Security Best Practices for Enterprise VoIP. Preventing Attacks and Managing Risk

Transcription

1 Security Best Practices for Enterprise VoIP Preventing Attacks and Managing Risk A Sipera White Paper September 2007

2 Summary To take full advantage of unified communications (UC), enterprises are extending their voice over IP (VoIP) network to soft phones, WiFi/dual-mode phones and other devices. At the same time, they are connecting to service providers using Session Initiation Protocol (SIP) trunks, creating federations with other enterprises, and integrating collaboration, multimedia and presence applications. By leveraging its internal IP PBX to handle external calls using VoIP and adding unified communications applications, enterprises can decrease costs, improve collaboration and ensure business continuity. But, many enterprises have yet to realize the potential security implications of extending their VoIP network over public and/or untrusted networks. There are a number of security best practices that must be followed to prevent attacks and minimize risk in order to extend VoIP securely. Some of these best practices can be borrowed from the data world and include: ensuring security patches are up-to-date, installing the latest anti-virus software, encrypting the traffic for privacy, and authenticating the users. But if you assume this is the end of the story and existing data security measures are enough to protect your unified communications, then this white paper would not be needed. Enterprises must understand that VoIP and UC applications have unique security requirements to data networks that need to be addressed to ensure your unified communications infrastructure is protected. At the same time, VoIP/UC threats, which are very different from data threats, can allow hackers to carry out spoofing and denial-of-service attacks, unwanted reboots, unauthorized toll calls (toll fraud), and to take over the device and either steal or delete confidential data that raises compliance and risk management concerns. This white paper will look at these VoIP/UC-specific security requirements and in particular threats targetting the enterprise VoIP/UC network and users including reconnaissance, eavesdropping, spoofing, denial of service (DoS), VoIP spam, and VoIP-to-data exploits. Once identified, this paper will explore VoIP/UC security best practices, the shortcomings of existing data security products in satisfying those best practices, and the requirements for a comprehensive VoIP/UC security solution.

3 Introduction Traditionally, threats from VoIP and unified communications do not make it to the list of the top information security issues. Such lists contain threats like system probing, attacks, default password attacks, and sniffing. However, like any complex computer network, VoIP/UC networks have their own unique security challenges that must be addressed. To give a simple example, standard security best practices recommend the separation of the voice virtual local area network (VLAN) from the data VLAN to prevent traffic from one network to reach another network. However, unified communications enable soft phones to be installed on the data VLAN but talk to hard VoIP phones on the voice VLAN. Completely blocking the traffic between the two VLANs will prevent this communication. Consequently, IT administrators may end up allowing traffic between the two VLANs freely but, if not monitored, it also allows worms, viruses and other attacks to cross over and vice-versa. While some enterprises may not deploy soft phones today, VoIP soft phones are an integral part of any unified communications framework. At the same time, enterprises could introduce other issues by extending the IP PBX to VoIP remote users working at home or integrating WiFi/dual-mode phones that may connect to any untrusted access point. Finally, to get the full benefits of unified communications, enterprises must open their VoIP/UC networks to their service provider using SIP trunks to bypass the PSTN or create federations among partners and bypass the service provider all together. In all these cases the VoIP/UC network is now open and exposed to untrusted networks, devices, or users. Therefore, because of the inherently open nature of unified communications, one cannot ignore VoIP/ UC threats while investing other resources to protect critical assets and confidential data residing on the data network. Equal importance must be given to protecting VoIP/UC devices to achieve comprehensive security across the enterprise. This paper outlines a number of potential attacks that puts VoIP/UC among the top information security concerns for CIOs/CSOs and looks at the VoIP security best practices for preventing them and managing risk. Benefits of Extending Unified Communications Real-time, unified communications have a significant and obvious appeal for enterprises and end-users because they allow the Internet and existing data networks to become a cost-effective transport for things most people want to do such as: placing voice calls, participating in video conferences, exchanging instant messages (IMs), and a host of other communications applications. In addition enterprises are embracing VoIP and unified communications to increase productivity and improve collaboration. Security Best Practices for Enterprise VoIP 2

