Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network and VoIP Security – More Important Than Ever Mark D. Collier Chief Technology Officer SecureLogix Corporation

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Network and VoIP Security – More Important Than Ever Mark D. Collier Chief Technology Officer SecureLogix Corporation"— Presentation transcript:

1 Network and VoIP Security – More Important Than Ever Mark D. Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com

2 General Security Trends  Good news  Bad news  Going forward Network-Based Security Managed Security Services Internal Application/VoIP Security Outline

3 Basic security measures, such as anti-virus, firewalls, and anti-spyware, are ubiquitously deployed Average losses due to security breaches are up, but down significantly from 2001 and 2002 (*) The number of incidents is down (*) Incidents are being reported at a greater rate (*) General Security Trends Some Good News Security Trends (*) Source – 2007 Computer Crime and Security Survey

4 Security Trends (*) Source – 2007 Computer Crime and Security Survey General Security Trends Some Good News

5 (*) Source – 2007 Computer Crime and Security Survey General Security Trends Some Good News Security Trends

6 (*) Source – 2007 Computer Crime and Security Survey General Security Trends Some Good News

7 Security Trends (*) Source – 2007 Computer Crime and Security Survey General Security Trends Some Good News

8 Security Trends General Security Trends Some Bad News (*) Source – 2007 Computer Crime and Security Survey

9 Signature based-detection systems are being pushed to the limit The platforms, network, and applications are getting more and more complex Attacks are becoming increasing complex Perimeter security has many issues Security funding is a small part of IT spending – no more than 10% and often less than 5% (*) Targeted attacks are increasing (*) General Security Trends Some Bad News Security Trends (*) Source – 2007 Computer Crime and Security Survey

10 Security Trends (*) Source – 2007 Computer Crime and Security Survey General Security Trends Some Bad News

11 Security Trends General Security Trends Some Bad News (*) Source – 2007 Computer Crime and Security Survey

12 Increased deployment of Intrusion Detection and Prevention Systems (IDSs and IPSs) Possible increase the in use of Network Admission Control (NAC) Network-Based Security solutions are available Managed Security Services solutions are available Increased focus on internal application security New applications such as Voice Over IP (VoIP) moving onto the data network General Security Trends Going Forward Security Trends

13 Enterprise customers are deploying firewalls, IDSs/IPSs, AV, anti-SPAM on network edge Some disadvantages:  Expensive  Multiple vendors and difficult to manage  Does not scale well Network-based Security Introduction Network-based Security Client Enterprise Client Enterprise 3 rd Party Network Primary Provider IP Network Edge

14 Network-based security embeds security capability in the network Some advantages:  Leverages security capability in the network  Centralized management  Scales better Network-based Security Introduction Network-based Security Client Enterprise Client Enterprise 3 rd Party Network Edge AT&T IP Network VPN, Firewall, IDS, Anti-Virus, etc. Firewall, IDS, Anti-Virus, etc.

15 Leverages security expertise Greatly assists with threat reconnaissance Broad network visibility allows greater awareness and warning of attacks The impact of major Worm attacks are seen well in advance of when they are a threat to an enterprise The only real solution to DoS and DDoS attacks A great defense in depth approach Still may need network defense and internal security Network-based Security Advantages Network-based Security

16 Network-based Security Early Detection of Attacks Network-based Security ReconnaissanceScanningSystem AccessDamageTrack Coverage Preventive Phase (Defense) Reactive Phase (Defense) Web-Based Information Collection Social Engineering Broad Network Mapping Targeted Scan Service Vulnerability Exploitation Password Guessing DDOS Zombie Code Installation System File Delete Log File Changes Use of Stolen Accounts for Attack AT&T Security Service Primary Emphasis

17 Network-based Security DoS and DDoS Attacks Network-based Security TARGETED Server AT&T IP Backbone Enterprise Server

18 Network-based Security AT&T Offerings Network-based Security Policy Management Identity Management Intrusion Management Perimeter Security Secure Connectivity Monitoring & Mgmt Incident Management Network-Based Security Platform  AT&T Internet Protect ®  AT&T DDoS Defense  AT&T My Internet Protect  AT&T Private Intranet Protect  AT&T Network-Based Firewalls  AT&T Secure E-Mail Gateway  AT&T Web Security Services

