CSI32: Nov 15, 2005 Page 1 of Securing IP Telephony Networks Securing IP Telephony Networks George G. McBride Session TEC-8 November 15, 2005 4:45 PM to

CSI32: Nov 15, 2005Page 1 of Securing IP Telephony Networks

Securing IP Telephony Networks

George G. McBride

Session TEC-8

November 15, 2005 4:45 PM to 5:45 PM


Some Key Points To Cover This Afternoon

• The fundamentals and security concerns of VoIP • Mitigating risks associated with VoIP • Confidentiality, integrity, authentication, availability,

access, and non-repudiation • Determining what to look for in an audit • Measuring risk and recommending actions to reduce

vulnerability• Tools that you can use• Lessons learned from my assessments


Real Quick Introduction

• What is Voice over IP?– Definition: Transmission of voice over the IP

Network

• Why is it important to companies?– $$$ (and sometimes “services”)

• Is this brand new?– SIP and H.323 Standards have been around since

the mid 1990s

• Why now?


VoIP Introduction

• What do you need for a VoIP network?– The IP Part: A data network– The V Part: VoIP specific equipment

• H.323 and SIP are two different sets of protocols and have different infrastructure requirements– There is some commonality between the

two!


VoIP Implementation

• Who put the VoIP infrastructure in place?– Many times, the designers and

implementers are the traditional “voice” personnel

• May be just learning the new technology

– Or it may be sharp IT personnel who aren’t “voice” savvy

– Nevertheless, the technology including products, protocols, and services are new and “experts” are limited!


What Are The Threats?

Concern PSTN Controls VoIP ControlsConfidentiality Physical Encryption

Integrity Physical Encryption/Checksums

Availability Physical Access Control Logical Access Control

Authentication Recognition & Caller ID User ID and Password

Authorization Access Control & Caller ID Access Control

Design Large/Complex/Centralized Varies…Distributed

Interoperability Centralized & Very Tested Distributed & Ad-Hoc


The Legal Threat

• Companies are currently reviewing the Communications Assistance to Law Enforcement Act (CALEA) to determine how they must comply:– Service Providers Only?– All Companies?– Only when the VoIP interfaces with the PSTN?


Emergency Services

• 911 Emergency Services– PSTN/POTS locations are generally assigned by

physical port and generally don’t move around!– VoIP Phones by definition are usually “portable”

and are simply based on IP addresses• How are location services managed?

Updated? Logged?• Is it real-time?


The Biggest Threat!

• Your organization is responsible for the costs related to toll fraud

• When the VoIP Gateway is compromised and hacker’s use the gateway for unlimited international dialing, your company is responsible for the toll charges

• I still don’t have any realistic or consistent figures to share. Do you?


The Threats Are Real!• XXX Series phones running the default Skinny (SCCP)

protocol for messaging, can be easily crashed by sending malformed messages.

• XXX VoIP enabled router is also vulnerable by sending a message of 50,000 characters+ to port 2000 (the TCP port used by the router to communicate with the phones) to cause every VoIP phone on the network to reboot or lock-up, completely disrupting communications.

• XXX is vulnerable to an ARP attack on a target phone which draws the RTP data stream through the attacker’s computer. As most conversations are transmitted in the clear, eavesdropping is trivial.


Problems With “Reviewing” VoIP

• We’re often asked to “assess” the VoIP infrastructure against the current policies

• These policies do not address the minimum security baseline for a VoIP infrastructure

• Typical VoIP audits are also part “assessment”


Documentation Review

• A review program should begin with a formal review of all corporate documentation regarding the VoIP infrastructure:– Corporate Service Offerings– VoIP Infrastructure

• IP Network Infrastructure • Client Devices

– Acceptable Use statements– PSTN Interface SLAs


Risk Management

• One of the most important aspects to manage!– Identification and Inventory of Assets– Understanding of threats, vulnerabilities, and

controls– Cannot be evaluated in isolation. Threats and

vulnerabilities are internal and external.

• This is one area where the assessors and IT Security can work together.


Reviewing: The Architecture

• Architecture:– Need personnel with auditing, technology,

and product know-how!– Start from the top down to understand the

details are you encounter them– There may not be a “right” architecture, but

there are many “wrong” ones


Before You Begin!

