VoIP Security & Security Methods
Carrier VoIP Security:
Threats and Defenses
Agenda
• Security Philosophy
• VoIP Basics (IETF SIP-based)
• VoIP Threats
• Fundamental VoIP Security Mechanisms and Tasks
• Enhanced VoIP Security – Session Border Control
• Enhanced VoIP Security – Application Layer Firewall
21st Century Security Philosophy
• Security must be layered, i.e. defenses in depth.
• Perimeter hardening, like physical measures, is just a first step.
• All network elements must be hardened as "defensive strong points"
in their own right.
• Deploy multiple security technologies.
• Deployed assets MUST have integrated security capabilities that
support end-to-end protection.
• NO clear-text passwords, use secure protocols.
• NO networking link is trustable anywhere!
SIP-Based VoIP
[Figure: network architecture diagram. Labelled elements: SIP-based voice mail, TDM-based voice mail, softswitch servers, common services infrastructure, ALF/SBC, softswitch / SIP-SS7 gateway, trunk gateway, PSTN/SS7 circuit switch, Internet, ILEC LATA IP network, FiOS, customers A and B, nomadic customer C (BYOBB), POTS phones.]
VoIP Threat Taxonomy
SIP and VoIP Security Concerns
• VoIP Denial of Service
• IP Phone Provisioning / Credentialing
• Caller ID Spoofing
• VoIP Theft of Service
• SIP Registration Hijacking
• SIP Proxy Impersonation
• SIP and RTP message tampering / injection
• SIP to SS7 Signaling Conversion
• IP-Based Voicemail Fraud
• E911 Availability
• CALEA / Law Enforcement
• Oh yes, and that issue with NAT
VoIP Security – Minimum Defenses
• Use SIP Digest Authentication
  • Drawn from HTTP MD5 Digest Authentication per RFC 2617
  • Server sends a nonce to client which client hashes with shared secret
  • This digest is sent back to server for verification and authentication
  • It provides a way to verify a user’s (claimed) identity without having to send passwords or secrets “in the clear”.
  • It makes it difficult for an intruder to tamper with a user’s service by “replaying” portions of previous messages. (Replay prevention)
  • It supports an optional capability for ensuring that a SIP message has not been altered. (Message integrity)
VoIP Security – Minimum Defenses
The Inputs for Digest Authentication
These inputs are sent to the client by the server in the 401 or 407 challenging
response:
nonce = a random string
realm = hostname/domain defining the server
qop = quality of protection; can be “auth” or “auth-int” (w/ integrity)
opaque = server generated string; no well-defined use
These are inputs provided by the client:
nc-value = nonce count; used in preventing replay
cnonce = client generated nonce; used to prevent chosen plaintext attacks, provide some
mutual authentication and integrity.
method = SIP method (i.e., INVITE, SUBSCRIBE, NOTIFY, …)
username
password
VoIP Security – Minimum Defenses
After getting challenged and receiving the server inputs (with a
specified qop), the client then performs either of the following
calculations where H(x) is the hash of x:
When qop = “auth”
H ( H(username:realm:password):nonce:
nc-value:cnonce:qop:H(method:URI of called party) )
When qop = “auth-int”
H ( H(username:realm:password):nonce:
nc-value:cnonce:qop:H(method:URI of called party:
H(entity-body) ) )
VoIP Security – Minimum Defenses
Don’t be a Cache Cow
The security is weakened if the nonces are cached for more than a
brief period
The security can be enhanced by making use of the nonce-count and
the next-nonce values.
nonce-count = # of times a nonce has been used including the current request
next-nonce = the nonce that the server sends for a client to use in next request
The next-nonce mechanism has a negative impact on signaling performance for
pipelined requests.
The nonce-count provides some good replay security without the performance hit
of next-nonce.
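The digest calculation for both qop values, together with a server-side check that refuses stale nonces and non-increasing nonce-counts, as an added example that is not part of the original slides. The names DigestVerifier and client_credentials and the 30-second nonce lifetime are assumptions made for illustration; a production server would store H(username:realm:password) rather than the password itself.

```python
import hashlib, hmac, secrets
def H(x: str) -> str:
    return hashlib.md5(x.encode()).hexdigest()  # MD5, as in RFC 2617

def digest_response(user, realm, password, nonce, nc, cnonce, qop,
                    method, uri, body=""):
    if qop not in ("auth", "auth-int"):
        raise ValueError("unsupported qop")
    ha1 = H(f"{user}:{realm}:{password}")
    # auth-int appends H(entity-body), so the body is covered by the digest
    a2 = f"{method}:{uri}" + (f":{H(body)}" if qop == "auth-int" else "")
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{H(a2)}")

class DigestVerifier:
    """Hypothetical server side: short-lived nonces, strictly rising nc."""
    def __init__(self, realm, passwords, max_age=30.0):
        self.realm, self.passwords, self.max_age = realm, passwords, max_age
        self.nonces = {}  # nonce -> (issue time, highest nonce-count accepted)

    def challenge(self, now):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = (now, 0)
        return nonce

    def verify(self, c, method, body, now):
        issued, last_nc = self.nonces.get(c["nonce"], (None, 0))
        pw = self.passwords.get(c["username"])
        if issued is None or pw is None:
            return False                   # unknown nonce or user
        if now - issued > self.max_age:
            del self.nonces[c["nonce"]]    # stale: do not keep it cached
            return False
        try:
            nc = int(c["nc"], 16)          # nc-value is hex on the wire
            want = digest_response(c["username"], self.realm, pw, c["nonce"], c["nc"],
                                   c["cnonce"], c["qop"], method, c["uri"], body)
        except ValueError:
            return False
        if nc <= last_nc or not hmac.compare_digest(want, c["response"]):
            return False                   # replayed count or wrong digest
        self.nonces[c["nonce"]] = (issued, nc)
        return True

def client_credentials(user, password, realm, nonce, nc, qop, method, uri, body=""):
    cnonce = secrets.token_hex(8)          # fresh client nonce per request
    resp = digest_response(user, realm, password, nonce, nc, cnonce, qop,
                           method, uri, body)
    return dict(username=user, nonce=nonce, nc=nc, cnonce=cnonce, qop=qop,
                uri=uri, response=resp)
```

The nonce-count is only advanced after the digest verifies, so a rejected or tampered request does not burn a count for the legitimate client.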
VoIP Security – Minimum Defenses
SIP Digest Authentication
[Figure: SIP message sequence diagram between Alice, the Proxy and Bob. Messages shown: INVITE; 407 Proxy Authentication Required; ACK; INVITE (with the digested credentials); INVITE; 180 Ringing; 200 OK; ACK; Media Session; BYE; 200 OK.]
VoIP Security – Minimum Defenses
• Use encryption when provisioning IP phones
• Harden Softswitch (usually multiple servers)
• Enable rate / session limits within Switch Application
• Run IPSec on SIP inter-carrier peering
• Lock down DNS (Lots to do)
• Vulnerability scanning
• Don’t you dare “trust” your management network
• Identify relevant inputs to a Fraud Analysis process
Enhanced VoIP Security – SBCs
Using Session Border Controllers
• SIP layer and RTP alternate routing
• Inbound / Outbound SIP Proxy
• Call Admission Control
• RTP firewall pinhole management
• SIP layer rewriting for NAT Traversal
• SIP layer rewriting for topology hiding
• SIP Call State awareness for optimizing softswitch assets
• Point of collection for CALEA / LI targets
VoIP Security – Robustness Testing
• SIP is both simple and quite complex
  • Format borrows heavily from HTTP and is easy to read
  • Session state awareness and protocol timers are complex
• SIP Robustness test tools are available
  • Protos, Codenomicon, SIP Bomber, PacketCrafter
  • Essentially a Protocol Stresser and Reliability Tester
  • Several SIP network elements were crashed
• Some SIP stacks are poorly built
  • No input validation, poor memory management,…
• Gosh, maybe we need a SIP Application Layer Firewall
Enhanced VoIP Security – SIP ALF
• ALF = Application Layer Firewall
• In VoIP context - the ALF is really a SIP Intrusion
Prevention System
• Selling management on the additional expense
• Show and Tell
• Demonstrated SBCs and Softswitches crashing
• Avoiding exposures due to the risks
• Next generation direction is to combine SBC and ALF
functions in one device to gain economies
Lessons Learned
Industry Challenges:
• Service Providers:
• Collaborate on accumulating security related actuarial information
• Standards Bodies:
• ANSI/ITU developed architectural security framework
• Technology standards groups follow ANSI/ITU framework and
leverage existing standard technologies (IPsec, PKI)
• Accommodate today's reality (NAT, Firewalls, untrusted networks)
• Vendor Community:
• Consider current best practices (e.g. RFCs 2196, 2504, 3365)
• Build on standards (IPsec, PKI, NIST Common Criteria, ATIS, ITU-T,
ISO)
• Support future needs (IPsec, IPv4 to IPv6 migration, PKI)
• Adjust product plans to today's security realities (NAT is a fact and
everywhere, NO network segments can be assumed trustable)
In Conclusion
• Verizon is addressing today's very real threats.
• Standards organizations must address carrier class
security issues and architectures.
• The vendor community needs to produce equipment
& software that meet Verizon's security objectives.
• Our customers and peer carriers need to work with
us to mitigate security risks.
Questions?