt and authenticate the voice traffic
  - Relies on the MIKEY protocol
  - Needs an X.509 certificate infrastructure in order to scale
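The SIP security slide and the voice transport slide above make the same point from two sides: signalling carries the media address and port in its body, and both layers are cleartext unless TLS and SRTP are in use. The added example below (not part of the original presentation) parses a trimmed, constructed INVITE, extracts the embedded media endpoint from the SDP, and reports which layer is unprotected; `build_invite`, `audit_sip` and all addresses are hypothetical names and values.

```python
def build_invite(transport, scheme, profile):
    """Constructed, trimmed INVITE for the demo; names and addresses are made up."""
    return "\r\n".join([
        f"INVITE {scheme}:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/{transport} 10.0.20.15:5060;branch=z9hG4bK776asdhds",
        f"Contact: <{scheme}:alice@10.0.20.15:5060>",
        "Content-Type: application/sdp",
        "",
        "v=0",
        "c=IN IP4 10.0.20.15",
        "m=audio 49170 " + profile + " 0",
    ])

def audit_sip(message):
    """Report signalling transport, SDP media endpoints and missing protection."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_uri = lines[0].split()[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    # Via looks like "SIP/2.0/UDP host:port;params": the transport is the third token.
    transport = headers["via"].split()[0].rsplit("/", 1)[1].upper()
    session_addr, media = None, []
    for line in body.split("\r\n"):
        if line.startswith("c="):
            addr = line.split()[-1]
            if media:
                media[-1]["addr"] = addr   # media-level c= overrides the session one
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port, profile = line[2:].split()[:3]
            media.append({"kind": kind, "addr": session_addr,
                          "port": int(port), "profile": profile})
    issues = []
    if transport != "TLS":
        issues.append(f"signalling over {transport}: headers and SDP are cleartext")
    if not request_uri.lower().startswith("sips:"):
        issues.append("Request-URI does not use the sips: scheme")
    for m in media:
        if "SAVP" not in m["profile"]:   # RTP/SAVP is the SDP profile for SRTP
            issues.append(f"{m['kind']} to {m['addr']}:{m['port']} uses {m['profile']}: voice is cleartext")
    return {"transport": transport, "media": media, "issues": issues}
```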
26
DoS
TLS Connection Reset
  - By sending a crafted packet, you can force a reset on the signalling channel between the phone and the server
Packet replay
  - Out of sequence packets can add delay and degrade QoS
Services
  - DoS on DHCP, DNS, TFTP….
Wireless
  - Jamming
27
Call Hijacking and/or eavesdropping
ARP Spoofing
  - Duplicate an end-point or a gateway
Registration (UA)
  - Redirect incoming calls
Proxy
  - Intercept SIP messages
Toll
  - Rogue devices can be used to place long distance calls on PSTN
ANI
  - Caller ID spoofing
28
Security Pathway
Architecture
  - Switches, VLANs, NAT and Firewall
  - Encryption
  - MAC Filtering
  - Services (DHCP, TFTP, etc.)
Hardening
  - PBX
  - Gateway
  - Accounting (call data)
  - Voice Mail
  - SoftPhones
29
Security Pathway
Authentication
  - SIPS = HTTPS
  - Certificates
  - MAC Filtering
  - RADIUS
Physical security
  - PBX, Gateway, etc.
  - Switches (heat on Power Over Ethernet)
  - Sniffers
30
Security Pathway
Logging and Monitoring
  - Centralize logs
  - Synchronize logs
  - IDS
  - Vulnerabilities
Pen-Test often
  - External
  - Internal
  - Wireless
31
Questions and Contact
Robert Potvin, CISSP
robert.potvin@abovesecurity.com
450-430-8166 #2108