VOICE OVER IP FUNDAMENTALS
CHAPTER 10
Voice Security
VoIP Security Requirements:
Integrity:
The recipient should receive the packets that the
originator sends without any change to the content.
Privacy:
A third party should not be able to read the data
Authenticity:
Each party should be confident they are
communicating with whom each claims to be
Availability/Protection from Denial-of-Service:
The VoIP service should be available to users at
all times
Shared-Key:
A common shared-key between users
• Each pair of users must have the same key
• Does not scale well with multiple pairs of users
• The key is used to encrypt the message
• A hash is calculated from the shared key
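Added illustration, not from the course slides: the shared-key idea above, where a hash calculated from the common key protects integrity and origin. The Python block tags a message with HMAC-SHA256 under a shared key and shows that a message altered in transit, or tagged under a different key, fails verification. The key and the SIP-style message are constructed samples.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

# Constructed sample: one key shared by one pair of users (provisioned out of band).
SHARED_KEY = b"constructed-shared-key-for-alice-and-bob"


def protect(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Append an HMAC-SHA256 tag computed from the shared key.

    Anyone holding the key can recompute the tag; anyone without it cannot
    forge one, so the tag proves origin (a key holder) and integrity."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(packet: bytes, key: bytes = SHARED_KEY) -> tuple[bool, bytes]:
    """Split the packet into message and tag and check the tag under this key.

    Returns (ok, message); ok is False when the content changed in transit
    or the tag was produced with a different key."""
    if len(packet) < TAG_LEN:
        return False, b""
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, avoiding a timing side channel
    return hmac.compare_digest(tag, expected), message


def tamper(packet: bytes) -> bytes:
    """Model a third party flipping one bit of the payload on the wire."""
    altered = bytearray(packet)
    altered[0] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    # Constructed SIP-style message; example.com is a reserved example domain.
    pkt = protect(b"INVITE sip:bob@example.com SIP/2.0")
    print(verify(pkt)[0], verify(tamper(pkt))[0], verify(pkt, b"wrong-key")[0])
```

The tag gives integrity and authenticity only; the message itself is still readable by a third party, so privacy requires encrypting it with the shared key as a separate step.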
Asymmetric Key:
Each user has a Private-key as well as a Public-key
• Only the corresponding public-key can decrypt the
message that is encrypted with the private-key
• Only the corresponding private-key can decrypt
the message that is encrypted with the public-key
• Has a one-to-one relationship between keys
• Keys can be exchanged over an unsecured network
Asymmetric Key:
Phases
• Authentication phase
• Secure communication phase
• CPU-intensive process
• Unique shared secret per session
Digital Signature:
Uses a set of complementary algorithms for signing and
for verification
• A Digital signature is obtained from a Certificate
Authority (CA)
• A hash of the message is computed and signed with the
sender's private key to create a Digital Signature
• Recipient verifies the signature by running a
verification algorithm over the message content
using the public-key of the sender
Digital Signature continued:
Uses a set of complementary algorithms for signing and
for verification
• Digital signatures provide authentication
• Digital signatures provide message integrity
• Each signature is appended to the message in clear
text
• Digital signatures do not provide privacy
Certificate Authority:
The Certificate Authority receives the public-key at the
time of key generation.
The Certificate Authority will verify the identity of the
sender and issue a certificate
Each device in the system has a public-key of the CA
At the time of contact each system will:
• Present its certificate to its peer
• Each will run a verification
• If verified the keys are stored
Public-key:
Common Protocols
• Transport Layer Security (TLS)
Independent of applications
Rides on top of Transport layer protocols
Can be used with multiple services
• Record Protocol
Lower-layer protocol
Provides privacy and integrity
Uses DES or RC4 for encryption
• Client layer
Authenticates
Negotiates
TLS:
Public-key:
Common Protocols continued
• IPsec
Uses Authentication Header (AH)
Uses Encapsulating Security Payload (ESP)
AH provides authentication and integrity
ESP provides privacy, authenticity, and integrity
Transport-mode
Protects only the payload
Header inserted between the IP header and the
transport layer header (TCP/UDP)
Tunnel-mode
Encapsulates the entire packet
IPsec header is added between the outer and
inner IP headers
Public-key:
Common Protocols continued
• Secure Real Time Protocol (SRTP)
Integrity
Authentication
Privacy
Protecting Voice Devices:
• Disable Unused Ports/Services
Disable Telnet
Disable Trivial File Transfer Protocol (TFTP)
• Simple Network Management Protocol (SNMP)
Use only read-only mode
• Disable Unused Ports on layer 2 switches
Administrative shut down
Protecting Voice Devices continued:
• Host-based Intrusion Protection System (HIPS)
Software agent installed on each device
Collects information about traffic
Information compared against a set of rules
System can take preventative action
Terminating application
Rate-limit data
Protecting Voice Infrastructure:
• Segmentation
VLANs
IP addressing
Traffic types
Separate DHCP servers
• Traffic Policing
Limit bandwidth to the codec used
G.711 is 64 kbps plus overhead
Queuing techniques
• 802.1x Authentication
EAP protocol
RADIUS authentication server
Layer 2
Protecting Voice Infrastructure continued:
Layer 2 tools
• DHCP Snooping
Only allow DHCP offers from known sources
Enabled on switches
Switch(config)#ip dhcp snooping
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#ip dhcp snooping limit rate [rate]
Switch(config)#ip dhcp snooping vlan [number]
DHCP snooping binding database (IP-to-MAC)
Protecting Voice Infrastructure continued:
Layer 2 tools
• IP Source Guard
Used with DHCP Snooping
On untrusted ports only DHCP messages allowed
until DHCP response is received
Uses DHCP snooping binding database
Per port
Installs a Vlan Access Control List (VACL)
Protecting Voice Infrastructure continued:
Layer 2 tools
• Dynamic ARP Inspection
Attacker sends its own MAC address as a reply
Man-in-the-middle attack
Uses the DHCP binding database
Drops malicious packets
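Added illustration, not from the course slides or any vendor: a Python model of the three Layer 2 tools just described working from one DHCP snooping binding database (IP-to-MAC, per VLAN and port). DHCP server replies are accepted only from trusted ports, IP Source Guard passes traffic on untrusted ports only when it matches a binding, and Dynamic ARP Inspection drops ARP replies that contradict the database. Port names, MAC and IP addresses are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:  # one row of the DHCP snooping binding database
    mac: str
    ip: str
    vlan: int
    port: str


class SnoopingSwitch:
    """Constructed model of DHCP snooping, IP Source Guard and Dynamic ARP
    Inspection on one access switch (illustration only, not vendor code)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks toward the known DHCP server
        self.pending = {}                  # client MAC -> access port awaiting a lease
        self.bindings = {}                 # client IP -> Binding

    def dhcp_request(self, port, mac):
        # Client DHCP messages are allowed on untrusted ports; remember the ingress port.
        self.pending[mac] = port
        return "forward"

    def dhcp_reply(self, ingress_port, vlan, client_mac, ip):
        # DHCP snooping: OFFER/ACK from a rogue server on an untrusted port is dropped.
        if ingress_port not in self.trusted:
            return "drop: DHCP reply from untrusted port"
        client_port = self.pending.pop(client_mac, None)
        if client_port is None:
            return "drop: reply for a client that never asked"
        self.bindings[ip] = Binding(client_mac, ip, vlan, client_port)
        return "forward"

    def ip_packet(self, port, vlan, src_mac, src_ip):
        # IP Source Guard: on untrusted ports only traffic matching a binding passes,
        # so before a lease exists nothing but DHCP gets through.
        if port in self.trusted:
            return "forward"
        b = self.bindings.get(src_ip)
        if b and (b.mac, b.vlan, b.port) == (src_mac, vlan, port):
            return "forward"
        return "drop: source not in snooping binding database"

    def arp_reply(self, port, vlan, sender_mac, sender_ip):
        # Dynamic ARP Inspection: a reply claiming a bound IP with another MAC is spoofed.
        if port in self.trusted:
            return "forward"
        b = self.bindings.get(sender_ip)
        if b and b.mac == sender_mac and b.vlan == vlan:
            return "forward"
        return "drop: ARP reply contradicts binding database"
```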
Protecting Voice Infrastructure continued:
Layer 2 tools
• CAM overflow and Port Security
Attacker sends fictitious MAC addresses to fill
CAM table
When CAM table is filled switch will forward
packets out all active ports (broadcast)
Use port security features
Switch(config-if)#switchport port-security maximum [number]
Protecting Voice Infrastructure continued:
Layer 2 tools
• Circumventing VLANs
Uses trunk ports to obtain access
802.1q or ISL
Disable DTP on non-trunk ports
Switch(config-if)#switchport mode access
Protecting Voice Infrastructure continued:
Layer 2 tools
• Network-Based Intrusion Protection System (NIPS)
In series
In parallel
Examines every packet
Does not protect against “Atomic” attacks
Delay is a problem for voice
Protecting Voice Infrastructure continued:
Layer 2 tools
• BPDU Guard and Root Guard
Attack exploits the Spanning-Tree Protocol
Listens on configured ports for BPDUs
Rogue device tries to become the root bridge
Violation can disable the port
Used with portfast
Root Guard will put the port into a root-inconsistent state
Root Guard will allow the device to participate in
spanning-tree
Protecting Voice Infrastructure continued:
Layer 3 tools
• Routing authentication
Not available for all protocols
Can use simple password
Can use Message-digest (MD5) encryption
Not available on RIPv1
Shared keys between systems
Protecting Voice Infrastructure continued:
Layer 3 tools
• TCP intercepts
Denial of Service attacks
Sends multiple SYN packets
Never completes the three-way handshake
Uses falsified IP addresses
Can limit half-open sessions
Intercept mode allows the router to respond
before forwarding packets to client
Protecting Voice Infrastructure:
Security Planning and Policies
• Transitive trust
Eliminate re-authentication at each device
• VoIP Protocol-Specific Issues
Use of computer based softphones
• VLANs
• Trunking
• Double tagging
Protecting Voice Infrastructure continued:
Security Planning and Policies
• Complexity tradeoffs
Bandwidth overhead
Delay
CA cost
• NAT/Firewall Traversal
Opens pathways for voice traffic
Does not work well with encryption (port numbers)
• Password and Access Control
Minimum length
Complexity
Equipment access
End of Chapter 10