Securing Open Source Enterprise VoIP - PowerPoint PPT Presentation

Slides: 14
Provided by: LMEL

Transcript and Presenter's Notes

2
Securing Open Source Enterprise VoIP
  • Christian Stredicke/snom

3
SIP is the ketchup of the burger
The Past: Everything is provided (more or less) by one
large company.
Problem: Products are getting very complex and it is
hard to stay competitive.
The Future: Specialized vendors offering excellent
products in a specific area.
Layers shown in the slide's diagram:
  • SoftPhones
  • ITSP
  • Hosting
  • IVR
  • Consulting
  • SIP PBX
  • ATA
  • Hard Phones
  • SBC
Finally the VoIP industry is splitting up into
layers; SIP is the ketchup that makes it a tasty
combination.
4
Selling Security
  • There is probably no company without a firewall any
    more
  • Security for email and web is a must-have today
  • Administrators who don't understand that are
    jobless
  • Offer two contracts
    • One where you make the customer responsible for
      all security breaches (system without security)
    • Another one where they just waive your liability
      (system with security)
  • They will pick the contract that includes security

5
The Evolution of VoIP Privacy
Stages shown in the slide's diagram:
  • TLS, SRTP
  • VPN
  • Use SRTP (but no TLS)
  • We got transfer working
6
How to listen to VoIP calls
The LAN is the problem, if you are just using plain SIP!
Diagram labels: Ethernet Switch, ARP. The PC puts itself
into the communication stream by pretending to have the
same MAC address as the phone (PCs are pretty fast these
days and respond faster than VoIP phones).
  • Tools
    • www.oxit.it
    • arp-sk - ARP Swiss Army Knife Tool
    • arp-scan
7
SRTP scrambles the voice
Packet layout in the slide's diagram (plain RTP on top,
SRTP below):
  Ethernet Header | IP | UDP | RTP | Codec | Ethernet Checksum
  Ethernet Header | IP | UDP | RTP | Codec XOR AES Counter | MAC | Ethernet Checksum
  • The AES counter is used to XOR the audio data
  • The MAC is a hash over the codec content and
    makes sure that only the one who knows the
    counter value can generate the packet
  • With every packet, the counter is pseudorandomly
    incremented
  • The key is to negotiate the initial counter value
    securely
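As an added example (not from the slides or from snom), the packet protection the diagram above shows, in Go: the codec payload is XORed with an AES counter-mode keystream whose IV mixes the session salt, the stream's SSRC and the packet index as RFC 3711 defines it (rollover counter and sequence number), and an HMAC-SHA1 tag over header, ciphertext and rollover counter lets the receiver drop forged or altered packets before decrypting. The session keys and the RTP packet contents are constructed placeholders, not values from any real call.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
)

// Constructed session keys for this demo; real SRTP derives them from the negotiated master key.
var sessKey, sessSalt, authKey = []byte("0123456789abcdef"), []byte("srtp-salt-demo"), []byte("srtp-auth-key-demo!!") // AES-128 key, 112-bit salt, HMAC-SHA1 key

// xorPayload XORs src with the packet's AES-CTR keystream into dst; counter mode is symmetric, so one call
// encrypts and decrypts. IV per RFC 3711: (salt<<16) ^ (ssrc<<64) ^ (index<<16) with index = roc<<16|seq.
func xorPayload(dst, src, header []byte, roc uint32) {
	ssrc, seq := binary.BigEndian.Uint32(header[8:12]), binary.BigEndian.Uint16(header[2:4]) // RTP header fields
	iv := make([]byte, 16)
	copy(iv, sessSalt) // salt<<16 fills bytes 0..13
	binary.BigEndian.PutUint32(iv[4:8], binary.BigEndian.Uint32(iv[4:8])^ssrc)                            // ssrc<<64: bytes 4..7
	binary.BigEndian.PutUint64(iv[6:14], binary.BigEndian.Uint64(iv[6:14])^(uint64(roc)<<16|uint64(seq))) // index<<16: bytes 8..13
	block, _ := aes.NewCipher(sessKey) // fixed 16-byte key, cannot fail
	cipher.NewCTR(block, iv).XORKeyStream(dst, src)
}

// authTag is HMAC-SHA1 over header||ciphertext||ROC truncated to 80 bits; the ROC is authenticated but never sent.
func authTag(authenticated []byte, roc uint32) []byte {
	m := hmac.New(sha1.New, authKey)
	m.Write(authenticated)
	binary.Write(m, binary.BigEndian, roc)
	return m.Sum(nil)[:10]
}

// protect maps header||payload to header||ciphertext||tag; the 12-byte RTP header stays in the clear.
func protect(header, payload []byte, roc uint32) []byte {
	out := append(append([]byte{}, header...), make([]byte, len(payload))...)
	xorPayload(out[12:], payload, header, roc)
	return append(out, authTag(out, roc)...)
}

// unprotect verifies the tag in constant time before decrypting; a forged, altered or truncated packet yields ok=false.
func unprotect(pkt []byte, roc uint32) (payload []byte, ok bool) {
	n := len(pkt) - 10 // where the tag starts
	if n < 12 || !hmac.Equal(pkt[n:], authTag(pkt[:n], roc)) {
		return nil, false
	}
	payload = make([]byte, n-12)
	xorPayload(payload, pkt[12:n], pkt[:12], roc)
	return payload, true
}
```

Both ends must track the rollover counter themselves, since it is covered by the tag but not carried in the packet; a receiver that loses count rejects every packet until it resynchronises.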

8
Key Exchange Algorithms (so far)
Source: Dan Wing, "Overview of SIP Media Security
Options", March 21, 2006 (IETF 65)
9
How TLS works
  • Known from other protocols (HTTPS, secure SMTP, ...)
  • Looks like TCP from the application point of view
  • Uses strong cryptographic methods (RSA, DH)
  • How can you trust the other side?
    • Certificates
    • Must be issued by someone that you trust
    • Preset list or load the root certificate
  • Problem
    • Requires at the very least TCP support (most PBXs
      don't have this today)
    • Problems for embedded devices (OpenSSL takes
      several MB)

10
Is VPN the solution?
  • Very well established
  • Secure
  • Latest generations address latency
    • UDP or GRE
  • Nice side effects
    • No more NAT problems
    • VPN servers are widely available (OpenVPN)
    • No more port-playing with national carriers
  • Problems
    • Media relay through the central VPN node
    • Setup is not as easy as TLS

11
DoS is becoming a pain
If you have Gigabit Ethernet, make sure you can
process one million ping packets per second.
  • Brute force attacks
    • ping -f (start it several times)
    • Downloading of emails (LOL)
    • Just don't hang up (ENUM)
  • Bad software
    • INVITE of Death (DoS LOL)
    • Accepting INVITE without any kind of
      authentication

12
Simple Steps to Increase Security
  • Put your VoIP network into a VLAN
    • Give higher priority bits for that LAN
    • Have a mini-SBC between the LANs
    • Limit bandwidth on trunk level
  • Set the expectations right
    • Making phone calls over the public Internet has
      no QoS
    • Seriously consider PSTN termination
  • Think about upgrade paths
  • Backup

13
The Bottom Line
  • You must address privacy in the enterprise
  • TLS and SRTP are a good solution
  • VPN is even better, as it solves NAT as well
  • Think pessimistically about bandwidth utilization