4 But the true potential of these business applications have yet to be realized as most are deployed in a closed network. These benefits can be increased tenfold if the IP PBX and its real-time communications are extended outside the enterprise to remote and mobile workers, branches, and soft phones along with connecting to service providers using SIP trunks. More importantly, cost-savings, business continuity, mobility, and the trend towards outsourcing are compelling enterprises to open up its communications infrastructure beyond the enterprise perimeter, as shown in Figure 1. REMOTE WORKER Cost reductions & capital savings; Employee Lifestyle VOICE/DATA CENTER(S) IP PBX IP PBX Cost reductions; Disaster recovery & business continuity Internet VISP Mobile Worker WAN/VISP PSTN Cost reductions; Productivity & collaboration HEADQUARTERS Cost reductions & capital savings; Business continuity BRANCH(ES) Figure 1: Extending the IP PBX can help the enterprise realize many business benefits. By extending VoIP to remote workers and connecting branch offices, the enterprise can drastically decrease telecommunications charges by leveraging its internal IP PBX to handle calls to/from such locations without needing any telecom provider and route international calls over the Internet at much lower rates. Mobile workers can also significantly reduce plan overages and roaming charges while enjoying true mobility, with one phone and number, by using WiFi/dual-mode phones. But cost is only part of the appeal, these new communications applications enable increased efficiencies and collaboration with integration of soft clients and IT infrastructure such as Microsoft OCS into one converged network. Plus connecting to your service provider using a SIP trunk gives enterprises the ability to implement a crucial business continuity and disaster recovery plan. VoIP is Different These benefits do not come without a significant tradeoff as we can see by taking a step back and looking at what happened with Internet-based applications and communications. Because the Internet is an open system, any user can freely connect to it at any time from any place with little effort or oversight. This makes the Internet an untrusted network and a fertile breeding ground for a wide variety of malicious Security Best Practices for Enterprise VoIP 3

5 and unauthorized activities that can affect any enterprise, group, or user. Network protocols, operating systems, web browsers, clients and other applications are persistent targets of attacks. Real-time Peer-to-Peer Protocol and Feature Rich VoIP and Unified Communications are Different Separate signaling and media planes Low tolerance to false positives/negatives, non-availability and/or low quality Maintain call states in real-time for thousands of users with minimal QoS impact Figure 2: VoIP and Unified Communications are very different than data applications At the same time, it s important to understand that unified communications, including VoIP, are very different than web applications and , as shown in Figure 2. VoIP/UC is real-time by its very nature and involves maintaining several dozen states for thousands of users with minimal QoS impact. The protocols themselves, such as SIP, are feature-rich and involve the use of separate signaling and media planes which allow devices to talk peer-to-peer rather than the traditional client-server methods of the data world. Finally, there is an extremely low tolerance to false positives/negatives, non-availability or low quality as compared to the data world. It s easy to see that unified communications demand unique security best practices and a security solution that not only borrows applicable best security practices from the data world but adds specific VoIP/UC protection techniques that take into account the real-time, peer-to-peer, and feature-rich nature of these session-based protocols. But before we look at these VoIP/UC security best practices, it helps to understand the unique threats that a VoIP/UC network may face. VoIP/UC Security Risks and Vulnerabilities are Different As enterprises move to deploy unified communications, the traditionally closed phone network is now open to Internet-based software and connectivity. While this offers tremendous value and ubiquitous connectivity as shown above, it also makes the communications network prone to attacks similar to other Internet-based devices. More importantly, unlike other IP-based clients, the IP-based phone acts like a server in that it is always ready to receive calls so anyone can send unsolicited message to it and either ring it, cause a denial of service, or launch a variety of other attacks. Security Best Practices for Enterprise VoIP 4

