Network and VoIP Security – More Important Than Ever Mark D. Collier Chief Technology Officer SecureLogix Corporation

General Security Trends  Good news  Bad news  Going forward Network-Based Security Managed Security Services Internal Application/VoIP Security Outline

Basic security measures, such as anti-virus, firewalls, and anti-spyware, are ubiquitously deployed Average losses due to security breaches are up, but down significantly from 2001 and 2002 (*) The number of incidents is down (*) Incidents are being reported at a greater rate (*) General Security Trends Some Good News Security Trends (*) Source – 2007 Computer Crime and Security Survey

Security Trends (*) Source – 2007 Computer Crime and Security Survey General Security Trends Some Good News

(*) Source – 2007 Computer Crime and Security Survey General Security Trends Some Good News Security Trends

(*) Source – 2007 Computer Crime and Security Survey General Security Trends Some Good News

Security Trends (*) Source – 2007 Computer Crime and Security Survey General Security Trends Some Good News

Security Trends General Security Trends Some Bad News (*) Source – 2007 Computer Crime and Security Survey

Signature based-detection systems are being pushed to the limit The platforms, network, and applications are getting more and more complex Attacks are becoming increasing complex Perimeter security has many issues Security funding is a small part of IT spending – no more than 10% and often less than 5% (*) Targeted attacks are increasing (*) General Security Trends Some Bad News Security Trends (*) Source – 2007 Computer Crime and Security Survey

Security Trends (*) Source – 2007 Computer Crime and Security Survey General Security Trends Some Bad News

Security Trends General Security Trends Some Bad News (*) Source – 2007 Computer Crime and Security Survey

Increased deployment of Intrusion Detection and Prevention Systems (IDSs and IPSs) Possible increase the in use of Network Admission Control (NAC) Network-Based Security solutions are available Managed Security Services solutions are available Increased focus on internal application security New applications such as Voice Over IP (VoIP) moving onto the data network General Security Trends Going Forward Security Trends

Enterprise customers are deploying firewalls, IDSs/IPSs, AV, anti-SPAM on network edge Some disadvantages:  Expensive  Multiple vendors and difficult to manage  Does not scale well Network-based Security Introduction Network-based Security Client Enterprise Client Enterprise 3 rd Party Network Primary Provider IP Network Edge

Network-based security embeds security capability in the network Some advantages:  Leverages security capability in the network  Centralized management  Scales better Network-based Security Introduction Network-based Security Client Enterprise Client Enterprise 3 rd Party Network Edge AT&T IP Network VPN, Firewall, IDS, Anti-Virus, etc. Firewall, IDS, Anti-Virus, etc.

Leverages security expertise Greatly assists with threat reconnaissance Broad network visibility allows greater awareness and warning of attacks The impact of major Worm attacks are seen well in advance of when they are a threat to an enterprise The only real solution to DoS and DDoS attacks A great defense in depth approach Still may need network defense and internal security Network-based Security Advantages Network-based Security

Network-based Security Early Detection of Attacks Network-based Security ReconnaissanceScanningSystem AccessDamageTrack Coverage Preventive Phase (Defense) Reactive Phase (Defense) Web-Based Information Collection Social Engineering Broad Network Mapping Targeted Scan Service Vulnerability Exploitation Password Guessing DDOS Zombie Code Installation System File Delete Log File Changes Use of Stolen Accounts for Attack AT&T Security Service Primary Emphasis

Network-based Security DoS and DDoS Attacks Network-based Security TARGETED Server AT&T IP Backbone Enterprise Server

Network-based Security AT&T Offerings Network-based Security Policy Management Identity Management Intrusion Management Perimeter Security Secure Connectivity Monitoring & Mgmt Incident Management Network-Based Security Platform  AT&T Internet Protect ®  AT&T DDoS Defense  AT&T My Internet Protect  AT&T Private Intranet Protect  AT&T Network-Based Firewalls  AT&T Secure Gateway  AT&T Web Security Services

Managed Security Services (MSS) are a viable alternative to in-house security staffing Leverage experienced staff, who are familiar with security processes and products Often can be more cost effective Eliminates the need to retain and train staff Security assessments/audits are commonly outsourced Managed Security Services Introduction Managed Security Services

Managed Security Services Enterprise Penetration (*) Source – 2007 Computer Crime and Security Survey Managed Security Services

(*) Source – 2007 Computer Crime and Security Survey Managed Security Services Assessments/Audits Managed Security Services

Managed Security Services AT&T Offerings Network-based Security Premises-Based Firewalls Managed Intrusion Detection Endpoint Security Service Token Authentication

Despite availability of network-based security, managed services, and customer-premise edge security, securing applications is still important Voice Over IP (VoIP) is one internal application that must be secured Application/VoIP Security VoIP Security Introduction