19 Managed Security Services (MSS) are a viable alternative to in-house security staffing Leverage experienced staff, who are familiar with security processes and products Often can be more cost effective Eliminates the need to retain and train staff Security assessments/audits are commonly outsourced Managed Security Services Introduction Managed Security Services

20 Managed Security Services Enterprise Penetration (*) Source – 2007 Computer Crime and Security Survey Managed Security Services

21 (*) Source – 2007 Computer Crime and Security Survey Managed Security Services Assessments/Audits Managed Security Services

22 Managed Security Services AT&T Offerings Network-based Security Premises-Based Firewalls Managed Intrusion Detection Endpoint Security Service Token Authentication

23 Despite availability of network-based security, managed services, and customer-premise edge security, securing applications is still important Voice Over IP (VoIP) is one internal application that must be secured Application/VoIP Security VoIP Security Introduction

24 An enterprise website often contains a lot of information that is useful to a hacker:  Organizational structure and corporate locations  Help and technical support  Job listings  Phone numbers and extensions Public Website Research Introduction Gathering Information Footprinting

25 Public Website Research Countermeasures It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it Try to limit amount of detail in job postings Remove technical detail from help desk web pages Gathering Information Footprinting

26 Google is incredibly good at finding details on the web:  Vendor press releases and case studies  Resumes of VoIP personnel  Mailing lists and user group postings  Web-based VoIP logins Google Hacking Introduction Gathering Information Footprinting

27 Determine what your exposure is Be sure to remove any VoIP phones which are visible to the Internet Disable the web servers on your IP phones There are services that can help you monitor your exposure:  www.cyveilance.com  ww.baytsp.com Google Hacking Countermeasures Gathering Information Footprinting

28 Consists of various techniques used to find hosts:  Ping sweeps  ARP pings  TCP ping scans  SNMP sweeps After hosts are found, the type of device can be determined Classifies host/device by operating system Once hosts are found, tools can be used to find available network services Host/Device Discovery and Identification Gathering Information Scanning

29 Host/Device Discovery Ping Sweeps/ARP Pings Gathering Information Scanning

30 Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps VLANs can help isolate ARP pings Ping sweeps can be blocked at the perimeter firewall Use secure (SNMPv3) version of SNMP Change SNMP public strings Host/Device Discovery Countermeasures Gathering Information Scanning

31 Involves testing open ports and services on hosts/devices to gather more information Includes running tools to determine if open services have known vulnerabilities Also involves scanning for VoIP-unique information such as phone numbers Includes gathering information from TFTP servers and SNMP Enumeration Introduction Gathering Information Enumeration

32 Vulnerability Testing Tools Gathering Information Enumeration

33 Vulnerability Testing Countermeasures Gathering Information Enumeration The best solution is to upgrade your applications and make sure you continually apply patches Some firewalls and IPSs can detect and mitigate vulnerability scans

34 TFTP Enumeration Introduction Almost all phones we tested use TFTP to download their configuration files The TFTP server is rarely well protected If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password The files are downloaded in the clear and can be easily sniffed Configuration files have usernames, passwords, IP addresses, etc. in them Gathering Information Enumeration

35 TFTP Enumeration Countermeasures Gathering Information Enumeration It is difficult not to use TFTP, since it is so commonly used by VoIP vendors Some vendors offer more secure alternatives Firewalls can be used to restrict access to TFTP servers to valid devices

36 SNMP Enumeration Introduction SNMP is enabled by default on most IP PBXs and IP phones Simple SNMP sweeps will garner lots of useful information If you know the device type, you can use snmpwalk with the appropriate OID You can find the OID using Solarwinds MIB Default “passwords”, called community strings, are common Gathering Information Enumeration

37 Disable SNMP on any devices where it is not needed Change default public and private community strings Try to use SNMPv3, which supports authentication SNMP Enumeration Countermeasures Gathering Information Enumeration

