1 / 68

Network and VoIP Security – More Important Than Ever

Network and VoIP Security – More Important Than Ever. Mark D. Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com. Outline. Outline. General Security Trends Good news Bad news Going forward Network-Based Security Managed Security Services

gunda
Download Presentation

Network and VoIP Security – More Important Than Ever

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Network and VoIP Security –More Important Than Ever Mark D. CollierChief Technology OfficerSecureLogix Corporationmark.collier@securelogix.com

  2. Outline Outline General Security Trends • Good news • Bad news • Going forward Network-Based Security Managed Security Services Internal Application/VoIP Security

  3. Security Trends General Security TrendsSome Good News Basic security measures, such as anti-virus, firewalls, and anti-spyware, are ubiquitously deployed Average losses due to security breaches are up, but down significantly from 2001 and 2002 (*) The number of incidents is down (*) Incidents are being reported at a greater rate (*) (*) Source – 2007 Computer Crime and Security Survey

  4. Security Trends General Security TrendsSome Good News (*) Source – 2007 Computer Crime and Security Survey

  5. Security Trends General Security TrendsSome Good News (*) Source – 2007 Computer Crime and Security Survey

  6. Security Trends General Security TrendsSome Good News (*) Source – 2007 Computer Crime and Security Survey

  7. Security Trends General Security TrendsSome Good News (*) Source – 2007 Computer Crime and Security Survey

  8. Security Trends General Security TrendsSome Bad News (*) Source – 2007 Computer Crime and Security Survey

  9. Security Trends General Security TrendsSome Bad News Signature based-detection systems are being pushed to the limit The platforms, network, and applications are getting more and more complex Attacks are becoming increasing complex Perimeter security has many issues Security funding is a small part of IT spending – no more than 10% and often less than 5% (*) Targeted attacks are increasing (*) (*) Source – 2007 Computer Crime and Security Survey

  10. Security Trends General Security TrendsSome Bad News (*) Source – 2007 Computer Crime and Security Survey

  11. Security Trends General Security TrendsSome Bad News (*) Source – 2007 Computer Crime and Security Survey

  12. Security Trends General Security TrendsGoing Forward Increased deployment of Intrusion Detection and Prevention Systems (IDSs and IPSs) Possible increase the in use of Network Admission Control (NAC) Network-Based Security solutions are available Managed Security Services solutions are available Increased focus on internal application security New applications such as Voice Over IP (VoIP) moving onto the data network

  13. Network-basedSecurity 3rd Party Network Primary Provider IP Network Edge Edge Client Enterprise Client Enterprise Network-based SecurityIntroduction Enterprise customers are deploying firewalls, IDSs/IPSs, AV, anti-SPAM on network edge Some disadvantages: • Expensive • Multiple vendors and difficult to manage • Does not scale well

  14. Network-basedSecurity 3rd Party Network AT&T IP Network VPN, Firewall, IDS, Anti-Virus, etc. Edge Edge Firewall, IDS, Anti-Virus, etc. Client Enterprise Client Enterprise Network-based SecurityIntroduction Network-based security embeds security capability in the network Some advantages: • Leverages security capability in the network • Centralized management • Scales better

  15. Network-basedSecurity Network-based SecurityAdvantages Leverages security expertise Greatly assists with threat reconnaissance Broad network visibility allows greater awareness and warning of attacks The impact of major Worm attacks are seen well in advance of when they are a threat to an enterprise The only real solution to DoS and DDoS attacks A great defense in depth approach Still may need network defense and internal security

  16. Network-basedSecurity Network-based SecurityEarly Detection of Attacks Web-Based Information Collection Broad Network Mapping Service Vulnerability Exploitation DDOS Zombie Code Installation Use of Stolen Accounts for Attack Social Engineering Targeted Scan Password Guessing System File Delete Log File Changes Reconnaissance Scanning System Access Damage Track Coverage Reactive Phase (Defense) Preventive Phase (Defense) AT&T Security Service Primary Emphasis

