Download Chapter X Slides

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

Distributed firewall wikipedia , lookup

Computer security wikipedia , lookup

Unix security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Wireless security wikipedia , lookup

Mobile security wikipedia , lookup

History of cryptography wikipedia , lookup

Cryptography wikipedia , lookup

Diffie–Hellman key exchange wikipedia , lookup

Project 25 wikipedia , lookup

Secure multi-party computation wikipedia , lookup

Deep packet inspection wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Certificate authority wikipedia , lookup

Authentication wikipedia , lookup

Web of trust wikipedia , lookup

Electronic authentication wikipedia , lookup

3-D Secure wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Digital signature wikipedia , lookup

Transcript
VOICE OVER IP FUNDAMENTALS
•
•
CHAPTER 10
Voice Security
VoIP Security Requirements:
Integrity:
The recipient should receive the packets that the
originator sends without and change to content.
Privacy:
A third party should not be able to read the data
Authenticity
Each party should be confident they are
communicating with whom each claims to be
Availability/Protection from Denial-of Service
The VoIP service should be available to users at
all times
Shared-Key:
A common shared-key between users
• Each pair of users must have the same key
• Does not scale well with multiple pairs of users
• The key is used to encrypt the message
• A hash is calculated from the shared key
Asymmetric Key:
Each user has a Private-key as well as a Public-key
• Only the corresponding public-key can decrypt the
message that is encrypted with the private-key
• Only the corresponding private-key can decrypt
the message that is encrypted with the public-key
• Has a one-to-one relationship between keys
• Keys can be exchanged over an unsecured network
Asymmetric Key:
Phases
• Authentication phase
• Secure communication phase
• CPU-intensive process
• Unique shared secret per session
Digital Signature:
Uses a set of complimentary algorithms for signing and
for verification
• A Digital signature is obtained from a Certificate
Authority (CA)
• A hash of the message is created with the private
key to create a Digital Signature
• Recipient verifies the signature by running a
verification algorithm over the message content
using the public-key of the sender
Digital Signature continued:
Uses a set of complimentary algorithms for signing and
for verification
• Digital signatures provide authentication
• Digital signatures provide message integrity
• Each signature is appended to the message in clear
text
• Digital signatures do not provide privacy
Certificate Authority:
The Certificate Authority receives the public-key at the
time of key generation.
The Certificate Authority will verify the identity of the
sender and issue a certificate
Each device in the system has a public-key of the CA
At the time of contact each system will:
• Present its certificate to it’s peer
• Each will run a verification
• If verified the keys are stored
Public-key:
Common Protocols
• Transport layer Security (TLS)
 Independent of applications
 Rides on top of Transport layer protocols
 Can be used with multiple services
• Record Protocol
 Lower-layer protocol
 Provides privacy and integrity
 Used DES or RC4 for encryption
• Client layer
 Authenticates
 Negotiates
TLS:
Public-key:
Common Protocols continued
• Ipsec
 Uses Authentication Header (AH)
 Uses Encapsulation Security Payload (ESP)
 AH provides authentication and integrity
 ESP provides privacy, authenticity, and integrity
 Tunnel-mode
 Protects only the payload
 Header inserted between the Ip header and the
transport layer header (TCP/UDP)
 Transport-mode
 Encapsulates the entire packet
 Ipsec header is added between the outer and
inner IP headers
Public-key:
Common Protocols continued
• Ipsec
Public-key:
Common Protocols continued
IPsec
Public-key:
Common Protocols continued
IPsec
Public-key:
Common Protocols continued
• Secure Real Time Protocol (SRTP)
 Integrity
 Authentication
 Privacy
Protecting Voice Devices:
• Disable Unused Ports/Services
 Disable Telnet
 Disable Trivial File Transport Protocol
• Simple Network management Protocol
 Use only read-only mode
• Disable Unused Ports on layer 2 switches
 Administrative shut down
Protecting Voice Devices continued:
• Host-based Intrusion Protection System (HIPS)