38 The VoIP network and supporting infrastructure are vulnerable to attacks VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter Attacks include:  Flooding attacks  Network availability attacks  Supporting infrastructure attacks Network Infrastructure DoS Attacking The Network Network DoS

39 Flooding attacks generate so many packets at a target, that it is overwhelmed and can’t process legitimate requests Flooding Attacks Introduction Attacking The Network Network DoS

40 Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling) Use rate limiting in network switches Use anti-DoS/DDoS products Some vendors have DoS support in their products (in newer versions of software) Flooding Attacks Countermeasures Attacking The Network Network DoS

41 This type of attack involves an attacker trying to crash the underlying operating system:  Fuzzing involves sending malformed packets, which exploit a weakness in software  Packet fragmentation  Buffer overflows Network Availability Attacks Attacking The Network Network DoS

42 A network IPS is an inline device that detects and blocks attacks Some firewalls also offer this capability Host based IPS software also provides this capability Network Availability Attacks Countermeasures Attacking The Network Network DoS

43 VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc. DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones DNS cache poisoning involves tricking a DNS server into using a fake DNS response Supporting Infrastructure Attacks Attacking The Network Network DoS

44 Configure DHCP servers not to lease addresses to unknown MAC addresses DNS servers should be configured to analyze info from non-authoritative servers and dropping any response not related to queries Supporting Infrastructure Attacks Countermeasures Attacking The Network Network DoS

45 VoIP configuration files, signaling, and media are vulnerable to eavesdropping Attacks include:  TFTP configuration file sniffing (already discussed)  Number harvesting and call pattern tracking  Conversation eavesdropping By sniffing signaling, it is possible to build a directory of numbers and track calling patterns voipong automates the process of logging all calls Wireshark is very good at sniffing VoIP signaling Network Eavesdropping Introduction Attacking The Network Eavesdropping

46 Conversation Recording Wireshark Attacking The Network Eavesdropping

47 Other tools include:  vomit  Voipong  voipcrack (not public)  DTMF decoder Conversation Recording Other Tools Attacking The Network Eavesdropping

48 Use encryption:  Many vendors offer encryption for signaling  Use the Transport Layer Security (TLS) for signaling  Many vendors offer encryption for media  Use Secure Real-time Transport Protocol (SRTP)  Use ZRTP  Use proprietary encryption if you have to Network Eavesdropping Countermeasures Attacking The Network Eavesdropping

49 The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing:  Eavesdropping on the conversation  Causing a DoS condition  Altering the conversation by omitting, replaying, or inserting media  Redirecting calls Network Interception Introduction Attacking The Network Net/App Interception

50 The most common network-level MITM attack is ARP poisoning Involves tricking a host into thinking the MAC address of the attacker is the intended address There are a number of tools available to support ARP poisoning:  Cain and Abel  ettercap  Dsniff  hunt Network Interception ARP Poisoning Attacking The Network Net/App Interception

51 Network Interception ARP Poisoning Attacking The Network Net/App Interception

52 Network Interception Countermeasures Attacking The Network Net/App Interception Some countermeasures for ARP poisoning are:  Static OS mappings  Switch port security  Proper use of VLANs  Signaling encryption/authentication  ARP poisoning detection tools, such as arpwatch

53 VoIP systems are vulnerable to application attacks against the various VoIP protocols Attacks include:  Fuzzing attacks  Flood-based DoS  Signaling and media manipulation Attacking The Application

54 Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks There are many public domain tools available for fuzzing:  Protos suite  Asteroid  Fuzzy Packet  NastySIP  Scapy Fuzzing Introduction Attacking The Application Fuzzing  SipBomber  SFTF  SIP Proxy  SIPp  SIPsak

55 There are some commercial tools available:  Beyond Security BeStorm  Codenomicon  MuSecurity Mu-4000 Security Analyzer  Security Innovation Hydra  Sipera Systems LAVA tools Fuzzing Commercial Tools Attacking The Application Fuzzing

