Voice over IP Fundamentals - PowerPoint PPT Presentation

1 / 31
About This Presentation
Title:

Voice over IP Fundamentals

Description:

CHAPTER 10 Voice Security VoIP Security Requirements: Integrity: The recipient should receive the packets that the originator sends without and change to content. – PowerPoint PPT presentation

Number of Views:171
Avg rating:3.0/5.0
Slides: 32
Provided by: facultyCc83
Category:

less

Transcript and Presenter's Notes

Title: Voice over IP Fundamentals


1
Voice over IP Fundamentals
  • CHAPTER 10
  • Voice Security

2
VoIP Security Requirements Integrity The
recipient should receive the packets that the
originator sends without and change to
content. Privacy A third party should not be
able to read the data Authenticity Each party
should be confident they are communicating with
whom each claims to be Availability/Protection
from Denial-of Service The VoIP service should
be available to users at all times
3
  • Shared-Key
  • A common shared-key between users
  • Each pair of users must have the same key
  • Does not scale well with multiple pairs of users
  • The key is used to encrypt the message
  • A hash is calculated from the shared key

4
  • Asymmetric Key
  • Each user has a Private-key as well as a
    Public-key
  • Only the corresponding public-key can decrypt the
    message that is encrypted with the private-key
  • Only the corresponding private-key can decrypt
    the message that is encrypted with the public-key
  • Has a one-to-one relationship between keys
  • Keys can be exchanged over an unsecured network

5
  • Asymmetric Key
  • Phases
  • Authentication phase
  • Secure communication phase
  • CPU-intensive process
  • Unique shared secret per session

6
  • Digital Signature
  • Uses a set of complimentary algorithms for
    signing and for verification
  • A Digital signature is obtained from a
    Certificate Authority (CA)
  • A hash of the message is created with the private
    key to create a Digital Signature
  • Recipient verifies the signature by running a
    verification algorithm over the message content
    using the public-key of the sender

7
  • Digital Signature continued
  • Uses a set of complimentary algorithms for
    signing and for verification
  • Digital signatures provide authentication
  • Digital signatures provide message integrity
  • Each signature is appended to the message in
    clear text
  • Digital signatures do not provide privacy

8
  • Certificate Authority
  • The Certificate Authority receives the public-key
    at the time of key generation.
  • The Certificate Authority will verify the
    identity of the sender and issue a certificate
  • Each device in the system has a public-key of the
    CA
  • At the time of contact each system will
  • Present its certificate to its peer
  • Each will run a verification
  • If verified the keys are stored

9
  • Public-key
  • Common Protocols
  • Transport layer Security (TLS)
  • Independent of applications
  • Rides on top of Transport layer protocols
  • Can be used with multiple services
  • Record Protocol
  • Lower-layer protocol
  • Provides privacy and integrity
  • Used DES or RC4 for encryption
  • Client layer
  • Authenticates
  • Negotiates

10
TLS
11
  • Public-key
  • Common Protocols continued
  • Ipsec
  • Uses Authentication Header (AH)
  • Uses Encapsulation Security Payload (ESP)
  • AH provides authentication and integrity
  • ESP provides privacy, authenticity, and integrity
  • Tunnel-mode
  • Protects only the payload
  • Header inserted between the Ip header and the
    transport layer header (TCP/UDP)
  • Transport-mode
  • Encapsulates the entire packet
  • Ipsec header is added between the outer and inner
    IP headers

12
  • Public-key
  • Common Protocols continued
  • Ipsec

13
Public-key Common Protocols continued IPsec
14
Public-key Common Protocols continued IPsec
15
  • Public-key
  • Common Protocols continued
  • Secure Real Time Protocol (SRTP)
  • Integrity
  • Authentication
  • Privacy

16
  • Protecting Voice Devices
  • Disable Unused Ports/Services
  • Disable Telnet
  • Disable Trivial File Transport Protocol
  • Simple Network management Protocol
  • Use only read-only mode
  • Disable Unused Ports on layer 2 switches
  • Administrative shut down

