Voice over IP (VoIP) security PowerPoint Presentation, PPT - DocSlides

Voice over IP (VoIP) security

Introduction

Voice over IP and IP telephony

Network convergence

Telephone and IT

PoE

(Power over Ethernet)

Mobility and Roaming

Telco

Switched -> Packet (IP)

Closed world -> Open world

Security

and privacy

IPhreakers

VoIP

vs

3G

Architecture: protocols

Signaling

User location

Session

Setup

Negotiation

Modification

Closing

Transport

Encoding, transport, etc.

Architecture: protocols

SIP

IETF - 5060/5061 (TLS) - “HTTP-like, all in one”

Proprietary extensions

Protocol becoming an architecture

“End-to-end” (between IP PBX)

Inter-AS MPLS VPNs

Transitive trust

IM extensions (SIMPLE)

H.323

Protocol family

H.235 (security), Q.931+H.245 (management), RTP, CODECs, etc.

ASN.1

Architecture: protocols

RTP (Real Time Protocol)

5004/

udp

RTCP

No

QoS

/bandwidth management

Packet reordering

CODECs

old: G.711 (PSTN/POTS - 64Kb/s)

current: G.729 (8Kb/s)

Architecture: systems

Systems

SIP Proxy

Call Manager/IP PBX

User management and reporting (HTTP, etc)

H.323

: GK (

GateKeeper

)

Authentication server (Radius)

Billing servers (CDR/billing)

DNS, TFTP, DHCP servers

Architecture: systems

Voice Gateway (IP-PSTN)

Gateway Control Protocols

Signaling: SS7 interface

Media Gateway Controller

Controls the MG (

Megaco

/H.248)

SIP interface

Signaling Gateway

Interface between MGC and SS7

SCTP

- ISUP, Q.931

Transport

Media Gateway: audio conversion

Architecture: firewall/VPN

Firewall

“Non-

stateful

” filtering

“

Stateful

” filtering

Application layer filtering (ALGs)

NAT / “firewall piercing”

(H.323 : 2xTCP, 4x dynamic UDP - 1719,1720)

(SIP : 5060/

udp

)

Encrypted VPN

SSL/TLS

IPsec

Where to encrypt (LAN-LAN, phone-phone, etc)?

VOIP Threats

Denial of Service

ICMP Flood

IP

Spoofing

Port Scans

Land Attack

IP

Source Route

Evasdropping

or recording

In VOIP eavesdropping is a type of an attack, if an attacker able to

eavesdropp

a communication. Then he can launch different type of an attack like Man in the Middle attack etc.

Call Hijacking and Spoofing

Call Redirection

Voice SPAM (

Vishing

, Mailbox Stuffing, Unsolicited Calling)

Voicemail Hacking

VOIP Attacks

Signaling Layer Attacks

SIP Registration Hijacking

Impersonating a Server

SIP Message Modification

SIP Cancel / SIP BYE attack

SIP DOS attack

Media Layer Attacks

Eavesdropping

RTP insertion attack

SSRC collision attacks

Signaling Layer Attacks

SIP Registration attack

Attacker impersonates a valid UA to a registrar himself as a valid user agent. So attacker can

recieve

calls for a

legitmate

user.

Impersonating a Server

When an attacker impersonates a remote server and user agent request are served by the attacker machine.

SIP Message Modification

If an attacker launches a man in the middle attack and modify a message. Then attacker could lead the caller to connect to malicious system.

SIP CANCEL / SIP BYE

SIP Denial of Service

In SIP attacker creates a bogus request that contained a fake IP address and Via field in the SIP header contains the identity of the target host.

Media Layer Attacks

Eavesdropping

SSRC collision

If an attacker

eavesdropp

the conversation and uses one’s peer SSRC to send RTP packet to other peer, it causes to terminate a session.

Security Solutions

Two types of security solutions

End-to-End security

In SIP end points can ensure end-to-end security to those messages which proxy does not read, like SDP messages could

be

protectedusing

S/MIME.

Media is transferred directly, so end-to-end security is achieved by SRTP.

Hop-by-hop security

TLS, IPSec

TLS provide transport layer security over TCP. Normally SIP URI is in the form of

sip:abc@example.com

, but if we are using TLS then SIP URI will be

sips:abc@example.com

and signaling must be send encrypted.

Authentication

Authentication means to identify a person.

If we take SIP as signaling protocol in VOIP, it defines two mechanisms for authentication

•

HTTP digest authentication

• S/MIME

HTTP Digest Authentication

•

HTTP digests mechanisms used between users to proxies, users to

users

but not between proxies to proxies.

S/MIME

•

S/MIME uses X.509 certificates to authenticate end users in the

same

way that web browsers use them.

Media Encryption

In VOIP media is send directly between users using RTP. Encryption of media is achieved

by

IPSec

Secure

RTP (

SRTP)

It provides a framework for encryption and message authentication of RTP and RTCP.

Cipher

Algorithum

: AES

Authenitcation

is an optional feature.

SRTP uses Security Description for Media Streams (SDES)

algorithum

to negotiate session keys in SDP.

MIKKEY

Mikkey

provides its own authentication and integrity

mechanisim

.

Mikkey

messages carried in a SDP with a=key-mgmt

attritbute

.

There are Specialized Hacking Tools

SIPScan

- enumerate SIP interfaces

TFTPBrute

- TFTP directory attacking

UDP and RTP Flooder -

DoS

tools

hping2 – TCP session flooding

Registration Hijacker - tool to take over H.323 session

SIVUS - SIP authentication and registration auditor

Vomit - RTP Playback

VOIP HOPPER – IP Phone

mimicing

tool

Dsniff

- various utilitarian tools (

macof

and

arpspoof

)

Wireshark

(Ethereal) /

tcpdump

- packet capture and protocol analysis

Thanks

You