6 In fact, VoIP networks have thousands of unique vulnerabilities that can be exploited to launch a variety of attacks. Over the last 4 years, the Sipera VIPER lab, which is comprised of knowledgeable VoIP and security developers, architects, and engineers, has identified over 20,000 threats that can be launched against SIP, UMA and IMS networks both endpoints and servers. Unique VoIP attacks as catalogued by Sipera VIPER Lab Signaling attacks on infrastructure SIP UMA IMS Fuzzing 3543 >20000 BNF Impractical Errors >4000 Syntax Errors >6000 Delimiter Errors >6000 Field Value Errors >3000 Context Dependent errors >1000 State Dependent errors >500 Reconnaissance Floods >30 47 >60 Distributed floods >30 32 >40 Total > >20108 Signaling attacks on end users SIP UMA IMS Misuse/spoofing Session anomalies Stealth Spam Total Media attacks RTP/RTCP/RTSP Fuzzing 10 Floods 4 Misuse/spoofing 7 Total 21 Table 1: Unique SIP, UMA and IMS vulnerabilities as catalogued by Sipera VIPER Lab All told, enterprises need to be aware of, and effectively protect their network from, these attacks against their infrastructure and the additional ones against end-users which are unique to unified communications. Some of the more prevalent and potentially damaging VoIP-specific threats include: Reconnaissance Unlike traditional phone networks, discovering VoIP endpoints and servers available on the corporate network is very easy and is generally the first step towards exploiting vulnerabilities and penetrating the network. Several well-known scanning tools may be used to discover VoIP endpoints and nodes in the network. Security Best Practices for Enterprise VoIP 5

7 Spoofing Several VoIP phones may accept requests from random source IP addresses without authenticating the sender. This vulnerability can be used to send spoofed messages directly to the phone. Either source IP address or application level information like caller ID can be spoofed. Additionally, malformed messages may be directed to the phone to exploit vulnerabilities. Eavesdropping There are several tools which may sniff data over networks. If the signaling and/or media traffic used for voice communication is not sufficiently encrypted, it may be possible to capture media packets and reconstruct an intelligible conversation. Weak Authentication Authentication mechanisms used in VoIP infrastructures may have implementation flaws. For example, it may not cross-check username in credentials with username requesting service access allowing usernames and caller-ids to be spoofed. Easy caller ID spoofing simplifies social engineering attacks. Signaling and Media Manipulation Unencrypted signaling channels can be easily sniffed to inject spoofed messages and either disconnect or redirect voice communication. Similarly, injecting specially crafted low volume media packets may be possible in unencrypted media channels to degrade voice quality. DoS/DDoS Flooding the phone with spoofed requests is a very simple and effective way to overwhelm the phone s protocol stack and cause denial of service (DoS). Some phones may even reboot when under such an attack. In the case of distributed DoS (DDoS) attacks, the attacker(s) will use multiple sources to launch the assault or a single source masquerading as multiple sources to attack the target system. Unique to VoIP phones is a low volume attack, called stealth DoS that causes the phone to ring continuously. VoIP Spam / Phishing VoIP spam or Spam-over-Internet Telephony (SPIT) is unsolicited and unwanted bulk messages broadcast over VoIP to an enterprise network s end-users. The cost of launching millions of such spam calls is greatly reduced compared to the cost using traditional telephone network. Additionally, phishing attacks have been seen which ask un-suspecting users to go to a particular web-site or call a specific number to verify their personal details and account information. Security Best Practices for Enterprise VoIP 6

8 Fuzzing Malicious users employ fuzzing techniques to create maliciously formatted messages to exploit vulnerabilities like buffer overflow, format string, and other implementation flaws. Several phones accept requests from random source IP address making it easier to send malicious packets to the phone directly by bypassing security mechanism employed at the server. Service Theft/Fraud Using spoofing, replayed authentication credentials and a whole host of other techniques it may be possible for hackers to steal the VoIP service for their own financial gain. A well-publicized incident of this occurred in June 2006 when Edwin Pena was charged for allegedly defrauding VoIP service providers to garner as much as $1 million from un-suspecting customers. Regulatory and Compliance Depending on the industry, unified communications may be subject to various regulatory requirements. In the US the most high-profile acts that may apply include the Sarbanes-Oxley Act (SOX), the Gramm- Leach-Bliley Act (GLBA), or the Health Insurance Portability and Accountability Act (HIPAA). Because your VoIP network is subject to all of the same security threats as the data network and several unique ones as outlined in this paper it s important to see how these regulatory requirements apply to your specific industry. VoIP-to-Data Exploits Even with fully deployed, traditional data security in place, it is also possible to launch a buffer overflow which allows an attacker hacker to take control of an enterprise softphone and get access to all the data that is stored on the victim s laptop. Furthermore, the attacker can also do following damage to victim s laptop: Copy the confidential data to a remote computer Delete the data Deny access to the data Change system registry Shutdown or reboot the laptop New VoIP-specific Threats The threats above are unique to VoIP when VoIP is compared to traditional phone systems and should obviously be a major concern to the enterprise as they transition their TDM network to VoIP/UC. While many of these threats are similar to data threats, such as spoofing, eavesdropping, and weak authentication, there are also new VoIP threats that are not found in either TDM or data networks and may be of bigger concern to the enterprise and require new VoIP/UC security best practices. These new VoIPspecific threats include: Security Best Practices for Enterprise VoIP 7

