Voip security voice over internet protocol
Download
1 / 28

VoIP Security - PowerPoint PPT Presentation


  • 289 Views
  • Updated On :

VoIP Security (Voice over Internet Protocol). Brian Martin Matt Protacio February 28, 2007. History of VoIP. First “ internet phone ” service offered in 1995 by a company called Vocaltec Most people didn ’ t yet have broadband, and most soundcards were half duplex.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'VoIP Security' - richard_edik


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Voip security voice over internet protocol l.jpg

VoIP Security(Voice over Internet Protocol)

Brian Martin

Matt Protacio

February 28, 2007


History of voip l.jpg
History of VoIP

  • First “internet phone” service offered in 1995 by a company called Vocaltec

    • Most people didn’t yet have broadband, and most soundcards were half duplex.

  • First PC to phone service in 1998, followed by phone to phone service. Cisco, Nortel, and Lucent develop hardware VOIP switches (gateways).

  • VOIP traffic exceeded 3% of voice traffic by 2000


History of voip continued l.jpg
History of VoIP (Continued)

  • Around 2004 began mass marketing for “digital phone” service bundled with broadband arranged so calls would be received over regular phones.

  • “Digital phone” services use an adaptor from the modem to a phone jack so there is almost no difference between that and regular phone service. Other services use software clients requiring a computer with a microphone.


Voip vs old phones l.jpg
VoIP vs. Old Phones

  • Benefits:

    • More efficient bandwidth usage

    • Only one type of network required, data abstraction in the network

  • Criticisms:

    • 911 localization doesn’t always work

    • Phones aren’t useable in a power outage, unless UPS are deployed

    • Fax machines might not work


Common voip security threats l.jpg
Common VoIP Security Threats

  • VoIP Security Alliance, founded in 2005

    • Threat Taxonomy

    • Forums, Articles

  • Caller misrepresentation, caller id spoofing

  • Unwanted calls, spam or stalking


Common voip security threats continued l.jpg
Common VoIP Security Threats (Continued)

  • Traffic Capture

  • Eavesdropping

  • Interception

  • Alteration (conversion quality, content)

  • Black holing

  • Call Hijacking

    • SIP (Session Initiation Protocol) register hijacking

  • DoS


Sip registration hijacking with sivus and a botnet l.jpg
SIP registration hijacking with SiVuS and a botnet

  • SIP

    • Session Initiation Protocol

    • Application layer control protocol for initiating VOIP sessions

    • Control messages were not encrypted and had no mechanism to verify integrity

      • So even if registration requires authentication, it can be sniffed easily


The basic attack plan l.jpg
The basic attack plan

  • Both Callers must register with a registrar server before a call may be initiated

    • DoS the receiver with zombie minions

    • Deregister him with the registrar

    • Falsify his registration with SiVuS

    • Anyone planning to call him will not know and you can try to claim you are the legitimate call receiver.

    • Chances are the intended call receiver will not notice either


Good ideas l.jpg
Good Ideas

  • If using SIP use TLS

    • Transport Layer Security (encryption, basically)

    • The text based messages of SIP are considered a feature though

  • If only VoIP appliances are connected to the the network, then no PCs are available to launch attacks from.

  • Segregate data and voice to their own Virtual Lans (VLANs)

  • Encrypt!!!

    • Prevents voice injections and casual eavesdropping

  • Redundant network to deal with DoS.

  • Secure IP-PBX and gateway boxes


Voip popularity l.jpg
VoIP Popularity

  • “VoIP use has more than doubled in the past year, according to Telegeography Research, and experts expect the growth to continue.”

    • New York Daily News, Februray 26, 2007


Popular voip services l.jpg
Popular VoIP Services

  • Enterprise

    • Cisco CallManager

  • Home

    • Vonage

    • Skype

    • Cable Companies (Time Warner, Insight, Comcast, etc.)


Cisco callmanager l.jpg
Cisco CallManager

  • Enterprise VoIP Product

  • Marketed towards companies and organizations looking to replace legacy PBX (Private Business Exchange) systems or install a new IP telephony based system


Cisco callmanager system design l.jpg
Cisco CallManager System Design

  • Phones

    • Deskphones, model 7960

      • Ethernet, PoE (Power over Ethernet)

    • Software Phone

      • IP Communicator

      • Popular for using across a VPN



Cisco callmanager system design continued l.jpg
Cisco CallManager System Design (continued)

  • Servers

    • CallManager Subscribers and Publishers

      • Windows or Linux Servers running Cisco Software

      • Process all calls

      • Interface with existing PBX systems


Callmanager security l.jpg
CallManager Security

  • Multiple VLANs

    • Separate VLANs for Voice and Data

    • Higher Security by isolating voice on separate VLAN

  • Primary Protocols

    • SIP

    • H.323


H 323 attack l.jpg
H.323 Attack

  • Attacker can exploit the open standard protocol to establish malicious phone calls

  • Microsoft Netmeeting can be used to initiate an H.323 Phone Call

  • Malicous phone calls can be established to make international calls

  • Threat can be eliminated by not allowing international dialing on lines from telephone company


Ip phone tap l.jpg
IP Phone Tap

  • Capture IP packets from Phone

    • Use Ethereal network sniffer

  • Extract audio from packets

  • Export audio file of phone call


Prevent phone tapping l.jpg
Prevent Phone Tapping

  • Encrypt voice traffic

  • Prevent attacker from capturing traffic out of a phone

    • Lock down access to network switch phone is connected to


Conclusion l.jpg
Conclusion

  • VoIP is established as the future of telephones

  • Security is critical when designing and maintaining VoIP systems

    Questions?


ad