Download Chapter X Slides

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
Document related concepts

Distributed firewall wikipedia , lookup

Computer security wikipedia , lookup

Unix security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Wireless security wikipedia , lookup

Mobile security wikipedia , lookup

History of cryptography wikipedia , lookup

Cryptography wikipedia , lookup

Diffie–Hellman key exchange wikipedia , lookup

Project 25 wikipedia , lookup

Secure multi-party computation wikipedia , lookup

Deep packet inspection wikipedia , lookup

Post-quantum cryptography wikipedia , lookup

Certificate authority wikipedia , lookup

Authentication wikipedia , lookup

Web of trust wikipedia , lookup

Electronic authentication wikipedia , lookup

3-D Secure wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Digital signature wikipedia , lookup

Transcript 
VOICE OVER IP FUNDAMENTALS
•
•
CHAPTER 10
Voice Security
VoIP Security Requirements:
Integrity:
The recipient should receive the packets that the
originator sends without and change to content.
Privacy:
A third party should not be able to read the data
Authenticity
Each party should be confident they are
communicating with whom each claims to be
Availability/Protection from Denial-of Service
The VoIP service should be available to users at
all times
Shared-Key:
A common shared-key between users
• Each pair of users must have the same key
• Does not scale well with multiple pairs of users
• The key is used to encrypt the message
• A hash is calculated from the shared key
Asymmetric Key:
Each user has a Private-key as well as a Public-key
• Only the corresponding public-key can decrypt the
message that is encrypted with the private-key
• Only the corresponding private-key can decrypt
the message that is encrypted with the public-key
• Has a one-to-one relationship between keys
• Keys can be exchanged over an unsecured network
Asymmetric Key:
Phases
• Authentication phase
• Secure communication phase
• CPU-intensive process
• Unique shared secret per session
Digital Signature:
Uses a set of complimentary algorithms for signing and
for verification
• A Digital signature is obtained from a Certificate
Authority (CA)
• A hash of the message is created with the private
key to create a Digital Signature
• Recipient verifies the signature by running a
verification algorithm over the message content
using the public-key of the sender
Digital Signature continued:
Uses a set of complimentary algorithms for signing and
for verification
• Digital signatures provide authentication
• Digital signatures provide message integrity
• Each signature is appended to the message in clear
text
• Digital signatures do not provide privacy
Certificate Authority:
The Certificate Authority receives the public-key at the
time of key generation.
The Certificate Authority will verify the identity of the
sender and issue a certificate
Each device in the system has a public-key of the CA
At the time of contact each system will:
• Present its certificate to it’s peer
• Each will run a verification
• If verified the keys are stored
Public-key:
Common Protocols
• Transport layer Security (TLS)
 Independent of applications
 Rides on top of Transport layer protocols
 Can be used with multiple services
• Record Protocol
 Lower-layer protocol
 Provides privacy and integrity
 Used DES or RC4 for encryption
• Client layer
 Authenticates
 Negotiates
TLS:
Public-key:
Common Protocols continued
• Ipsec
 Uses Authentication Header (AH)
 Uses Encapsulation Security Payload (ESP)
 AH provides authentication and integrity
 ESP provides privacy, authenticity, and integrity
 Tunnel-mode
 Protects only the payload
 Header inserted between the Ip header and the
transport layer header (TCP/UDP)
 Transport-mode
 Encapsulates the entire packet
 Ipsec header is added between the outer and
inner IP headers
Public-key:
Common Protocols continued
• Ipsec
Public-key:
Common Protocols continued
IPsec
Public-key:
Common Protocols continued
IPsec
Public-key:
Common Protocols continued
• Secure Real Time Protocol (SRTP)
 Integrity
 Authentication
 Privacy
Protecting Voice Devices:
• Disable Unused Ports/Services
 Disable Telnet
 Disable Trivial File Transport Protocol
• Simple Network management Protocol
 Use only read-only mode
• Disable Unused Ports on layer 2 switches
 Administrative shut down
Protecting Voice Devices continued:
• Host-based Intrusion Protection System (HIPS)




