VoIP Security Best Practices - PowerPoint PPT Presentation

Slides: 22
Provided by: aurka
Transcript and Presenter's Notes

2
VoIP Security Best Practices
  • Bogdan Materna
  • CTO VP Engineering
  • VoIPshield Systems
  • Session U3-03 04/02/2009

3
VoIP Security Overview
  • Voice over IP (VoIP) inherits the same security
    threats as the IP data network, plus some new
    ones
  • Traditional IT security products are not equipped
    to address the new challenges associated with
    securing voice systems

4
Current State of VoIP Security
  • Follows the history of data network security, but
    VoIP is different from traditional data security
  • VoIP is a real-time, mission-critical service
  • Voice-specific malicious activities
  • VoIP presents new vectors of attack
      • Applications (existing H/W and new S/W based
        vendors)
      • Devices (wireline and wireless)
      • Protocols (standard and proprietary)
  • Still in the early stages: a few known
    incidents, more unpublished cases
  • Research: a cornerstone of VoIP and UC security
      • Vulnerabilities, threats, exploits
      • Signatures
      • Zero day

5
Typical Enterprise PBX Deployment
  • One physical interface (1 Gbit/sec) supports both
    access and trunking traffic
  • In large installations, an additional physical
    interface might be used to provide dedicated IP
    trunking

6
VoIP-based Call Center
[Diagram labels: PBX; Call Recorder; Confidential information transmission; Confidential information usage, maintenance, collection]
  • Confidential information is collected, stored
    and transmitted through VoIP infrastructure
  • Complex call flows, infrastructure and
    outsourcing create potential for security
    breaches
  • Large call volumes

7
VoIP Vulnerabilities and Exploits
  • Software related (introduced by a VoIP vendor)
  • Configuration related (introduced by the user of
    VoIP)
  • Protocol related (inherent protocol issues: SIP,
    UNIStim, Skinny, H.323)
  • Composite (combination of the above)
  • Device level (related to a particular
    device/application such as IP PBX)
  • System level (related to the VoIP infrastructure
    components and topology)
  • Unidirectional or duplex (related to flow of data
    and information)

8
Device Level Vulnerabilities and Exploits
[Diagram labels: Security Layers; PBX Call Manager; Remote/Local (repeated for each layer)]
Hundreds of permutations and attack vectors
9
Converged Networks Security
[Diagram label: Converged Data, Voice and Video Network]
  • Prevention
      • Compliance assessment
      • Vulnerability and Risk Assessment
      • Patching
  • Protection
      • Perimeter (Firewall, IPS, SPIT)
      • Internal (HIPS, NAC, Encryption)
  • Mitigation: Security attack impact mitigation
  • Processes: Modified to accommodate VoIP-specific
    security requirements
  • People: Education and awareness training

10
Enterprise VoIP Security Infrastructure
[Network diagram labels: Corporate VoIP Network; Enterprise VoIP Network; Corporate Data Network; IP PBX/Softswitch/Call Manager; VIPS/VNAC; VIPS/Anti-SPIT; VA/CM; SIM; Corporate SBC; Corporate Firewall; Departmental IPS/NAC; VoIP Phones; PCs/VoIP Soft Phones; PRI / BRI / Analog Lines; Calls; Data]
11
VoIP Best Practices
12
Best Practices: VoIP Risk Assessment
  • Pre-deployment or existing VoIP installations
  • Identify threats that could adversely affect
    critical operations and assets
  • Estimate the probability of such threats being
    exploited, based on historical information and
    judgment of experts
  • Identify and rank the value, sensitivity, and
    criticality of the operations and assets that
    could be affected. Determine which operations and
    assets are the most important.
  • Estimate, for the most critical and sensitive
    assets and operations, the potential losses or
    damage
  • Identify the best actions to mitigate or reduce
    the risk. These actions can include implementing
    policies, procedures and technical or physical
    controls
  • Document the results and develop an action plan

13
Best Practices: Risk Assessment Critical Success Factors
  • Obtain C-level, IT, security and
    telecommunication department support
  • Involve VoIP equipment vendor(s)
  • Designate primes for various activities
  • Define procedures
  • Involve business and VoIP/UC technical experts
  • Keep the scope well defined and focused
  • Document and maintain results

14
Best Practices: Pre-deployment
  • Execute Risk Assessment process
  • Create VoIP Security Architecture Design
    Implementation Document
  • Make it an integral part of VoIP RFP process
  • Create a lab infrastructure corresponding to the
    production VoIP deployment
  • Run vulnerability assessment on the VoIP
    equipment
  • Install and test VoIP security applications
    identified in (1)
  • Run effectiveness assessment on the VoIP security
    apps
  • Put it all together and run false/positive
    realistic tests
      • Blocking attacks
      • Blocking legitimate traffic

15
Best Practices: Existing Installations
  • Execute Risk Assessment process
  • Create VoIP Security Architecture Design
    Implementation Document
  • Provide business case for deploying VoIP security
  • Run vulnerability assessment on the production
    VoIP equipment. Fix the issues by patching,
    reconfiguration or network tuning
  • Create a lab infrastructure corresponding to the
    production VoIP deployment
  • In the lab install and test VoIP security
    applications identified in (2)
  • In the lab run effectiveness assessment on the
    VoIP security apps
  • In the lab put it all together and run
    false/positive realistic tests
      • Blocking attacks
      • Blocking legitimate traffic
  • Run pilots/stage the security apps deployment in
    production

16
Best Practices: Specific Recommendations
  • Be proactive
      • Acquire a VoIP VA tool or procure VoIP VA services
      • Make sure VoIP is part of the regulatory compliance
        framework
  • Protect your infrastructure
      • Use a Session Border Controller as an access point
        for SIP trunks
      • Deploy VoIP IPS with VoIP-specific signature
        sets and detection engines
      • Deploy VIPS sensors in remote locations
      • Encryption/Authentication where it makes sense
      • Use VPN to carry traffic amongst the sites if it
        provides required QoS
      • Consider Data Leakage Protection on VoIP
      • For a large number of home office or travelling
        employees, consider deployment of VNAC
        functionality
      • If SPIT is a risk you identified, you should
        acquire an anti-SPIT appliance

17
Best Practices: Specific Recommendations
  • 3. Manage PBX configuration
      • Default passwords, barrier codes, access codes
      • Employees who are no longer with the company
      • Local administrators
      • Administrative access
      • User profiles
      • Adds/Moves
      • Toll fraud
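
An added example, not part of the original slides: a small audit of a PBX extension export against the checks listed on this slide (default codes, departed employees, administrative access, toll fraud). The CSV layout, names, rosters and weak-PIN list are constructed assumptions, not any vendor's export format.

```python
import csv
import io

# Constructed sample: a PBX extension export (hypothetical column layout).
PBX_EXPORT = """extension,owner,voicemail_pin,role,intl_dialing,remote_access
2001,alice,8841,user,no,no
2002,bob,2002,user,yes,no
2003,carol,1234,admin,no,yes
2004,dave,5521,admin,yes,yes
2005,lobby,0000,user,yes,no
"""
# Constructed samples: current staff (from HR), shared devices, approved PBX admins.
ACTIVE_STAFF = {"alice", "bob", "carol"}
SHARED_DEVICES = {"lobby"}
APPROVED_ADMINS = {"carol"}
WEAK_PINS = {"0000", "1111", "1234", "4321", "9999"}  # illustrative; extend with vendor defaults


def pin_is_weak(pin, extension):
    """Default-style PIN: on the weak list, equal to the extension, or one repeated digit."""
    return pin in WEAK_PINS or pin == extension or len(set(pin)) == 1


def audit(export_text):
    """Return (extension, issue) pairs for every configuration check that fails."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        ext, owner = row["extension"], row["owner"]
        if pin_is_weak(row["voicemail_pin"], ext):
            findings.append((ext, "weak-or-default-pin"))
        # Accounts whose owner has left: not on the staff roster and not a shared device.
        if owner not in ACTIVE_STAFF and owner not in SHARED_DEVICES:
            findings.append((ext, "owner-not-in-staff-roster"))
        if row["role"] == "admin" and owner not in APPROVED_ADMINS:
            findings.append((ext, "unapproved-admin"))
        # Toll-fraud exposure: international dialing on a shared or remotely reachable extension.
        exposed = owner in SHARED_DEVICES or row["remote_access"] == "yes"
        if row["intl_dialing"] == "yes" and exposed:
            findings.append((ext, "toll-fraud-exposure"))
    return findings


if __name__ == "__main__":
    for ext, issue in audit(PBX_EXPORT):
        print(f"extension {ext}: {issue}")
```
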

18
Best Practices: Operationalize VoIP Security
  • Write policies and procedures on how to manage, for
    example:
      • Passwords, barrier codes, access codes, etc.
      • Accounts owned by people who are no longer with
        the company: end-point PBX profiles, voice mail,
        remote access, admin access, etc.
      • Changes made by VoIP administrators
      • admin passwords
      • Vulnerability assessment process
      • VoIP remote access policy
      • Usage of softclients on the laptops
      • Contractor and business partner access to VoIP
        infrastructure

19
Best Practices: Operationalize VoIP Security
  • Integrate VoIP security infrastructure with the
    existing management tools and processes, for
    example:
      • Integration with SIM/SEM systems
      • Tracking changes in PBX configuration
      • User adds and moves
      • Patching process
      • Relationship with VoIP Service Provider(s)
      • Integration with email, IM and other UC
        applications

20
Best Practices: Advice
  • Don't think you are secure because:
      • You use only PSTN trunks
      • You implemented VLAN based separation of VoIP and
        data
      • You have a solid data security infrastructure
      • You encrypted all the traffic
      • Your VoIP equipment vendor told you so

21
Thank You
bmaterna_at_voipshield.com
www.voipshield.com