security of sip based voice over ip voip in enterprise networks l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Security of SIP-based Voice over IP (VoIP) in enterprise networks PowerPoint Presentation
Download Presentation
Security of SIP-based Voice over IP (VoIP) in enterprise networks

Loading in 2 Seconds...

play fullscreen
1 / 19

Security of SIP-based Voice over IP (VoIP) in enterprise networks - PowerPoint PPT Presentation


  • 493 Views
  • Uploaded on

Security of SIP-based Voice over IP (VoIP) in enterprise networks. Christina Chalastanis. Agenda Importance of VoIP security in enterprises Threat & Risk Analysis of VoIP in enterprises Securing enterprise VoIP systems Security concepts for SIP mobility in hosted VoIP deployments

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Security of SIP-based Voice over IP (VoIP) in enterprise networks' - Roberta


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
security of sip based voice over ip voip in enterprise networks

Security of SIP-based Voice over IP (VoIP) in enterprise networks

Christina Chalastanis

  • Agenda
  • Importance of VoIP security in enterprises
  • Threat & Risk Analysis of VoIP in enterprises
  • Securing enterprise VoIP systems
  • Security concepts for SIP mobility in hosted VoIP deployments
  • Conclusion

November 30th, 2006

Supervisors at Alcatel SEL

Dr. S. Rupp

Dipl.-Ing. F.J. Banet

Supervisors at Universität Stuttgart

Prof. Dr. P. Kühn (IKR)

Dipl.-Ing. A. Gutscher (IKR)

Dipl.-Ing. M.Neubauer

voip security in full bloom
VoIP security in full bloom
  • Voice over IP Security Alliance (VOIPSA) in early 2005
  • VoIP servers and IP phones in the “Top 20 Internet Security Attack Target List” (SANS Institute) in mid-November, 2006
  • Massive publication in 2005 and 2006 of
    • White papers
    • Recommendations
    • Articles
  • New software tools for VoIP attacks
  • Emergence of new role in enterprises: VoIP administrator
importance of voip security in enterprise networks
Importance of VoIP security in enterprise networks
  • Popularity of VoIP increasing in enterprises
  • Security often considered as secondary, but fundamental
  • Lack of confidence of enterprises about level of VoIP security
  • However, VoIP security not utopian
  • Importance of thorough tailored analysis of threats and risks
  • VoIP certainly target of predilection of attackers

=> VoIP security major concern for vendors, manufacturers, researchers, service providers

hybrid model of voip deployment
Hybrid model of VoIP deployment

PBX= Private Exchange Branch IP-PBX=Internet Protocol Private Exchange Branch

threat analysis characterization of the voip system
Threat analysis: characterization of the VoIP system

PBX= Private Exchange Branch IP-PBX=Internet Protocol Private Exchange Branch

threat risk analysis process

likelihood

Threat & Risk analysis: process

impact

int./ext

risk

  • Distinction of threats:
    • Network-based
    • Application-based
    • Wireless VoIP
    • Mobility

I= Internal H= High M=Medium M+=Medium-to-high

  • Process:
    • VOIPSA Taxonomy used as a frame
    • Schneier’ attack tree model
  • Assessment:
    • Likelihood = motivation ´difficulty

[ ´ existing protective measures]

    • Risk = likelihood ´ impact
overview of security technical solutions
Overview of security technical solutions
  • Encryption of SIP signalling stream and RTP media stream
  • SIP authentication mechanisms
  • SIP-aware firewalls
  • SPIT prevention
  • VoIP Virtual Private Networks (VPNs)
  • Voice over WLAN (VoWLAN): WPA2 (802.11i standard)
  • However: protocols not always implemented in products, interoperability problems, traditional firewalls, vulnerabilities in architectures
comparison of four major sets of recommendations for voip security institutions
Comparison of four major sets of recommendations for VoIP security : Institutions
  • NIST = National Institute of Standards and Technology (USA) “Security considerations for Voice over IP systems” (Jan. 2005)
  • BSI = Federal Office for Security in Information Technology (Germ.) “VoIPsec – Studie zur Sicherheit von Voice over Internet Protocol” (Oct. 2005)
  • NSA = National Security Agency (USA)“Security Guidance for Deploying IP Telephony Systems” (Feb. 2006)
  • DISA = Defense Information Systems Agency (USA)“Internet Protocol Telephony & Voice over Internet Protocol – Security Technical Implementation Guide – version 2” (Apr. 2006)
comparison of four major sets of recommendations for voip security approaches
Comparison of four major sets of recommendations for VoIP security: Approaches
  • Classification of recommendations
      • Areas of network infrastructure (NSA)
      • Critical points like physical protection, policies for softphones, call privacy and confidentiality, and others (DISA)
  • Granularity and depth
      • Superficial (NIST)
      • Very detailed (BSI, NSA, DISA); it depends on the topics
  • Categorization of security levels
      • Security levels defined by the strength of mitigation (NSA)
      • Security levels defined by the vulnerability severity they have to mitigate (DISA, BSI)
  • Focus on particular topics
comparison of four major sets of recommendations for voip security extract 1 2
Comparison of four major sets of recommendations for VoIP security: Extract (1/2)

Level of security

DISA

BSI

NIST

NSA

NM = Not mentioned H = High M = Medium

comparison of four major sets of recommendations for voip security extract 2 2
Comparison of four major sets of recommendations for VoIP security: Extract (2/2)

Level of security

DISA

BSI

NIST

NSA

NM = Not mentioned H = High M = Medium no=disagree

comparison of four major sets of recommendations for voip security results
Comparison of four major sets of recommendations for VoIP security: Results
  • Points of divergence:
      • Subdivision of voice VLAN into further VLANs: number?
      • Softphones: for which level of security?
      • Configuration of IP phones at the terminal or through a web interface?
  • Common points:
      • Physical protection of VoIP servers:
        • physically secured areas
        • access only to authorized personnel
        • Protection against power cuts
      • Data and voice segregation :
        • at least, 1 voice VLAN & 1 data VLAN
        • Subdivision in “producing VLAN” and “consuming VLAN”
        • Dedicated DHCP and AAA servers for VoIP
      • VoIP network protection and internal traffic control
        • Network Intrusion Detection Systems (NIDS) connected to each switch port
        • L3 & 4 firewall between voice and data VLANs
      • Call privacy and confidentiality: VoIP VPNs over the Internet
comparison of solutions
Comparison of solutions

Solution 2: VPN to the enterprise

Solution 1: VPN to the VoIP service provider

  • Mobile workers perceived as external by hosted IP-PBX
  • Possible configuration of hosted PBX to restrict access to some services => impact of laptop theft lower
  • Mobile workers perceived as internal by hosted IP-PBX
  • Impact of laptop theft higher: attacker access all services as an internal worker
  • Several hops: QoS of voice can be worse
conclusion
Conclusion
  • Summary
    • Modelling of the VoIP migration steps in enterprises
    • Identification of VoIP-specific security requirements
    • Comparison of taxonomies
    • Identification and classification of threats using the Schneier’s attack trees and the VOIPSA taxonomy
    • Comparison of recommendations published by major institutions
    • New topic: security in hosted VoIP deployments supporting mobile workers
  • Conclusions
    • Confidentiality/Privacy & Integrity/Authenticity most important VoIP security requirements
    • VOIPSA Threat Taxonomy: best frame for threat analysis
    • DISA and NSA recommendations: most helpful to enterprises
    • Small enterprises: ask appropriate questions to VoIP service providers about security mechanisms in hosted solutions
  • Further work:
    • Deeper study of the hosted VoIP deployment supporting mobility and optimization of solutions