h 323 hardware and software vulnerabilities l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
H.323 Hardware and Software Vulnerabilities PowerPoint Presentation
Download Presentation
H.323 Hardware and Software Vulnerabilities

Loading in 2 Seconds...

play fullscreen
1 / 35

H.323 Hardware and Software Vulnerabilities - PowerPoint PPT Presentation


  • 209 Views
  • Uploaded on

H.323 Hardware and Software Vulnerabilities. Jeremy Freeman Brian Leger Robert Muller . Agenda. H.323 and Convergence Software Vulnerabilities Hardware Vulnerabilities Wrap Up. Convergence and H.323. Convergence.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'H.323 Hardware and Software Vulnerabilities' - daphne


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
h 323 hardware and software vulnerabilities

H.323Hardware and SoftwareVulnerabilities

Jeremy Freeman

Brian Leger

Robert Muller

H.323: Hardware and Software Vulnerabilities

agenda
Agenda
  • H.323 and Convergence
  • Software Vulnerabilities
  • Hardware Vulnerabilities
  • Wrap Up

H.323: Hardware and Software Vulnerabilities

convergence and h 323

Convergence and H.323

H.323: Hardware and Software Vulnerabilities

convergence
Convergence

“The capability of one public network to carry all types of traffic – voice, data, and video – as packets.”

- The Essential Guide to Telecommunications, 3rd Edition. Annabel Z. Dodd.

H.323: Hardware and Software Vulnerabilities

voice over ip
Voice over IP
  • Started in 1995
  • PC to PC
  • A few companies using proprietary software
    • Net2Phone
    • VocalTec
    • Dialpad

H.323: Hardware and Software Vulnerabilities

voice over ip6
Voice over IP
  • Significant savings to businesses
    • Less expensive moves, adds and changes (MACs)
    • Reduced personnel
    • Lower infrastructure and management costs
  • Significant savings for everyone
    • Lower long distance charges, especially overseas

H.323: Hardware and Software Vulnerabilities

voice over ip7
Voice over IP

Growth of International VoIP traffic

H.323: Hardware and Software Vulnerabilities

interoperability
Interoperability

The issue is whether to cling to incompatible

proprietary systems

OR

To embrace universal standards?

The answer is clear:

  • H.323 (ITU-T)
  • SIP (IETF)

H.323: Hardware and Software Vulnerabilities

h 323
H.323
  • H.323 is an umbrella protocol used to transmit real time multimedia over packet-based networks.
  • Its goal is to provide reliable quality of service and delivery over an IP network that does not guarantee either.

H.323: Hardware and Software Vulnerabilities

h 323 security h 235
H.323 Security: H.235

Specifies security requirements for (H.323

and H.245-based) multimedia terminals.

Four security services are covered:

  • Authentication
  • Integrity
  • Privacy
  • Non-repudiation

H.323: Hardware and Software Vulnerabilities

h 323 entities
H.323 Entities
  • Terminals
  • Gateways
  • Multipoint control units (MCUs)
  • Gatekeepers

H.323: Hardware and Software Vulnerabilities

h 323 terminal
H.323 Terminal

Endpoint in the H.323 network

  • Multimedia PC
  • Stand-alone device
  • Even a simple telephone

H.323: Hardware and Software Vulnerabilities

h 323 gateway
H.323 Gateway

Gateway provides:

  • Control signaling translation
  • Audio/video codec translation
  • Data format translation
  • Call setup/termination functionality on both sides of the network

H.323: Hardware and Software Vulnerabilities

h 323 mcu
H.323 MCU

Multipoint control units (MCUs)

  • Mediates multi-party (3 or more endpoints in an H.323 network
  • Required only if multiparty conferences are desired

H.323: Hardware and Software Vulnerabilities

h 323 gatekeeper
H.323 Gatekeeper
  • The “brains” of an H.323 network
  • Manages a single ‘zone’
  • All of the devices in that zone must register with the gatekeeper:
    • terminals,
    • gateways
    • MCUs
    • routers

H.323: Hardware and Software Vulnerabilities

h 323 network
H.323 Network

H.323: Hardware and Software Vulnerabilities

software vulnerabilities

Software Vulnerabilities

H.323: Hardware and Software Vulnerabilities

cert bulletin
CERT Bulletin
  • CERT Advisory CA-2004-01
    • Multiple H.323 Message Vulnerabilities
    • January 2004
  • Submitted by U.K.’s National Infrastructure Security Coordination Centre (NISCC)
  • Exploitation of Vulnerabilities
    • DoS
    • Execution of Malicious Code

H.323: Hardware and Software Vulnerabilities

h 225 0 call setup phase
H.225.0Call Setup Phase

H.323: Hardware and Software Vulnerabilities

h 225 0 call setup phase20
H.225.0Call Setup Phase
  • End Points listen on port 1720 for incoming calls.
  • No security at this point.
  • Malformed messages will cause the receiver to either hang or crash.
  • OUSPG testing suite.

H.323: Hardware and Software Vulnerabilities

ouspg test suite
OUSPG Test Suite
  • Oulu University Secure Programming Group (OUSPG)
    • Finland, January 2004
    • Also developed test suite for SNMP in 2002.
  • PROTOSTest Suite c07-h2250v4
  • Developed to expose vulnerabilities in the H.323 protocol (specifically H.225.0)
  • Exercises all of the fields in the H.225.0 protocol
  • 4500+ test cases.
  • http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4

H.323: Hardware and Software Vulnerabilities

microsoft
Microsoft
  • January 2004 Security bulletin MS04-001
  • Buffer overflow in ISA Server 2000 Firewall Service
  • Crashes the system!!
  • Workarounds
    • Access lists for port 1720
    • Block 1720
      • Cuts off VoIP to the outside world!

H.323: Hardware and Software Vulnerabilities

cisco
Cisco
  • “Security Advisory: Vulnerabilities in H.323 Message Processing”
  • Internetwork Operating System (IOS) software
  • Same issues as MS
    • Buffer overflow
  • Cisco recommends Upgrade!!! ASAP!!
    • Blocking 1720 and access list will work too.

H.323: Hardware and Software Vulnerabilities

mitigating these problems
Mitigating These Problems
  • Code Reviews
  • Spiral Methodology
  • Time to release and schedule pressures cut into testing extreme cases.

H.323: Hardware and Software Vulnerabilities

hardware vulnerabilities

Hardware Vulnerabilities

H.323: Hardware and Software Vulnerabilities

hardware vulnerabilities26
Hardware Vulnerabilities
  • Firewalls
  • Vendor products
  • I blame software!

H.323: Hardware and Software Vulnerabilities

firewalls
Firewalls
  • Both ends need to be configured for H.323
  • “Phase I: H.323 terminal (A) starts by sending a “Setup message” to another H.323 terminal (B) containing its destination address. Terminal (B) responds by sending a Q.931 “Alerting message” followed by a “Connect message” if the call is accepted. During this first phase of call signaling, the only port used for communication is TCP port 1720. If the destination terminal accepts the call, the second phase of negotiations using the H.245 protocol begin.
  • Phase II: During the H.245 negotiations, both terminals will exchange their terminal capabilities. The terminal capabilities include media type, codec choices, and multiplex information. Each terminal will respond with a “terminal Capability Set Ack message”. The terminals’ capabilities may be resent at any time during the call.

H.323: Hardware and Software Vulnerabilities

firewalls28
Firewalls
  • Phase III: the final phase of the call setup deals with the master/slave relating between the two terminals. The master/slave relationship is used to resolve any conflict that may arise between the two terminals during the duration of the call. Once the call setup process is complete, the audio and video channels are opened and the video conference call begins.”

H.323: Hardware and Software Vulnerabilities

firewalls29
Firewalls
  • Phase II & III – ports dynamically assigned. Which ports will be used…hard to configure rules when you don’t know? Leaving ports open and alone creates big hole in firewall.

H.323: Hardware and Software Vulnerabilities

solutions
Solutions
  • Cisco
    • One zone w/inside equipment
    • One zone w/outside (Internet)
    • Each zone has router/gatekeeper
    • Inside stuff registers w/inside gatekeeper
    • Outside stuff registers w/outside gatekeeper
    • One port for H.323 traffic

H.323: Hardware and Software Vulnerabilities

solutions31
Solutions
  • Aravox
    • Filter device between firewall and ISP
    • All traffic goes through firewall
    • H.323 traffic filtered and sent
    • Other traffic goes through firewall

H.323: Hardware and Software Vulnerabilities

vendor products w problems
Vendor products w/problems
  • TandBerg, Cisco, Polycom, and Intel to name a few.
  • Products are/should be to standard, BUT that doesn’t mean different vendors’ products play nice together.
  • DoS: CPU 100% utilized, service degrades; calls can drop; no new calls. Have to reboot.

H.323: Hardware and Software Vulnerabilities

what to do
What To Do?
  • Upgrade to latest software/firmware (highly recommended)
  • Use a firewall (good idea, but has its own problems)
  • Block ports (cool if you don’t want to ever use it again)
  • Create access list of trusted addresses

H.323: Hardware and Software Vulnerabilities

conclusion
Conclusion
  • H.323 has vulnerabilities
  • Exploiting these cause DoS
  • Hardware and Software to blame.
  • Buffer overflows should’ve been accounted for during development.
  • Constant upgrading keeps network safe.

H.323: Hardware and Software Vulnerabilities

questions

Questions?

H.323: Hardware and Software Vulnerabilities