  17. Network-basedSecurity Network-based SecurityDoS and DDoS Attacks AT&T IP Backbone Enterprise Server TARGETED Server

  18. Network-basedSecurity Network-based SecurityAT&T Offerings Incident Management Intrusion Management Policy Management Identity Management Monitoring & Mgmt Perimeter Security Secure Connectivity • AT&T Internet Protect® • AT&T DDoS Defense • AT&T My Internet Protect • AT&T Private Intranet Protect • AT&T Network-Based Firewalls • AT&T Secure E-Mail Gateway • AT&T Web Security Services Network-Based Security Platform

  19. Managed SecurityServices Managed Security ServicesIntroduction Managed Security Services (MSS) are a viable alternative to in-house security staffing Leverage experienced staff, who are familiar with security processes and products Often can be more cost effective Eliminates the need to retain and train staff Security assessments/audits are commonly outsourced

  20. Managed SecurityServices Managed Security ServicesEnterprise Penetration (*) Source – 2007 Computer Crime and Security Survey

  21. Managed SecurityServices Managed Security ServicesAssessments/Audits (*) Source – 2007 Computer Crime and Security Survey

  22. Network-basedSecurity Managed Security ServicesAT&T Offerings Premises-Based Firewalls Managed Intrusion Detection Endpoint Security Service Token Authentication

  23. VoIP SecurityIntroduction Application/VoIP Security Despite availability of network-based security, managed services, and customer-premise edge security, securing applications is still important Voice Over IP (VoIP) is one internal application that must be secured

  24. Gathering InformationFootprinting Public Website ResearchIntroduction An enterprise website often contains a lot of information that is useful to a hacker: • Organizational structure and corporate locations • Help and technical support • Job listings • Phone numbers and extensions

  25. Gathering InformationFootprinting Public Website Research Countermeasures It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it Try to limit amount of detail in job postings Remove technical detail from help desk web pages

  26. Gathering InformationFootprinting Google HackingIntroduction Google is incredibly good at finding details on the web: • Vendor press releases and case studies • Resumes of VoIP personnel • Mailing lists and user group postings • Web-based VoIP logins

  27. Gathering InformationFootprinting Google HackingCountermeasures Determine what your exposure is Be sure to remove any VoIP phones which are visible to the Internet Disable the web servers on your IP phones There are services that can helpyou monitor your exposure: • www.cyveilance.com • ww.baytsp.com

  28. Gathering InformationScanning Host/DeviceDiscovery and Identification Consists of various techniques used to find hosts: • Ping sweeps • ARP pings • TCP ping scans • SNMP sweeps After hosts are found, the type of device can be determined Classifies host/device by operating system Once hosts are found, tools can be used to find available network services

  29. Gathering InformationScanning Host/Device DiscoveryPing Sweeps/ARP Pings

  30. Gathering InformationScanning Host/Device DiscoveryCountermeasures Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps VLANs can help isolate ARP pings Ping sweeps can be blocked at the perimeter firewall Use secure (SNMPv3) version of SNMP Change SNMP public strings

  31. Gathering InformationEnumeration EnumerationIntroduction Involves testing open ports and services on hosts/devices to gather more information Includes running tools to determine if open services have known vulnerabilities Also involves scanning for VoIP-unique information such as phone numbers Includes gathering information from TFTP servers and SNMP

  32. Gathering InformationEnumeration Vulnerability TestingTools

  33. Gathering InformationEnumeration Vulnerability TestingCountermeasures The best solution is to upgrade your applications and make sure you continually apply patches Some firewalls and IPSs can detect and mitigate vulnerability scans

  34. Gathering InformationEnumeration TFTP EnumerationIntroduction Almost all phones we tested use TFTP to download their configuration files The TFTP server is rarely well protected If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password The files are downloaded in the clear and can be easily sniffed Configuration files have usernames, passwords, IP addresses, etc. in them

