Téléphonie sur IP sécurisée
Download
Report
Transcript Téléphonie sur IP sécurisée
Secured IP telephony
Agenda
» ToIP : risks ?
» Security analysis
» Bests practices
» Security in Aastra 5K solution
» Engineering
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
2
ToIP : risks
TDM versus ToIP
» TDM = dedicated solution without any link to is/it link.
– Generally not seen in the Company’s security Policy.
– A little of Applications
– High Availability level (>99,99%)
» ToIP
– Shared “transport” network: IP-Network
– Deep Interaction in the IS/IT solutio:
ToIP is part of the company process
ToIP projects are managed by DIS/IT managers
>> ToIP is part of the security policy of all Companies
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
4
Which risks ?
» Call listening-in
– Physical access to wiring closet or to PSTN access (with sensor) needed with a
TDM solution (access to wiring closet)
– No physical access needed with ToIP
» Service degradation : DoS (Denial of Service) or DDos (Distributed DoS)
attacks
– Potential vulnerability to virus or worm
– New threats from network world (ex : SPIT = SPAM on unified messaging)
– TDM solution availability = 99,998% !
» Fraudulent use of resources
– Same risks as legacy telephony : rights bypassing / abusive call
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
5
Phreaking
Example of attack – legacy telephony
» Attacks on access equipment
– Phreaking : scan of numbers, toll-free number
– Voice messaging equipment
– Free telephony,
» Inappropriate use of facilities
– Call forward for listening-in and extra-billing, telephony IT resale on black market,
advertising message, play on enterprise image…
» Denial of service
– Busy line, call forward on VM,
>> ToIP is concerned too by such attacks
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
6
Hacking
Example of attack on IP protocol
» Signaling protocols subject to packet injection and listening (UDP
= spoofing),
» Network sniffing : classic network analysis to obtain information
» DoS on signaling flow : bad programming and saturation,
» Play with protocol request: SIP/Cancel, SIP/bye,
» Eavesdropping by capturing RTP flow (i.e with ethereal),
» TFTP et DHCP attack : bad configuration to gain access…
>> ToIP is concerned too by such attacks
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
7
Phreaking and Hacking
In real life
» Attack on VoIP provider to steal
minutes
» ~1 M$ of damage
» Attack could have been prevented
if « best practices » had been
respected.
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
8
Security approach
Objectives = CIA + P
» Confidentiality
– No illegal listening / illegal access to directory
» Integrity
– Service can not be created, changed, or deleted without authorization
» Availability
– Protection mechanism guaranty availability of service,
» Proof (Audit)
– Log of actions / CDR
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
10
Equipments
» Confidentiality, Integrity, Availability, and Proof (audit)
Call server
Gateways
Applications
IP
ISDN
LAN
Switches
Routers
Level 2 & 3
WAN
Managements
WAN
Windows,
Unix...
System
Terminals
Dedicated to ToIP
Management
Remote
Access
Interfaces
Network Servers
Commun
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
11
End to end security (1/2)
Remote working, mobility
Remote
management
IP Phone
CTI
SOHO
INTERNET
WIFI&DECToIP
LAN
GLOBAL APROACH
Call Server
WAN Signaling
LAN
RTC/RNIS
Gateway
Servers & Applications
SIP trunk
LAN
Legacy phones
RTC/RNIS
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
12
End to end security (2/2)
» Same level of protection
– On all equipments
– On all software layer
– End to end
Application layer
Operating system
RTP
UDP
TCP
Network
IP
ATM
Ethernet
Transport
Datalink
Physical layer
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
13
Best practices
ToIP Security elements have to be reliable
» Correct end to end integration has impact on security devices :
– Risks: security level adapted to security policy
– Architecture : easy integration in existing infrastructure
Evolution of existing security devices
Integration with existing data infrastructure
– Performances : quality of voice is a key factor – should not be dependant of
network load
– Rules : flow control should be easy to implement (firewall, proxy, SBC,..)
