Presentation is loading. Please wait.

Presentation is loading. Please wait.

Real World Practices for Securing VoIP Jeff Caldwell Director, R&D SonicWALL, Inc.

Similar presentations

Presentation on theme: "Real World Practices for Securing VoIP Jeff Caldwell Director, R&D SonicWALL, Inc."— Presentation transcript:

1 Real World Practices for Securing VoIP Jeff Caldwell Director, R&D SonicWALL, Inc.

2 SonicWALL/SecureIT 2 Deployed Security Devices

3 SonicWALL/SecureIT 3 Mainstream VoIP Common Signaling Protocols/VoIP Technologies  H.323  ITU, 1996  SCCP/Skinny  Cisco Proprietary, Mid-1990s from Selsius Corporation  MGCP  Media Gateway Control Protocol, IETF, 1999  SIP  Session Initiated Protocol, RFC 2543, 1999  Megaco/H.248  ITU/IETF, 2000  Skype  Proprietary, initial Beta launched August 29, 2003

4 SonicWALL/SecureIT 4 Mainstream VoIP – SIP  Session Initiation Protocol  IETF Standard – Dozens of RFCs  Initial standards ratified in the late 1990s  Supports both TCP and UDP media and signaling  Media can be audio, video, etc.  A SIP network is composed of a number of logical SIP entities:  User Agent (Phone)  Initiates, receives and terminates calls  Proxy Server (Call Controller)  Acts on behalf of UA in forwarding or responding to requests  Can “fork” requests to multiple servers  Redirect Server (Call Controller)  Responds to, but does not forward requests  Registration Server (Call Controller)  Handles User Agent authentication and registration

5 SonicWALL/SecureIT 5 SIP Entity Example Redirect Server Registrar User Agent Proxy Server Gateway Circuit Switched Networks Packet Network User Agent Registrar User Agent

6 SonicWALL/SecureIT 6 Mainstream VoIP – H.323  Standard for real-time transmission of audio, video and data over packet-based networks  Employs a combination of TCP and UDP for signaling  ASN.1 used for message encoding  Considered to have more overhead than SIP  Standards developed by ITU; v1 1996, v5 2003  Entities  Terminal – Communicating endpoint on network  Gatekeeper – Address translation, registration, admission control and status  Multipoint Control Unit – Conference control and data distribution  Gateway – VoIP to PSTN/ISDN

7 SonicWALL/SecureIT 7 H.323 Entity Example Terminal (Analog Telephone Adapter [ATA]) Multipoint Control Unit Gatekeeper Gateway Terminal (H.323 Hard Phone) Terminal (H.323 Soft Phone) ILS (LDAP) Server Circuit Switched Networks Packet Network

8 SonicWALL/SecureIT 8 Mainstream VoIP – Skype  Acquired by eBay October 14, 2005  Decentralized peer-to-peer system  Skype encrypts all calls and instant messages end-to-end  Skype provides free Internet telephony in many cases  Impressively persistent in its ability to penetrate firewalls  If required by company policy, it is possible to block Skype  Concerns over unauthorized network access exist  e.g., a flaw found and fixed in October 2005 allowed the ability to take control of compromised computers via a buffer overflow exposure in Skype

9 SonicWALL/SecureIT 9 Mainstream VoIP – Others  SCCP/Skinny  Cisco Skinny Client Control Protocol  Proprietary protocol  MGCP  Media Gateway Control Protocol  Considered “Old-School” by some  Megaco (H.248)  Used between elements of a physically decomposed multimedia gateway; not for endpoint control  Quite heavyweight; used within telcos  Used for internally controlling IP telephony gateways

10 SonicWALL/SecureIT 10 VoIP Security Concern – Eavesdropping  Currently a very animated point of discussion for VoIP  Traffic Capture and Replay  VOMIT – Converts a captured phone call into a.wav file vomit -r phone.dump | waveplay -S8000 -B16 -C1  CAIN from Cain & Abel  VoIPong – Captures and dumps conversations to separate wave files. It works on SIP, H.323, SCCP, RTP and RTCP  But I have a switched network, I’m safe  APR (ARP Poison Routing) – Enables sniffing on switched networks and the interception of IP traffic on switched networks

11 SonicWALL/SecureIT 11 VoIP Security Concern – Eavesdropping  If media is encrypted, but signaling is not  Invasion of privacy vulnerability – Number Harvesting  Builds a list of “real” phone numbers for future use (SPIT)  Invasion of privacy vulnerability – Call Pattern Tracking  Who is calling whom? When? How long?  VoIP protection against eavesdropping  When implemented correctly – Better than POTS  When implemented incorrectly – More vulnerable than POTS

12 SonicWALL/SecureIT 12 VoIP Security Concern – Denial of Service  IP phones are participants in a network – No different than PCs that are participants in the same network  Request Flooding  H.323 Setup floods  SIP INVITE floods  Malformed Signaling  c07-SIP PROTOS –  CERT® Advisory CA-2003-06 affected Alcatel, Cisco, Ingate, IPTel, Mediatrix Telecom, Nortel and others  c07-h2250v4 PROTOS –  CERT® Advisory CA-2004-01 affected H.323 implementations of Cisco, Hewlett Packard, Microsoft, Nortel and others

13 SonicWALL/SecureIT 13 VoIP Security Concern – Quality of Service  QoS at Layer 2, 3 and 4+  Layer 2: 802.11p  Requires 802.11q VLAN header support  Layer 3: DSCP – Differentiated services  Contained within the IP header  802.11p/DSCP rely upon correct and accurate packet coloring  Vulnerable to injected higher-color network saturation  Dependent upon capability of intermediate network equipment  Layer 4: VoIP Aware Stateful BWM is most reliable  Requires VoIP awareness and multiple stream identification and coalation  Most effective when combined with Layer 2/3 marking/coloring

