Securing IP Telephony Networks
Download
Report
Transcript Securing IP Telephony Networks
Securing IP Telephony
Networks
George G. McBride
Session TEC-8
November 15, 2005 4:45 PM to 5:45 PM
CSI32: Nov 15, 2005
Page 1 of Securing IP Telephony Networks
Some Key Points To Cover This
Afternoon
• The fundamentals and security concerns of VoIP
• Mitigating risks associated with VoIP
• Confidentiality, integrity, authentication, availability,
access, and non-repudiation
• Determining what to look for in an audit
• Measuring risk and recommending actions to reduce
vulnerability
• Tools that you can use
• Lessons learned from my assessments
CSI32: Nov 15, 2005
Page 2 of Securing IP Telephony Networks
Real Quick Introduction
• What is Voice over IP?
– Definition: Transmission of voice over the IP
Network
• Why is it important to companies?
– $$$ (and sometimes “services”)
• Is this brand new?
– SIP and H.323 Standards have been
around since the mid 1990s
• Why now?
CSI32: Nov 15, 2005
Page 3 of Securing IP Telephony Networks
VoIP Introduction
• What do you need for a VoIP network?
– The IP Part: A data network
– The V Part: VoIP specific equipment
• H.323 and SIP are two different sets of
protocols and have different infrastructure
requirements
– There is some commonality between the
two!
CSI32: Nov 15, 2005
Page 4 of Securing IP Telephony Networks
VoIP Implementation
• Who put the VoIP infrastructure in place?
– Many times, the designers and
implementers are the traditional “voice”
personnel
• May be just learning the new technology
– Or it may be sharp IT personnel who aren’t
“voice” savvy
– Nevertheless, the technology including
products, protocols, and services are new
and “experts” are limited!
CSI32: Nov 15, 2005
Page 5 of Securing IP Telephony Networks
What Are The Threats?
Concern
PSTN Controls
VoIP Controls
Confidentiality
Physical
Encryption
Integrity
Physical
Encryption/Checksums
Availability
Physical Access Control
Logical Access Control
Authentication
Recognition & Caller ID
User ID and Password
Authorization
Access Control & Caller ID
Access Control
Design
Large/Complex/Centralized Varies…Distributed
Interoperability
Centralized & Very Tested
Distributed & Ad-Hoc
CSI32: Nov 15, 2005
Page 6 of Securing IP Telephony Networks
The Legal Threat
• Companies are currently reviewing the
Communications Assistance to Law
Enforcement Act (CALEA) to determine
how they must comply:
– Service Providers Only?
– All Companies?
– Only when the VoIP interfaces with the
PSTN?
CSI32: Nov 15, 2005
Page 7 of Securing IP Telephony Networks
Emergency Services
• 911 Emergency Services
– PSTN/POTS locations are generally assigned
by physical port and generally don’t move
around!
– VoIP Phones by definition are usually
“portable” and are simply based on IP
addresses
• How are location services managed?
Updated? Logged?
• Is it real-time?
CSI32: Nov 15, 2005
Page 8 of Securing IP Telephony Networks
The Biggest Threat!
• Your organization is responsible for the
costs related to toll fraud
• When the VoIP Gateway is compromised
and hacker’s use the gateway for unlimited
international dialing, your company is
responsible for the toll charges
• I still don’t have any realistic or consistent
figures to share. Do you?
CSI32: Nov 15, 2005
Page 9 of Securing IP Telephony Networks
The Threats Are Real!
• XXX Series phones running the default Skinny (SCCP)
protocol for messaging, can be easily crashed by sending
malformed messages.
• XXX VoIP enabled router is also vulnerable by sending a
message of 50,000 characters+ to port 2000 (the TCP port
used by the router to communicate with the phones) to
cause every VoIP phone on the network to reboot or lockup, completely disrupting communications.
• XXX is vulnerable to an ARP attack on a target phone which
draws the RTP data stream through the attacker’s computer.
As most conversations are transmitted in the clear,
eavesdropping is trivial.
CSI32: Nov 15, 2005
Page 10 of Securing IP Telephony Networks
Problems With “Reviewing” VoIP
• We’re often asked to “assess” the VoIP
infrastructure against the current policies
• These policies do not address the
minimum security baseline for a VoIP
infrastructure
• Typical VoIP audits are also part
“assessment”
CSI32: Nov 15, 2005
Page 11 of Securing IP Telephony Networks
Documentation Review
• A review program should begin with a formal
review of all corporate documentation regarding
the VoIP infrastructure:
– Corporate Service Offerings
– VoIP Infrastructure
• IP Network Infrastructure
• Client Devices
– Acceptable Use statements
– PSTN Interface SLAs
CSI32: Nov 15, 2005
Page 12 of Securing IP Telephony Networks
Risk Management
• One of the most important aspects to
manage!
– Identification and Inventory of Assets
– Understanding of threats, vulnerabilities, and
controls
– Cannot be evaluated in isolation. Threats and
vulnerabilities are internal and external.
• This is one area where the assessors and
IT Security can work together.
CSI32: Nov 15, 2005
Page 13 of Securing IP Telephony Networks
Reviewing: The Architecture
• Architecture:
– Need personnel with auditing, technology,
and product know-how!
– Start from the top down to understand the
details are you encounter them
– There may not be a “right” architecture, but
there are many “wrong” ones
CSI32: Nov 15, 2005
Page 14 of Securing IP Telephony Networks
Before You Begin!
• From your IT Organization’s source, obtain
an inventory of the VoIP infrastructure
• Obtain all documentation and specifications
from the vendor to understand what you
have and what it is supposed to do
• Obtain configuration information
• Review on-line vulnerability/risk databases
CSI32: Nov 15, 2005
Page 15 of Securing IP Telephony Networks
Auditing Concerns
• The next few slides highlight some VoIP
specific concerns that we should review.
– Are these part of your organization’s
standards, practices, procedures, and
policies?
• This is a highlight of a number of areas
that should be reviewed. There are
plenty more!
CSI32: Nov 15, 2005
Page 16 of Securing IP Telephony Networks
Basic Physical Infrastructure
• Physical Security:
– The old “telecom” closets are often neglected
and may be insecure. Where is your VoIP
equipment?
– Protect test and trial equipment as you would
production equipment. It usually has
production grade configuration information
– Ensure UPS equipment can handle the new
loads
CSI32: Nov 15, 2005
Page 17 of Securing IP Telephony Networks
Business Continuity Planning &
Disaster Recover
• Have you incorporated the entire VoIP
infrastructure into the BCP/DR efforts?
• Have you tested it?
• Are the employees aware of it?
• Be aware of limited restores.
• Companies today tend to build
significant features into their VoIP
phones that they’ve grown to need.
CSI32: Nov 15, 2005
Page 18 of Securing IP Telephony Networks
Logical Auditing Concerns
• VLAN Usage:
– Separate voice and data on logically
separate networks.
• Each VLAN should have a separate DHCP
Server and management system
• Reduces QoS Issues
• VLAN Jumping still an issue, depending on
equipment
CSI32: Nov 15, 2005
Page 19 of Securing IP Telephony Networks
Logical Auditing Concerns (Con’t)
• Firewalls:
– Are you using the right one for your
environment?
• Is it VoIP Specific? Does it support SIP or
H.323? What about Megaco?
– Does it support Application Level Gateways
or Proxies?
– Pinholing?
– Is it stateful?
CSI32: Nov 15, 2005
Page 20 of Securing IP Telephony Networks
Reviewing The Firewall
• Obtain the Firewall rule sets.
– Can you experiment in a “lab” setting? This is
great to validate the firewall rule sets!
• What are the static ports?
– Port 1720 for Call Signaling
– Usually H.225 traffic.
– Any others for management?
• What are the required dynamic ports?
• Even a VoIP-aware firewall will require
reviewing, tuning, and tweaking
CSI32: Nov 15, 2005
Page 21 of Securing IP Telephony Networks
Logical Auditing Concerns (Con’t)
• Interfaces:
– PSTN to VoIP Infrastructure:
• At the Voice Gateway: Are SIP, H.323, MGCP,
and Megaco connections from the data network
prohibited?
• What authentication is configured? Required?
CSI32: Nov 15, 2005
Page 22 of Securing IP Telephony Networks
The Firewall
• A Great Cisco Whitepaper highlights key areas
where voice and data traffic intersect and
should have firewall protection:
– PC Based IP Phones (d) requiring access to the voice
segment (v) to place calls
– IP Phones (d) and call managers (v) accessing voice-mail
– Users (d) accessing the proxy server (v)
– Proxy Server (v) accessing network resources (d)
– IP Phones (d) to call processing manager (v) or proxy
server (v) because the interaction uses the data segment
to communicate
CSI32: Nov 15, 2005
Page 23 of Securing IP Telephony Networks
Firewall NAT
• NAT, Network Address Translation helps to
efficiently utilize resources and to provide some
level of security.
– Full Cone (1:1 address and port)
– Restricted Cone – same as full cone, incoming
packets are rejected unless an outbound one
originated the traffic (looks at IP Address Only)
– Port Restricted Cone – Like Restricted Cone but
restricts the inbound packet as it must be returning
to the same outbound port
– Symmetric NAT – Different mapping for each
inbound – outbound pair.
CSI32: Nov 15, 2005
Page 24 of Securing IP Telephony Networks
Logical Auditing Concerns (Con’t)
• Remote Management
– Use SSH only for remote administration
and management.
• Telnet is dead.
– For the truly paranoid, use dedicated
consoles for each management server
– How are the configuration files protected?
Backed-up?
CSI32: Nov 15, 2005
Page 25 of Securing IP Telephony Networks
QoS: Quality of Service
• Is Quality of Service a “Security Issue”?
– It is when the security features impact
the VoIP QoS levels.
– You’ll invariably be asked about it
during your Audit
• The next few slides highlight some QoS
issues
CSI32: Nov 15, 2005
Page 26 of Securing IP Telephony Networks
QoS
• Latency – time from source to destination.
The ITU-T recommended upper bounds
for latency is to be less than 150ms.
– Queuing
– Encoding
– Packetization
– Transmission
CSI32: Nov 15, 2005
Page 27 of Securing IP Telephony Networks
Jitter
• Jitter – the time differences between
packet arrival on the receiving end.
– Jitter often affects QoS more than latency
– Caused by low bandwidth
– Can cause packets to be processed out of
sequence and/or dropped if they fall outside of the
receiving buffer
– Firewalls are a big source of jitter introduction
CSI32: Nov 15, 2005
Page 28 of Securing IP Telephony Networks
Bandwidth & Packet Loss
• What is the available bandwidth for VoIP
traffic? If on a VLAN, this answer is easy
to compute. If on a shared network, this is
quite a bit different (and more variable).
• Packet Loss results from excessive
latency or jitter; as well as a result of
voice-data riding over UDP.
CSI32: Nov 15, 2005
Page 29 of Securing IP Telephony Networks
What about H.235
• Provides H.323 Security Features through
defined profiles which provide different
levels of security.
• These must be required, not an optional
implementation as clients may chose not
to use the features.
CSI32: Nov 15, 2005
Page 30 of Securing IP Telephony Networks
H.235v2/3
• Builds up from H.235 and offers enhanced
encryption as well as:
– Annex D: Shared secrets and keyed hashes
– Annex E: Digital signatures on every
message
– Annex F: Digital signatures and shared secret
establishment
• Is it required?
CSI32: Nov 15, 2005
Page 31 of Securing IP Telephony Networks
What about Session Initiation
Protocol (SIP)?
• SIP Offers HTTP Digest Authentication
– Based on a challenge-response system
– Replaces HTTP Basic Authentication so that the
password is not sent in the clear!
• S/MIME can be used to enable public key
distribution as well as authentication and integrity
protection
– Authentication (and Integrity) of signaling data
– Confidentiality of signaling data
CSI32: Nov 15, 2005
Page 32 of Securing IP Telephony Networks
SIP Security With TLS
• TLS: Successor of SSL protects SIP
signaling (integrity, confidentiality, replay)
• Only works with TCP based SIP signaling
• Must be configured hop-by-hop between
user agents and proxies or between
proxies
• Provides key management with mutual
authentication and secure key distribution
CSI32: Nov 15, 2005
Page 33 of Securing IP Telephony Networks
SIP Security
• Besides TLS, SIP also supports:
– HTTP Digest
– IPSec (With IKE)
– IPSec (With manual key exchange)
– S/MIME
• Be aware of bidding down attacks
CSI32: Nov 15, 2005
Page 34 of Securing IP Telephony Networks
SRTP
• Secure Real-time Transport Protocol
– A “profile” of RTP offers confidentiality,
authentication, and replay protection
– Encrypts Payloads
– Independent of the key management system
– Independent of the RTP stack chosen
– Can use AES
– Hardware Crypto Support, although it was
designed with low computational requirements.
CSI32: Nov 15, 2005
Page 35 of Securing IP Telephony Networks
SRTP Audit Points
• Keep these things in mind:
– How are the encryption keys distributed?
•
•
•
•
Pre-Shared
Public Key
Diffie-Hellman Key Exchange using Public Key
Diffie-Hellman Key Exchange using PreShared Secret
– Is it only being used for encryption or also
integrity and replay-attack protection?
CSI32: Nov 15, 2005
Page 36 of Securing IP Telephony Networks
What I’m Seeing…
• Default administration accounts
• Ineffective encryption (It may be AES, but
not in use at key points)
• Web-Server interfaces (It may be easier
for the admin and the bad-guys!)
• DHCP and TFTP Server Spoofing and
Insertion Attacks
CSI32: Nov 15, 2005
Page 37 of Securing IP Telephony Networks
What I’m Seeing
• Random responses to invalidly formatted
or excessive packets
• Security mechanisms susceptible to
“bidding-down” attacks
• Firewalls that require just a bit of “tuning”
to disable that service that isn’t required or
the ports that can be closed
CSI32: Nov 15, 2005
Page 38 of Securing IP Telephony Networks
What’s in my toolbox?
• In order to perform a technical based
review, you’ll need some tools:
– Sniffers
– Injectors
– Vulnerability Scanners
• Some important documents from the ITU,
NIST, ETSI, and most importantly,
equipment vendors!
CSI32: Nov 15, 2005
Page 39 of Securing IP Telephony Networks
Network Sniffers
• Empirix Hammer Call
Analyzer
• VoIP Specific
• Great for beginners
through advanced
users
• Very expensive
CSI32: Nov 15, 2005
Page 40 of Securing IP Telephony Networks
VoIP Sniffers Also Do Call
Analysis
CSI32: Nov 15, 2005
Page 41 of Securing IP Telephony Networks
Network Sniffers
• Ethereal
• Requires more work
to decode the packets
and review traffic
• It’s Open Source, it’s
free, and it’s
supported through a
large user community
CSI32: Nov 15, 2005
Page 42 of Securing IP Telephony Networks
Network Traffic Injectors
Available From:
http://www.komodia.com/
Great Packet Crafting Tool
CSI32: Nov 15, 2005
Page 43 of Securing IP Telephony Networks
SiVus
CSI32: Nov 15, 2005
Page 44 of Securing IP Telephony Networks
SiVus
CSI32: Nov 15, 2005
Page 45 of Securing IP Telephony Networks
Other tools: VoIPong
CSI32: Nov 15, 2005
Page 46 of Securing IP Telephony Networks
Cain and Abel
CSI32: Nov 15, 2005
Page 47 of Securing IP Telephony Networks
Various Documents
CSI32: Nov 15, 2005
Page 48 of Securing IP Telephony Networks
Additional Resources
• National Institute of Standards and Technology:
Security Considerations for Voice Over IP Systems:
http://csrc.nist.gov/publications/nistpubs/
• Empirix Call Analyzer:
http://www.empirix.com/Empirix/Network+IP+Storage+Test/
•
•
•
•
SiVus at VoP Security: http://www.vopsecurity.org/
IETF/ITU Documents
ETSI Tiphon Documents
J. Halpern, “IP Telephony Security in Depth”, Cisco
CSI32: Nov 15, 2005
Page 49 of Securing IP Telephony Networks
VoIP Summary
• Know your stuff! Or hire those that do!
– VoIP technology is still evolving and is very
complex!
• It’s more than just voice traffic on an IP network
• Look for everything you would look for with a
standard infrastructure assessment and you’ll
knock out a lot of the “common” audit findings.
• Watch mis-configurations on VoIP. Understand
the configurations. What looks good may not be.
– (It usually isn’t!)
CSI32: Nov 15, 2005
Page 50 of Securing IP Telephony Networks
Contact Information
• Please contact me with any questions,
comments, complaints, or new
developments.
Lucent Technologies
Bell Labs Innovations
George McBride
Senior Manager
Lucent Worldwide Services
Lucent Technologies Inc.
Room 1B-237A
101 Crawfords Corner Road
Holmdel, NJ 07733
Phone: +1.732.949.3408
E-mail: [email protected]
CSI32: Nov 15, 2005
Page 51 of Securing IP Telephony Networks