9 Gaining access to the network using a VoIP phone: The LAN port available on several VoIP phones can directly connect a malicious laptop to the private LAN. Exploiting the management interface of the VoIP phone: Several phones can be accessed over http and used to get into private call records and to initiate unauthorized calls. Negotiating less secure signaling and media encryption options: Unless a policy is enforced to ensure all calls are setup for media to be encrypted in the first place, a malicious phone that refuses to use SRTP will result in unencrypted media between the phones which makes it easy to eavesdrop into the coversation. Voic flooding: Unless a time-of-day based policy is applied, a VoIP voic server can be flooded with un-solicited messages to fill up everyone s voic boxes. Adopting and Enforcing VoIP/UC Security Best Practices So far, we have discussed numerous vulnerabilities in VoIP/UC applications that can be exploited to steal service, cause a denial of service, eavesdrop on the conversation, steal confidential data and cause other damage to data and VoIP networks. These attacks can be from external sources such as hackers, malicious users and spammers or internal threats from disgruntled employees, infected PCs or attachments. Despite these concerns, the enterprise should not shy away from extending their IP PBX and deploying unified communications. These issues are easily addressed through up front planning and assessment of risk, ongoing maintenance and proper configuration of the infrastructure, and installing a comprehensive VoIP security solution which proactively solves many of these security best practices. The best practices below may seem straightforward enough but, in spite of this white paper and several other documents on this topic, they are not always enforced or correctly followed. The reasons behind this may be budgets, time, misunderstandings, or even just apathy towards security. Whatever the reasons, leaving VoIP/UC networks unprotected makes it and the co-existing data networks vulnerable to numerous security threats. To truly secure data and VoIP/UC networks, enterprises must adopt and enforce some security best practices that are borrowed from data security but there are also new and unique VoIP/UC-specific security best practices that are even more important and will be explored first. Perform a VoIP/UC vulnerability assessment As part of your VoIP/UC planning, a thorough security assessment should be performed to identify the risks and potential vulnerabilities. These services should start with the discovery of all VoIP/UC Security Best Practices for Enterprise VoIP 8

10 assets, protocols, and applications on the networks which are then analyzed using the most up-to-date vulnerability information databases. If possible, a penetration test of the applications, infrastructure and devices themselves should be conducted to ensure they are protected from VoIP/UC-related attacks. Implementation of strong UC policies Defining groups and applying policies for each provides an additional layer of security within the VoIP/UC network and allows the enterprise IT manager to control who talks to whom using which device and from which network. To implement this best practice, it s imperative to be able to apply granular UC security policies based on network, user, device and time of day. This enables the policies to not only be strong but also flexible and ensure applications, users and devices are controlled. Police interconnection points with VoIP/UC-specific firewall VoIP/UC relies on opening and closing a range of media ports while signaling protocols use well-known ports on the firewall. To maintain security between the enterprise network and the Internet or between data and voice VLANs, firewalls that are VoIP-aware and track call state must be deployed to dynamically handle NAT (Network Address Translation) and inspect all traffic that goes through it. Even better, deploying a VoIP/UC security product that can simplify existing firewall rules and minimize the number of ports that must be opened makes the system even more secure. Apply sophisticated VoIP/UC-specific intrusion prevention techniques When implementing an intrusion prevention system, enterprise should look for those that are aware of the complex nature of VoIP/UC protocols, and can conduct detection, mitigation and prevention in realtime. Further, such a device should also be able to understand user behavior, as this is the most effective method of analyzing and eliminating false positives/negatives, which can be extremely damaging to the VoIP/UC service and user experience. Together, this intrusion prevention system (IPS) functionality proactively protects the VoIP/UC service from attacks, misuse and service abuse. Other VoIP/UC security best practices There are some additional best practices that are specific to VoIP/UC which are crucial to addressing the new VoIP-specific threats that are not seen in either TDM or data networks and include: Ensuring QoS while enforcing security. Disable LAN ports on VoIP phones since these ports can be used to connect a laptop and get directly onto enterprise LAN. For example, what if such a port is on a public lobby phone. Disable unencrypted signaling and media options on all phone to enforce TLS and SRTP encryption of the signaling and media at all times Have a strategy to keep the phone system available during emergencies Apply time-of-day security policies since some behavior which is not suspicious during day can be suspicious at night in a VoIP/UC system. Security Best Practices for Enterprise VoIP 9