• From your IT Organization’s source, obtain an inventory of the VoIP infrastructure

• Obtain all documentation and specifications from the vendor to understand what you have and what it is supposed to do

• Obtain configuration information• Review on-line vulnerability/risk databases


Auditing Concerns

• The next few slides highlight some VoIP specific concerns that we should review.– Are these part of your organization’s

standards, practices, procedures, and policies?

• This is a highlight of a number of areas that should be reviewed. There are plenty more!


Basic Physical Infrastructure

• Physical Security:– The old “telecom” closets are often neglected

and may be insecure. Where is your VoIP equipment?

– Protect test and trial equipment as you would production equipment. It usually has production grade configuration information

– Ensure UPS equipment can handle the new loads


Business Continuity Planning & Disaster Recover

• Have you incorporated the entire VoIP infrastructure into the BCP/DR efforts?

• Have you tested it?• Are the employees aware of it?• Be aware of limited restores. • Companies today tend to build

significant features into their VoIP phones that they’ve grown to need.


Logical Auditing Concerns

• VLAN Usage:– Separate voice and data on logically

separate networks.• Each VLAN should have a separate DHCP

Server and management system• Reduces QoS Issues• VLAN Jumping still an issue, depending on

equipment


Logical Auditing Concerns (Con’t)

• Firewalls:– Are you using the right one for your

environment?• Is it VoIP Specific? Does it support SIP or

H.323? What about Megaco?

– Does it support Application Level Gateways or Proxies?

– Pinholing?

– Is it stateful?


Reviewing The Firewall

• Obtain the Firewall rule sets.– Can you experiment in a “lab” setting? This is great

to validate the firewall rule sets!• What are the static ports?

– Port 1720 for Call Signaling– Usually H.225 traffic. – Any others for management?

• What are the required dynamic ports?• Even a VoIP-aware firewall will require reviewing,

tuning, and tweaking



• Interfaces:– PSTN to VoIP Infrastructure:

• At the Voice Gateway: Are SIP, H.323, MGCP, and Megaco connections from the data network prohibited?

• What authentication is configured? Required?


The Firewall

• A Great Cisco Whitepaper highlights key areas where voice and data traffic intersect and should have firewall protection:– PC Based IP Phones (d) requiring access to the voice

segment (v) to place calls– IP Phones (d) and call managers (v) accessing voice-mail– Users (d) accessing the proxy server (v)– Proxy Server (v) accessing network resources (d)– IP Phones (d) to call processing manager (v) or proxy

server (v) because the interaction uses the data segment to communicate


Firewall NAT

• NAT, Network Address Translation helps to efficiently utilize resources and to provide some level of security.– Full Cone (1:1 address and port)– Restricted Cone – same as full cone, incoming

packets are rejected unless an outbound one originated the traffic (looks at IP Address Only)

– Port Restricted Cone – Like Restricted Cone but restricts the inbound packet as it must be returning to the same outbound port

– Symmetric NAT – Different mapping for each inbound – outbound pair.



• Remote Management– Use SSH only for remote administration

and management.• Telnet is dead.

– For the truly paranoid, use dedicated consoles for each management server

– How are the configuration files protected? Backed-up?


QoS: Quality of Service

• Is Quality of Service a “Security Issue”?– It is when the security features impact

the VoIP QoS levels.– You’ll invariably be asked about it

during your Audit

• The next few slides highlight some QoS issues


QoS

• Latency – time from source to destination. The ITU-T recommended upper bounds for latency is to be less than 150ms.– Queuing– Encoding– Packetization– Transmission


Jitter

• Jitter – the time differences between packet arrival on the receiving end.– Jitter often affects QoS more than latency– Caused by low bandwidth– Can cause packets to be processed out of

sequence and/or dropped if they fall outside of the receiving buffer

– Firewalls are a big source of jitter introduction


Bandwidth & Packet Loss

• What is the available bandwidth for VoIP traffic? If on a VLAN, this answer is easy to compute. If on a shared network, this is quite a bit different (and more variable).

• Packet Loss results from excessive latency or jitter; as well as a result of voice-data riding over UDP.


