Transcript Document
Voice/VoIP/SIP Security Hacker Halted 2010 Mark D. Collier SecureLogix Corporation www.securelogix.com [email protected] 1 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Discussion Outline » Introduction » Discussion of the current threat level » Application/social attacks » Internal/campus VoIP attacks » Session Initiation Protocol (SIP) attacks » Best practices 2 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. About SecureLogix » SecureLogix: » Voice/VoIP/UC security and management solution company » Security solutions for SIP and traditional voice networks » Security applications available now on Cisco ISRs » About me: » Author of Hacking Exposed: VoIP » Author of SANS 540 course on VoIP security » www.voipsecurityblog.com » Author of many SIP and RTP-based “attack” tools 3 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Voice/VoIP Security Introduction » Voice/VoIP systems are vulnerable: » VoIP platforms, network, protocols, and applications are vulnerable » Many available VoIP attack tools » The vendors continue to improve security » Security is not a major consideration during deployment » Fortunately, the threat to VoIP systems is still moderate: » Most deployments are strictly campus/internal deployments » Limited incentive to attack systems » Most access to public networks is still through traditional trunking » Application/social threats remain the biggest issue » SIP trunking and UC “may” change the threat 4 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Traditional Voice Security High Threat Toll fraud/Social engineering Modems TDM Public Trunks Voice Network Medium Threat PBX TDM Phones Harassing Calls/TDoS Modem Voice Firewall Fax Internet Internet Connection Modem Servers/PCs 5 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Internal/Campus VoIP Security IP PBX High Threat Toll fraud/Social eng Modems Public Voice Network TDM Trunks Medium Threat Harassing Calls/TDoS TDM Phones CM VM CC Admin Modem Voice Firewall Gate way Low Threat DB TFTP DNS DHCP Voice VLAN LAN Originated Attacks Internet Internet Connection IP Phones Data VLAN Servers/PCs 6 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Fax SIP Trunks IP PBX High Threat Toll fraud/Social eng Modems SIP Public Trunks Voice Network Medium Threat Harassing Calls/TDoS Voice Firewall CUBE Low Threat Scanning Fuzzing Flood DoS Internet Internet Connection TDM Phones CM VM CC Admin Modem Gate way DB TFTP DNS DHCP Voice VLAN IP Phones Data VLAN Servers/PCs 7 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Fax Network VoIP Increases the Threat High Threat TDM Public Trunks Voice Network TDoS/Harassing Calls Toll Fraud Social engineering Modems PBX TDM Phones Modem Voice Firewall Medium Threat Fax Voice Phishing Voice SPAM Internet Internet Connection Modem Servers/PCs 8 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. UC Changes IP PBX TDM Phones SIP Public Trunks Voice Network More Social Networking CM Voice Firewall CUBE More traffic Over Public Networks VM CC Admin Modem Gate way DB TFTP DNS DHCP Fax Greater Integration IP Phones Internet Servers/PCs 9 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. IP Phone Vulnerabilities Application/Social Attacks » These issues are present whether or not VoIP is used » VoIP is making these attacks easier to execute » Toll fraud » Harassing callers and Telephony Denial of Service (DoS) » Social engineering »Voice Phishing (Vishing) » Voice SPAM 10 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. IP Phone Vulnerabilities Toll Fraud » Toll fraud is theft of voice service » This threat has been around for many years, but is getting worse » It is still very expensive to make international calls to many countries » VoIP is making this issue worse – toll fraud is one of the few incentives to attack VoIP » Enterprise toll fraud consists of minor misuse and dial-through fraud » Minor misuse occurs when employees abuse toll services » Users abuse phones that have limited or no calling restrictions 11 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. IP Phone Vulnerabilities Toll Fraud » Damaging toll fraud occurs when an attacker finds vulnerable DISA or other service that allows an inbound caller to obtain unrestricted outbound dial tone » Attackers find these services/passwords by scanning or from an internal user » Can also happen with some VoIP systems » Attacker sells the call in number and password to anyone they can » Often starts over a weekend when it is less likely to be noticed 12 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Modems Harassing Calls/Denial Of Service (DoS) » Traditionally, harassing calls were generated by individuals » VoIP makes it easy to generate many calls and harass targets » If enough calls are generated, a DoS condition occurs » This type of DoS appears as actual completed calls, with some sort of audio » This is different than the commonly discussed “Invite Floods”, because the target can be using any type of trunking » Depending on the volume and target, the impact can range from annoyance, harassment, to outright DoS » The attacks may be used to mask other types of attacks (fraud, social engineering ,etc). 13 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Modems Telephony Denial of Service » FBI announcement this year » TDoS used to overwhelm consumer phones while fraud was being committed » TDoS also occurred at many large enterprises in their contact centers » Calls were designed to dwell in IVRs and generate traffic » Primary incentive was traffic pumping/skimming » Attacks became more sophisticated as time went on » Expect these attacks to become more common, sophisticated, and damaging 14 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. IP PhoneEngineering Vulnerabilities Social » Social engineering involves an attacker who manipulates inexperienced users in order to gain confidential information » This threat has been around for many years, but is getting worse » The target is often call centers » VoIP may be making the issue worse, because it makes it easier to spoof caller ID and make free calls » Attackers call in and hope to talk with inexperienced users » Attackers also call in multiple times, each time trying to get an additional bit of information » Once an attacker gets a piece of information, it is often easier to get more 15 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Voice Phishing (Vishing) » Similar to email phishing, but with a phone number delivered though email or voice » When the victim dials the number, the recording requests entry of personal information » VoIP and tools such as Asterisk or Trixbox make setting up this attack much easier 16 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Voice SPAM » Voice SPAM refers to bulk, automatically generated, unsolicited phone calls » Similar to telemarketing, but occurring at the frequency of email SPAM » Attackers have access to VoIP networks that allow generation of a large number of calls » It is easy to set up a voice SPAM operation, using Asterisk, tools like “spitter”, and free VoIP access » Attack execution is similar to harassing calling/DoS 17 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Application Attacks Countermeasures » Educate users on proper response » Use PBX features to control access to DISA and toll calls » Closely monitor CDR » Obtain visibility into what is happening across all sites » Work with your service provider » Perform a trunk/external traffic assessment to determine if any attacks are ongoing » Deploy voice firewalls to monitor for and mitigate attacks (on all types of trunks) 18 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Internal/Campus Attacks » Gathering information » IP PBX: » Server platforms » Various gateway cards » Adjunct systems » Network: » Switches, routers, firewalls » Shared links » VLAN configurations » Endpoints: » IP phones and softphones 19 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Gathering Information » First step in gathering information prior to an attack » Footprinting does not require network access » An enterprise website often contains useful information » Google is very good at finding details on the web: » Vendor press releases and case studies » Resumes of VoIP personnel » Mailing lists and user group postings » Web-based VoIP logins 20 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Scanning » Process of finding VoIP hosts and running services » The first step is gaining access to the network: » Insider access » Malware delivered via email, trojan, etc. » Non-secure wireless, modems, etc. » Poorly secured “public” device like a lobby phone » Compromised network device » VLANs are pretty easy to overcome » Its possible to hook up a lap top and spoof IP and MAC addresses 21 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Scanning » Once network access is obtained, next step is to scan for VoIP hosts » nmap is commonly used for this purpose » After hosts are found, scans are used to find running services » After hosts are found and ports identified, the type of device can be determined » Network stack fingerprinting is a common technique for identifying hosts/devices 22 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Scanning (Signaling Ports) » SIP enabled devices will usually respond on UDP/TCP ports 5060 and 5061 » H.323 devices use multiple ports, including TCP 1720, UDP 1719 » SCCP phones (Cisco) use UDP/TCP 2000-2001 » Unistim (nortel) uses UDP/TCP 5000 » MGCP devices use UDP 2427 23 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Enumeration » Involves testing open ports and services on hosts to gather more information » Includes running tools to determine if open services have known vulnerabilities » Also involves scanning for VoIP-unique information such as phone numbers » Includes gathering information from TFTP servers and SNMP 24 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Enumeration » SNMP is enabled by default on most IP PBXs and IP phones » If you know the device type, you can use snmpwalk with the appropriate OID » You can find the OID using Solarwinds MIB » Default “passwords”, called community strings, are common 25 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Enumeration » Almost all phones use TFTP to download their configuration files » The TFTP server is rarely well protected » If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password » The files are downloaded in the clear and can be easily sniffed » Configuration files have usernames, passwords, IP addresses, etc. in them 26 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Network