CHAPTER 10 Voice Security

VoIP Security Requirements:
- Integrity: The recipient should receive the packets that the originator sends without any change to content.
- Privacy: A third party should not be able to read the data.
- Authenticity: Each party should be confident they are communicating with whom each claims to be.
- Availability/Protection from Denial-of-Service: The VoIP service should be available to users at all times.

Shared-Key:
- A common shared key between users
- Each pair of users must have the same key
- Does not scale well with multiple pairs of users
- The key is used to encrypt the message
- A hash is calculated from the shared key

Asymmetric Key:
- Each user has a private key as well as a public key
- Only the corresponding public key can decrypt a message that is encrypted with the private key
- Only the corresponding private key can decrypt a message that is encrypted with the public key
- Has a one-to-one relationship between keys
- Keys can be exchanged over an unsecured network

Asymmetric Key: Phases
- Authentication phase
- Secure communication phase
- CPU-intensive process
- Unique shared secret per session

Digital Signature:
- Uses a set of complementary algorithms for signing and for verification
- A digital signature is obtained from a Certificate Authority (CA)
- A hash of the message is signed with the private key to create a digital signature
- The recipient verifies the signature by running a verification algorithm over the message content using the public key of the sender

Digital Signature continued:
- Uses a set of complementary algorithms for signing and for verification
- Digital signatures provide authentication
- Digital signatures provide message integrity
- Each signature is appended to the message in clear text
- Digital signatures do not provide privacy
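The two slides above (shared-key hashing and digital signatures) can be tried out with a short script. This is an added example, not material from the chapter: the shared-key part uses an HMAC from the Python standard library, and the signature part uses a textbook RSA pair built from two small constructed primes so that "hash, apply private key, verify with public key" is visible in a few lines. The key, the SIP-like message and the prime pair are all constructed for the demonstration; real signatures use 2048-bit or larger keys with a padding scheme.

```python
import hashlib
import hmac

# ---------- Shared-key integrity: a keyed hash (HMAC) over the message ----------
# Both parties hold the same key; the tag is a hash computed from the shared key and
# the message, so a third party without the key cannot produce a valid tag.

def shared_key_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def shared_key_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time comparison avoids leaking how many tag bytes matched
    return hmac.compare_digest(shared_key_tag(key, message), tag)

# ---------- Digital signature: textbook RSA over a SHA-256 hash ----------
# Constructed toy key pair for illustration only: ~40-bit modulus, no padding.
TOY_P, TOY_Q = 1000003, 1000033                      # small primes, constructed
TOY_N = TOY_P * TOY_Q                                # public modulus
TOY_E = 65537                                        # public exponent
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))   # private exponent (Python 3.8+)

def hash_to_int(message: bytes) -> int:
    # Reduce the digest so it fits the toy modulus; a real scheme pads instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % TOY_N

def sign(message: bytes, d: int = TOY_D, n: int = TOY_N) -> int:
    """Signer hashes the message and applies the private key to the hash."""
    return pow(hash_to_int(message), d, n)

def verify(message: bytes, signature: int, e: int = TOY_E, n: int = TOY_N) -> bool:
    """Recipient applies the sender's public key and compares with a fresh hash."""
    return pow(signature, e, n) == hash_to_int(message)

def signed_message(message: bytes) -> bytes:
    """The signature is appended in clear text: the message stays readable (no privacy)."""
    return message + b"||sig=" + str(sign(message)).encode()

def verify_signed_message(blob: bytes) -> bool:
    message, sep, sig = blob.rpartition(b"||sig=")
    return sep != b"" and sig.isdigit() and verify(message, int(sig))

if __name__ == "__main__":
    key = b"constructed-shared-key"              # constructed sample key
    msg = b"INVITE sip:alice@example.com"        # constructed sample message
    tag = shared_key_tag(key, msg)
    print("HMAC ok:", shared_key_verify(key, msg, tag))
    print("HMAC on altered message:", shared_key_verify(key, msg + b"x", tag))
    blob = signed_message(msg)
    print("signed blob (still readable):", blob)
    print("signature ok:", verify_signed_message(blob))
    print("tampered blob ok:", verify_signed_message(blob.replace(b"alice", b"mallory")))
```

The HMAC side shows why shared keys do not scale: every pair needs its own key. The signature side shows the integrity and authentication properties the slide lists, and that the signed message is still fully readable, which is the "no privacy" point.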

Certificate Authority:
- The Certificate Authority receives the public key at the time of key generation
- The Certificate Authority will verify the identity of the sender and issue a certificate
- Each device in the system has the public key of the CA
- At the time of contact each system will:
  - Present its certificate to its peer
  - Each will run a verification
  - If verified, the keys are stored

Public-key: Common Protocols
- Transport Layer Security (TLS)
  - Independent of applications
  - Rides on top of transport layer protocols
  - Can be used with multiple services
- Record Protocol
  - Lower-layer protocol
  - Provides privacy and integrity
  - Uses DES or RC4 for encryption
- Client layer
  - Authenticates
  - Negotiates

TLS:

Public-key: Common Protocols continued
- IPsec
  - Uses Authentication Header (AH)
  - Uses Encapsulating Security Payload (ESP)
  - AH provides authentication and integrity
  - ESP provides privacy, authenticity, and integrity
  - Tunnel-mode
    - Protects only the payload
    - Header inserted between the IP header and the transport layer header (TCP/UDP)
  - Transport-mode
    - Encapsulates the entire packet
    - IPsec header is added between the outer and inner IP headers

Public-key: Common Protocols continued IPsec

Public-key: Common Protocols continued IPsec

Public-key: Common Protocols continued IPsec

Public-key: Common Protocols continued
- Secure Real-time Transport Protocol (SRTP)
  - Integrity
  - Authentication
  - Privacy

Protecting Voice Devices:
- Disable unused ports/services
  - Disable Telnet
  - Disable Trivial File Transfer Protocol (TFTP)
- Simple Network Management Protocol (SNMP)
  - Use only read-only mode
- Disable unused ports on layer 2 switches
  - Administratively shut down

Protecting Voice Devices continued:
- Host-based Intrusion Protection System (HIPS)
  - Software agent installed on each device
  - Collects information about traffic
  - Information compared against a set of rules
  - System can take preventative action
    - Terminating the application
    - Rate-limiting data

Protecting Voice Infrastructure:
- Segmentation
  - VLANs
  - IP addressing
  - Traffic types
  - Separate DHCP servers
- Traffic Policing
  - Limit bandwidth to the codec used
  - G.711 is 64 kbps plus overhead
  - Queuing techniques
- 802.1X Authentication
  - EAP protocol
  - RADIUS authentication server
  - Layer 2
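The "limit bandwidth to the codec used" and "G.711 is 64 kbps plus overhead" bullets can be made concrete with a small calculation plus a token-bucket policer. This is an added example, not the chapter's material: it assumes a 20 ms packetization interval, IPv4/UDP/RTP headers of 20 + 8 + 12 bytes and 18 bytes of Ethernet framing (header plus FCS), all of which are assumptions that should be adjusted for the actual link. The normal call and the flood are constructed packet streams.

```python
from fractions import Fraction

IP_UDP_RTP_OVERHEAD = 20 + 8 + 12       # IPv4 + UDP + RTP headers, bytes
ETHERNET_OVERHEAD = 18                  # 14-byte header + 4-byte FCS (assumed L2 framing)

def voice_packet_bytes(codec_bps: int, ptime_ms: int, l2_overhead: int = ETHERNET_OVERHEAD) -> int:
    """Bytes on the wire for one voice frame: codec payload plus headers."""
    payload = codec_bps * ptime_ms // 8000    # G.711 at 20 ms -> 160 bytes
    return payload + IP_UDP_RTP_OVERHEAD + l2_overhead

def call_bandwidth_bps(codec_bps: int, ptime_ms: int, l2_overhead: int = ETHERNET_OVERHEAD) -> Fraction:
    """Per-call bandwidth including overhead: the '64 kbps plus overhead' figure."""
    packets_per_second = Fraction(1000, ptime_ms)
    return voice_packet_bytes(codec_bps, ptime_ms, l2_overhead) * 8 * packets_per_second

def police(packets, rate_bps: int, burst_bytes: int):
    """Single-rate token bucket. packets: list of (time_ms, size_bytes).
    Returns one 'conform' / 'exceed' mark per packet; exceeding packets would be dropped."""
    tokens = Fraction(burst_bytes)                 # bucket starts full
    refill_per_ms = Fraction(rate_bps, 8000)       # bytes credited per millisecond
    last_ms = packets[0][0] if packets else 0
    marks = []
    for t_ms, size in packets:
        tokens = min(Fraction(burst_bytes), tokens + refill_per_ms * (t_ms - last_ms))
        last_ms = t_ms
        if tokens >= size:
            tokens -= size
            marks.append("conform")
        else:
            marks.append("exceed")
    return marks

def demo():
    """Police a well-behaved G.711 call and a 1 ms flood at the call's own rate."""
    rate = int(call_bandwidth_bps(64000, 20))            # 87200 bps for G.711 at 20 ms
    size = voice_packet_bytes(64000, 20)                 # 218 bytes per frame
    normal_call = [(20 * i, size) for i in range(50)]    # constructed: one frame every 20 ms
    flood = [(i, size) for i in range(50)]               # constructed: a frame every 1 ms
    return (police(normal_call, rate, 2 * size).count("exceed"),
            police(flood, rate, 2 * size).count("exceed"))

if __name__ == "__main__":
    print("G.711/20 ms per-call bandwidth:", call_bandwidth_bps(64000, 20), "bps")
    print("exceeding packets (normal call, flood):", demo())
```

Policing the voice VLAN at roughly the per-call figure times the expected number of calls, with a burst of a couple of frames, lets legitimate G.711 traffic through untouched while anything sending much faster than the codec (a flood from a compromised phone, for instance) is marked and dropped.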

Protecting Voice Infrastructure continued: 802.1X Authentication

Protecting Voice Infrastructure continued: Layer 2 tools
- DHCP Snooping
  - Only allow DHCP offers from known sources
  - Enabled on switches
  - Switch(config)#ip dhcp snooping
  - Switch(config-if)#ip dhcp snooping trust
  - Switch(config-if)#ip dhcp snooping limit rate [rate]
  - Switch(config)#ip dhcp snooping vlan [number]
  - DHCP snooping binding database (IP-to-MAC)

Protecting Voice Infrastructure continued: Layer 2 tools
- IP Source Guard
  - Used with DHCP Snooping
  - On untrusted ports only DHCP messages are allowed until a DHCP response is received
  - Uses the DHCP snooping binding database
  - Per port
  - Installs a VLAN Access Control List (VACL)

Protecting Voice Infrastructure continued: Layer 2 tools
- Dynamic ARP Inspection
  - Attacker sends its own MAC address as a reply
  - Man-in-the-middle attack
  - Uses the DHCP binding database
  - Drops malicious packets
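The three slides on DHCP Snooping, IP Source Guard and Dynamic ARP Inspection describe one mechanism from three angles: a binding database built from DHCP traffic on trusted ports, then used to decide whether ARP replies and IP packets from untrusted ports are allowed. The following added example (not from the chapter, and not Cisco's implementation) models that decision logic in Python over a constructed sequence of frames. Port names, MAC addresses, IP addresses and the rate limit are all constructed; the rate counter is per run rather than per second, which real switches use.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    port: str          # ingress port (constructed names)
    kind: str          # "dhcp_discover", "dhcp_offer", "dhcp_ack", "arp_reply", "ip"
    mac: str           # client MAC (DHCP), sender MAC (ARP) or source MAC (IP)
    ip: str = ""       # assigned IP (DHCP ACK), sender IP (ARP) or source IP (IP)
    vlan: int = 10

@dataclass
class SnoopingSwitch:
    trusted_ports: set
    dhcp_rate_limit: int = 5                         # like 'ip dhcp snooping limit rate'
    bindings: dict = field(default_factory=dict)     # MAC -> (IP, VLAN, client port)
    pending: dict = field(default_factory=dict)      # client MAC -> port that sent DISCOVER
    dhcp_seen: dict = field(default_factory=dict)    # per-port DHCP message counter

    def handle(self, ev: Event):
        """Return ("forward" | "drop", reason) for one frame."""
        trusted = ev.port in self.trusted_ports
        if ev.kind.startswith("dhcp"):
            return self._dhcp_snooping(ev, trusted)
        if ev.kind == "arp_reply":
            return self._dynamic_arp_inspection(ev, trusted)
        if ev.kind == "ip":
            return self._ip_source_guard(ev, trusted)
        return ("forward", "not inspected")

    def _dhcp_snooping(self, ev, trusted):
        if trusted:
            if ev.kind == "dhcp_ack" and ev.mac in self.pending:   # server reply: record lease
                self.bindings[ev.mac] = (ev.ip, ev.vlan, self.pending.pop(ev.mac))
            return ("forward", "trusted port")
        self.dhcp_seen[ev.port] = self.dhcp_seen.get(ev.port, 0) + 1
        if self.dhcp_seen[ev.port] > self.dhcp_rate_limit:
            return ("drop", "DHCP rate limit exceeded on untrusted port")
        if ev.kind in ("dhcp_offer", "dhcp_ack"):
            return ("drop", "DHCP server message on untrusted port")
        self.pending[ev.mac] = ev.port                 # client DISCOVER/REQUEST is allowed
        return ("forward", "DHCP client message")

    def _dynamic_arp_inspection(self, ev, trusted):
        if trusted:
            return ("forward", "trusted port")
        binding = self.bindings.get(ev.mac)
        if binding and binding[0] == ev.ip:
            return ("forward", "ARP sender matches binding")
        return ("drop", "ARP sender IP/MAC not in binding database")

    def _ip_source_guard(self, ev, trusted):
        if trusted:
            return ("forward", "trusted port")
        binding = self.bindings.get(ev.mac)
        if binding and binding[0] == ev.ip and binding[2] == ev.port:
            return ("forward", "source IP/MAC bound to this port")
        return ("drop", "source not bound to this port")

def run_demo():
    """Constructed frame sequence: a phone gets a lease, then several spoofing attempts."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})          # uplink to the real DHCP server
    events = [
        Event("Gi1/0/1", "dhcp_discover", "00:11:22:33:44:aa"),                 # phone asks for a lease
        Event("Gi1/0/2", "dhcp_offer", "00:11:22:33:44:bb", "10.1.1.50"),      # rogue DHCP server
        Event("Gi1/0/24", "dhcp_ack", "00:11:22:33:44:aa", "10.1.1.10"),       # real server answers
        Event("Gi1/0/1", "arp_reply", "00:11:22:33:44:aa", "10.1.1.10"),       # phone's own ARP reply
        Event("Gi1/0/2", "arp_reply", "00:11:22:33:44:bb", "10.1.1.1"),        # claims the gateway IP
        Event("Gi1/0/1", "ip", "00:11:22:33:44:aa", "10.1.1.10"),              # phone traffic
        Event("Gi1/0/1", "ip", "00:11:22:33:44:aa", "10.1.1.99"),              # spoofed source IP
        Event("Gi1/0/2", "ip", "00:11:22:33:44:aa", "10.1.1.10"),              # phone's identity, other port
    ]
    return [sw.handle(ev) for ev in events]

if __name__ == "__main__":
    for action, reason in run_demo():
        print(f"{action:8} {reason}")
```

The rogue offer, the gateway ARP spoof and the two source-address forgeries are each dropped by a different check, but all three checks consult the same binding database, which is why the slides present DHCP Snooping as the prerequisite for the other two features.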

Protecting Voice Infrastructure continued: Layer 2 tools
- CAM overflow and Port Security
  - Attacker sends fictitious MAC addresses to fill the CAM table
  - When the CAM table is filled the switch will forward packets out all active ports (broadcast)
  - Use port security features
  - Switch(config-if)#switchport port-security maximum [number]
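To see why a full CAM table turns a switch into a hub and how a per-port secure-MAC maximum stops it, the following added example (not from the chapter) models a tiny learning switch. The three port names, the MAC addresses and the CAM capacity of 8 entries are constructed; the violation behaviour modelled is the "shutdown" style, where the offending port is err-disabled.

```python
class Switch:
    """Minimal learning switch with an optional per-port secure-MAC limit."""

    def __init__(self, ports, cam_capacity=8, port_security_max=None):
        self.ports = list(ports)
        self.cam = {}                                   # MAC -> port (the CAM table)
        self.cam_capacity = cam_capacity
        self.max_per_port = port_security_max           # None: port security off
        self.secure_macs = {p: set() for p in ports}
        self.err_disabled = set()

    def receive(self, in_port, src_mac, dst_mac):
        """Return the set of egress ports for this frame (empty if dropped)."""
        if in_port in self.err_disabled:
            return set()
        if self.max_per_port is not None and src_mac not in self.secure_macs[in_port]:
            if len(self.secure_macs[in_port]) >= self.max_per_port:
                self.err_disabled.add(in_port)          # violation mode 'shutdown'
                return set()
            self.secure_macs[in_port].add(src_mac)
        # learn the source while the table has room; a full table learns nothing new
        if src_mac not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port
        if dst_mac in self.cam:
            return {self.cam[dst_mac]}                  # known unicast: one port
        return {p for p in self.ports if p != in_port}  # unknown unicast: flood

PHONE, VICTIM, ATTACKER = "Gi1/0/1", "Gi1/0/2", "Gi1/0/3"      # constructed port names
PHONE_MAC, VICTIM_MAC = "00:aa:00:00:00:01", "00:aa:00:00:00:02"

def simulate(port_security_max=None):
    """Flood the CAM from the attacker port, then check where a phone-to-victim frame goes.
    Returns (egress ports for that frame, whether the attacker port got err-disabled)."""
    sw = Switch([PHONE, VICTIM, ATTACKER], cam_capacity=8, port_security_max=port_security_max)
    for i in range(sw.cam_capacity):                     # fictitious source MACs
        sw.receive(ATTACKER, f"de:ad:be:ef:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    sw.receive(VICTIM, VICTIM_MAC, PHONE_MAC)            # victim speaks; can it be learned?
    egress = sw.receive(PHONE, PHONE_MAC, VICTIM_MAC)
    return egress, ATTACKER in sw.err_disabled

if __name__ == "__main__":
    print("no port security:", simulate())
    print("port-security maximum 1:", simulate(1))
```

Without a limit the victim's address never makes it into the full table, so the phone's frame is flooded to every port including the attacker's. With `switchport port-security maximum 1` the second fictitious address is a violation, the attacker port is shut down, and the frame is delivered only to the victim.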

Protecting Voice Infrastructure continued: Layer 2 tools
- Circumventing VLANs
  - Uses trunk ports to obtain access
  - 802.1Q or ISL
  - Disable DTP on non-trunk ports
  - Switch(config-if)#switchport mode access

Protecting Voice Infrastructure continued: Layer 2 tools
- NIPS: Network-Based Intrusion Protection System
  - In series
  - In parallel
  - Examines every packet
  - Does not protect against "Atomic" attacks
  - Delay is a problem for voice

Protecting Voice Infrastructure continued: Layer 2 tools
- BPDU Guard and Root Guard
  - Exploits the Spanning Tree Protocol
  - Listens on configured ports for BPDUs
  - Rogue device tries to become the root bridge
  - Violation can disable the port
  - Used with PortFast
  - Root Guard will put the port into a root-inconsistent state
  - Root Guard will allow the device to participate in spanning tree

Protecting Voice Infrastructure continued: Layer 3 tools
- Routing authentication
  - Not available for all protocols
  - Can use a simple password
  - Can use Message Digest (MD5) encryption
  - Not available on RIPv1
  - Shared keys between systems

Protecting Voice Infrastructure continued: Layer 3 tools
- TCP intercept
  - Denial of Service attacks
    - Sends multiple SYN packets
    - Never completes the three-way handshake
    - Uses falsified IP addresses
  - Can limit half-open sessions
  - Intercept mode allows the router to respond before forwarding packets to the client
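The TCP intercept slide describes a router that answers SYNs on the server's behalf and caps the number of half-open (embryonic) sessions. The added example below (not from the chapter, and a simplification of the real feature) models that in Python: when the cap is reached, the oldest half-open entry is torn down to make room, and the server is only contacted once a client's ACK completes the handshake. The limit of 3, the spoofed 203.0.113.x sources and the legitimate client address are constructed values.

```python
from collections import OrderedDict

class TcpIntercept:
    """Router-side intercept: answer SYNs itself, cap half-open connections, and only
    open a connection to the server once the client's ACK arrives."""

    def __init__(self, max_half_open=3):
        self.max_half_open = max_half_open
        self.half_open = OrderedDict()    # (client_ip, client_port) -> True, oldest first
        self.established = []
        self.resets = 0                   # embryonic connections torn down to make room

    def on_segment(self, src_ip, src_port, flags):
        key = (src_ip, src_port)
        if flags == "SYN":
            if len(self.half_open) >= self.max_half_open:
                self.half_open.popitem(last=False)   # drop the oldest half-open entry
                self.resets += 1
            self.half_open[key] = True
            return "SYN-ACK"                          # sent by the router, not the server
        if flags == "ACK" and key in self.half_open:
            del self.half_open[key]
            self.established.append(key)
            return "open-to-server"                   # handshake done; now involve the server
        return "drop"

def run_demo():
    """Constructed traffic: 10 SYNs from falsified addresses that never ACK, then one real client."""
    ti = TcpIntercept(max_half_open=3)
    for i in range(10):
        ti.on_segment(f"203.0.113.{i}", 40000 + i, "SYN")   # spoofed sources never reply
    ti.on_segment("192.0.2.7", 51000, "SYN")                  # legitimate client
    result = ti.on_segment("192.0.2.7", 51000, "ACK")
    return len(ti.half_open), len(ti.established), ti.resets, result

if __name__ == "__main__":
    print("half-open, established, resets, last action:", run_demo())
```

The server never sees the ten spoofed SYNs, the half-open table never grows past the limit, and the real client still gets through, which is the property that matters for a call-control server under a SYN flood.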

Protecting Voice Infrastructure: Security Planning and Policies
- Transitive trust
  - Eliminate re-authentication at each device
- VoIP Protocol-Specific Issues
  - Use of computer-based softphones
- VLANs
  - Trunking
  - Double tagging

Protecting Voice Infrastructure continued: Security Planning and Policies
- Complexity tradeoffs
  - Bandwidth overhead
  - Delay
  - CA cost
- NAT/Firewall Traversal
  - Opens pathways for voice traffic
  - Does not work well with encryption (port numbers)
- Password and Access Control
  - Minimum length
  - Complexity
  - Equipment access

End of Chapter 10