Transcript Security

VoIP Security
Sanjay Kalra
Juniper Networks
VoIP Issues
September 10-12, 2007 • Los Angeles Convention Center • Los Angeles, California
[Diagram: the VoIP service provider network, from the PSTN side (POTS, SS7/IN network, Class 5 switch) through the Softswitch, Media Gateway, Application Server and OSS Server, out across the Internet or IP network to three customer segments: Carrier to Carrier (Wholesale VoIP, Peering); Carrier to Enterprise (Hosted IP Centrex, IP PBX services, SIP/H.323 phones behind a router and FW/NAT); and Carrier to SOHO/Residential (Voice over Broadband via cable/DSL modem and MGCP IAD, Wireless/Mobile via base station, with H.323/SIP endpoints, POTS phones, wireless IP phones and mobile phones). Issue callouts on the diagram:]
• Address translation: conversion between private and public IP addresses
• DoS attacks
• Service theft
• Fraud
• SPIT and vishing
• Protocol vulnerabilities
• Firewalls challenged by small signaling/media packets
• VoIP protocols not understood by all firewalls
• Regulatory compliance: E-911, lawful intercept, CALEA support
• Service assurance: quality of service, admission enforcement
• Lack of reporting
3
www.ITEXPO.com
VoIP Attack Examples
• Vishing: spam email purporting to come from PayPal, asking users to leave their credit card number.
• Toll fraud: two people were convicted of toll fraud after brute-forcing their way into VoIP carriers and reselling the stolen minutes.
• DoS: buffer overflow in Asterisk.
• DoS: a carrier's session border controller was compromised because it could not provide adequate security.
VoIP security risks in detail
[Diagram: the same service provider network as on the VoIP Issues slide (POTS and SS7/IN network, Class 5 switch, Softswitch, Media Gateway, Application Server, OSS Server, Internet or IP network, and the Carrier to Carrier, Carrier to Enterprise and Carrier to SOHO/Residential segments with their endpoints), annotated with the risks below.]
Infrastructure attacks:
• (D)DoS
• Call intercept
• Route poisoning
VoIP content:
• Confidentiality issues
• Traffic padding
• Vishing
• Unwanted content
Other callouts on the diagram:
• IP and ARP spoofing
• Spambots collecting VoIP addresses
• Session hijacking/replay
• Route server hacks can redirect calls
• VoIP protocol vulnerabilities
• Illegal call intercept
• Recording of conversations through access to the VoIP infrastructure (Ethereal, now Wireshark, can reassemble captured VoIP traffic into an audio file)
• Server OS vulnerabilities
• Registration DoS attacks
• INVITE overflows
• Excessive call setup rate
• Billing fraud
• Malformed protocol messages
• Man-in-the-middle attacks
• DHCP/ARP spoofing
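The signaling-layer risks listed above (registration DoS, excessive call setup rate, INVITE overflows, malformed protocol messages) are the ones an IDP at the edge can check for on every request. The following is an added example, not code from the slides or from Juniper: a per-source sliding-window rate check plus two per-message sanity checks, run over constructed SIP request records. The thresholds, addresses and record format are assumptions made for the example.

```python
"""Rate and anomaly checks over SIP signaling, of the kind an IDP applies at
the edge. Added example, not code from the slides or from Juniper. The
records below are constructed: (timestamp in seconds, source IP, method,
message size in bytes, set of headers present)."""
from collections import defaultdict, deque

# Illustrative thresholds, chosen for the example rather than taken from the slides.
WINDOW_SECONDS = 10.0
MAX_INVITES_PER_WINDOW = 5       # call setups per source per window
MAX_REGISTERS_PER_WINDOW = 10    # registrations per source per window
MAX_REQUEST_BYTES = 4096         # oversized INVITEs were the classic overflow vector
MANDATORY = frozenset({"Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards"})

SAMPLE_RECORDS = (
    [(0.5 * i, "203.0.113.7", "INVITE", 800, MANDATORY) for i in range(2)]            # normal user
    + [(1.0 + 0.25 * i, "198.51.100.9", "INVITE", 790, MANDATORY) for i in range(8)]  # INVITE flood
    + [(2.0, "192.0.2.44", "INVITE", 12000, MANDATORY)]                               # oversized
    + [(3.0, "198.51.100.9", "INVITE", 600, MANDATORY - {"Call-ID"})]                 # malformed
    + [(5.0 + 0.25 * i, "198.51.100.9", "REGISTER", 500, MANDATORY) for i in range(12)]  # REGISTER flood
)


class SlidingCounter:
    """Per (source, method) request counts inside a trailing time window."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.hits = defaultdict(deque)

    def add(self, key, t):
        q = self.hits[key]
        q.append(t)
        while q and t - q[0] > self.window:   # drop hits older than the window
            q.popleft()
        return len(q)


def check_record(counter, record):
    """Return a list of (finding, source, detail) tuples for one request."""
    t, src, method, size, headers = record
    findings = []
    missing = MANDATORY - headers
    if missing:
        findings.append(("malformed", src, f"missing {sorted(missing)}"))
    if size > MAX_REQUEST_BYTES:
        findings.append(("oversized", src, f"{size} bytes"))
    n = counter.add((src, method), t)
    if method == "INVITE" and n > MAX_INVITES_PER_WINDOW:
        findings.append(("invite-flood", src, f"{n} INVITEs in {counter.window:.0f}s"))
    elif method == "REGISTER" and n > MAX_REGISTERS_PER_WINDOW:
        findings.append(("register-flood", src, f"{n} REGISTERs in {counter.window:.0f}s"))
    return findings


def scan(records):
    """Run every record through the checks in timestamp order."""
    counter = SlidingCounter()
    findings = []
    for record in sorted(records, key=lambda r: r[0]):
        findings.extend(check_record(counter, record))
    return findings


def offending_sources(findings):
    """Sources worth rate-limiting or blocking at the edge."""
    return sorted({src for _, src, _ in findings})


if __name__ == "__main__":
    for kind, src, detail in scan(SAMPLE_RECORDS):
        print(f"{kind:15} {src:15} {detail}")
```

The normal caller at 203.0.113.7 produces no findings; every finding comes from the two constructed attacker addresses, which is what a source-IP limit would then act on.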
VoIP Security Mitigation
[Diagram: an enterprise network with the threats called out on the left and the corresponding mitigations on the right.]
Threats:
• IP PBX DoS or hacking attacks
• Back door to the corporate network
• Voice call intercept
• All LAN segments have voice access
Mitigations:
• H.323 and SIP ALGs dynamically open and close firewall ports, so only the signaling and media of established calls pass
• The combination of ALGs, firewall and zone capabilities keeps the data network secure
• Encrypt VoIP connections with site-to-site VPN (3DES, AES; the slide also lists DES, which is no longer considered adequate) to prevent eavesdropping
• Zones separate the VoIP network elements so that appropriate policies are applied to each
Tiered Approach to security
• Integrated control between layers of the network
• Filter at the edge
– Use equipment that can be controlled to filter at the
edge
– Don’t allow unwanted traffic into the network
• Provide topology hiding at the edge
– Hide the whole internal network from the outside
• Centralised Management
– Alerts come to a central place
– Operator can be involved in the process
• Threat risk reduced by layers
– If one layer misses the threat another catches it
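The two edge jobs described on this and the previous slide, ALGs that open and close firewall ports per call and topology hiding of the internal network, are what a SIP ALG or session border controller does for each dialog. The following is an added example, not code from the slides or from Juniper: it derives the RTP/RTCP pinholes from the SDP of an INVITE, closes them on BYE, and rewrites inside addresses in the routing headers and SDP to the edge's public address. The addresses (private 10.1.1.20, public 20.1.1.1), the Call-ID and the sample messages are constructed for the example.

```python
"""What a SIP ALG / session border controller does at the edge for one call:
derive the RTP/RTCP pinholes from the SDP, close them when the dialog ends,
and rewrite inside addresses so the outside sees only the edge. Added
example, not Juniper code. Addresses are assumptions: the phone is at
private 10.1.1.20, the edge's public address is 20.1.1.1."""
import re

PRIVATE_IP = "10.1.1.20"   # assumed inside address of the phone
PUBLIC_IP = "20.1.1.1"     # assumed outside address of the edge device
TOPOLOGY_HEADERS = ("Via:", "Contact:", "Record-Route:")
TOPOLOGY_SDP = ("c=", "o=")


def parse_sip(raw):
    """Split a SIP message into (start line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return lines[0], headers, body


def sdp_media_ports(body):
    """RTP/RTCP port pairs from the m= lines; RTCP is RTP+1 (RFC 3550)."""
    return [(int(m.group(1)), int(m.group(1)) + 1)
            for m in re.finditer(r"^m=(?:audio|video) (\d+) ", body, re.M)]


def hide_topology(raw):
    """Replace the inside address in routing headers and SDP, then fix
    Content-Length, which changes when the address length changes."""
    head, sep, body = raw.partition("\r\n\r\n")
    new_body = "\r\n".join(
        line.replace(PRIVATE_IP, PUBLIC_IP) if line.startswith(TOPOLOGY_SDP) else line
        for line in body.split("\r\n")) if body else body
    new_head = []
    for line in head.split("\r\n"):
        if line.startswith(TOPOLOGY_HEADERS):
            line = line.replace(PRIVATE_IP, PUBLIC_IP)
        elif line.startswith("Content-Length:"):
            line = f"Content-Length: {len(new_body.encode())}"
        new_head.append(line)
    return "\r\n".join(new_head) + sep + new_body


class EdgeAlg:
    """Keeps the pinhole table: Call-ID -> set of UDP ports opened for media."""

    def __init__(self):
        self.pinholes = {}

    def process(self, raw):
        """Update the pinhole table for an outbound request and return the
        message as the outside will see it."""
        start, headers, body = parse_sip(raw)
        method = start.split(" ", 1)[0]
        call_id = headers["Call-ID"]
        if method == "INVITE" and headers.get("Content-Type") == "application/sdp":
            ports = self.pinholes.setdefault(call_id, set())
            for rtp, rtcp in sdp_media_ports(body):
                ports.update((rtp, rtcp))
        elif method in ("BYE", "CANCEL"):
            self.pinholes.pop(call_id, None)   # media ports close with the dialog
        return hide_topology(raw)

    def is_open(self, call_id, port):
        return port in self.pinholes.get(call_id, ())


# Constructed sample dialog from the phone behind the edge.
SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.1.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
COMMON = (
    "Max-Forwards: 70\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@alice-phone\r\n"
)
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    + COMMON +
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.1.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP)}\r\n"
    "\r\n" + SDP
)
BYE = (
    "BYE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776bye\r\n"
    + COMMON +
    "CSeq: 314160 BYE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    alg = EdgeAlg()
    print(alg.process(INVITE))
    print("49170 open:", alg.is_open("a84b4c76e66710@alice-phone", 49170))
```

Two details matter in practice and are easy to get wrong: Content-Length must be recomputed after rewriting the SDP (here the body shrinks by two bytes), and the edge must undo the Via rewrite on the responses coming back so they reach the phone. Pinholes should also be closed on a timer if no BYE ever arrives, which this example leaves out.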
VoIP Security Toolkit
• IDP to mitigate VoIP attacks
• Zone-based architecture
• Security through firewall ALGs
• Voice eavesdropping prevention through encryption
• Unauthorized use prevention with policy access control
• Resilient VPN connectivity with dynamic tunnel failover
Defense Against VoIP Security Threats
VoIP Security Threat / Ramifications / Defense Technology

• DoS attack on PBX, IP phone or gateway
  Ramifications: all voice communications fail
  Defense: FW with SIP attack protection; IDP with SIP signatures and protocol anomaly detection
• Unauthorized access to PBX or voice mail system
  Ramifications: attacker listens to voice mails, accesses call logs, company directories, etc.
  Defense: zones, ALGs, policy-based access control
• Toll fraud
  Ramifications: attacker uses the PBX for long-distance calling, increasing costs
  Defense: VPNs, encryption (IPsec or other)
• Eavesdropping or man-in-the-middle attack
  Ramifications: voice conversations unknowingly intercepted and altered
  Defense: VPNs, encryption (IPsec or other)
• Worms/trojans/viruses on IP phones, PBX
  Ramifications: infected PBX and/or phones rendered useless, spreading problems throughout the network
  Defense: IDP with SIP protocol anomaly detection and stateful signatures
• SPIT (VoIP spam) and vishing
  Ramifications: lost productivity, annoyance and financial loss
  Defense: ALGs, SIP attack prevention, SIP source IP limitations, UDP flood protection, authentication
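The "authentication" and "policy-based access control" defenses in the table rest on SIP Digest authentication (RFC 3261 section 22, which reuses the HTTP Digest scheme of RFC 2617). The following is an added example, not code from the slides or from any vendor: both sides of a REGISTER challenge for a registrar, with the nonce freshness and nonce-count checks that defeat replay of a captured Authorization header, and a function showing why the table still pairs authentication with encryption: an eavesdropper on cleartext signaling can test password guesses offline. The realm, the user "alice", her password and the nonce lifetime are constructed for the example.

```python
"""SIP Digest authentication for a registrar (RFC 3261 section 22.4, which
reuses the HTTP Digest scheme of RFC 2617). Added example: the credential
store, nonce cache and the sample user 'alice' are assumptions, not part of
the slides or any vendor product."""
import hashlib
import hmac
import os
import re
import time

NONCE_TTL_SECONDS = 300   # assumed lifetime of a server nonce


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Compute the Digest 'response' value (RFC 2617 section 3.2.2.1)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop:   # qop="auth": nonce count and client nonce are mixed in
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(header):
    """Parse 'Digest k="v", k=v, ...' (challenge or credentials) into a dict."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def build_authorization(username, password, challenge, method, uri, nc=1):
    """Client side: answer a WWW-Authenticate challenge with qop=auth."""
    c = parse_digest_params(challenge)
    cnonce = os.urandom(8).hex()
    nc_hex = f"{nc:08x}"
    resp = digest_response(username, c["realm"], password, method, uri,
                           c["nonce"], c["qop"], nc_hex, cnonce)
    return (f'Digest username="{username}", realm="{c["realm"]}", '
            f'nonce="{c["nonce"]}", uri="{uri}", qop={c["qop"]}, '
            f'nc={nc_hex}, cnonce="{cnonce}", response="{resp}", algorithm=MD5')


class Registrar:
    """Server side: issues nonces and verifies REGISTER credentials."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials   # username -> password (store HA1 instead in practice)
        self.nonces = {}                 # nonce -> [issued_at, highest nc accepted]

    def challenge(self, now=None):
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = [now if now is not None else time.time(), 0]
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, method, authorization, now=None):
        """True only for a fresh, un-replayed, correctly signed response."""
        now = now if now is not None else time.time()
        p = parse_digest_params(authorization)
        state = self.nonces.get(p.get("nonce"))
        if state is None or p.get("realm") != self.realm:
            return False                  # nonce we never issued (forged or foreign)
        issued_at, last_nc = state
        if now - issued_at > NONCE_TTL_SECONDS:
            return False                  # stale nonce: client must be re-challenged
        nc = int(p.get("nc", "0"), 16)
        if nc <= last_nc:
            return False                  # replay of a captured Authorization header
        password = self.credentials.get(p.get("username"))
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password, method,
                                   p.get("uri", ""), p["nonce"], p.get("qop"),
                                   p.get("nc"), p.get("cnonce"))
        if not hmac.compare_digest(expected.encode(), p.get("response", "").encode()):
            return False
        state[1] = nc
        return True


def offline_guess(captured_authorization, method, candidates):
    """What an eavesdropper on unencrypted signaling can do: test password
    guesses against a captured header without ever touching the registrar."""
    p = parse_digest_params(captured_authorization)
    for guess in candidates:
        if digest_response(p["username"], p["realm"], guess, method, p["uri"],
                           p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce")) == p["response"]:
            return guess
    return None
```

The nonce-count check is what makes a replayed REGISTER fail even though the captured header is otherwise valid; the offline_guess function is the reason the table lists VPNs and encryption alongside authentication, since Digest over cleartext UDP exposes a hash that can be attacked at leisure, and weak per-device passwords are how the brute-force toll fraud described earlier succeeds. digest_response reproduces the worked example in RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com), which is a convenient check when porting this to another language.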