>> Secrurity has to be transparent for telephony services
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
16
Converged network & security
Respect of best practices
» Electrical protection adapted to ToIP
security prerequisites
– UPS and battery
– Emergency generator
» LAN/WAN design adapted to ToIP security
prerequisites in term of availability
– Core network redundancy (power supply,
CPU)
– L2 redundancy: STP, rapid STP, multiple
STP, 802.3ad + proprietary
– VRRP, Routing
– critical provider accesses
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
17
Converged network & security
Respect of best practices
» Voice flow insulation
– VLAN creation : broadcast limitation and voice flow isolation
– Definition of rules for InterVLAN filtering
On router or L3 switch (ACL, Vlan ACL)
On firewall
» Some network services become critical :
– Ex : switches, DHCP server(s), TFTP/FTP server(s)
» Limit and control resources access
– Call server
– Applications
– Deactivation of unused services
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
18
Converged network & security
Example : VLAN ACL
» Objective :
– Prevent from ICMP et TCP flooding
DoS attacks
Attack : ICMP flooding in
voice VLAN
» Current generation of switches allow
to define ACL (Access Control List) à
inside VLAN (VLAN ACL)
» IP Phones talks to each other only
with UDP
» ACL Example of implementation in
ToIP phone VLAN:
LAN
ACL in ToIP VLAN:
Only UDP is permitted btw phones
– Block TCP and ICMP btw IP Phones
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
19
Converged network & security
Example : limitation of MAC@ # by port
»
Objective :
Attack : ARP flooding
(different MAC@) with
frame creation tool
– Prevent attack that can saturate
switch CAM by ARP requests with
different MAC@ flooding CAM
overflow attack
» Current generation of switches allow
to limit @MAC# by port
LAN
» Example : limit to 2 MAC@ by port
– MAC @ phone
– MAC @ PC
Switch port that
allows only 2
MAC@ by port
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
20
Converged network & security
Example : limitation of rogue DHCP server
Attack : rogue DHCP
server on LAN
» Objective :
– Prevent rogue DHCP server on
network
» Current generation of switches allows
to forbid some ports to deliver DHCP
Offer
Voice DHCP Server
LAN
» Example
– Interdiction to send DHCP offer on
Phone Port
Ports that blocks
DHCP Offer
Port that allows
DHCP offer
Data DHCP Server
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
21
Converged network & security
LAN Design
Authentication & ciphering
» Filtering by protocole/ports
and/or IP@
– InterVLAN routing rules on L3
device
– ACL on switch
– Statefull firewall
» Number of MAC@ limited by
port
» All traffic expect RTP is
forbidden btw Phones
» DHCP protection
» Authentication and encryption
SSL, sRTP, TLS
» IDS / IPS (Intrusion Detection/
Prevention/ Intrusion system
L2
IDPS
L2
L2
L2
Logical function
(Layer 3 Switches, Routers and/or firewalls)
FW
@MAC Filtering
and limiting –
Ø DHCP offer
L2
Filtering and
communication
between VLANs
L2
L2
VLANs Call Server & gateways
L2
VLANs Data Application
L2
VLANs Admin
L2
VLANs PC and Data endpoint
L2
VLANs Telephony Applications
L2
VLANs Phone
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
22
Converged network & security
High level architecture
Remote worker, Mobility
Remote
management
Remote worker
Secure CTI
IP Phone
SOHO
CTI
INTERNET
Firewall
VPN
WAN
VLANs
LAN
Call Server
Hardened
servers
WIFI&DECToIP
LAN
VLANs
Secure mobility
Signaling
RTC/RNIS
Gateway
Firewall
Servers & Applications
VLANs
LAN
SIP Trunk
RTC/RNIS
Legacy phones
Encryption
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
23
Converged network & security
WAN Design
Voice applications
» Protect ToIP ressources :
– Voice app & Call Server in
DeMilitarized Zone (DMZ)
– Filtering rules
DMZ Téléphonie
ToIP
» Virtual Private Network (VPN)
managed by enterprise or provider
– Encryption
– Authentication
– Proof
FW
VPN
Remote sites
QoS
» QoS
ToIP+Data
LAN commun (VLAN)
LAN
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
24
Converged network & security
Remote workers
Voice applications
» Secure access to enterprise
resources (firewall, VPN
concentrator, UTM)
DMZ Téléphonie
» Virtual Private Network (VPN)
managed by enterprise or
provider
– Encryption
– Authentication
– Proof
» QoS should be a Main
Concern (especially with ADSL
access)
IPSec site to site
+ IP Phone
ToIP
FW
VPN
Remote sites
QoS
IPSec client to site
+ Softphone
ToIP+Data
LAN commun (VLAN)
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
25
Converged network & security
Remote management
Voice applications
» Secure access to enterprise
resources (firewall, VPN
concentrator, UTM)
DMZ Téléphonie
ToIP
» Virtual Private Network (VPN)
managed by enterprise or provider
– Encryption
– Authentication
– Proof
FW
VPN
Remote sites
QoS
IPSec client to site
» Use secure protocols (ex : HTTPs)
ToIP+Data
LAN commun (VLAN)
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
26
Security in Aastra solution
HA
Encryption
Protected application
SSO
Active
Directory
Win Session (NTLM, Kerberos)
Radius
(AAA)
802.1x (EAP-MD5)
IDS/IPS
Applications
OS Hardening
Server LAN
Endpoints
Firewall
