Deploying IP Telephony in an Enterprise and the Vulnerabilities that Come With It - PowerPoint PPT Presentation

Deploying IP Telephony in an Enterprise and the Vulnerabilities that Come With It

Brennen Reynolds

Department of Electrical and Computer Engineering

University of California, Davis

Security Lab Seminar – 7/17/02

Agenda

  • Introduction to IP Telephony

  • Challenges Faced with Deploying IP Telephony in Enterprises

  • Proposed Architecture Solutions

  • Security Issues Surrounding Converged Networks

  • An Architecture to Handle DoS Attacks

What is IP Telephony?

  • The use of the Internet Protocol to implement POTS telephony functionality over a data network

  • IP Telephony is NOT the same as VoIP

    • VoIP uses IP to transport voice traffic over ANY network

Implementing IP Telephony

  • Key Protocols:

    • Signaling - SIP or H.323

      • Handles establishment, maintenance and teardown of sessions

    • Media Transport - RTP & RTCP

      • Transmits voice samples

    • Supporting Services - DNS, ENUM, TRIP, RSVP, STUN

      • Improve performance and ease of use

Typical Call Setup

Components shown in the diagram: originating SIP IP Phone, originating SIP Proxy, DNS Server, destination SIP Proxy, Location Service, destination SIP IP Phone, and the Media Transport path between the two phones.

  • A request is sent (SIP INVITE) to ESTABLISH a session

  • DNS Query for the IP Address of the SIP Proxy of the Destination Domain

  • The INVITE is forwarded

  • The Location Service is queried to check that the destination represents a valid registered device, and to obtain its IP Address

  • The request is forwarded to the End-Device

  • Destination device returns its IP Address to the originating device and a media connection is opened

Why IP Telephony?

  • Advanced Services

    • video, email, instant messaging and web

  • Reduced Network Costs

    • Cheap computer equipment vs. expensive proprietary teleco equipment

    • Reduced bandwidth usage per call

      • G.711 (PSTN codec) uses 64 kbps per call

      • IP Telephony codecs can use anywhere from 32 kbps to 5.3 kbps per call

Enterprise Network Layout

Challenges

  • Speech quality

    • Network Delay, Jitter, Packet Loss, Encoding Technique

  • Network requirements

    • Must match current carrier grade network uptime (99.999% or 5 min downtime per year)

    • Must be capable of handling huge volume of calls (in addition to other data applications)

    • Must allow for network modification

Challenges Cont.

  • Access Management & Traffic Prioritization

    • Voice and data traffic have different requirements

    • Users must always be able to make a high quality call

      • Large data transfers may need to be throttled back

  • Security

    • Both data and voice share same network resources

    • IP protocol has security problems associated with it

    • Call signaling is now in-band with call data

    • Added intelligence at network edge (phone)

    • Susceptibility to attacks

Problems Encountered

  • Major categories of problems

    • Network Capacity

    • Network Middleboxes

      • Firewall

      • Network Address Translation

Infrastructure Problems

  • How much load would be added by IP Telephony?

  • Can an enterprise network designed for standard data applications provide the necessary guarantees?

  • Should IP Telephony be run over a separate data network?

Firewall Problems

  • Must allow new ports to be opened

    • Application doesn’t use well-known ports

    • Ports are negotiated at runtime

      • Transmitted in application level header

  • Must allow UDP traffic to pass through firewall

    • Many enterprises don't want to allow this

NAT Problems

  • User Agents require routable end-to-end connections

    • Purpose of NAT is to use private (hidden) addresses

  • IP address is now included in multiple places in packet

    • Not just IP header

    • NAT devices only translate IP header information
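The firewall and NAT problems above come from the same fact: the addresses and ports that matter for a call are carried in the SIP headers and the SDP body, not in the IP header. The added example below (not from the slides) parses a constructed INVITE from a phone behind NAT, pulls out the runtime-negotiated media port a firewall would need to pinhole, and lists the private addresses a header-only NAT would leave untranslated; the message contents and the session-level-only SDP handling are assumptions for this example.

```python
import ipaddress
import re

# Constructed sample INVITE (not from the slides): a phone behind NAT advertises
# its private 10.0.0.15 address in the Via/Contact headers and in the SDP body.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.15:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Contact: <sip:alice@10.0.0.15:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.15\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.15\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

def media_endpoints(sip_message):
    """(ip, port, proto) for each media stream announced in the SDP body.
    Only a session-level c= line is handled (assumption for this example)."""
    body = sip_message.partition("\r\n\r\n")[2]
    session_ip, endpoints = None, []
    for line in body.splitlines():
        if line.startswith("c="):
            session_ip = line.split()[-1]          # c=IN IP4 <addr>
        elif line.startswith("m="):
            fields = line[2:].split()              # m=<media> <port> <proto> <fmt>...
            endpoints.append((session_ip, int(fields[1]), fields[2]))
    return endpoints

def signalling_addresses(sip_message):
    """IPv4 addresses carried inside the Via and Contact headers."""
    headers = sip_message.partition("\r\n\r\n")[0]
    found = []
    for line in headers.splitlines():
        if line.split(":", 1)[0].lower() in ("via", "contact"):
            found += re.findall(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", line)
    return found

def nat_problem_addresses(sip_message):
    """Private addresses embedded in the payload; a NAT that rewrites only the
    IP header leaves these unchanged, so replies and media go to the wrong place."""
    addrs = signalling_addresses(sip_message)
    addrs += [ip for ip, _, _ in media_endpoints(sip_message)]
    return sorted({a for a in addrs if ipaddress.ip_address(a).is_private})
```

A SIP-aware firewall or application-layer gateway has to do exactly this inspection to open the UDP port from the m= line and rewrite the private addresses; a device that looks only at the IP header cannot.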

Proposed Solutions

  • All Access

  • Traffic Redirection

  • Application Proxy

  • Protocol Tunneling

All Access

  • Removes all restrictions

  • Accomplished by removing NAT devices

  • Removal of all firewall rules

  • Provides no security at all

Traffic Redirection

  • All telephony traffic that is destined for endpoints outside the enterprise is redirected over the PSTN

  • Negates the reduced cost of deploying IP telephony because a large number of PSTN voice trunks are still required

Application Proxy

  • A proxy server is positioned in parallel with the firewall

  • All IP telephony traffic is routed through the proxy instead of the firewall

  • Each new application will require an individual proxy

  • Additional interface to the enterprise network

Protocol Tunneling

  • All IP telephony traffic is sent through a tunnel running over a fixed port scheme

  • Added overhead of encapsulation of each packet

  • Provides avenue for malicious traffic to disguise itself as legitimate

STEM Network Architecture

  • Firewall is aware of the entire network stack and automatically opens pinholes

  • SIP proxy server protected in the DMZ

  • Requires replacement of existing firewalls with dynamic, intelligent versions

Solving Security Issues

  • With Strong Authentication

  • With Payload Encryption

  • With Enterprise Domain Authentication

  • With Network Architecture

Strong Authentication

  • Call Based Denial of Service

    • CANCEL messages, BYE message, Unavailable responses

  • Call Redirection

    • Re-registering with bogus terminal address, user moved to new address, must use additional proxy

  • User Impersonation

Payload Encryption

  • Capture and decoding of voice stream

    • Can be done in real-time very easily

  • Capture of DTMF information

    • Voice mail access code, credit card number, bank account

  • Call profiling based on information in message headers

Enterprise Domain Authentication

  • Unauthorized party connected to enterprise network making calls

    • Enterprise networks are easy to get access to

      • Wireless, conference rooms, waiting areas

    • A single user could easily saturate voice ports at M/S gateway if they wanted to

Network Architecture

  • Resource consumption DoS attacks

    • Network bandwidth, server resources, human time

  • Camouflaging hostile traffic

  • Malicious data flows

DoS Attacks in Converged Networks

  • Three points of attack

    • Network bandwidth between enterprise and external network

    • Server resources at control points

    • End user’s efficiency

Internet Originated Attack

  • Enterprise network connection can be flooded using techniques like SYN flooding

  • Resources on SIP proxy can be exhausted by a large flood of incoming calls

  • End user receives large number of SIP INVITE requests in a brief period of time

PSTN Originated Attack

  • Signaling link between M/S gateway and PSTN STP becomes saturated with messages

  • Voice ports on the M/S gateway are completely allocated

  • Large number of PSTN endpoints attempt to contact a single individual resulting in a high volume of INVITE messages

Network Framework for Detecting and Responding to DoS Attacks

  • Each resource consumption DoS attack has a unique signature

    • All the signatures have a similar behavior

  • An algorithm can be created to detect this behavior

  • Sensors can be implemented based on the algorithm

  • Appropriate responses can be activated to reduce the impact of the attack after detection

Information Sampling

  • IP telephony and the underlying protocol (TCP) both include some form of handshaking during the connection setup phase

  • Monitoring the volume of connection attempts vs. volume of complete connection handshakes can be used to detect an attack

Detection Algorithm

  • All connection setup attempts and complete handshakes are counted during the observation period

  • Upon expiration of the sampling period the difference is computed and normalized

  • Under normal operation, the resulting value should be very close to 0

  • In the presence of an attack, the result is a large positive number

Types of Attack Sensors

  • To ensure the detection and protection of the three targets, two sensors must be built

    • Application Layer Attack Sensor

    • Network Layer Attack Sensor

Application Layer Attack Sensor

  • Monitors the number of SIP INVITE requests vs. SIP OK (call acceptance) responses

  • Each URI is monitored independently

  • Upon flood detection, the proxy or M/S gateway returns "temporarily busy" responses

Network Layer Attack Sensor

  • Monitors the number of TCP SYN and ACK packets

  • Traffic is monitored at a high level aggregate

  • Upon attack detection, throttling is applied by perimeter devices (e.g. firewall)

    • If attack persists, traceback technologies can be used to drop malicious traffic at an upstream point
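The detection algorithm and both sensors described above, as an added example that is not the presentation's own code: attempts and completed handshakes are counted over one observation period, the normalized difference is near 0 under normal load and large when most setups never complete. The application-layer sensor counts SIP INVITE against 200 OK per URI, the network-layer sensor counts TCP SYN against ACK in aggregate. The event lists, the normalization by attempt count and the 0.5 alarm threshold are constructed assumptions; the slides do not specify them.

```python
from collections import Counter

# Constructed events for one observation period (not from the slides).
# Application layer: SIP messages seen at the proxy, keyed by the target URI.
SIP_EVENTS = (
    [("INVITE", "sip:bob@example.org"), ("200 OK", "sip:bob@example.org"),
     ("INVITE", "sip:carol@example.org"), ("200 OK", "sip:carol@example.org")]
    + [("INVITE", "sip:ceo@example.org")] * 40      # INVITE flood at one user
    + [("200 OK", "sip:ceo@example.org")] * 2
)
# Network layer: TCP flags seen at the perimeter, aggregated over all flows.
TCP_FLAGS_NORMAL = ["SYN"] * 50 + ["ACK"] * 49
TCP_FLAGS_FLOOD = ["SYN"] * 500 + ["ACK"] * 40

THRESHOLD = 0.5   # assumed alarm threshold; the slides do not give one

def normalized_difference(attempts, completions):
    """(attempts - completions) / attempts. Assumption: normalize by attempts, so
    the score is near 0 under normal load and approaches 1 under a flood."""
    if attempts == 0:
        return 0.0
    return (attempts - completions) / attempts

def app_layer_sensor(events, threshold=THRESHOLD):
    """INVITE vs 200 OK, counted per URI; returns the URIs that look flooded."""
    invites, oks = Counter(), Counter()
    for kind, uri in events:
        if kind == "INVITE":
            invites[uri] += 1
        elif kind == "200 OK":
            oks[uri] += 1
    scores = {uri: normalized_difference(n, oks[uri]) for uri, n in invites.items()}
    return {uri: round(s, 2) for uri, s in scores.items() if s > threshold}

def net_layer_sensor(flags, threshold=THRESHOLD):
    """SYN vs ACK over the aggregate; returns (score, attack_detected)."""
    syn, ack = flags.count("SYN"), flags.count("ACK")
    score = normalized_difference(syn, ack)
    return round(score, 2), score > threshold
```

The per-URI result is what lets the proxy or M/S gateway answer only the flooded user with busy responses, while the aggregate score is the signal the perimeter devices would act on with throttling.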

Future Work

  • Implementation of the sensors and collection of performance and detection results

  • Design of a module to detect malicious flows

Questions?