VoIP Security
A Comparison of Traditional Telephony Security with VoIP
Roy Ford
Agenda
Intro to Telephony (Traditional and VoIP)
Security Risks
Risk Mitigations
Conclusions
The Telephone
[Diagram: PBX, Phone Switch, T1 Trunk, Local Loop, Call Setup, SS7 Network]
The Telephone
Mixture of Analog and Multiplexed digital technology
Centralized switches that provide power and establish circuits between phones
2 Types of signaling
• In-band DTMF signaling at phone
• Out-of-band signaling between Switch nodes over the SS7 network
VoIP
[Diagram: SIP Servers, LAN, Internet, Gateway, PSTN]
VoIP
Distributed architecture of Phones, gateways and servers over an IP Network
2 Protocols used to carry voice and signaling
• Real-time Transport Protocol (RTP) carries voice in UDP packets
• Session Initiation Protocol (SIP) does call setup
SIP Invite
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
Max-Forwards: 70
To: Bob <sip:[email protected]>
From: Alice <sip:[email protected]>;tag=1928301774
Call-ID: [email protected]
CSeq: 314159 INVITE
Contact: <sip:[email protected]>
Content-Type: application/sdp
Content-Length: 142
SIP Call Setup
Traditional Telephony Risks
Wire Tapping
Toll Fraud
• Phone Phreaking
• Call Forward All
Caller ID Spoofing & SS7 Security
User Identification
VoIP Risks
Denial of Service
Man in the Middle
Caller ID Spoofing and interception of Call Setup Information
Toll Fraud
User Authentication
Device Web Servers
VoIP Fuzzing
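Added example (not from the original slides): a small Python check that parses an INVITE like the one on the SIP Invite slide and reports what an on-path observer could read or forge, which is the "Man in the Middle" and "Caller ID Spoofing" exposure listed above. The sample message and its addresses are constructed; header folding and comma-joined Via values are assumed absent.

```python
import re

# Constructed sample shaped like the INVITE slide; all addresses are made up.
SAMPLE_INVITE = (
    "INVITE sip:bob@biloxi.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc33.atlanta.example;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "To: Bob <sip:bob@biloxi.example>\r\n"
    "From: Alice <sip:alice@atlanta.example>;tag=1928301774\r\n"
    "Call-ID: constructed-call-id-1@pc33.atlanta.example\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@pc33.atlanta.example>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n\r\n"
)
ENCRYPTED = {"TLS", "WSS"}           # Via transports that run over TLS
COMPACT = {"v": "via", "f": "from"}  # compact header names used below

def parse_sip_request(raw):
    """Return (method, request_uri, headers) with lower-cased header names."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return method, uri, headers

def exposure_findings(raw):
    """List signaling exposures visible in the request headers alone."""
    _, uri, headers = parse_sip_request(raw)
    findings = []
    for via in headers.get("via", []):
        m = re.match(r"SIP/2\.0/([A-Za-z-]+)\s+([^;\s]+)", via)
        if m and m.group(1).upper() not in ENCRYPTED:
            findings.append(f"cleartext hop: {m.group(1).upper()} via {m.group(2)}")
    if not uri.lower().startswith("sips:"):
        findings.append("request URI is sip:, so TLS is not required on every hop")
    if "identity" not in headers:  # SIP Identity header (RFC 8224) signs the From
        frm = headers.get("from", [""])[0]
        who = re.search(r"<([^>]+)>", frm)
        findings.append(f"unsigned From: {who.group(1) if who else frm}")
    return findings

if __name__ == "__main__":
    for finding in exposure_findings(SAMPLE_INVITE):
        print(finding)
```

An empty result only means the signaling headers ask for protection; the RTP voice stream negotiated in the SDP body is a separate path and needs its own encryption.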
VoIP and Firewalls
VoIP does not like Firewalls
Firewall Techniques
• VoIP Aware firewalls
• STUN
• TURN
Risk Mitigation - Traditional
Physical Security
• Physical plant & Access Console
• Wire Tap protection
Proper Configuration of Call Forwarding
• Toll Fraud
Caller ID Spoofing
Risk Mitigation - VoIP
Segregation of VoIP Traffic
• DoS isolation
Encryption
• Man in the Middle protection
Server Configuration
• Toll Fraud
User Authentication
Device Web Servers
• Just Say No
VoIP Fuzzing
Conclusions
Encryption required for VoIP
Infrastructure issues with VoIP and Traditional Telephony Similar
The phone is an attack vector in VoIP