Best Practices for VoIP Security
Agenda
- A brief introduction to REDCOM
- A short history of phone system hacking
- VoIP overview
- VoIP vulnerabilities
- VoIP security standards
- Risk mitigation methods
- Conclusion
Introduction to REDCOM
- Providing communications solutions for nearly 40 years
- Made in the USA
  - Based in Victor, NY
  - All design, coding, manufacturing, and support
- Diverse customer base
  - Class 4/5 offices
  - Utilities
  - Emergency response
  - Government and DoD
REDCOM Experience
Hacking is a very real concern
Phreaking: A Brief History
- Phone hacking became prevalent in the 1960s and 70s
- The term "phreaking" refers to phone hacking
- The (in)famous Captain Crunch whistle
  - Evolved into the blue box
- Famous phreaks
  - Steve Jobs (aka Oaf of Tobar)
  - Steve Wozniak (aka Berkeley Blue)
  - That time the Woz called the Pope
A Brief VoIP Overview
- Signaling (call control)
  - Standards based: Session Initiation Protocol (SIP), H.323, Media Gateway Control Protocol (MGCP)
  - Proprietary: SCCP (Skinny Call Control Protocol)
- Media (voice, video, etc.)
  - Real-time Transport Protocol (RTP)
  - Uses codecs to encode voice: G.711, G.729, and many others
VoIP Overview: SIP
SIP terms:
- Registrar: the call controller
- User agent (UA): a user endpoint (i.e. a telephone)
- Session: an active media session (i.e. a phone call)
SIP Architecture (diagram: a SIP registrar with two user agents)
VoIP Call Flow
VoIP Vulnerabilities
- UA impersonation
  - Registration hijacking
- Call interception
  - Eavesdropping on the conversation
  - Session manipulation
- Denial of Service (DoS)
  - Overwhelm the session controller so it can't process calls
VoIP Security Standards
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-58: Security Considerations for Voice over IP Systems
- Department of Homeland Security (DHS) 4300A Sensitive Systems Handbook, Attachment Q5: Voice over Internet Protocol (VoIP)
Risk Mitigation
Physical Security
Goal: restrict direct access to network and VoIP systems
Methods:
- Door locks
- Guards
- Alarm system
- CCTV surveillance
- Motion detectors
- Key card access
System Hardening
Goal: restrict remote access to systems and network
Methods:
- System software updates
- Anti-virus software
  - Definition file must be periodically updated
- System passwords
  - Change defaults!
  - Use strong passwords
- Role Based Access Control (RBAC)
A Word About Passwords
- Evolving recommendations
- Out with the old:
  - Complicated mix of characters, i.e. hard to remember
  - Password aging rules
- In with the new:
  - Longer, but no need for the variety of character types
  - End result is that they're much easier to remember
  - Change only if there is evidence of compromise
- Tr0ub4dor&3 vs correcthorsebatterystaple
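The "Tr0ub4dor&3 vs correcthorsebatterystaple" comparison on this slide can be put in numbers. The following is an added example, not material from the REDCOM deck: it models each password by the choices its author made (the step counts in the two scheme lists are assumptions in the spirit of xkcd 936, not measured values), sums the entropy, and converts it to expected guessing time at an assumed throttled online rate of 1000 guesses per second. The naive charset estimate is included to show why a "complexity" rule overstates the strength of a mangled dictionary word.

```python
import math

# Entropy estimates for the two password styles contrasted on the slide,
# "Tr0ub4dor&3" and "correcthorsebatterystaple". The generation models are
# constructed assumptions (following the reasoning of xkcd 936), not
# measurements of any real password policy.


def scheme_bits(choices):
    """Entropy (bits) of a generation scheme, given the number of equally
    likely options at each independent step of the scheme."""
    return sum(math.log2(n) for n in choices)


def charset_bits(length, charset_size):
    """Naive estimate: every character drawn uniformly from the charset.
    This is what simple 'complexity' meters assume, and it overstates the
    strength of a mangled dictionary word."""
    return length * math.log2(charset_size)


def years_to_guess(bits, guesses_per_second):
    """Expected years to hit the password when half the space must be tried."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


# Assumed model for Tr0ub4dor&3: an uncommon base word (~16 bits), a
# capitalisation choice, a handful of common letter/digit substitutions,
# one punctuation character and one digit.
MANGLED_WORD_SCHEME = [2 ** 16, 2, 8, 16, 10]

# Assumed model for correcthorsebatterystaple: four words drawn uniformly
# from a 2048-word list.
PASSPHRASE_SCHEME = [2048, 2048, 2048, 2048]


def compare(guesses_per_second=1000.0):
    """Return entropy and expected guessing time for both styles at the
    given attacker rate (default: an assumed throttled online rate)."""
    mangled = scheme_bits(MANGLED_WORD_SCHEME)
    phrase = scheme_bits(PASSPHRASE_SCHEME)
    return {
        "mangled_word_bits": mangled,
        "mangled_word_naive_bits": charset_bits(len("Tr0ub4dor&3"), 72),
        "mangled_word_years": years_to_guess(mangled, guesses_per_second),
        "passphrase_bits": phrase,
        "passphrase_naive_bits": charset_bits(len("correcthorsebatterystaple"), 26),
        "passphrase_years": years_to_guess(phrase, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:26s} {value:12.2f}")
```

Under these assumptions the mangled word comes out near 27 bits (hours at 1000 guesses per second) while the naive charset model credits it with about 68; the four-word passphrase is 44 bits and takes centuries at the same rate. The lesson matches the slide: length drawn from a real random choice beats character variety, and a passphrase only needs replacing when there is evidence it was compromised.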
Network Hardening
Goal: restrict rogue access to the network
Methods:
- Limit the number of devices that can connect to a single port
- Define the port as an access port
- Restrict port access to specific devices
- Report violations as they occur
- Automatically shut down the port when violations occur
- Disable ports that aren't being used
- Separation of voice and data
Firewall and Session Border Controller
Goal: vetting of information to/from the network
Firewall vs SBC: what's the difference?
- Firewall
  - Most aren't VoIP aware
  - Better suited for data
- SBC
  - Acts as a B2BUA (back-to-back user agent)
  - Meant for VoIP communications
Authentication
Goal: proof of an identity
Methods:
- IP address screening
- SIP authentication
  - Use strong password concepts
- Public Key Infrastructure (PKI) and digital certificates
  - One-way vs mutual authentication
- 2-factor/multi-factor authentication
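The SIP authentication listed here, and the registrar/user-agent roles from the SIP terms slide, fit together in the REGISTER challenge/response of RFC 3261 (HTTP digest, MD5 with qop=auth). The block below is an added example, not REDCOM's code or anything from the deck: the registrar issues a nonce in a 401, the user agent proves it knows the password without sending it, and the registrar verifies with the stored HA1 and accepts each nonce once. The realm "redcom.example", user "1001" and the password are constructed values.

```python
import hashlib
import hmac
import re
import secrets
import time

# Added example of SIP digest authentication (RFC 3261 / RFC 2617 style,
# MD5 with qop=auth). Realm, user and password below are constructed.


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_digest_params(header_value):
    """Turn 'Digest k1="v1", k2=v2, ...' into a dict (quoted or bare values)."""
    _, _, body = header_value.partition(" ")
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def ua_authorization(username, password, method, uri, challenge, cnonce, nc="00000001"):
    """User-agent side: build the Authorization value answering a challenge."""
    ch = parse_digest_params(challenge)
    ha1 = _md5(f"{username}:{ch['realm']}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{ch['nonce']}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{username}", realm="{ch["realm"]}", '
            f'nonce="{ch["nonce"]}", uri="{uri}", qop=auth, nc={nc}, '
            f'cnonce="{cnonce}", response="{response}", algorithm=MD5')


class Registrar:
    """Registrar side. Stores HA1 per user (never the password) and accepts
    each issued nonce once, within a short lifetime."""

    def __init__(self, realm, nonce_lifetime=60):
        self.realm = realm
        self.nonce_lifetime = nonce_lifetime
        self.ha1_by_user = {}
        self.issued_nonces = {}  # nonce -> time issued

    def add_user(self, username, password):
        self.ha1_by_user[username] = _md5(f"{username}:{self.realm}:{password}")

    def challenge(self):
        """WWW-Authenticate value sent in the 401 to an unauthenticated REGISTER."""
        nonce = secrets.token_hex(16)
        self.issued_nonces[nonce] = time.time()
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, method, authorization):
        p = parse_digest_params(authorization)
        needed = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
        if any(k not in p for k in needed) or p["realm"] != self.realm:
            return False
        issued = self.issued_nonces.pop(p["nonce"], None)  # single use
        if issued is None or time.time() - issued > self.nonce_lifetime:
            return False  # unknown, replayed or stale nonce
        ha1 = self.ha1_by_user.get(p["username"])
        if ha1 is None:
            return False
        ha2 = _md5(f"{method}:{p['uri']}")
        expected = _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
        return hmac.compare_digest(expected, p["response"])


def register_flow(password_used="correcthorsebatterystaple"):
    """Run one REGISTER exchange, then replay the same Authorization value.
    Returns (first_attempt_accepted, replay_accepted)."""
    reg = Registrar("redcom.example")
    reg.add_user("1001", "correcthorsebatterystaple")
    uri = "sip:redcom.example"
    challenge = reg.challenge()
    auth = ua_authorization("1001", password_used, "REGISTER", uri, challenge, secrets.token_hex(8))
    first = reg.verify("REGISTER", auth)
    replay = reg.verify("REGISTER", auth)
    return first, replay


if __name__ == "__main__":
    print("correct password:", register_flow())
    print("wrong password:  ", register_flow("Tr0ub4dor&3"))
```

Two points worth noticing for the registrar side: the HA1 file lets anyone who steals it register as that user, so it needs the same protection as a password file, and digest only proves identity; the signaling still travels in the clear, which is what the TLS item on the Encryption slide addresses.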
Encryption
Goal: ensure confidentiality of information
Methods:
- Access to system(s)
  - Secure Shell (SSH)
  - Hyper Text Transfer Protocol Secure (HTTPS)
- VoIP signaling
  - Transport Layer Security (TLS)
- VoIP media
  - Secure Real-time Transport Protocol (SRTP)
- IPSec/VPN tunnels
Assessments and Audits
- Security assessment
  - Review and test the security posture of the network/system
  - Used to identify weak security implementations and/or policies
  - Results of the assessment will help to improve the corporate cybersecurity policy as well as active security features
- Security audit
  - Periodic review to ensure:
    - All security features are in place and operational
    - Compliance with corporate cybersecurity policy
System Monitoring
Goal: detection of intrusions
Methods:
- REVIEW YOUR LOGS!
  - Logs will contain evidence of any intrusions
  - Cybersecurity policy should dictate who reviews the logs and how often they are reviewed
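"Review your logs" is easier to act on with a concrete check. The block below is an added example, not REDCOM's code or anything from the deck: it scans registrar log lines for the two patterns the Vulnerabilities slide names, a burst of failed REGISTER authentications from one source (guessing or account enumeration) and a user whose successful registration suddenly moves to a new address (possible registration hijack). The log line format and every line in SAMPLE_LOG are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example of reviewing registrar logs. The log format and all sample
# lines are constructed; real registrars each have their own format.

LINE = re.compile(
    r"^(?P<ts>\S+) REGISTER user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<code>\d{3})$"
)

SAMPLE_LOG = """\
2017-05-03T10:14:02Z REGISTER user=1001 src=192.0.2.10 result=200
2017-05-03T10:14:03Z REGISTER user=1002 src=192.0.2.11 result=200
2017-05-03T10:14:10Z REGISTER user=1002 src=192.0.2.12 result=401
2017-05-03T10:15:01Z REGISTER user=1001 src=203.0.113.45 result=401
2017-05-03T10:15:02Z REGISTER user=1002 src=203.0.113.45 result=401
2017-05-03T10:15:03Z REGISTER user=1003 src=203.0.113.45 result=401
2017-05-03T10:15:04Z REGISTER user=1004 src=203.0.113.45 result=401
2017-05-03T10:15:05Z REGISTER user=1005 src=203.0.113.45 result=401
2017-05-03T10:15:06Z REGISTER user=1006 src=203.0.113.45 result=401
2017-05-03T10:16:30Z REGISTER user=1001 src=203.0.113.45 result=200
"""


def parse_log(text):
    """Parse matching lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated or malformed line; a full reviewer would count these too
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m["user"], "src": m["src"], "code": int(m["code"])})
    return sorted(events, key=lambda e: e["ts"])


def failed_auth_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """One alert per source that produced `threshold` or more 401/403 results
    within `window`, noting how many distinct users it tried."""
    failures = defaultdict(list)
    for e in events:
        if e["code"] in (401, 403):
            failures[e["src"]].append(e)
    alerts = []
    for src, evs in failures.items():
        for i in range(threshold - 1, len(evs)):
            if evs[i]["ts"] - evs[i - threshold + 1]["ts"] <= window:
                alerts.append({"type": "auth_failure_burst", "src": src,
                               "failures": len(evs),
                               "users_tried": len({e["user"] for e in evs})})
                break
    return alerts


def registration_moves(events):
    """Alert when a user that registered successfully from one address later
    registers successfully from a different one: possible registration hijack."""
    last_src = {}
    alerts = []
    for e in events:
        if e["code"] != 200:
            continue
        prev = last_src.get(e["user"])
        if prev is not None and prev != e["src"]:
            alerts.append({"type": "registration_moved", "user": e["user"],
                           "from": prev, "to": e["src"], "at": e["ts"].isoformat()})
        last_src[e["user"]] = e["src"]
    return alerts


def review_logs(text):
    events = parse_log(text)
    return failed_auth_bursts(events) + registration_moves(events)


if __name__ == "__main__":
    for alert in review_logs(SAMPLE_LOG):
        print(alert)
```

On the sample the single typo from 192.0.2.12 stays quiet, the six failures from 203.0.113.45 raise one burst alert, and the later successful registration of 1001 from that same address raises a move alert; that pairing is the signature of a hijacked registration and is what the reviewer named in the cybersecurity policy should be looking for. The thresholds are tuning knobs; a site with roaming soft phones will want the move check keyed to its own address ranges.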
Incident Response Plan
Goal: document the expected response to intrusions
- Outlines procedures to follow in the event of an incident
  - Responding to an active attack can be a hectic time
  - Having pre-established procedures to follow can provide structure to the response
- Responsibility policy
  - Intrusions could result in unexpected charges; who's responsible?
  - End users should be made aware of the policy up front
Conclusions
Time for a quiz!
- Question: Which of the previous methods should be used? (Hint: this is a trick question.)
- Answer: As many of them as possible. There is no silver bullet; a layered approach to security is best.
Top Five VoIP Security Takeaways
1. Your network will be targeted for attack
2. Be prepared before it happens
3. Use a layered approach to security
4. Security is an ongoing process
5. Be cautious with password complexity
BONUS!
1. Don't forget about the phones
References
- History of phone system hacking (phreaking): Exploding the Phone by Phil Lapsley
- VoIP vulnerabilities and security: Hacking Exposed: Unified Communications & VoIP by Mark Collier and David Endler
- General network security: CompTIA Security+ Get Certified Get Ahead by Darril Gibson
Contact Information
One Redcom Center, Victor, New York 14564-0995
Mike Gates, Sales Engineer
mike.gates@redcom.com
(585) 924-6500
www.redcom.com
Disclosure The information presented in this presentation is subject to change without notice or obligation. Content produced by third parties is not necessarily endorsed or supported by REDCOM. The REDCOM name, logo, Sigma, SLICE, and TRANSip are registered trademarks of REDCOM Laboratories, Inc. ClusterNet, CommandSet, CrucialConnect, and SLICE 2100 are trademarks of REDCOM Laboratories, Inc. All other trademarks and service marks are properties of their respective owners. REDCOM products are covered by one or more U.S. and international patents. 2017 REDCOM Laboratories, Inc. All rights reserved.