Introduction Voice over IP and IP telephony Network convergence Telephone and IT PoE Power over Ethernet Mobility and Roaming Telco Switched gt Packet IP Closed world gt Open world ID: 595636
Download Presentation The PPT/PDF document "Voice over IP (VoIP) security" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Voice over IP (VoIP) securitySlide2
Introduction
Voice over IP and IP telephony
Network convergence
Telephone and IT
PoE
(Power over Ethernet)
Mobility and Roaming
Telco
Switched -> Packet (IP)
Closed world -> Open world
Security
and privacy
IPhreakers
VoIP
vs
3GSlide3
Architecture
: protocols
Signaling
User location
Session
Setup
Negotiation
Modification
Closing
Transport
Encoding, transport, etc.Slide4
Architecture
: protocols
SIP
IETF - 5060/5061 (TLS) - “HTTP-like, all in one”
Proprietary extensions
Protocol becoming an architecture
“End-to-end” (between IP PBX)
Inter-AS MPLS VPNs
Transitive trust
IM extensions (SIMPLE)
H.323
Protocol family
H.235 (security), Q.931+H.245 (management), RTP, CODECs, etc.
ASN.1Slide5
Architecture
: protocols
RTP (Real Time Protocol)
5004/
udp
RTCP
No
QoS
/bandwidth management
Packet reordering
CODECs
old: G.711 (PSTN/POTS - 64Kb/s)
current: G.729 (8Kb/s)Slide6
Architecture
: systems
Systems
SIP ProxyCall Manager/IP PBXUser management and reporting (HTTP, etc)H.323: GK (GateKeeper)Authentication server (Radius)Billing servers (CDR/billing)DNS, TFTP, DHCP serversSlide7
Architecture
: systems
Voice Gateway (IP-PSTN)
Gateway Control ProtocolsSignaling: SS7 interfaceMedia Gateway ControllerControls the MG (Megaco/H.248)SIP interfaceSignaling GatewayInterface between MGC and SS7SCTP
- ISUP, Q.931
Transport
Media Gateway: audio conversionSlide8
Architecture
: firewall/VPN
Firewall
“Non-stateful” filtering“Stateful” filteringApplication layer filtering (ALGs)NAT / “firewall piercing”
(H.323 : 2xTCP, 4x dynamic UDP - 1719,1720)
(SIP : 5060/
udp
)
Encrypted VPN
SSL/TLS
IPsec
Where to encrypt (LAN-LAN, phone-phone, etc)?Slide9
VOIP
Threats
Denial of Service
ICMP FloodIP Spoofing Port Scans Land AttackIP Source Route
Evasdropping
or recording
In VOIP eavesdropping is a type of an attack, if an attacker able to
eavesdropp
a communication. Then he can launch different type of an attack like Man in the Middle attack etc.
Call Hijacking and Spoofing
Call Redirection
Voice SPAM (
Vishing
, Mailbox Stuffing, Unsolicited Calling)
Voicemail HackingSlide10
VOIP
Attacks
Signaling Layer Attacks
SIP Registration Hijacking
Impersonating a Server
SIP Message Modification
SIP Cancel / SIP BYE attack
SIP DOS attack
Media Layer Attacks
Eavesdropping
RTP insertion attack
SSRC collision attacksSlide11
Signaling Layer Attacks
SIP Registration attack
Attacker impersonates a valid UA to a registrar himself as a valid user agent. So attacker can
recieve
calls for a
legitmate
user.
Impersonating a Server
When an attacker impersonates a remote server and user agent request are served by the attacker machine.
SIP Message Modification
If an attacker launches a man in the middle attack and modify a message. Then attacker could lead the caller to connect to malicious system.
SIP CANCEL / SIP BYE
SIP Denial of Service
In SIP attacker creates a bogus request that contained a fake IP address and Via field in the SIP header contains the identity of the target host.Slide12
Media Layer
Attacks
Eavesdropping
SSRC collision
If an attacker
eavesdropp
the conversation and uses one’s peer SSRC to send RTP packet to other peer, it causes to terminate a session.Slide13
Security
Solutions
Two types of security solutions
End-to-End security
In SIP end points can ensure end-to-end security to those messages which proxy does not read, like SDP messages could
be
protectedusing
S/MIME.
Media is transferred directly, so end-to-end security is achieved by SRTP.
Hop-by-hop security
TLS, IPSec
TLS provide transport layer security over TCP. Normally SIP URI is in the form of
sip:abc@example.com
, but if we are using TLS then SIP URI will be
sips:abc@example.com
and signaling must be send encrypted.Slide14
Authentication
Authentication means to identify a person.
If we take SIP as signaling protocol in VOIP, it defines two mechanisms for authentication
•
HTTP digest authentication
• S/MIME
HTTP Digest Authentication
•
HTTP digests mechanisms used between users to proxies, users to
users
but not between proxies to proxies.
S/MIME
•
S/MIME uses X.509 certificates to authenticate end users in the
same
way that web browsers use them.Slide15
Media Encryption
In VOIP media is send directly between users using RTP. Encryption of media is achieved
by
IPSec
Secure
RTP (
SRTP)
It provides a framework for encryption and message authentication of RTP and RTCP.
Cipher
Algorithum
: AES
Authenitcation
is an optional feature.
SRTP uses Security Description for Media Streams (SDES)
algorithum
to negotiate session keys in SDP.
MIKKEY
Mikkey
provides its own authentication and integrity
mechanisim
.
Mikkey
messages carried in a SDP with a=key-mgmt
attritbute
.Slide16
There
are Specialized Hacking Tools
SIPScan
- enumerate SIP interfaces
TFTPBrute
- TFTP directory attacking
UDP and RTP Flooder -
DoS
tools
hping2 – TCP session flooding
Registration Hijacker - tool to take over H.323 session
SIVUS - SIP authentication and registration auditor
Vomit - RTP Playback
VOIP HOPPER – IP Phone
mimicing
tool
Dsniff
- various utilitarian tools (
macof
and
arpspoof
)
Wireshark
(Ethereal) /
tcpdump
- packet capture and protocol analysisSlide17
Thanks
You