Threats to be considered (1) ERSTE GROUP

Transcription

1 VoIP-Implementation Lessons Learned Philipp Schaumann Erste Group Bank AG Group IT-Security Seite 1 Threats to be considered (1) Eavesdropping on voice or signalling traffic, either through sniffing, man-in-the-middle or other techniques Unauthorized silent participation in calls Denial of Service for voice traffic or phones (e.g. destination unavailable, call forwarding, etc.), QoS Attacks from the voice network /voice port into the data network (sniffing of data or network or switch config details, DoS, attacks against systems and data storage, etc.) Attacks from the switch-port of the phone to both networks Spoofing of phones using non-phone hardware to participate as unauthorized internal caller Spoofing of users, impersonation, voice session hijacking Modification to the caller ID functionality (faking other telephone numbers) Seite 2

2 Threats to be considered (2) Subverting phones through manipulation of their config files or their internal software (comparably easy for soft phones ) Unauthorized use of the CTI, JTAPI and TAPI functionality (modifying configs or accessing signalling or traffic information) Loss of emergency call functionality in case of power failures Spam against voice mailboxes, including phishing attacks Attacks over the boundary between the VoIP-network and the SS7- networks (PSTN, traditional phone provider), both directions Unauthorized change regarding whether to record or not-record a call Using the recording functionality to route voice traffic to unauthorized systems Manipulation of already recorded calls (modification, deletion) in the archive Unauthorized access to the phone call archive Seite 3 VoIP Security is Communication Security Who is Who in your network? Is everybody authenticated? Is everybody talking on a secure channel? Seite 5

3 Authent. Protocols and Mechanisms How to ensure that we know who to talk to? Record. Box Voice GW PSTN PSTN Auth. Box Device Authentication User Authentication PBX PBX Device Authentication IP Phone Support f. X.509 Support for 802.1x, how? IP Phone Question: How is the authentication between each of the components implemented (component authentication) and how are the users authenticated? PIN, Token, Support f. X.509 Seite 6 Communication Protocols How is the Encryption Handled? Record. Box Signal Traffic/ CTL Voice GW Signal Traffic/CTL PSTN PSTN Auth. Box PBX Signal Traffic PBX Voice Traffic Signal Traffic IP Phone IP Phone Voice Traffic Seite 7

4 VoIP Security is Network Security You are introducing some very flexible devices into your network You are introducing connection points that you don t physically control You are opening some very new attack possibilities How to secure the network(s)? Are voice and data really separated? How to administer the networ(s)? Seite 8 The Big-Picture Multiple Security Zones Server Zone Call Mgr Voice Recorder Voice Mail Presence Server GW to PSTN Web Access to the server zone???? Voice-aware Firewall voice VLAN / server LAN voice truncs to branches and other countries (MPLS) voice VLAN + VLAN Switch-Port Configuration User Zone Seite 9

5 Separation of Voice and Data on LAN Security Challenge Switch-Port Bad news: the MS Windows IP-stack does not support this Disable DTP (dynamic truncing) on untrusted ports Accept Bridge Protocol Data Units (BPDUs) only on trusted ports Graphics Curtesy of Cisco Seite 10 Port Security in the Switch Various Options IEEE 802.1x (with several authentication options - EAP- TLS or PEAP, but needs to be supported in the devices and comes with challenges regarding multiple domains - fallback is MAB (MAC authentication bypass)) static CAM table dynamic CAM (sticky option, max. no. of MACs per port) Graphics Curtesy of Cisco Seite 11

6 DHCP Security DHCP traffic only on trusted ports Enable DHCP Snooping Graphics Curtesy of Cisco Seite 12 Administration Multiple Security Zones Admin LAN Server Zone Call Mgr Voice Recorder Voice Mail Presence Server GW to PSTN voice VLAN / server LAN Voice-aware Firewall voice truncs to branches and other countries (MPLS) voice VLAN + VLAN Admin LAN User Zone Seite 13

7 VoIP Security is Device Security You are introducing some very flexible devices into your network You are opening some very new attack possibilities How to secure the devices? Can you trust them? Why actually?? Seite 14 Device Security Can somebody change the software or config that is stored in the devices, loaded into the device? Hardware Phones Soft Phones (??) Signed, but who checks the signature?? Seite 15

8 Secure Configuration Graphics Curtesy of Cisco Seite 16 Secure Deployment Cisco Discovery Protocol (CDP) Easy way to configure the devices and to allow for later flexibility But it is executed BEFORE IEEE 802.1x Use with great care! Employ additional checks if available (e.g. power consumption, voice traffic recognition,.) Seite 17

9 VoIP Security is Planning Security The Design Workshop (1) How exactly will the system be implemented? What authentication is used where What encryption is used where (SRTP, TLS, Ipsec) Recording, Voice Mail, Music-on-Hold, Separation of Voice and Data IP-Layout Passing through the Firewalls (NAT-challenge) Seite 18 The Design Workshop (2) How exactly will the system be implemented? Phone Security Deployment and Enrolment of Phones Deployment of Certificates, Distribution of PIN and Passwords,.. Dialing Plan Seite 19

10 Questions Seite 20