
Voice/VoIP/SIP Security
Hacker Halted 2010
Mark D. Collier
SecureLogix Corporation
www.securelogix.com
[email protected]
1
© Copyright 2009 SecureLogix Corporation. All Rights Reserved.
ETM, SecureLogix, SecureLogix Corporation, the ETM Emblem and the SecureLogix Diamond Emblem are trademarks or registered trademarks of SecureLogix
Corporation in the U.S.A. and other countries. All other trademarks mentioned herein are believed to be trademarks of their respective owners.
Discussion Outline
» Introduction
» Discussion of the current threat level
» Application/social attacks
» Internal/campus VoIP attacks
» Session Initiation Protocol (SIP) attacks
» Best practices
About SecureLogix
» SecureLogix:
» Voice/VoIP/UC security and management solution company
» Security solutions for SIP and traditional voice networks
» Security applications available now on Cisco ISRs
» About me:
» Author of Hacking Exposed: VoIP
» Author of SANS 540 course on VoIP security
» www.voipsecurityblog.com
» Author of many SIP and RTP-based “attack” tools
Voice/VoIP Security Introduction
» Voice/VoIP systems are vulnerable:
» VoIP platforms, network, protocols, and applications are vulnerable
» Many available VoIP attack tools
» The vendors continue to improve security
» Security is not a major consideration during deployment
» Fortunately, the threat to VoIP systems is still moderate:
» Most deployments are strictly campus/internal deployments
» Limited incentive to attack systems
» Most access to public networks is still through traditional trunking
» Application/social threats remain the biggest issue
» SIP trunking and UC “may” change the threat
Traditional Voice Security
[Diagram: a traditional TDM voice network. High threat (via the TDM public trunks from the public voice network): toll fraud/social engineering, modems. Medium threat: harassing calls/TDoS. Elements shown: voice firewall, PBX, TDM phones, fax, modems, Internet connection, servers/PCs.]
Internal/Campus VoIP Security
[Diagram: an IP PBX deployment still connected to the public voice network over TDM trunks. High threat: toll fraud/social engineering, modems. Medium threat: harassing calls/TDoS. Low threat: LAN-originated attacks against the voice VLAN. Elements shown: voice firewall, gateway, CM, VM, CC, Admin, DB, TFTP, DNS, DHCP, TDM phones, IP phones on the voice VLAN, fax, modem, Internet connection, servers/PCs on the data VLAN.]
SIP Trunks
[Diagram: the same IP PBX deployment with SIP trunks to the public voice network. High threat: toll fraud/social engineering, modems. Medium threat: harassing calls/TDoS. Low threat: scanning, fuzzing, flood DoS. Elements shown: voice firewall, CUBE, gateway, CM, VM, CC, Admin, DB, TFTP, DNS, DHCP, TDM phones, IP phones on the voice VLAN, fax, modem, Internet connection, servers/PCs on the data VLAN.]
Network VoIP Increases the Threat
[Diagram: a TDM-trunked enterprise facing a public voice network that is increasingly VoIP. High threat: TDoS/harassing calls, toll fraud, social engineering, modems. Medium threat: voice phishing, voice SPAM, fax. Elements shown: PBX, TDM phones, voice firewall, modems, Internet connection, servers/PCs.]
UC Changes
[Diagram: an IP PBX with SIP trunks to the public voice network and an Internet connection. Changes called out: more social networking, more traffic over public networks, greater integration. Elements shown: voice firewall, CUBE, gateway, CM, VM, CC, Admin, DB, TFTP, DNS, DHCP, TDM phones, IP phones, fax, modem, servers/PCs.]
Application/Social Attacks
» These issues are present whether or not VoIP is used
» VoIP is making these attacks easier to execute
» Toll fraud
» Harassing callers and Telephony Denial of Service (DoS)
» Social engineering
» Voice Phishing (Vishing)
» Voice SPAM
Toll Fraud
» Toll fraud is theft of voice service
» This threat has been around for many years, but is getting worse
» It is still very expensive to make international calls to many countries
» VoIP is making this issue worse – toll fraud is one of the few incentives to attack VoIP
» Enterprise toll fraud consists of minor misuse and dial-through fraud
» Minor misuse occurs when employees abuse toll services
» Users abuse phones that have limited or no calling restrictions
Toll Fraud
» Damaging toll fraud occurs when an attacker finds a vulnerable DISA or other service that allows an inbound caller to obtain unrestricted outbound dial tone
» Attackers find these services/passwords by scanning or from an internal user
» Can also happen with some VoIP systems
» The attacker sells the call-in number and password to anyone they can
» Often starts over a weekend, when it is less likely to be noticed
Harassing Calls/Denial of Service (DoS)
» Traditionally, harassing calls were generated by individuals
» VoIP makes it easy to generate many calls and harass targets
» If enough calls are generated, a DoS condition occurs
» This type of DoS appears as actual completed calls, with some sort of audio
» This is different from the commonly discussed “INVITE floods”, because the target can be using any type of trunking
» Depending on the volume and target, the impact can range from annoyance, to harassment, to outright DoS
» The attacks may be used to mask other types of attacks (fraud, social engineering, etc.)
Telephony Denial of Service (TDoS)
» FBI announcement this year
» TDoS used to overwhelm consumer phones while fraud was being committed
» TDoS also occurred at many large enterprises in their contact centers
» Calls were designed to dwell in IVRs and generate traffic
» Primary incentive was traffic pumping/skimming
» Attacks became more sophisticated as time went on
» Expect these attacks to become more common, sophisticated, and damaging
Social Engineering
» Social engineering involves an attacker who manipulates inexperienced users in order to gain confidential information
» This threat has been around for many years, but is getting worse
» The target is often call centers
» VoIP may be making the issue worse, because it makes it easier to spoof caller ID and make free calls
» Attackers call in and hope to talk with inexperienced users
» Attackers also call in multiple times, each time trying to get an additional bit of information
» Once an attacker gets a piece of information, it is often easier to get more
Voice Phishing (Vishing)
» Similar to email phishing, but with a phone number delivered through email or voice
» When the victim dials the number, the recording requests entry of personal information
» VoIP and tools such as Asterisk or Trixbox make setting up this attack much easier
Voice SPAM
» Voice SPAM refers to bulk, automatically generated, unsolicited phone calls
» Similar to telemarketing, but occurring at the frequency of email SPAM
» Attackers have access to VoIP networks that allow generation of a large number of calls
» It is easy to set up a voice SPAM operation, using Asterisk, tools like “spitter”, and free VoIP access
» Attack execution is similar to harassing calling/DoS
Application Attacks Countermeasures
» Educate users on proper response
» Use PBX features to control access to DISA and toll calls
» Closely monitor CDR
» Obtain visibility into what is happening across all sites
» Work with your service provider
» Perform a trunk/external traffic assessment to determine if any attacks are ongoing
» Deploy voice firewalls to monitor for and mitigate attacks (on all types of trunks)
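"Closely monitor CDR" is the countermeasure that catches the dial-through fraud pattern described on the toll fraud slides (starts over a weekend, international destinations, unrestricted outbound dial tone from a DISA port). The following is an added example, not SecureLogix's or the deck's code: it runs a few constructed CDR lines through three checks, international calls placed off-hours or on a weekend, more than an hour of international calling from one source in a day, and a burst of calls through a DISA port. The four-column CDR layout, the "DISA-" port naming and every threshold are assumptions; real PBX CDR formats differ.

```python
from collections import defaultdict
from datetime import datetime

# Added example, not the deck's code. The CDR layout below
# (start time, source extension or trunk port, dialed number, seconds)
# and every threshold are assumptions chosen for illustration.
INTL_PREFIX = "011"                # North American international dialing prefix
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 local time
INTL_MINUTES_PER_SOURCE_DAY = 60   # more than this from one source in a day is suspicious
DISA_CALLS_PER_HOUR = 5            # more than this through DISA in one hour is suspicious

# Constructed records: a normal weekday extension, then a Saturday-night
# run of long international calls through a DISA port (the dial-through
# fraud pattern: starts over a weekend, international destinations).
SAMPLE_CDR = """\
2010-10-11 09:15, 4021, 2105551234, 180
2010-10-11 10:02, 4021, 0114471234567, 600
2010-10-16 02:10, DISA-1, 0112345678901, 1800
2010-10-16 02:14, DISA-1, 0112345678902, 1700
2010-10-16 02:20, DISA-1, 0112345678903, 1650
2010-10-16 02:31, DISA-1, 0112345678904, 1500
2010-10-16 02:40, DISA-1, 0112345678905, 1400
2010-10-16 02:52, DISA-1, 0112345678906, 1300
2010-10-16 02:58, DISA-1, 0112345678907, 1200
""".splitlines()


def parse_cdr(line):
    """Split one constructed CDR line into (start datetime, source, dialed, seconds)."""
    start, source, dialed, seconds = [f.strip() for f in line.split(",")]
    return datetime.strptime(start, "%Y-%m-%d %H:%M"), source, dialed, int(seconds)


def is_international(dialed):
    return dialed.startswith(INTL_PREFIX)


def is_off_hours(start):
    # Weekend (Saturday=5, Sunday=6) or outside business hours.
    return start.weekday() >= 5 or start.hour not in BUSINESS_HOURS


def analyze(lines):
    """Return a list of findings; each finding is a tuple whose first item names the rule."""
    findings = []
    intl_minutes = defaultdict(float)   # (source, date) -> international minutes
    disa_calls = defaultdict(int)       # (date, hour) -> calls through any DISA port
    for line in lines:
        start, source, dialed, seconds = parse_cdr(line)
        if is_international(dialed):
            intl_minutes[(source, start.date())] += seconds / 60
            if is_off_hours(start):
                findings.append(("intl-off-hours", source, dialed, start.isoformat()))
        if source.startswith("DISA"):
            disa_calls[(start.date(), start.hour)] += 1
    for (source, day), minutes in intl_minutes.items():
        if minutes > INTL_MINUTES_PER_SOURCE_DAY:
            findings.append(("intl-volume", source, str(day), round(minutes)))
    for (day, hour), count in disa_calls.items():
        if count > DISA_CALLS_PER_HOUR:
            findings.append(("disa-burst", str(day), hour, count))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CDR):
        print(finding)
```

Run against the sample, the weekday extension produces nothing while the DISA port trips all three rules; in practice the thresholds are tuned per site from a baseline of normal traffic, which is what the trunk/external traffic assessment above provides.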
Internal/Campus Attacks
» Gathering information
» IP PBX:
» Server platforms
» Various gateway cards
» Adjunct systems
» Network:
» Switches, routers, firewalls
» Shared links
» VLAN configurations
» Endpoints:
» IP phones and softphones
Gathering Information
» First step in gathering information prior to an attack
» Footprinting does not require network access
» An enterprise website often contains useful information
» Google is very good at finding details on the web:
» Vendor press releases and case studies
» Resumes of VoIP personnel
» Mailing lists and user group postings
» Web-based VoIP logins
Scanning
» Process of finding VoIP hosts and running services
» The first step is gaining access to the network:
» Insider access
» Malware delivered via email, trojan, etc.
» Non-secure wireless, modems, etc.
» Poorly secured “public” device like a lobby phone
» Compromised network device
» VLANs are pretty easy to overcome
» It's possible to hook up a laptop and spoof IP and MAC addresses
Scanning
» Once network access is obtained, the next step is to scan for VoIP hosts
» nmap is commonly used for this purpose
» After hosts are found, scans are used to find running services
» After hosts are found and ports identified, the type of device can be determined
» Network stack fingerprinting is a common technique for identifying hosts/devices
Scanning (Signaling Ports)
» SIP-enabled devices will usually respond on UDP/TCP ports 5060 and 5061
» H.323 devices use multiple ports, including TCP 1720 and UDP 1719
» SCCP phones (Cisco) use UDP/TCP 2000-2001
» Unistim (Nortel) uses UDP/TCP 5000
» MGCP devices use UDP 2427
Enumeration
» Involves testing open ports and services on hosts to gather more information
» Includes running tools to determine if open services have known vulnerabilities
» Also involves scanning for VoIP-unique information such as phone numbers
» Includes gathering information from TFTP servers and SNMP
Enumeration
» SNMP is enabled by default on most IP PBXs and IP phones
» If you know the device type, you can use snmpwalk with the appropriate OID
» You can find the OID using Solarwinds MIB
» Default “passwords”, called community strings, are common
Enumeration
» Almost all phones use TFTP to download their configuration files
» The TFTP server is rarely well protected
» If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password
» The files are downloaded in the clear and can be easily sniffed
» Configuration files have usernames, passwords, IP addresses, etc. in them
Network Vulnerabilities
» The VoIP network and supporting infrastructure are vulnerable to attacks
» DoS floods are particularly effective
» VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter
» Attacks against supporting infrastructure services, such as DHCP, TFTP, DNS, are also possible
» Any direct attack against a network element (IP PBX, switch, router, gateway, etc.) can affect VoIP service
» Possible to eavesdrop, exploit VLAN configuration, and perform MITM attacks
Network Vulnerabilities: DoS
» Some types of floods are:
» UDP floods
» TCP SYN floods
» ICMP and Smurf floods
» Worm and virus oversubscription side effect
» QoS manipulation
» Application flooding (INVITE floods, REGISTER floods)
» Shared links with large amounts of traffic are especially vulnerable
Network Vulnerabilities: Infrastructure DoS
» VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc.
» DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones
» DNS cache poisoning involves tricking a DNS server into using a fake DNS response
Network Vulnerabilities: Eavesdropping
» VoIP signaling and media are very vulnerable to eavesdropping
Network Vulnerabilities: Interception
» The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing:
» Eavesdropping on the conversation
» Causing a DoS condition
» Altering the conversation by omitting, replaying, or inserting media
» Redirecting calls
IP Phone Vulnerabilities
» IP phones can also be attacked:
» Physical access
» Poor passwords
» Signaling/media
» DoS
» Unnecessary services
Internal/Campus Attacks Countermeasures
» Follow best practices for good internal network security
» Limit publicly available information
» Disable unnecessary services on all VoIP platforms
» Maintain patches
» Monitor network activity and maintain logs
» Consider using encryption for signaling and audio
» Consider secure protocols for administration, file transfer, etc.
Session Initiation Protocol (SIP) Attacks
» Very important, since SIP is becoming more commonly used
» Directory Scanning
» Fuzzing
» Flood-based Denial of Service (DoS)
» Registration manipulation
» Call termination
» RTP tunneling and manipulation
SIP Security
[Diagram: an IP PBX with SIP trunks to the public voice network, a voice firewall and a CUBE at the trunk edge. Scanning, fuzzing and flood DoS arrive over the Internet connection. Elements shown: CM, VM, CC, Admin, gateway, DB, TFTP, DNS, DHCP, TDM phones, SIP phones on the voice VLAN, fax, modem, servers/PCs on the data VLAN.]
Directory Scanning
[Diagram: 1. INVITE derek@tpti (spoofed source IP) sent to the Proxy Server. INVITEs/OPTIONS/REGISTERs are sent to scan for IP phones.]
Fuzzing/Malformed Messages
[Diagram: malformed SIP messages directed at a Redirect Server and a SIP Proxy/PBX.]
Flood-based DoS
[Diagram: 1. INVITE derek@tpti (spoofed source IP) sent to the Proxy Server. 1000000 INVITEs are sent, ringing all phones.]
Registration Manipulation
[Diagram: derek’s phone, the Registrar and the Location Server, with the following exchange]
1. derek’s phone → Registrar: REGISTER sip:[email protected], Contact <sip:[email protected]>, Expires: 3600
2. Location Server: “To contact sip:[email protected], use sip:[email protected] for 60 minutes”
3. Forged REGISTER sip:[email protected] with Contact <[email protected]>, Expires: 1800; the Registrar answers 200 OK
4. Location Server: “To contact sip:[email protected], use sip:[email protected] for 30 minutes”
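The exchange above works because the registrar believes whichever REGISTER arrives last; the countermeasures slide in this section names the fix, "secure registration with authentication". The following is an added example, not the deck's or any vendor's code: a toy registrar that keeps the slide's binding table (address-of-record, Contact, Expires) and can be run with or without the Digest challenge that SIP borrows from HTTP (RFC 3261 section 22). Without the challenge, a second REGISTER silently replaces derek's Contact; with it, a REGISTER carrying no credentials only earns a 401 and a wrong password earns a 403, and the binding is untouched. The user name derek and the tpti domain come from the slide; the realm, host names, password and message details are constructed.

```python
import hashlib
import re
import secrets

# Added example, not the deck's or any vendor's code. "derek" and the tpti
# domain come from the slide; the realm, hosts and password are constructed.
REALM = "tpti.example"
CREDENTIALS = {"derek": "correct-horse-example"}   # constructed shared secret


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce):
    # HTTP Digest as SIP borrows it (RFC 3261 section 22 / RFC 2617), qop-less form:
    # response = MD5( MD5(user:realm:password) ":" nonce ":" MD5(method:uri) )
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_register(user, contact, expires, nonce=None, password=None):
    """Build the REGISTER a phone sends; with a nonce, answer the 401 challenge."""
    aor = f"sip:{user}@{REALM}"
    lines = [f"REGISTER {aor} SIP/2.0", f"To: <{aor}>",
             f"Contact: <{contact}>", f"Expires: {expires}"]
    if nonce is not None:
        response = digest_response(user, password, "REGISTER", aor, nonce)
        lines.append(f'Authorization: Digest username="{user}", realm="{REALM}", '
                     f'nonce="{nonce}", uri="{aor}", response="{response}"')
    return "\r\n".join(lines) + "\r\n"


def parse_request(msg):
    """Minimal SIP request parser: request line plus lower-cased header names."""
    lines = msg.strip().splitlines()
    method, uri, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


class Registrar:
    """Binding table from the slide: address-of-record -> (Contact, Expires)."""

    def __init__(self, require_auth):
        self.require_auth = require_auth
        self.bindings = {}
        self.nonces = set()   # challenges issued and not yet used (a real registrar also expires them)

    def handle(self, msg):
        """Return (status_code, nonce); nonce is only set on a 401 challenge."""
        method, uri, h = parse_request(msg)
        if method != "REGISTER":
            return 405, None
        user = uri.split(":", 1)[1].split("@", 1)[0]
        if self.require_auth:
            auth = h.get("authorization")
            if auth is None:
                nonce = secrets.token_hex(8)
                self.nonces.add(nonce)
                return 401, nonce
            params = dict(re.findall(r'(\w+)="([^"]*)"', auth))
            nonce = params.get("nonce")
            if nonce not in self.nonces:          # unknown or replayed nonce
                return 401, None
            self.nonces.discard(nonce)            # single use
            password = CREDENTIALS.get(params.get("username"))
            if password is None or params.get("username") != user or params.get("uri") != uri:
                return 403, None
            if params.get("response") != digest_response(user, password, method, uri, nonce):
                return 403, None
        contact = h["contact"].strip("<>")
        self.bindings[uri] = (contact, int(h["expires"]))
        return 200, None


def register(registrar, user, contact, expires, password=None):
    """Client side: send REGISTER and answer a 401 challenge when a password is known."""
    status, nonce = registrar.handle(build_register(user, contact, expires))
    if status == 401 and nonce and password is not None:
        status, _ = registrar.handle(build_register(user, contact, expires, nonce, password))
    return status


if __name__ == "__main__":
    open_registrar = Registrar(require_auth=False)
    register(open_registrar, "derek", "sip:derek@phone.tpti.example", 3600)
    register(open_registrar, "derek", "sip:derek@evil.example", 1800)   # accepted: binding replaced
    print("no auth:", open_registrar.bindings)

    secure_registrar = Registrar(require_auth=True)
    register(secure_registrar, "derek", "sip:derek@phone.tpti.example", 3600, CREDENTIALS["derek"])
    print("forged, no credentials:", register(secure_registrar, "derek", "sip:derek@evil.example", 1800))
    print("with auth:", secure_registrar.bindings)
```

Digest only proves the sender knows the password; it does not hide the REGISTER or the resulting call, which is why the same countermeasures slide also recommends encryption for signaling (TLS on 5061) and audio.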
Call Termination
[Diagram: a call set up and then torn down by injected signaling; the second step 7 (CANCEL) and step 9 (BYE) are the injected messages]
6. INVITE [email protected]
7. 200 OK
8. RTP conversation
7. SIP CANCEL [email protected]
9. SIP BYE [email protected]
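The directory scanning, flood-based DoS and call termination exchanges above share one property useful to a defender: each stands out in the signaling stream before the damage is done. The following added example, not the deck's code, replays a constructed signaling log through a small monitor with one detector per pattern: one source contacting many distinct users in a short window (scanning with INVITE/OPTIONS/REGISTER), one source exceeding a request rate (flooding), and a BYE or CANCEL for an established dialog from an address that was never a party to it (forged teardown). The log layout, the addresses, Call-IDs and thresholds are all assumptions.

```python
from collections import defaultdict, deque

# Added example, not the deck's code. Each log entry is a constructed tuple
# (time_s, source_ip, method_or_status, request_uri, call_id); thresholds
# and the window are illustrative, not vendor or RFC values.
WINDOW_S = 10.0
SCAN_USERS = 20      # distinct target users from one source within the window
FLOOD_REQUESTS = 50  # requests from one source within the window


def user_of(uri):
    """'sip:derek@tpti.example' -> 'derek'."""
    return uri.split(":", 1)[-1].split("@", 1)[0]


class SipMonitor:
    def __init__(self):
        self.requests = defaultdict(deque)   # source -> request timestamps inside the window
        self.targets = defaultdict(dict)     # source -> {target user: last seen}
        self.dialogs = {}                    # call_id -> set of peer addresses
        self.alerts = []

    def _expire(self, source, now):
        timestamps = self.requests[source]
        while timestamps and now - timestamps[0] > WINDOW_S:
            timestamps.popleft()
        seen = self.targets[source]
        for user in [u for u, t in seen.items() if now - t > WINDOW_S]:
            del seen[user]

    def observe(self, ts, source, kind, uri, call_id):
        if kind.isdigit():
            # Response: a 200 on a known Call-ID tells us the callee side's address.
            if kind == "200" and call_id in self.dialogs:
                self.dialogs[call_id].add(source)
            return
        self._expire(source, ts)
        self.requests[source].append(ts)
        if kind == "INVITE":
            self.dialogs.setdefault(call_id, set()).add(source)
        if kind in ("INVITE", "OPTIONS", "REGISTER"):
            new_user = user_of(uri) not in self.targets[source]
            self.targets[source][user_of(uri)] = ts
            if new_user and len(self.targets[source]) == SCAN_USERS:
                self.alerts.append(("scan", source, SCAN_USERS))
        if kind in ("BYE", "CANCEL"):
            peers = self.dialogs.get(call_id)
            if peers is not None and source not in peers:
                self.alerts.append(("rogue-teardown", source, call_id))
        if len(self.requests[source]) == FLOOD_REQUESTS:   # fires once per crossing
            self.alerts.append(("flood", source, FLOOD_REQUESTS))


def constructed_log():
    """Chronological, made-up signaling events covering the three slide scenarios."""
    events = [
        # a legitimate call between two phones
        (0.0, "10.1.1.10", "INVITE", "sip:alice@tpti.example", "call-1"),
        (0.5, "10.1.1.20", "200", "sip:alice@tpti.example", "call-1"),
    ]
    # directory scan: one host probing 25 extensions with OPTIONS
    events += [(1.0 + i * 0.2, "10.0.0.66", "OPTIONS", f"sip:{1000 + i}@tpti.example", f"scan-{i}")
               for i in range(25)]
    # forged BYE from the scanning host against the established call
    events.append((7.0, "10.0.0.66", "BYE", "sip:alice@tpti.example", "call-1"))
    # INVITE flood against one user from another host
    events += [(8.0 + i * 0.05, "10.0.0.77", "INVITE", "sip:derek@tpti.example", f"flood-{i}")
               for i in range(60)]
    # legitimate teardown by a real dialog peer
    events.append((12.0, "10.1.1.20", "BYE", "sip:derek@tpti.example", "call-1"))
    return events


def run_demo():
    monitor = SipMonitor()
    for event in constructed_log():
        monitor.observe(*event)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The teardown detector assumes the monitor sees both the INVITE and its 200 OK, which is true at the trunk edge (the CUBE or voice firewall position on the SIP Security diagram) but not for a tap that sees only one direction; the scan and flood detectors need only requests.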
RTP Tunneling
RTP Manipulation
SIP Attacks Countermeasures
» Secure registration with authentication
» Consider encryption for signaling and audio
» Deploy SIP-aware firewalls (CUBE) on SIP trunks
» Continue to deploy voice firewalls on SIP trunks for application security issues
Overall Best Practices
» Develop a voice/VoIP security policy
» Address application issues at the perimeter
» Prioritize security during VoIP deployments
» Follow good basic data network security for internal network
» Consider a perimeter and VoIP security assessment
» Deploy SIP security when using SIP trunks
Resources
» www.voipsa.org
» www.blueboxpadcast.com
» www.securelogix.com
» www.voipsecurityblog.com
» Vendor sites
Questions?