11 Data security best practices needed for VoIP/UC Along with these new VoIP/UC-specific security best practices above, the following best practices borrowed from the data must also be implemented: Keep security patches up to date: Inadequate patching exposes the VoIP and data network to risks that could easily be avoided. Many attacks target software vulnerabilities and flaws in the implementation to achieve very specific and potentially damaging aims. A very systematic approach to monitoring and installing patches from the vendor must be formed and religiously followed to protect your assets. Install and maintain a good anti-virus system: Ensure all laptops, servers and other devices have a sophisticated anti-virus systems installed and updated regularly to prevent viruses, worms and other malware from affecting both the data and VoIP network. While existing anti-virus solutions do not adequately protect against VoIP attacks because it does not recognize them, you do want to ensure that a virus or worm does not impact the VoIP/UC network or applications from the data side as the infrastructures converge. Enforce strong authentication and encryption wherever possible: It s imperative that all signaling be encrypted but just as important is that all media be encrypted to ensure privacy and confidentiality of the conversation. At the same time, all end-points should be verified using digest, certificates or ideally 2-factor authentication techniques. Inbound calls should only be accepted from trusted or verifiable sources. Secure WiFi access points: Anyone implementing a WiFi network knows that you need to secure it and ensure only authorized endpoints have access and the traffic is encrypted. Now with WiFi/ dual-mode phones being deployed in the enterprise, similar precautions need to be taken to ensure no rogue devices gain access to the network for either VoIP or data communications. Use VLANs to keep voice and data traffic separate: By segmenting voice and data traffic using virtual LANs, VoIP traffic is prioritized resulting in lower latency and better quality. VLAN separation also helps to prevent data attacks from affecting the VoIP network. However, if you re rolling out soft clients, enabling Microsoft OCS or incorporating other collaboration applications then this separation will be far less effective as you need to allow voice traffic to go on the data VLAN and vice-versa which means you need to police the interconnection point. Security Best Practices for Enterprise VoIP 10

12 Comprehensive VoIP/UC Security Sitting at the edge of the enterprise network or in front of the IP PBX, as shown in Figure 3, a dedicated, comprehensive VoIP security applicance can address the most important and VoIP/UC-specific issues raised above and ensure best practices are followed. Hacker VOICE/DATA CENTER(S) IP PBX IP PBX Centralized EMS Spammer REMOTE WORKER VoIP Remote User Security SIP Trunk Security Internet IP PBX Security VISP Mobile Worker WAN PSTN Rogue Device HEADQUARTERS Infected PC Rogue Employee BRANCH(ES) Figure 3: A comprehensive VoIP security appliance can be deployed within the enterprise network to protect the IP PBX and securely enable VoIP remote users and SIP trunks. Such a purpose-built appliance must solve firewall/nat traversal, simplify firewall rules, terminate encrypted traffic to the enterprise when the VoIP phone is external to the enterprise, and offer finegrained policy enforcement to apply different security and call routing rules, based on user, device, access network and time of day. But, most importantly, any dedicated VoIP security solution should offer VoIP-specific IPS functionality to protect against signaling and media vulnerabilities through sophisticated security methodologies while maintaining the highest media quality. UC Threat Prevention UC Policy Compliance Secure UC Access Figure 4: Comprehensive VoIP/UC security includes 3 core pieces of functionality. Security Best Practices for Enterprise VoIP 11