What about H.235

• Provides H.323 Security Features through defined profiles which provide different levels of security.

• These must be required, not an optional implementation as clients may chose not to use the features.


H.235v2/3

• Builds up from H.235 and offers enhanced encryption as well as:– Annex D: Shared secrets and keyed hashes

– Annex E: Digital signatures on every message

– Annex F: Digital signatures and shared secret establishment

• Is it required?


What about Session Initiation Protocol (SIP)?

• SIP Offers HTTP Digest Authentication– Based on a challenge-response system– Replaces HTTP Basic Authentication so that the

password is not sent in the clear!

• S/MIME can be used to enable public key distribution as well as authentication and integrity protection– Authentication (and Integrity) of signaling data– Confidentiality of signaling data


SIP Security With TLS

• TLS: Successor of SSL protects SIP signaling (integrity, confidentiality, replay)

• Only works with TCP based SIP signaling• Must be configured hop-by-hop between

user agents and proxies or between proxies

• Provides key management with mutual authentication and secure key distribution


SIP Security

• Besides TLS, SIP also supports:– HTTP Digest– IPSec (With IKE)– IPSec (With manual key exchange)– S/MIME

• Be aware of bidding down attacks


SRTP

• Secure Real-time Transport Protocol– A “profile” of RTP offers confidentiality,

authentication, and replay protection– Encrypts Payloads– Independent of the key management system– Independent of the RTP stack chosen– Can use AES– Hardware Crypto Support, although it was

designed with low computational requirements.


SRTP Audit Points

• Keep these things in mind:– How are the encryption keys distributed?

• Pre-Shared• Public Key• Diffie-Hellman Key Exchange using Public Key• Diffie-Hellman Key Exchange using Pre-Shared Secret

– Is it only being used for encryption or also integrity and replay-attack protection?


What I’m Seeing…

• Default administration accounts

• Ineffective encryption (It may be AES, but not in use at key points)

• Web-Server interfaces (It may be easier for the admin and the bad-guys!)

• DHCP and TFTP Server Spoofing and Insertion Attacks


What I’m Seeing

• Random responses to invalidly formatted or excessive packets

• Security mechanisms susceptible to “bidding-down” attacks

• Firewalls that require just a bit of “tuning” to disable that service that isn’t required or the ports that can be closed


What’s in my toolbox?

• In order to perform a technical based review, you’ll need some tools:– Sniffers– Injectors– Vulnerability Scanners

• Some important documents from the ITU, NIST, ETSI, and most importantly, equipment vendors!


Network Sniffers

• Empirix Hammer Call Analyzer

• VoIP Specific

• Great for beginners through advanced users

• Very expensive


VoIP Sniffers Also Do Call Analysis


Network Sniffers

• Ethereal

• Requires more work to decode the packets and review traffic

• It’s Open Source, it’s free, and it’s supported through a large user community


Network Traffic Injectors

Available From:http://www.komodia.com/

Great Packet Crafting Tool


SiVus


SiVus


Other tools: VoIPong


Cain and Abel


Various Documents


Additional Resources

• National Institute of Standards and Technology: Security Considerations for Voice Over IP Systems: http://csrc.nist.gov/publications/nistpubs/

• Empirix Call Analyzer: http://www.empirix.com/Empirix/Network+IP+Storage+Test/

• SiVus at VoP Security: http://www.vopsecurity.org/

• IETF/ITU Documents• ETSI Tiphon Documents• J. Halpern, “IP Telephony Security in Depth”, Cisco


VoIP Summary

• Know your stuff! Or hire those that do!– VoIP technology is still evolving and is very

complex!• It’s more than just voice traffic on an IP network• Look for everything you would look for with a

standard infrastructure assessment and you’ll knock out a lot of the “common” audit findings.

• Watch mis-configurations on VoIP. Understand the configurations. What looks good may not be.– (It usually isn’t!)


Contact Information

Lucent TechnologiesBell Labs Innovations

Lucent Technologies Inc.Room 1B-237A101 Crawfords Corner RoadHolmdel, NJ 07733Phone: +1.732.949.3408E-mail: [email protected]

George McBrideSenior Manager

Lucent Worldwide Services

• Please contact me with any questions, comments, complaints, or new developments.