Security of SIP-based Voice over IP (VoIP) in enterprise networks

Christina Chalastanis

Agenda

  • Importance of VoIP security in enterprises

  • Threat & Risk Analysis of VoIP in enterprises

  • Securing enterprise VoIP systems

  • Security concepts for SIP mobility in hosted VoIP deployments

  • Conclusion

November 30th, 2006

Supervisors at Alcatel SEL

Dr. S. Rupp

Dipl.-Ing. F.J. Banet

Supervisors at Universität Stuttgart

Prof. Dr. P. Kühn (IKR)

Dipl.-Ing. A. Gutscher (IKR)

Dipl.-Ing. M. Neubauer


VoIP security in full bloom

  • Voice over IP Security Alliance (VOIPSA) in early 2005

  • VoIP servers and IP phones in the “Top 20 Internet Security Attack Target List” (SANS Institute) in mid-November, 2006

  • Massive publication in 2005 and 2006 of

    • White papers

    • Recommendations

    • Articles

  • New software tools for VoIP attacks

  • Emergence of new role in enterprises: VoIP administrator


Importance of VoIP security in enterprise networks

  • Popularity of VoIP increasing in enterprises

  • Security often considered as secondary, but fundamental

  • Lack of confidence of enterprises about level of VoIP security

  • However, VoIP security not utopian

  • Importance of thorough tailored analysis of threats and risks

  • VoIP certainly a preferred target of attackers

    => VoIP security major concern for vendors, manufacturers, researchers, service providers



Hybrid model of VoIP deployment

PBX = Private Branch Exchange; IP-PBX = Internet Protocol Private Branch Exchange


Threat analysis: characterization of the VoIP system

PBX = Private Branch Exchange; IP-PBX = Internet Protocol Private Branch Exchange


Threat & Risk analysis: process

[Table not preserved. Headers: likelihood; impact; int./ext; risk]

I = Internal; H = High; M = Medium; M+ = Medium-to-high

  • Distinction of threats:

    • Network-based

    • Application-based

    • Wireless VoIP

    • Mobility

  • Process:

    • VOIPSA Taxonomy used as a frame

    • Schneier's attack tree model

  • Assessment:

    • Likelihood = motivation × difficulty

      [× existing protective measures]

    • Risk = likelihood × impact
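
An added worked example (not part of the original slides) of the assessment above: a small Schneier-style attack tree whose leaves are scored with Likelihood = motivation × difficulty [× existing protective measures] and whose root is rated with Risk = likelihood × impact. The 1-3 scales, the reading of "difficulty" as ease of attack, the max/min gate rules, the mitigation factors and the sample tree are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Node:
    """Attack-tree node: a scored leaf, or an OR/AND gate over children."""
    name: str
    gate: str = "LEAF"            # "LEAF", "OR" or "AND"
    children: List["Node"] = field(default_factory=list)
    motivation: int = 1           # assumed scale: 1 (low) .. 3 (high)
    ease: int = 1                 # "difficulty" read as ease: 3 = easy
    mitigation: float = 1.0       # 1.0 = no protective measure in place


def likelihood(node: Node) -> float:
    """Leaf: motivation x difficulty [x existing protective measures].
    OR gate: the most likely branch; AND gate: the least likely step."""
    if node.gate == "LEAF":
        return node.motivation * node.ease * node.mitigation
    scores = [likelihood(child) for child in node.children]
    return max(scores) if node.gate == "OR" else min(scores)


def risk(node: Node, impact: int) -> float:
    """Risk = likelihood x impact (impact on the same assumed 1..3 scale)."""
    return likelihood(node) * impact


def eavesdropping_tree(vlan_factor: float = 1.0, media_factor: float = 1.0) -> Node:
    """Constructed sample tree; the factors model measures named on the
    slides (voice/data VLAN segregation, encryption of the RTP stream)."""
    reach_path = Node("Reach the voice traffic path", "OR", [
        Node("Voice and data share one VLAN", motivation=3, ease=3,
             mitigation=vlan_factor),
        Node("Stolen laptop of a mobile worker", motivation=2, ease=2,
             mitigation=0.5),
    ])
    clear_media = Node("RTP media stream is unencrypted", motivation=3,
                       ease=2, mitigation=media_factor)
    return Node("Call is eavesdropped", "AND", [reach_path, clear_media])


if __name__ == "__main__":
    for label, tree in [("baseline", eavesdropping_tree()),
                        ("VLANs + encrypted RTP", eavesdropping_tree(0.5, 0.25))]:
        print(f"{label}: likelihood={likelihood(tree)}, risk={risk(tree, 3)}")
```

Because the root is an AND gate, segregating the VLANs alone lowers the risk only as far as the second leaf allows; encrypting the media stream then becomes the limiting step.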



Overview of security technical solutions

  • Encryption of SIP signalling stream and RTP media stream

  • SIP authentication mechanisms

  • SIP-aware firewalls

  • SPIT prevention

  • VoIP Virtual Private Networks (VPNs)

  • Voice over WLAN (VoWLAN): WPA2 (802.11i standard)

  • However: protocols not always implemented in products, interoperability problems, traditional firewalls, vulnerabilities in architectures


Comparison of four major sets of recommendations for VoIP security: Institutions

  • NIST = National Institute of Standards and Technology (USA) “Security considerations for Voice over IP systems” (Jan. 2005)

  • BSI = Federal Office for Security in Information Technology (Germ.) “VoIPsec – Studie zur Sicherheit von Voice over Internet Protocol” (Oct. 2005)

  • NSA = National Security Agency (USA) “Security Guidance for Deploying IP Telephony Systems” (Feb. 2006)

  • DISA = Defense Information Systems Agency (USA) “Internet Protocol Telephony & Voice over Internet Protocol – Security Technical Implementation Guide – version 2” (Apr. 2006)


Comparison of four major sets of recommendations for VoIP security: Approaches

  • Classification of recommendations

    • Areas of network infrastructure (NSA)

    • Critical points like physical protection, policies for softphones, call privacy and confidentiality, and others (DISA)

  • Granularity and depth

    • Superficial (NIST)

    • Very detailed (BSI, NSA, DISA); it depends on the topics

  • Categorization of security levels

    • Security levels defined by the strength of mitigation (NSA)

    • Security levels defined by the vulnerability severity they have to mitigate (DISA, BSI)

  • Focus on particular topics


Comparison of four major sets of recommendations for VoIP security: Extract (1/2)

[Table not preserved. Headers: Level of security; DISA; BSI; NIST; NSA]

NM = Not mentioned; H = High; M = Medium


Comparison of four major sets of recommendations for VoIP security: Extract (2/2)

[Table not preserved. Headers: Level of security; DISA; BSI; NIST; NSA]

NM = Not mentioned; H = High; M = Medium; no = disagree


Comparison of four major sets of recommendations for VoIP security: Results

  • Points of divergence:

    • Subdivision of voice VLAN into further VLANs: number?

    • Softphones: for which level of security?

    • Configuration of IP phones at the terminal or through a web interface?

  • Common points:

    • Physical protection of VoIP servers:

      • physically secured areas

      • access only to authorized personnel

      • Protection against power cuts

    • Data and voice segregation:

      • at least, 1 voice VLAN & 1 data VLAN

      • Subdivision in “producing VLAN” and “consuming VLAN”

      • Dedicated DHCP and AAA servers for VoIP

    • VoIP network protection and internal traffic control

      • Network Intrusion Detection Systems (NIDS) connected to each switch port

      • L3 & 4 firewall between voice and data VLANs

    • Call privacy and confidentiality: VoIP VPNs over the Internet




Setting the problem


Comparison of solutions

Solution 1: VPN to the VoIP service provider

  • Mobile workers perceived as external by hosted IP-PBX

  • Possible configuration of hosted PBX to restrict access to some services => impact of laptop theft lower

Solution 2: VPN to the enterprise

  • Mobile workers perceived as internal by hosted IP-PBX

  • Impact of laptop theft higher: attacker accesses all services as an internal worker

  • Several hops: QoS of voice can be worse


Conclusion

  • Summary

    • Modelling of the VoIP migration steps in enterprises

    • Identification of VoIP-specific security requirements

    • Comparison of taxonomies

    • Identification and classification of threats using Schneier's attack trees and the VOIPSA taxonomy

    • Comparison of recommendations published by major institutions

    • New topic: security in hosted VoIP deployments supporting mobile workers

  • Conclusions

    • Confidentiality/Privacy & Integrity/Authenticity most important VoIP security requirements

    • VOIPSA Threat Taxonomy: best frame for threat analysis

    • DISA and NSA recommendations: most helpful to enterprises

    • Small enterprises: ask appropriate questions to VoIP service providers about security mechanisms in hosted solutions

  • Further work:

    • Deeper study of the hosted VoIP deployment supporting mobility and optimization of solutions