Software agent installed on each device
Collects information about traffic
Information compared against a set of rules
System can take preventative action
 Terminating application
 Rate-limit data
Protecting Voice Infrastructure:
• Segmentation
 VLAN’s
 IP addressing
 Traffic types
 Separate DHCP servers
• Traffic Policing
 Limit bandwidth to Codec used
 G.711 is 64 kbps plus overhead
 Queuing techniques
• 802.1x Authentication
 EAP protocol
 RADIUS authentication server
 Layer 2
Protecting Voice Infrastructure continued:
• 802.1x Authentication
Protecting Voice Infrastructure continued:
Layer 2 tools
• DHCP Snooping
 Only allow DHCP offers from known sources
 Enabled on switches
 Switch(config)#ip dhcp snooping
 Switch(config-if)#ip dhcp snooping trust
 Switch(config-if)#ip dhcp snooping limit rate [rate]
 Switch(config)#ip dhcp snooping vlan number
[number]
 DHCP snooping binding database (IP-to-MAC)
Protecting Voice Infrastructure continued:
Layer 2 tools
• IP Source Guard
 Used with DHCP Snooping
 On untrusted ports only DHCP messages allowed
until DHCP response is received
 Uses DHCP snooping binding database
 Per port
 Installs a Vlan Access Control List (VACL)
Protecting Voice Infrastructure continued:
Layer 2 tools
• Dynamic ARP Inspection
 Attacker sends it’s own MAC address as a reply
 Man-in-the-middle attack
 Uses the DHCP binding database
 Drops malicious packets
Protecting Voice Infrastructure continued:
Layer 2 tools
• CAM overflow and Port Security
 Attacker sends fictitious MAC addresses to fill
CAM table
 When CAM table is filled switch will forward
packets out all active ports (broadcast)
 Use port security features
 Switch(config-if)#switchport port-security
maximum [number]
Protecting Voice Infrastructure continued:
Layer 2 tools
• Circumventing VLANs
 Uses trunk ports to obtain access
 802.1q or ISL
 Disable DTP on non trunk ports
 Switch(config-if)#switchport mode access
Protecting Voice Infrastructure continued:
Layer 2 tools
• NIPS Network Based Intrusion Protection System
 In series
 In parallel
 Examines every packet
 Does not protect against “Atomic” attacks
 Delay is a problem for voice
Protecting Voice Infrastructure continued:
Layer 2 tools
• BPDU Guard and Root Guard
 Exploits Spanning-tree protocol
 Listens on configured ports for BPDU’s
 Rogue device tries to become the root bridge
 Violation can disable the port
 Used with portfast
 Root Guard will port into a root-inconsistent state
 Root Guard will allow the device to participate in
spanning-tree
Protecting Voice Infrastructure continued:
Layer 3 tools
• Routing authentication
 Not available for all protocols
 Can use simple password
 Can use Message-digest (MD5) encryption
 Not available on RIPv1
 Shared keys between systems
Protecting Voice Infrastructure continued:
Layer 3 tools
• TCP intercepts
 Denial of Service attacks
 Sends multiple “syn” packets
 Never completes the three-way handshake
 Uses falsified IP addresses
 Can limit half-open secessions
 Intercept mode allows the router to respond
before forwarding packets to client
Protecting Voice Infrastructure:
Security Planning and Policies
• Transitive trust
 Eliminate re-authentication at each device
• VoIP Protocol-Specific Issues
 Use of computer based softphones
• VLAN’s
• Trunking
• Double tagging
Protecting Voice Infrastructure continued:
Security Planning and Policies
• Complexity tradeoffs
 Bandwidth overhead
 Delay
 CA cost
• NAT/Firewall Traversal
 Opens pathways for voice traffic
 Does not work well with encryption (port numbers)
• Password and Access Control
 Minimum length
 Complexity
 Equipment access
End of Chapter 10
Related documents
Lab 9
Lab 9
3 Key Economic Questions
3 Key Economic Questions
Legal Protections for Natural Areas
Legal Protections for Natural Areas
Controlling Infectious Diseases
Controlling Infectious Diseases
How to Use an Alternate TCP/IP Configuration
How to Use an Alternate TCP/IP Configuration
Legal and Ethical Issues - Krizan Classroom Website
Legal and Ethical Issues - Krizan Classroom Website
Day 4- Research Ethics
Day 4- Research Ethics
chap-09v2
chap-09v2
for ResNet - University of Michigan
for ResNet - University of Michigan
Course Learning Objectives:
Course Learning Objectives: