Download Cutting Edge VoIP Security Issues Color

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
page
42
page
43
page
44
page
45
page
46
page
47
page
48
page
49
page
50
page
51
page
52
page
53
page
54
page
55
page
56
page
57
page
58
page
59
page
60
page
61
page
62
page
63
page
64
page
65
page
66
page
67
page
68
Document related concepts

Post-quantum cryptography wikipedia , lookup

Deep packet inspection wikipedia , lookup

Cyberwarfare wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Information security wikipedia , lookup

Unix security wikipedia , lookup

Airport security wikipedia , lookup

Wireless security wikipedia , lookup

Cyberattack wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Cyber-security regulation wikipedia , lookup

Mobile security wikipedia , lookup

Distributed firewall wikipedia , lookup

Security-focused operating system wikipedia , lookup

Social engineering (security) wikipedia , lookup

Computer security wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Network and VoIP Security –
More Important Than Ever
Mark D. Collier
Chief Technology Officer
SecureLogix Corporation
[email protected]
Outline
General Security Trends

Good news

Bad news

Going forward
Network-Based Security
Managed Security Services
Internal Application/VoIP Security
Outline
General Security Trends
Some Good News
Security Trends
Basic security measures, such as anti-virus, firewalls, and
anti-spyware, are ubiquitously deployed
Average losses due to security breaches are up, but down
significantly from 2001 and 2002 (*)
The number of incidents is down (*)
Incidents are being reported at a greater rate (*)
(*) Source – 2007 Computer Crime and Security Survey
General Security Trends
Some Good News
Security Trends
(*) Source – 2007 Computer Crime and Security Survey
General Security Trends
Some Good News
Security Trends
(*) Source – 2007 Computer Crime and Security Survey
General Security Trends
Some Good News
Security Trends
(*) Source – 2007 Computer Crime and Security Survey
General Security Trends
Some Good News
Security Trends
(*) Source – 2007 Computer Crime and Security Survey
General Security Trends
Some Bad News
Security Trends
(*) Source – 2007 Computer Crime and Security Survey
General Security Trends
Some Bad News
Security Trends
Signature based-detection systems are being pushed to the
limit
The platforms, network, and applications are getting more
and more complex
Attacks are becoming increasing complex
Perimeter security has many issues
Security funding is a small part of IT spending – no more
than 10% and often less than 5% (*)
Targeted attacks are increasing (*)
(*) Source – 2007 Computer Crime and Security Survey
General Security Trends
Some Bad News
Security Trends
(*) Source – 2007 Computer Crime and Security Survey
General Security Trends
Some Bad News
Security Trends
(*) Source – 2007 Computer Crime and Security Survey
General Security Trends
Going Forward
Security Trends
Increased deployment of Intrusion Detection and Prevention
Systems (IDSs and IPSs)
Possible increase the in use of Network Admission Control
(NAC)
Network-Based Security solutions are available
Managed Security Services solutions are available
Increased focus on internal application security
New applications such as Voice Over IP (VoIP) moving onto
the data network
Network-based
Security
Network-based Security
Introduction
Enterprise customers are deploying firewalls, IDSs/IPSs,
AV, anti-SPAM on network edge
3rd Party Network
Primary Provider IP Network
Some disadvantages:
Edge
Edge
Client
Enterprise
Client
Enterprise

Expensive

Multiple vendors and difficult to manage

Does not scale well
Network-based
Security
Network-based Security
Introduction
Network-based security embeds security capability in the
network
3rd Party Network
AT&T IP Network
VPN, Firewall, IDS, Anti-Virus, etc.
Edge
Edge
Firewall, IDS,
Anti-Virus, etc.
Some advantages:
Client
Enterprise

Leverages security capability in the network

Centralized management

Scales better
Client
Enterprise
Network-based Security
Advantages
Network-based
Security
Leverages security expertise
Greatly assists with threat reconnaissance
Broad network visibility allows greater awareness and
warning of attacks
The impact of major Worm attacks are seen well in advance
of when they are a threat to an enterprise
The only real solution to DoS and DDoS attacks
A great defense in depth approach
Still may need network defense and internal security
Network-based
Security
Network-based Security
Early Detection of Attacks
Web-Based
Information
Collection
Social
Engineering
Reconnaissance
Broad
Network
Mapping
Service
Vulnerability
Exploitation
Targeted
Scan
Scanning
Password
Guessing
System Access
Preventive Phase
(Defense)
AT&T Security Service
Primary Emphasis
DDOS Zombie
Code
Installation
Use of Stolen
Accounts
for Attack
System File
Delete
Damage
Log File
Changes
Track Coverage
Reactive Phase
(Defense)
Network-based Security
DoS and DDoS Attacks
AT&T IP
Backbone
Enterprise
Server
TARGETED
Server
Network-based
Security
Network-based Security
AT&T Offerings







