Fortinet VoIP Security June 2007 Carl Windsor.

The VoIP Security Problem
- VoIP developed by voice specialists
- Security an afterthought
- Primary concern is voice quality and latency
- Consumer VoIP became commonplace overnight
- Vendor interoperability
"In 2007 Voice over IP (VoIP) systems will be the target of cyber attacks. VoIP technology was deployed hastily without fully understanding security." (SANS Institute: Security Trends for 2007)

Common VoIP Security Issues – Sharing Resources
- VoIP commonly shares data networks
- Data network traffic can impact the voice network
  - Large file transfers increase latency and jitter
  - VoIP should be treated as the highest priority; mail, FTP, HTTP lower priority
- Virus/worm infections on the data network can cause high volumes of traffic and effectively DoS VoIP systems (Slammer, Nimda)

Common VoIP Security Issues – Plaintext transmission
- VoIP communications often unencrypted
- Secure VoIP implementations vendor specific
- Is there a risk to data in transit?

Common VoIP Security Issues – Plaintext transmission
What if this was the sound of you entering your voice banking PIN or credit card number?

Common VoIP Security Issues – Dynamic Ports and NAT
The VoIP payload, RTP traffic, is dynamically assigned an even port number in the range of non-privileged UDP ports (1024-65534) and specified in the packet body of the signalling protocol.

Example VoIP Packet

  Header:
    Source IP      Source Port   Destination IP   Destination Port
    212.32.45.6    5346          64.58.79.231     389

  Message Body:
    ......
    Source IP: 212.32.45.6
    Source (RTP) Port: 5005
    ...

Common VoIP Security Issues – Dynamic Ports and NAT
Options:
- Don’t allow VoIP communications through your firewall
- Open a large range of possibly damaging application ports as per the firewall or application vendor's advice, for example:
  "To establish outbound NetMeeting connections through a firewall, the firewall must be configured to do the following:
   - Pass through primary TCP connections on ports 389, 522, 1503, 1720, and 1731
   - Pass through secondary TCP and UDP connections on dynamically assigned ports (1024-65535)"

Common VoIP Security Issues – Dynamic Ports and NAT
The VoIP payload, RTP traffic, is dynamically assigned an even port number in the range of non-privileged UDP ports (1024-65534) and specified in the packet body of the session protocol.
What happens when you use Network Address Translation?
(Diagram: internal phone 192.168.1.10, NAT public address 212.32.45.6, remote party 64.58.79.231)

Example VoIP Packet

  Header:
    Source IP      Source Port   Destination IP   Destination Port
    192.168.1.10   5346          64.58.79.231     389

  Message Body:
    ......
    Source IP: 192.168.1.10
    Source (RTP) Port: 5005
    ...

Example VoIP Packet – NAT Applied

  Header:
    Source IP                     Source Port    Destination IP   Destination Port
    192.168.1.10 → 212.32.45.6    5346 → 23456   64.58.79.231     389

  Message Body (unchanged by NAT):
    ......
    Source IP: 192.168.1.10
    Source (RTP) Port: 5005
    ...

Future Security Threats
Follow what happened to e-mail and multiply by 100:
- DoS
- SPAM
- Misconfigured relay SPAM
- Botnet SPAM
Real threat or hype?

Future Security Threats
Not so far in the..... future

Future Security Threats
Introducing Javabot (http://www.loria.fr/~nassar/readme.html)
- DOS: Send successive INVITE with different transactions to the target (IP phone or SIP server). To paralyze a SIP server, you may need many bots
- SPIT: Send media audio to some SIP user (Username + IP)
- SCAN: take a list of destinations and send respective INVITE messages to a SIP server. Depending on the response of the server, a destination is matched as an existent user or not
- CRACK: if by scanning you discover the SIP username of one user, you can try to crack its password
- REGISTER: if by cracking you have the password of a user, you can register instead of it and transfer calls
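As an added defender-side example (not from the presentation or the Javabot project), the three Javabot behaviours a SIP server sees directly, INVITE floods, user scanning and password cracking, can be spotted in proxy logs; the log format, the sample lines and the thresholds below are assumptions:

```python
import re
from collections import Counter, defaultdict

# Constructed SIP proxy log (not from the page). One line per transaction:
# <epoch-seconds> <client-ip> <method> <target-user> <final-response-code>
SIP_LOG = """\
1181000000 10.0.0.5 INVITE alice 200
1181000010 10.0.0.7 INVITE u100 404
1181000010 10.0.0.7 INVITE u101 404
1181000011 10.0.0.7 INVITE u102 404
1181000020 10.0.0.8 REGISTER alice 401
1181000021 10.0.0.8 REGISTER alice 401
1181000022 10.0.0.8 REGISTER alice 401
1181000023 10.0.0.8 REGISTER alice 401
1181000024 10.0.0.8 REGISTER alice 401
""" + "".join(f"{1181000030 + i // 10} 10.0.0.6 INVITE alice 486\n"
              for i in range(60))   # 60 INVITEs in 6 s from one source

LINE = re.compile(r"^(\d+) (\S+) (INVITE|REGISTER) (\S+) (\d{3})$")

def parse(log):
    """Parse log lines into (time, ip, method, user, code) tuples."""
    rows = (LINE.match(line) for line in log.splitlines())
    return [(int(m[1]), m[2], m[3], m[4], int(m[5])) for m in rows if m]

def invite_flood(events, window=10, threshold=50):
    """DOS pattern: sources sending >= threshold INVITEs within any window."""
    per_src = defaultdict(list)
    for t, ip, method, _, _ in events:
        if method == "INVITE":
            per_src[ip].append(t)
    hits = set()
    for ip, times in per_src.items():
        times.sort()
        lo = 0                      # sliding window over sorted timestamps
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.add(ip)
    return hits

def user_enumeration(events, threshold=3):
    """SCAN pattern: one source collecting 404s for >= threshold distinct users."""
    unknown = defaultdict(set)
    for _, ip, method, user, code in events:
        if method == "INVITE" and code == 404:
            unknown[ip].add(user)
    return {ip for ip, users in unknown.items() if len(users) >= threshold}

def register_bruteforce(events, threshold=5):
    """CRACK pattern: (source, user) pairs with >= threshold rejected REGISTERs."""
    fails = Counter((ip, user) for _, ip, method, user, code in events
                    if method == "REGISTER" and code == 401)
    return {pair for pair, n in fails.items() if n >= threshold}
```

Each detector returns the offending sources, so the same functions can feed a block list or an alert rather than only being printed.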

Enhancing Your VoIP Security

FortiGate VoIP Support
- Support for VLANs: segregate your data and voice networks
- Support for QoS: prioritise your voice traffic over less critical traffic; guarantee bandwidth for VoIP traffic
- High speed and throughput
  - Encryption: ASIC-accelerated 3DES/AES IPsec VPN
  - Small packet performance: high numbers of concurrent sessions, wirespeed small packet performance

FortiGate VoIP Support
The FortiGate series now supports three major VoIP protocol application layer gateways (ALGs): H.323, SIP, and SCCP (Skinny). Each ALG allows the FortiGate to provide:
- NAT of VoIP traffic
- Pinhole: firewall your VoIP devices, monitoring and blocking of unwanted VoIP traffic
- IPS protection of the VoIP protocol: protocol anomalies, denial of service attacks, buffer overflows, and header manipulation attacks

FortiGate VoIP Support – Application awareness - NAT

  Header:
    Source IP                     Source Port   Destination IP   Destination Port
    192.168.1.10 → 212.32.45.6    23456         64.58.79.231     ...

  Message Body (rewritten by the ALG):
    ......
    Source IP: 192.168.1.10 → 212.32.45.6
    Source (RTP) Port: 5005 → 23456
    ...

Application-aware firewalls understand that the data payload needs modifying as well as the header.
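An added illustration (not code from the presentation or from Fortinet) of the NAT packet slides and of what an application-aware gateway must do: a constructed SDP body carrying the slides' addresses is passed through plain NAT, then through an ALG-style rewrite, and a check flags bodies that still advertise an RTP endpoint the far end cannot reach. The SDP text, the packet field names and the check itself are assumptions:

```python
import re
import ipaddress

# Addresses and ports taken from the slides; the SDP body itself is constructed.
PRIVATE_IP, PRIVATE_RTP = "192.168.1.10", 5005
PUBLIC_IP, PUBLIC_PORT = "212.32.45.6", 23456

# SDP body of a SIP INVITE: c= carries the media address, m=audio the RTP port.
# Plain NAT rewrites the IP/UDP header and never looks at these lines.
SDP_BODY = (
    "v=0\r\n"
    f"o=alice 1 1 IN IP4 {PRIVATE_IP}\r\n"
    f"c=IN IP4 {PRIVATE_IP}\r\n"
    f"m=audio {PRIVATE_RTP} RTP/AVP 0\r\n"
)

# A packet modelled the way the slide draws it: header fields plus a body.
PACKET = {"src_ip": PRIVATE_IP, "src_port": 5346,
          "dst_ip": "64.58.79.231", "dst_port": 389, "body": SDP_BODY}

def sdp_media_endpoint(body):
    """Return (ip, rtp_port) advertised by the SDP c= and m=audio lines."""
    ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", body, re.M).group(1))
    return ip, port

def plain_nat(pkt, pub_ip, pub_port):
    """Header-only NAT, as on the 'NAT Applied' slide: the body is untouched."""
    return {**pkt, "src_ip": pub_ip, "src_port": pub_port}

def alg_nat(pkt, pub_ip, pub_port):
    """Application-aware NAT (ALG): rewrites the header and the SDP media
    fields, here to the public address and port the slide shows."""
    body = re.sub(r"(IN IP4 )\S+", rf"\g<1>{pub_ip}", pkt["body"])
    body = re.sub(r"^(m=audio )\d+", rf"\g<1>{pub_port}", body, flags=re.M)
    return {**pkt, "src_ip": pub_ip, "src_port": pub_port, "body": body}

def media_unreachable(pkt):
    """Defender's check on a packet leaving the NAT: True when the body
    advertises an RTP endpoint the far end cannot reach (a private address,
    or one that disagrees with the header source). Such calls signal fine
    but end up with one-way or no audio."""
    ip, _ = sdp_media_endpoint(pkt["body"])
    return ipaddress.ip_address(ip).is_private or ip != pkt["src_ip"]
```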

FortiGate VoIP Support – Application awareness

FortiGate VoIP Support – Intrusion and DoS prevention

FortiGate VoIP Support – Logging and reporting

Example Deployment – Distributed Call Centre

Example Deployment – Corporate Offices

Future Fortinet Developments
- Convert SIP over TCP to UDP
- Support SIP on dynamically chosen ports (MSN, AIM, ICQ, Yahoo)
- SIP header compression/decompression
- SIP/SIMPLE AV scanning
- New vendor-specific ALGs
- Stream Control Transmission Protocol (SCTP) support
- Call recording and archive
- Anti-SPIT

Questions