Presentation is loading. Please wait.

Presentation is loading. Please wait.

Real World Practices for Securing VoIP Jeff Caldwell Director, R&D SonicWALL, Inc.

Published byAlan Stodden Modified over 9 years ago

Similar presentations

Presentation on theme: "Real World Practices for Securing VoIP Jeff Caldwell Director, R&D SonicWALL, Inc."— Presentation transcript:

1 Real World Practices for Securing VoIP Jeff Caldwell Director, R&D SonicWALL, Inc.

2 SonicWALL/SecureIT 2 Deployed Security Devices

3 SonicWALL/SecureIT 3 Mainstream VoIP Common Signaling Protocols/VoIP Technologies  H.323  ITU, 1996  SCCP/Skinny  Cisco Proprietary, Mid-1990s from Selsius Corporation  MGCP  Media Gateway Control Protocol, IETF, 1999  SIP  Session Initiated Protocol, RFC 2543, 1999  Megaco/H.248  ITU/IETF, 2000  Skype  Proprietary, initial Beta launched August 29, 2003

4 SonicWALL/SecureIT 4 Mainstream VoIP – SIP  Session Initiation Protocol  IETF Standard – Dozens of RFCs  Initial standards ratified in the late 1990s  Supports both TCP and UDP media and signaling  Media can be audio, video, etc.  A SIP network is composed of a number of logical SIP entities:  User Agent (Phone)  Initiates, receives and terminates calls  Proxy Server (Call Controller)  Acts on behalf of UA in forwarding or responding to requests  Can “fork” requests to multiple servers  Redirect Server (Call Controller)  Responds to, but does not forward requests  Registration Server (Call Controller)  Handles User Agent authentication and registration

5 SonicWALL/SecureIT 5 SIP Entity Example Redirect Server Registrar User Agent Proxy Server Gateway Circuit Switched Networks Packet Network User Agent Registrar User Agent

6 SonicWALL/SecureIT 6 Mainstream VoIP – H.323  Standard for real-time transmission of audio, video and data over packet-based networks  Employs a combination of TCP and UDP for signaling  ASN.1 used for message encoding  Considered to have more overhead than SIP  Standards developed by ITU; v1 1996, v5 2003  Entities  Terminal – Communicating endpoint on network  Gatekeeper – Address translation, registration, admission control and status  Multipoint Control Unit – Conference control and data distribution  Gateway – VoIP to PSTN/ISDN

7 SonicWALL/SecureIT 7 H.323 Entity Example Terminal (Analog Telephone Adapter [ATA]) Multipoint Control Unit Gatekeeper Gateway Terminal (H.323 Hard Phone) Terminal (H.323 Soft Phone) ILS (LDAP) Server Circuit Switched Networks Packet Network

8 SonicWALL/SecureIT 8 Mainstream VoIP – Skype  Acquired by eBay October 14, 2005  Decentralized peer-to-peer system  Skype encrypts all calls and instant messages end-to-end  Skype provides free Internet telephony in many cases  Impressively persistent in its ability to penetrate firewalls  If required by company policy, it is possible to block Skype  Concerns over unauthorized network access exist  e.g., a flaw found and fixed in October 2005 allowed the ability to take control of compromised computers via a buffer overflow exposure in Skype

9 SonicWALL/SecureIT 9 Mainstream VoIP – Others  SCCP/Skinny  Cisco Skinny Client Control Protocol  Proprietary protocol  MGCP  Media Gateway Control Protocol  Considered “Old-School” by some  Megaco (H.248)  Used between elements of a physically decomposed multimedia gateway; not for endpoint control  Quite heavyweight; used within telcos  Used for internally controlling IP telephony gateways

10 SonicWALL/SecureIT 10 VoIP Security Concern – Eavesdropping  Currently a very animated point of discussion for VoIP  Traffic Capture and Replay  VOMIT – Converts a captured phone call into a.wav file vomit -r phone.dump | waveplay -S8000 -B16 -C1  CAIN from Cain & Abel  VoIPong – Captures and dumps conversations to separate wave files. It works on SIP, H.323, SCCP, RTP and RTCP  But I have a switched network, I’m safe  APR (ARP Poison Routing) – Enables sniffing on switched networks and the interception of IP traffic on switched networks

11 SonicWALL/SecureIT 11 VoIP Security Concern – Eavesdropping  If media is encrypted, but signaling is not  Invasion of privacy vulnerability – Number Harvesting  Builds a list of “real” phone numbers for future use (SPIT)  Invasion of privacy vulnerability – Call Pattern Tracking  Who is calling whom? When? How long?  VoIP protection against eavesdropping  When implemented correctly – Better than POTS  When implemented incorrectly – More vulnerable than POTS

