
Telephony, VoIP

Table of Contents

Telephony / VOIP
Voice over Internet Protocol (VoIP) Architectures
Parts of a VoIP Implementation -1
Parts of a VoIP Implementation -2
Parts of a VoIP Implementation -3
Parts of a VoIP Implementation -4
VoIP Protocols
VoIP Protocol – H.323
Diagram of an H.323 Implementation
SIP – Session Initiation Protocol
VoIP Protocol – H.323
SIP – Session Initiation Protocol
SIP Network Servers
SIP Network Servers in Action
VoIP Protocol Types -1
VoIP Protocol Types -2
VoIP Security Considerations -1
VoIP Security Considerations -2
Notices


Telephony / VOIP

**191 Instructor: I'd like to talk to you about telephony. In particular, we're going to focus our attention on VOIP. And the reason why we should talk about telephony and how it works is because well, quite frankly, as security people, and as network security people, we've inherited a lot of telephony by it being changed over to voice over IP.


Voice over Internet Protocol (VoIP) Architectures

IP centric
• System is entirely IP-based with a dedicated trunk to the PSTN

IP enabled
• End-user phones are IP-based, switching and trunks are traditional

**193 So, when we talk about voice over IP, the architectures, they are IP centric. In other words, our call communication is done IP address to IP address. It's no longer done telephone number to telephone number. But what we have to do is we have to create a dedicated trunking system that will allow us to keep that idea in our mind. Now, where we truly see voice over IP really kicking in is-- I don't know if you've seen this lately, but a lot of the websites that you pop on to say, "Would you like to chat with a representative right now?" And then there's another button that's popping up more and more often, "Would you like to have a voice communication with this person right now?" So, you've got both options. The chat is a lot more automated, a lot more cost effective for them because they can put robots in place up until the point where you ask a question that's I don't know to the robot. And then a real person can step in so they can set up those calls and get those people ready, and optimize all those people that are in that call center. When you click the voice button and you actually get somebody ringing and picking up the phone, that is very costly to the organization. So, what they say is, "Okay, we'll pay for that cost, but we won't pay for the cost of the dime to actually make the call."


Parts of a VoIP Implementation -1

IP network
• Provide underlying connectivity
• Should prioritize voice and data – latency in voice communication is more noticeable than in data communication
  — Quality of service (QoS) – specifies a priority
  — Class of service (CoS) – marks packets for compliance with QoS

**194 When we look at VoIP implementations out there, you have to know who's providing the underlying connectivity. This is your Internet service provider, which Internet service providers are really-- well, they were telephone providers for a long time. Do you, when you set up this communication, prioritize the voice and data in a way that is different than other customers? Remember, one of the problems that we run into with voice that we expect is we want nice clean communication from me to you. We want that quality of service. We want that high level communication that we've come to expect from a hundred years of communication over regular telephones. And we expect it on a cellular network. Or we expect it on our computer.


Parts of a VoIP Implementation -2

Call processor / controller

Aka, softswitch, call agent, call manager, gatekeeper
• Setup and monitoring of calls
• Authorization of users
• Provides phone features like voicemail, caller-ID
• Controls bandwidth for each call

**195 One of the pieces that we have to understand here is that there now needs to be that was replaced from old Ma Bell a call processor and a controller. Somebody has to set up our connection to the phone system from our computer. That needs to be automated. And that needs to be sent out over the wire. And then the call connection on the other side needs to be made. This used to be made by somebody actually plugging in a switch and connecting the circuit from one source to the destination. Well, that stuff's gone, but we still have to do that function because it's not immediate like it is with a lot of other technologies. Then we have to set up and monitor calls and see if that's reasonable. Are we allowed to monitor because that's a security issue depending on the country that you're in. So, we need a call agent, a call manager, and a gatekeeper. And all these functions go together to make up what is our telephony today. So, all of those concepts have now been abstracted into certain protocols and services that are being offered by the voice over IP providers. We also need to do the things that we thought we had before with the auto-attendant locally are things like voicemail and caller ID. All of that-- all of those tools need to be in place. And all that data needs to be passed up the channel on something that is a multi-use computer rather than a single use phone. We also need to check the bandwidth on this and whether we actually have enough bandwidth to support all the calls that are happening simultaneously.


Parts of a VoIP Implementation -3

Media / signaling gateway
• Interface VoIP network with public switched telephone network
• Call origination and detection
• Analog to digital conversion voice packets from analog signal

Three kinds
• Media gateway – data / voice conversion, interface with PSTN
• Signaling gateway – call signaling conversion
• Media gateway controllers – call origination and tear down

**196 Now, when we're dealing with this, we also have this media signaling issue. So, what is our interface from the VOIP network to the public switched telephone network because there are still people that still have phones at this point? How do we communicate with them? There are still people that are connecting from their cellular phones down to a physical landline. We have to have call origination and call detection. And that could be the reverse. If you've got a physical phone, and you actually pick it up and you call me, and it's actually a real phone and not washed away VOIP underneath it, if you actually can pick up that phone and call me on a rotary dial phone, at that moment in time, now we have to have that origination and detection popping back toward my side of the digital conversation. Now, there are three kinds of VOIP that are out there. Or not three kinds of VOIP, but three overall media signaling gateways that are there. It's the media gateway itself. That's where we do data and voice conversion. The signaling gateway, which is making the phone ring is what it boils down to. And the media gateway controllers, and that's call origination where it comes from, but also tearing down the circuit after we're finished because we could sit on the phone and be quiet for a really long time. And the signal still needs to be there in order for us to communicate. If we didn't have a way, and we say when there's silence on the phone, tear down the conversation, no we have to have the hang up button sending the signal to terminate this.


Parts of a VoIP Implementation -4

End user devices
• IP phone – physical device
  — Handset – traditional phone look and feel
  — Conferencing handsets – advanced features at the touch of a button
  — Wireless handsets – use WiFi to connect to network
• Soft phone – software-based “phone”
  — Any computer with speakers and a microphone

**197 The other piece of this is from an implementation standpoint, we've got two different kinds of phones that are out there, the IP phone, which is really a really small physical computer with a limited subset of buttons, and then our soft phone, which is built into our terminal or to our-- that we can install anywhere we want to. And I'm sure you've seen Skype at this point where you can call in or call out from the Skype phone. That is a phone. But now, it's all software on the machine. Now, think about this from an attack standpoint. As you're looking at all of these communications, how could we attack them? What could we do to be an adversary in this network?


VoIP Protocols

Two protocols have emerged for VoIP support.
• H.323 – proposed by the ITU
• SIP – session initiation protocol – proposed by IETF

Both define VoIP implementation, audio, video, and data.

These two are NOT compatible with each other;

AND, vendors have their own, proprietary implementations.

**198 Now, when we look at the protocols, the two major protocols are H.323 and SIP. They do not interoperate. Now, there is something called Megaco that allows them to interoperate, but that's separate from these two different protocols. So, the ITU came up with H.323. And IETF came up with SIP. Both of these have a definition for implementation of audio, video, and data. However, they do not interoperate with each other so now we need a translation tool. And that's where the Megaco kicks in.


VoIP Protocol – H.323

Standard defines terminal, gateway, gatekeeper, MCUs

Terminal – a local area network endpoint
• Communicates with other terminals, gateways, or MCUs
• Provides real-time, two-way communication (e.g., an IP phone)

Gateway – interface between VoIP and PSTN
• Provide translation between CODECs and communication formats

Gatekeeper – focal point for local area (the H.323 zone)
• Call management, signaling, authorization, bandwidth management

MCU – multi-point control unit, enables conferencing
• Interfaces multiple terminals and gateways

**199 When we talk about 323, it's designed in the ways of terminal gateway, gatekeeper, and MCU, Multipoint Control Unit. So, that's its way of dealing with VOIP.


Diagram of an H.323 Implementation

[Diagram labels: H.323 Zone containing Terminal, Terminal, MCU, Gatekeeper and Gateway; PSTN; Internet; Other SIP or H.323 Zone(s)]

**200 When we look at H.323, we can see that we've got many terminals. And then the MCU is up there. And then when we want to get out to the rest of the world, we go through a gateway to the Internet. And we use the MGCP. That's, by the way, that's that Megaco that allows us to go over the Internet to another SIP implementation at that point. I mean over to a SIP implementation from an H.323. So, the MGCP is that translation tool that allows us to communicate between them.


SIP – Session Initiation Protocol

Relies on other protocols to provide audio, video, and data

Distributed; relies on user agents and network servers

User agents
• User agent client – places calls
• User agent server – responds to call requests
• Calls require a network server for transmission

**201 When we look at SIP, it does things entirely different. It has what are called the user agents where we have the client, the server, and then the network for that transmission. So, if we go back-- let's go back just a couple slides.


VoIP Protocol – H.323


**199 Terminal gateway and gatekeeper, that's one way to do it.


SIP – Session Initiation Protocol


**201 User agent, server, and then call set up is another way to do it for


SIP Network Servers

The backbone of the SIP network
• Registration server – maintains directory of user agents within its domain
• Location server – stores user agent address and location information for multiple registration servers
• Proxy server – processes SIP requests, resolves usernames into addresses, and forwards the request to the user agent or other server
• Redirect server – performs username lookups, but requires requestor to send request to the next address

**202 It does a registration server, location server, proxy server, and redirect server. All these servers need to be in place. And you don't do all of these yourself. What happens is a lot of these things are outsourced to other organizations. You say I don't want to do any of these servers whatsoever. I just want to be able to, in my ten person business, make this phone call. Well, then you pay for those services to be supported by an external agent. Wait a minute. Didn't we do this with telephony before? Before we actually outsourced all that stuff, didn't we just call up Ma Bell and say will you take care of all this stuff for us? And the answer is yes. That's exactly who we picked up the phone and we called. Or we went to the office to actually get a phone connected to them. But all that process still exists. It's just been outsourced to a low cost bidder at this point in time.


SIP Network Servers in Action

[Diagram labels: User Agent 1, Proxy Server, Registration Server, Location Server, Proxy Server, Registration Server, User Agent 2]

**203 When we look at SIP network servers in action, we have this locational service. And that's usually the thing that is definitely outsourced to somebody else. And then most of the time, the registration servers, that's done to a regional provider or on the Internet.


The proxy server may or may not be on our site. I think that in most implementations, larger implementations, the proxy server is local. The registration server may or may not be local. But the location server is handled by very, very large organizations on the outside.


VoIP Protocol Types -1

RTP – Real-time transmission protocol
• Unicast / multi-cast streaming; no QoS guarantee

RTCP – Real-time transmission control protocol
• Monitors real-time data delivery

SRTP – Secure, real-time transmission protocol
• Adds confidentiality and message authentication to RTP
• No effect on QoS; can be used with header compression

**204 Okay, a couple of protocols that we want to pay attention to are the real time transmission protocol. And one of the key elements in this is that it has no quality of service. We've come to expect quality of service. When we pick up that phone, we want to hear that person on the other end. And we don't want to hear them breaking up. I'm sure you've all seen the Chevy Chase movie when he is a political speaker. And he's talking-- and we hear him saying that-- and he's breaking up. Well, with no quality of service, we could have that break up, and that could cause us a serious problem. Real time transmission control, that talks about the real time data delivery to make sure that it is in real time. And remember, this is going from me to you. Every one of our conversations is bidirectional at this point. And any time during our conversation, we could be theoretically talking over each other. And so, the RTCP actually addresses that. Now, we could do real time transmission over security. Now, the problem is when we add this confidentiality on here, if we're not careful about that encryption, what we get is no quality of service. But SRTP actually protects our quality of service and respects that as a component of this call. That is the real problem that we run into with VOIP is quality of service versus security. The next thing we have to ask ourselves is could somebody intercept this call and listen in. Not so much on the Internet as it's passing around, but at the end points or the compromised workstations, if I can compromise your workstation, I can record all your calls locally going in and out of your machine and then play them back for myself later on.


VoIP Protocol Types -2

ZRTP – Zimmermann real-time transmission protocol
• Key exchange using SRTP
• Uses the data stream, not the control stream, for keys
• Keys are not visible to anyone other than end-points
  — Important if intermediate devices process signaling
• Uses Diffie-Hellman algorithm
  — Keys discarded at end of call – no key management

**205 One of the other protocols that we want to pay attention to is the Zimmermann real time transmission protocol. It helps ensure communication between us is secure by addressing the key exchange issue. And it uses data streams and not control streams for the keys. So, the data stream for those keys is being passed back and forth so that our actual, our control stream will actually communicate directly and will be encrypted. Our data for setting up the call is encrypted. The actual communications may or may not be. I really like the fact that it uses Diffie-Hellman keys for the keys because then they're only used for that call. And then we reinitiate that process for our next communication.


VoIP Security Considerations -1

All Internet Protocol (IP) level threats
• Denial of Service
• Route redirection

VoIP specific threats
• Sniffing / Eavesdropping
  — Switch port mirroring
  — Packet capturing
  — ARP floods

**206 A couple of considerations that we want to pay attention to here is the IP level threats, the things that happen. Since we've commingled these two networks where we took the voice network and we put it as an application on our IP network, what could happen? Well, one of the first things that can happen is denial of service. This happens a lot with what are called DHCP exhaustion attacks. If we have a soft phone service and hard phone service where a phone can be plugged into any jack, and it says, "Hi, I'd like an IP address so that I could actually make phone calls," what can happen is it can have a rogue agent plug in and say give me all the IP addresses over and over and over again so that no calls can be made. So, denial of service is a very real fact when we have phones that can be transported throughout our network. We could also redirect those calls where we could give a client a DHCP server-- give it an IP address beyond the DHCP server and then say route your calls through here. And as we're routing them, we can do a man-in-the-middle attack and capture all of that information. Now, when we talk about VOIP by itself as a specific threat, we need to realize that sniffing and eavesdropping is a reality. Somebody could, at the port level, they could mirror all the information or span all the information from all the different ports. Or they could be particular and say I only want to see the SIP or H.323 traffic and pull all that data back, do packet capturing on it. Now, here's the really big problem that I run into is usually, as security personnel, and as network monitoring personnel, just for availability standpoint, we do packet captures all the time. And we investigate that traffic. And we look at that traffic. It is illegal in the U.S. to tap someone's phone. But the communications over regular phone lines are not encrypted. So, if it's illegal, and we, by accident, capture that as a part of our process where we say span or mirror all that traffic that's going over those ports, here let me have all this information, and I'm looking for some sort of other protocol that has nothing to do with voice, I've still captured that information. Now, it's complicating my process because now what I have to say is in my capturing, capture everything except for any kind of voice traffic. Wireshark to the rescue at this point, by the way. You can go into Wireshark and you can do a pre-capture instead of a post filter. And in that pre-capture, you can limit some traffic out. And that traffic would be your VOIP traffic going back and forth. That's for you, the good guy. Well, what about the bad guy? What can they do? Well, they don't have any rules. They say we're going to break the rules. We're trying to attack your network. What will we do? Capture that information, listen to what's going on so that-- remember when we did the IPsec section, and we called each other up, and I said the password is? Well, if I use SIP or H.323 to transmit that password thinking that it was out of band, the reality is it wasn't because the adversary is listening on there. And they caught us. And they recorded the password is the password. So, that causes us some problems, too. That's my real concern in a lot of cases is that the adversary is going to capture all this information.


VoIP Security Considerations -2

VoIP specific threats
• Rogue DHCP server
• Rogue TFTP server

**207 Last thing is a couple of VOIP specific threats, rogue DHCP servers, and rogue TFTP servers. Trivial File Transfer Protocol says when I have this hard phone that I'm plugging in that's programmable, download the particular configuration to this phone so that it will actually work. Well, I could set up my own TFTP server that downloads something that makes you communicate with me so I can do a man-in-the-middle attack before I pass it on to the other TFTP server. So, now I can capture that information. Same thing with DHCP servers, we could do an exhaustion attack where we take all the IP addresses. Or what we could do is we could hand you an IP address. By the way, the way that DHCP works is the DORA process, that's the four step process. Whoever does the offer first, if there's multiple DHCP servers, whoever does the offer first, wins. So, there are a lot of security concerns with VOIP.
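Because the first DHCP offer wins and a hard phone fetches its configuration from whatever TFTP server it is pointed at, a monitoring check can inspect DHCP OFFER messages and flag any that come from a server, or name a TFTP server, outside an allow-list. The following Python is an added example, not part of the course material; the allow-lists, the addresses (RFC 5737 documentation range) and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options
DHCP_OFFER = 2                       # option 53 value for an OFFER (the "O" in DORA)

# Assumed allow-lists for this example (constructed documentation addresses).
AUTHORIZED_DHCP = {"192.0.2.1"}
AUTHORIZED_TFTP = {"192.0.2.10"}


def parse_dhcp(payload: bytes) -> dict:
    """Extract the fields needed for rogue-server detection from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    server = opts.get(54)                              # option 54 = server identifier
    tftp = opts.get(66)                                # option 66 = TFTP server name
    return {
        "xid": struct.unpack("!I", payload[4:8])[0],   # transaction id
        "offered_ip": str(ipaddress.IPv4Address(payload[16:20])),  # yiaddr field
        "type": opts[53][0] if opts.get(53) else None,
        "server_id": str(ipaddress.IPv4Address(server))
        if server and len(server) == 4 else None,
        "tftp": tftp.rstrip(b"\x00").decode("ascii", "replace") if tftp else None,
    }


def audit_offers(payloads):
    """Return (finding, xid, detail) tuples for suspicious DHCP OFFERs."""
    findings, servers_by_xid = [], {}
    for raw in payloads:
        msg = parse_dhcp(raw)
        if msg["type"] != DHCP_OFFER:
            continue
        servers_by_xid.setdefault(msg["xid"], set()).add(msg["server_id"])
        if msg["server_id"] not in AUTHORIZED_DHCP:
            findings.append(("rogue-dhcp", msg["xid"], msg["server_id"]))
        if msg["tftp"] and msg["tftp"] not in AUTHORIZED_TFTP:
            findings.append(("rogue-tftp", msg["xid"], msg["tftp"]))
    # Two servers answering one transaction is the race the client resolves by
    # taking the first offer; redundant legitimate servers also trigger this.
    for xid, servers in servers_by_xid.items():
        if len(servers) > 1:
            findings.append(("competing-offers", xid, ",".join(sorted(map(str, servers)))))
    return findings


def build_offer(xid, offered_ip, server_id, tftp):
    """Build a constructed DHCP OFFER payload used only as sample input."""
    def packed(ip):
        return ipaddress.IPv4Address(ip).packed
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                         # op=reply, Ethernet, hlen 6
        bytes(4), packed(offered_ip), packed(server_id), bytes(4),
        bytes.fromhex("020000000001"), b"", b"",       # chaddr, sname, file
    )
    name = tftp.encode("ascii")
    options = (bytes([53, 1, DHCP_OFFER]) + bytes([54, 4]) + packed(server_id)
               + bytes([66, len(name)]) + name + b"\xff")
    return header + MAGIC_COOKIE + options


# Constructed capture: one transaction answered by two servers, one answered cleanly.
SAMPLE_OFFERS = [
    build_offer(0x1234, "192.0.2.50", "192.0.2.1", "192.0.2.10"),
    build_offer(0x1234, "192.0.2.200", "192.0.2.66", "192.0.2.66"),
    build_offer(0x5678, "192.0.2.51", "192.0.2.1", "192.0.2.10"),
]

if __name__ == "__main__":
    for finding in audit_offers(SAMPLE_OFFERS):
        print(finding)
```

On managed switches the same policy is usually enforced in the network itself by DHCP snooping, which drops offers arriving on untrusted ports; a check like this one is useful for alerting where that is not available.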

Notices

© 2015 Carnegie Mellon University

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study.

Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

This material was created in the performance of Federal Government Contract Number FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The U.S. government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. government purposes, the SEI recommends attendance to ensure proper understanding.

THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).

CERT ® is a registered mark owned by Carnegie Mellon University.
