Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Security
Document related concepts
Network tap wikipedia , lookup
Deep packet inspection wikipedia , lookup
Computer security wikipedia , lookup
SIP extensions for the IP Multimedia Subsystem wikipedia , lookup
Piggybacking (Internet access) wikipedia , lookup
Distributed firewall wikipedia , lookup
List of wireless community networks by region wikipedia , lookup
Transcript
VoIP Security Sanjay Kalra Juniper Networks VoIP Issues September 10-12, 2007 • Los Angeles Convention Center • Los Angeles, California Address Translation Conversion of private/public DoS attacks Media Media IP Media addresses Application OSS Softswitch Gateway Server Server Service theft Gateway Class 5 RouterFirewalls challenged by small Other Switch Fraud Carrier signaling/media VoIP Service Provider packets SPIT & Vishing Internet VoIP protocols not understood or IP NW Protocol Vulnerabilities POTS by all firewall’s IP Network Security SS7 IN Network Softswitch Regulatory Compliance to Enterprise Carrier E-911 IP Centrex Hosted Lawful intercept IP PBX Services IP PBX CALEA support 10.1 10.1 20.1 Carrier to Carrier Wholesale VoIP Peering Service Assurance Carrier to SOHO/Residential Quality of service Voice Over Broadband (Cable, DSL) Wireless/Mobile Admission enforcementWireless/ Router Cable/DSL Mobile Data Modem Base Station Lack of reporting FW/NAT MGCP IAD H.323/SIP Endpoints SIP/H.323 Phones Enterprise SIP/H.323 Phones POTS Phone SME Wireless IP Phone SOHO/Residential Mobile Phone 3 www.ITEXPO.com VoIP Attack Examples September 10-12, 2007 • Los Angeles Convention Center • Los Angeles, California • Vishing – Spam email from Paypal asking users to leave credit card number. • Toll Fraud – 2 people convicted to toll fraud using brute force. Resold minutes stolen from VOIP carriers. • DOS – Buffer Overflow in Asterisk. • DOS – Session Border Controller of a carrier compromised as could not provide security 4 www.ITEXPO.com VoIP security risks en detail Infrastructure VoIP content September 10-12, 2007 • Los Angeles Convention Center • attacks Los Angeles, California (D)DoS Call intercept Route poisoning Confidentiality issues SS7 IN Softswitch Traffic padding Network Vishing Media IP and ARP spoofing Unwanted content Media Gateway Application Media OSS Softswitch Gateway Server Server Spambots collecting VoIP addresses Session hijacking/replay Class 5 Router Other Switch Route server hacks can redirect VoIP protocolCarriercalls VoIP Service Provider Illegal call intercept vulnerabilities Internet or IP NW Recording of conversations through accessing POTS IP Network Carrierrecords to CarrierVoIP traffic as infrastructure (Ethereal VoIP infrastructure Wholesale VoIP audio file) Server OS vulnerabilities Registration DoS attacks Carrier to Enterprise Invite overflows Hosted IP Centrex IP PBX Excessive call setup rate Billing fraud 10.1 10.1 20.1 messages Malformed protocol Man-in-the middle attacks SIP/H.323 Phones DHCP/ARP spoofing Enterprise Peering Carrier to SOHO/Residential Services IP PBX Voice Over Broadband (Cable, DSL) Wireless/Mobile Router Data FW/NAT Wireless/ Mobile Base Station Cable/DSL Modem MGCP IAD H.323/SIP Endpoints SIP/H.323 Phones POTS Phone SME Wireless IP Phone SOHO/Residential Mobile Phone 5 www.ITEXPO.com VoIP Security Mitigation September 10-12, 2007 • Los Angeles Convention Center • Los Angeles, California IP PBX DoS or Hacking Attacks Back door to corporate network Voice call intercept All LAN segments have voice access H.323 and SIP ALGs dynamically open and close FW ports to keep network secure Combination of ALGs, firewall and zone capabilities keep data network secure Encrypt VoIP connections with siteto-site VPN (DES, 3DES, AES) to prevent eavesdropping Zones enable separation of VoIP network elements to ensure appropriate policies are applied 6 www.ITEXPO.com Tiered Approach to security September 10-12, 2007 • Los Angeles Convention Center • Los Angeles, California • Integrated control between layers of the network • Filter at the edge – Use equipment that can be controlled to filter at the edge – Don’t allow unwanted traffic into the network • Provide Topology hiding at the edge – Hide all the internal network • Centralised Management – Alerts come to a central place – Operator can be involved in the process • Threat risk reduced by layers – If one layer misses the threat another catches it 7 www.ITEXPO.com VoIP Security Toolkit September 10-12, 2007 • Los Angeles Convention Center • Los Angeles, California • • • • IDP to mitigate VoIP attacks Zone Based Architecture Security through Firewall ALGs Voice Eavesdropping Prevention through encryption • Unauthorized Use Prevention with Policy access control • Resilient VPN Connectivity with Dynamic Tunnel Failover 8 www.ITEXPO.com Defense Against VoIP Security Threats September 10-12, 2007 • Los Angeles Convention Center • Los Angeles, California VoIP Security Threat DoS attack on PBX, IP Phone or gateway Unauthorized access to PBX or voice mail system Toll fraud Ramifications All voice communications fail Hacker listens to voice mails, accesses call logs, company directories, etc. Hacker utilizes PBX for long-distance calling, increasing costs Eavesdropping or man-in-the-middle attack Voice conversations unknowingly intercepted and altered Worms/trojans/viruses on IP phones, PBX Infected PBX and/or phones rendered useless, spread problems throughout network SPIT (VoIP SPAM) and Vishing Lost productivity, annoyance and financial Loss Defense Technology FW with SIP attack protection IDP with SIP sigs/protocol anom Zones, ALGs, policy-based access control VPNs, encryption (IPSec or other) VPNs, encryption (IPSec or other) IDP with SIP protocol anomaly and stateful signatures ALGs, SIP attack prevention, SIP source IP limitations, UDP Flood Protection, Authentication 9 www.ITEXPO.com