13 The ideal comprehensive VoIP/UC security solution would incorporate three core pieces of functionality, as shown in Figure 4: UC threat prevention to ensure unique VoIP/UC attacks are proactively recognized, detected, and eliminated; UC policy compliance to enforce granular polices to all UC traffic based on user, device, network and time of day; and secure UC access to guarantee the privacy and authentication of all UC traffic to the enterprise and limit the number of ports open on existing firewalls. This functionality for comprehensively securing unified communications must include the following features: VoIP/UC Threat Prevention Floods and fuzzing prevention: Protection from volume based denial of service attacks and malformed message fuzzing attacks. Customized scrubbing rules detect and remove malformed messages which may crash, make it vulnerable or degrade the performance of the VoIP systems (servers and end points). Media anomaly prevention: Selectively enables the media traffic and enforces rules on the type of traffic carried based on the negotiated signaling and other configured policies (for example prevent video, prevent modem/fax). This also prevents bandwidth abuse. Spoofing prevention: Various validation techniques are applied to detect and prevent device and caller ID spoofing including the use of fingerprints for different protocol fields/messages which trigger further validations and verifications. Stealth attack prevention: Based on behavior learning, the product can detect nuisance/annoying calls to individual users and selectively block these calls. Stealth attacks are typically undetectable by traditional data security devices and SBCs that rely on rate-limiting. Reconnaissance prevention: It must monitor source behavior to detect application layer scans and block out the attackers. Spam protection: Unlike spam, where the content is available to perform text analysis, VoIP spam must be prevented by blocking a call even before the actual message is delivered. Compute and maintain network-wide caller trust scores and apply various policies to detect and protect against spammers, including VoIP Turing tests to identify machine generated calls. Signature updates: New signatures for detecting new known and potential attacks must be easily added to a central attack signatures database and automatically distributed to all appliances in the network. VoIP/UC Policy Compliance Whitelist/Blacklist: Used to allow/block specific endpoints based on caller identity, SIP URI, IP Address, or device name. Entire domains can also be blocked. Signaling Firewall: Signaling rules allow you to define the action to be taken (allow or deny) for each type of signaling request and response message. Signaling rules allow fine grained control over protocol headers, methods, and requests. Security Best Practices for Enterprise VoIP 12

14 Media Firewall: Media rules allow you to enforce RTP media packet parameters such as codec types (both audio and video), codec matching priority, firewall rules and NAT considerations. Application Control: Application rules allow you to enforce which types of and how many unified communication sessions are allowed for applications such as: voice, video, and/or IM. Call Routing Policies: Routing rules allow fine grained control over inbound packet transport settings, name server addresses and resolution methods, next hop routing information, and outbound packet transport types. Secure VoIP/UC Access Message integrity: Message integrity means that the recipient is assured that what they receive is exactly what the sender transmitted. This is achieved by standard HMAC techniques used in TLS and SRTP Privacy: Privacy prevents unauthorized network users to eavesdrop on data sent to and from the network by encrypting it, thereby assuring confidentiality to authorized users. This is achieved by standard encryption algorithms used by TLS and SRTP. Authentication: Authentication identifies the parties exchanging information and ensures each party can be sure of whom they are communicating with. This is achieved by using two-factor authentication such as RSA SecurID, exchanging digital certificates and/or encrypted password based digest authentication techniques. Replay protection: Replay protection ensures that transmitted data cannot be captured and replayed at another time. This is achieved by integrity protection of sequence numbers or random nonces. Firewall/NAT traversal: Media uses ephemeral UDP ports that need to be open during the call. Enforce signaling/media integrity by allowing media traffic to use only the negotiated port numbers while blocking all non-negotiated ports to prevent media attacks. And for remote users behind NAT, the VoIP Firewall must keep the port mapping on the remote NAT refreshed to be able to successfully connect new calls. Secure Firewall Channel: Tunnel VoIP/UC traffic to the IP PBX to ensure only one port is open in the internal firewall and that there is no access to other data services. This functionality is crucial to simplifying firewall rules and ensuring the security of the system making it a key advantage over traditional firewalls. Call Admission Control: Set limit on maximum number of simultaneous calls, bandwidth usage, and call rate for each network, domain, and user group. Security Best Practices for Enterprise VoIP 13