Deploying IP Telephony in an Enterprise and the Vulnerabilities that Come With It

Brennen Reynolds

Department of Electrical and Computer Engineering

University of California, Davis

Security Lab Seminar – 7/17/02

Agenda

  • Introduction to IP Telephony

  • Challenges Faced with Deploying IP Telephony in Enterprises

  • Proposed Architecture Solutions

  • Security Issues Surrounding Converged Networks

  • An Architecture to Handle DoS Attacks

What is IP Telephony?

  • The use of the Internet Protocol to implement POTS telephony functionality over a data network

  • IP Telephony is NOT the same as VoIP

    • VoIP uses IP to transport voice traffic over ANY network

Implementing IP Telephony

  • Key Protocols:

    • Signaling - SIP or H.323

      • Handles establishment, maintenance and teardown of sessions

    • Media Transport - RTP & RTCP

      • Transmits voice samples

    • Supporting Services - DNS, ENUM, TRIP, RSVP, STUN

      • Improve performance and ease of use

Typical Call Setup

[Figure: call setup between two SIP IP Phones by way of two SIP Proxies, a DNS Server and a Location Service, with Media Transport running between the phones. Captions from the figure:]

  • A request is sent (SIP INVITE) to ESTABLISH a session

  • DNS Query for the IP Address of the SIP Proxy of the Destination Domain

  • The INVITE is forwarded

  • The Location Service is queried to check that the destination IP address represents a valid registered device, and for its IP Address

  • The request is forwarded to the End-Device

  • Destination device returns its IP Address to the originating device and a media connection is opened

Why IP Telephony?

  • Advanced Services

    • video, email, instant messaging and web

  • Reduced Network Costs

    • Cheap computer equipment vs. expensive proprietary telco equipment

    • Reduced bandwidth usage per call

      • G.711 (PSTN codec) uses 64 kbps per call

      • IP Telephony codecs can use anywhere from 32 kbps to 5.3 kbps per call

Enterprise Network Layout

Challenges

  • Speech quality

    • Network Delay, Jitter, Packet Loss, Encoding Technique

  • Network requirements

    • Must match current carrier grade network uptime (99.999% or 5 min downtime per year)

    • Must be capable of handling huge volume of calls (in addition to other data applications)

    • Must allow for network modification

Challenges Cont.

  • Access Management & Traffic Prioritization

    • Voice and data traffic have different requirements

    • Users must always be able to make a high quality call

      • Large data transfers may need to be throttled back

  • Security

    • Both data and voice share same network resources

    • IP protocol has security problems associated with it

    • Call signaling is now in-band with call data

    • Added intelligence at network edge (phone)

    • Susceptibility to attacks

Problems Encountered

  • Major categories of problems

    • Network Capacity

    • Network Middleboxes

      • Firewall

      • Network Address Translation

Infrastructure Problems

  • How much load would be added by IP Telephony?

  • Can an enterprise network designed for standard data applications provide the necessary guarantees?

  • Should IP Telephony be run over a separate data network?

Firewall Problems

  • Must allow new ports to be open

    • Application doesn’t use well-known ports

    • Ports are negotiated at runtime

      • Transmitted in application level header

  • Must allow UDP traffic to pass through firewall

    • Many enterprises don't want to allow this

NAT Problems

  • User Agents require routable end-to-end connections

    • Purpose of NAT is to use private (hidden) addresses

  • IP address is now included in multiple places in packet

    • Not just IP header

    • NAT devices only translate IP header information
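The firewall and NAT problems above both come from addressing carried in the application payload. The following is an added example, not part of the original presentation: it scans a constructed SIP INVITE (the addresses, URIs and port are assumptions) for the embedded addresses a header-only NAT would leave untranslated, and derives the media ports a firewall would have to learn from the SDP body.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: an INVITE as it leaves a phone on a private network.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.23:5060",
    "Contact: <sip:alice@10.0.0.23:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 10.0.0.23",
    "c=IN IP4 10.0.0.23",
    "m=audio 49170 RTP/AVP 0",
])


def embedded_addresses(message):
    """Return (field, address, is_private) for each IPv4 literal in the payload."""
    found = []
    for line in message.splitlines()[1:]:          # skip the request line
        field = re.split(r"[:=]", line, maxsplit=1)[0].strip()
        for addr in IPV4.findall(line):
            found.append((field, addr, ipaddress.ip_address(addr).is_private))
    return found


def media_pinholes(message):
    """Return (address, rtp_port, rtcp_port) for each m= line in the SDP body."""
    body = message.split("\r\n\r\n", 1)[1]
    addr, holes = None, []
    for line in body.splitlines():
        if line.startswith("c="):                  # session-level connection address
            addr = line.split()[-1]
        elif line.startswith("m="):                # port negotiated at runtime
            port = int(line.split()[1])
            holes.append((addr, port, port + 1))   # RTCP conventionally on RTP port + 1
    return holes


if __name__ == "__main__":
    for field, addr, private in embedded_addresses(SAMPLE_INVITE):
        print(f"{field:8} {addr:12} {'unroutable after header-only NAT' if private else 'ok'}")
    print("pinholes needed:", media_pinholes(SAMPLE_INVITE))
```

Every address reported as private is one the far end cannot route to unless a SIP-aware device rewrites the payload as well as the IP header.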

Proposed Solutions

  • All Access

  • Traffic Redirection

  • Application Proxy

  • Protocol Tunneling

All Access

  • Removes all restrictions

  • Accomplished by removing NAT devices

  • Removal of all firewall rules

  • Provides no security at all

Traffic Redirection

  • All telephony traffic that is destined for endpoints outside the enterprise is redirected over the PSTN

  • Negates the reduced cost of deploying IP telephony because a large number of PSTN voice trunks are still required

Application Proxy

  • A proxy server is positioned in parallel with the firewall

  • All IP telephony traffic is routed through the proxy instead of the firewall

  • Each new application will require an individual proxy

  • Additional interface to the enterprise network

Protocol Tunneling

  • All IP telephony traffic is sent through a tunnel running over a fixed port scheme

  • Added overhead of encapsulation of each packet

  • Provides avenue for malicious traffic to disguise itself as legitimate

STEM Network Architecture

  • Firewall is aware of entire network stack and automatically opens pinholes

  • SIP proxy server protected in the DMZ

  • Requires replacement of existing firewalls with dynamic, intelligent versions

Comparison of Solutions

Solving Security Issues

  • With Strong Authentication

  • With Payload Encryption

  • With Enterprise Domain Authentication

  • With Network Architecture

Strong Authentication

  • Call Based Denial of Service

    • CANCEL messages, BYE messages, Unavailable responses

  • Call Redirection

    • Re-registering with bogus terminal address, user moved to new address, must use additional proxy

  • User Impersonation

Payload Encryption

  • Capture and decoding of voice stream

    • Can be done in real-time very easily

  • Capture of DTMF information

    • Voice mail access code, credit card number, bank account

  • Call profiling based on information in message headers

Enterprise Domain Authentication

  • Unauthorized party connected to enterprise network making calls

    • Enterprise networks are easy to get access to

      • Wireless, conference rooms, waiting areas

    • A single user could easily saturate voice ports at M/S gateway if they wanted to

Network Architecture

  • Resource consumption DoS attacks

    • Network bandwidth, server resources, human time

  • Camouflaging hostile traffic

  • Malicious data flows

DoS Attacks in Converged Networks

  • Three points of attack

    • Network bandwidth between enterprise and external network

    • Server resources at control points

    • End user’s efficiency

Internet Originated Attack

  • Enterprise network connection can be flooded using techniques like SYN flooding

  • Resources on SIP proxy can be exhausted by a large flood of incoming calls

  • End user receives large number of SIP INVITE requests in a brief period of time

PSTN Originated Attack

  • Signaling link between M/S gateway and PSTN STP becomes saturated with messages

  • Voice ports on the M/S gateway are completely allocated

  • Large number of PSTN endpoints attempt to contact a single individual resulting in a high volume of INVITE messages

Network Framework For Detecting and Responding to DoS Attacks

  • Each resource consumption DoS attack has a unique signature

    • All the signatures have a similar behavior

  • An algorithm can be created to detect this behavior

  • Sensors can be implemented based on the algorithm

  • Appropriate responses can be activated to reduce the impact of the attack after detection

Information Sampling

  • IP telephony and the underlying protocol (TCP) both include some form of handshaking during the connection setup phase

  • Monitoring the volume of connection attempts vs. volume of complete connection handshakes can be used to detect an attack

Detection Algorithm

  • All connection setup attempts and complete handshakes are counted during the observation period

  • Upon expiration of the sampling period the difference is computed and normalized

  • Under normal operation, the resulting value should be very close to 0

  • In the presence of an attack, the result is a large positive number

Types of Attack Sensors

  • To ensure the detection and protection of the three targets, two sensors must be built

    • Application Layer Attack Sensor

    • Network Layer Attack Sensor

Application Layer Attack Sensor

  • Monitors the number of SIP INVITE requests vs. SIP OK (call acceptance) responses

  • Each URI is monitored independently

  • Upon flood detection, proxy or M/S gateway returns temporarily busy messages
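A sketch of the detection algorithm applied as the application layer sensor, added here as an example and not taken from the presentation. The slides do not say how the difference is normalized or where the alarm level sits, so dividing by a running average of completed handshakes, the smoothing factor and the threshold are all assumptions, and the event list is constructed.

```python
from collections import Counter, defaultdict

A, B = "sip:alice@example.com", "sip:bob@example.com"
# Constructed sample: (observation period, message, destination URI).
SAMPLE = ([(1, "INVITE", A)] * 4 + [(1, "200", A)] * 4 +
          [(1, "INVITE", B)] * 2 + [(1, "200", B)] * 2 +
          [(2, "INVITE", A)] * 40 + [(2, "200", A)] * 1 +
          [(2, "INVITE", B)] * 3 + [(2, "200", B)] * 2)

class InviteFloodSensor:
    """Counts INVITEs vs. 200 OK responses per URI for one observation period."""
    def __init__(self, alpha=0.5, threshold=2.0):   # both values are assumptions
        self.alpha, self.threshold = alpha, threshold
        self.attempts, self.completed = Counter(), Counter()
        self.baseline = defaultdict(lambda: 1.0)    # running average of completions

    def observe(self, kind, uri):
        counter = {"INVITE": self.attempts, "200": self.completed}.get(kind)
        if counter is not None:
            counter[uri] += 1

    def end_period(self):
        """Return {uri: (normalized difference, flooded)} and reset the counters."""
        report = {}
        for uri in set(self.attempts) | set(self.completed):
            done = self.completed[uri]
            score = (self.attempts[uri] - done) / self.baseline[uri]
            flooded = score > self.threshold
            report[uri] = (score, flooded)
            if not flooded:                         # keep attack periods out of the baseline
                self.baseline[uri] = max(
                    1.0, self.alpha * self.baseline[uri] + (1 - self.alpha) * done)
        self.attempts, self.completed = Counter(), Counter()
        return report

def run(events):
    """Feed period-ordered events through the sensor; return {period: report}."""
    sensor, reports, current = InviteFloodSensor(), {}, None
    for period, kind, uri in events:
        if current is not None and period != current:
            reports[current] = sensor.end_period()
        current = period
        sensor.observe(kind, uri)
    if current is not None:
        reports[current] = sensor.end_period()
    return reports

if __name__ == "__main__":
    print(run(SAMPLE))
```

Because each URI is scored independently, only the flagged URI would receive the temporarily busy response while calls to other users proceed.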

Network Layer Attack Sensor

  • Monitors the number of TCP SYN and ACK packets

  • Traffic is monitored at a high-level aggregate

  • Upon attack detection, throttling is applied by perimeter devices (e.g. firewall)

    • If attack persists, traceback technologies can be used to drop malicious traffic at an upstream point

New Enterprise Network Topology

Future Work

  • Implementation of the sensors and collection of performance and detection results

  • Design of a module to detect malicious flows