AT&T
AT&T
AT&T
AT&T
AT&T
AT&T
AT&T
Internet Protect®
DDoS Defense
My Internet Protect
Private Intranet Protect
Network-Based Firewalls
Secure E-Mail Gateway
Web Security Services
Network-Based Security Platform
Network-based
Security
Managed Security Services
Introduction
Managed Security
Services
Managed Security Services (MSS) are a viable alternative to
in-house security staffing
Leverage experienced staff, who are familiar with security
processes and products
Often can be more cost effective
Eliminates the need to retain and train staff
Security assessments/audits are commonly outsourced
Managed Security Services
Enterprise Penetration
Managed Security
Services
(*) Source – 2007 Computer Crime and Security Survey
Managed Security Services
Assessments/Audits
Managed Security
Services
(*) Source – 2007 Computer Crime and Security Survey
Managed Security Services
AT&T Offerings
Premises-Based Firewalls
Managed Intrusion Detection
Endpoint Security Service
Token Authentication
Network-based
Security
Application/VoIP Security
VoIP Security
Introduction
Despite availability of network-based security, managed
services, and customer-premise edge security, securing
applications is still important
Voice Over IP (VoIP) is one internal application that must
be secured
Public Website Research
Introduction
Gathering Information
Footprinting
An enterprise website often contains a lot of information
that is useful to a hacker:

Organizational structure and corporate locations

Help and technical support

Job listings

Phone numbers and extensions
Public Website Research
Countermeasures
Gathering Information
Footprinting
It is difficult to control what is on your enterprise website,
but it is a good idea to be aware of what is on it
Try to limit amount of detail in job postings
Remove technical detail from help desk web pages
Google Hacking
Introduction
Gathering Information
Footprinting
Google is incredibly good at finding details on the web:

Vendor press releases and case studies

Resumes of VoIP personnel

Mailing lists and user group postings

Web-based VoIP logins
Google Hacking
Countermeasures
Gathering Information
Footprinting
Determine what your exposure is
Be sure to remove any VoIP phones which are visible to the
Internet
Disable the web servers on your IP phones
There are services that can help
you monitor your exposure:

www.cyveilance.com

ww.baytsp.com
Host/Device
Discovery and Identification
Gathering Information
Scanning
Consists of various techniques used to find hosts:

Ping sweeps

ARP pings

TCP ping scans

SNMP sweeps
After hosts are found, the type of device can be determined
Classifies host/device by operating system
Once hosts are found, tools can be used to find available
network services
Host/Device Discovery
Ping Sweeps/ARP Pings
Gathering Information
Scanning
Host/Device Discovery
Countermeasures
Gathering Information
Scanning
Use firewalls and Intrusion Prevention Systems (IPSs) to
block ping and TCP sweeps
VLANs can help isolate ARP pings
Ping sweeps can be blocked at the perimeter firewall
Use secure (SNMPv3) version of SNMP
Change SNMP public strings
Enumeration
Introduction
Gathering Information
Enumeration
Involves testing open ports and services on hosts/devices to
gather more information
Includes running tools to determine if open services have
known vulnerabilities
Also involves scanning for VoIP-unique information such as
phone numbers
Includes gathering information from TFTP servers and
SNMP
Vulnerability Testing
Tools
Gathering Information
Enumeration
Vulnerability Testing
Countermeasures
Gathering Information
Enumeration
The best solution is to upgrade your applications and make
sure you continually apply patches
Some firewalls and IPSs can detect and mitigate
vulnerability scans
TFTP Enumeration
Introduction
Gathering Information
Enumeration
Almost all phones we tested use TFTP to download
their configuration files
The TFTP server is rarely well protected
If you know or can guess the name of a
configuration or firmware file, you can download
it without even specifying a password
The files are downloaded in the clear and can be
easily sniffed
Configuration files have usernames, passwords, IP
addresses, etc. in them
TFTP Enumeration
Countermeasures
Gathering Information
Enumeration
It is difficult not to use TFTP, since it is so commonly used
by VoIP vendors
Some vendors offer more secure alternatives
Firewalls can be used to restrict access to TFTP servers to
valid devices
SNMP Enumeration
Introduction
Gathering Information
Enumeration
SNMP is enabled by default on most IP PBXs and IP
phones
Simple SNMP sweeps will garner lots of useful
information
If you know the device type, you can use snmpwalk
with the appropriate OID
You can find the OID using Solarwinds MIB
Default “passwords”, called community strings, are
common
SNMP Enumeration
Countermeasures
Gathering Information
Enumeration
Disable SNMP on any devices where it is not needed
Change default public and private community strings
Try to use SNMPv3, which supports authentication
Network Infrastructure DoS
Attacking The Network
Network DoS
The VoIP network and supporting infrastructure are
vulnerable to attacks
VoIP media/audio is particularly susceptible to any DoS
attack which introduces latency and jitter
Attacks include:

