Presentation is loading. Please wait.

Presentation is loading. Please wait.

CHAPTER 10 Voice Security. VoIP Security Requirements: Integrity: The recipient should receive the packets that the originator sends without and change.

Published byAlban Malone Modified over 9 years ago

Similar presentations

Presentation on theme: "CHAPTER 10 Voice Security. VoIP Security Requirements: Integrity: The recipient should receive the packets that the originator sends without and change."— Presentation transcript:

1 CHAPTER 10 Voice Security

2 VoIP Security Requirements: Integrity: The recipient should receive the packets that the originator sends without and change to content. Privacy: A third party should not be able to read the data Authenticity Each party should be confident they are communicating with whom each claims to be Availability/Protection from Denial-of Service The VoIP service should be available to users at all times

3 Shared-Key: A common shared-key between users Each pair of users must have the same key Does not scale well with multiple pairs of users The key is used to encrypt the message A hash is calculated from the shared key

4 Asymmetric Key: Each user has a Private-key as well as a Public-key Only the corresponding public-key can decrypt the message that is encrypted with the private-key Only the corresponding private-key can decrypt the message that is encrypted with the public-key Has a one-to-one relationship between keys Keys can be exchanged over an unsecured network

5 Asymmetric Key: Phases Authentication phase Secure communication phase CPU-intensive process Unique shared secret per session

6 Digital Signature: Uses a set of complimentary algorithms for signing and for verification A Digital signature is obtained from a Certificate Authority (CA) A hash of the message is created with the private key to create a Digital Signature Recipient verifies the signature by running a verification algorithm over the message content using the public-key of the sender

7 Digital Signature continued: Uses a set of complimentary algorithms for signing and for verification Digital signatures provide authentication Digital signatures provide message integrity Each signature is appended to the message in clear text Digital signatures do not provide privacy

8 Certificate Authority: The Certificate Authority receives the public-key at the time of key generation. The Certificate Authority will verify the identity of the sender and issue a certificate Each device in the system has a public-key of the CA At the time of contact each system will: Present its certificate to it’s peer Each will run a verification If verified the keys are stored

9 Public-key: Common Protocols Transport layer Security (TLS)  Independent of applications  Rides on top of Transport layer protocols  Can be used with multiple services Record Protocol  Lower-layer protocol  Provides privacy and integrity  Used DES or RC4 for encryption Client layer  Authenticates  Negotiates

10 TLS:

11 Public-key: Common Protocols continued Ipsec  Uses Authentication Header (AH)  Uses Encapsulation Security Payload (ESP)  AH provides authentication and integrity  ESP provides privacy, authenticity, and integrity  Tunnel-mode  Protects only the payload  Header inserted between the Ip header and the transport layer header (TCP/UDP)  Transport-mode  Encapsulates the entire packet  Ipsec header is added between the outer and inner IP headers

12 Public-key: Common Protocols continued Ipsec

13 Public-key: Common Protocols continued IPsec

14 Public-key: Common Protocols continued IPsec

15 Public-key: Common Protocols continued Secure Real Time Protocol (SRTP)  Integrity  Authentication  Privacy

16 Protecting Voice Devices: Disable Unused Ports/Services  Disable Telnet  Disable Trivial File Transport Protocol Simple Network management Protocol  Use only read-only mode Disable Unused Ports on layer 2 switches  Administrative shut down

17 Protecting Voice Devices continued: Host-based Intrusion Protection System (HIPS)  Software agent installed on each device  Collects information about traffic  Information compared against a set of rules  System can take preventative action Terminating application Rate-limit data

18 Protecting Voice Infrastructure: Segmentation  VLAN’s  IP addressing  Traffic types  Separate DHCP servers Traffic Policing  Limit bandwidth to Codec used  G.711 is 64 kbps plus overhead  Queuing techniques 802.1x Authentication  EAP protocol  RADIUS authentication server  Layer 2

