A Survey of VoIP Security Practices in Higher Education

Network Security Effective Practices - VoIP: SIP, H.323. A Survey of VoIP Security Practices in Higher Education. H. Morrow Long Director, Information Security Yale University Educause 2007 Annual Conference Session Wednesday, October 24, 2007 11:30 a.m. - 12:45 p.m. Introductions.

Network Security Effective Practices - VoIP: SIP, H.323

A Survey of VoIP Security Practices in Higher Education

H. Morrow Long

Director, Information Security

Yale University

Educause 2007 Annual Conference Session

Wednesday, October 24, 2007 11:30 a.m. - 12:45 p.m.

Overview

This presentation will discuss a survey and informal poll of the current campus network VoIP security practices and products in higher education on both wired and wireless networks.

Agenda

  • Introduction

  • What is VoIP?

  • VoIP Threats

  • VoIP Security Checklists

  • VoIP Effective Practices in Higher Ed

  • Survey of VoIP Security in Academia

  • Discussion and Questions

VoIP Security Goes Mainstream

In 2006, VoIP Security entered the SANS Top 20 for the first time:

  • http://www.sans.org/top20/#n1

  • N1 VoIP Servers and Phones

VoIP Security Flaws Go Mainstream

2006 VoIP Security vulnerabilities:

  • Asterisk: CVE-2006-2898, CVE-2006-4345, CVE-2006-4346, CVE-2006-5444

  • Cisco Call Manager: CVE-2006-0368, CVE-2006-3594

  • VoIP Phones: CVE-2005-3717, CVE-2005-3722, CVE-2005-3723, CVE-2006-0305, CVE-2006-0374, CVE-2006-0834, CVE-2006-5038

VoIP Security Flaws Go Mainstream

2007 VoIP Security vulnerabilities:

  • Asterisk: CVE-2007-1306

  • Cisco Call Manager / IOS / PIXOS: CVE-2007-0648, SA24180/cisco-sa-20070214-fwsm, SA24179/cisco-sa-20070214-pix

  • VoIP Phones: CVE-2007-1072, CVE-2007-1062, CVE-2007-1063

What is VoIP?

  • Voice over IP

  • IP Telephony

  • Converged Data/Voice Networking

  • Unified Messaging

What is VoIP?

  • 2 Major Protocols:

    • H.323

    • SIP / SIPS

  • Popular Internet VoIP

    • Proprietary

      • Skype

      • Vonage

  • Other

    • Zfone/ZRTP (Phil Zimmermann)

  • Internet Standards related to VoIP Security:

    • IPSEC

    • SSL/TLS

    • SRTP (RFC3711)

H.323 and SIP

The 2 Major (Local and Enterprise) VoIP Protocols:

  • H.323

  • SIP

    Both protocols:

  • Are hard (but not impossible) to firewall

  • Were not designed for security…

  • Use separate signaling and media (content) channels

  • Use dynamic ports

  • Were not designed to be NAT “friendly” (embed IP addresses inside signaling/control information)

    But: H.323 is more like ISO X. protocols (uses ASN.1/PER) and SIP is more like Internet FTP/SMTP/HTTP/NNTP.

    H.323

    • Older protocol than SIP, implemented earlier

    • ITU Umbrella Standard - built of other H stds

    • First VoIP std to use RTP

    • Interoperates with ISDN PBX systems

    • Used by several voice and videoconferencing systems

    • Built into NetMeeting, other commercial and open source programs available

    • GNU Gatekeeper - accounting/authorization/NAT traversal/H.323 proxy/H.235 security

    H.235 Security

    • H.235 provides security for H.323

    • Optionally nine security profiles can be used to apply one or more of six security services (authentication, nonrepudiation, integrity, confidentiality, access control, key management) to H.225, H.245 and RTP traffic.

    “Skinny” - Cisco H.323

    • “Skinny” is Cisco’s lightweight proprietary version of H.323.

    • SCCP is the acronym for Skinny Client Control Protocol.

    • It is a lower overhead control protocol between the client and Call Manager.

    SIP - Session Initiation Protocol

    • Overtaking H.323 on LANs - many clients.

    • Created 1996. SIP 2.0 defined in RFC 2543 (1999) -- refined in RFC 3261 (2002).

    • Lightweight, text-based protocol run on top of UDP or TCP (e.g. port 5060) - mod P2P model.

    • Uses HTTP “style” status codes & email addresses.

    • Interoperates with XMPP IM (Jabber)

    • STUN & newer TURN enable SIP through NAT using public Internet servers.

    • Uses other protocols: SDR, RTP, MGCP, RTSP.

    • Can be stateful/less, client/server or P2P.

    SIP/RTP Architecture

    Credit: Practical VoIP Security, Syngress

    SIPS - Secure SIP

    • Secure SIP is a security mechanism defined by SIP

    • RFC 3261 (2002) defines Secure SIP -- a security mechanism using TLS (Transport Layer Security) to send SIP messages over an encrypted channel.

    • Fairly new, competes with IPSEC, VPNs, SRTP -- often referred to as SIP with TLS -- used when IPSEC is overkill or SIP proxies must be used.

    SRTP - Secure RTP

    • Adds message encryption, authentication, integrity and replay protection to RTP

    • Sister to SRTCP (Secure RTP Control Proto)

    • SRTP/SRTCP encryption, authentication and integrity are independent and can be disabled (“Null” encryption).

    • Single Cipher (AES), 2 modes (counter & feedback modes)

    • External Key mgt (ZRTP, Mikey, …)

      Credit: http://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol
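
The slide's point that SRTP encryption and authentication are independent and can be disabled can be checked wherever SDES carries the keys in SDP. The following Python sketch is an added example, not part of the original presentation; it assumes RFC 4568 `a=crypto` attributes, and the allowlist, function names and sample offer are constructed for illustration.

```python
import re

# SDES crypto-suites defined in RFC 4568: AES counter mode and AES f8 mode.
ALLOWED_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32",
                  "F8_128_HMAC_SHA1_80"}
# RFC 4568 session parameters that switch one protection off.
WEAKENING_PARAMS = {
    "UNENCRYPTED_SRTP": "RTP payload is not encrypted",
    "UNENCRYPTED_SRTCP": "RTCP is not encrypted",
    "UNAUTHENTICATED_SRTP": "RTP packets are not authenticated",
}
# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def split_media(sdp):
    """Split an SDP body into [(m= fields, [a= lines])], one entry per media section."""
    sections = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            sections.append((line[2:].split(), []))
        elif sections and line.startswith("a="):
            sections[-1][1].append(line)
    return sections


def audit_sdp(sdp):
    """Return (media, finding) tuples for media that is unprotected or weakened."""
    findings = []
    for fields, attrs in split_media(sdp):
        if len(fields) < 3:
            continue  # malformed m= line
        label, proto = f"{fields[0]}/{fields[1]}", fields[2]
        if proto == "RTP/AVP":
            findings.append((label, "plain RTP, media is not protected"))
            continue
        if proto != "RTP/SAVP":
            continue  # other transports are outside this check
        offers = [m for m in map(CRYPTO_RE.match, attrs) if m]
        if not offers:
            findings.append((label, "SRTP without a=crypto, keying must be external"))
        for tag, suite, _key, session in (m.groups() for m in offers):
            if suite not in ALLOWED_SUITES:
                findings.append((label, f"crypto {tag}: suite {suite} not in allowlist"))
            for param in (session or "").split():
                if param in WEAKENING_PARAMS:
                    findings.append((label, f"crypto {tag}: {param}, {WEAKENING_PARAMS[param]}"))
    return findings


# Constructed SDP offer (addresses and key material are placeholders).
SAMPLE_OFFER = """\
v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-SAMPLE-KEY-NOT-REAL
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-SAMPLE-KEY-NOT-REAL UNENCRYPTED_SRTP UNENCRYPTED_SRTCP
m=video 51372 RTP/AVP 31
"""

if __name__ == "__main__":
    for media, finding in audit_sdp(SAMPLE_OFFER):
        print(f"{media}: {finding}")
```

On the sample, the first audio offer passes, the second is flagged for both unencrypted parameters, and the video stream is flagged as plain RTP.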

    SRTP Interoperability

    • Hard IP Phones

      • Avaya, Cisco, Ericsson (&TLS), Siemens, Linksys, Snom (&TLS)

    • Soft IP phones

      • Gizmo, Kphone, Snom360 (&TLS), minisip (&TLS)

    • Hard IP PBX - Alcatel and Ericsson

    • Soft-IP-PBX - Asterisk (SIP & H323) and pbxnsip

    • SBC (Session Border Ctrlr) / SIP Firewall

      • Covergence (& SIP & H323)

      • InGate (SIP aware firewall)

        Credit: http://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol

    Zfone/ZRTP

    • Created/driven by Phil Zimmermann

    • 2nd attempt (PGPfone)

    • Designed to work with current SIP phone programs (via plug-ins).

    • Zfone is the program.

    • ZRTP is an extension to RTP (Real-time Transport Protocol) providing secure real-time transport to secure sessions (SIP, H.323, etc.) already established.

      • Keys are transmitted and managed outside the std signaling.

      • Protection against MitM (man in the Middle) attacks.

    Skype

    • Peer to Peer Model

    • Supernodes route traffic for other calls

    • Can be blocked and bandwidth managed

    • Outlawed at some institutions

    • Proprietary strong encryption

    • Non-CALEA compliance?

    More VoIP Terminology

    • “Presence” (R U there?)

    • Convergence (Data + Voice = Synergy)

    • Voice Messaging

    • Unified Messaging Systems

    More VoIP Acronyms

    • ACD Automatic Call Distribution (Call Ctr)

    • IVR Interactive Voice Response

    • ICE Interactive Connectivity Establishment

    • RSVP Resource Reservation Protocol

    • RTSP Real Time Streaming Protocol

    • SDP Session Discovery Protocol

    • STUN Simple Traversal of UDP through NAT

    • TLS Transport Layer Security (ala SSLv3)

    • TURN Traversal Using Relay NAT

    • TTS Text-to-speech server

    Non-Cyber Security-related VoIP Issues

    • 911 - where does 911 ring?

    • E-911 - need to provide location information?

    • Emergency access -

      • during network or power outages

        • Use Power-over-Ethernet (PoE AKA IEEE 802.3af) cabling

        • Provide at least the minimal # of land lines per # rooms (e.g. or as required by law)

    PBX System Components

    • PSTN

    • Endpoints (Phones, Faxes, Modems.)

    • Lines (e.g. Station lines)

    • Trunks

    • Remote PBXes

    • Adjuncts (VM, ACD, IVR, …)

    • CDR (Call Detail Recording)

    • Voice/PBX Firewalls

    VoIP System Components

    • Media Gateways -- e.g. to PSTN/PBXes

    • Endpoints (User Agents): softphones, IM/Video/VoIP/ATA (Analog Telephone Adapter)

    • Media Servers (VM, ACD, IVR, TTS, VC)

    • H.323 Gatekeepers

    • SIP Registration, Redirect Servers

    • SIP Proxy Servers

    • Firewalls/ALGs

    VoIP Threats

    • VoIP Networks have many of the same threats to security, privacy and reliability as data networks do, but they also bring in the problems of the telephone system and have some special threats all their own.

    • Converged networks can combine threats from the data and VoIP world -- making the new network less secure (in the opinion of some).

    • Data network people are afraid VoIP infrastructure will weaken the security of their data network and the voice/telecom people feel the same about data / IP networks.

    Other VoIP Architectures

    • Skype

    • IAX

    • H.248

    • Microsoft Live Communication Server 2005 (MLCS)

      • TLS between client and server

      • Mutual TLS server-to-server

    VoIP vs. PSTN

    • Remember that “POTS” telephones have little security -- ordinary phone conversations are not encrypted and can be tapped or eavesdropped.

    • You can actually have better security using VoIP IF you use strong encryption (and a good implementation).

    VoIP Threats

    • DDoS / DoS Attacks

      • ICMP Flood (eg ‘pings’) to Phone or Call Mgr

    • Unauthorized Access

    • Toll Fraud

    • Voicemail hacking

    • Eavesdropping (Call and/or Control)

    • Call Hijacking

    • Application Level Attacks

      Credit: Juniper Networks

    IP Network Threats

    • Ethernet, IP and DNS address spoofing

    • ARP and DNS Cache Poisoning

    • Quantity-based packet flooding

    • Stack DoS attacks

    • VLAN “jumping”

    • QoS / prioritization attacks

    Organizing VoIP Threats

    Standard IP Network Threats

    (to the CIA triad)

    • C - Confidentiality

    • I - Integrity

    • A - Availability

    Organizing VoIP Threats

    Advanced IP Network Issues/challenges

    (triple A)

    • A - Authentication

    • A - Authorization

    • A - Accounting

    Application-Specific VoIP Threats

    • “Phone” spoofing - registering a SIP client with someone else's identifier (no auth.).

      • a successful attack would cause the similarly registered phone to ring when someone called the legitimate owner of the number.

        Credit: Jeremy George, Yale University

    Threat to Confidentiality

    • Programs exist to listen to SIP and other VoIP streams (and record them).

    • It is possible to capture packets on switched networks (by overflowing ARP tables, poisoning ARP caches, etc.).

    • Encryption should be used but has side effects on latency and on sound quality (packetization and compression chunking can lead to clipped staccato speech).

    Application-Specific VoIP Threats

    • Caller-ID / ANI “Spoofing” (faking source #)

      • Trivial to do -- don’t trust Caller-ID -- OK to screen w/

        Credit: Jeremy George, Yale University

    Threat to Integrity

    • It is possible to ‘hijack’ sessions.

    • It is possible to modify voice over IP streams.

    • Once again, use encryption (or at least cryptographic integrity checks) to prevent this.

    Application-Specific VoIP Threats

    • MitM “spoofing”

      • CALEA is a ‘legit’ application of this.

      • DoS attacks are known immediately by communicating parties

      • Call content is neither overheard nor compromised.

      • Some proxies have logic in them that identifies a likely DoS attack and discard those packets (ask your vendor!).

      • Encryption is the best protection against MitM spoofing.

        Credit: Jeremy George, Yale University

    Threats to Availability

    • Quality of Service (QoS) problems:

      • Latency - time for traffic to go from source to destination (one-way and round-trip). 150ms is Max RTT for PSTN. VoIP at 400ms is at outer limit of tolerable range.

      • Jitter - variability in latency and out-of-order packet arrival times. Buffering can help here.

      • Packet Loss - results in gaps in communication.

    Application-Specific VoIP Threats

    • “Special” DoS (Denial of Service) attacks

      • high volume flood of SIP INVITEs

      • high volume flood of SIP REGISTER commands

      • Control Packet / Call Data Floods

      • Packet Replay / Injection / Modification

        Credit: Jeremy George, Yale University
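
A detection sketch for the INVITE and REGISTER floods listed above, added here as an example and not part of the original presentation. The log line format, the 10-second window, the threshold of 20 and the sample addresses are assumptions for illustration.

```python
from collections import defaultdict, deque

WATCHED = {"INVITE", "REGISTER"}  # the two request floods named on the slide


def parse_line(line):
    """Parse '<epoch-seconds> <source-ip> <SIP request line>' (constructed log format)."""
    parts = line.split(None, 3)
    if len(parts) < 4:
        return None
    try:
        return float(parts[0]), parts[1], parts[2].upper()
    except ValueError:
        return None


def find_floods(lines, window=10.0, threshold=20):
    """Return {(source, method): peak count} for sources that sent more than
    `threshold` watched requests inside any `window`-second span.
    Lines must be in time order; window and threshold are assumed tuning values."""
    recent = defaultdict(deque)   # (source, method) -> timestamps still in window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] not in WATCHED:
            continue
        ts, src, method = rec
        q = recent[(src, method)]
        q.append(ts)
        while ts - q[0] > window:   # drop timestamps that left the window
            q.popleft()
        if len(q) > threshold:
            peaks[(src, method)] = max(peaks.get((src, method), 0), len(q))
    return peaks


def sample_log():
    """Constructed traffic: one phone re-registering normally plus two noisy sources."""
    lines = [f"{1000 + 60 * i:.1f} 10.20.0.15 REGISTER sip:pbx.example.org SIP/2.0" for i in range(5)]
    lines += [f"{1100 + 0.1 * i:.1f} 10.20.0.99 INVITE sip:4321@pbx.example.org SIP/2.0" for i in range(50)]
    lines += [f"{1200 + 0.2 * i:.1f} 10.20.0.77 REGISTER sip:pbx.example.org SIP/2.0" for i in range(30)]
    lines += [f"{1100 + i:.1f} 10.20.0.15 OPTIONS sip:pbx.example.org SIP/2.0" for i in range(40)]
    return sorted(lines, key=lambda l: float(l.split()[0]))


if __name__ == "__main__":
    for (src, method), peak in find_floods(sample_log()).items():
        print(f"{src} sent {peak} {method} requests within 10 s")
```

The phone that re-registers once a minute and the OPTIONS traffic are not reported; only the two sources exceeding the threshold are.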

    Application-Specific VoIP Threats

    • “BID attacks on SIPS”

      • Get SIPS devices to downgrade to ordinary SIP

        Credit: Jeremy George, Yale University

    Application-Specific VoIP Threats

    • Rogue SIP Proxies

      • Impersonate a proxy to a User-Agent

        Credit: Practical VoIP Security, Syngress

    VoIP Security Checklist

    Practical VoIP Security “high level short list”:

    • Create, publish and enforce security policies.

    • Practice rigorous physical security.

    • Verify user identities.

    • Actively monitor logs, firewalls & IDSes.

    • Logically segregate data & voice traffic.

    • Harden OSes.

    • Encrypt whenever and whatever you can.

    VoIP Security Checklist

    Juniper Best Practices Security Measures

    1. Maintain Current Patch Levels

    2. Install a Good Anti-Virus System and Update it Regularly

    3. Apply State-of-the-Art Intrusion Detection and Prevention Systems

    4. Install Application-Layer Gateways between Trusted and Untrusted Zones.

    5. Enforce SIP security by means of Authentication, Authorization and IPSec

    6. Establish Policy-Based Security Zones to Isolate VoIP Segments.

    7. Run VoIP Traffic on VPNs to Minimize Eavesdropping Risk on Critical Segments.

    8. Use VLANs to Prioritize and Protect Voice Traffic from Data Network Attacks

    9. Apply Encryption Selectively

    10. Protect Against UDP Flooding

    11. Develop a Holistic Security Program

    Meta Group Checklist

    IP Telephony-Specific Security Features

    The Call Control Server

    • Harden/Strip down OS.

    • Use secure OS.

    • Authenticate & authorize all user & device access to servers.

    • Require strong authentication for all configuration and software upgrades.

    • Should support app level signaling message auth.

    • Should support call setup info encryption.

    Meta Group Checklist

    IP Telephony-Specific Security Features

    The Voice Gateway:

    • Require strong authentication for all configuration and software upgrades.

    • Provide DoS protection on IP interface.

    • Should be configured to route calls only via the call control server.

    • Secure OS w/anti-virus AND host-based IDS.

    • Should support call setup info and media (voice content) encryption.

    • Should support a media (voice content) protocol authentication on a per-packet basis.

    Meta Group Checklist

    IP Telephony-Specific Security Features

    The IP Phone:

    • Must authenticate itself to the call control server or a proxy server upon initial registration

    • Must support strong authentication for any remote configuration and software upgrades.

    • Should support a configurable access control list to control any incoming traffic (e.g. H.323/SIP, RTP, HTTP, FTP, DHCP).

    • When supporting an additional Ethernet port for PC connectivity, should have this implemented via a switching function combined with VLAN functionality.

    • Should support encryption of both call setup info and media as needed. Using encryption can add an additional end-to-end delay on each media packet.

    VoIP Security Checklist

    Detailed and Specific list:

    • Use a separate VLAN with 802.1p/q QoS w/priority VLAN tagging for the VoIP network.

    • Use a private (RFC1918) IP network for the VoIP LAN.

    • Use NAT and/or proxies to hide internal addresses.

    • Use a firewall (packet filtering or ALG) to protect & connect the VoIP network to the data IP network.

    • Use an IDS or IPS to examine the traffic allowed through the firewall (may be built into the firewall).

    • Use TLS to protect SIP and SRTP to protect RTP.

    • Use NAC, 802.1X & RADIUS auth & SIP-aware FW.

    Listservs & Newsgroups

    • EDUCAUSE Security Discussion Listserv


    • VOIPSA Best Practices Working Group


    • VOIPSA Best Practices WG List http://voipsa.org/mailman/listinfo/bestpractices_voipsa.org

    • NIST Publication Mailing list


    VoIP Security Effective Practices in Higher Ed

    One anonymous school:

    • Uses separate VLAN, L2 switches and RFC1918 IP addresses for VoIP network.

    • Provides separate connections (and bandwidth) to each building with VoIP.

    • Softphones can participate from regular campus LAN (aren’t required to use a 2nd NIC on the VoIP network).

    VoIP Security Effective Practices in Higher Ed

    A 2nd anonymous school:

    • Has enterprise Polycom gateways (a bunch of them) that have priority in QoS on the routers.

    • Allows traffic via ports inbound on the above routers for this ‘legit’ traffic.

    • Doesn’t restrict H.323.

    • Blocks SIP and Vonage because they don’t open the inbound ports.

    • Packet8 and other SIP applications which use STUN work fine (because of tunneling).

    • Skype is a problem (particularly Supernodes at times).

    Survey

    • http://www.surveymonkey.com/s.asp?u=822993567486

    VoIP Higher Ed Security Survey

    Which VoIP Security mechanisms do[n’t] you use?

    • Use H.235 for H.323 security profiles (for H.225, H.245 and RTP traffic).

    • Use SIPS (Secure SIP - RFC3261 - SIP over TLS).

    • Don't allow SRTP with null cipher (e.g. don't allow use of SRTP for just authentication).

    • Use zRTP for key management.

    • Use Mikey for key mgt/exchange.

    • Use SDES for key exchange.

    • Use SRTCP for authentication.

    • Use SRTCP for encryption.

    • IPSEC to secure MGC (Media Gateways/Controllers) communication.

    • Use of separate physical LAN(s) for VoIP for segregation from data IP network.

    VoIP Higher Ed Security Survey

    Which VoIP Security mechanisms do[n’t] you use?

    • Use of IPS between VoIP network and data IP network.

    • Use of IDS between VoIP network and data IP network.

    • Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones.

    • Softphones require the use of the separate VoIP network (physical LAN, VLAN, subnet address, etc.) from the data IP network.

    • Softphones are allowed with IPSEC transport mode.

    • Softphones are allowed with IPSEC VPNs.

    • Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones.

    • Allow NAT traversal via STUN or TURN Internet proxies.

    • Provide separate dedicated bandwidth for VoIP traffic to the Internet.

    Survey

    • http://www.surveymonkey.com/s.asp?u=822993567486

    Wrap Up

    • Question & Answer

    • Session Evaluation & Feedback

    Contact Info

    • H. Morrow Long

    • morrow.long@yale.edu

    • Security.yale.edu

    Credits

    • Cisco - Configuring SIP High Availability Applications, http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/vvfax_c/callc_c/sip_c/sipha_c/hachap2.htm

    • Jeremy George, Yale University, “SIP.edu Cookbook - Security Considerations”, http://mit.edu/sip/sip.edu/security.shtml

    • Deb Shinder, 2006/12/1 “Make a SIP-based VoIP network more secure”, http://articles.techrepublic.com.com/5100-1035_11-6145231.html?part=rss&tag=feed&subj=tr

    • Deb Shinder, 2007/1/7 “Take a multi-layered approach to VoIP security”, http://articles.techrepublic.com.com/5100-1035_11-6145231.html?part=rss&tag=feed&subj=tr

    • Jose J. Valdes, Jr., Colorado State University “Voice over Internet Protocol (VoIP) Security”, Net@Edu Conference, ICS – Wireless Group Meeting, Tempe, Arizona, February 6, 2005

    Credits

    • Practical VoIP Security by Larry Chaffin, Jan Kanclirz, Jr., Thomas Porter, Choon Shim, Andy Zmolek, Syngress, March 2006

    • Wikipedia (pages on H.323, SIP, SRTP, ZRTP, Zfone, etc.)

    This has been a chalk outline™ production.