Software agent installed on each device
Collects information about traffic
Information compared against a set of rules
System can take preventative action
 Terminating application
 Rate-limit data
Protecting Voice Infrastructure:
• Segmentation
 VLAN’s
 IP addressing
 Traffic types
 Separate DHCP servers
• Traffic Policing
 Limit bandwidth to Codec used
 G.711 is 64 kbps plus overhead
 Queuing techniques
• 802.1x Authentication
 EAP protocol
 RADIUS authentication server
 Layer 2
Protecting Voice Infrastructure continued:
• 802.1x Authentication
Protecting Voice Infrastructure continued:
Layer 2 tools
• DHCP Snooping
 Only allow DHCP offers from known sources
 Enabled on switches
 Switch(config)#ip dhcp snooping
 Switch(config-if)#ip dhcp snooping trust
 Switch(config-if)#ip dhcp snooping limit rate [rate]
 Switch(config)#ip dhcp snooping vlan number
[number]
 DHCP snooping binding database (IP-to-MAC)
Protecting Voice Infrastructure continued:
Layer 2 tools
• IP Source Guard
 Used with DHCP Snooping
 On untrusted ports only DHCP messages allowed
until DHCP response is received
 Uses DHCP snooping binding database
 Per port
 Installs a Vlan Access Control List (VACL)
Protecting Voice Infrastructure continued:
Layer 2 tools
• Dynamic ARP Inspection
 Attacker sends it’s own MAC address as a reply
 Man-in-the-middle attack
 Uses the DHCP binding database
 Drops malicious packets
Protecting Voice Infrastructure continued:
Layer 2 tools
• CAM overflow and Port Security
 Attacker sends fictitious MAC addresses to fill
CAM table
 When CAM table is filled switch will forward
packets out all active ports (broadcast)
 Use port security features
 Switch(config-if)#switchport port-security
maximum [number]
Protecting Voice Infrastructure continued:
Layer 2 tools
• Circumventing VLANs
 Uses trunk ports to obtain access
 802.1q or ISL
 Disable DTP on non trunk ports
 Switch(config-if)#switchport mode access
Protecting Voice Infrastructure continued:
Layer 2 tools
• NIPS Network Based Intrusion Protection System
 In series
 In parallel
 Examines every packet
 Does not protect against “Atomic” attacks
 Delay is a problem for voice
Protecting Voice Infrastructure continued:
Layer 2 tools
• BPDU Guard and Root Guard
 Exploits Spanning-tree protocol
 Listens on configured ports for BPDU’s
 Rogue device tries to become the root bridge
 Violation can disable the port
 Used with portfast
 Root Guard will port into a root-inconsistent state
 Root Guard will allow the device to participate in
spanning-tree
Protecting Voice Infrastructure continued:
Layer 3 tools
• Routing authentication
 Not available for all protocols
 Can use simple password
 Can use Message-digest (MD5) encryption
 Not available on RIPv1
 Shared keys between systems
Protecting Voice Infrastructure continued:
Layer 3 tools
• TCP intercepts
 Denial of Service attacks
 Sends multiple “syn” packets
 Never completes the three-way handshake
 Uses falsified IP addresses
 Can limit half-open secessions
 Intercept mode allows the router to respond
before forwarding packets to client
Protecting Voice Infrastructure:
Security Planning and Policies
• Transitive trust
 Eliminate re-authentication at each device
• VoIP Protocol-Specific Issues
 Use of computer based softphones
• VLAN’s
• Trunking
• Double tagging
Protecting Voice Infrastructure continued:
Security Planning and Policies
• Complexity tradeoffs
 Bandwidth overhead
 Delay
 CA cost
• NAT/Firewall Traversal
 Opens pathways for voice traffic
 Does not work well with encryption (port numbers)
• Password and Access Control
 Minimum length
 Complexity
 Equipment access
End of Chapter 10