Villains and Voice Over IP

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Villains and Voice Over IP"

Transcription

1 Villains and Voice Over IP Heather Bonin ECE 578 March 7, 2004

2 Table of Contents Introduction... 3 How VOIP Works... 3 Ma Bell and her Babies... 3 VoIP: The New Baby on the Block... 3 Security Issues... 4 Availability... 4 Authentication... 8 Confidentiality... 8 Integrity Conclusions References

3 Introduction Vonage, Skype, Verizon, SpeakEasy, Yak, 3Com. The list of VoIP (Voice Over Internet Protocol) service providers goes on, as companies jump in to capitalize on this long-anticipated technology. However, like many technologies the race has been to deploy it successfully and worry about security later. This paper presents a brief overview of how VoIP works and then describes the types of security vulnerabilities VoIP systems face. How VOIP Works Ma Bell and her Babies The telephone network we re all familiar with, once symbolized by Ma Bell and often referred to as POTS (plain old telephone service) or the PSTN (public switched telephone network), involves large bandwidth requirements, complex signaling, and expensive telephone switches. Although the complicated, inefficient and proprietary nature of POTS is a major drawback, these characteristics have historically protected POTS from security attacks. In addition to relative security, users also expect Ma Bell to be there whenever they pick up the phone. The level of reliability demanded of telephone service is vastly greater than that demanded by users of a data network. VoIP: The New Baby on the Block VoIP comprises the software, hardware, and standards (protocols) necessary to digitize voice and sends it as data packets over networks that use standard components 3

4 such as routers, network switches, gateways, and firewalls. The use of standard components and data compression techniques greatly reduces the cost and bandwidth of VoIP and makes rapid implementation easy [Goode 2002]. However, combining the voice and data networks not only exposes voice communication to new security threats, it also transfers responsibility for voice communication security from the traditional carrier such as Ma Bell to the enterprise (and its IT staff) [Tanase 2004]. Security Issues Because VoIP sends voice as data packets one fear is that IT professionals will assume that they can simply add VoIP components to their networks and continue to take the exact same security precautions they always have to make their networks secure. The remainder of this paper will address the new challenges enterprises and IT professionals face when implementing VoIP. These challenges are roughly divided into the types of attacks that may be encountered attacks on availability, confidentiality/privacy, authentication, and integrity with the understanding that often there is overlap among these categories. Availability Denial of service (DoS) attacks are common on networks. For the first time, telephone service is easily subject to these types of attacks, and users expectation that the telephone work during emergencies (call 911) makes securing VoIP against availability attacks of paramount importance. 4

5 Power loss is the ultimate DoS attack. To avoid this vulnerability, the entire physical VoIP network must be secured, redundant and provided with a backup power source. Note that if the power is out, and the VoIP is connected with digital service only, calls outside the network will fail. Thus, a good safeguard is to always have a few analog lines within the VoIP system, to make sure that emergency calls can always be placed [Robles 2004]. Controlling telephone access to the network and services is also necessary to avoid a DoS attack. If an attacker can gain access to any part of the communication network, they can overwhelm the system with bogus messages, which at the least, will slow performance and at worst result in a DoS [Kuhn et al. 2005]. VoIP networks are particularly vulnerable to these types of attacks because the Quality of Service requirement of telephone voice transmission is much greater than that for data networks since packet loss and delay are not tolerated in voice transmission. Segmenting the VoIP network from an enterprise s data network using VLAN (virtual local area network) technology is one recommended practice to reduce DoS attacks. Controlling access between segments can also filter out spoofed (unknown) devices and keep them from connecting to other segments. However, the greatest value of segmenting is the ability to use a NIDS (network intrusion detection system) to monitor against attacks [Halpern 2003]. Within the VLAN, IP phones should have their own DHCP server so that if a DoS attack on the data network occurs, critical phone services will be unaffected [Robles 2004]. Typically IP phones use DHCP (dynamic host control protocol) to get an IP 5

6 address; DHCP servers are prone to denial of service attacks that result in IP address starvation. An attacker can also force a system reboot by repeatedly overloading the login and password buffers from a remote login terminal. Doing so results not only in a DoS attack but also may revert passwords back to defaults or do a memory dump of critical parameters, creating new system vulnerabilities. To protect against this type of attack, the VoIP system must be protected by a firewall [Kuhn et al. 2005]. Because the call servers open and close ports for new connections continuously, managing the access controls for a firewall for VoIP is a challenge [Tanase 2004]. According to Cisco, for most networks, securing all connections between the data and voice segments by using a stateful firewall is not possible because in most enterprises, multiple data and voice segments exist, often on the same switch. In these cases, at the very least, PC-based IP phones should not be used because PC-based IP phones are datasegment based (and thus susceptible to any attack against the data segment) but require access to the voice segment for call control [Halpern 2003]. For example, the Code-Red and Nimda viruses launched a successful DoS attack against PC-based IP phone systems [Halpbern 2003]. connections: According to Cisco, a firewall should control the following VoIP system The voic system when placed in the data segment connecting to the callprocessing manager in the voice segment 6

7 IP phones in a voice segment connecting to the call-processing manager in another voice segment for call establishment control and configuration IP phones in the voice segment connecting to the voic system when placed in the data segment IP phones in the voice segment browsing resources via the proxy server in the voice segment Users in the data segment browsing the call-processing manager in the voice segment Proxy server in the voice segment accessing resources in the data segment PC-based IP phones in the data segment accessing the call-processing manager in the voice segment for call establishment PC-based IP phones in the data segment accessing the voic system when placed in the voice segment Note that a firewall will not protect against IP and MAC spoofing where an attacker uses a valid IP and MAC address and modifies packet headers so that the message appears to come from the valid user. This type of attack involves a breach in authentication and integrity. Like switches, VoIP phones often have a default login/password combination that allows a user to modify network information [Kuhn et al. 2005]. If default password combinations (such as admin/admin or root/root) are not changed, an attacker could launch a full-scale DoS attack or opt for a less obvious attack such as port mirroring whereby the attacker can intercept all phone conversations. Like any system, VoIP software is vulnerable to attack due to flaws that can be exploited (such as crashing the system by sending packets with specially designed headers) and introduction of malicious code to create a DoS. Vigilance in installing software patches immediately upon their release is necessary to reduce the possibility of 7

8 attacks. Likewise, most call processing servers are based on general-purpose OSs and should be hardened. Server hardening (eliminating vulnerabilities) includes applying service packs and patches and removing unnecessary services and features, and may be done with a vulnerability scanning tool. The servers should also have a minimal number of jobs running. Authentication Requiring user authentication mitigates the risks of toll fraud where a nonauthorized telephone is allowed to use the network and services. Authenticating each user with a password (as long as it s well chosen and long enough) is the best way to ensure authentication, however users may rebel against having to remember yet another password. Other ways to reduce toll fraud are the use of a dedicated DHCP server and mapping MAC addresses to IP addresses on the DCHP server so that each telephone always boots from the same address; both these efforts make it harder for an imposter to use the network. Also, at the call processing server, new devices should be added manually to the network instead of using an auto-registration function [Robles 2004]. Toll fraud is just one type of threat an unauthorized user can accomplish. Eavesdropping, impersonation, and repudiation are also a concern when users are not properly authenticated. Confidentiality Using POTS, eavesdropping was typically done by physically wire tapping the phone line or switch. The data network used for VoIP is much more susceptible to eavesdropping because an attacker that can gain access to any point of the network can 8

9 possibly capture the IP data stream. However that does not mean that the security of the VoIP physical infrastructure should be ignored. Hubs on IP phones should be disabled and a notification system for alerting IT administrators when an IP phone has been disconnected from the network should be employed. In general, the entire physical system, including mobile phone units, should fall under a comprehensive security policy to limit traditional phone tapping [Kuhn et al. 2005]. As discussed under Availability, switches typically have default login/password combinations. If the default is not changed, an attacker can mirror all packets on one port to another and thereby eavesdrop on conversation and remain unnoticed (it is hard to remain unnoticed when physically wiretapping Ma Bell.) Port mirroring can be disabled. Cisco recommends mitigating against ARP cache poisoning and flooding as well. An ARP command is used to find addresses. An attacker can corrupt the ARP cache by flooding it with ARP commands. Once the cache is corrupted, an attacker can reroute voice traffic to eavesdrop. This type of attack is mitigated by using strong authentication. Web services used for remote administration are another area of vulnerability that may expose plaintext HTTP packets containing sensitive information to attackers. A simple way to reduce eavesdropping is to use the HTTPS with Secure Socket Layer protocol instead of HTTP. Even when VoIP is implemented on its own separate VLAN, eavesdropping is possible using tools such as DSNIFF (a collection of tools to passively monitor a network for interesting data such as passwords that handles FTP, Telnet, HTTP, POP, etc.) [Duffy 9

10 2001] to listen to traffic on all segments, effectively turning a switched medium into a shared one. An attacker can then take the IP phone conversation trace captured using UNIX s tool tcpdump and use VOMIT (voice over misconfigured Internet telephones) to change the VoIP data into playable.wav files [Halpern 2003]. Encryption is certainly the best way to mitigate against eavesdropping, and also helps defend against packet replay attacks. Attackers can still sniff data, but they can t read it. Two options for encryption are SRTP (secure real-time protocol) used at the session layer, or IPSec VPN (IP Security virtual private network) at the transport layer. However, encryption has a down-side a main attraction of VoIP is its performance and Quality of Service: and encryption carries large bandwidth penalties particularly for the gateway. It is critical when using encryption to have a dedicated encryption processor and to choose an efficient algorithm. Solely encrypting communication is not sufficient; an end-to-end solution must be incorporated that includes encryption of the firmware in IP telephones using SRTP, otherwise confidentiality can still be compromised. Note that SRTP does not do authentication whereas IPSec does [Tanase 2004]. Of course, information about the call itself (such as incoming and outgoing calls and their duration) might be almost as important as the content of the call [Tanase 2004], and protecting these data can be a challenge. 10

11 Integrity Maintaining integrity means thwarting malicious attackers as well as protecting against unauthorized actions by authorized users. Man-in-the-middle attacks on the IP gateway and IP phone are possible and can result in identity theft or call redirection. In a man-in-the-middle attack, detecting any change to call parameters can be difficult to thwart against [Tanase 2004]. When an IP phone reboots and requests a DHCP response, an attacker can initiate a response that includes false information from a bogus DHCP server [Kuhn et al. 2005]. Attacks that make a phone reboot have previously been discussed, and include MAC spoofing and ping flooding. Again, using a DHCP server with static IP addresses will protect the system from some but not all of these attacks. Some attacks are based on vulnerabilities of the actual protocols used in VoIP, such as SIP (session initiation protocol) and H.323 [Goode 2002]. SIP and H.323 are peer-to-peer protocols used to setup, maintain, and terminate calls. Buffer overflow can be accomplished by placing invalid data in SIP headers [Tucker 2004]. As VoIP rises in popularity its protocols are being put to the test; in fact, different protocols such as SIP and H.323 are still competing for ascendancy, requiring companies to squander resources that could go toward making their product resistant to attacks in order to take multiple protocols into consideration during development. 11

12 Conclusions Hardware, software, and protocols for VoIP are still in development and thus a comprehensive understanding of all the security challenges VoIP faces is currently impossible. The race to develop these components and be first in the market has also made creating secure systems a secondary priority. User requirements for VoIP such as the Quality of Service and emergency access make implementing security solutions and protecting VoIP systems more challenging as well. However, there are four keys to securing a VoIP system from attacks. The first is to encrypt voice packets and the rest of the VoIP system. The second is to segment the VoIP system from the data network and control access between the voice and data segments using a firewall. The third is to constantly monitor all parts of the network and make sure they are up to current security standards. The fourth is to authenticate VoIP system users. Undertaking these major efforts will prevent a majority of confidentiality, availability, integrity and authentication breaches. 12

13 References Duffy, R Finding DSNIFF on Your Network. SANS Reading Room. Goode, B Voice over Internet Protocol (VoIP). Proceedings of the IEEE. 90: 9. Halpern, J SAFE: IP Telephony Security in Depth. Cisco Systems, Inc. Kuhn, D., Walsh, J., and S. Fries Security Considerations for Voice Over IP Systems: Recommendations of the National Institute of Standards and Technology. NIST Special Publications Robles, F The VoIP Dilemma. SANS Institute, Information Security Reading Room. Tanase, M Voice over IP Security. Tucker, G Voice over Internet Protocol (VoIP) and Security. SANS Institute, Information Security Reading Room. 13

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method. A Brief Overview of VoIP Security By John McCarron Voice of Internet Protocol is the next generation telecommunications method. It allows to phone calls to be route over a data network thus saving money

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

Voice over IP. VoIP (In) Security. Presented by Darren Bilby NZISF 14 July 2005

Voice over IP. VoIP (In) Security. Presented by Darren Bilby NZISF 14 July 2005 Voice over IP VoIP (In) Security Presented by Darren Bilby NZISF 14 July 2005 Security-Assessment.com Who We Are NZ s only pure-play security firm Largest team of security professionals in NZ Offices in

More information

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,

More information

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Cconducted at the Cisco facility and Miercom lab. Specific areas examined Lab Testing Summary Report July 2009 Report 090708 Product Category: Unified Communications Vendor Tested: Key findings and conclusions: Cisco Unified Communications solution uses multilayered security

More information

The Trivial Cisco IP Phones Compromise

The Trivial Cisco IP Phones Compromise Security analysis of the implications of deploying Cisco Systems SIP-based IP Phones model 7960 Ofir Arkin Founder The Sys-Security Group ofir@sys-security.com http://www.sys-security.com September 2002

More information

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005 SCADA System Security ECE 478 Network Security Oregon State University March 7, 2005 David Goeke Hai Nguyen Abstract Modern public infrastructure systems

More information

Voice Over IP (VoIP) Denial of Service (DoS)

Voice Over IP (VoIP) Denial of Service (DoS) Introduction Voice Over IP (VoIP) Denial of Service (DoS) By Mark Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com Denial of Service (DoS) is an issue for any IP network-based

More information

ICANWK406A Install, configure and test network security

ICANWK406A Install, configure and test network security ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with

More information

Attachment Q5. Voice over Internet Protocol (VoIP)

Attachment Q5. Voice over Internet Protocol (VoIP) DHS 4300A Sensitive Systems Handbook Attachment Q5 To Handbook v. 11.0 Voice over Internet Protocol (VoIP) Version 11.0 December 22, 2014 Protecting the Information that Secures the Homeland This page

More information

Data Security in a Converged Network

Data Security in a Converged Network Data Security in a Converged Network A Siemens White Paper Author: Contributors: Joel A. Pogar National Practice Manager Secure Network Services Joel.Pogar@icn.siemens.com Jeff Corcoran Solutions Architect,

More information

Ron Shuck, CISSP, CISM, CISA, GCIA Infrastructure Security Architect Spirit AeroSystems

Ron Shuck, CISSP, CISM, CISA, GCIA Infrastructure Security Architect Spirit AeroSystems Ron Shuck, CISSP, CISM, CISA, GCIA Infrastructure Security Architect Spirit AeroSystems VOIP Components Common Threats How Threats are Used Future Trends Provides basic network connectivity and transport

More information

CPNI VIEWPOINT 02/2007 ENTERPRISE VOICE OVER IP

CPNI VIEWPOINT 02/2007 ENTERPRISE VOICE OVER IP ENTERPRISE VOICE OVER IP AUGUST 2007 Abstract Voice over IP (VoIP) is the term used for a set of technologies that enable real time voice or video conversations to take place across IP networks. VoIP devices

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Basics of Internet Security

Basics of Internet Security Basics of Internet Security Premraj Jeyaprakash About Technowave, Inc. Technowave is a strategic and technical consulting group focused on bringing processes and technology into line with organizational

More information

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security? 7 Network Security 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework 7.4 Firewalls 7.5 Absolute Security? 7.1 Introduction Security of Communications data transport e.g. risk

More information

VOIP THE ULTIMATE GUIDE VERSION 1.0. 9/23/2014 onevoiceinc.com

VOIP THE ULTIMATE GUIDE VERSION 1.0. 9/23/2014 onevoiceinc.com VOIP THE ULTIMATE GUIDE VERSION 1.0 9/23/2014 onevoiceinc.com WHAT S IN THIS GUIDE? WHAT IS VOIP REQUIREMENTS OF A VOIP SYSTEM IMPLEMENTING A VOIP SYSTEM METHODS OF VOIP BENEFITS OF VOIP PROBLEMS OF VOIP

More information

Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA

Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA A Seminar report On Packet Sniffers Submitted in partial fulfillment of the requirement for the award of degree Of MCA SUBMITTED TO: www.studymafia.org SUBMITTED BY: www.studymafia.org Preface I have made

More information

IP Phone Security: Packet Filtering Protection Against Attacks. Introduction. Abstract. IP Phone Vulnerabliities

IP Phone Security: Packet Filtering Protection Against Attacks. Introduction. Abstract. IP Phone Vulnerabliities W H I T E P A P E R By Atul Verma Engineering Manager, IP Phone Solutions Communications Infrastructure and Voice Group averma@ti.com Introduction The advantages of a converged voice and data network are

More information

VOICE OVER IP SECURITY

VOICE OVER IP SECURITY VOICE OVER IP SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats Achieving Truly Secure Cloud Communications How to navigate evolving security threats Security is quickly becoming the primary concern of many businesses, and protecting VoIP vulnerabilities is critical.

More information

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7

20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7 20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic

More information

Ingate Firewall/SIParator SIP Security for the Enterprise

Ingate Firewall/SIParator SIP Security for the Enterprise Ingate Firewall/SIParator SIP Security for the Enterprise Ingate Systems February, 2013 Ingate Systems AB (publ) Tel: +46 8 600 77 50 BACKGROUND... 1 1 NETWORK SECURITY... 2 2 WHY IS VOIP SECURITY IMPORTANT?...

More information

Voice over IP Security

Voice over IP Security Voice over IP Security Patrick Park Cisco Press Cisco Press 800 East 96th Street Indianapolis, Indiana 46240 USA vii Contents Introduction xvii Part I VoIP Security Fundamentals 3 Chapter 1 Working with

More information

CPNI VIEWPOINT 01/2007 INTERNET VOICE OVER IP

CPNI VIEWPOINT 01/2007 INTERNET VOICE OVER IP INTERNET VOICE OVER IP AUGUST 2007 Abstract Voice over IP (VoIP) is the term used for a set of technologies that enable real time voice or video conversations to take place across IP networks. VoIP devices

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

VoIP Security Challenges: 25 Ways to Secure your VoIP Network from Versign Security, Dec 01, 2006

VoIP Security Challenges: 25 Ways to Secure your VoIP Network from Versign Security, Dec 01, 2006 VoIP Security Challenges: 25 Ways to Secure your VoIP Network from Versign Security, Dec 01, 2006 VoIP technology has the tech geeks buzzing. It has been touted as: - the killer of telecoms - a solution

More information

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs

Network Security. 1 Pass the course => Pass Written exam week 11 Pass Labs Network Security Ola Lundh ola.lundh@hh.se Schedule/ time-table: landris.hh.se/ (NetwoSec) Course home-page: hh.se/english/ide/education/student/coursewebp ages/networksecurity cisco.netacad.net Packet

More information

VoIP Security Threats and Vulnerabilities

VoIP Security Threats and Vulnerabilities Abstract VoIP Security Threats and Vulnerabilities S.M.A.Rizvi and P.S.Dowland Network Research Group, University of Plymouth, Plymouth, UK e-mail: info@network-research-group.org This paper presents the

More information

Security and Risk Analysis of VoIP Networks

Security and Risk Analysis of VoIP Networks Security and Risk Analysis of VoIP Networks S.Feroz and P.S.Dowland Network Research Group, University of Plymouth, United Kingdom e-mail: info@network-research-group.org Abstract This paper address all

More information

Securing SIP Trunks APPLICATION NOTE. www.sipera.com

Securing SIP Trunks APPLICATION NOTE. www.sipera.com APPLICATION NOTE Securing SIP Trunks SIP Trunks are offered by Internet Telephony Service Providers (ITSPs) to connect an enterprise s IP PBX to the traditional Public Switched Telephone Network (PSTN)

More information

Packet Sniffing on Layer 2 Switched Local Area Networks

Packet Sniffing on Layer 2 Switched Local Area Networks Packet Sniffing on Layer 2 Switched Local Area Networks Ryan Spangler ryan@packetwatch.net Packetwatch Research http://www.packetwatch.net December 2003 Abstract Packet sniffing is a technique of monitoring

More information

Cisco Advanced Services for Network Security

Cisco Advanced Services for Network Security Data Sheet Cisco Advanced Services for Network Security IP Communications networking the convergence of data, voice, and video onto a single network offers opportunities for reducing communication costs

More information

VoIP Security: How Secure is Your IP Phone?

VoIP Security: How Secure is Your IP Phone? VoIP Security: How Secure is Your IP Phone? Dan York, CISSP Director of IP Technology, Office of the CTO Chair, Mitel Product Security Team Member, Board of Directors, VoIP Security Alliance (VOIPSA) ICT

More information

T.38 fax transmission over Internet Security FAQ

T.38 fax transmission over Internet Security FAQ August 17, 2011 T.38 fax transmission over Internet Security FAQ Give me a rundown on the basics of T.38 Fax over IP security. Real time faxing using T.38 SIP trunks is just as secure as sending faxes

More information

Implementing Cisco Unified Communications Security (UCSECv1.0)

Implementing Cisco Unified Communications Security (UCSECv1.0) Implementing Cisco Unified Communications Security (UCSECv1.0) Course Objectives Identify vulnerabilities in Cisco Unified Communications networks and describe security strategies, cryptographic services,

More information

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance

VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance VOIP for Telerehabilitation: A Risk Analysis for Privacy, Security, and HIPAA Compliance Valerie J.M. Watzlaf, PhD, RHIA, FAHIMA, Sohrab Moeini, MS, and Patti Firouzan, MS, RHIA Department of Health Information

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module

CS 665: Computer System Security. Network Security. Usage environment. Sources of vulnerabilities. Information Assurance Module CS 665: Computer System Security Network Security Bojan Cukic Lane Department of Computer Science and Electrical Engineering West Virginia University 1 Usage environment Anonymity Automation, minimal human

More information

Chapter 8 Router and Network Management

Chapter 8 Router and Network Management Chapter 8 Router and Network Management This chapter describes how to use the network management features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. These features can be found by

More information

VoIP Resilience and Security Jim Credland

VoIP Resilience and Security Jim Credland VoIP Resilience and Security Jim Credland About THUS plc Provider and user of VoIP and Soft Switch technologies Developing Enterprise Security Standards NISCC VoIP Working Group Security Considerations

More information

An outline of the security threats that face SIP based VoIP and other real-time applications

An outline of the security threats that face SIP based VoIP and other real-time applications A Taxonomy of VoIP Security Threats An outline of the security threats that face SIP based VoIP and other real-time applications Peter Cox CTO Borderware Technologies Inc VoIP Security Threats VoIP Applications

More information

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN)

a) Encryption is enabled on the access point. b) The conference room network is on a separate virtual local area network (VLAN) MIS5206 Week 12 Your Name Date 1. Which significant risk is introduced by running the file transfer protocol (FTP) service on a server in a demilitarized zone (DMZ)? a) User from within could send a file

More information

Security. TestOut Modules 12.6 12.10

Security. TestOut Modules 12.6 12.10 Security TestOut Modules 12.6 12.10 Authentication Authentication is the process of submitting and checking credentials to validate or prove user identity. 1. Username 2. Credentials Password Smart card

More information

Best Practices for Securing IP Telephony

Best Practices for Securing IP Telephony Best Practices for Securing IP Telephony Irwin Lazar, CISSP Senior Analyst Burton Group Agenda VoIP overview VoIP risks Mitigation strategies Recommendations VoIP Overview Hosted by VoIP Functional Diagram

More information

Network Access Security. Lesson 10

Network Access Security. Lesson 10 Network Access Security Lesson 10 Objectives Exam Objective Matrix Technology Skill Covered Exam Objective Exam Objective Number Firewalls Given a scenario, install and configure routers and switches.

More information

Security Guidance for Deploying IP Telephony Systems

Security Guidance for Deploying IP Telephony Systems Report Number: I332-016R-2005 Security Guidance for Deploying IP Telephony Systems Systems and Network Attack Center (SNAC) Released: 14 February 2006 Version 1.01 SNAC.Guides@nsa.gov ii This Page Intentionally

More information

CPNI VIEWPOINT 03/2007 HOSTED VOICE OVER IP

CPNI VIEWPOINT 03/2007 HOSTED VOICE OVER IP HOSTED VOICE OVER IP AUGUST 2007 Abstract Voice over IP (VoIP) is the term used for a set of technologies that enable real time voice or video conversations to take place across IP networks. VoIP devices

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

DEPLOYING VoIP SECURELY

DEPLOYING VoIP SECURELY DEPLOYING VoIP SECURELY Everyone knows that Voice-over-IP (VoIP) has been experiencing rapid growth. Even still, you might be surprised to learn that: 10% of all voice traffic is now transmitted with VoIP

More information

VoIP Security regarding the Open Source Software Asterisk

VoIP Security regarding the Open Source Software Asterisk Cybernetics and Information Technologies, Systems and Applications (CITSA) 2008 VoIP Security regarding the Open Source Software Asterisk Prof. Dr.-Ing. Kai-Oliver Detken Company: DECOIT GmbH URL: http://www.decoit.de

More information

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006 WIRELESS SECURITY Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Wireless LAN Security Learning Objectives Students should be able

More information

Ten Deadly Sins in Wireless Security

Ten Deadly Sins in Wireless Security Ten Deadly Sins in Wireless Security The emergence and popularity of wireless devices and wireless networks has provided a platform for real time communication and collaboration. This emergence has created

More information

Voice Over Internet Protocol (VOIP) SECURITY. Rick Kuhn Computer Security Division National Institute of Standards and Technology

Voice Over Internet Protocol (VOIP) SECURITY. Rick Kuhn Computer Security Division National Institute of Standards and Technology Voice Over Internet Protocol (VOIP) SECURITY Rick Kuhn Computer Security Division National Institute of Standards and Technology What is VOIP? Voice Over Internet Protocol Voice Communications over data-style

More information

VOIP SECURITY ISSUES AND RECOMMENDATIONS

VOIP SECURITY ISSUES AND RECOMMENDATIONS VOIP SECURITY ISSUES AND RECOMMENDATIONS Sathasivam Mathiyalakan MSIS Department, College of Management, University of Massachusetts Boston Phone: (617) 287 7881; Email: Satha.Mathiyalakan@umb.edu ABSTRACT

More information

Introduction of Intrusion Detection Systems

Introduction of Intrusion Detection Systems Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:

More information

Networking for Caribbean Development

Networking for Caribbean Development Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n

More information

Beyond Quality of Service (QoS) Preparing Your Network for a Faster Voice over IP (VoIP)/ IP Telephony (IPT) Rollout with Lower Operating Costs

Beyond Quality of Service (QoS) Preparing Your Network for a Faster Voice over IP (VoIP)/ IP Telephony (IPT) Rollout with Lower Operating Costs Beyond Quality of Service (QoS) Preparing Your Network for a Faster Voice over IP (VoIP)/ IP Telephony (IPT) Rollout with Lower Operating Costs Beyond Quality of Service (QoS) Cost Savings Unrealized THE

More information

THE TOP SECURITY QUESTIONS YOU SHOULD ASK A CLOUD COMMUNICATIONS PROVIDER

THE TOP SECURITY QUESTIONS YOU SHOULD ASK A CLOUD COMMUNICATIONS PROVIDER THE TOP SECURITY QUESTIONS YOU SHOULD ASK A CLOUD COMMUNICATIONS PROVIDER How to ensure a cloud-based phone system is secure. BEFORE SELECTING A CLOUD PHONE SYSTEM, YOU SHOULD CONSIDER: DATA PROTECTION.

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

Voice over IP (VoIP) Vulnerabilities

Voice over IP (VoIP) Vulnerabilities Voice over IP (VoIP) Vulnerabilities The Technical Presentation Diane Davidowicz NOAA Computer Incident Response Team N-CIRT diane.davidowicz@noaa.gov "Security problems in state of the art IP-Telephony

More information

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network 10 Key Things Your Firewall Should Do When voice joins applications and data on your network Table of Contents Making the Move to 3 10 Key Things 1 Security is More Than Physical 4 2 Priority Means Clarity

More information

Strategies to Keep Your VoIP Network Secure

Strategies to Keep Your VoIP Network Secure V OIP NETWORK SECURITY VoIP enterprise deployments need strategies to help provide a balance between security and ease of use. Wesley Chou Strategies to Keep Your VoIP Network Secure A s VoIP technology

More information

Chapter 8 Security Pt 2

Chapter 8 Security Pt 2 Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,

More information

Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications

Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications Draft ITU-T Recommendation X.805 (Formerly X.css), architecture for systems providing end-to-end communications Summary This Recommendation defines the general security-related architectural elements that

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

IBM Managed Security Services Vulnerability Scanning:

IBM Managed Security Services Vulnerability Scanning: IBM Managed Security Services August 2005 IBM Managed Security Services Vulnerability Scanning: Understanding the methodology and risks Jerry Neely Network Security Analyst, IBM Global Services Page 2

More information

AppDirector Load balancing IBM Websphere and AppXcel

AppDirector Load balancing IBM Websphere and AppXcel TESTING & INTEGRATION GROUP SOLUTION GUIDE AppDirector Load balancing IBM Websphere and AppXcel INTRODUCTION...2 RADWARE APPDIRECTOR...3 RADWARE APPXCEL...3 IBM WEBSPHERE...4 SOLUTION DETAILS...4 HOW IT

