VOIP. Technology, Security Threats & Countermeasures. Jaydip Sen. Innovation Lab Tata Consultancy Services, Kolkata


VOIP Technology, Security Threats & Countermeasures Jaydip Sen Innovation Lab Tata Consultancy Services, Kolkata Email: Jaydip.Sen@tcs.com

Migration to the Integrated World Mobile Voice Fixed Voice Converged Voice End-to-end Solutions (IP) Data Communications Time

What is IP (Internet Protocol)?
  IP is the language that computers use to communicate over the Internet
  IP is the transmission mode that is expected to be used in the future for both voice and data
  IP enables today's services to be implemented over the same access (e.g. telephony and Internet access)
  IP enables multiple services to share the one network

Broadband (IP) Telephony Broadband telephony is speech/voice that is packaged and transmitted partly or entirely over IP-based networks The concept of broadband telephony is the sum of: Voice Over IP Internet telephony Related value-added services Full-featured broadband telephony uses IP technology both for voice transmission and for value-added services Broadband telephony is in the first place a follow-on product of data communications solutions Broadband telephony requires a broadband connection

Evolution of Voice Telephony Products Fixed access IP Broadband telephony Digital AXE IP GPRS IP 3G Analog AGF Analog NMT Digital GSM Mobile access

Convergence of Fixed and Mobile Voice POTS = access line VOIP = SIP server account Mobile = HLR account VOIP Mobile SIP- client = SIM card IP coverage Radio coverage All devices can or will be wireless

Prerequisites, Business Model, Time Frame Prerequisites Broadband penetration Established standards Customer needs Business model IP will generate a new logic over time Start from where you are convergence may be the best of both worlds Time frame It may be a long time before IP takes over completely

Broadband vs. Conventional Telephony Reliability Prioritization of voice packets Combining different networks Power dependency Broadband telephony doesn't work if the power is off at the customer Ability to reach alarm numbers Position information Standards Terminals Services/networks

Business People Needs Integrated Services Communicate with other people Telephone Voice-mail E-mail, sms, mms Plan and organize your work Telephone Calendar Contacts E-mail Do business Telephone E-business CRM Supply Chain mgmt Stay informed Telephone Web search News, Collaborate with other people Telephone meeting Video meeting e-meeting Project management tools

The VOIP Funnel Business Customers 2002 2003 2004 Business case Standards 2005 2006 Lab Branch office (where to start) Network management QoS Full scale Scale up to corporate level First full implementations First pilots TRENDS Classic Centrex Classic PBX IP Centrex IP PBX

Individual Customer Needs Connectivity with control Need to be in touch Voice is still the killer application Need to control accessibility Want to be reachable but need to control access based on user situations Need to stay informed Need to know what is going on around them E.g. after 9/11, increased need for security Greater capabilities for: Personal telephony Communications Mobility

Broadband Telephony
SIP (Session Initiation Protocol)
  A standard that is establishing itself
  Other parties can provide services
Functionality
  Telephony as software in a PC
  Simple to download
  Adapter or separate phone required to talk via receiver
  Personal phone number 0751121441
  SIP address 0751121441@telia.com, which can be an email address
Capabilities
  Call control
  Availability information
  Chat
  Video calls

What is VoIP?
  A suite of IP-based communications services
  Provides multimedia communications over IP networks
  Based on open IETF and ITU standards
  Operates over any IP network (not just the Internet)
  Utilizes separate paths for signaling and media
  Low-cost alternative to PSTN calling

The Business Value of VoIP
Cost
  Toll bypass for on-net calling
  Reduced network costs
  Lower move/add/delete (MAD) costs
  Reduced site preparation time
  Network convergence
Functionality
  Enterprise directory integration
  Unified Messaging
  Call center applications
  Interactive Voice Response (IVR)
  IP Video
  Instant Messaging
Mobility
  Location services (Find-Me/Follow-Me routing)
  Wider array of service providers
  Ubiquitous access

PSTN vs VoIP
Public Switched Telephone Network (PSTN)
  SS7 signaling protocol
  Circuit-switched network (ATM/Frame Relay)
  Expensive infrastructure
  Reliable quality
Voice Over IP (VoIP)
  SIP, H.323, SCCP, MGCP, or MegaCo signaling protocol
  RTP media protocol
  Packet switched network
  Converged infrastructure
  Unreliable quality

VoIP Protocols: SIP (RFC 3261)
The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol for creating, modifying and terminating sessions with one or more participants.
  Text based messaging
  Modeled on HTTP
  Uses URI to address call flow components
    sip:rdh@stealthllama.org
    sip:robert.hagen@globalcrossing.com
  Versatile and open with many applications: Voice, Video, Gaming, Instant Messages, Presence, Call-Control
Example request:
    INVITE sip:bob@biloxi.com SIP/2.0
    Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
    Max-Forwards: 70
    To: Bob <sip:bob@biloxi.com>
    From: Alice <sip:alice@atlanta.com>;tag=1928301774
    Call-ID: a84b4c76e66710@pc33.atlanta.com
    CSeq: 314159 INVITE
    Contact: <sip:alice@pc33.atlanta.com>
    Content-Type: application/sdp
    Content-Length: 142

SIP Methods
  INVITE: creates a session
  BYE: terminates a session
  ACK: acknowledges a final response for an INVITE request
  CANCEL: cancels an INVITE request
  REGISTER: binds a public SIP URI to a Contact address
  OPTIONS: queries a server for capabilities
  SUBSCRIBE: installs a subscription for a resource
  NOTIFY: informs about changes in the state of the resource
  MESSAGE: delivers an Instant Message
  REFER: used for call transfer, call diversion, etc.
  PRACK: acknowledges a provisional response for an INVITE request
  UPDATE: changes the media description (e.g. SDP) in an existing session
  INFO: used to transport mid-session information
  PUBLISH: publication of presence information

SIP Components
User Agents
  Clients: make requests
  Servers: accept requests
Server types
  Redirect Server
  Proxy Server
  Registrar Server
  Location Server
Gateways

Session Description Protocol (SDP)
SDP: IETF RFC 2327
SDP is intended for describing multimedia sessions for the purposes of session announcement, session invitation, and other forms of multimedia session initiation.
SDP includes:
  The type of media (video, audio, etc.)
  The transport protocol (RTP/UDP/IP, H.320, etc.)
  The format of the media (H.261 video, MPEG video, etc.)
  Information to receive those media (addresses, ports, formats, etc.)
  Crypto keys
Example session description:
    v=0
    o=mhandley 2890844526 2890842807 IN IP4 126.16.64.4
    s=sdp Seminar
    i=a Seminar on the session description protocol
    u=http://www.cs.ucl.ac.uk/staff/m.handley/sdp.03.ps
    e=mjh@isi.edu (Mark Handley)
    c=IN IP4 224.2.17.12/127
    t=2873397496 2873404696
    a=recvonly
    m=audio 49170 RTP/AVP 0
    m=video 51372 RTP/AVP 31
    m=application 32416 udp wb
    a=orient:portrait
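
An added example, not part of the original slides: a Python sketch that parses a SIP INVITE with an SDP body and reports where signaling, media or key material would travel unprotected. The message is constructed from the header and SDP fields shown above (the key is a placeholder), and audit_invite() and the other helper names are hypothetical.

```python
# Constructed sample: INVITE sent over UDP; the SDP offers one plain RTP
# stream and one SRTP stream keyed inline (placeholder key, not a real one).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@biloxi.com SIP/2.0",
    "Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds",
    "From: Alice <sip:alice@atlanta.com>;tag=1928301774",
    "Call-ID: a84b4c76e66710@pc33.atlanta.com",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "m=video 51372 RTP/SAVP 31",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY",
    "",
])

def parse_sip(raw):
    """Split a SIP message into start line, (name, value) headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return lines[0], headers, body

def parse_sdp(body):
    """Return (session_fields, media); each media entry owns the fields after it."""
    session, media = [], []
    for line in body.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue                      # not a "<type>=<value>" SDP line
        kind, value = line[0], line[2:].strip()
        parts = value.split()
        if kind == "m" and len(parts) >= 3:
            media.append({"type": parts[0], "port": int(parts[1].split("/")[0]),
                          "proto": parts[2].upper(), "fields": []})
        elif media:
            media[-1]["fields"].append((kind, value))
        else:
            session.append((kind, value))
    return session, media

def carries_key(fields):
    """True if an SDP k= line or an a=crypto attribute is present."""
    return any(k == "k" or (k == "a" and v.startswith("crypto:"))
               for k, v in fields)

def audit_invite(raw):
    """List the places where this INVITE exposes signaling, media or keys."""
    _, headers, body = parse_sip(raw)
    via = next((v for n, v in headers if n in ("via", "v")), "")
    transport = via.split()[0].split("/")[-1].upper() if via else "UNKNOWN"
    tls = transport == "TLS"   # TLS protects this hop only, not the whole path
    findings = []
    if not tls:
        findings.append(f"signaling: top Via uses {transport}, not TLS")
    session, media = parse_sdp(body)
    if carries_key(session) and not tls:
        findings.append("session: key material sent over cleartext signaling")
    for m in media:
        label = f"{m['type']}:{m['port']}"
        if m["proto"] == "RTP/AVP":
            findings.append(f"media {label}: plain RTP/AVP, no SRTP")
        if carries_key(m["fields"]) and not tls:
            findings.append(f"media {label}: key material sent over cleartext signaling")
    return findings
```
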

Media Protocols
RTP: Real-time Transport Protocol (RFC 3550)
  Standardized packet format for delivering audio and video over IP
  Frequently used in streaming media systems
CODECs
  GIPS Enhanced G.711: 8kHz sampling rate, Voice Activity Detection, Variable bit rate
  G.711: 8kHz sampling rate, 64kbps
  G.729: 8kHz sampling rate, 8kbps, Voice Activity Detection

SIP Call Flow
[Diagram: Alice calls Bob through an outbound proxy and an inbound proxy. Messages shown: INVITE, 100 Trying, 180 Ringing, 200 OK, ACK, RTP voice, BYE. Steve answers Bob's phone.]

SIP Standards
A sampling of SIP RFCs
  RFC3261: Core SIP specification (obsoletes RFC2543)
  RFC2327: SDP, Session Description Protocol
  RFC1889: RTP, Real-time Transport Protocol
  RFC2326: RTSP, Real-Time Streaming Protocol
  RFC3262: SIP PRACK method, reliability for 1XX messages
  RFC3263: Locating SIP servers, SRV and NAPTR
  RFC3264: Offer/answer model for SDP use with SIP
  RFC3265: SIP event notification, SUBSCRIBE and NOTIFY
  RFC3266: IPv6 support in SDP
  RFC3311: SIP UPDATE method, e.g. changing media
  RFC3325: Asserted identity in trusted networks
  RFC3361: Locating outbound SIP proxy with DHCP
  RFC3428: SIP extensions for Instant Messaging
  RFC3515: SIP REFER method, e.g. call transfer

Complexities of VOIP Architecture Copied from NSA Security Guidance for Deploying IP Telephony Systems, Report Number: I332-016R-2005

VOIP Security Threats Robert Wood

Most Common VOIP Security Mistakes 1. Treating VOIP security the same way as Network security 2. Not treating VOIP security the same way as Network Security How it's the Same How it's Different Uses mostly the same protocols Uses mostly the same Operating Systems Many of the same threats What we Commonly See Some unique protocols Traditional Security devices (IDS/Firewalls can disrupt service) People treat it like the old phone system! Segmentation without monitoring Improperly configured systems Little device hardening Little understanding of privacy threats No regular security assessments ON the VOIP segment

VoIP Threats: VOIP Threat Taxonomy
Social Threats
  Misrepresentation
    Identity
    Authority
    Rights
    Content
  Theft of Services
  Unwanted Contact
    Harassment
    Extortion
    Unwanted Lawful Content (spam and other offensive material)
Eavesdropping
  Call Pattern Tracking
  Traffic Capture
  Number Harvesting
  Call Reconstruction (voice, video, fax, text, voicemail)

VoIP Threats: VOIP Threat Taxonomy
Interception and Modification
  Call Black Holing
  Call Rerouting
  Fax Alteration
  Conversation Alteration
  Conversation Degradation
  Conversation Impersonation and Hijacking
  False Caller Identification
Service Abuse
Denial of Service
  VoIP Specific DoS
    Request Flooding
    Malformed Requests and Messages
    QoS Abuse
    Spoofed Messages
    Call Hijacking
  Network Services DoS
  Underlying Operating System/Firmware DoS
  Distributed DoS (DDoS)
Physical Intrusion

VoIP Threats: VOIP Threat Taxonomy
Other Disruptions of Service
  Loss of Power
  Resource Exhaustion
  Performance Latency and Metrics

Summary of VOIP Risks?
  Service Disruption or Denial of Service
  Theft of Service or Data
  Infrastructure Attacks
  Voice SPAM (Vishing, Mailbox Stuffing, Unsolicited Calling)
  Call Hijacking and Spoofing
  Call Eavesdropping or recording
  Voicemail Hacking
  Every other network and system vulnerability not unique to VOIP!

Threat Model for VOIP Systems Voice Mail VOIP Environment VOIP Network Gateway VOIP Application Layer Supporting Applications Layer Configuration Databases IP Phones Firewall Fax SBC Call Manager Servers HW Platform, OS VOIP Protocol Layer Signaling and Transfer Protocols Facility/Infrastructure

What are the Threat Vectors?
  OS Exploits
  Signaling Attacks
  Endpoint Admin Privilege Exploits
  Proxy Impersonation
  Real Time Protocol (RTP) Attacks
  VoIP Wiretapping
  VoWiFi Attacks
  DoS Attacks
  Spam for Internet Telephony (SPIT)
  IP PBX and Telephony Server Exploits
  Vishing (VoIP Phishing)

Who are You Protecting Against? Malicious Attack Unintentional Exposure Intentional Exposure Risk is Irrelevant of Intent

Specialized Hacking Tools
  SIPScan - enumerate SIP interfaces
  TFTPBrute - TFTP directory attacking
  UDP and RTP Flooder - DoS tools
  hping2 - TCP session flooding
  Registration Hijacker - tool to take over H.323 session
  SIVUS - SIP authentication and registration auditor
  Vomit - RTP Playback
  VOIP HOPPER - IP Phone mimicking tool
  LDAPMiner - collect LDAP directory information
  Dsniff - various utilitarian tools (macof and arpspoof)
  Wireshark (Ethereal) / tcpdump - packet capture and protocol analysis

Hardware Can be Guessed
"Your call is being answered by Audix. [USER'S NAME] {is not available... to leave a message wait for the tone, is busy... to leave a message wait for the tone}."
"[USER'S NAME] {is on the phone, is unavailable} Please leave your message after the tone. When done, hang up or press the pound key."
"Record your message at the tone. When you are finished, hang up or hold for more options."

DDoS Attack? call

Toll Fraud Hacker sells your company calling information Your company gets the bill

Call Manager OS

Call Manager OS?

Call Forwarding/Spoofing? call

Expose Private Conversations! call

Block Certain Calls? 555-1212 999-1213 987-6543

Log Call Activity call

Hijacking/Injection Attack call

Call Forwarding/Spoofing call


Eavesdropping
[Diagram: Alice and Bob connected through an outbound proxy and an inbound proxy (SIP signaling, RTP media), with Kevin as the eavesdropper]
  DTMF intercept
  IM snooping
  Call pattern analysis
  Number harvesting
  Network discovery
  Voice reconstruction
  Fax reconstruction
  Video reconstruction

Spoofing
[Diagram: Alice and Bob in a call through an outbound proxy and an inbound proxy (SIP signaling, RTP media); a BYE is delivered and the call ends]
Kevin forges a BYE from Alice

Recording call

Interception
[Diagram: Alice and Bob in a call through an outbound proxy and an inbound proxy; messages shown are REFER, 202 Accepted, INVITE, 200 OK and BYE, after which Kevin is in the call]
Kevin forges a REFER from Bob
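
An added example, not part of the original slides: a Python sketch of a dialog tracker that flags the forged BYE and REFER cases from the two slides above. It assumes a SIP-aware sensor (for instance at a session border controller) that sees the real source address of each message and has already parsed it into records; the records, addresses and the check_events() name are constructed for illustration.

```python
IN_DIALOG = {"BYE", "REFER"}   # requests that act on an established call

def check_events(events):
    """Return (call_id, method, reason) alerts for suspicious in-dialog requests."""
    dialogs, alerts = {}, []
    for ev in events:
        cid, kind = ev["call_id"], ev["kind"]
        dialog = dialogs.get(cid)
        if kind == "INVITE" and dialog is None:
            # Initial INVITE: remember the caller's address and From tag.
            dialogs[cid] = {"parties": {ev["src"]}, "tags": {ev["from_tag"]}}
        elif kind == "200" and dialog is not None:
            # Answer: the callee's address and To tag complete the dialog.
            dialog["parties"].add(ev["src"])
            dialog["tags"].update({ev["from_tag"], ev["to_tag"]})
        elif kind in IN_DIALOG:
            if dialog is None:
                alerts.append((cid, kind, "no such dialog"))
            elif {ev["from_tag"], ev["to_tag"]} != dialog["tags"]:
                alerts.append((cid, kind, "tags do not match the dialog"))
            elif ev["src"] not in dialog["parties"]:
                # Correct identifiers (e.g. sniffed) but sent by a third host.
                alerts.append((cid, kind, "source is not a dialog party"))
            elif kind == "BYE":
                dialogs.pop(cid)          # legitimate hang-up ends the dialog
    return alerts

# Constructed records: Alice (192.0.2.10) calls Bob (198.51.100.20);
# a third host (203.0.113.66) injects requests into the call.
SAMPLE_EVENTS = [
    {"src": "192.0.2.10", "kind": "INVITE", "call_id": "c1",
     "from_tag": "a1", "to_tag": None},
    {"src": "198.51.100.20", "kind": "200", "call_id": "c1",
     "from_tag": "a1", "to_tag": "b1"},
    {"src": "203.0.113.66", "kind": "BYE", "call_id": "c1",
     "from_tag": "a1", "to_tag": "b1"},
    {"src": "203.0.113.66", "kind": "REFER", "call_id": "c1",
     "from_tag": "b1", "to_tag": "guess"},
    {"src": "192.0.2.10", "kind": "BYE", "call_id": "c1",
     "from_tag": "a1", "to_tag": "b1"},
    {"src": "203.0.113.66", "kind": "BYE", "call_id": "c9",
     "from_tag": "x", "to_tag": "y"},
]

if __name__ == "__main__":
    for alert in check_events(SAMPLE_EVENTS):
        print(alert)
```

The source-address check is a heuristic: over UDP an attacker who can also spoof the address passes it, which is why the countermeasure slides pair monitoring with TLS for signaling.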

Key Mitigation Strategies
  Create VOIP Specific Security Policies
  Segmentation as appropriate
    Restrict logical network access to critical servers and VoIP call processors
    Utilize separate VLANs for voice and data
  Device Hardening
    Do not use default passwords
    Turn off unnecessary services
    Apply vendor supplied patches in a timely manner
    Perform vendor installation security checklist to harden applications
  Perform Security Assessments on and against the VOIP infrastructure
  Apply Appropriate Encryption

Key Mitigation Strategies
  Utilize VoIP aware Firewalls, Intrusion Prevention Systems (IPS) and Session Border Controllers (SBC) when possible
  Utilize end-to-end QoS
  Continue to protect against traditional system attacks (Toll Fraud, Modem Security, Social Networking Attacks, etc.)

Security Solutions Robert Wood

Network Solutions: Security Policy
Establish a corporate security policy
  Acceptable Use Policy
  Analog/Dial-in/ISDN Line Policy
  Anti-Virus Process
  E-mail Policy
    Automatic Forwarding
    Usage
    Retention
  Ethics Policy
  Password Protection Policy
  Patch Management Process
  Router Security Policy
  Server Security Policy
  Risk Assessment Policy
  VPN Security Policy
  Wireless Security Policy
http://www.sans.org/resources/policies/#template
GISFI # 2, Allahabad, September 17, 2010

Security Solutions: Network Network Design by Cisco Systems

Security Solutions: DoS & DDoS
Provide redundancy through:
  Mesh Corporate WAN design
  Utilizing multiple ISPs
  Fallback PSTN Gateway(s)
  Uninterruptible Power Supplies
Negotiate QoS agreements

Security Solutions: Hacking
Segment networks into separate VLANs
  Voice network
  Data network
  Monitoring and control network

Security Solutions: Hacking
Maintain VoIP application server updates
  Call manager server(s)
  Voicemail server(s)
  Gateway server(s)
Install current Operating System patches
Install current application software patches

Security Solutions: Spoofing
Eliminate unknown devices
  DHCP Snooping
  DAI: Dynamic Address Resolution Protocol Inspection
  IP Source Guard
Eliminate unknown software
  Digital Signatures

Security Solutions: Threats
Manage and prevent threats via:
  Stateful Firewalls
  Virus Filters
  Intrusion Detection (NIDS)
  Intrusion Prevention (HIPS)
Filter unnecessary ports on:
  Routers
  Switches
  PCs
  IP Telephones
  Firewalls

Security Solutions: Complete

Network Diagram Legend

Summary of Countermeasures: Authentication and Encryption
Digest Authentication
  Used during UA registration
  Authenticates UA to SIP proxy
  Similar to HTTP digest from web browser to web server
  Cannot be used between proxies
Transport Layer Security (TLS)
  Used to secure signaling path
  Authenticates each endpoint on a link
  Provides encrypted path between each link
  Non-transitive trust
  Can be used between proxies
  Requires X.509 certificates
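
An added example, not part of the original slides: a Python sketch of the Digest Authentication exchange used for REGISTER, following the HTTP digest calculation (RFC 2617, MD5 with qop=auth). The Registrar class, build_credentials() and the single-use nonce policy are illustrative assumptions; user names and passwords are constructed.

```python
import hashlib
import hmac
import secrets

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def ha1(username, realm, password):
    """Hash of the shared secret; the registrar can store this, not the password."""
    return _md5(f"{username}:{realm}:{password}")

def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value: binds the secret to the nonce, method and URI."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_credentials(username, realm, password, method, uri, nonce):
    """UA side: answer a challenge. The password itself never goes on the wire."""
    nc, cnonce = "00000001", secrets.token_hex(8)
    return {"username": username, "uri": uri, "nonce": nonce, "nc": nc,
            "cnonce": cnonce, "qop": "auth",
            "response": digest_response(ha1(username, realm, password),
                                        method, uri, nonce, nc, cnonce)}

class Registrar:
    """Hypothetical registrar: issues nonces and verifies REGISTER credentials."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: ha1(u, realm, p) for u, p in users.items()}
        self.nonces = set()

    def challenge(self):
        """Nonce that would be sent in the 401 challenge."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def verify(self, method, creds):
        # Assumption for this sketch: each nonce is accepted once, so a
        # captured REGISTER cannot simply be replayed.
        if creds["nonce"] not in self.nonces:
            return False
        self.nonces.discard(creds["nonce"])
        stored = self.ha1.get(creds["username"])
        if stored is None:
            return False
        expected = digest_response(stored, method, creds["uri"], creds["nonce"],
                                   creds["nc"], creds["cnonce"], creds["qop"])
        return hmac.compare_digest(expected, creds["response"])

if __name__ == "__main__":
    reg = Registrar("atlanta.com", {"alice": "constructed-password"})
    creds = build_credentials("alice", "atlanta.com", "constructed-password",
                              "REGISTER", "sip:atlanta.com", reg.challenge())
    print("first attempt:", reg.verify("REGISTER", creds))
    print("replayed:", reg.verify("REGISTER", creds))
```

Both sides need the user's secret (or its HA1 hash) to compute the response, which is the shared-secret dependency behind the slide's point that digest cannot be used between proxies.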

Summary of Countermeasures: Authentication and Encryption
Secure RTP (SRTP)
  Used to secure the media path
  Provides end-to-end security
  Requires X.509 certificates
Zphone (ZRTP)
  Used to secure the media path
  Provides end-to-end security
  IETF draft written by Phil Zimmermann
  Requires no X.509 certificates
  Relies on OSI layer 8 authorization

Summary of Countermeasures
Physical Security
  VoIP equipment in secured datacenter
  Lock wiring closet doors
  VoIP VLANs = Good
  Separate VoIP network = Better
  Separate VoIP network + Authentication + Encryption = Best!
Logical Security
  CIS Benchmarks applied to all host platforms
  Regular patching and assessments
  Network IDS
  Firewall and NAT protection of gateway and proxies

Conclusion
VOIP will lead to convergence of voice and data into a common infrastructure for wiring, routers, network connectivity. Companies will be able to deploy, manage and maintain one network to serve all communication needs, saving on infrastructure costs and resources.
With VoIP the Internet becomes the backbone of a company's phone network. This leads to a number of threats:
  Hackers
  Worms
  Viruses
  DoS attacks
The challenge of VoIP security is not new. History has shown that advances and trends in information technology typically outpace the corresponding realistic security requirements. Such requirements are often tackled only after these technologies have been widely adopted and deployed.
Cable Datacom News

Thank You!