Transcript VOIP-Final-Xeon

MSIT 458
Information Security and Assurance
VoIP
Xeon Group
Rohit Bhat
Ryan Hannan
Alan Mui
Irfan Siddiqui
1
VOIP
I. What is VoIP?
II. Business & Security Concerns
III. Security Threats
IV.Security Measures
V. Cost/Risk Analysis
VI.Legal Consequences
2
What is VOIP?
• Protocol optimized for the transmission of
voice through the Internet or other packet
switched networks
• Also referred to as IP telephony, Internet
telephony, voice over broadband, broadband
telephony, and broadband phone.
3
How fast is VoIP growing?
Per a study conducted by IBISWorld:
• Industry’s forecast is to experience the
largest revenue growth in the
telecommunications sector over the next five
years, at an annual growth rater of 25%.
• Business subscriptions will grow by 44%,
compared with consumer subscription
growth of 21%.
4
How fast is VoIP growing?
Per a study conducted by IBISWorld:
• U.S. will have 25 million paying VoIP
customers by 2012.
• Total industry revenues in 2008 are forecast
at $3.2 billion, reaching $5 billion by 2012.
5
Business Concerns





Integrity – Voice quality should be excellent
Availability – User needs dial-tone 365/24/7
Confidentiality – All communication should
remain confidential
Authenticity – Valid service subscribers
should be able to access the service
provider’s network
Federal and State regulatory compliance
6
Security Threats
Configuration weaknesses in VoIP devices and
underlying operating systems can enable
denial of service attacks, eavesdropping,
voice alteration (hijacking) and toll fraud
(theft of service), all of which can result in
the loss of privacy and integrity.
Unscrupulous telemarketers could use VoIP (via
soft PC based phones) to access customer
credit and privacy details.
7
Security Threats
Today, the biggest VoIP-related security threats
are inside a company's firewall, such as
changing a configuration setting to make
the CEO's phone ring at a disgruntled
employee's desk. Eavesdropping is
another potential problem.
8
Security Threats
Launch a Denial of Service attack by placing a
large number of calls, either as an
authorized or unauthorized user, to flood
the network.
SPIT (spam over Internet telephony or VOIP) –
advertising that appears in a VoIP voice
mailbox.
9
Security Threats
Vishing, the process of persuading users to
divulge personal information such as Social
Security and credit card numbers. Attackers
can "spoof" the caller ID that users see to
make the call appear to come from a
legitimate organization.
10
Security Measures
Bolster encryption by encoding and decoding
information securely, both the conversation
and the call numbers.
Encrypt VoIP communications at the router or
other gateway, not at the individual
endpoints. Since some VoIP telephones are
not powerful enough to perform encryption,
placing this burden at a central point
ensures all VoIP traffic emanating from the
enterprise network will be encrypted.
11
Security Measures
IP Phone must register to make phone calls.
1.
2.
3.
When a phone tries to register, the registrar
sends a challenge.
Phone correctly encrypts the challenge,
digital certificate from phone manufacturer,
and Media Access Control (MAC) address.
Manufacturer certificate cannot be forged
because it is burnt into the phone’s nonvolatile RAM and cannot be retrieved.
12
Security Measures
Separate VoIP network from data network by
logically segregating the voice and data
networks using vLAN-capable switches.
Don't allow interaction between Internetconnected PCs and VoIP components.
13
Security Measures
Install an Intrusion Prevention System (IPS) at
the network's perimeter to scan for known
signatures while blocking or allowing traffic
based on application content rather than IP
addresses or ports.
An IPS can dynamically modify firewall
rules or terminate a network session when
necessary.
14
Security Measures
Session Border Controllers (SBC) prevent
someone (most likely a computer program)
from generating abnormal number of calls
from a legitimate VoIP account within a
threshold period.
A violation of the threshold policy rule
suspends additional call placement from an
account for specified period of time.
A session key is maintained for the whole of
the conversation for security and encryption
purposes.
15
Security Measures
Implement a voice-aware (VoIP-ready) firewall,
which is optimized by voice, allowing the
opening of ports only when a connection
must be established.
Stateful packet inspection can be used to
drop attack packets because they are not
part of an authenticated connection.
16
Security Measures
In order to mitigate the latency issues caused by
security measures, add QoS to all devices
processing the calls, i.e. turn on this feature
on the service provider’s data switch and
the data router, as opposed to a phone
switch located within the subscriber’s LAN
where the call terminates.
17
A look at the VoIP infrastructure
Customer A
Session Border
Controller
EWSD Switch
T1(s)
Edge Router
`
GenBand G6
T1(s)
Public Switched
Telephone Network
PRI
Trunk
Per rate Center
Customer B
Virtual VPN
Router
`
Firewall
Next VOIP
Service
Central Office
(Telephone Switch Exchange)
TECH CENTER
VOIP Servers
Virtual VPN Router
Site Headend Router
Core Routing
VPN Tunnel
1. Customer A’s SIP phone initiates call by contacting
SBC
2. SBC contacts Applications Server to determine
where to send RTP (Real Time Protocol) traffic
3. Application Server consults with Network Server to
determine where SBC is to connect to send establish
session for traffic
4. Application Server Contacts Genband G6 and SBC
and give them each others contact info (IP and port).
5. Genband and SBC establish Signaling session for
call
6. Customer A’s SIP phone sends traffic to SBC, then
to G6 over to the EWSD
Data Center
Broadworks Application
Server
Email Servers that store
Vmail wave files
Core Routing
Broadworks Network
Server
Broadworks Media Server
Firewall
Firewall
Broadworks Web Server
18
Security Threat to Come
A lot of the security measures taken today are
based on experience with restricting access
to data networks.
To date, not a single virus is reported that is
specific to infecting the VoIP packets.
However, it is to come without a doubt.
19
Cost/Risk Analysis
Cost/Risk analysis vary from industry to industry
and business to business. The best
judgment of risk exposure is collective
assessment of both immediate and future
monetary losses to an organization.
Organizations today can utilize research based
calculators for estimating the potential cost
of a data security breach for any number of
'at risk' records. The same concept can be
applied to VoIP.
20
100,000
Cost/Risk Analysis
A sample identity theft or data breach Cost
calculator can be found at
www.IdentityTheftAmerica.com/databreachcalculator.asp
Enter Total Number Of Affected Records
Customer Notification (Mail)
Phone Call Center Support
Legal Defense Services
Criminal Investigations (Forensics)
Public / Investor Relations
Free / Discounted Services (Credit
reports)
Cost Of Brand Impact - Lost & Fewer Customers
Cost Of Security Data Breach
100,000
$664,000.00
$2,895,000.00
$663,000.00
$248,000.00
$205,000.00
$2,380,000.00
$9,832,000.00
$16,887,000.00
21
Legal Consequences
Businesses need to be aware that the laws and
rulings governing interception or monitoring
of VoIP lines, and retention of call records,
may differ from those of conventional
telephone systems.
These issues
should be reviewed with legal advisers.
Virus attacks delivered through use of VoIP
services, such as Skype, may not be held
accountable.
22
VoIP Security
Questions?
23