Flooding attacks

Network availability attacks

Supporting infrastructure attacks
Flooding Attacks
Introduction
Attacking The Network
Network DoS
Flooding attacks generate so many packets at a target, that it
is overwhelmed and can’t process legitimate requests
Flooding Attacks
Countermeasures
Attacking The Network
Network DoS
Layer 2 and 3 QoS mechanisms are commonly used to give
priority to VoIP media (and signaling)
Use rate limiting in network switches
Use anti-DoS/DDoS products
Some vendors have DoS support in their products (in newer
versions of software)
Network Availability Attacks
Attacking The Network
Network DoS
This type of attack involves an attacker trying to crash the
underlying operating system:

Fuzzing involves sending malformed packets, which exploit a
weakness in software

Packet fragmentation

Buffer overflows
Network Availability Attacks
Countermeasures
Attacking The Network
Network DoS
A network IPS is an inline device that detects and blocks
attacks
Some firewalls also offer this capability
Host based IPS software also provides this capability
Supporting Infrastructure Attacks
Attacking The Network
Network DoS
VoIP systems rely heavily on supporting services such as
DHCP, DNS, TFTP, etc.
DHCP exhaustion is an example, where a hacker uses up all
the IP addresses, denying service to VoIP phones
DNS cache poisoning involves tricking a DNS server into
using a fake DNS response
Supporting Infrastructure Attacks
Countermeasures
Attacking The Network
Network DoS
Configure DHCP servers not to lease addresses to unknown
MAC addresses
DNS servers should be configured to analyze info from
non-authoritative servers and dropping any response not
related to queries
Network Eavesdropping
Introduction
Attacking The Network
Eavesdropping
VoIP configuration files, signaling, and media are
vulnerable to eavesdropping
Attacks include:

TFTP configuration file sniffing (already discussed)

Number harvesting and call pattern tracking

Conversation eavesdropping
By sniffing signaling, it is possible to build a directory of
numbers and track calling patterns
voipong automates the process of logging all calls
Wireshark is very good at sniffing VoIP signaling
Conversation Recording
Wireshark
Attacking The Network
Eavesdropping
Conversation Recording
Other Tools
Other tools include:

vomit

Voipong

voipcrack (not public)

DTMF decoder
Attacking The Network
Eavesdropping
Network Eavesdropping
Countermeasures
Attacking The Network
Eavesdropping
Use encryption:

Many vendors offer encryption for signaling

Use the Transport Layer Security (TLS) for signaling

Many vendors offer encryption for media

Use Secure Real-time Transport Protocol (SRTP)

Use ZRTP

Use proprietary encryption if you have to
Network Interception
Introduction
Attacking The Network
Net/App Interception
The VoIP network is vulnerable to Man-In-The-Middle
(MITM) attacks, allowing:

Eavesdropping on the conversation

Causing a DoS condition

Altering the conversation by omitting, replaying, or inserting
media

Redirecting calls
Network Interception
ARP Poisoning
Attacking The Network
Net/App Interception
The most common network-level MITM attack is ARP
poisoning
Involves tricking a host into thinking the MAC address of
the attacker is the intended address
There are a number of tools available to support ARP
poisoning:

Cain and Abel

ettercap

Dsniff

hunt
Network Interception
ARP Poisoning
Attacking The Network
Net/App Interception
Network Interception
Countermeasures
Some countermeasures for ARP poisoning are:

Static OS mappings

Switch port security

Proper use of VLANs

Signaling encryption/authentication

ARP poisoning detection tools, such as arpwatch
Attacking The Network
Net/App Interception
Attacking The Application
Attacking The Application
VoIP systems are vulnerable to application attacks against
the various VoIP protocols
Attacks include:

Fuzzing attacks

Flood-based DoS

Signaling and media manipulation
Attacking The Application
Fuzzing
Fuzzing
Introduction
Fuzzing describes attacks where malformed packets are sent
to a VoIP system in an attempt to crash it
Research has shown that VoIP systems, especially those
employing SIP, are vulnerable to fuzzing attacks
There are many public domain tools available for fuzzing:

Protos suite

SipBomber

Asteroid

SFTF

Fuzzy Packet

SIP Proxy

NastySIP

SIPp

Scapy

SIPsak
Fuzzing
Commercial Tools
There are some commercial tools available:

Beyond Security BeStorm

Codenomicon

MuSecurity Mu-4000 Security Analyzer

Security Innovation Hydra

Sipera Systems LAVA tools
Attacking The Application
Fuzzing
Fuzzing
Countermeasures
Attacking The Application
Fuzzing
Make sure your vendor has tested their systems for fuzzing
attacks
Consider running your own tests
An VoIP-aware IPS can monitor for and block fuzzing
attacks
Flood-Based DoS
Attacking The Application
Flood-Based DoS
Several tools are available to generate floods at the
application layer:

rtpflood – generates a flood of RTP packets

inviteflood – generates a flood of SIP INVITE packets

SiVuS – a tool which a GUI that enables a variety of floodbased attacks
Virtually every device we tested was susceptible to these
attacks
Flood-Based DoS
Countermeasures
Attacking The Application
Flood-Based DoS
There are several countermeasures you can use for floodbased DoS:

Use VLANs to separate networks

Use TCP and TLS for SIP connections

Use rate limiting in switches

Enable authentication for requests

Use SIP firewalls/IPSs to monitor and block attacks
Attacking The Application
Sig/Media Manipulation
Registration Manipulation
Proxy
Proxy
Hijacked
Session
Hijacked
Media
User
Attacker
User
Attacking The Application
Sig/Media Manipulation
Session Teardown
Proxy
Proxy
Attacker Sends
BYE Messages
To UAs
User
Attacker
User
Attacking The Application
Sig/Media Manipulation
IP Phone Reboot
Proxy
Proxy
Attacker Sends
check-sync Messages
To UA
User
Attacker
User
Audio Insertion/Mixing
Proxy
User
Attacker Sees
Packets And
Inserts/Mixes In
New Audio
Attacking The Application
Sig/Media Manipulation
Proxy
Attacker
User
Signaling/Media Manipulation
Countermeasures
Attacking The Application
Sig/Media Manipulation
Some countermeasures for signaling and media
manipulation include:

Use digest authentication where possible

Use TCP and TLS where possible

Use SIP-aware firewalls/IPSs to monitor for and block attacks

Use audio encryption to prevent RTP injection/mixing
Voice SPAM
Introduction
Social Attacks
Voice SPAM
Voice SPAM refers to bulk, automatically generated,
unsolicited phone calls
Similar to telemarketing, but occurring at the frequency of
email SPAM
Not an issue yet, but will become prevalent when:

The network makes it very inexpensive or free to generate calls

Attackers have access to VoIP networks that allow generation of
a large number of calls
It is easy to set up a voice SPAM operation, using Asterisk,
tools like “spitter”, and free VoIP access
Voice SPAM
Countermeasures
Social Attacks
Voice SPAM
Some potential countermeasures for voice SPAM are:

Authenticated identity movements, which may help to identify
callers

Legal measures

Network-based filtering
Enterprise voice SPAM filters:

Black lists/white lists

Approval systems

Audio content filtering

Turing tests
VoIP Phishing
Introduction
Social Attacks
Phishing
Similar to email phishing, but with a phone
number delivered though email or voice
When the victim dials the number, the recording
requests entry of personal information
VoIP Phishing
Countermeasures
Traditional email spam/phishing
countermeasures come in to play here.
Educating users is a key
Social Attacks
Phishing
Final Thoughts
Final Thoughts
General network security is improving in
some ways, but new threats are emerging
Network-based security and managed security
services can be used to improve enterprise
security
Don’t neglect internal security and key
applications
Related documents
dos_nanog
dos_nanog
No Slide Title
No Slide Title
Honeynet Project
Honeynet Project
Cutting Edge VoIP Security Issues Color
Cutting Edge VoIP Security Issues Color
Systems Security
Systems Security
Malicious code, Mobile Code and Denial of Service attacks
Malicious code, Mobile Code and Denial of Service attacks
Research Areas - The George Washington University
Research Areas - The George Washington University
Heart Attack - Coffee Regional Medical Center
Heart Attack - Coffee Regional Medical Center
Distributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS)
Chapter 1 Exploring the Network
Chapter 1 Exploring the Network