VoIP

1
VoIP Security

• Who opened the barn door?

Frank Leeds Seitel Leeds Associates
2
Agenda

• Current industry trends
• Definitions and architectures
• Practical steps securing VoIP networks
• Unforeseen side effects
• Basic best practices
• Questions

3
First things First!

• IP Telephony is our real focus.
• Voice over IP or VoIP is just one transport
  technique within the realm of IP Telephony.
• ..But . well stick with VoIP as a generic term
  for IP telephony during this presentation!

4
Industry trends

• Its here!
• Its real!
• Its not perfect!
• But then nothing is

5
So whats the problem?

• Significant capital is already invested in TDM
  equipment

• Insufficient data infrastructure
• Often a weak existing data security infrastructure

6
Security
We like security we like the pope to be
infallible in matters of faith, and grave doctors
to be so in moral questions so that we can feel
reassured.
Blaise Pascal (16231662)
There is one safeguard known generally to the
wise, which is an advantage and security to
all...What is it? Distrust.
Demosthenes (c. 384-322 B.C.)
7
Agenda

• Current industry trends
• Definitions and architectures
• Practical steps securing VoIP networks
• Unforeseen side effects
• Basic best practices
• Questions

8
Security 101

• Define assets
• Classify threats
• Determine vulnerabilities
• Assess the risk
• Take appropriate measures

9
Assets
What are we protecting?

• Physical people, buildings, equipment
• Intellectual code, WWW information
• Financial credit card, accounting data
• Intangible reputation, morale, privacy
• Computer Services fiscal, student records
• Voice services dial-tone, LD, 9-1-1

10
Threats
Who or What threatens our assets?

• Intentional theft, attacks virus, DoS
• Attacks terrorism, war, deranged individuals
• Accidental deletion, spills, backhoe fade
• Natural fire, earthquake, tornado
• Environmental building systems plumbing,
  sprinklers, fire alarm, power, HVAC

11
Vulnerabilities
Likelihood of a threat resulting in a loss to an
asset.

• Physical Do I lock my doors?
• Host-based security Do I have passwords?
• User training Do I train my users?
• Network Do I restrict access to my network?
• Natural Are my equipment racks bolted down?
• Environmental Do I have a UPS?

12
Risk
Prioritization of the vulnerabilities for
mitigation.

• Conduct a vulnerability assessment
• Threat frequency and impact
• Evaluate against safeguards in place
• Prioritize those vulnerabilities

13
VoIP Security 101

• Define voice and IP telephony assets
• Classify data and voice threats
• Determine data and voice vulnerabilities
• Assess the risk (e.g. E9-1-1)
• Take appropriate measures

Nothing different from what you do today!
14
Definitions Architectures

• What is VoIP or IP Telephony?
• What is VoIP Security?

15
Agenda

• Current industry trends
• Definitions and architectures
• What is VoIP?
• What is VoIP Security?
• Practical steps securing VoIP networks
• Unforeseen side effects
• Basic best practices
• Questions

16
IP telephony is

• Telephone service transmitted over a TCP/IP
  network
• Provides
• Call Signaling(Registration, Admission, Status)
• Call Control/Call Setup
• Media Capabilities
• Call Processing

PSTN
17
It contains.

• Handsets
• Softphones
• Gateways
• Gatekeepers
• Conference Bridge
• IP PBX
• H.323, SIP, MGCP, Megaco/H.248, Proprietary

Gatekeeper
PSTN
SIP, H.323 Proprietary
H.248, H.323, SIP
Conf. Bridge
H.323, SIP, H.248, MGCP
IP
H.323, SIP, RTP
18
It is built on.

• Campus networks
• Metropolitan networks
• Extranets
• Internet
• Carrier networks
• PSTN
• 3rd Party Solutions (financial, security)

19
Computing Infrastructure

• Servers
• Email Servers
• Directory Servers
• Backup/Restore Servers
• PC Workstations
• Legacy systems (voice and data)
• Advanced Services (ACD/IVR, Call Centers)

20
Network Infrastructure

• Ethernet Layer 2/3 Switches with in-line power
• Gateways/Routers
• Firewalls / Proxy Servers
• Carrier circuits
• Voicemail Gateways
• NMS
• HIDS/NIDS

21
What is VoIP?

• More of the Same!
• Infrastructure
• Protocols
• Equipment
• PROCESS!

Nothing you can't handle!
If you're methodical and cautious!
22
Agenda

• Current industry trends
• Definitions and architectures
• What is VoIP?
• What is VoIP Security?
• Practical steps securing VoIP networks
• Unforeseen side effects
• Basic best practices
• Questions

23
VoIP Security Issues

• IP telephony or VoIP.
• Adds new access points to the corporate network
• Adds new devices that can be attacked or used to
  launch attacks
• Adds new protocols to be used to launch threats
• Adds a new channel for blended threats

24
Importance?

• IP telephony attacks/outages affect
• Life-Safety Denial of access to 9-1-1
• Confidentiality Voicemails revealed
• Integrity Voicemail data changed
• Productivity Denial of service
• Morale and public image

25
Agenda

• Current industry trends
• Definitions and architectures
• Practical steps securing VoIP networks
• Unforeseen side effects
• Basic best practices
• Questions

26
Where to start?

• Analysis
• Understanding
• Planning
• Execution

Common sense aint common. Will Rogers (1879-1935)
27
VoIP Security Architecture
Firewalls
VoIP
VLANS
IDS
Backup Restore
Virus Protection
Security Management
Protocols
Power HVAC Building Srv.
28
Components (Easy or Vendor View)
Gateway
QoS Enabled Switch
IP PBX
IP Phones
29
Components (Reality)
30
Components
VoIP-enabled Firewall
IP Telephone
Application Server
QoS Enabled Switch
IP PBX
Layer 2/3 Switch
Unified Messaging/VM
Voice Gateway/Router
Workstation / Softphones
31
IP Telephony Attacks
Remember!

• Asset attacks
• Can occur directly at the asset (IVR access for
  banking services)
• Or can be indirect (denial of service)
• Or can be directed at network resources (dB,
  Server OS)
• Need to understand all possibilities.

32
Analysis / Understanding

• VoIP security means an understanding of.
• Data flows (signaling, media exchange, call
  processing)
• Protocols
• Components

33
Example - Softphones
Viruses and Worms (Code-Red, Nimda)
OS Vulnerabilities (security holes)
Application Vulnerabilities (macro viruses)
Network Vulnerabilities (ARP sniffing)
Power Outages
Denial of Service (UDP flood)
34
Basic VoIP Data Flows
Data VLAN
Voice VLAN
35
Advanced Data Flows
VPN Tunnel
RTP, UDP, TCP (Media, Conversation)
Inter-VLAN Routing
DMZ
Call Setup
VoIP Web Access
Call Processing
36
Possible Springboards into Your Network
New IP device on network, web-enabled, xml enabled
New routing patterns, new access control lists
New servers - Windows, Linux or VxWorks
New tunnels, new VPN access, new protocols
37
Possible Vulnerabilities

• Routing between voice and data VLANs
• Firewall tunnels for VoIP
• IP handset access, rogue wireless APs
• Man-in-the-Middle spoofing attacks
• Log analysis doesnt account for VoIP
• IDS response plan doesnt account for VoIP

38
Direct VoIP Threats

• Physical Spills, unlocked wiring closets
• Logical Invalid E9-1-1 address, improper
  settings, music on hold thrashing, CO glare,
  forwarding loops
• Malicious DoS, data corruption, inappropriate
  access
• Environmental power outage, network outage

39
VoIP Security Axioms

• Voice networks are targets
• Data and voice segmentation is key
• Telephony devices dont support confidentiality
• IP-phones provide access to data-voice segments
• PC-based IP phones require open access

• PC-based IP phones are especially susceptible to
  attacks
• Controlling the voice-to-data segment interaction
  is key
• Establishing identity is key
• Rogue devices pose serious threats
• Secure and monitor all voice servers and segments

40
Reference VoIP Security Architecture
41
VoIP Threat Mitigation

• Call interception (switched infrastructure)
• Unauthorized access (HIDS, AAA)
• Caller Identity spoofing (MAC level tracking)
• Toll Fraud (ACL - keep unknowns out)
• Repudiation (call setup log review)
• IP spoofing (RFC 2827, 1918 filtering)
• App Layer Attacks (HIDS)
• DoS (stateful firewall, sep. V/D segments)

42
VoIP Security

• Same as traditional data security!
• Some new protocols
• Some new equipment
• Some new assets

43
Agenda

• Current industry trends
• Definitions and architectures
• Practical steps securing VoIP networks
• Unforeseen side effects
• Basic best practices
• Questions

44
Unforeseen Side Effects

• Firewalls
• VLANs

45
Firewalls VoIP
Signaling Control
Transient Ports
X
Out-bound Media Capabilities and RTP
In-bound Media and RTP
46
VLANS as security!?
Voice
Data VLAN has been routed to Voice VLAN Here!
Data
47
VLANS and ARP
VLAN 100
A
B
ARP Table A 00cc001234 10.1.1.1
ARP Table B 00cc00abcd 10.1.1.2
00cc00abcd 10.1.1.2
00cc001234 10.1.1.1
VLAN 100
VLAN 200
ARP Table A 00cc001234 10.1.1.1
ARP Table B 00cc00abcd 10.1.1.2
48
VLAN Issues

• VLAN are a compromise for LANs connected with
  routers.
• Switches were not designed as security devices.
• VLANS were designed for broadcast domain
  management - not security
• Recognize frames can hop VLANs and VLAN tags can
  be spoofed
• Dont leave VLAN 1 as management VLAN (well known
  VLAN)

49
Some Technical Ref.

• http//www.isa.org
• http//www.cisco.com/go/safe
• http//naughty.monkey.org/dugsong/dsniff/
• voice over misconfigured Internet Telephones or
  vomit http//vomit.xtdnet.nl
• RFC 2543 Session Initiation Protocol
• RFC 2705 MGCP Media Gateway Control Protocol
• RFC 2827 Network Ingress Filtering Defeating
  Denial of Service Attacks which employ IP Source
  Address Spoofing 
• Security for H.323 Annex J www.itu.int

50
Agenda

• Current industry trends
• Definitions and architectures
• Practical steps securing VoIP networks
• Unforeseen side effects
• Basic best practices
• Questions

51
Best Practices for Security

• What are general best practices for security?
• What are some specific VoIP best practices for
  security?

52
10 Generally Accepted Security Best Practice
Categories

• General Management
• Policy
• Risk Management
• Security Architecture Design
• User Issues

• System Network Management
• Authentication Authorization
• Monitor Audit
• Physical Security
• Continuity Planning Disaster Recovery

Internet Security Alliance (ISA)
53
10 VoIP Security Best Practices

• Use ACLs to minimize all IP traffic access
  between Voice and Data VLANs
• Encrypt configuration passwords
• Enable session timeouts
• Restrict SNMP access
• Restrict virtual (Telnet) console access

• Disable minor host services
• Disable forwarding of directed broadcasts
• Disable RCP and RSH services
• Disable forwarding of source-routed packets
• Enable port security

This list is not exhaustive!
54
Server (PBX/VM) Security

• Install vendor approved patches from manf.
• Lock down and harden server OS
• Use vendors instructions e.g.
• Disable or remove Guest accounts
• Use strong passwords and AAA
• Remove unnecessary services
• Add SA password
• More
• Understand how AD or other directory services
  interact with your VoIP OS.
• LIMIT! Supervisory access, vendor access
• Use group policies to setup task-based granular
  security levels

55
VoIP Security Admin

• Conduct regular security assessments of your VoIP
  architecture and equipment
• Audit significant actions/events on equipment
  (service added, user added)
• Have well defined incident response procedures
  for these regular audits when a suspicious
  event occurs.
• Methodically control access between the data and
  voice segments

56
Conclusion

• VoIP just adds - more assets (dial tone, E9-1-1),
  more threat locations, more vulnerabilities to
  the data network
• Because of - new equipment, protocols, process
  on the data network
• Good is no longer good enough!
• Specifically address security infrastructure and
  process for VoIP.

You will have to do your homework with VoIP
Security!!
57
Questions

• Frank Leeds
• Seitel Leeds Associates
• fleeds_at_sla.com