14 SonicWALL/SecureIT 14 VoIP Security Concern – Degradation of Quality  “Test shows VoIP call quality can improve with SSL VPN links”, Network World, February 20, 2006  TCP packet reordering and compression improved the quality of calls as compared to the “Reference” non-SSL link  With a Bad network, MOS rating improved from below 2.5 to above 3.5 for some vendors  A 3.0 MOS (Mean Opinion Score) rating is commonly considered as the minimum acceptable level

15 SonicWALL/SecureIT 15 VoIP Security Concern – Denial of Service  Interjected Signaling  Unsolicited “End Session” or “BYE” packets will terminate calls  Underlying OS DoS  A soft client is only as reliable as the OS it runs on  Microsoft  Distributed DoS  Multiple focused external attacks on a given Gateway  SYNFlood attacks, Malformed ICMP Nuke attacks, etc., can be mitigated or eliminated effectively with a proper firewall

16 SonicWALL/SecureIT 16 VoIP Security Concern – Interception/Modification  Call Black Holes  A directed attack utilizing Dynamic Routing at intermediate routers sending calls to unconnected networks  Call Hijacking  A directed attack utilizing Dynamic Routing at intermediate routers sending calls to unintended “other” receiver  Media Alteration  Modification of media stream  Caller ID Falsification  Caller ID modification – On-the-fly via interception or intended falsification by the call initiator

17 SonicWALL/SecureIT 17 VoIP Security Practices – Quality of Service  Appropriate Bandwidth  20-100 Kbps/voice call  Up to 2 Mbps/video call  Bandwidth Management  Coalesces disparate streams into a single flow  Improves performance by slowing down undesirable flows more than desirable flows  QoS  802.11p layer 2  DSCP layer 3

18 SonicWALL/SecureIT 18 VoIP Security Practices – Media and Signaling Encryption  IPSec VPN  Currently the most complete solution  Complexity of configuration is a barrier  Not supported by many vendors  TLS (Transport Layer Security), IETF  Interoperability concerns  Issues with key exchange  SSL (Secure Sockets Layer), Netscape, IETF  Generally not supported for peer-to-peer  Hub and spoke deployments

19 SonicWALL/SecureIT 19 Firewall – NAT/Port Considerations  VoIP issues with classic stateful NAT firewalls  Inbound access to UDP/TCP ports are restricted by default  RTP dynamically assigned an “even” port 1024-65534  It would be necessary to open up the entire firewall  RTCP port is dynamically remapped with Symmetric NAT  VoIP endpoints each have a unique IP  NAT turns all “internal” IPs into a single “external” IP  All incoming calls are to a single IP. Which endpoint is the actual intended IP?  VoIP requires an ALG or SBC solution

20 SonicWALL/SecureIT 20 Firewall Solution – SBC  Session Border Controller  A dedicated appliance which implements firewall/NAT traversal  Tricks the existing firewall  Placed in the Signaling and Media Path between calling and called parties  Breaks end-to-end security unless private keys are told to the SBC  Implemented as a B2BUA – Back-to-back User Agent  Can run into scalability issues

21 SonicWALL/SecureIT 21 Firewall Solutions – ALG  An Application Layer Gateway is a firewall which understands VoIP media  Embedded software on a firewall  Dynamically identifies, opens and closes ports as needed  Transforms outer (NAT) and inner (DPT) IPs & ports on-the-fly  May be able to identify and coalesce disparate streams into a single call flow for monitoring and QoS  Should be able to identify and protect against malformed signaling and media  Since it is not terminating/re-initiating calls, a proper ALG can scale beyond an SBC on a price/call metric

22 SonicWALL/SecureIT 22 NIST Recommendations  NIST Special Publication 800-58, January 2005  Logically distinct networks  Use an ALG firewall or Session Border Controller  STUN – Simple Traversal of UDP through NAT, does not work with Symmetric NAT  TURN – Traversal Using Relay NAT, works with STUN, limited to a single peer behind a NAT device  ICE – Interactive Connectivity Establishment, uses STUN, TURN, RSIP – requires additional SDB attributes  UPnP – Universal Plug and Play, multi-NAT scalability and security issues  Strong authentication and IPSec or SSH to access controller  Use end-point encryption or Site-to-Site IPSec tunnels  Don’t use soft phones – PCs are too vulnerable  Stay away from 802.11 a/b/g phones without IPSec

23 SonicWALL/SecureIT 23 VoIP Security Practices – Endpoint and Call Manager Protection  UTM Firewall  Unified Threat Management – GAV, IPS  Physical and Logical Security  Access to Call Manager must be restricted  It is only as secure as the weakest password  Redundant Power  VoIP requires AC power to operate; PSTN does not  End-to-end Encryption  TLS, SRTP covers media only  IPSec, SSL covers media and signaling

24 SonicWALL/SecureIT 24 References  NETWORKWORLD- http://www.networkworld.com  SonicWALL, “Beyond Interoperability: Network Security as a Voice over IP (VoIP) Enabler”- http://www.sonicwall.com  VOIPSA- http://voipsa.org  CERT- http://www.cert.org  University of Oulu, Finland-  NIST, “Security Considerations for Voice Over IP Systems”-

25 Thank you. Jeff Caldwell Director, R&D

Download ppt "Real World Practices for Securing VoIP Jeff Caldwell Director, R&D SonicWALL, Inc."

Similar presentations

Ads by Google