Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to VoIP security Mark Fawcett, Head of Global Professional Services, Aculab.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to VoIP security Mark Fawcett, Head of Global Professional Services, Aculab."— Presentation transcript:

1 Introduction to VoIP security Mark Fawcett, Head of Global Professional Services, Aculab

2

3 Session agenda Introduction to VoIP security Security – the basics Essential technology and terminology Threats and vulnerabilities Best practices for VoIP security – recommendations

4 Session agenda Introduction to VoIP security Security – the basics Essential technology and terminology Threats and vulnerabilities Best practices for VoIP security – recommendations

5 Introduction to VoIP security What do we mean by VoIP security? Different things to different people Private users, business users, 3 rd party providers, carriers Privacy Protection Technology

6 The state of VoIP security – are we in trouble?

7 Introduction to VoIP security So, we’re all doomed Not really Security and fraud are not new e-Security is pretty good VoIP security is similar We’re all saved Not really Poacher vs. gamekeeper People will make mistakes Time to look in more detail…

8 Introduction to VoIP security What are the real threats? Remember, the PSTN isn’t secure either Before we look at the details, let’s start with the basics… Eavesdropping Unauthorised call capture, either internally or externally Includes remote speakerphone activation Toll fraud Internal misuse or external access to call services Rogue call placement DoS (Denial of Service) Attacks against call servers, gateways and other network elements

9 Session agenda Introduction to VoIP security Security – the basics Essential technology and terminology Threats and vulnerabilities Best practices for VoIP security – recommendations

10 Security – the basics, 3 principles It’s all about information (spoken, printed, transmitted, etc.) Worldwide principles: DOD, CESG, Academia Eavesdropping Unauthorised call capture, either internally or externally Includes remote speakerphone activation Toll fraud Internal misuse or external access to call services Rogue call placement DoS (Denial of Service) Attacks against call servers, gateways and other network elements Confidentiality Only those who need to know… Integrity Who, what, where, when… Availability When it absolutely, positively has to be there…

11 Security: the basics, threat assessment So, we have the 3 tenets Confidentiality Integrity Availability But how do we apply them? Threat assessment Ask a number of questions Specific to the requirement Relate them to the 3 tenets Always think consequences

12 Security: the basics, threat assessment The wrong questions Can I be overheard or recorded? Am I talking to who I think I’m talking to? Can I get through when I need to? The right questions What am I trying to protect? What could happen if I can’t get through? What information could be compromised if I’m recorded? What are the costs to my business of toll-fraud / DoS? What are the real and important consequences?

13 Consequences Depends on circumstance Consider monitoring of VoIP On the Internet Joe Public – worried about credit card details – little threat Terrorist – worried about being monitored – big threat On a private business LAN Secure premises, no wireless – little threat Open premises/access, aggressive competitors – high threat

14 Consequences: a question of balance If you focus on Confidentiality It’s to the detriment of Integrity and Availability What-ifs and backup plans get forgotten Example – ACME holding corp. Need secure communications – so all comms are secured System’s comms keys expire 1 st Jan No sys-admin on duty No fallback in place No communications at all

15 Security – the basics, some truisms Security is a form of risk management Security through obscurity is not security A chain is only as strong as its weakest link Nothing is 100% certain… …except death…...and taxes

16 Session agenda Introduction to VoIP security Security – the basics Essential technology and terminology Threats and vulnerabilities Best practices for VoIP security – recommendations

17 Encryption Think of locking a valuable in a safe with a padlock and key The valuable is your data The padlock is the algorithm The key is…the key There are two main types of lock and key…

18 Encryption Symmetric Basic, strong, padlock 2 copies of the same key AES, DES Asymmetric Complex strong padlock 2 different key holes 2 different keys Diffie-Hellman, RSA

19 A word of warning…

20 Symmetric Uses a single key to lock/unlock the padlock The algorithm (padlock) can come in a variety of forms Some are more complex than others All are fast (lightweight) Lots of different modes

21 Asymmetric Uses one key to lock the padlock, the other to unlock it The padlock is very complicated How’s your prime number and factoring mathematics? The algorithms are slow How does it work in practice? Keys come in pairs, public/private I publish (or send you) my public key You write something You encrypt (lock) it using my public key I (and only I) can decrypt (unlock) it using my private key

22 To summarise Symmetric Good, strong but basic padlock Needs copies of the same key – vulnerable to compromise Fast Asymmetric Good, strong and complex padlock Uses different keys – much less vulnerable to compromise Slow

23 Need a fast encryption/decryption algorithm for RTP comms Symmetric (AES etc.) Relies on a shared, common, key Change the key regularly - how to exchange it securely? Symmetric keys are typically short (in comparison to traffic) We need a reliable, secure exchange mechanism Does not need to be fast (real-time) So we can use asymmetric algorithm to exchange keys …we have the power… How to make this work for VoIP

24 VoIP security – essential technology and terminology..we have the power, are we ready for some terms… TLS Secure RTP (SRTP) SIPS IPsec MIKEY HMAC SHA-1 / MD5

25 VoIP security – essential technology and terminology TLS Secure RTP (SRTP) SIPS IPsec MIKEY HMAC SHA-1 / MD5 Transport Layer Security (TLS) - Cryptographic protocol for Internet applications (supersedes SSL) - TLS involves three basic phases: Peer negotiation for algorithm support Key exchange and authentication (RSA, Diffie-Hellman, etc.) Message encryption and authentication (Symmetric ciphers: Triple DES, AES; Cryptographic hash function: HMAC-MD5 or HMAC-SHA )

26 VoIP security – essential technology and terminology TLS Secure RTP (SRTP) SIPS IPsec MIKEY HMAC SHA-1 / MD5 Secure RTP (IETF RFC 3711) Encryption (confidentiality) Authentication (message integrity) Anti-replay protection - Used for voice and video - Supports both unicast and multicast - No key management mechanism - Utilised only one cipher (AES)

27 VoIP security – essential technology and terminology TLS Secure RTP (SRTP) SIPS IPsec MIKEY HMAC SHA-1 / MD5 Secure SIP (SIP with TLS) - Requires support for SIP over TCP (still part of the IETF RFC 3261) - Protects SIP messages against Encryption (confidentiality) Authentication (message integrity) Anti-replay protection - Integrated key management with mutual authentication and secure key distribution - Applied between proxies or UA/proxy

28 VoIP security – essential technology and terminology TLS Secure RTP (SRTP) SIPS IPsec MIKEY HMAC SHA-1 / MD5 IPsec – secure form of IP tunnelling Encryption (confidentiality) Authentication (message integrity) Anti-replay protection - Operates at the network layer (OSI L3) while TLS, SRTP, SIPS @ OSI L4-L7 - Mainly used for VPN communications - Mandatory security scheme for IPv6 - Two operation modes: -Transport (message body encryption) - Tunnel (whole packet)

29 VoIP security – essential technology and terminology TLS Secure RTP (SRTP) SIPS IPsec MIKEY HMAC SHA-1 / MD5 MIKEY – Key management procedure - Negotiation of cryptographic keys and security parameters (SP) - Multimedia Internet KEYing (IETF RFC 3830) - Designed for real time traffic (SIP/RTP calls, RTSP, streaming, groups, multicast) - Single or multiple crypto sessions (RTP/RTCP encrypted separately) Symmetric key distribution (pre-shared keys, HMAC integrity protection) Asymmetric key distribution Diffie-Hellman key agreement protected by digital signatures

30 VoIP security – essential technology and terminology TLS Secure RTP (SRTP) SIPS IPsec MIKEY HMAC SHA-1 / MD5 HMAC – keyed-Hash Message Authentication Code - Verifies data integrity and authenticity of a message - IETF RFC 2202 - SHA-1 and MD5 are two main types of cryptographic hash functions - Operate on 512-bit blocks - Cryptographic strength depends on the hash functions

31 We have looked at TLS Secure RTP (SRTP) SIPS IPsec MIKEY HMAC SHA-1 / MD5 …we have even more power… VoIP security – essential technology and terminology

32 Session agenda Introduction to VoIP security Security – the basics Essential technology and terminology Threats and vulnerabilities Best practices for VoIP security – recommendations

33 SIP specific vulnerabilities Eavesdropping General/directory scanning Flooding/Fuzzing Registration highjack/manipulation Man-in-the-middle

34 SIP specific vulnerabilities Session tear-down Reboot attacks Redirection RTP SPIT Vishing

35 What does it all mean? Confused, uncertain? You are not alone, what does it all mean?

36 What does it all mean – an opinion The reality – business VoIP deployments are growing, security is keeping pace Large scale VoIP is being deployed within business LANs PSTN provides a ‘firebreak’ Firewalls/SBCs can provide IP ‘firebreaks’ The reality – private users VoIP is used over the Internet (or on connected systems) Tend to be on ‘soft’ devices More vulnerable to attack and compromise Used as a vector to gain remote access

37 What does it all mean – an opinion The reality – third party carriers Huge amount of cheap call providers Often use VoIP for long-haul/international legs What is that VoIP being carried over? How vulnerable are those links?

38 What does it all mean – an opinion The reality – tier 1 and 2 carriers AT&T, BT et al. moving to IP core networks Does this mean IP/SIP all the way for voice? Does this mean end-end security will be provided? Does this mean end-end security could be added by user? Will an IP carrier look anything like a current, Internet/LAN call?

39 Session agenda Introduction to VoIP security Security – the basics Essential technology and terminology Threats and vulnerabilities Best practices for VoIP security – recommendations

40 Recommendations KISS Don’t just install products Audit and trace Apply updates Test and attack Holistic approach

41 Recommendations Separate voice and data on different networks Logical or physical Different subnets (address blocks) for voice and data traffic Apply call control security - SIPS Additionally apply voice traffic security (SRTP) Secure access Remote administration of network devices WPA not WEP for wireless

42 Recommendations - additional Border controls Use protocol breaks Allow VoIP traffic via an ‘intelligent’ firewall Don’t rely on firewall bypass protocols/techniques (STUN etc.) Stateful packet rules and filtering Avoid soft-phones if possible Session Border Controllers can be used

43 Sample network architecture VoIP calls pass via the firewall (STUN, TURN, ICE) Separate VoIP and data logical/physical subnets SIP and RTP are disallowed, OAM&P is via IPsec or SSH SecureRTP and SIPS are applied

44 Any questions? Have you got any questions?

45 Summary Security = Confidentiality, Integrity and Availability Consequences and threat assessments VoIP security threats are real The risks are not new or unique to VoIP There are several steps that can mitigate/manage threats Carriers moving to VoIP cores is a different issue Essential technology: TLS, Secure RTP, SIPS, IPsec, MIKEY

46 Thank you mark.fawcett@aculab.com

Download ppt "Introduction to VoIP security Mark Fawcett, Head of Global Professional Services, Aculab."

Similar presentations

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Cryptography and Network Security

Cryptography and Network Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Security S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.

Security S Wireless Personal, Local, Metropolitan, and Wide Area Networks1 Contents Security requirements Public key cryptography Key agreement/transport.
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.

Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.

IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.

Network Security Chapter 8. Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
Wireless Encryption By: Kara Dolansky Network Management Spring 2009.

Wireless Encryption By: Kara Dolansky Network Management Spring 2009.
W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T IKE Tutorial.

W O R L D W I D E L E A D E R I N S E C U R I N G T H E I N T E R N E T IKE Tutorial.
TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.

TCP/IP Protocol Suite 1 Chapter 28 Upon completion you will be able to: Security Differentiate between two categories of cryptography schemes Understand.
Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.

Lecture 22 Internet Security Protocols and Standards modified from slides of Lawrie Brown.
Chapter 8 Network Security 4/17/2017 www.noteshit.com.

Chapter 8 Network Security 4/17/2017
K. Salah1 Security Protocols in the Internet IPSec.

K. Salah1 Security Protocols in the Internet IPSec.
Chapter 8 Web Security.

Chapter 8 Web Security.

Similar presentations

Ads by Google