Real World Practices for Securing VoIP Jeff Caldwell Director, R&D SonicWALL, Inc.
SonicWALL/SecureIT 2 Deployed Security Devices
SonicWALL/SecureIT 3 Mainstream VoIP Common Signaling Protocols/VoIP Technologies H.323 ITU, 1996 SCCP/Skinny Cisco Proprietary, Mid-1990s from Selsius Corporation MGCP Media Gateway Control Protocol, IETF, 1999 SIP Session Initiated Protocol, RFC 2543, 1999 Megaco/H.248 ITU/IETF, 2000 Skype Proprietary, initial Beta launched August 29, 2003
SonicWALL/SecureIT 4 Mainstream VoIP – SIP Session Initiation Protocol IETF Standard – Dozens of RFCs Initial standards ratified in the late 1990s Supports both TCP and UDP media and signaling Media can be audio, video, etc. A SIP network is composed of a number of logical SIP entities: User Agent (Phone) Initiates, receives and terminates calls Proxy Server (Call Controller) Acts on behalf of UA in forwarding or responding to requests Can “fork” requests to multiple servers Redirect Server (Call Controller) Responds to, but does not forward requests Registration Server (Call Controller) Handles User Agent authentication and registration
SonicWALL/SecureIT 5 SIP Entity Example Redirect Server Registrar User Agent Proxy Server Gateway Circuit Switched Networks Packet Network User Agent Registrar User Agent
SonicWALL/SecureIT 6 Mainstream VoIP – H.323 Standard for real-time transmission of audio, video and data over packet-based networks Employs a combination of TCP and UDP for signaling ASN.1 used for message encoding Considered to have more overhead than SIP Standards developed by ITU; v1 1996, v Entities Terminal – Communicating endpoint on network Gatekeeper – Address translation, registration, admission control and status Multipoint Control Unit – Conference control and data distribution Gateway – VoIP to PSTN/ISDN
SonicWALL/SecureIT 7 H.323 Entity Example Terminal (Analog Telephone Adapter [ATA]) Multipoint Control Unit Gatekeeper Gateway Terminal (H.323 Hard Phone) Terminal (H.323 Soft Phone) ILS (LDAP) Server Circuit Switched Networks Packet Network
SonicWALL/SecureIT 8 Mainstream VoIP – Skype Acquired by eBay October 14, 2005 Decentralized peer-to-peer system Skype encrypts all calls and instant messages end-to-end Skype provides free Internet telephony in many cases Impressively persistent in its ability to penetrate firewalls If required by company policy, it is possible to block Skype Concerns over unauthorized network access exist e.g., a flaw found and fixed in October 2005 allowed the ability to take control of compromised computers via a buffer overflow exposure in Skype
SonicWALL/SecureIT 9 Mainstream VoIP – Others SCCP/Skinny Cisco Skinny Client Control Protocol Proprietary protocol MGCP Media Gateway Control Protocol Considered “Old-School” by some Megaco (H.248) Used between elements of a physically decomposed multimedia gateway; not for endpoint control Quite heavyweight; used within telcos Used for internally controlling IP telephony gateways
SonicWALL/SecureIT 10 VoIP Security Concern – Eavesdropping Currently a very animated point of discussion for VoIP Traffic Capture and Replay VOMIT – Converts a captured phone call into a.wav file vomit -r phone.dump | waveplay -S8000 -B16 -C1 CAIN from Cain & Abel VoIPong – Captures and dumps conversations to separate wave files. It works on SIP, H.323, SCCP, RTP and RTCP But I have a switched network, I’m safe APR (ARP Poison Routing) – Enables sniffing on switched networks and the interception of IP traffic on switched networks
SonicWALL/SecureIT 11 VoIP Security Concern – Eavesdropping If media is encrypted, but signaling is not Invasion of privacy vulnerability – Number Harvesting Builds a list of “real” phone numbers for future use (SPIT) Invasion of privacy vulnerability – Call Pattern Tracking Who is calling whom? When? How long? VoIP protection against eavesdropping When implemented correctly – Better than POTS When implemented incorrectly – More vulnerable than POTS
SonicWALL/SecureIT 12 VoIP Security Concern – Denial of Service IP phones are participants in a network – No different than PCs that are participants in the same network Request Flooding H.323 Setup floods SIP INVITE floods Malformed Signaling c07-SIP PROTOS – CERT® Advisory CA affected Alcatel, Cisco, Ingate, IPTel, Mediatrix Telecom, Nortel and others c07-h2250v4 PROTOS – CERT® Advisory CA affected H.323 implementations of Cisco, Hewlett Packard, Microsoft, Nortel and others
SonicWALL/SecureIT 13 VoIP Security Concern – Quality of Service QoS at Layer 2, 3 and 4+ Layer 2: p Requires q VLAN header support Layer 3: DSCP – Differentiated services Contained within the IP header p/DSCP rely upon correct and accurate packet coloring Vulnerable to injected higher-color network saturation Dependent upon capability of intermediate network equipment Layer 4: VoIP Aware Stateful BWM is most reliable Requires VoIP awareness and multiple stream identification and coalation Most effective when combined with Layer 2/3 marking/coloring
SonicWALL/SecureIT 14 VoIP Security Concern – Degradation of Quality “Test shows VoIP call quality can improve with SSL VPN links”, Network World, February 20, 2006 TCP packet reordering and compression improved the quality of calls as compared to the “Reference” non-SSL link With a Bad network, MOS rating improved from below 2.5 to above 3.5 for some vendors A 3.0 MOS (Mean Opinion Score) rating is commonly considered as the minimum acceptable level
SonicWALL/SecureIT 15 VoIP Security Concern – Denial of Service Interjected Signaling Unsolicited “End Session” or “BYE” packets will terminate calls Underlying OS DoS A soft client is only as reliable as the OS it runs on Microsoft Distributed DoS Multiple focused external attacks on a given Gateway SYNFlood attacks, Malformed ICMP Nuke attacks, etc., can be mitigated or eliminated effectively with a proper firewall
SonicWALL/SecureIT 16 VoIP Security Concern – Interception/Modification Call Black Holes A directed attack utilizing Dynamic Routing at intermediate routers sending calls to unconnected networks Call Hijacking A directed attack utilizing Dynamic Routing at intermediate routers sending calls to unintended “other” receiver Media Alteration Modification of media stream Caller ID Falsification Caller ID modification – On-the-fly via interception or intended falsification by the call initiator
SonicWALL/SecureIT 17 VoIP Security Practices – Quality of Service Appropriate Bandwidth Kbps/voice call Up to 2 Mbps/video call Bandwidth Management Coalesces disparate streams into a single flow Improves performance by slowing down undesirable flows more than desirable flows QoS p layer 2 DSCP layer 3
SonicWALL/SecureIT 18 VoIP Security Practices – Media and Signaling Encryption IPSec VPN Currently the most complete solution Complexity of configuration is a barrier Not supported by many vendors TLS (Transport Layer Security), IETF Interoperability concerns Issues with key exchange SSL (Secure Sockets Layer), Netscape, IETF Generally not supported for peer-to-peer Hub and spoke deployments
SonicWALL/SecureIT 19 Firewall – NAT/Port Considerations VoIP issues with classic stateful NAT firewalls Inbound access to UDP/TCP ports are restricted by default RTP dynamically assigned an “even” port It would be necessary to open up the entire firewall RTCP port is dynamically remapped with Symmetric NAT VoIP endpoints each have a unique IP NAT turns all “internal” IPs into a single “external” IP All incoming calls are to a single IP. Which endpoint is the actual intended IP? VoIP requires an ALG or SBC solution
SonicWALL/SecureIT 20 Firewall Solution – SBC Session Border Controller A dedicated appliance which implements firewall/NAT traversal Tricks the existing firewall Placed in the Signaling and Media Path between calling and called parties Breaks end-to-end security unless private keys are told to the SBC Implemented as a B2BUA – Back-to-back User Agent Can run into scalability issues
SonicWALL/SecureIT 21 Firewall Solutions – ALG An Application Layer Gateway is a firewall which understands VoIP media Embedded software on a firewall Dynamically identifies, opens and closes ports as needed Transforms outer (NAT) and inner (DPT) IPs & ports on-the-fly May be able to identify and coalesce disparate streams into a single call flow for monitoring and QoS Should be able to identify and protect against malformed signaling and media Since it is not terminating/re-initiating calls, a proper ALG can scale beyond an SBC on a price/call metric
SonicWALL/SecureIT 22 NIST Recommendations NIST Special Publication , January 2005 Logically distinct networks Use an ALG firewall or Session Border Controller STUN – Simple Traversal of UDP through NAT, does not work with Symmetric NAT TURN – Traversal Using Relay NAT, works with STUN, limited to a single peer behind a NAT device ICE – Interactive Connectivity Establishment, uses STUN, TURN, RSIP – requires additional SDB attributes UPnP – Universal Plug and Play, multi-NAT scalability and security issues Strong authentication and IPSec or SSH to access controller Use end-point encryption or Site-to-Site IPSec tunnels Don’t use soft phones – PCs are too vulnerable Stay away from a/b/g phones without IPSec
SonicWALL/SecureIT 23 VoIP Security Practices – Endpoint and Call Manager Protection UTM Firewall Unified Threat Management – GAV, IPS Physical and Logical Security Access to Call Manager must be restricted It is only as secure as the weakest password Redundant Power VoIP requires AC power to operate; PSTN does not End-to-end Encryption TLS, SRTP covers media only IPSec, SSL covers media and signaling
SonicWALL/SecureIT 24 References NETWORKWORLD- SonicWALL, “Beyond Interoperability: Network Security as a Voice over IP (VoIP) Enabler”- VOIPSA- CERT- University of Oulu, Finland- NIST, “Security Considerations for Voice Over IP Systems”-
Thank you. Jeff Caldwell Director, R&D