Nicolas FISCHBACH
Senior Manager, IP Engineering/Security - COLT Telecom
[email protected] - http://www.securite.org/nico/
Voice over IP (VoIP) security
PacSec.JP/core04
version 1.0

© 2004 Nicolas FISCHBACH

Introduction
» Voice over IP and IP telephony
» Network convergence
  > Telephone and IT
  > PoE (Power over Ethernet)
» Mobility and Roaming
» Telco
  > Switched -> Packet (IP)
  > Closed world -> Open world
» Vendors and Time to Market
» Security and privacy
  > IPhreakers
  > VoIP vs 3G

Architecture : protocols
» Signaling
  > User location
  > Session
    - Setup
    - Negotiation
    - Modification
    - Closing
» Transport
  > Encoding, transport, etc.

Architecture : protocols
» SIP
  > IETF - 5060/5061 (TLS) - “HTTP-like, all in one”
  > Proprietary extensions
  > Protocol becoming an architecture
  > “End-to-end” (between IP PBX)
    - Inter-AS MPLS VPNs
    - Transitive trust
  > IM extensions (SIMPLE)
» H.323
  > Protocol family
  > H.235 (security), Q.931+H.245 (management), RTP, CODECs, etc.
  > ASN.1

Architecture : protocols
» RTP (Real Time Protocol)
  > 5004/udp
  > RTCP
  > No QoS/bandwidth management
  > Packet reordering
  > CODECs
    - old: G.711 (PSTN/POTS - 64Kb/s)
    - current: G.729 (8Kb/s)

Architecture : network
» LAN
  > Ethernet (routers and switches)
  > xDSL/cable/WiFi
  > VLANs (data/voice+signaling)
» WAN
  > Internet
  > VPN
    - Leased line
    - MPLS

Architecture : network
» QoS (Quality of service)
  > Bandwidth
  > Latency (150-400ms) and Jitter (<<150ms)
  > Packet loss (1-3%)

Architecture : systems
» Systems
  > SIP Proxy
  > Call Manager/IP PBX
    - User management and reporting (HTTP, etc)
    - Off-path with IP
  > H.323: GK (GateKeeper)
  > Authentication server (Radius)
  > Billing servers (CDR/billing)
  > DNS, TFTP, DHCP servers

Architecture : systems
» Voice Gateway (IP-PSTN)
  > Gateway Control Protocols
  > Signaling: SS7 interface
    - Media Gateway Controller. Controls the MG (Megaco/H.248). SIP interface
    - Signaling Gateway. Interface between MGC and SS7. MxUA, SCTP - ISUP, Q.931
  > Transport
    - Media Gateway: audio conversion

Architecture : firewall/VPN
» Firewall
  > “Non-stateful” filtering
  > “Stateful” filtering
  > Application layer filtering (ALGs)
  > NAT / “firewall piercing”
    - (H.323 : 2xTCP, 4x dynamic UDP - 1719,1720)
    - (SIP : 5060/udp)
» Encrypted VPN
  > SSL/TLS
  > IPsec
  > Where to encrypt (LAN-LAN, phone-phone, etc) ?
» Impact on QoS
» What is IPv6 going to change ?

Architecture : phones
» IP phones
  > Softphone or Hardphone ?
  > “Toaster”
    - Updates/patches
    - Intelligence
  > Intelligence removed from the network and put on the end device
  > Flows between the phone and other systems
    - SIP
    - RTP
    - (T)FTP
    - CRL
    - etc.

Architecture : example
[Diagram: example architecture spanning internet, LAN, IP VPN (MPLS) and PSTN; two IP PBXs, a voice gateway (VGW) and GSM; SIP and POTS links; voice and signaling flows shown separately]

Other phone networks
» POTS/PSTN [TDM]
» “Wireless”/DECT phone
» GSM
» Satellite
» Signaling (SS7)

Attacks
» IPhreakers
  > IP knowledge
  > Known weaknesses
  > Evolution 2600Hz -> voicemail/int’l GWs -> IP telephony
  > Internal or external threat ?
  > Targets: home user, enterprise, government, etc ?
» Protocol implementations
  > PROTOS
» The human element

Attacks : denial of service
» Denial of service
  > Network
  > Protocol (SIP INVITE)
  > Systems / Applications
  > Phone
» Availability (BC/DR)
  > Requires: power
  > Alternatives (Business Continuity/Disaster Recovery) ?
  > E911 (laws and technical aspect)
  > GSM
  > PSTN-to-GSM

Attacks : fraud
» Call-ID spoofing
» User rights takeover
  > Fake authentication server
» Effects
  > Access to voicemail
  > Value added numbers
  > Social engineering
  > Replay

Attacks : interception
» Interception
  > Discussion
  > “Who talks with who”
    - Network sniffing
    - Servers (SIP, CDR, etc)
» LAN
  > Physical access to the LAN
  > ARP attacks
  > Unauthenticated devices (phones and servers)
  > Different layers (MAC address, user, physical port, etc)

Attacks : interception
» Where to intercept ?
  > Where is the user located ?
  > Networks crossed ?
» Lawful Intercept
  > CALEA
  > ETSI standard
  > Architecture and risks

Attacks : systems
» Systems
  > Mostly none is hardened by default
  > Worms, exploits, Trojan horses

Attacks : phone
» (S)IP phone
  > Startup
    - DHCP, TFTP, etc.
  > Physical access
    - Hidden configuration tabs
  > TCP/IP stacks
  > Firmware/configuration
  > Trojan horse/rootkit

Defense
» Signaling: SIP
  > Secure SIP vs SS7 (physical security)
» Transport: Secure RTP (with MIKEY)
» Network: QoS [LLQ] (and rate-limit)
» Firewall: application level filtering
» Phone: signed firmware
» Identification: TLS
  > Clients by the server
  > Servers by the client
» 3P: project, security processes and policies
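Added example (not from the slides): a defender-side detector for the SIP INVITE flood listed under denial of service, implementing the per-source rate limit mentioned under Defense. It counts distinct Call-IDs per source inside a sliding window, so the normal UDP retransmissions of a single INVITE are not mistaken for a flood; the log line format, addresses and Call-IDs are constructed for this example.

```python
import re
from collections import defaultdict, deque

# Constructed sample of SIP requests as a proxy might log them, one per line:
# "<seconds> <source-ip> <method> <Call-ID>". Lines are assumed time-ordered.
# Addresses, Call-IDs and the line format are invented for this example.
SAMPLE_LOG = [
    "0.0 10.0.0.5 INVITE c1@10.0.0.5",
    "0.5 10.0.0.5 INVITE c1@10.0.0.5",  # UDP retransmission, same Call-ID
    "1.5 10.0.0.5 INVITE c1@10.0.0.5",  # second retransmission
] + [
    # flood: eight INVITEs with distinct Call-IDs inside 0.7 s
    f"{2.0 + 0.1 * i:.1f} 192.0.2.7 INVITE f{i}@192.0.2.7" for i in range(8)
] + [
    "2.8 10.0.0.9 REGISTER r1@10.0.0.9",  # not an INVITE, ignored
    "30.0 10.0.0.5 INVITE c2@10.0.0.5",   # legitimate second call, much later
]

LINE_RE = re.compile(r"^(?P<t>[\d.]+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<cid>\S+)$")


def detect_invite_floods(lines, window=10.0, max_new_calls=5):
    """Return {source: time_first_flagged} for every source that starts more
    than max_new_calls distinct calls (Call-IDs) within any `window` seconds.
    Retransmitted INVITEs carrying an already-seen Call-ID count once."""
    seen = set()                 # (source, Call-ID) pairs already counted
    recent = defaultdict(deque)  # source -> timestamps of new calls in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "INVITE":
            continue
        t, src, cid = float(m["t"]), m["src"], m["cid"]
        if (src, cid) in seen:
            continue             # retransmission of a call already counted
        seen.add((src, cid))
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()          # slide the window forward
        if len(q) > max_new_calls and src not in flagged:
            flagged[src] = t     # rate limit exceeded: candidate for blocking
    return flagged


if __name__ == "__main__":
    print(detect_invite_floods(SAMPLE_LOG))  # → {'192.0.2.7': 2.5}
```

The threshold and window are tuning knobs; in a real deployment they would be set from the observed call-setup rate of legitimate phones behind the proxy.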

Conclusion
» Conclusion
» Other presentations
  > Backbone and Infrastructure Security
    - http://www.securite.org/presentations/secip/
  > (Distributed) Denial of Service
    - http://www.securite.org/presentations/ddos/
» Q&A

Image: www.shawnsclipart.com/funkycomputercrowd.html