
VoIP Security

VoIP Security. Sanjay Kalra, Juniper Networks. VoIP Issues. Address Translation: conversion of private/public IP addresses; firewalls challenged by small signaling/media packets; VoIP protocols not understood by all firewalls. Security: DoS attacks; service theft; fraud.


Presentation Transcript


  1. VoIP Security Sanjay Kalra Juniper Networks

  2. VoIP Issues
     Address Translation
     • Conversion of private/public IP addresses
     • Firewalls challenged by small signaling/media packets
     • VoIP protocols not understood by all firewalls
     Security
     • DoS attacks
     • Service theft
     • Fraud
     • SPIT & Vishing
     • Protocol Vulnerabilities
     Regulatory Compliance
     • E-911
     • Lawful intercept
     • CALEA support
     Service Assurance
     • Quality of service
     • Admission enforcement
     • Lack of reporting
     [Diagram labels: SS7, IN Network, Softswitch, Media Gateway, Application Server, Media Server, OSS, Class 5 Switch, Router, Other Carrier, VoIP Service Provider, Internet or IP NW, POTS, IP Network; Carrier to Carrier, Wholesale VoIP, Peering; Carrier to Enterprise, Carrier to SOHO/Residential, Hosted IP Centrex, IP PBX Services, Voice Over Broadband (Cable, DSL), Wireless/Mobile; IP PBX, Wireless/Mobile Base Station, Cable/DSL Modem, Data FW/NAT, MGCP IAD, H.323/SIP Endpoints, Wireless IP Phone, Mobile Phone, SIP/H.323 Phones, POTS Phone; SOHO/Residential, SME, Enterprise]

  3. VoIP Attack Examples
     • Vishing – Spam email from PayPal asking users to leave their credit card number.
     • Toll Fraud – 2 people convicted of toll fraud using brute force. They resold minutes stolen from VoIP carriers.
     • DoS – Buffer overflow in Asterisk.
     • DoS – A carrier's Session Border Controller was compromised because it could not provide security.

  4. VoIP security risks in detail
     Infrastructure
     • (D)DoS attacks
     • Route poisoning
     • Traffic padding
     • IP and ARP spoofing
     • Session hijacking/replay
     • VoIP protocol vulnerabilities
     VoIP content
     • Call intercept
     • Confidentiality issues
     • Vishing
     • Unwanted content
     • Spambots collecting VoIP addresses
     • Route server hacks can redirect calls
     • Illegal call intercept
     • Recording of conversations through accessing infrastructure (Ethereal records VoIP traffic as audio file)
     VoIP infrastructure
     • Server OS vulnerabilities
     • Registration DoS attacks
     • Invite overflows
     • Excessive call setup rate
     • Billing fraud
     • Malformed protocol messages
     • Man-in-the-middle attacks
     • DHCP/ARP spoofing
     [Diagram labels repeat the network diagram from slide 2.]

  5. VoIP Security Mitigation
     • IP PBX DoS or hacking attacks: H.323 and SIP ALGs dynamically open and close FW ports to keep network secure
     • Back door to corporate network: Combination of ALGs, firewall and zone capabilities keep data network secure
     • Voice call intercept: Encrypt VoIP connections with site-to-site VPN (DES, 3DES, AES) to prevent eavesdropping
     • All LAN segments have voice access: Zones enable separation of VoIP network elements to ensure appropriate policies are applied

  6. Tiered Approach to Security
     • Integrated control between layers of the network
     • Filter at the edge
     • Use equipment that can be controlled to filter at the edge
     • Don’t allow unwanted traffic into the network
     • Provide topology hiding at the edge
     • Hide all the internal network
     • Centralised management
     • Alerts come to a central place
     • Operator can be involved in the process
     • Threat risk reduced by layers
     • If one layer misses the threat another catches it

  7. VoIP Security Toolkit
     • IDP to mitigate VoIP attacks
     • Zone Based Architecture
     • Security through Firewall ALGs
     • Voice Eavesdropping Prevention through encryption
     • Unauthorized Use Prevention with Policy access control
     • Resilient VPN Connectivity with Dynamic Tunnel Failover

  8. Defense Against VoIP Security Threats
     (Columns: VoIP Security Threat / Ramifications / Defense Technology)
     • Threat: DoS attack on PBX, IP phone or gateway. Ramifications: All voice communications fail. Defense technology: FW with SIP attack protection; IDP with SIP signatures/protocol anomaly.
     • Threat: Unauthorized access to PBX or voice mail system. Ramifications: Hacker listens to voice mails, accesses call logs, company directories, etc. Defense technology: Zones, ALGs, policy-based access control.
     • Threat: Toll fraud. Ramifications: Hacker utilizes PBX for long-distance calling, increasing costs. Defense technology: VPNs, encryption (IPSec or other).
     • Threat: Eavesdropping or man-in-the-middle attack. Ramifications: Voice conversations unknowingly intercepted and altered. Defense technology: VPNs, encryption (IPSec or other).
     • Threat: Worms/trojans/viruses on IP phones, PBX. Ramifications: Infected PBX and/or phones rendered useless, spread problems throughout network. Defense technology: IDP with SIP protocol anomaly and stateful signatures.
     • Threat: SPIT (VoIP spam) and vishing. Ramifications: Lost productivity, annoyance and financial loss. Defense technology: ALGs, SIP attack prevention, SIP source IP limitations, UDP flood protection, authentication.
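Slide 5 says that SIP ALGs dynamically open and close firewall ports. The sketch below is an added example, not code from the presentation or from any firewall product: a toy SIP ALG that reads the SDP in an INVITE and its 200 OK, opens UDP pinholes for RTP and RTCP, and closes them on BYE or CANCEL. The class and function names, addresses and SIP messages are constructed for illustration.

```python
class SipAlg:
    """Toy SIP ALG: opens RTP/RTCP pinholes from SDP, closes them on BYE/CANCEL."""
    def __init__(self):
        self.pinholes = {}  # Call-ID -> set of (ip, udp_port)

    @staticmethod
    def media(sdp):
        """Return (ip, port) for each audio stream described in an SDP body."""
        session_ip, streams = None, []
        for line in sdp.splitlines():
            if line.startswith("c=IN IP4 "):
                ip = line.split()[2]
                if streams:
                    streams[-1] = (ip, streams[-1][1])  # media-level c= overrides
                else:
                    session_ip = ip                     # session-level address
            elif line.startswith("m=audio "):
                streams.append((session_ip, int(line.split()[1])))
        return [(ip, p) for ip, p in streams if ip and p != 0]  # port 0 = declined

    def process(self, msg):
        head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
        start, *rest = head.split("\n")
        hdr = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in rest if ":" in l)}
        call_id = hdr.get("call-id")
        if not call_id:
            return  # no dialog to bind a pinhole to: open nothing
        ok_to_invite = start.startswith("SIP/2.0 200") and "INVITE" in hdr.get("cseq", "")
        if start.startswith("INVITE ") or ok_to_invite:
            for ip, port in self.media(body):
                # RTP on the negotiated port, RTCP on port + 1
                self.pinholes.setdefault(call_id, set()).update({(ip, port), (ip, port + 1)})
        elif start.startswith(("BYE ", "CANCEL ")):
            self.pinholes.pop(call_id, None)  # call over: close its ports

    def allows(self, dst_ip, dst_port):
        return any((dst_ip, dst_port) in s for s in self.pinholes.values())

def sip(start, call_id, cseq, sdp=""):  # constructed sample message, not a capture
    return f"{start}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n{sdp}"

def demo():
    alg, cid, sdp = SipAlg(), "c1@example.test", "v=0\r\nc=IN IP4 {}\r\nm=audio {} RTP/AVP 0\r\n"
    alg.process(sip("INVITE sip:bob@example.test SIP/2.0", cid, "1 INVITE", sdp.format("10.1.1.5", 49170)))
    alg.process(sip("SIP/2.0 200 OK", cid, "1 INVITE", sdp.format("20.1.1.9", 30000)))
    during = [alg.allows(*t) for t in (("10.1.1.5", 49170), ("20.1.1.9", 30001), ("10.1.1.5", 5000))]
    alg.process(sip("BYE sip:bob@example.test SIP/2.0", cid, "2 BYE"))
    return during, alg.allows("10.1.1.5", 49170)
```

Media ports are reachable only while the dialog that negotiated them is alive; any other UDP port stays closed throughout, and a message without a Call-ID opens nothing.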