NetworkVulnerabilities Vulnerabilities » The VoIP network and supporting infrastructure are vulnerable to attacks » DoS floods are particularly effective » VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter » Attacks against supporting infrastructure services, such as DHCP, TFTP, DNS, are also possible » Any direct attack against a network element (IP PBX, switch, router, gateway, etc.) can affect VoIP service » Possible to eavesdrop, exploit VLAN configuration, and perform MITM attacks 27 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Network NetworkVulnerabilities DoS » Some types of floods are: » UDP floods » TCP SYN floods » ICMP and Smurf floods » Worm and virus oversubscription side effect » QoS manipulation » Application flooding (INVITE floods, REGISTER floods) » Shared links with large amounts of traffic are especially vulnerable 28 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Network NetworkVulnerabilities Infrastructure DoS » VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc. » DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones » DNS cache poisoning involves tricking a DNS server into using a fake DNS response 29 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Network Vulnerabilities Eavesdropping » VoIP signaling and media are very vulnerable to eavesdropping 30 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Network NetworkVulnerabilities Interception » The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing: » Eavesdropping on the conversation » Causing a DoS condition » Altering the conversation by omitting, replaying, or inserting media » Redirecting calls 31 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. IP IPPhone PhoneVulnerabilities Vulnerabilities » IP phones can also be attacked: » Physical access » Poor passwords » Signaling/media » DoS » Unnecessary services 32 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Internal/Campus Attacks Countermeasures » Follow best practices for good internal network security » Limit publically available information » Disable unnecessary services on all VoIP platforms » Maintain patches » Monitor network activity and maintain logs » Consider using encryption for signaling and audio » Consider secure protocols for administration, file transfer, etc. 33 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. IP Phone Vulnerabilities Session Initiation Protocol (SIP) Attacks » Very important, since SIP is becoming more commonly used » Directory Scanning » Fuzzing » Flood-based Denial of Service (DoS) » Registration manipulation » Call termination » RTP tunneling and manipulation 34 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. SIP Security IP PBX TDM Phones Public Voice Network SIP Trunks CM Voice Firewall CUBE Scanning Fuzzing Flood DoS Internet Internet Connection VM CC Admin Modem Gate way DB TFTP DNS DHCP Voice VLAN SIP Phones Data VLAN Servers/PCs 35 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Fax Directory Scanning 1. INVITE derek@tpti (spoofed source IP) Proxy Server Send INVITEs/OPTIONs/REGISTERS To Scan For IP Phones 36 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Fuzzing/Malformed Messages Redirect Server Malformed SIP Malformed SIP SIP Proxy/PBX Malformed SIP 37 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Flood-based DoS 1. INVITE derek@tpti (spoofed source IP) Proxy Server Send 1000000 INVITEs Ring All Phones 38 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Registration Manipulation Location Server 3. REGISTER sip:[email protected] Contact < [email protected] > Expires: 1800 2. “To contact sip:[email protected] Use sip:[email protected] for 60 minutes” 4. “To contact sip:[email protected] Use sip:[email protected] for 30 minutes” 1. REGISTER sip:[email protected] Contact <sip:[email protected]> Expires: 3600 3. 200 OK Registrar derek’s Phone 39 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Call Termination 6. INVITE [email protected] 7. 200 OK 8. RTP Conversation 7. SIP CANCEL [email protected] 9. SIP BYE [email protected] 40 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. RTP Tunneling 41 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. RTP Manipulation 42 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. IP Phone Vulnerabilities SIP Attacks Countermeasures » Secure registration with authentication » Consider encryption for signaling and audio » Deploy SIP-aware firewalls (CUBE) on SIP trunks » Continue to deploy voice firewalls on SIP trunks for application security issues 43 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. IP Phone Best Vulnerabilities Overall Practices » Develop a voice/VoIP security policy » Address application issues at the perimeter » Prioritize security during VoIP deployments » Follow good basic data network security for internal network » Consider a perimeter and VoIP security assessment » Deploy SIP security when using SIP trunks 44 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. IP Phone Vulnerabilities Resources » www.voipsa.org » www.blueboxpadcast.com » www.securelogix.com » www.voipsecurityblog.com » Vendor sites 45 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners. Questions? 46 © Copyright 2009 SecureLogix Corporation. All Rights Reserved. ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners.