Network and VoIP Security - PowerPoint PPT Presentation

Presentation Transcript
Network and VoIP Security – More Important Than Ever

Mark D. Collier
Chief Technology Officer
SecureLogix Corporation
[email protected]


Outline

General Security Trends

  • Good news

  • Bad news

  • Going forward

Network-Based Security

Managed Security Services

Internal Application/VoIP Security


Security Trends

General Security Trends: Some Good News

Basic security measures, such as anti-virus, firewalls, and anti-spyware, are ubiquitously deployed

Average losses due to security breaches are up, but down significantly from 2001 and 2002 (*)

The number of incidents is down (*)

Incidents are being reported at a greater rate (*)

(*) Source – 2007 Computer Crime and Security Survey


Security Trends

General Security Trends: Some Good News (four chart-only slides)

(*) Source – 2007 Computer Crime and Security Survey


Security Trends

General Security Trends: Some Bad News (chart-only slide)

(*) Source – 2007 Computer Crime and Security Survey


Security Trends

General Security Trends: Some Bad News

Signature-based detection systems are being pushed to the limit

The platforms, network, and applications are getting more and more complex

Attacks are becoming increasingly complex

Perimeter security has many issues

Security funding is a small part of IT spending – no more than 10% and often less than 5% (*)

Targeted attacks are increasing (*)

(*) Source – 2007 Computer Crime and Security Survey


Security Trends

General Security Trends: Some Bad News (two chart-only slides)

(*) Source – 2007 Computer Crime and Security Survey


Security Trends

General Security Trends: Going Forward

Increased deployment of Intrusion Detection and Prevention Systems (IDSs and IPSs)

Possible increase in the use of Network Admission Control (NAC)

Network-Based Security solutions are available

Managed Security Services solutions are available

Increased focus on internal application security

New applications such as Voice Over IP (VoIP) are moving onto the data network


Network-based Security

Network-based Security: Introduction

[Diagram: client enterprises connect through edge devices to the primary provider IP network and to a 3rd party network]

Enterprise customers are deploying firewalls, IDSs/IPSs, AV, and anti-SPAM at the network edge

Some disadvantages:

  • Expensive

  • Multiple vendors and difficult to manage

  • Does not scale well


Network-based Security

Network-based Security: Introduction

[Diagram: the same topology, with VPN, firewall, IDS, anti-virus, etc. embedded in the AT&T IP network; firewall, IDS, anti-virus, etc. are also shown at the enterprise edge]

Network-based security embeds security capability in the network

Some advantages:

  • Leverages security capability in the network

  • Centralized management

  • Scales better


Network-based Security

Network-based Security: Advantages

Leverages security expertise

Greatly assists with threat reconnaissance

Broad network visibility allows greater awareness and warning of attacks

The impact of major worm attacks is seen well in advance of when they become a threat to an enterprise

The only real solution to DoS and DDoS attacks

A great defense in depth approach

Still may need network defense and internal security


Network-based Security

Network-based Security: Early Detection of Attacks

[Diagram: attack phases, each with two example activities, mapped onto the preventive and reactive defense phases]

  • Reconnaissance: web-based information collection; social engineering

  • Scanning: broad network mapping; targeted scan

  • System Access: service vulnerability exploitation; password guessing

  • Damage: DDoS zombie code installation; system file delete

  • Track Coverage: use of stolen accounts for attack; log file changes

The diagram marks a preventive phase (defense) and a reactive phase (defense) across these stages and indicates where the AT&T security service places its primary emphasis


Network-based Security

Network-based Security: DoS and DDoS Attacks

[Diagram: attack traffic crossing the AT&T IP backbone toward an enterprise server, with one server marked TARGETED]


Network-based Security

Network-based Security: AT&T Offerings

[Diagram: Network-Based Security Platform with the functional areas incident management, intrusion management, policy management, identity management, monitoring & management, perimeter security, and secure connectivity]

Offerings:

  • AT&T Internet Protect®

  • AT&T DDoS Defense

  • AT&T My Internet Protect

  • AT&T Private Intranet Protect

  • AT&T Network-Based Firewalls

  • AT&T Secure E-Mail Gateway

  • AT&T Web Security Services


Managed Security Services

Managed Security Services: Introduction

Managed Security Services (MSS) are a viable alternative to in-house security staffing

Leverage experienced staff, who are familiar with security processes and products

Can often be more cost-effective

Eliminates the need to retain and train staff

Security assessments/audits are commonly outsourced


Managed Security Services

Managed Security Services: Enterprise Penetration (chart-only slide)

(*) Source – 2007 Computer Crime and Security Survey

Managed Security Services

Managed Security Services: Assessments/Audits (chart-only slide)

(*) Source – 2007 Computer Crime and Security Survey


Network-based Security

Managed Security Services: AT&T Offerings

Premises-Based Firewalls

Managed Intrusion Detection

Endpoint Security Service

Token Authentication


VoIP Security: Introduction

Application/VoIP Security

Despite availability of network-based security, managed services, and customer-premise edge security, securing applications is still important

Voice Over IP (VoIP) is one internal application that must be secured


Gathering Information / Footprinting

Public Website Research: Introduction

An enterprise website often contains a lot of information that is useful to a hacker:

  • Organizational structure and corporate locations

  • Help and technical support

  • Job listings

  • Phone numbers and extensions


Gathering Information / Footprinting

Public Website Research: Countermeasures

It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it

Try to limit the amount of detail in job postings

Remove technical detail from help desk web pages


Gathering Information / Footprinting

Google Hacking: Introduction

Google is incredibly good at finding details on the web:

  • Vendor press releases and case studies

  • Resumes of VoIP personnel

  • Mailing lists and user group postings

  • Web-based VoIP logins


Gathering Information / Footprinting

Google Hacking: Countermeasures

Determine what your exposure is

Be sure to remove any VoIP phones which are visible to the Internet

Disable the web servers on your IP phones

There are services that can help you monitor your exposure:

  • www.cyveilance.com

  • www.baytsp.com


Gathering Information / Scanning

Host/Device Discovery and Identification

Consists of various techniques used to find hosts:

  • Ping sweeps

  • ARP pings

  • TCP ping scans

  • SNMP sweeps

After hosts are found, the type of device can be determined

Classifies host/device by operating system

Once hosts are found, tools can be used to find available network services


Gathering Information / Scanning

Host/Device Discovery: Ping Sweeps/ARP Pings (image-only slide)


Gathering Information / Scanning

Host/Device Discovery: Countermeasures

Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps

VLANs can help isolate ARP pings

Ping sweeps can be blocked at the perimeter firewall

Use the secure version of SNMP (SNMPv3)

Change the default SNMP community strings (e.g. "public")


Gathering Information / Enumeration

Enumeration: Introduction

Involves testing open ports and services on hosts/devices to gather more information

Includes running tools to determine if open services have known vulnerabilities

Also involves scanning for VoIP-unique information such as phone numbers

Includes gathering information from TFTP servers and SNMP


Gathering Information / Enumeration

Vulnerability Testing: Tools (image-only slide)


Gathering Information / Enumeration

Vulnerability Testing: Countermeasures

The best solution is to upgrade your applications and make sure you continually apply patches

Some firewalls and IPSs can detect and mitigate vulnerability scans


Gathering Information / Enumeration

TFTP Enumeration: Introduction

Almost all phones we tested use TFTP to download their configuration files

The TFTP server is rarely well protected

If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password

The files are downloaded in the clear and can be easily sniffed

Configuration files have usernames, passwords, IP addresses, etc. in them


Gathering Information / Enumeration

TFTP Enumeration: Countermeasures

It is difficult not to use TFTP, since it is so commonly used by VoIP vendors

Some vendors offer more secure alternatives

Firewalls can be used to restrict access to TFTP servers to valid devices


Gathering Information / Enumeration

SNMP Enumeration: Introduction

SNMP is enabled by default on most IP PBXs and IP phones

Simple SNMP sweeps will garner lots of useful information

If you know the device type, you can use snmpwalk with the appropriate OID

You can find the OID using Solarwinds MIB

Default “passwords”, called community strings, are common


Gathering Information / Enumeration

SNMP Enumeration: Countermeasures

Disable SNMP on any devices where it is not needed

Change default public and private community strings

Try to use SNMPv3, which supports authentication


Attacking The Network / Network DoS

Network Infrastructure DoS

The VoIP network and supporting infrastructure are vulnerable to attacks

VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter

Attacks include:

  • Flooding attacks

  • Network availability attacks

  • Supporting infrastructure attacks


Attacking The Network / Network DoS

Flooding Attacks: Introduction

Flooding attacks generate so many packets at a target that it is overwhelmed and cannot process legitimate requests


Attacking The Network / Network DoS

Flooding Attacks: Countermeasures

Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling)

Use rate limiting in network switches

Use anti-DoS/DDoS products

Some vendors have DoS support in their products (in newer versions of software)


Attacking The Network / Network DoS

Network Availability Attacks

This type of attack involves an attacker trying to crash the underlying operating system:

  • Fuzzing involves sending malformed packets, which exploit a weakness in software

  • Packet fragmentation

  • Buffer overflows


Attacking The Network / Network DoS

Network Availability Attacks: Countermeasures

A network IPS is an inline device that detects and blocks attacks

Some firewalls also offer this capability

Host-based IPS software also provides this capability


Attacking The Network / Network DoS

Supporting Infrastructure Attacks

VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc.

DHCP exhaustion is one example: an attacker uses up all the available IP addresses, denying service to VoIP phones

DNS cache poisoning involves tricking a DNS server into using a fake DNS response


Attacking The Network / Network DoS

Supporting Infrastructure Attacks: Countermeasures

Configure DHCP servers not to lease addresses to unknown MAC addresses

DNS servers should be configured to scrutinize information from non-authoritative servers and drop any response that does not correspond to an outstanding query


Attacking The Network / Eavesdropping

Network Eavesdropping: Introduction

VoIP configuration files, signaling, and media are vulnerable to eavesdropping

Attacks include:

  • TFTP configuration file sniffing (already discussed)

  • Number harvesting and call pattern tracking

  • Conversation eavesdropping

By sniffing signaling, it is possible to build a directory of numbers and track calling patterns

voipong automates the process of logging all calls

Wireshark is very good at sniffing VoIP signaling


Attacking The Network / Eavesdropping

Conversation Recording: Wireshark (image-only slide)


Attacking The Network / Eavesdropping

Conversation Recording: Other Tools

Other tools include:

  • vomit

  • Voipong

  • voipcrack (not public)

  • DTMF decoder


Attacking The Network / Eavesdropping

Network Eavesdropping: Countermeasures

Use encryption:

  • Many vendors offer encryption for signaling

  • Use Transport Layer Security (TLS) for signaling

  • Many vendors offer encryption for media

  • Use Secure Real-time Transport Protocol (SRTP)

  • Use ZRTP

  • Use proprietary encryption if you have to


Attacking The Network / Net/App Interception

Network Interception: Introduction

The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing:

  • Eavesdropping on the conversation

  • Causing a DoS condition

  • Altering the conversation by omitting, replaying, or inserting media

  • Redirecting calls


Attacking The Network / Net/App Interception

Network Interception: ARP Poisoning

The most common network-level MITM attack is ARP poisoning

Involves tricking a host into believing that the attacker's MAC address belongs to the intended destination

There are a number of tools available to support ARP poisoning:

  • Cain and Abel

  • ettercap

  • Dsniff

  • hunt


Attacking The Network / Net/App Interception

Network Interception: ARP Poisoning (image-only slide)


Attacking The Network / Net/App Interception

Network Interception: Countermeasures

Some countermeasures for ARP poisoning are:

  • Static OS ARP mappings

  • Switch port security

  • Proper use of VLANs

  • Signaling encryption/authentication

  • ARP poisoning detection tools, such as arpwatch
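Added example, not from the presentation: a small ARP-reply monitor in Python that implements the first and last countermeasures above, checking each reply against administrator-supplied static mappings and raising arpwatch-style alerts when an IP's MAC changes or when one MAC claims several IPs. All addresses and the capture itself are constructed.

```python
"""ARP-reply monitor in the spirit of arpwatch (added example, not part of the
original presentation). It watches for the two symptoms of ARP poisoning the
slides describe: an IP whose MAC changes, and one MAC answering for several IPs
(e.g. both the gateway and a phone). A static IP-to-MAC table, the 'static
mappings' countermeasure, is checked first. All addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ArpReply:
    ts: float         # seconds since capture start (constructed)
    sender_ip: str    # ARP sender protocol address
    sender_mac: str   # ARP sender hardware address


@dataclass
class ArpMonitor:
    static: Dict[str, str] = field(default_factory=dict)        # ip -> mac, pinned by admin
    learned: Dict[str, str] = field(default_factory=dict)       # ip -> mac, first seen wins
    mac_to_ips: Dict[str, Set[str]] = field(default_factory=dict)

    def observe(self, r: ArpReply) -> List[str]:
        """Return the alerts raised by one ARP reply (empty list if it looks benign)."""
        alerts = []
        mac = r.sender_mac.lower()
        expected = self.static.get(r.sender_ip)
        if expected and expected.lower() != mac:
            # Contradicts an administrator-pinned entry: the strongest signal we have.
            alerts.append(f"{r.ts:.1f}s STATIC-MISMATCH {r.sender_ip}: expected {expected}, got {mac}")
        prev = self.learned.get(r.sender_ip)
        if prev is None:
            self.learned[r.sender_ip] = mac
        elif prev != mac:
            # arpwatch reports this as a 'changed ethernet address'; classic poisoning symptom.
            alerts.append(f"{r.ts:.1f}s CHANGED {r.sender_ip}: {prev} -> {mac}")
            self.learned[r.sender_ip] = mac
        ips = self.mac_to_ips.setdefault(mac, set())
        ips.add(r.sender_ip)
        if len(ips) > 1:
            # One NIC answering for several IPs is how a MITM grabs both ends of a call.
            alerts.append(f"{r.ts:.1f}s MULTI-IP {mac} claims {sorted(ips)}")
        return alerts


def run_monitor(replies: List[ArpReply], static: Dict[str, str] = None) -> List[str]:
    """Feed a whole capture through the monitor and collect every alert."""
    mon = ArpMonitor(static=static or {})
    out: List[str] = []
    for r in replies:
        out.extend(mon.observe(r))
    return out


# Constructed capture: gateway .1 and phone .20 answer normally, then the host
# owning the .99 MAC starts answering for both of them.
SAMPLE = [
    ArpReply(0.0, "10.1.1.1",  "00:00:5e:00:53:01"),
    ArpReply(0.5, "10.1.1.20", "00:00:5e:00:53:20"),
    ArpReply(1.0, "10.1.1.99", "00:00:5e:00:53:99"),
    ArpReply(2.0, "10.1.1.1",  "00:00:5e:00:53:99"),
    ArpReply(2.1, "10.1.1.20", "00:00:5e:00:53:99"),
]
STATIC = {"10.1.1.1": "00:00:5e:00:53:01"}   # gateway pinned by the administrator

if __name__ == "__main__":
    for line in run_monitor(SAMPLE, STATIC):
        print(line)
```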


Attacking The Application

VoIP systems are vulnerable to application attacks against the various VoIP protocols

Attacks include:

  • Fuzzing attacks

  • Flood-based DoS

  • Signaling and media manipulation


Attacking The Application / Fuzzing

Fuzzing: Introduction

Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it

Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks

There are many public domain tools available for fuzzing:

  • Protos suite

  • Asteroid

  • Fuzzy Packet

  • NastySIP

  • Scapy

  • SipBomber

  • SFTF

  • SIP Proxy

  • SIPp

  • SIPsak


Attacking The Application / Fuzzing

Fuzzing: Commercial Tools

There are some commercial tools available:

  • Beyond Security BeStorm

  • Codenomicon

  • MuSecurity Mu-4000 Security Analyzer

  • Security Innovation Hydra

  • Sipera Systems LAVA tools


Attacking The Application / Fuzzing

Fuzzing: Countermeasures

Make sure your vendor has tested their systems for fuzzing attacks

Consider running your own tests

A VoIP-aware IPS can monitor for and block fuzzing attacks


Attacking The Application / Flood-Based DoS

Flood-Based DoS

Several tools are available to generate floods at the application layer:

  • rtpflood – generates a flood of RTP packets

  • inviteflood – generates a flood of SIP INVITE packets

  • SiVuS – a GUI tool that enables a variety of flood-based attacks

Virtually every device we tested was susceptible to these attacks


Attacking The Application / Flood-Based DoS

Flood-Based DoS: Countermeasures

There are several countermeasures you can use for flood-based DoS:

  • Use VLANs to separate networks

  • Use TCP and TLS for SIP connections

  • Use rate limiting in switches

  • Enable authentication for requests

  • Use SIP firewalls/IPSs to monitor and block attacks
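Added example, not code from the presentation: a per-source SIP INVITE rate limiter in Python of the kind a SIP-aware firewall/IPS applies, as one concrete instance of the rate-limiting and monitoring countermeasures above. The window, the threshold, the addresses and the SIP messages are assumptions constructed for the example.

```python
"""Per-source INVITE rate limiter of the kind a SIP-aware firewall/IPS applies
(added example, not code from the presentation). It parses the request line of
each SIP message and keeps a sliding window per source address: more than
MAX_INVITES INVITEs within WINDOW seconds from one source is treated as a flood
and dropped. Messages, addresses, timestamps and the policy are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW = 1.0        # seconds (policy assumption)
MAX_INVITES = 5     # INVITEs one source may send per window (policy assumption)


def sip_method(msg: str) -> str:
    """Return the method of a SIP request, or '' for responses and malformed lines."""
    first = msg.split("\r\n", 1)[0].split("\n", 1)[0]
    parts = first.split(" ")
    if len(parts) == 3 and parts[2].startswith("SIP/2.0"):
        return parts[0]
    return ""   # e.g. 'SIP/2.0 200 OK' (a response) or garbage


class InviteRateLimiter:
    def __init__(self, window: float = WINDOW, max_invites: int = MAX_INVITES):
        self.window = window
        self.max_invites = max_invites
        self.seen: Dict[str, Deque[float]] = defaultdict(deque)   # src -> INVITE timestamps

    def decide(self, ts: float, src: str, msg: str) -> str:
        """'pass' or 'drop' (flood) for INVITEs; non-INVITE traffic passes untouched here."""
        if sip_method(msg) != "INVITE":
            return "pass"
        q = self.seen[src]
        while q and ts - q[0] > self.window:
            q.popleft()                 # expire INVITEs that fell outside the window
        q.append(ts)
        return "drop" if len(q) > self.max_invites else "pass"


def filter_stream(events: List[Tuple[float, str, str]]) -> List[Tuple[float, str, str]]:
    """Apply the limiter to (timestamp, source, message) events; returns verdicts."""
    rl = InviteRateLimiter()
    return [(ts, src, rl.decide(ts, src, msg)) for ts, src, msg in events]


INVITE = "INVITE sip:2001@pbx.example SIP/2.0\r\nVia: SIP/2.0/UDP {src}\r\n\r\n"
OK200 = "SIP/2.0 200 OK\r\n\r\n"

# Constructed traffic: one phone placing a call, and one source firing 8 INVITEs in 0.4 s.
EVENTS = [(0.0, "10.1.1.20", INVITE.format(src="10.1.1.20")), (0.2, "10.1.1.20", OK200)]
EVENTS += [(1.0 + i * 0.05, "10.1.1.99", INVITE.format(src="10.1.1.99")) for i in range(8)]
EVENTS += [(3.0, "10.1.1.99", INVITE.format(src="10.1.1.99"))]   # after the window has expired


def summarize(events: List[Tuple[float, str, str]] = EVENTS) -> Dict[str, int]:
    """Count verdicts per source, e.g. {'10.1.1.99:drop': 3, ...}."""
    counts: Dict[str, int] = defaultdict(int)
    for _, src, verdict in filter_stream(events):
        counts[f"{src}:{verdict}"] += 1
    return dict(counts)


if __name__ == "__main__":
    for ts, src, verdict in filter_stream(EVENTS):
        print(f"{ts:5.2f}s {src:<10} {verdict}")
```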


Attacking The Application / Sig/Media Manipulation

Registration Manipulation

[Diagram: attacker positioned between two users and their proxies; the session and the media are hijacked]


Attacking The Application / Sig/Media Manipulation

Session Teardown

[Diagram: two users on a call via proxies; the attacker sends BYE messages to the UAs]


Attacking The Application / Sig/Media Manipulation

IP Phone Reboot

[Diagram: two users via proxies; the attacker sends check-sync messages to a UA]


Attacking The Application / Sig/Media Manipulation

Audio Insertion/Mixing

[Diagram: two users on a call via proxies; the attacker sees the media packets and inserts/mixes in new audio]


Attacking The Application / Sig/Media Manipulation

Signaling/Media Manipulation: Countermeasures

Some countermeasures for signaling and media manipulation include:

  • Use digest authentication where possible

  • Use TCP and TLS where possible

  • Use SIP-aware firewalls/IPSs to monitor for and block attacks

  • Use audio encryption to prevent RTP injection/mixing
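Added example, not code from the presentation: SIP digest authentication (the RFC 2617 scheme that RFC 3261 adopts, shown without qop) on both the proxy and UA sides in Python, demonstrating why the forged BYE of the session-teardown slide is rejected once the first countermeasure above is in place. The realm, user, password and nonces are constructed values.

```python
"""SIP digest authentication as a defence against forged BYE/REGISTER requests
(added example, not code from the presentation). Implements the RFC 2617 digest
scheme SIP uses (RFC 3261 sec. 22), without qop for brevity: the proxy issues a
challenge and verifies the answer, the UA computes it. Values are constructed."""
import hashlib, hmac, os, re
from typing import Dict, Optional


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """response = MD5(HA1 ':' nonce ':' HA2), HA1 = MD5(user:realm:pw), HA2 = MD5(method:uri)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")   # binds the method, so a BYE answer cannot serve a REGISTER
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def parse_digest(header: str) -> Dict[str, str]:
    """'Digest k="v", k2="v2"' -> dict; {} if the header is absent or not Digest."""
    if not header.lower().startswith("digest "):
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', header[7:]))


def make_authorization(user, password, method, uri, challenge) -> str:
    """Client side: what a legitimate UA sends after a 401 challenge."""
    c = parse_digest(challenge)
    r = digest_response(user, c["realm"], password, method, uri, c["nonce"])
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", response="{r}"')


class Proxy:
    """Server side: challenges and verifies BYE/REGISTER requests."""
    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm, self.users, self.nonces = realm, users, set()   # users: name -> password

    def challenge(self) -> str:
        nonce = os.urandom(8).hex()          # fresh, single-use nonce
        self.nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}"'

    def handle(self, method: str, uri: str, authorization: Optional[str]) -> int:
        """Return 200 if the request authenticates, 401 otherwise."""
        p = parse_digest(authorization or "")
        if any(k not in p for k in ("username", "realm", "nonce", "uri", "response")):
            return 401                                        # no or incomplete credentials
        if p["realm"] != self.realm or p["uri"] != uri or p["nonce"] not in self.nonces:
            return 401                                        # wrong realm/URI, or replayed nonce
        pw = self.users.get(p["username"])
        if pw is None:
            return 401
        self.nonces.discard(p["nonce"])   # consume first: one attempt per nonce
        expected = digest_response(p["username"], self.realm, pw, method, uri, p["nonce"])
        return 200 if hmac.compare_digest(expected, p["response"]) else 401


def scenario() -> Dict[str, int]:
    """Legitimate UA vs. an attacker who knows only the user name (all values constructed)."""
    proxy = Proxy("pbx.example", {"2001": "s3cret"})
    uri, out = "sip:2002@pbx.example", {}
    out["bye_no_credentials"] = proxy.handle("BYE", uri, None)          # forged teardown
    auth = make_authorization("2001", "s3cret", "BYE", uri, proxy.challenge())
    out["bye_legitimate"] = proxy.handle("BYE", uri, auth)
    out["bye_replayed"] = proxy.handle("BYE", uri, auth)                # captured header reused
    auth = make_authorization("2001", "guess", "REGISTER", uri, proxy.challenge())
    out["register_wrong_password"] = proxy.handle("REGISTER", uri, auth)
    return out


if __name__ == "__main__":
    print(scenario())
```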


Social Attacks / Voice SPAM

Voice SPAM: Introduction

Voice SPAM refers to bulk, automatically generated, unsolicited phone calls

Similar to telemarketing, but occurring at the frequency of email SPAM

Not an issue yet, but will become prevalent when:

  • The network makes it very inexpensive or free to generate calls

  • Attackers have access to VoIP networks that allow generation of a large number of calls

It is easy to set up a voice SPAM operation, using Asterisk, tools like “spitter”, and free VoIP access


Social Attacks / Voice SPAM

Voice SPAM: Countermeasures

Some potential countermeasures for voice SPAM are:

  • Authenticated identity movements, which may help to identify callers

  • Legal measures

  • Network-based filtering

Enterprise voice SPAM filters:

  • Black lists/white lists

  • Approval systems

  • Audio content filtering

  • Turing tests


Social Attacks / Phishing

VoIP Phishing: Introduction

Similar to email phishing, but with a phone number delivered through email or voice

When the victim dials the number, the recording requests entry of personal information


Social Attacks / Phishing

VoIP Phishing: Countermeasures

Traditional email spam/phishing countermeasures come into play here

Educating users is key


Final Thoughts

General network security is improving in some ways, but new threats are emerging

Network-based security and managed security services can be used to improve enterprise security

Don’t neglect internal security and key applications