19 Protecting Voice Infrastructure continued: 802.1x Authentication

20 Protecting Voice Infrastructure continued: Layer 2 tools DHCP Snooping  Only allow DHCP offers from known sources  Enabled on switches  Switch(config)#ip dhcp snooping  Switch(config-if)#ip dhcp snooping trust  Switch(config-if)#ip dhcp snooping limit rate [rate]  Switch(config)#ip dhcp snooping vlan number [number]  DHCP snooping binding database (IP-to-MAC)

21 Protecting Voice Infrastructure continued: Layer 2 tools IP Source Guard  Used with DHCP Snooping  On untrusted ports only DHCP messages allowed until DHCP response is received  Uses DHCP snooping binding database  Per port  Installs a Vlan Access Control List (VACL)

22 Protecting Voice Infrastructure continued: Layer 2 tools Dynamic ARP Inspection  Attacker sends it’s own MAC address as a reply  Man-in-the-middle attack  Uses the DHCP binding database  Drops malicious packets

23 Protecting Voice Infrastructure continued: Layer 2 tools CAM overflow and Port Security  Attacker sends fictitious MAC addresses to fill CAM table  When CAM table is filled switch will forward packets out all active ports (broadcast)  Use port security features  Switch(config-if)#switchport port-security maximum [number]

24 Protecting Voice Infrastructure continued: Layer 2 tools Circumventing VLANs  Uses trunk ports to obtain access  802.1q or ISL  Disable DTP on non trunk ports  Switch(config-if)#switchport mode access

25 Protecting Voice Infrastructure continued: Layer 2 tools NIPS Network Based Intrusion Protection System  In series  In parallel  Examines every packet  Does not protect against “Atomic” attacks  Delay is a problem for voice

26 Protecting Voice Infrastructure continued: Layer 2 tools BPDU Guard and Root Guard  Exploits Spanning-tree protocol  Listens on configured ports for BPDU’s  Rogue device tries to become the root bridge  Violation can disable the port  Used with portfast  Root Guard will port into a root-inconsistent state  Root Guard will allow the device to participate in spanning-tree

27 Protecting Voice Infrastructure continued: Layer 3 tools Routing authentication  Not available for all protocols  Can use simple password  Can use Message-digest (MD5) encryption  Not available on RIPv1  Shared keys between systems

28 Protecting Voice Infrastructure continued: Layer 3 tools TCP intercepts  Denial of Service attacks  Sends multiple “syn” packets  Never completes the three-way handshake  Uses falsified IP addresses  Can limit half-open secessions  Intercept mode allows the router to respond before forwarding packets to client

29 Protecting Voice Infrastructure: Security Planning and Policies Transitive trust  Eliminate re-authentication at each device VoIP Protocol-Specific Issues  Use of computer based softphones VLAN’s Trunking Double tagging

30 Protecting Voice Infrastructure continued: Security Planning and Policies Complexity tradeoffs  Bandwidth overhead  Delay  CA cost NAT/Firewall Traversal  Opens pathways for voice traffic  Does not work well with encryption (port numbers) Password and Access Control  Minimum length  Complexity  Equipment access

31 End of Chapter 10

Download ppt "CHAPTER 10 Voice Security. VoIP Security Requirements: Integrity: The recipient should receive the packets that the originator sends without and change."

Similar presentations

Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.

© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Common Layer 2 Attacks and Countermeasures.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Internet Security CSCE 813 IPsec

Internet Security CSCE 813 IPsec
Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)

Working Connection Computer and Network Security - SSL, IPsec, Firewalls – (Chapter 17, 18, 19, and 23)
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
1 © 2004, Cisco Systems, Inc. All rights reserved IP Telephony Security Cisco Systems.

1 © 2004, Cisco Systems, Inc. All rights reserved IP Telephony Security Cisco Systems.
Network Security. Reasons to attack Steal information Modify information Deny service (DoS)

Network Security. Reasons to attack Steal information Modify information Deny service (DoS)
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
Henric Johnson1 Ola Flygt Växjö University, Sweden +46 470 70 86 49 IP Security.

Henric Johnson1 Ola Flygt Växjö University, Sweden IP Security.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

Similar presentations

Ads by Google