Management
Aastra 5000
Security Management everywhere
BEST PRACTICES
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
28
Aastra 5000
Securisation, High Disponibility
» Aastra 5000 CS: Service without any
interruption
A5000CS
Primaire
– Secured hardware Stratus®
– Spatiale Redundancy with communications not cut
» Aastra IPBX/MGW
– Specific and secured Hardware
– Power Supply Safety using battery
– CPU and power supply Redundancy
Switch
Signalisation
WAN
» « Local Survivability » on Aastra IPBX/MGW
(services kept)
– Short or external numbering
– Vocal Guides vocaux, announcements,
– Transfers, Callbacks, Alternate, multi – lines,
monitoring of extensions
– Profile of the user
A5KCC
A5000CS
Secondaire
Poste IP/SIP
IPBX/MGW
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
30
Availability of ToIP service
Local call Handling on gateway (ex : WAN failure) : Dual Homing
Main site
R5.1B
Provider
Remote site
Max 500 IP Phone on gtw
2. WAN Failure
Gateway X Series
WAN
Provider
4. Dual Homing Mode : call
server function on gateway
IP Phone – secured by gtw
A5000 Server
3. Subscription to Local gateway
1. Nominal mode : Managed by main Call Servers
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
31
Availability of ToIP service
Local call Handling on gateway : Dual Homing
R5.1B
» Same level of services (except access to centralized resources):
–
–
–
–
Short or external numbering
Vocal guide, music,
Call forward, call back, alternate, multi line, supervision
User profile
» No break of communications during failover (except if call transits through the
WAN)
» No restart of the gtw in case of remote disconnection.
» Integrated CDR buffer to save CDR (tickets) and send them to CDR Server
» Configuration synchronization A5k towards gateway :
– Periodic downloading of the configuration each day for each set
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
32
Availability of ToIP service
Local call Handling on gateway :
» L2 tagging (802.1p/q) and L3 (ToS field Diffserv) available on all
Phone
» Call Admission Control embedded in Aastra software on all Call
Server & Gateway/iPBX range
– QoS does not prevent of IP link overloading
– Aastra CAC allows to prevent overloading on WAN links with limited
bandwidth
Codec negociation in relation to load of links
In case of overload, fallback mechanism : : rerouting by voice carrier for
instance (RTC/RNIS)
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
33
Secured IP Phones
Embedded features (1/2)
» Authentication to A5k software :
phone # & PIN code for log-in
log-out
» Authentication to network access
802.1X R5.1B or MAC@
» Integrated switch
– Voice flow tagged in Voice VLAN
– Data flow tagged in data VLAN
» Optional Communication (Voice)
encryption on SIP 675xi & 53xxIP
or I7xx
R5.2
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
34
Secured IP Phones
Embedded features (2/2)
» Self admin on 67xxi & 53xxIP :
– Password
– Automatic log-out after idle state
» User profile is on AM7450
» firmware OS is specific : no known
virus
» Secure firmware update
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
35
Secured IP Phones
Focus 802.1x
» Objective :
– Secured access to LAN via IP Phone authentication (EAP-MD5)
– Relay of 802.1x requests from PC connected to integrated switch
Transparent relay
+ EAP-Logoff
1
auth. Request
EAP-MD5 (802.1x)
Check
Login+mdp
2
Authentication
server (Radius)
6
OK = auth.
connection
(DHCP, RTP…)
OK
5
Authorization
4
3
Rights
LDAP
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
36
Secured communications
ToIP encryption
A5000
» VoIP encryption
– Encryption based on AES 128 bits
– From A5k Server, encrypted diffusion of
to :
BTW IP PHONES
Gateways
IP Phone I7xx (for each beginning of call)
IP Phone 53xxIP
– Key defined by administrator
on A5k
R5.2
server
– Systematic encryption, codec
negotiation based on CAC & support of
encryption on devices
– Indication of encrypted state of
communication on terminal
IP Phone & Gateway
Btw gateways
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
37
Secured management
» Integrated Web Manager = Aastra
Management Portal
– Secured access by login/pwd
– Different rights
Rights for iPbx configuration
Rights for directory management
(web based)
Rights to managed user phones
– Log of accesses
» Aastra Management 7450
(AM7450):
– Right management / administrator
– Management flows are encrypted
– Gateway and server are
authentified
HTTPS
TLS
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
38
Secured Management
» Configuration management :
– Backup / Restore of user profiles on
AM7450
– Automated backup/restore of CS and
GTX configurations
– Automated backup of CS and GTX
logs & inventory of active elements
– Configuration audit – numbering plan
– Inventory
of R2.1
IP Phone, directory #,
M7450
M7450 R2.1
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
39
Aastra 5000 - OS
» Linux Community
» OS Linux customised and ruggedized (OS hardening), no direct
access on it
» The not-used services are not avaiable: only few accessible
(open) ports
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
41
A5k software
» User profile:
–
–
–
–
Class of service– ex: discrete listening rights, call forwards,..