  35. Gathering InformationEnumeration TFTP EnumerationCountermeasures It is difficult not to use TFTP, since it is so commonly used by VoIP vendors Some vendors offer more secure alternatives Firewalls can be used to restrict access to TFTP servers to valid devices

  36. Gathering InformationEnumeration SNMP EnumerationIntroduction SNMP is enabled by default on most IP PBXs and IP phones Simple SNMP sweeps will garner lots of useful information If you know the device type, you can use snmpwalk with the appropriate OID You can find the OID using Solarwinds MIB Default “passwords”, called community strings, are common

  37. Gathering InformationEnumeration SNMP EnumerationCountermeasures Disable SNMP on any devices where it is not needed Change default public and private community strings Try to use SNMPv3, which supports authentication

  38. Attacking The NetworkNetwork DoS Network Infrastructure DoS The VoIP network and supporting infrastructure are vulnerable to attacks VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter Attacks include: • Flooding attacks • Network availability attacks • Supporting infrastructure attacks

  39. Attacking The NetworkNetwork DoS Flooding AttacksIntroduction Flooding attacks generate so many packets at a target, that it is overwhelmed and can’t process legitimate requests

  40. Attacking The NetworkNetwork DoS Flooding AttacksCountermeasures Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling) Use rate limiting in network switches Use anti-DoS/DDoS products Some vendors have DoS support in their products (in newer versions of software)

  41. Attacking The NetworkNetwork DoS Network Availability Attacks This type of attack involves an attacker trying to crash the underlying operating system: • Fuzzing involves sending malformed packets, which exploit a weakness in software • Packet fragmentation • Buffer overflows

  42. Attacking The NetworkNetwork DoS Network Availability Attacks Countermeasures A network IPS is an inline device that detects and blocks attacks Some firewalls also offer this capability Host based IPS software also provides this capability

  43. Attacking The NetworkNetwork DoS Supporting Infrastructure Attacks VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc. DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones DNS cache poisoning involves tricking a DNS server into using a fake DNS response

  44. Attacking The NetworkNetwork DoS Supporting Infrastructure AttacksCountermeasures Configure DHCP servers not to lease addresses to unknown MAC addresses DNS servers should be configured to analyze info from non-authoritative servers and dropping any response not related to queries

  45. Attacking The NetworkEavesdropping Network EavesdroppingIntroduction VoIP configuration files, signaling, and media are vulnerable to eavesdropping Attacks include: • TFTP configuration file sniffing (already discussed) • Number harvesting and call pattern tracking • Conversation eavesdropping By sniffing signaling, it is possible to build a directory of numbers and track calling patterns voipong automates the process of logging all calls Wireshark is very good at sniffing VoIP signaling

  46. Attacking The NetworkEavesdropping Conversation RecordingWireshark

  47. Attacking The NetworkEavesdropping Conversation RecordingOther Tools Other tools include: • vomit • Voipong • voipcrack (not public) • DTMF decoder

  48. Attacking The NetworkEavesdropping Network EavesdroppingCountermeasures Use encryption: • Many vendors offer encryption for signaling • Use the Transport Layer Security (TLS) for signaling • Many vendors offer encryption for media • Use Secure Real-time Transport Protocol (SRTP) • Use ZRTP • Use proprietary encryption if you have to

  49. Attacking The NetworkNet/App Interception Network InterceptionIntroduction The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing: • Eavesdropping on the conversation • Causing a DoS condition • Altering the conversation by omitting, replaying, or inserting media • Redirecting calls

  50. Attacking The NetworkNet/App Interception Network InterceptionARP Poisoning The most common network-level MITM attack is ARP poisoning Involves tricking a host into thinking the MAC address of the attacker is the intended address There are a number of tools available to support ARP poisoning: • Cain and Abel • ettercap • Dsniff • hunt

More Related