A Survey of VoIP Security Practices in Higher Education - PowerPoint PPT Presentation

About This Presentation
Title:

A Survey of VoIP Security Practices in Higher Education

Description:

A Survey of VoIP Security Practices in Higher Education. H. Morrow Long, Director, Information Security, Yale University. Security Professionals Conference Session.

Slides: 63
Provided by: netEduca
Learn more at: http://net.educause.edu
Transcript and Presenter's Notes

1
A Survey of VoIP Security Practices in Higher
Education
  • H. Morrow Long
  • Director, Information Security
  • Yale University
  • Security Professionals Conference Session
  • Wednesday, April 11, 2007, 3:15 p.m. - 4:15 p.m.

2
Introductions
3
Overview
  • This presentation will discuss a survey and
    informal poll of the current campus network VoIP
    security practices and products in higher
    education on both wired and wireless networks.

4
Agenda
  • Introduction
  • What is VoIP?
  • VoIP Threats
  • VoIP Security Checklists
  • VoIP Effective Practices in Higher Ed
  • Survey of VoIP Security in Academia
  • Discussion and Questions

5
VoIP Security Goes Mainstream
  • In 2006, VoIP Security entered the SANS Top 20
    for the first time
  • http://www.sans.org/top20/n1
  • N1: VoIP Servers and Phones

6
VoIP Security Flaws Go Mainstream
  • 2006 VoIP Security vulnerabilities
  • Asterisk: CVE-2006-2898, CVE-2006-4345,
    CVE-2006-4346, CVE-2006-5444
  • Cisco Call Manager: CVE-2006-0368, CVE-2006-3594
  • VoIP Phones: CVE-2005-3717, CVE-2005-3722,
    CVE-2005-3723, CVE-2006-0305, CVE-2006-0374,
    CVE-2006-0834, CVE-2006-5038

7
VoIP Security Flaws Go Mainstream
  • 2007 VoIP Security vulnerabilities
  • Asterisk: CVE-2007-1306
  • Cisco Call Manager / IOS / PIXOS: CVE-2007-0648,
    SA24180/cisco-sa-20070214-fwsm,
    SA24179/cisco-sa-20070214-pix
  • VoIP Phones: CVE-2007-1072, CVE-2007-1062,
    CVE-2007-1063

8
What is VoIP?
  • Voice over IP
  • IP Telephony
  • Converged Data/Voice Networking
  • Unified Messaging

9
What is VoIP?
  • 2 Major Protocols
  • H.323
  • SIP / SIPS
  • Popular Internet VoIP
  • Proprietary
  • Skype
  • Vonage
  • Other
  • Zfone/ZRTP (Phil Zimmermann)
  • Internet Standards related to VoIP Security
  • IPSEC
  • SSL/TLS
  • SRTP (RFC3711)

10
H.323 and SIP
  • The 2 Major (Local and Enterprise) VoIP
    Protocols
  • H.323
  • SIP
  • Both protocols
  • Are hard (but not impossible) to firewall
  • Were not designed for security
  • Use separate signaling and media (content)
    channels
  • Use dynamic ports
  • Were not designed to be NAT friendly (embed IP
    addresses inside signaling/control information)
  • But H.323 is more like ISO X. protocols (uses
    ASN.1/PER) and SIP is more like Internet
    FTP/SMTP/HTTP/NNTP.

11
H.323
  • Older protocol than SIP, implemented earlier
  • ITU Umbrella Standard - built of other H stds
  • First VoIP std to use RTP
  • Interoperates with ISDN PBX systems
  • Used by several voice and videoconferencing
    systems
  • Built into NetMeeting, other commercial and open
    source programs available
  • GNU Gatekeeper - accounting/authorization/NAT
    traversal/H.323 proxy/H.235 security

12
H.235 Security
  • H.235 provides security for H.323
  • Optionally nine security profiles can be used to
    apply one or more of six security services
    (authentication, nonrepudiation, integrity,
    confidentiality, access control, key management)
    to H.225, H.245 and RTP traffic.

13
Skinny - Cisco H.323
  • Skinny is Cisco's lightweight proprietary
    version of H.323.
  • SCCP is the acronym for Skinny Client Control
    Protocol.
  • It is a lower overhead control protocol between
    the client and Call Manager.

14
SIP - Session Initiation Protocol
  • Overtaking H.323 on LANs - many clients.
  • Created 1996. SIP 2.0 defined in RFC 2543
    (1999) -- refined in RFC 3261 (2002).
  • Lightweight, text-based protocol run on top of
    UDP or TCP (e.g. port 5060) - mod P2P model.
  • Uses HTTP-style status codes and email addresses.
  • Interoperates with XMPP IM (Jabber)
  • STUN and newer TURN enable SIP through NAT using
    public Internet servers.
  • Uses other protocols: SDR, RTP, MGCP, RTSP.
  • Can be stateful/less, client/server or P2P.

15
SIP/RTP Architecture
Credit: Practical VoIP Security, Syngress
16
SIPS - Secure SIP
  • Secure SIP is a security mechanism defined by SIP
  • RFC 3261 (2002) defines Secure SIP -- a security
    mechanism using TLS (Transport Layer Security) to
    send SIP messages over an encrypted channel.
  • Fairly new, competes with IPSEC, VPNs, SRTP --
    often referred to as SIP with TLS -- used when
    IPSEC is overkill or SIP proxies must be used.

17
SRTP
  • Adds message encryption, authentication,
    integrity and replay protection to RTP
  • Sister to SRTCP (Secure RTP Control Proto)
  • SRTP/SRTCP encryption, authentication and
    integrity are independent and can be disabled
    (Null encryption).
  • Single Cipher (AES), 2 modes (counter and
    feedback modes)
  • External Key mgt (ZRTP, Mikey, ...)
  • Credit: http://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol

18
SRTP Interoperability
  • Hard IP Phones
  • Avaya, Cisco, Ericsson (TLS), Siemens, Linksys,
    Snom (TLS)
  • Soft IP phones
  • Gizmo, Kphone, Snom360 (TLS), minisip (TLS)
  • Hard IP PBX - Alcatel and Ericsson
  • Soft-IP-PBX - Asterisk (SIP and H.323) and pbxnsip
  • SBC (Session Border Ctrlr) / SIP Firewall
  • Covergence (SIP and H.323)
  • InGate (SIP aware firewall)
  • Credit: http://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol

19
Zfone/ZRTP
  • Created/driven by Phil Zimmermann
  • 2nd attempt (after PGPfone)
  • Designed to work with current SIP phone programs
    (via plug-ins).
  • Zfone is the program.
  • ZRTP is an extension to RTP (Real-time Transport
    Protocol) providing secure real-time transport to
    secure sessions (SIP, H.323, etc.) already
    established.
  • Keys are transmitted and managed outside the std
    signaling.
  • Protection against MitM (man in the Middle)
    attacks.

20
Skype
  • Peer to Peer Model
  • Supernodes route traffic for other calls
  • Can be blocked and bandwidth managed
  • Outlawed at some institutions
  • Proprietary strong encryption
  • Non-CALEA compliance?

21
More VoIP Terminology
  • Presence (R U there?)
  • Convergence (Data and Voice Synergy)
  • Voice Messaging
  • Unified Messaging Systems

22
More VoIP Acronyms
  • ACD: Automatic Call Distribution (Call Ctr)
  • IVR: Interactive Voice Response
  • ICE: Interactive Connectivity Establishment
  • RSVP: Resource Reservation Protocol
  • RTSP: Real Time Streaming Protocol
  • SDP: Session Discovery Protocol
  • STUN: Simple Traversal of UDP through NAT
  • TLS: Transport Layer Security (a la SSLv3)
  • TURN: Traversal Using Relay NAT
  • TTS: Text-to-speech server

23
Non-Cyber Security-related VoIP Issues
  • 911 - where does 911 ring?
  • E-911 - need to provide location information?
  • Emergency access -
  • during network or power outages
  • Use Power-over-Ethernet (PoE AKA IEEE 802.3af)
    cabling
  • Provide at least the minimum number of land lines
    per room (e.g. or as required by law)

24
PBX System Components
  • PSTN
  • Endpoints (Phones, Faxes, Modems.)
  • Lines (e.g. Station lines)
  • Trunks
  • Remote PBXes
  • Adjuncts (VM, ACD, IVR, ...)
  • CDR (Call Detail Recording)
  • Voice/PBX Firewalls

25
VoIP System Components
  • Media Gateways -- e.g. to PSTN/PBXes
  • Endpoints (User Agents): softphones,
    IM/Video/VoIP/ATA (Analog Telephone Adapter)
  • Media Servers (VM, ACD, IVR, TTS, VC)
  • H.323 Gatekeepers
  • SIP Registration, Redirect Servers
  • SIP Proxy Servers
  • Firewalls/ALGs

26
VoIP Threats
  • VoIP Networks have many of the same threats to
    security, privacy and reliability as data
    networks do, but they also bring in the problems
    of the telephone system and have some special
    threats all their own.
  • Converged networks can combine threats from the
    data and VoIP world -- making the new network
    less secure (in the opinion of some).
  • Data network people are afraid VoIP
    infrastructure will weaken the security of their
    data network and the voice/telecom people feel
    the same about data / IP networks.

27
Other VoIP Architectures
  • Skype
  • IAX
  • H.248
  • Microsoft Live Communication Server 2005 (MLCS)
  • TLS between client and server
  • Mutual TLS server-to-server

28
VoIP vs. PSTN
  • Remember that POTS telephones have little
    security -- ordinary phone conversations are not
    encrypted and can be tapped or eavesdropped.
  • You can actually have better security using VoIP
    IF you use strong encryption (and a good
    implementation).

29
VoIP Threats
  • DDoS / DoS Attacks
  • ICMP Flood (e.g. pings) to Phone or Call Mgr
  • Unauthorized Access
  • Toll Fraud
  • Voicemail hacking
  • Eavesdropping (Call and/or Control)
  • Call Hijacking
  • Application Level Attacks
  • Credit: Juniper Networks

30
IP Network Threats
  • Ethernet, IP and DNS address spoofing
  • ARP and DNS Cache Poisoning
  • Quantity-based packet flooding
  • Stack DoS attacks
  • VLAN jumping
  • QoS / prioritization attacks

31
Organizing VoIP Threats
  • Standard IP Network Threats
  • (to the CIA triad)
  • C - Confidentiality
  • I - Integrity
  • A - Availability

32
Organizing VoIP Threats
  • Advanced IP Network Issues/challenges
  • (triple A)
  • A - Authentication
  • A - Authorization
  • A - Accounting

33
Application-Specific VoIP Threats
  • Phone spoofing - registering a SIP client with
    someone else's identifier (no auth.).
  • A successful attack would cause the similarly
    registered phone to ring when someone called the
    legitimate owner of the number.
  • Credit: Jeremy George, Yale University

34
Threat to Confidentiality
  • Programs exist to listen to SIP and other VoIP
    streams (and record them).
  • It is possible to capture packets on switched
    networks (by overflowing ARP tables, poisoning
    ARP caches, etc.).
  • Encryption should be used but has side effects
    on latency and on sound quality (packetization and
    compression chunking can lead to clipped staccato
    speech).

35
Application-Specific VoIP Threats
  • Caller-ID / ANI Spoofing (faking source )
  • Trivial to do -- don't trust Caller-ID -- OK to
    screen w/
  • Credit: Jeremy George, Yale University

36
Threat to Integrity
  • It is possible to hijack sessions.
  • It is possible to modify voice over IP streams.
  • Once again, use encryption (or at least
    cryptographic integrity checks) to prevent this.

37
Application-Specific VoIP Threats
  • MitM spoofing
  • CALEA is a legit application of this.
  • DoS attacks are known immediately by
    communicating parties
  • Call content is neither overheard nor
    compromised.
  • Some proxies have logic in them that identifies a
    likely DoS attack and discards those packets (ask
    your vendor!).
  • Encryption is the best protection against MitM
    spoofing.
  • Credit: Jeremy George, Yale University

38
Threats to Availability
  • Quality of Service (QoS) problems
  • Latency - time for traffic to go from source to
    destination (one-way and round-trip). 150ms is
    Max RTT for PSTN. VoIP at 400ms is at outer
    limit of tolerable range.
  • Jitter - variability in latency and out-of-order
    packet arrival times. Buffering can help here.
  • Packet Loss - results in gaps in communication.

39
Application-Specific VoIP Threats
  • Special DoS (Denial of Service) attacks
  • high volume flood of SIP INVITEs
  • high volume flood of SIP REGISTER commands
  • Control Packet / Call Data Floods
  • Packet Replay / Injection / Modification
  • Credit: Jeremy George, Yale University
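
One way to spot the INVITE and REGISTER floods listed on this slide is a per-source sliding-window count over SIP request lines. This is an added example, not part of the original presentation; the window, threshold, addresses and host names are assumptions chosen for illustration, and the events are constructed.

```python
import re
from collections import defaultdict, deque

# RFC 3261 request line: METHOD SP Request-URI SP SIP/2.0
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0$")
WATCHED = {"INVITE", "REGISTER"}


def detect_floods(events, window=10.0, threshold=20):
    """events: time-ordered (epoch_seconds, source_ip, first_line_of_sip_message).
    Returns {(source_ip, method): peak_count} for every source whose request
    count inside any `window`-second span exceeded `threshold`."""
    recent = defaultdict(deque)   # (src, method) -> timestamps still in window
    alerts = {}
    for ts, src, line in events:
        m = REQUEST_LINE.match(line.strip())
        if not m or m.group("method") not in WATCHED:
            continue              # skip responses ("SIP/2.0 180 ...") and other methods
        key = (src, m.group("method"))
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def sample_events():
    """Constructed capture: one normal phone and one flooding source."""
    events = []
    # 192.0.2.10 re-registers once a minute and places a call each time.
    for i in range(5):
        events.append((i * 60.0, "192.0.2.10", "REGISTER sip:pbx.example.edu SIP/2.0"))
        events.append((i * 60.0 + 5, "192.0.2.10", "INVITE sip:4321@pbx.example.edu SIP/2.0"))
        events.append((i * 60.0 + 5.2, "192.0.2.10", "SIP/2.0 180 Ringing"))
    # 198.51.100.7 sends 50 INVITEs in about 5 seconds.
    for i in range(50):
        events.append((100.0 + i * 0.1, "198.51.100.7", "INVITE sip:4321@pbx.example.edu SIP/2.0"))
    return sorted(events)


if __name__ == "__main__":
    for (src, method), peak in detect_floods(sample_events()).items():
        print(f"ALERT {src}: {peak} {method} requests within 10 s")
```

The threshold has to be tuned per site: a SIP proxy or a phone behind a shared NAT address legitimately sends far more requests than a single handset.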

40
Application-Specific VoIP Threats
  • BID attacks on SIPS
  • Get SIPS devices to downgrade to ordinary SIP
  • Credit: Jeremy George, Yale University

41
Application-Specific VoIP Threats
  • Rogue SIP Proxies
  • Impersonate a proxy to a User-Agent
  • Credit: Practical VoIP Security, Syngress

42
VoIP Security Checklist
  • Practical VoIP Security high level short list
  • Create, publish and enforce security policies.
  • Practice rigorous physical security.
  • Verify user identities.
  • Actively monitor logs, firewalls and IDSes.
  • Logically segregate data and voice traffic.
  • Harden OSes.
  • Encrypt whenever and whatever you can.

43
VoIP Security Checklist
  • Juniper Best Practices Security Measures
  • 1. Maintain Current Patch Levels
  • 2. Install a Good Anti-Virus System and Update it
    Regularly
  • 3. Apply State-of-the-Art Intrusion Detection and
    Prevention Systems
  • 4. Install Application-Layer Gateways between
    Trusted and Untrusted Zones.
  • 5. Enforce SIP security by means of
    Authentication, Authorization and IPSec
  • 6. Establish Policy-Based Security Zones to
    Isolate VoIP Segments.
  • 7. Run VoIP Traffic on VPNs to Minimize
    Eavesdropping Risk on Critical Segments.
  • 8. Use VLANs to Prioritize and Protect Voice
    Traffic from Data Network Attacks
  • 9. Apply Encryption Selectively
  • 10. Protect Against UDP Flooding
  • 11. Develop a Holistic Security Program

44
Metagroup Checklist
  • IP Telephony-Specific Security Features
  • The Call Control Server
  • Harden/Strip down OS.
  • Use secure OS.
  • Authenticate and authorize all user and device
    access to servers.
  • Require strong authentication for all
    configuration and software upgrades.
  • Should support app level signaling message auth.
  • Should support call setup info encryption.

45
Metagroup Checklist
  • IP Telephony-Specific Security Features
  • The Voice Gateway
  • Require strong authentication for all
    configuration and software upgrades.
  • Provide DoS protection on IP interface.
  • Should be configured to route calls only via the
    call control server.
  • Secure OS w/anti-virus AND host-based IDS.
  • Should support call setup info and media (voice
    content) encryption.
  • Should support a media (voice content) protocol
    authentication on a per-packet basis.

46
Metagroup Checklist
  • IP Telephony-Specific Security Features
  • The IP Phone
  • Must authenticate itself to the call control
    server or a proxy server upon initial
    registration
  • Must support strong authentication for any remote
    configuration and software upgrades.
  • Should support a configurable access control list
    to control any incoming traffic (e.g. H.323/SIP,
    RTP, HTTP, FTP, DHCP).
  • When supporting an additional Ethernet port for
    PC connectivity, should have this implemented via
    a switching function combined with VLAN
    functionality.
  • Should support encryption of both call setup
    info and media as needed. Using encryption can
    add an additional end-to-end delay on each media
    packet.

47
VoIP Security Checklist
  • Detailed and Specific list
  • Use a separate VLAN with 802.1p/q QoS w/priority
    VLAN tagging for the VoIP network.
  • Use a private (RFC1918) IP network for the VoIP
    LAN.
  • Use NAT and/or proxies to hide internal
    addresses.
  • Use a firewall (packet filtering or ALG) to
    protect and connect the VoIP network to the data
    IP network.
  • Use an IDS or IPS to examine the traffic allowed
    through the firewall (may be built into the
    firewall).
  • Use TLS to protect SIP and SRTP to protect RTP.
  • Use NAC, 802.1X and RADIUS auth, and a SIP-aware FW.

48
Listservs and Newsgroups
  • EDUCAUSE Security Discussion Listserv
  • http://www.educause.edu/SecurityDiscussionGroup/979
  • VOIPSA Best Practices Working Group
  • http://www.voipsa.org/Activities/bestpractices.php
  • VOIPSA Best Practices WG List: http://voipsa.org/mailman/listinfo/bestpractices_voipsa.org
  • NIST Publication Mailing list
  • http://csrc.nist.gov/compubs-mail.html

49
VoIP Security Effective Practices in Higher Ed
  • One anonymous school
  • Uses separate VLAN, L2 switches and RFC1918 IP
    addresses for VoIP network.
  • Provides separate connections (and bandwidth) to
    each building with VoIP.
  • Softphones can participate from regular campus
    LAN (aren't required to use a 2nd NIC on the VoIP
    network).

50
VoIP Security Effective Practices in Higher Ed
  • A 2nd anonymous school
  • Has enterprise Polycom gateways (a bunch of them)
    that have priority in QoS on the routers.
  • Allows traffic via ports inbound on the above
    routers for this legit traffic.
  • Doesn't restrict H.323.
  • Blocks SIP and Vonage because they don't open the
    inbound ports.
  • Packet8 and other SIP applications which use STUN
    work fine (because of tunneling).
  • Skype is a problem (particularly Supernodes at
    times).

51
VoIP Higher Ed Security Survey
52
VoIP Higher Ed Security Survey
53
VoIP Higher Ed Security Survey
54
VoIP Higher Ed Security Survey
55
VoIP Higher Ed Security Survey
56
VoIP Higher Ed Security Survey
57
Which VoIP Security mechanisms don't you use?
VoIP Higher Ed Security Survey
  • Use H.235 for H.323 security profiles (for H.225,
    H.245 and RTP traffic).
  • Use SIPS (Secure SIP - RFC3261 - SIP over TLS).
  • Don't allow SRTP with null cipher (e.g. don't
    allow use of SRTP for just authentication).
  • Use zRTP for key management.
  • Use Mikey for key mgt/exchange.
  • Use SDES for key exchange.
  • Use SRTCP for authentication.
  • Use SRTCP for encryption.
  • IPSEC to secure MGC (Media Gateways/Controllers)
    communication.
  • Use of separate physical LAN(s) for VoIP for
    segregation from data IP network.
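
The checklist item "Use TLS to protect SIP and SRTP to protect RTP" and the survey item above about not allowing SRTP with a null cipher can both be checked on a captured INVITE. The following is an added example, not part of the original presentation: it assumes SDES keying (a=crypto attributes, RFC 4568) and well-formed messages, and the two sample INVITEs, their host names and key strings are constructed placeholders.

```python
# SDES session parameters (RFC 4568) that switch off SRTP/SRTCP protection.
WEAKENING = {"UNENCRYPTED_SRTP", "UNENCRYPTED_SRTCP", "UNAUTHENTICATED_SRTP"}

def audit_invite(message):
    """Return a list of findings for one SIP INVITE that carries an SDP offer."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    findings = []
    # Signaling: a sips: Request-URI requires TLS on each hop (RFC 3261).
    method, uri, _version = lines[0].split(" ", 2)
    if not uri.lower().startswith("sips:"):
        findings.append(f"signaling: {method} Request-URI is not sips:")
    via = next((l for l in lines[1:] if l.lower().startswith(("via:", "v:"))), "")
    if "/TLS" not in via.upper():
        findings.append("signaling: top Via transport is not TLS")
    # Media: group a=crypto attributes under the m= line they belong to.
    sections = []
    for line in sdp.split("\n"):
        if line.startswith("m="):
            media, _port, proto = line[2:].split()[:3]
            sections.append({"media": media, "proto": proto, "crypto": []})
        elif line.startswith("a=crypto:") and sections:
            parts = line[len("a=crypto:"):].split()
            if len(parts) >= 3:      # tag, crypto-suite, key-params[, session-params]
                sections[-1]["crypto"].append(parts)
    for s in sections:
        if "SAVP" not in s["proto"]:
            findings.append(f"media {s['media']}: {s['proto']} is unprotected RTP")
        elif not s["crypto"]:
            findings.append(f"media {s['media']}: no usable a=crypto attribute")
        for tag, suite, _key, *params in s["crypto"]:
            weak = sorted(WEAKENING.intersection(params))
            if weak:
                findings.append(f"media {s['media']}: crypto {tag} ({suite}) sets {', '.join(weak)}")
    return findings

# Constructed sample messages; hosts, branch values and keys are placeholders.
WEAK_INVITE = """\
INVITE sip:bob@example.edu SIP/2.0
Via: SIP/2.0/UDP phone1.example.edu:5060;branch=z9hG4bK-constructed-1

v=0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEY UNENCRYPTED_SRTP
m=video 51372 RTP/AVP 31
"""
HARDENED_INVITE = """\
INVITE sips:bob@example.edu SIP/2.0
Via: SIP/2.0/TLS phone1.example.edu:5061;branch=z9hG4bK-constructed-2

v=0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEY
"""

if __name__ == "__main__":
    for name, msg in (("weak", WEAK_INVITE), ("hardened", HARDENED_INVITE)):
        print(name, audit_invite(msg) or "no findings")
```

SDES keys travel in the SDP body, so the media findings only mean something when the signaling findings are empty: an a=crypto key sent over plain SIP is readable by anyone who can see the INVITE.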

58
VoIP Higher Ed Security Survey
Which VoIP Security mechanisms don't you use?
  • Use of IPS between VoIP network and data IP
    network.
  • Use of IDS between VoIP network and data IP
    network.
  • Use NAC (network access control) such as 802.1X
    and RADIUS to authenticate hard phones.
  • Softphones require the use of the separate VoIP
    network (physical LAN, VLAN, subnet address,
    etc.) from the data IP network.
  • Softphones are allowed with IPSEC transport mode.
  • Softphones are allowed with IPSEC VPNs.
  • Use NAC (network access control) such as 802.1X
    and RADIUS to authenticate hard phones.
  • Allow NAT traversal via STUN or TURN Internet
    proxies.
  • Provide separate dedicated bandwidth for VoIP
    traffic to the Internet.

59
Wrap-Up
  • Question and Answer
  • Session Evaluation Feedback

60
Contact Info
  • H. Morrow Long
  • morrow.long_at_yale.edu
  • Security.yale.edu

61
Credits
  • Cisco - Configuring SIP High Availability
    Applications, http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/vvfax_c/callc_c/sip_c/sipha_c/hachap2.htm
  • Jeremy George, Yale University, SIP.edu
    Cookbook - Security Considerations, http://mit.edu/sip/sip.edu/security.shtml
  • Deb Shinder, 2006/12/1: Make a SIP-based VoIP
    network more secure, http://articles.techrepublic.com.com/5100-1035_11-6145231.html?partrsstagfeedsubjtr
  • Deb Shinder, 2007/1/7: Take a multi-layered
    approach to VoIP security, http://articles.techrepublic.com.com/5100-1035_11-6145231.html?partrsstagfeedsubjtr
  • Jose J. Valdes, Jr., Colorado State University
    Voice over Internet Protocol (VoIP) Security,
    Net_at_Edu Conference, ICS Wireless Group Meeting,
    Tempe, Arizona, February 6, 2005

62
Credits
  • Practical VoIP Security by Larry Chaffin, Jan
    Kanclirz, Jr., Thomas Porter, Choon Shim, Andy
    Zmolek, Syngress, March 2006
  • Wikipedia (pages on H.323, SIP, SRTP, ZRTP,
    Zfone, etc.)