An enterprise website often contains a lot of information that is useful to a hacker:  Organizational structure and corporate locations  Help and technical support  Job listings  Phone numbers and extensions Public Website Research Introduction Gathering Information Footprinting

Public Website Research Countermeasures It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it Try to limit amount of detail in job postings Remove technical detail from help desk web pages Gathering Information Footprinting

Google is incredibly good at finding details on the web:  Vendor press releases and case studies  Resumes of VoIP personnel  Mailing lists and user group postings  Web-based VoIP logins Google Hacking Introduction Gathering Information Footprinting

Determine what your exposure is Be sure to remove any VoIP phones which are visible to the Internet Disable the web servers on your IP phones There are services that can help you monitor your exposure:   ww.baytsp.com Google Hacking Countermeasures Gathering Information Footprinting

Consists of various techniques used to find hosts:  Ping sweeps  ARP pings  TCP ping scans  SNMP sweeps After hosts are found, the type of device can be determined Classifies host/device by operating system Once hosts are found, tools can be used to find available network services Host/Device Discovery and Identification Gathering Information Scanning

Host/Device Discovery Ping Sweeps/ARP Pings Gathering Information Scanning

Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps VLANs can help isolate ARP pings Ping sweeps can be blocked at the perimeter firewall Use secure (SNMPv3) version of SNMP Change SNMP public strings Host/Device Discovery Countermeasures Gathering Information Scanning

Involves testing open ports and services on hosts/devices to gather more information Includes running tools to determine if open services have known vulnerabilities Also involves scanning for VoIP-unique information such as phone numbers Includes gathering information from TFTP servers and SNMP Enumeration Introduction Gathering Information Enumeration

Vulnerability Testing Tools Gathering Information Enumeration

Vulnerability Testing Countermeasures Gathering Information Enumeration The best solution is to upgrade your applications and make sure you continually apply patches Some firewalls and IPSs can detect and mitigate vulnerability scans

TFTP Enumeration Introduction Almost all phones we tested use TFTP to download their configuration files The TFTP server is rarely well protected If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password The files are downloaded in the clear and can be easily sniffed Configuration files have usernames, passwords, IP addresses, etc. in them Gathering Information Enumeration

TFTP Enumeration Countermeasures Gathering Information Enumeration It is difficult not to use TFTP, since it is so commonly used by VoIP vendors Some vendors offer more secure alternatives Firewalls can be used to restrict access to TFTP servers to valid devices

SNMP Enumeration Introduction SNMP is enabled by default on most IP PBXs and IP phones Simple SNMP sweeps will garner lots of useful information If you know the device type, you can use snmpwalk with the appropriate OID You can find the OID using Solarwinds MIB Default “passwords”, called community strings, are common Gathering Information Enumeration

Disable SNMP on any devices where it is not needed Change default public and private community strings Try to use SNMPv3, which supports authentication SNMP Enumeration Countermeasures Gathering Information Enumeration

The VoIP network and supporting infrastructure are vulnerable to attacks VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter Attacks include:  Flooding attacks  Network availability attacks  Supporting infrastructure attacks Network Infrastructure DoS Attacking The Network Network DoS

Flooding attacks generate so many packets at a target, that it is overwhelmed and can’t process legitimate requests Flooding Attacks Introduction Attacking The Network Network DoS

Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling) Use rate limiting in network switches Use anti-DoS/DDoS products Some vendors have DoS support in their products (in newer versions of software) Flooding Attacks Countermeasures Attacking The Network Network DoS

This type of attack involves an attacker trying to crash the underlying operating system:  Fuzzing involves sending malformed packets, which exploit a weakness in software  Packet fragmentation  Buffer overflows Network Availability Attacks Attacking The Network Network DoS

A network IPS is an inline device that detects and blocks attacks Some firewalls also offer this capability Host based IPS software also provides this capability Network Availability Attacks Countermeasures Attacking The Network Network DoS

VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc. DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones DNS cache poisoning involves tricking a DNS server into using a fake DNS response Supporting Infrastructure Attacks Attacking The Network Network DoS

Configure DHCP servers not to lease addresses to unknown MAC addresses DNS servers should be configured to analyze info from non-authoritative servers and dropping any response not related to queries Supporting Infrastructure Attacks Countermeasures Attacking The Network Network DoS

VoIP configuration files, signaling, and media are vulnerable to eavesdropping Attacks include:  TFTP configuration file sniffing (already discussed)  Number harvesting and call pattern tracking  Conversation eavesdropping By sniffing signaling, it is possible to build a directory of numbers and track calling patterns voipong automates the process of logging all calls Wireshark is very good at sniffing VoIP signaling Network Eavesdropping Introduction Attacking The Network Eavesdropping

Conversation Recording Wireshark Attacking The Network Eavesdropping

Other tools include:  vomit  Voipong  voipcrack (not public)  DTMF decoder Conversation Recording Other Tools Attacking The Network Eavesdropping

