Cutting Edge VoIP Security Issues Color - PowerPoint PPT Presentation

Description: Network and VoIP Security More Important Than Ever. Mark D. Collier, Chief Technology Officer, SecureLogix Corporation, mark.collier_at_securelogix.com. PowerPoint PPT presentation, 69 slides, provided by markco1.

Transcript and Presenter's Notes

1
Network and VoIP Security More Important Than Ever
Mark D. Collier
Chief Technology Officer
SecureLogix Corporation
mark.collier_at_securelogix.com
2
Outline
Outline
  • General Security Trends
    • Good news
    • Bad news
    • Going forward
  • Network-Based Security
  • Managed Security Services
  • Internal Application/VoIP Security

3
General Security Trends: Some Good News
Security Trends
  • Basic security measures, such as anti-virus,
    firewalls, and anti-spyware, are ubiquitously
    deployed
  • Average losses due to security breaches are up,
    but down significantly from 2001 and 2002 (*)
  • The number of incidents is down (*)
  • Incidents are being reported at a greater rate
    (*)

(*) Source: 2007 Computer Crime and Security Survey
4
General Security Trends: Some Good News
Security Trends
(*) Source: 2007 Computer Crime and Security Survey
5
General Security Trends: Some Good News
Security Trends
(*) Source: 2007 Computer Crime and Security Survey
6
General Security Trends: Some Good News
Security Trends
(*) Source: 2007 Computer Crime and Security Survey
7
General Security Trends: Some Good News
Security Trends
(*) Source: 2007 Computer Crime and Security Survey
8
General Security Trends: Some Bad News
Security Trends
(*) Source: 2007 Computer Crime and Security Survey
9
General Security Trends: Some Bad News
Security Trends
  • Signature-based detection systems are being
    pushed to the limit
  • The platforms, network, and applications are
    getting more and more complex
  • Attacks are becoming increasingly complex
  • Perimeter security has many issues
  • Security funding is a small part of IT spending:
    no more than 10% and often less than 5% (*)
  • Targeted attacks are increasing (*)

(*) Source: 2007 Computer Crime and Security Survey
10
General Security Trends: Some Bad News
Security Trends
(*) Source: 2007 Computer Crime and Security Survey
11
General Security Trends: Some Bad News
Security Trends
(*) Source: 2007 Computer Crime and Security Survey
12
General Security Trends: Going Forward
Security Trends
  • Increased deployment of Intrusion Detection and
    Prevention Systems (IDSs and IPSs)
  • Possible increase in the use of Network Admission
    Control (NAC)
  • Network-Based Security solutions are available
  • Managed Security Services solutions are available
  • Increased focus on internal application security
  • New applications such as Voice Over IP (VoIP)
    moving onto the data network

13
Network-based Security: Introduction
Network-based Security
  • Enterprise customers are deploying firewalls,
    IDSs/IPSs, AV, anti-SPAM on network edge
  • Some disadvantages
    • Expensive
    • Multiple vendors and difficult to manage
    • Does not scale well

14
Network-based Security: Introduction
Network-based Security
  • Network-based security embeds security capability
    in the network
  • Some advantages
    • Leverages security capability in the network
    • Centralized management
    • Scales better

15
Network-based Security: Advantages
Network-based Security
  • Leverages security expertise
  • Greatly assists with threat reconnaissance
  • Broad network visibility allows greater awareness
    and warning of attacks
  • The impact of major worm attacks is seen well in
    advance of when they are a threat to an
    enterprise
  • The only real solution to DoS and DDoS attacks
  • A great defense in depth approach
  • Still may need network defense and internal
    security

16
Network-based Security: Early Detection of Attacks
Network-based Security
[Diagram: attack lifecycle phases Reconnaissance, Scanning, System Access, Damage, and Track Coverage, with example activities (web-based information collection, broad network mapping, service vulnerability exploitation, DDoS zombie code installation, use of stolen accounts for attack, social engineering, targeted scan, password guessing, system file delete, log file changes); the Preventive Phase (Defense), the Reactive Phase (Defense), and the AT&T Security Service Primary Emphasis are marked along the timeline]
17
Network-based Security: DoS and DDoS Attacks
Network-based Security
[Diagram: attack traffic crossing the AT&T IP Backbone toward a targeted enterprise server]
18
Network-based Security: AT&T Offerings
Network-based Security
[Diagram: Network-Based Security Platform with functional areas Incident Management, Policy Management, Identity Management, Intrusion Management, Monitoring Mgmt, Perimeter Security, and Secure Connectivity]
  • AT&T Internet Protect
  • AT&T DDoS Defense
  • AT&T My Internet Protect
  • AT&T Private Intranet Protect
  • AT&T Network-Based Firewalls
  • AT&T Secure E-Mail Gateway
  • AT&T Web Security Services
19
Managed Security Services: Introduction
Managed Security Services
  • Managed Security Services (MSS) are a viable
    alternative to in-house security staffing
  • Leverage experienced staff, who are familiar with
    security processes and products
  • Often can be more cost effective
  • Eliminates the need to retain and train staff
  • Security assessments/audits are commonly
    outsourced

20
Managed Security Services: Enterprise Penetration
Managed Security Services
(*) Source: 2007 Computer Crime and Security Survey
21
Managed Security Services: Assessments/Audits
Managed Security Services
(*) Source: 2007 Computer Crime and Security Survey
22
Managed Security Services: AT&T Offerings
Network-based Security
  • Premises-Based Firewalls
  • Managed Intrusion Detection
  • Endpoint Security Service
  • Token Authentication

23
Application/VoIP Security
VoIP Security: Introduction
  • Despite availability of network-based security,
    managed services, and customer-premise edge
    security, securing applications is still
    important
  • Voice Over IP (VoIP) is one internal application
    that must be secured

24
Public Website Research: Introduction
Gathering Information: Footprinting
  • An enterprise website often contains a lot of
    information that is useful to a hacker
    • Organizational structure and corporate locations
    • Help and technical support
    • Job listings
    • Phone numbers and extensions

25
Public Website Research: Countermeasures
Gathering Information: Footprinting
  • It is difficult to control what is on your
    enterprise website, but it is a good idea to be
    aware of what is on it
  • Try to limit amount of detail in job postings
  • Remove technical detail from help desk web pages

26
Google Hacking: Introduction
Gathering Information: Footprinting
  • Google is incredibly good at finding details on
    the web
    • Vendor press releases and case studies
    • Resumes of VoIP personnel
    • Mailing lists and user group postings
    • Web-based VoIP logins

27
Google Hacking: Countermeasures
Gathering Information: Footprinting
  • Determine what your exposure is
  • Be sure to remove any VoIP phones which are
    visible to the Internet
  • Disable the web servers on your IP phones
  • There are services that can help you monitor your
    exposure
    • www.cyveilance.com
    • www.baytsp.com

28
Host/Device Discovery and Identification
Gathering Information: Scanning
  • Consists of various techniques used to find
    hosts
    • Ping sweeps
    • ARP pings
    • TCP ping scans
    • SNMP sweeps
  • After hosts are found, the type of device can be
    determined
    • Classifies host/device by operating system
  • Once hosts are found, tools can be used to find
    available network services

29
Host/Device Discovery: Ping Sweeps/ARP Pings
Gathering Information: Scanning
30
Host/Device Discovery: Countermeasures
Gathering Information: Scanning
  • Use firewalls and Intrusion Prevention Systems
    (IPSs) to block ping and TCP sweeps
  • VLANs can help isolate ARP pings
  • Ping sweeps can be blocked at the perimeter
    firewall
  • Use secure (SNMPv3) version of SNMP
  • Change SNMP public strings

31
Enumeration: Introduction
Gathering Information: Enumeration
  • Involves testing open ports and services on
    hosts/devices to gather more information
  • Includes running tools to determine if open
    services have known vulnerabilities
  • Also involves scanning for VoIP-unique
    information such as phone numbers
  • Includes gathering information from TFTP servers
    and SNMP

32
Vulnerability Testing: Tools
Gathering Information: Enumeration
33
Vulnerability Testing: Countermeasures
Gathering Information: Enumeration
  • The best solution is to upgrade your applications
    and make sure you continually apply patches
  • Some firewalls and IPSs can detect and mitigate
    vulnerability scans

34
TFTP Enumeration: Introduction
Gathering Information: Enumeration
  • Almost all phones we tested use TFTP to download
    their configuration files
  • The TFTP server is rarely well protected
  • If you know or can guess the name of a
    configuration or firmware file, you can download
    it without even specifying a password
  • The files are downloaded in the clear and can be
    easily sniffed
  • Configuration files have usernames, passwords, IP
    addresses, etc. in them

35
TFTP Enumeration: Countermeasures
Gathering Information: Enumeration
  • It is difficult not to use TFTP, since it is so
    commonly used by VoIP vendors
  • Some vendors offer more secure alternatives
  • Firewalls can be used to restrict access to TFTP
    servers to valid devices

36
SNMP Enumeration: Introduction
Gathering Information: Enumeration
  • SNMP is enabled by default on most IP PBXs and IP
    phones
  • Simple SNMP sweeps will garner lots of useful
    information
  • If you know the device type, you can use snmpwalk
    with the appropriate OID
  • You can find the OID using Solarwinds MIB
  • Default passwords, called community strings,
    are common

37
SNMP Enumeration: Countermeasures
Gathering Information: Enumeration
  • Disable SNMP on any devices where it is not
    needed
  • Change default public and private community
    strings
  • Try to use SNMPv3, which supports authentication

38
Network Infrastructure DoS
Attacking The Network: Network DoS
  • The VoIP network and supporting infrastructure
    are vulnerable to attacks
  • VoIP media/audio is particularly susceptible to
    any DoS attack which introduces latency and
    jitter
  • Attacks include
    • Flooding attacks
    • Network availability attacks
    • Supporting infrastructure attacks

39
Flooding Attacks: Introduction
Attacking The Network: Network DoS
  • Flooding attacks generate so many packets at a
    target that it is overwhelmed and can't process
    legitimate requests

40
Flooding Attacks: Countermeasures
Attacking The Network: Network DoS
  • Layer 2 and 3 QoS mechanisms are commonly used to
    give priority to VoIP media (and signaling)
  • Use rate limiting in network switches
  • Use anti-DoS/DDoS products
  • Some vendors have DoS support in their products
    (in newer versions of software)

41
Network Availability Attacks
Attacking The Network: Network DoS
  • This type of attack involves an attacker trying
    to crash the underlying operating system
  • Fuzzing involves sending malformed packets, which
    exploit a weakness in software
    • Packet fragmentation
    • Buffer overflows

42
Network Availability Attacks: Countermeasures
Attacking The Network: Network DoS
  • A network IPS is an inline device that detects
    and blocks attacks
  • Some firewalls also offer this capability
  • Host based IPS software also provides this
    capability

43
Supporting Infrastructure Attacks
Attacking The Network: Network DoS
  • VoIP systems rely heavily on supporting services
    such as DHCP, DNS, TFTP, etc.
  • DHCP exhaustion is an example, where a hacker
    uses up all the IP addresses, denying service to
    VoIP phones
  • DNS cache poisoning involves tricking a DNS
    server into using a fake DNS response

44
Supporting Infrastructure Attacks: Countermeasures
Attacking The Network: Network DoS
  • Configure DHCP servers not to lease addresses to
    unknown MAC addresses
  • DNS servers should be configured to analyze info
    from non-authoritative servers and drop any
    response not related to queries

45
Network Eavesdropping: Introduction
Attacking The Network: Eavesdropping
  • VoIP configuration files, signaling, and media
    are vulnerable to eavesdropping
  • Attacks include
    • TFTP configuration file sniffing (already
      discussed)
    • Number harvesting and call pattern tracking
    • Conversation eavesdropping
  • By sniffing signaling, it is possible to build a
    directory of numbers and track calling patterns
    • voipong automates the process of logging all
      calls
    • Wireshark is very good at sniffing VoIP signaling

46
Conversation Recording: Wireshark
Attacking The Network: Eavesdropping
47
Conversation Recording: Other Tools
Attacking The Network: Eavesdropping
  • Other tools include
    • vomit
    • Voipong
    • voipcrack (not public)
    • DTMF decoder

48
Network Eavesdropping: Countermeasures
Attacking The Network: Eavesdropping
  • Use encryption
    • Many vendors offer encryption for signaling
      • Use the Transport Layer Security (TLS) for
        signaling
    • Many vendors offer encryption for media
      • Use Secure Real-time Transport Protocol (SRTP)
      • Use ZRTP
      • Use proprietary encryption if you have to

49
Network Interception: Introduction
Attacking The Network: Net/App Interception
  • The VoIP network is vulnerable to
    Man-In-The-Middle (MITM) attacks, allowing
    • Eavesdropping on the conversation
    • Causing a DoS condition
    • Altering the conversation by omitting, replaying,
      or inserting media
    • Redirecting calls

50
Network Interception: ARP Poisoning
Attacking The Network: Net/App Interception
  • The most common network-level MITM attack is ARP
    poisoning
  • Involves tricking a host into thinking the MAC
    address of the attacker is the intended address
  • There are a number of tools available to support
    ARP poisoning
    • Cain and Abel
    • ettercap
    • Dsniff
    • hunt

51
Network Interception: ARP Poisoning
Attacking The Network: Net/App Interception
52
Network Interception: Countermeasures
Attacking The Network: Net/App Interception
  • Some countermeasures for ARP poisoning are
    • Static OS mappings
    • Switch port security
    • Proper use of VLANs
    • Signaling encryption/authentication
    • ARP poisoning detection tools, such as arpwatch

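As an added example (not from the deck), an arpwatch-style detector for the ARP poisoning countermeasure listed above: it builds an IP-to-MAC table from observed ARP replies and raises the change, flip-flop and multiple-IP alerts a defender would act on. The ARP replies and addresses are constructed sample data, not captured traffic.

```python
"""arpwatch-style ARP poisoning detector (added example, not from the deck).

Records the MAC currently believed for each IP from ARP replies, then alerts
on a change (a new MAC claiming a known IP), a flip-flop (an IP reverting to
an earlier MAC, typical of poisoning that stops and starts), and a single
MAC claiming several IPs. The ARP replies below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample ARP replies: (time in seconds, sender IP, sender MAC)
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),    # default gateway
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),   # IP phone
    (1.0, "10.0.0.21", "00:11:22:33:44:21"),   # IP phone
    (5.0, "10.0.0.1", "00:AA:BB:CC:DD:EE"),    # gateway IP claimed by another MAC
    (5.1, "10.0.0.20", "00:aa:bb:cc:dd:ee"),   # same MAC now claims the phone's IP
    (9.0, "10.0.0.1", "00:11:22:33:44:01"),    # real gateway answers again (flip-flop)
]


class ArpWatcher:
    def __init__(self):
        self.current = {}                     # ip -> MAC currently believed
        self.history = defaultdict(set)       # ip -> every MAC ever seen for it
        self.ips_by_mac = defaultdict(set)    # mac -> IPs it has claimed
        self.multi_reported = set()           # MACs already reported for multiple IPs
        self.alerts = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()                     # normalise so case differences do not hide a match
        known = self.current.get(ip)
        if known is not None and known != mac:
            kind = "flip flop" if mac in self.history[ip] else "changed ethernet address"
            self.alerts.append(f"{ts}: {kind} {ip} {known} -> {mac}")
        self.current[ip] = mac
        self.history[ip].add(mac)
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1 and mac not in self.multi_reported:
            self.multi_reported.add(mac)      # one NIC answering for many hosts, report once
            self.alerts.append(f"{ts}: {mac} claims multiple IPs {sorted(self.ips_by_mac[mac])}")


def analyze(replies):
    """Feed ARP replies in time order and return the alerts raised."""
    watcher = ArpWatcher()
    for ts, ip, mac in replies:
        watcher.observe(ts, ip, mac)
    return watcher.alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_ARP_REPLIES):
        print(alert)
```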
53
Attacking The Application
Attacking The Application
  • VoIP systems are vulnerable to application
    attacks against the various VoIP protocols
  • Attacks include
    • Fuzzing attacks
    • Flood-based DoS
    • Signaling and media manipulation

54
Fuzzing: Introduction
Attacking The Application: Fuzzing
  • Fuzzing describes attacks where malformed packets
    are sent to a VoIP system in an attempt to crash
    it
  • Research has shown that VoIP systems, especially
    those employing SIP, are vulnerable to fuzzing
    attacks
  • There are many public domain tools available for
    fuzzing
    • Protos suite
    • Asteroid
    • Fuzzy Packet
    • NastySIP
    • Scapy
    • SipBomber
    • SFTF
    • SIP Proxy
    • SIPp
    • SIPsak

55
Fuzzing: Commercial Tools
Attacking The Application: Fuzzing
  • There are some commercial tools available
    • Beyond Security BeStorm
    • Codenomicon
    • MuSecurity Mu-4000 Security Analyzer
    • Security Innovation Hydra
    • Sipera Systems LAVA tools

56
Fuzzing: Countermeasures
Attacking The Application: Fuzzing
  • Make sure your vendor has tested their systems
    for fuzzing attacks
  • Consider running your own tests
  • A VoIP-aware IPS can monitor for and block
    fuzzing attacks

57
Flood-Based DoS
Attacking The Application: Flood-Based DoS
  • Several tools are available to generate floods at
    the application layer
    • rtpflood generates a flood of RTP packets
    • inviteflood generates a flood of SIP INVITE
      packets
    • SiVuS, a GUI tool that enables a variety of
      flood-based attacks
  • Virtually every device we tested was susceptible
    to these attacks

58
Flood-Based DoS: Countermeasures
Attacking The Application: Flood-Based DoS
  • There are several countermeasures you can use for
    flood-based DoS
    • Use VLANs to separate networks
    • Use TCP and TLS for SIP connections
    • Use rate limiting in switches
    • Enable authentication for requests
    • Use SIP firewalls/IPSs to monitor and block
      attacks

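As an added example (not from the deck), the rate-based monitoring a SIP firewall/IPS applies against the INVITE floods described on the previous slide, feeding the rate-limiting countermeasure above: it counts INVITEs per source IP over a sliding window and reports sources whose peak exceeds a threshold. The log records and the record format are constructed for the example, not any product's real log.

```python
"""Rate-based SIP INVITE flood detector (added example, not from the deck).

Counts INVITEs per source IP in a sliding time window and reports sources
whose peak exceeds a threshold, the trigger for rate limiting or blocking.
Log lines are constructed sample data in an assumed simplified format:
"<seconds> <method> <request-uri> <source-ip>" (not any product's real log).
"""
from collections import defaultdict, deque


def build_sample_log():
    """Constructed traffic: three phones placing calls, plus one host flooding INVITEs."""
    lines = []
    for i in range(10):                       # normal call setup from three phones
        phone = f"10.0.0.2{i % 3}"
        lines.append(f"{i * 0.7:.3f} INVITE sip:20{i % 3}@pbx.example.test {phone}")
        lines.append(f"{i * 0.7 + 0.1:.3f} REGISTER sip:pbx.example.test {phone}")
    for i in range(300):                      # 300 INVITEs from one host inside one second
        lines.append(f"{3 + i / 300:.4f} INVITE sip:1000@pbx.example.test 10.0.0.99")
    lines.sort(key=lambda rec: float(rec.split()[0]))
    return "\n".join(lines)


def parse_record(line):
    ts, method, uri, src = line.split()
    return float(ts), method, uri, src


def detect_invite_floods(log_text, window=1.0, threshold=50):
    """Return {source_ip: peak INVITEs in any `window` seconds} for sources above threshold."""
    recent = defaultdict(deque)               # per-source timestamps still inside the window
    peaks = defaultdict(int)
    for line in log_text.splitlines():
        ts, method, _, src = parse_record(line)
        if method != "INVITE":                # only call setups count toward this detector
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:             # drop timestamps that have left the window
            q.popleft()
        peaks[src] = max(peaks[src], len(q))
    return {src: n for src, n in peaks.items() if n > threshold}


if __name__ == "__main__":
    for src, peak in detect_invite_floods(build_sample_log()).items():
        print(f"{src}: {peak} INVITEs in one second, candidate for rate limiting")
```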
59
Registration Manipulation
Attacking The Application: Sig/Media Manipulation
60
Session Teardown
Attacking The Application: Sig/Media Manipulation

61
IP Phone Reboot
Attacking The Application: Sig/Media Manipulation

62
Audio Insertion/Mixing
Attacking The Application: Sig/Media Manipulation

[Diagram: attacker sees packets and inserts/mixes in new audio]
63
Signaling/Media Manipulation: Countermeasures
Attacking The Application: Sig/Media Manipulation
  • Some countermeasures for signaling and media
    manipulation include
    • Use digest authentication where possible
    • Use TCP and TLS where possible
    • Use SIP-aware firewalls/IPSs to monitor for and
      block attacks
    • Use audio encryption to prevent RTP
      injection/mixing

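As an added example (not from the deck), the server side of the digest authentication recommended above and in the flood-based DoS countermeasures on slide 58: the SIP proxy recomputes the RFC 2617 MD5 response for the request it received and accepts only a match against a nonce it issued, so forged or replayed requests fail. Realm, user, password and nonce are constructed sample values.

```python
"""Server-side verification of SIP digest authentication (added example, not from the deck).

Implements the RFC 2617 MD5 digest as SIP (RFC 3261) uses it with qop=auth:
the server recomputes the expected response from the stored password, the
request method and URI, and accepts only a match against a nonce it issued.
A forged REGISTER/INVITE without the password therefore fails, as does a
replayed header with a stale nonce. All values below are constructed.
"""
import hashlib
import hmac
import re

REALM = "pbx.example.test"                       # constructed
CREDENTIALS = {"1001": "correct-horse-battery"}  # constructed, not real credentials
ISSUED_NONCES = {"d2a1e6f0c3b4"}                 # nonces this server sent in 401 challenges
REQUIRED = {"username", "realm", "nonce", "uri", "nc", "cnonce", "response"}


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_authorization(header):
    """Parse 'Digest k="v", k=v, ...' into a dict with quotes stripped."""
    params = header.split(None, 1)[1]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def verify_request(method, uri, auth_header, credentials=CREDENTIALS, issued_nonces=ISSUED_NONCES):
    """True only if the digest matches a known user's password and a nonce this server issued."""
    p = parse_authorization(auth_header)
    if not REQUIRED <= p.keys():
        return False
    password = credentials.get(p["username"])
    if password is None or p["nonce"] not in issued_nonces or p["uri"] != uri:
        return False
    expected = digest_response(p["username"], p["realm"], password, method, uri,
                               p["nonce"], p["nc"], p["cnonce"], p.get("qop", "auth"))
    return hmac.compare_digest(expected, p["response"])  # constant-time compare


def make_auth_header(password, nonce="d2a1e6f0c3b4", method="REGISTER"):
    """What a client (a phone) sends after a 401 challenge for the sample realm."""
    uri = f"sip:{REALM}"
    resp = digest_response("1001", REALM, password, method, uri, nonce, "00000001", "0a4f113b")
    return (f'Digest username="1001", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc=00000001, cnonce="0a4f113b", response="{resp}", algorithm=MD5')
```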
64
Voice SPAM: Introduction
Social Attacks: Voice SPAM
  • Voice SPAM refers to bulk, automatically
    generated, unsolicited phone calls
  • Similar to telemarketing, but occurring at the
    frequency of email SPAM
  • Not an issue yet, but will become prevalent when
    • The network makes it very inexpensive or free to
      generate calls
    • Attackers have access to VoIP networks that allow
      generation of a large number of calls
  • It is easy to set up a voice SPAM operation,
    using Asterisk, tools like spitter, and free
    VoIP access

65
Voice SPAM: Countermeasures
Social Attacks: Voice SPAM
  • Some potential countermeasures for voice SPAM
    are
    • Authenticated identity movements, which may help
      to identify callers
    • Legal measures
    • Network-based filtering
    • Enterprise voice SPAM filters
      • Black lists/white lists
      • Approval systems
      • Audio content filtering
      • Turing tests

66
VoIP Phishing: Introduction
Social Attacks: Phishing
  • Similar to email phishing, but with a phone
    number delivered through email or voice
  • When the victim dials the number, the recording
    requests entry of personal information

67
VoIP Phishing: Countermeasures
Social Attacks: Phishing
  • Traditional email spam/phishing countermeasures
    come into play here
  • Educating users is key

68
Final Thoughts
Final Thoughts
  • General network security is improving in some
    ways, but new threats are emerging
  • Network-based security and managed security
    services can be used to improve enterprise
    security
  • Don't neglect internal security and key
    applications