Secured IP telephony

Secured IP telephony. 2Secured IP Telephony. © 2008 Aastra Communications, Ltd. Agenda »ToIP : risks ? »Security analysis »Bests practices »Security in


Agenda

» ToIP : risks ?
» Security analysis
» Best practices
» Security in the Aastra 5K solution
» Engineering


ToIP : risks

TDM versus ToIP

» TDM = dedicated solution without any link to the IS/IT infrastructure
– Generally not covered by the company's security policy
– Few applications
– High availability level (> 99.99%)

» ToIP
– Shared "transport" network : the IP network
– Deep interaction with the IS/IT solution :
  ToIP is part of the company processes
  ToIP projects are managed by IS/IT managers

>> ToIP is part of the security policy of all companies

Which risks ?

» Call listening-in
– With a TDM solution, physical access to the wiring closet or to the PSTN access (with a sensor) is needed
– No physical access needed with ToIP

» Service degradation : DoS (Denial of Service) or DDoS (Distributed DoS) attacks
– Potential vulnerability to viruses or worms
– New threats from the network world (ex : SPIT = SPAM on unified messaging)
– TDM solution availability = 99.998% !

» Fraudulent use of resources
– Same risks as legacy telephony : rights bypassing / abusive calls

Phreaking : example of attack on legacy telephony

» Attacks on access equipment
– Phreaking : scanning of numbers, toll-free numbers
– Voice messaging equipment
– Free telephony

» Inappropriate use of facilities
– Call forwarding for listening-in and extra billing, resale of telephony resources on the black market, advertising messages, harm to the enterprise image…

» Denial of service
– Busy lines, call forwarding to voicemail

>> ToIP is concerned by such attacks too

Hacking : example of attack on IP protocols

» Signaling protocols subject to packet injection and listening (UDP = spoofing)
» Network sniffing : classic network analysis to obtain information
» DoS on the signaling flow : bad programming and saturation
» Playing with protocol requests : SIP CANCEL, SIP BYE
» Eavesdropping by capturing the RTP flow (e.g. with Ethereal)
» TFTP and DHCP attacks : bad configuration used to gain access…

>> ToIP is concerned by such attacks too

Phreaking and hacking in real life

» Attack on a VoIP provider to steal minutes
» ~1 M$ of damage
» The attack could have been prevented if « best practices » had been respected.


Security approach

Objectives = CIA + P

» Confidentiality
– No illegal listening / illegal access to the directory

» Integrity
– Services cannot be created, changed, or deleted without authorization

» Availability
– Protection mechanisms guarantee the availability of the service

» Proof (Audit)
– Log of actions / CDR

Equipment

» Confidentiality, Integrity, Availability, and Proof (audit) apply to every equipment class

[Figure: equipment matrix, common infrastructure versus equipment dedicated to ToIP]
– Network : routers, switches, LAN, WAN (level 2 & 3)
– System : network servers (Windows, Unix...)
– ToIP : terminals, applications, gateways, call server (IP, ISDN)
– Management : management and remote access interfaces

End to end security (1/2)

GLOBAL APPROACH

[Figure: overall architecture : call server, servers & applications, gateway, legacy phones, WiFi & DECToIP, IP phone and CTI on the LAN; remote management, remote working / mobility, SOHO and SIP trunk across the WAN and the Internet; RTC/RNIS (PSTN/ISDN) access; signaling flows]

End to end security (2/2)

» Same level of protection
– On all equipment
– On all software layers
– End to end

[Figure: protocol stack : physical layer; datalink (Ethernet, ATM); network (IP); transport (TCP, UDP); application layer (RTP, operating system)]


Best practices

ToIP security elements have to be reliable

» Correct end to end integration has an impact on security devices :
– Risks : security level adapted to the security policy
– Architecture : easy integration in the existing infrastructure
  Evolution of existing security devices
  Integration with the existing data infrastructure
– Performance : quality of voice is a key factor and should not depend on network load
– Rules : flow control should be easy to implement (firewall, proxy, SBC, ...)

>> Security has to be transparent for telephony services

Converged network & security : respect of best practices

» Electrical protection adapted to ToIP security prerequisites
– UPS and battery
– Emergency generator

» LAN/WAN design adapted to ToIP security prerequisites in terms of availability
– Core network redundancy (power supply, CPU)
– L2 redundancy : STP, rapid STP, multiple STP, 802.3ad + proprietary
– VRRP, routing
– Critical provider accesses

Converged network & security : respect of best practices

» Voice flow isolation
– VLAN creation : broadcast limitation and voice flow isolation
– Definition of rules for inter-VLAN filtering
  On router or L3 switch (ACL, VLAN ACL)
  On firewall

» Some network services become critical :
– Ex : switches, DHCP server(s), TFTP/FTP server(s)

» Limit and control access to resources
– Call server
– Applications
– Deactivation of unused services

Converged network & security : example : VLAN ACL

» Objective :
– Prevent ICMP and TCP flooding DoS attacks

» The current generation of switches allows ACLs (Access Control Lists) to be defined inside a VLAN (VLAN ACL)

» IP phones talk to each other only with UDP

» Example of ACL implementation in the ToIP phone VLAN :
– Block TCP and ICMP between IP phones

[Figure: LAN with an ACL in the ToIP VLAN, only UDP permitted between phones; attack : ICMP flooding in the voice VLAN]

Converged network & security : example : limitation of the number of MAC addresses per port

» Objective :
– Prevent the CAM overflow attack, which saturates the switch CAM table with ARP requests carrying different MAC addresses

» The current generation of switches allows the number of MAC addresses per port to be limited

» Example : limit to 2 MAC addresses per port
– MAC address of the phone
– MAC address of the PC

[Figure: LAN with switch ports that allow only 2 MAC addresses per port; attack : ARP flooding (different MAC addresses) with a frame creation tool]

Converged network & security : example : limitation of rogue DHCP servers

» Objective :
– Prevent a rogue DHCP server on the network

» The current generation of switches allows some ports to be forbidden from delivering DHCP Offers

» Example
– Forbid DHCP Offers on phone ports

[Figure: LAN with the data DHCP server and the voice DHCP server on ports that allow DHCP Offer, and phone ports that block DHCP Offer; attack : rogue DHCP server on the LAN]
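The three switch-level controls of the last three examples (UDP-only VLAN ACL between phones, MAC address limit per port, DHCP Offer blocked on phone ports) can be modelled as one ordered policy. The following is an added illustration, not Aastra code and not a real switch configuration: VLAN ids, port names, MAC addresses and the sample frames are all constructed, and the order of the three checks is an assumption of this model.

```python
from dataclasses import dataclass, field

VOICE_VLAN = 100                  # assumption: voice VLAN id
DATA_VLAN = 200                   # assumption: data VLAN id
MAX_MACS_PER_PORT = 2             # phone + the PC behind it, as on the slide
DHCP_SERVER_PORT = 67             # DHCP Offers are sent from UDP port 67
TRUSTED_DHCP_PORTS = {"Gi0/24"}   # uplink towards the voice and data DHCP servers


@dataclass
class Frame:
    in_port: str
    src_mac: str
    vlan: int
    proto: str          # "udp", "tcp", "icmp" or "arp"
    src_port: int = 0
    dst_port: int = 0
    note: str = ""      # label for the constructed sample, not a frame field


@dataclass
class SwitchPolicy:
    learned: dict = field(default_factory=dict)   # port -> set of MACs seen

    def check(self, f: Frame) -> str:
        """Return 'forward', or 'drop: <reason>' for a rejected frame."""
        # 1. Port security: at most MAX_MACS_PER_PORT source MACs per port,
        #    so a flood of forged MACs cannot overflow the CAM table.
        macs = self.learned.setdefault(f.in_port, set())
        if f.src_mac not in macs:
            if len(macs) >= MAX_MACS_PER_PORT:
                return f"drop: mac-limit exceeded on {f.in_port}"
            macs.add(f.src_mac)
        # 2. DHCP protection: a DHCP Offer is only accepted from the ports
        #    where the real DHCP servers live, never from a phone/PC port.
        if (f.proto == "udp" and f.src_port == DHCP_SERVER_PORT
                and f.in_port not in TRUSTED_DHCP_PORTS):
            return f"drop: dhcp offer from untrusted port {f.in_port}"
        # 3. VLAN ACL: phones only ever talk UDP (signaling + RTP) to each
        #    other, so anything else inside the voice VLAN is dropped.
        if f.vlan == VOICE_VLAN and f.proto != "udp":
            return f"drop: {f.proto} not permitted in voice vlan"
        return "forward"


def run(frames):
    """Evaluate frames in order against one fresh policy; return (note, verdict) pairs."""
    policy = SwitchPolicy()
    return [(f.note, policy.check(f)) for f in frames]


# Constructed sample traffic (MAC addresses and ports are made up)
SAMPLE = [
    Frame("Gi0/1", "00:08:5d:aa:00:01", VOICE_VLAN, "udp", 16384, 16384, "phone RTP"),
    Frame("Gi0/1", "00:1c:42:bb:00:02", DATA_VLAN, "tcp", 51000, 80, "PC web traffic behind the phone"),
    Frame("Gi0/1", "de:ad:be:ef:00:03", DATA_VLAN, "arp", 0, 0, "third MAC on the phone port (ARP flood)"),
    Frame("Gi0/5", "00:08:5d:aa:00:05", VOICE_VLAN, "icmp", 0, 0, "ICMP flood in voice VLAN"),
    Frame("Gi0/7", "00:1c:42:bb:00:07", DATA_VLAN, "udp", 67, 68, "rogue DHCP offer"),
    Frame("Gi0/24", "00:50:56:cc:00:24", DATA_VLAN, "udp", 67, 68, "legitimate DHCP offer from uplink"),
]

if __name__ == "__main__":
    for note, verdict in run(SAMPLE):
        print(f"{note:45} {verdict}")
```

The policy is stateful only for the MAC limit: the first two addresses seen on a port are learned, the third is dropped, which is exactly what the "2 MAC addresses per port" example relies on. The DHCP check keys on the server-side UDP port rather than on the VLAN, so a rogue server plugged into any access port is stopped regardless of the VLAN it sits in.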

Converged network & security : LAN design

» Filtering by protocol/port and/or IP address
– Inter-VLAN routing rules on L3 device
– ACL on switch
– Stateful firewall
» Number of MAC addresses limited per port
» All traffic except RTP is forbidden between phones
» DHCP protection
» Authentication and encryption : SSL, sRTP, TLS
» IDS / IPS (Intrusion Detection / Prevention System)

[Figure: LAN design : a logical function (layer 3 switches, routers and/or firewalls) providing filtering and communication between VLANs, with IDPS and FW; separate L2 VLANs for call server & gateways, telephony applications, data applications, phones, PCs and data endpoints, admin; MAC filtering and limiting, no DHCP Offer, authentication & ciphering at L2]

Converged network & security : high level architecture

[Figure: high level architecture : the global approach figure with the security measures placed on it : firewall and encryption on remote management; firewall for the remote worker; secure CTI; hardened servers & applications; VPN and VLANs; secure mobility for WiFi & DECToIP; SIP trunk; legacy phones and gateway on RTC/RNIS]

Converged network & security : WAN design

» Protect ToIP resources :
– Voice applications & call server in a DeMilitarized Zone (DMZ)
– Filtering rules

» Virtual Private Network (VPN) managed by the enterprise or the provider
– Encryption
– Authentication
– Proof

» QoS

[Figure: WAN design : common LAN (VLANs), telephony DMZ with the voice applications, firewall, VPN with QoS towards remote sites (ToIP or ToIP+Data)]

Converged network & security : remote workers

» Secure access to enterprise resources (firewall, VPN concentrator, UTM)

» Virtual Private Network (VPN) managed by the enterprise or the provider
– Encryption
– Authentication
– Proof

» QoS should be a main concern (especially with ADSL access)

[Figure: the WAN design figure with IPSec client-to-site + softphone and IPSec site-to-site + IP phone for remote workers, through the firewall]

Converged network & security : remote management

» Secure access to enterprise resources (firewall, VPN concentrator, UTM)

» Virtual Private Network (VPN) managed by the enterprise or the provider
– Encryption
– Authentication
– Proof

» Use secure protocols (ex : HTTPS)

[Figure: the WAN design figure with IPSec client-to-site access through the firewall for remote management]


Security in Aastra solution

Aastra 5000 : security management everywhere

[Figure: security measures by layer : endpoints, applications, management ; server, LAN, firewall, IDS/IPS ; best practices]
– SSO
– SIP Digest (MD5)
– Active Directory
– Radius (AAA)
– 802.1x (EAP-MD5)
– Windows session (NTLM, Kerberos)
– HTTPS (TLS)
– Protected applications
– OS hardening
– HA
– Encryption

Aastra 5000 : securisation, high availability

» Aastra 5000 CS : service without any interruption
– Secured hardware Stratus®
– Spatial redundancy with communications not cut

» Aastra IPBX/MGW
– Specific and secured hardware
– Power supply safety using battery
– CPU and power supply redundancy

» « Local survivability » on Aastra IPBX/MGW (services kept)
– Short or external numbering
– Voice guides, announcements
– Transfers, callbacks, alternate, multi-lines, monitoring of extensions
– Profile of the user

[Figure: primary A5000CS and secondary A5000CS with A5K CC, signaling over the WAN to the switch, IPBX/MGW and IP/SIP phones]

Availability of ToIP service : local call handling on gateway (ex : WAN failure) : dual homing

1. Nominal mode : managed by the main call servers
2. WAN failure
3. Subscription to the local gateway
4. Dual homing mode : call server function on the gateway

[Figure: main site with the A5000 server and its provider, WAN, remote site with a Gateway X Series (max 500 IP phones on the gateway), IP phones secured by the gateway, local provider access; R5.1B]

Availability of ToIP service : local call handling on gateway : dual homing

» Same level of services (except access to centralized resources) :
– Short or external numbering
– Voice guide, music
– Call forward, call back, alternate, multi-line, supervision
– User profile

» No break of communications during failover (except if the call transits through the WAN)
» No restart of the gateway in case of remote disconnection
» Integrated CDR buffer to save CDRs (tickets) and send them to the CDR server
» Configuration synchronization from A5k towards the gateway :
– Periodic download of the configuration each day for each set

R5.1B

Availability of ToIP service : local call handling on gateway

» L2 tagging (802.1p/q) and L3 (ToS field, Diffserv) available on all phones

» Call Admission Control embedded in Aastra software on the whole call server & gateway/iPBX range
– QoS does not prevent IP link overloading
– Aastra CAC prevents overloading of WAN links with limited bandwidth
  Codec negotiation in relation to the load of the links
  In case of overload, fallback mechanism : rerouting by the voice carrier for instance (RTC/RNIS)
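The two CAC behaviours named above, codec negotiation against the remaining link capacity and fallback to the carrier when nothing fits, can be shown with a small admission controller. This is an added example, not Aastra's CAC: the voice budget, call sequence and codec preference order are constructed, and the per-call bandwidth is derived from the standard packetisation figures (payload rate, 20 ms packets, 40 bytes of IP/UDP/RTP headers) without layer-2 overhead.

```python
IP_UDP_RTP_HEADER_BYTES = 40   # 20 IP + 8 UDP + 12 RTP per packet; L2 framing not counted

# codec -> (payload bit rate in kbit/s, packetisation interval in ms)
CODECS = {
    "G.711": (64, 20),
    "G.729": (8, 20),
}


def call_bandwidth_kbps(codec: str) -> float:
    """IP bandwidth of one direction of a call, headers included."""
    rate_kbps, ptime_ms = CODECS[codec]
    packets_per_second = 1000 / ptime_ms
    payload_bytes = rate_kbps * 1000 / 8 * ptime_ms / 1000
    return (payload_bytes + IP_UDP_RTP_HEADER_BYTES) * 8 * packets_per_second / 1000


class WanLink:
    """Voice budget of one WAN link; the CAC decides call by call."""

    def __init__(self, name, voice_budget_kbps, preference=("G.711", "G.729")):
        self.name = name
        self.budget = voice_budget_kbps
        self.preference = preference      # best quality first
        self.used = 0.0
        self.calls = {}                   # call id -> codec admitted

    def admit(self, call_id):
        """Pick the best codec that still fits the remaining budget;
        otherwise hand the call to the carrier route (RTC/RNIS)."""
        for codec in self.preference:
            needed = call_bandwidth_kbps(codec)
            if self.used + needed <= self.budget:
                self.used += needed
                self.calls[call_id] = codec
                return ("voip", codec)
        return ("fallback", "RTC/RNIS")

    def release(self, call_id):
        """Free the bandwidth of a finished call."""
        self.used -= call_bandwidth_kbps(self.calls.pop(call_id))


def scenario():
    """Constructed run: a 200 kbit/s voice budget, e.g. a small site's ADSL link."""
    link = WanLink("remote-site to HQ", voice_budget_kbps=200)
    decisions = [link.admit(f"call-{i}") for i in range(1, 5)]
    link.release("call-1")
    decisions.append(link.admit("call-5"))
    return decisions


if __name__ == "__main__":
    for number, decision in enumerate(scenario(), 1):
        print(number, decision)
```

With a 200 kbit/s budget the first two calls get G.711 (80 kbit/s each), the third is negotiated down to G.729 (24 kbit/s) because G.711 no longer fits, the fourth does not fit even in G.729 and is rerouted over RTC/RNIS, and once the first call ends the fifth is admitted in G.711 again. The point the slide makes is visible here: QoS marking alone would not have stopped the fourth call from degrading the other three; only the admission decision does.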

Secured IP phones : embedded features (1/2)

» Authentication to the A5k software : phone # & PIN code for log-in / log-out
» Authentication to network access : 802.1X or MAC address
» Integrated switch
– Voice flow tagged in the voice VLAN
– Data flow tagged in the data VLAN
» Optional communication (voice) encryption on SIP 675xi & 53xxIP or I7xx

R5.1B
R5.2

Secured IP phones : embedded features (2/2)

» Self admin on 67xxi & 53xxIP :
– Password
– Automatic log-out after idle state
» User profile is on AM7450
» Firmware OS is specific : no known virus
» Secure firmware update

Secured IP phones : focus 802.1x

» Objective :
– Secured access to the LAN via IP phone authentication (EAP-MD5)
– Relay of 802.1x requests from the PC connected to the integrated switch

[Figure: 802.1x exchange : 1 authentication request EAP-MD5 (802.1x) from the phone; 2 check of login + password on the authentication server (Radius) backed by LDAP; 3 rights; 4 authorization; 5 OK; 6 OK = authenticated connection (DHCP, RTP…); transparent relay + EAP-Logoff for the PC behind the phone]

Secured communications : ToIP encryption

» VoIP encryption
– Encryption based on AES 128 bits
– From the A5k server, encrypted diffusion of … to : gateways, IP phones I7xx (at each beginning of call), IP phones 53xxIP
– Key defined by the administrator on the A5k server
– Systematic encryption, codec negotiation based on CAC & support of encryption on devices
– Indication of the encrypted state of the communication on the terminal

R5.2

[Figure: A5000 at the centre; encryption between gateways, between IP phone & gateway, between IP phones]

Secured management

» Integrated Web Manager = Aastra Management Portal (HTTPS / TLS)
– Secured access by login/password
– Different rights :
  Rights for iPBX configuration
  Rights for directory management (web based)
  Rights to manage user phones
– Log of accesses

» Aastra Management 7450 (AM7450) :
– Rights management / administrator
– Management flows are encrypted
– Gateway and server are authenticated

Secured management

» Configuration management :
– Backup / restore of user profiles on AM7450
– Automated backup/restore of CS and GTX configurations
– Automated backup of CS and GTX logs & inventory of active elements
– Configuration audit : numbering plan
– Inventory of IP phones, directory #

M7450 R2.1

Aastra 5000 - OS

» Linux community
» Customised and ruggedized Linux OS (OS hardening), no direct access to it
» Unused services are not available : only a few accessible (open) ports

A5k software

» User profile :
– Class of service
– Ex : discrete listening rights, call forwards, ...
– Access discrimination
– Multi-tenant with filtering between companies (multicompany)
– User password

» Call logging :
– Via CDR & CDR application server
– Performance analysis
– Cut-off of communications after a certain time (parameter)
– Business code

Aastra Communication Portal : secured access

The software

» Secured access to the whole Aastra Communication Portal application via SSO (Single Sign On)
» User authentication via Windows Active Directory login/password
» Unified user and password management through Windows Server
» Native security and mobility
– Windows login/password
– Virtual desking or free seating (login-logout) from Aastra IP phones

Aastra Communication Portal : secured access

[Figure: SSO exchange : 1 authentication login/password Windows; 2 check of login + password on the Windows Server; 3 Windows session is open, ACP is launched (login : Bob, tel : 5656); 4 NTLM authentication; 5 ; 6 search of user Bob & applications/rights; 7 VTI request for number 5656 to the Aastra 5000, access OK; 1* 802.1x (optional) + authentication login/password; * requests not detailed on the schemes]

Aastra applications : antivirus support

» Antivirus support on Aastra applications : highly advised
– Respect the prerequisites (cf. LCI)

» ACP
– Scans and updates authorized during idle state (night)
– Scanning of logs not permitted

» UCP
– Directory D:/ not scanned
– Updates during idle state

SIP and security

» MD5 authentication of Aastra SIP phones
» Digest Access Authentication (RFC 2617) via MD5 on the SIP trunk :
– Crossed authentication VoIP provider <-> Aastra 5k
» Embedded Session Border Controller (SBC) for support of NATed environments

[Figure: Aastra Com Server and Session Border Controller behind the firewall, WAN towards the voice ISP; MD5 authentication in both directions]
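The RFC 2617 Digest check the slide refers to is the same on the phone side and on the trunk: the registrar answers a REGISTER with a nonce, the client returns MD5(HA1:nonce:HA2), and the server recomputes it from a stored HA1. The code below is an added illustration, not Aastra's implementation: realm, nonce, extension number and PIN are constructed, and the nonce store is a plain set where a real registrar would also expire and count nonces.

```python
import hashlib
import hmac
import re

REALM = "aastra.example"                              # constructed realm
DEMO_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"     # constructed server nonce
ISSUED_NONCES = {DEMO_NONCE}                          # nonces the registrar handed out


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 'MD5' algorithm without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, password, method, uri, nonce, realm=REALM):
    """What the phone sends back after the 401 challenge (client side)."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def parse_authorization(header: str) -> dict:
    """Split the key=value pairs of an Authorization header (quoted or bare values)."""
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header)
    return {key: quoted if quoted else bare for key, quoted, bare in pairs}


# Registrar credential store: HA1 per user, never the clear password
USERS = {"6501": md5_hex(f"6501:{REALM}:s3cret-pin")}


def verify_register(header: str, method: str = "REGISTER") -> bool:
    """Server side check of a REGISTER: known user, our realm, a nonce we
    issued, and a response equal to the one derived from the stored HA1."""
    p = parse_authorization(header)
    ha1 = USERS.get(p.get("username"))
    if ha1 is None or p.get("realm") != REALM or p.get("nonce") not in ISSUED_NONCES:
        return False
    ha2 = md5_hex(f"{method}:{p.get('uri', '')}")
    expected = md5_hex(f"{ha1}:{p['nonce']}:{ha2}")
    # constant-time comparison so the check leaks nothing about the expected value
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    hdr = build_authorization("6501", "s3cret-pin", "REGISTER", "sip:aastra.example", DEMO_NONCE)
    print(hdr)
    print("accepted:", verify_register(hdr))
```

Two things worth keeping in mind when reading the slide's "Auth. MD5" labels: Digest proves knowledge of the password without sending it, but it encrypts nothing, so the SIP dialogue and the RTP it sets up still rely on the TLS and sRTP measures listed in the LAN design; and the server-side nonce check is what turns a captured Authorization header into a useless replay, which is why the nonce must be the server's and fresh.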

Security and wireless solutions

» Aastra DECToIP
– Radio DECT technology natively secured (authentication, encryption)
– QoS integrated in the RFP : L2 (802.1p/q) & L3 (Diffserv)

» WiFi terminal Aastra 312i
– WPA2 support with PSK authentication (Pre-Shared Key) for better performance
– QoS has to be implemented on the network infrastructure (example : mapping SSID / VLAN)
– Light AP solution needed

Checkphone partnership

» Check of the integrity of communications :
– Detection of illegal use of telephony resources
– Differential analysis between configurations
  Example : gain of privileges

» Analysis and filtering : IDPS probe on TDM & IP/SIP trunks
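The "differential analysis between configurations" with privilege gain as the example can be shown on two exports of user profiles. The following is an added example, not the Checkphone product or Aastra's export format: the snapshot layout (extension;class of service;rights), the class-of-service names and their ranking, the list of sensitive rights and the sample extensions are all constructed.

```python
from dataclasses import dataclass

# Classes of service from least to most privileged (constructed names);
# moving to a higher rank between two snapshots is a privilege gain.
COS_RANK = {"internal": 0, "local": 1, "national": 2, "international": 3}
# Rights whose appearance on a profile has to be matched to a change ticket.
SENSITIVE_RIGHTS = {"discrete_listening", "external_forward", "trunk_access"}


@dataclass(frozen=True)
class Profile:
    extension: str
    class_of_service: str
    rights: frozenset


def parse_snapshot(text: str) -> dict:
    """Parse 'extension;class_of_service;right1|right2' lines (constructed
    export format) into a dict keyed by extension."""
    profiles = {}
    for line in text.strip().splitlines():
        ext, cos, rights = line.strip().split(";")
        profiles[ext] = Profile(ext, cos, frozenset(r for r in rights.split("|") if r))
    return profiles


def privilege_gains(before: dict, after: dict) -> list:
    """Differential analysis: one (extension, finding) per gain found in
    'after' relative to 'before'. Unchanged or downgraded profiles are silent."""
    findings = []
    for ext, new in after.items():
        old = before.get(ext)
        if old is None:
            findings.append((ext, f"new extension, class {new.class_of_service}"))
            continue
        if COS_RANK[new.class_of_service] > COS_RANK[old.class_of_service]:
            findings.append((ext, f"class of service raised {old.class_of_service} -> {new.class_of_service}"))
        for right in sorted((new.rights - old.rights) & SENSITIVE_RIGHTS):
            findings.append((ext, f"sensitive right gained: {right}"))
    return findings


# Constructed snapshots of the user profiles, taken a day apart
BEFORE = """
5656;national;
5657;internal;
5658;local;external_forward
"""
AFTER = """
5656;national;discrete_listening
5657;international;
5658;local;external_forward
5699;international;trunk_access
"""

if __name__ == "__main__":
    for ext, finding in privilege_gains(parse_snapshot(BEFORE), parse_snapshot(AFTER)):
        print(ext, finding)
```

Run on the two constructed snapshots it reports three things: extension 5656 gained discrete listening, 5657 moved from internal to international calling, and 5699 appeared with trunk access. Extension 5658, whose external forwarding right was already present in the baseline, produces nothing, which is the point of diffing against a reviewed baseline rather than scanning a single export.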


Engineering rules

QoS

» QoS on the LAN : its implementation depends on network load
– 802.1p/q tagging
– Guaranteed bandwidth for the voice flow
– Use of the different queues of the switches : voice flow forwarded with priority

» QoS on the WAN : recommended
– L3 tagging following the Diffserv model & ToS (type of service) field of the IP header
– L2 & L3 QoS have to be coherent
– L2 & L3 QoS mapping & MPLS class of service (ex : mapping VLAN <-> class of service)

» Aastra Call Admission Control :
– Load limited "a priori" on links, fallback mechanism in case of congestion
– Embedded on all Aastra equipment

SNEC tool

» SNEC (Succession Network Engineering Configuration)
» Complete engineering tool used during the presales phase
– Traffic modelling
– Quality of voice
– Bandwidth and network planning
– End to end validation
» Version 2 integrates new features :
– VPN : IPSec, L2TP, PPTP
– xDSL links

Encrypted VoIP : performance

» No impact on voice communication (delay…)
» Some constraints linked to processing

Tools

» Ports (TCP/UDP) used in Aastra solutions
– http://support.nexspan.net/mkg/mcdfr/
» SNEC tool (bandwidth, jitter, delay, …)
– SNEC http://support.nexspan.net/mkg/mcdfr/
» Technical information (supported antivirus, configuration) :
– http://support.nexspan.net/support/lci/lci.php?l=fr
» Patch management
– http://support.nexspan.net/extra/Support/patch/index.php?lang=fr&target