Use encryption:  Many vendors offer encryption for signaling  Use the Transport Layer Security (TLS) for signaling  Many vendors offer encryption for media  Use Secure Real-time Transport Protocol (SRTP)  Use ZRTP  Use proprietary encryption if you have to Network Eavesdropping Countermeasures Attacking The Network Eavesdropping

The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing:  Eavesdropping on the conversation  Causing a DoS condition  Altering the conversation by omitting, replaying, or inserting media  Redirecting calls Network Interception Introduction Attacking The Network Net/App Interception

The most common network-level MITM attack is ARP poisoning Involves tricking a host into thinking the MAC address of the attacker is the intended address There are a number of tools available to support ARP poisoning:  Cain and Abel  ettercap  Dsniff  hunt Network Interception ARP Poisoning Attacking The Network Net/App Interception

Network Interception ARP Poisoning Attacking The Network Net/App Interception

Network Interception Countermeasures Attacking The Network Net/App Interception Some countermeasures for ARP poisoning are:  Static OS mappings  Switch port security  Proper use of VLANs  Signaling encryption/authentication  ARP poisoning detection tools, such as arpwatch

VoIP systems are vulnerable to application attacks against the various VoIP protocols Attacks include:  Fuzzing attacks  Flood-based DoS  Signaling and media manipulation Attacking The Application

Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks There are many public domain tools available for fuzzing:  Protos suite  Asteroid  Fuzzy Packet  NastySIP  Scapy Fuzzing Introduction Attacking The Application Fuzzing  SipBomber  SFTF  SIP Proxy  SIPp  SIPsak

There are some commercial tools available:  Beyond Security BeStorm  Codenomicon  MuSecurity Mu-4000 Security Analyzer  Security Innovation Hydra  Sipera Systems LAVA tools Fuzzing Commercial Tools Attacking The Application Fuzzing

Make sure your vendor has tested their systems for fuzzing attacks Consider running your own tests An VoIP-aware IPS can monitor for and block fuzzing attacks Fuzzing Countermeasures Attacking The Application Fuzzing

Several tools are available to generate floods at the application layer:  rtpflood – generates a flood of RTP packets  inviteflood – generates a flood of SIP INVITE packets  SiVuS – a tool which a GUI that enables a variety of flood- based attacks Virtually every device we tested was susceptible to these attacks Attacking The Application Flood-Based DoS Flood-Based DoS

There are several countermeasures you can use for flood- based DoS:  Use VLANs to separate networks  Use TCP and TLS for SIP connections  Use rate limiting in switches  Enable authentication for requests  Use SIP firewalls/IPSs to monitor and block attacks Flood-Based DoS Countermeasures Attacking The Application Flood-Based DoS

Proxy User Proxy Attacker Hijacked Media Hijacked Session User Registration Manipulation Attacking The Application Sig/Media Manipulation

Attacker Sends BYE Messages To UAs Attacker Proxy User Session Teardown Attacking The Application Sig/Media Manipulation

Attacker Sends check-sync Messages To UA Attacker Proxy User IP Phone Reboot Attacking The Application Sig/Media Manipulation

Attacker Sees Packets And Inserts/Mixes In New Audio Attacker Proxy User Audio Insertion/Mixing Attacking The Application Sig/Media Manipulation

Some countermeasures for signaling and media manipulation include:  Use digest authentication where possible  Use TCP and TLS where possible  Use SIP-aware firewalls/IPSs to monitor for and block attacks  Use audio encryption to prevent RTP injection/mixing Attacking The Application Sig/Media Manipulation Signaling/Media Manipulation Countermeasures

Voice SPAM refers to bulk, automatically generated, unsolicited phone calls Similar to telemarketing, but occurring at the frequency of SPAM Not an issue yet, but will become prevalent when:  The network makes it very inexpensive or free to generate calls  Attackers have access to VoIP networks that allow generation of a large number of calls It is easy to set up a voice SPAM operation, using Asterisk, tools like “spitter”, and free VoIP access Voice SPAM Introduction Social Attacks Voice SPAM

Some potential countermeasures for voice SPAM are:  Authenticated identity movements, which may help to identify callers  Legal measures  Network-based filtering Enterprise voice SPAM filters:  Black lists/white lists  Approval systems  Audio content filtering  Turing tests Voice SPAM Countermeasures Social Attacks Voice SPAM

VoIP Phishing Introduction Similar to phishing, but with a phone number delivered though or voice When the victim dials the number, the recording requests entry of personal information Social Attacks Phishing

VoIP Phishing Countermeasures Traditional spam/phishing countermeasures come in to play here. Educating users is a key Social Attacks Phishing

Final Thoughts General network security is improving in some ways, but new threats are emerging Network-based security and managed security services can be used to improve enterprise security Don’t neglect internal security and key applications Final Thoughts