12 SonicWALL/SecureIT 12 VoIP Security Concern – Denial of Service  IP phones are participants in a network – No different than PCs that are participants in the same network  Request Flooding  H.323 Setup floods  SIP INVITE floods  Malformed Signaling  c07-SIP PROTOS – http://www.ee.oulu.fihttp://www.ee.oulu.fi  CERT® Advisory CA-2003-06 affected Alcatel, Cisco, Ingate, IPTel, Mediatrix Telecom, Nortel and others  c07-h2250v4 PROTOS – http://www.ee.oulu.fihttp://www.ee.oulu.fi  CERT® Advisory CA-2004-01 affected H.323 implementations of Cisco, Hewlett Packard, Microsoft, Nortel and others

13 SonicWALL/SecureIT 13 VoIP Security Concern – Quality of Service  QoS at Layer 2, 3 and 4+  Layer 2: 802.11p  Requires 802.11q VLAN header support  Layer 3: DSCP – Differentiated services  Contained within the IP header  802.11p/DSCP rely upon correct and accurate packet coloring  Vulnerable to injected higher-color network saturation  Dependent upon capability of intermediate network equipment  Layer 4: VoIP Aware Stateful BWM is most reliable  Requires VoIP awareness and multiple stream identification and coalation  Most effective when combined with Layer 2/3 marking/coloring

14 SonicWALL/SecureIT 14 VoIP Security Concern – Degradation of Quality  “Test shows VoIP call quality can improve with SSL VPN links”, Network World, February 20, 2006  TCP packet reordering and compression improved the quality of calls as compared to the “Reference” non-SSL link  With a Bad network, MOS rating improved from below 2.5 to above 3.5 for some vendors  A 3.0 MOS (Mean Opinion Score) rating is commonly considered as the minimum acceptable level

15 SonicWALL/SecureIT 15 VoIP Security Concern – Denial of Service  Interjected Signaling  Unsolicited “End Session” or “BYE” packets will terminate calls  Underlying OS DoS  A soft client is only as reliable as the OS it runs on  Microsoft  Distributed DoS  Multiple focused external attacks on a given Gateway  SYNFlood attacks, Malformed ICMP Nuke attacks, etc., can be mitigated or eliminated effectively with a proper firewall

16 SonicWALL/SecureIT 16 VoIP Security Concern – Interception/Modification  Call Black Holes  A directed attack utilizing Dynamic Routing at intermediate routers sending calls to unconnected networks  Call Hijacking  A directed attack utilizing Dynamic Routing at intermediate routers sending calls to unintended “other” receiver  Media Alteration  Modification of media stream  Caller ID Falsification  Caller ID modification – On-the-fly via interception or intended falsification by the call initiator

17 SonicWALL/SecureIT 17 VoIP Security Practices – Quality of Service  Appropriate Bandwidth  20-100 Kbps/voice call  Up to 2 Mbps/video call  Bandwidth Management  Coalesces disparate streams into a single flow  Improves performance by slowing down undesirable flows more than desirable flows  QoS  802.11p layer 2  DSCP layer 3

18 SonicWALL/SecureIT 18 VoIP Security Practices – Media and Signaling Encryption  IPSec VPN  Currently the most complete solution  Complexity of configuration is a barrier  Not supported by many vendors  TLS (Transport Layer Security), IETF  Interoperability concerns  Issues with key exchange  SSL (Secure Sockets Layer), Netscape, IETF  Generally not supported for peer-to-peer  Hub and spoke deployments

19 SonicWALL/SecureIT 19 Firewall – NAT/Port Considerations  VoIP issues with classic stateful NAT firewalls  Inbound access to UDP/TCP ports are restricted by default  RTP dynamically assigned an “even” port 1024-65534  It would be necessary to open up the entire firewall  RTCP port is dynamically remapped with Symmetric NAT  VoIP endpoints each have a unique IP  NAT turns all “internal” IPs into a single “external” IP  All incoming calls are to a single IP. Which endpoint is the actual intended IP?  VoIP requires an ALG or SBC solution

20 SonicWALL/SecureIT 20 Firewall Solution – SBC  Session Border Controller  A dedicated appliance which implements firewall/NAT traversal  Tricks the existing firewall  Placed in the Signaling and Media Path between calling and called parties  Breaks end-to-end security unless private keys are told to the SBC  Implemented as a B2BUA – Back-to-back User Agent  Can run into scalability issues