Access discrimination
Multi – tenant with filtering btw society (multicompany)
User pwd
» Call logging :
– Via CDR & CDR app server– performance analysis
– Cut off of com after certain time (parameter)
– Business code
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
42
Aastra Communication Portal
Secured acess
» Secured acess to whole Aastra
Communication Portal app via SSO
(Single Sign On)
» User authentication via Windows Active
Directory login/mdp
» Unified user and pwd management
through Windows Server
» Native security and mobility
– Windows Login/pswd
– Virtual desking or free seating (login-logout)
from Aastra IP Phones
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
43
Aastra Communication Portal
Secured acess
1
4
2
Authentication
Login/pwd
Windows
Windows
Server
ACP is launched
Login : Bob
Tel : 5656
Aastra 5000
3
Windows Session
is open
NTLM Auth
1*
802.1x (optional) +
Auth Login/pwd
A5000
Check
Login+pwd
5
7 Access OK
7
VTI request for
number 5656
ACP
Search of user :
*requests not detailed on schemes
6 Bob & app/rights
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
44
Aastra applications
Antivirus support
» Antivirus support on Aastra applications : highly advised
– Respect prerequisite (c.f. LCI)
» ACP
– Scan and updates authorized during idle state (night)
– Scan of logs not permitted
» UCP
– Directory D:/ not scaned
– Updates during idle state
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
45
SIP and security
» MD5 authentication of Aastra SIP Phone
» Digest Access Authentication (RFC2617) via MD5 on trunk SIP:
– Crossed authentication VoIP provider<->Aastra 5k
» Embedded Session Border Controler (SBC) for support of NATed
environments
Session Border
Controler
Auth. MD5
Aastra Com
Server
Voice ISP
Auth. MD5
FW
WAN
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
46
Security and wireless solutions
» Aastra DECToIP
– Radio DECT technology natively secured
(authentication, encryption)
– Qos integrated in RFP : L2 (802.1p/q) & L3 (Diffserv)
» Wifi Terminal Aastra 312i
– WPA2 support with PSK authentication (Pre Shared
Key) for better performances
– QoS has to be implemented on ntw infrastructure
(example mapping SSID / VLAN)
– Light AP solution needed
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
47
Checkphone partnership
» Check of integrity of
communications :
– Detection of illegal use of telephony
resources
– Differential analysis btw
configurations
Example : gain of privileges
» Analysis and filtering : IDPS
proble on TDM & IP/SIP trunks
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
48
Engineering rules
QoS
» QoS on LAN : its implementation depends on network load
– 802.1p/q tagging
– Guaranteed bandwidth for voice flow
– Use of different waiting queues of switches: voice flow acheminated in priority
» QoS on WAN : recommended
– L3 taggin upon Diffserv model & ToS (type of service) field of IP header
– L2&L3 QoS have to be coherent
– L2&L3 QoS Mapping & MPLS class of service (ex : mapping VLAN <-> class of
service)
» Aastra Call Admission Control :
– Load limited “a priori” on links, fall back mechanism in case of congestion
– Embedded on all Aastra equipments
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
50
SNEC tool
» SNEC (Succession Network Engineering
Configuration)
» Complete Engineering tool used during
presales phase
–
–
–
–
Traffic modelisation
Quality of voice
Bandwidth and network planning
End to end validation
» Version 2 integrates new features :
– VPN : IPSec, L2TP, PPTP
– xDSL links
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
51
VoIP encrypted Performances
» No impact on voice communication (delay…)
» Some constraints linked to treatments
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
52
Tools
» Port (TCP/UDP) used in Aastra solutions
– http://support.nexspan.net/mkg/mcdfr/
» SNEC Tool (bandwidth, jitter, delay,…)
– SNEC http://support.nexspan.net/mkg/mcdfr/
» Technical information (supported antivirus,
configuration) :
http://support.nexspan.net/support/lci/lci.php?l=f
r
» Patches management
http://support.nexspan.net/extra/Support/patch/i
ndex.php?lang=fr&target
Secured IP Telephony. © 2008 Aastra Communications,
Ltd.
55