17
  • Protecting Voice Devices continued
  • Host-based Intrusion Protection System (HIPS)
  • Software agent installed on each device
  • Collects information about traffic
  • Information compared against a set of rules
  • System can take preventative action
  • Terminating application
  • Rate-limit data

18
  • Protecting Voice Infrastructure
  • Segmentation
  • VLANs
  • IP addressing
  • Traffic types
  • Separate DHCP servers
  • Traffic Policing
  • Limit bandwidth to Codec used
  • G.711 is 64 kbps plus overhead
  • Queuing techniques
  • 802.1x Authentication
  • EAP protocol
  • RADIUS authentication server
  • Layer 2

19
  • Protecting Voice Infrastructure continued
  • 802.1x Authentication

20
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • DHCP Snooping
  • Only allow DHCP offers from known sources
  • Enabled on switches
  • Switch(config)ip dhcp snooping
  • Switch(config-if)ip dhcp snooping trust
  • Switch(config-if)ip dhcp snooping limit rate
    rate
  • Switch(config)ip dhcp snooping vlan number
    number
  • DHCP snooping binding database (IP-to-MAC)

21
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • IP Source Guard
  • Used with DHCP Snooping
  • On untrusted ports only DHCP messages allowed
    until DHCP response is received
  • Uses DHCP snooping binding database
  • Per port
  • Installs a Vlan Access Control List (VACL)

22
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • Dynamic ARP Inspection
  • Attacker sends its own MAC address as a reply
  • Man-in-the-middle attack
  • Uses the DHCP binding database
  • Drops malicious packets

23
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • CAM overflow and Port Security
  • Attacker sends fictitious MAC addresses to fill
    CAM table
  • When CAM table is filled switch will forward
    packets out all active ports (broadcast)
  • Use port security features
  • Switch(config-if)switchport port-security
    maximum number

24
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • Circumventing VLANs
  • Uses trunk ports to obtain access
  • 802.1q or ISL
  • Disable DTP on non trunk ports
  • Switch(config-if)switchport mode access

25
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • NIPS Network Based Intrusion Protection System
  • In series
  • In parallel
  • Examines every packet
  • Does not protect against Atomic attacks
  • Delay is a problem for voice

26
  • Protecting Voice Infrastructure continued
  • Layer 2 tools
  • BPDU Guard and Root Guard
  • Exploits Spanning-tree protocol
  • Listens on configured ports for BPDUs
  • Rogue device tries to become the root bridge
  • Violation can disable the port
  • Used with portfast
  • Root Guard will port into a root-inconsistent
    state
  • Root Guard will allow the device to participate
    in spanning-tree

27
  • Protecting Voice Infrastructure continued
  • Layer 3 tools
  • Routing authentication
  • Not available for all protocols
  • Can use simple password
  • Can use Message-digest (MD5) encryption
  • Not available on RIPv1
  • Shared keys between systems

28
  • Protecting Voice Infrastructure continued
  • Layer 3 tools
  • TCP intercepts
  • Denial of Service attacks
  • Sends multiple syn packets
  • Never completes the three-way handshake
  • Uses falsified IP addresses
  • Can limit half-open secessions
  • Intercept mode allows the router to respond
    before forwarding packets to client

29
  • Protecting Voice Infrastructure
  • Security Planning and Policies
  • Transitive trust
  • Eliminate re-authentication at each device
  • VoIP Protocol-Specific Issues
  • Use of computer based softphones
  • VLANs
  • Trunking
  • Double tagging

30
  • Protecting Voice Infrastructure continued
  • Security Planning and Policies
  • Complexity tradeoffs
  • Bandwidth overhead
  • Delay
  • CA cost
  • NAT/Firewall Traversal
  • Opens pathways for voice traffic
  • Does not work well with encryption (port numbers)
  • Password and Access Control
  • Minimum length
  • Complexity
  • Equipment access

31
End of Chapter 10
Write a Comment
User Comments (0)
About PowerShow.com