21 SonicWALL/SecureIT 21 Firewall Solutions – ALG  An Application Layer Gateway is a firewall which understands VoIP media  Embedded software on a firewall  Dynamically identifies, opens and closes ports as needed  Transforms outer (NAT) and inner (DPT) IPs & ports on-the-fly  May be able to identify and coalesce disparate streams into a single call flow for monitoring and QoS  Should be able to identify and protect against malformed signaling and media  Since it is not terminating/re-initiating calls, a proper ALG can scale beyond an SBC on a price/call metric

22 SonicWALL/SecureIT 22 NIST Recommendations  NIST Special Publication 800-58, January 2005  Logically distinct networks  Use an ALG firewall or Session Border Controller  STUN – Simple Traversal of UDP through NAT, does not work with Symmetric NAT  TURN – Traversal Using Relay NAT, works with STUN, limited to a single peer behind a NAT device  ICE – Interactive Connectivity Establishment, uses STUN, TURN, RSIP – requires additional SDB attributes  UPnP – Universal Plug and Play, multi-NAT scalability and security issues  Strong authentication and IPSec or SSH to access controller  Use end-point encryption or Site-to-Site IPSec tunnels  Don’t use soft phones – PCs are too vulnerable  Stay away from 802.11 a/b/g phones without IPSec

23 SonicWALL/SecureIT 23 VoIP Security Practices – Endpoint and Call Manager Protection  UTM Firewall  Unified Threat Management – GAV, IPS  Physical and Logical Security  Access to Call Manager must be restricted  It is only as secure as the weakest password  Redundant Power  VoIP requires AC power to operate; PSTN does not  End-to-end Encryption  TLS, SRTP covers media only  IPSec, SSL covers media and signaling

24 SonicWALL/SecureIT 24 References  NETWORKWORLD- http://www.networkworld.comhttp://www.networkworld.com  SonicWALL, “Beyond Interoperability: Network Security as a Voice over IP (VoIP) Enabler”- http://www.sonicwall.comhttp://www.sonicwall.com  VOIPSA- http://voipsa.orghttp://voipsa.org  CERT- http://www.cert.orghttp://www.cert.org  University of Oulu, Finland- http://www.ee.oulo.fi/?enhttp://www.ee.oulo.fi/?en  NIST, “Security Considerations for Voice Over IP Systems”- http://csrc.nist.gov http://csrc.nist.gov

25 Thank you. Jeff Caldwell Director, R&D jcaldwell@sonicwall.com www.sonicwall.com

Download ppt "Real World Practices for Securing VoIP Jeff Caldwell Director, R&D SonicWALL, Inc."

Similar presentations

The leader in session border control for trusted, first class interactive communications.

The leader in session border control for trusted, first class interactive communications.
SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.

Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
1 IP Telephony (VoIP) CSI4118 Fall 2005. 2 Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.

1 IP Telephony (VoIP) CSI4118 Fall Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.
H. 323 Chapter 4.

H. 323 Chapter 4.
A Presentation on H.323 Deepak Bote. Email, IM, blog…

A Presentation on H.323 Deepak Bote. , IM, blog…
Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.

Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.
Voice over IP Fundamentals

Voice over IP Fundamentals
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
April 12, 2004 H.323: Hardware and Software Vulnerabilities 1 H.323 Hardware and Software Vulnerabilities Jeremy Freeman Brian Leger Robert Muller.

April 12, 2004 H.323: Hardware and Software Vulnerabilities 1 H.323 Hardware and Software Vulnerabilities Jeremy Freeman Brian Leger Robert Muller.
Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)

Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom - version 1.0 Voice over IP (VoIP)
24/08/2005 IP Telephony1 Guided by: Presented by: Dr.S.K.Ghosh Nitesh Jain 05IT6008 M.Tech 1 st year.

24/08/2005 IP Telephony1 Guided by: Presented by: Dr.S.K.Ghosh Nitesh Jain 05IT6008 M.Tech 1 st year.
SIP and IMS Enabled Residential Gateway Sergio Romero Telefónica I+D Jan Önnegren Ericsson AB Alex De Smedt Thomson Telecom.

SIP and IMS Enabled Residential Gateway Sergio Romero Telefónica I+D Jan Önnegren Ericsson AB Alex De Smedt Thomson Telecom.
January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.

January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.
1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.
Copyright Security-Assessment.com 2005 Voice over IP What You Don’t Know Can Hurt You by Darren Bilby.

Copyright Security-Assessment.com 2005 Voice over IP What You Don’t Know Can Hurt You by Darren Bilby.
Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)

Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.

September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.

Similar presentations

Ads by Google