56 Make sure your vendor has tested their systems for fuzzing attacks Consider running your own tests An VoIP-aware IPS can monitor for and block fuzzing attacks Fuzzing Countermeasures Attacking The Application Fuzzing

57 Several tools are available to generate floods at the application layer:  rtpflood – generates a flood of RTP packets  inviteflood – generates a flood of SIP INVITE packets  SiVuS – a tool which a GUI that enables a variety of flood- based attacks Virtually every device we tested was susceptible to these attacks Attacking The Application Flood-Based DoS Flood-Based DoS

58 There are several countermeasures you can use for flood- based DoS:  Use VLANs to separate networks  Use TCP and TLS for SIP connections  Use rate limiting in switches  Enable authentication for requests  Use SIP firewalls/IPSs to monitor and block attacks Flood-Based DoS Countermeasures Attacking The Application Flood-Based DoS

59 Proxy User Proxy Attacker Hijacked Media Hijacked Session User Registration Manipulation Attacking The Application Sig/Media Manipulation

60 Attacker Sends BYE Messages To UAs Attacker Proxy User Session Teardown Attacking The Application Sig/Media Manipulation

61 Attacker Sends check-sync Messages To UA Attacker Proxy User IP Phone Reboot Attacking The Application Sig/Media Manipulation

62 Attacker Sees Packets And Inserts/Mixes In New Audio Attacker Proxy User Audio Insertion/Mixing Attacking The Application Sig/Media Manipulation

63 Some countermeasures for signaling and media manipulation include:  Use digest authentication where possible  Use TCP and TLS where possible  Use SIP-aware firewalls/IPSs to monitor for and block attacks  Use audio encryption to prevent RTP injection/mixing Attacking The Application Sig/Media Manipulation Signaling/Media Manipulation Countermeasures

64 Voice SPAM refers to bulk, automatically generated, unsolicited phone calls Similar to telemarketing, but occurring at the frequency of email SPAM Not an issue yet, but will become prevalent when:  The network makes it very inexpensive or free to generate calls  Attackers have access to VoIP networks that allow generation of a large number of calls It is easy to set up a voice SPAM operation, using Asterisk, tools like “spitter”, and free VoIP access Voice SPAM Introduction Social Attacks Voice SPAM

65 Some potential countermeasures for voice SPAM are:  Authenticated identity movements, which may help to identify callers  Legal measures  Network-based filtering Enterprise voice SPAM filters:  Black lists/white lists  Approval systems  Audio content filtering  Turing tests Voice SPAM Countermeasures Social Attacks Voice SPAM

66 VoIP Phishing Introduction Similar to email phishing, but with a phone number delivered though email or voice When the victim dials the number, the recording requests entry of personal information Social Attacks Phishing

67 VoIP Phishing Countermeasures Traditional email spam/phishing countermeasures come in to play here. Educating users is a key Social Attacks Phishing

68 Final Thoughts General network security is improving in some ways, but new threats are emerging Network-based security and managed security services can be used to improve enterprise security Don’t neglect internal security and key applications Final Thoughts

Download ppt "Network and VoIP Security – More Important Than Ever Mark D. Collier Chief Technology Officer SecureLogix Corporation"

Similar presentations

Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation

Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
1 © 2004, Cisco Systems, Inc. All rights reserved IP Telephony Security Cisco Systems.

1 © 2004, Cisco Systems, Inc. All rights reserved IP Telephony Security Cisco Systems.
Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.

Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy

Chapter 14 Wireless Attacks, Intrusion Monitoring and Policy
Web Server Administration TEC 236 Securing the Web Environment.

Web Server Administration TEC 236 Securing the Web Environment.
Securing Unified Communications Mor Hezi VP Unified Communications AudioCodes.

Securing Unified Communications Mor Hezi VP Unified Communications AudioCodes.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.

September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.
Chapter 12 Network Security.

Chapter 12 Network Security.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Hacking Exposed: VoIP Mark D. Collier Chief Technology Officer

Hacking Exposed: VoIP Mark D. Collier Chief Technology Officer
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google