Best Practices for VoIP Security

Agenda
- A brief introduction to REDCOM
- A short history of phone system hacking
- VoIP overview
- VoIP vulnerabilities
- VoIP Security Standards
- Risk mitigation methods
- Conclusion

Introduction to REDCOM
- Providing communications solutions for nearly 40 years
- Made in the USA
  - Based in Victor, NY
  - All design, coding, manufacturing, and support
- Diverse customer base
  - Class 4/5 offices
  - Utilities
  - Emergency response
  - Government and DoD

REDCOM Experience

Hacking is a very real concern

Phreaking: A Brief History
- Phone hacking became prevalent in the 1960s and 70s
- The term "phreaking" refers to phone hacking
- The (in)famous Captain Crunch whistle
  - Evolved into the blue box
- Famous phreaks
  - Steve Jobs (aka Oaf of Tobar)
  - Steve Wozniak (aka Berkeley Blue)
  - That time the Woz called the Pope

A Brief VoIP Overview
- Signaling (call control)
  - Standards based
    - Session Initiation Protocol (SIP)
    - H.323
    - Media Gateway Control Protocol (MGCP)
  - Proprietary
    - SCCP (Skinny Call Control Protocol)
- Media (voice, video, etc.)
  - Real-time Transport Protocol (RTP)
  - Uses codecs to encode voice
    - G.711, G.729, and many others

VoIP Overview: SIP
- SIP terms
  - Registrar: call controller
  - User agent (UA): user endpoint (i.e. telephone)
  - Session: active media session (i.e. phone call)

SIP Architecture
[Diagram: a SIP registrar and two user agents]

VoIP Call Flow

VoIP Vulnerabilities
- UA impersonation
  - Registration hijacking
- Call interception
  - Eavesdropping on conversation
  - Session manipulation
- Denial of Service (DoS)
  - Overwhelm session controller so it can't process calls

VoIP Security Standards
- National Institute of Standards and Technology (NIST)
  - Special Publication (SP) 800-58: Security Considerations for Voice over IP Systems
- Department of Homeland Security (DHS)
  - DHS 4300A Sensitive Systems Handbook, Attachment Q5: Voice over Internet Protocol (VoIP)

Risk Mitigation

Physical Security
- Goal: restrict direct access to network and VoIP systems
- Methods:
  - Door locks
  - Guards
  - Alarm system
  - CCTV surveillance
  - Motion detectors
  - Key card access

System Hardening
- Goal: restrict remote access to systems and network
- Methods:
  - System software updates
  - Anti-virus software
    - Definition file must be periodically updated
  - System passwords
    - Change defaults!
    - Use strong passwords
  - Role Based Access Control (RBAC)

A Word About Passwords
- Evolving recommendations
- Out with the old
  - Complicated mix of characters, i.e. hard to remember
  - Password aging rules
- In with the new
  - Longer but no need for the variety of character types
  - End result is that they're much easier to remember
  - Change only if evidence of being compromised
- Tr0ub4dor&3 vs correcthorsebatterystaple

Network Hardening
- Goal: restrict rogue access to network
- Methods:
  - Limit number of devices that can connect to a single port
  - Define port as an access port
  - Restrict port access to specific devices
  - Report violations as they occur
  - Automatically shut down port when violations occur
  - Disable ports that aren't being used
  - Separation of voice and data

Firewall and Session Border Controller
- Goal: vetting of information to/from network
- Firewall vs SBC: what's the difference?
  - Firewall
    - Most aren't VoIP aware
    - Better suited for data
  - SBC
    - Acts as a B2BUA
    - Meant for VoIP communications

Authentication
- Goal: proof of an identity
- Methods:
  - IP address screening
  - SIP authentication
    - Use strong password concepts
  - Public Key Infrastructure (PKI) and digital certificates
    - One-way vs mutual authentication
  - 2-factor/multi-factor authentication

Encryption
- Goal: ensure confidentiality of information
- Methods:
  - Access to system(s)
    - Secure Shell (SSH)
    - Hyper Text Transfer Protocol Secure (HTTPS)
  - VoIP signaling
    - Transport Layer Security (TLS)
  - VoIP media
    - Secure Real-time Transport Protocol (SRTP)
  - IPSec/VPN tunnels

Assessments and Audits
- Security assessment
  - Review and test security posture of the network/system
  - Used to identify weak security implementations and/or policies
  - Results of assessment will help to improve the corporate cybersecurity policy as well as active security features
- Security audit
  - Periodic review to ensure:
    - All security features are in place and operational
    - Compliance with corporate cybersecurity policy

System Monitoring
- Goal: determination of intrusions
- Methods:
  - REVIEW YOUR LOGS!
  - Logs will contain evidence of any intrusions
  - Cybersecurity policy should dictate who reviews the logs and how often they are reviewed
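
An added example (not part of the original presentation) of the log review this slide calls for, aimed at the UA impersonation and registration hijacking threats listed earlier. The key=value log format, field names, thresholds and addresses are constructed for illustration; the parser would need adapting to the real log format of the registrar or SBC in use.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical key=value registrar log format.
SAMPLE_LOG = """\
2017-05-01T10:00:00 REGISTER aor=sip:1001@example.test src=192.0.2.10 status=401
2017-05-01T10:00:01 REGISTER aor=sip:1001@example.test src=192.0.2.10 status=200
2017-05-01T10:00:05 REGISTER aor=sip:1002@example.test src=203.0.113.7 status=401
2017-05-01T10:00:06 REGISTER aor=sip:1002@example.test src=203.0.113.7 status=401
2017-05-01T10:00:07 REGISTER aor=sip:1002@example.test src=203.0.113.7 status=401
2017-05-01T10:00:08 REGISTER aor=sip:1002@example.test src=203.0.113.7 status=401
2017-05-01T10:00:09 REGISTER aor=sip:1002@example.test src=203.0.113.7 status=401
2017-05-01T10:05:00 REGISTER aor=sip:1001@example.test src=198.51.100.23 status=200
"""

def parse(line):
    """Split one log line into a dict with typed ts and status fields."""
    ts, method, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec.update(ts=datetime.fromisoformat(ts), method=method, status=int(rec["status"]))
    return rec

def review(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Return alerts for failed-REGISTER bursts and changed registration sources."""
    failures = defaultdict(deque)  # src -> times of recent 401/403 responses
    flagged = set()                # sources already reported for a burst
    last_good_src = {}             # aor -> source of last successful REGISTER
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        r = parse(line)
        if r["method"] != "REGISTER":
            continue
        src, aor = r["src"], r["aor"]
        if r["status"] in (401, 403):
            # One 401 is the normal digest challenge; only a burst is suspicious.
            q = failures[src]
            q.append(r["ts"])
            while r["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= max_failures and src not in flagged:
                flagged.add(src)
                alerts.append(("auth-failure-burst", src))
        elif r["status"] == 200:
            failures.pop(src, None)  # a success ends that source's failure run
            prev = last_good_src.get(aor)
            if prev and prev != src:
                # Possible registration hijack, or a phone that moved: verify.
                alerts.append(("registration-source-changed", aor, prev, src))
            last_good_src[aor] = src
    return alerts
```

Both alert types are leads for the reviewer named in the cybersecurity policy, not verdicts: a changed source address can also be a phone that legitimately moved networks.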

Incident Response Plan
- Goal: document expected response to intrusions
- Outlines procedures to follow in the event of an incident
  - Responding to an active attack can be a hectic time
  - Having pre-established procedures to follow can provide structure to the response
- Responsibility policy
  - Intrusions could result in unexpected charges
  - Who's responsible?
  - End users should be made aware of policy up front

Conclusions
- Time for a quiz!
  - Question: Which of the previous methods should be used?
  - Hint: this is a trick question
  - Answer: As many of them as possible
- There is no silver bullet; a layered approach to security is best

Top Five VoIP Security Takeaways
1. Your network will be targeted for attack
2. Be prepared before it happens
3. Use a layered approach to security
4. Security is an ongoing process
5. Be cautious with password complexity
BONUS!
1. Don't forget about the phones

References
- History of phone system hacking (phreaking)
  - Exploding the Phone by Phil Lapsley
- VoIP Vulnerabilities and Security
  - Hacking Exposed: Unified Communications & VoIP by Mark Collier and David Endler
- General Network Security
  - CompTIA Security+ Get Certified Get Ahead by Darril Gibson

Contact Information
One Redcom Center
Victor, New York 14564-0995
Mike Gates
Sales Engineer
mike.gates@redcom.com
(585) 924-6500
www.redcom.com

Disclosure The information presented in this presentation is subject to change without notice or obligation. Content produced by third parties is not necessarily endorsed or supported by REDCOM. The REDCOM name, logo, Sigma, SLICE, and TRANSip are registered trademarks of REDCOM Laboratories, Inc. ClusterNet, CommandSet, CrucialConnect, and SLICE 2100 are trademarks of REDCOM Laboratories, Inc. All other trademarks and service marks are properties of their respective owners. REDCOM products are covered by one or more U.S. and international patents. 2017 REDCOM Laboratories, Inc. All rights reserved.