More information

Network Security. Computer Security & Forensics. Security in Compu5ng, Chapter 7. l Network Defences. l Firewalls. l Demilitarised Zones

Network Security. Computer Security & Forensics. Security in Compu5ng, Chapter 7. l Network Defences. l Firewalls. l Demilitarised Zones Network Security Security in Compu5ng, Chapter 7 Topics l Network AAacks l Reconnaissance l AAacks l Spoofing l Web Site Vulnerabili5es l Denial of Service l Network Defences l Firewalls l Demilitarised

More information

Internet Security ECOM 5347 Lab 1 Sniffing. Sniffing. Become aware of a class of vulnerabilities known as sniffing. Learn how to use a sniffer tool.

Internet Security ECOM 5347 Lab 1 Sniffing. Sniffing. Become aware of a class of vulnerabilities known as sniffing. Learn how to use a sniffer tool. Objectives Sniffing Become aware of a class of vulnerabilities known as sniffing. Learn how to use a sniffer tool. What is a packet sniffer? Sniffing is eavesdropping on the network and A packet sniffer

More information

Linux Network Security

Linux Network Security Linux Network Security Course ID SEC220 Course Description This extremely popular class focuses on network security, and makes an excellent companion class to the GL550: Host Security course. Protocols

More information

Topics in Network Security

Topics in Network Security Topics in Network Security Jem Berkes MASc. ECE, University of Waterloo B.Sc. ECE, University of Manitoba www.berkes.ca February, 2009 Ver. 2 In this presentation Wi-Fi security (802.11) Protecting insecure

More information

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD NATIONAL SECURITY AGENCY Ft. George G. Meade, MD Serial: I732-010R-2008 30 April 2008 Network Infrastructure Division Systems and Network Analysis Center Activating Authentication and Encryption for Cisco

More information

FIREWALLS & CBAC. philip.heimer@hh.se

FIREWALLS & CBAC. philip.heimer@hh.se FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

GlobalSCAPE DMZ Gateway, v1. User Guide

GlobalSCAPE DMZ Gateway, v1. User Guide GlobalSCAPE DMZ Gateway, v1 User Guide GlobalSCAPE, Inc. (GSB) Address: 4500 Lockhill-Selma Road, Suite 150 San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical

More information

Security Considerations in IP Telephony Network Configuration

Security Considerations in IP Telephony Network Configuration Security Considerations in IP Telephony Network Configuration Abstract This Technical Report deals with fundamental security settings in networks to provide secure VoIP services. Example configurations

More information

VoIP Time to Make the Call? Abstract

VoIP Time to Make the Call? Abstract VoIP Time to Make the Call? By Steve Sullivan Abstract Is it time to make the call and join the growing numbers of companies that are embracing Voice over IP technologies? Even though VoIP is a relatively

More information

Security Issues with Integrated Smart Buildings

Security Issues with Integrated Smart Buildings Security Issues with Integrated Smart Buildings Jim Sinopoli, Managing Principal Smart Buildings, LLC The building automation industry is now at a point where we have legitimate and reasonable concern

More information

Solution Review: Siemens Enterprise Communications OpenScape Session Border Controller

Solution Review: Siemens Enterprise Communications OpenScape Session Border Controller Solution Review: Siemens Enterprise Communications OpenScape Session Border Controller Russell Bennett UC Insights www.ucinsights.com russell@ucinsights.com Introduction Those familiar with unified communications

More information

1152 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS PART C: APPLICATIONS AND REVIEWS, VOL. 37, NO. 6, NOVEMBER 2007

1152 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS PART C: APPLICATIONS AND REVIEWS, VOL. 37, NO. 6, NOVEMBER 2007 1152 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS PART C: APPLICATIONS AND REVIEWS, VOL. 37, NO. 6, NOVEMBER 2007 Security Challenge and Defense in VoIP Infrastructures David Butcher, Member, IEEE,

More information

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015 Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan April 23, 2015 1 / 24 Secure networks Before the advent of modern telecommunication network,

More information

Avaya TM G700 Media Gateway Security. White Paper

Avaya TM G700 Media Gateway Security. White Paper Avaya TM G700 Media Gateway Security White Paper March 2002 G700 Media Gateway Security Summary With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional

More information

Basic Vulnerability Issues for SIP Security

Basic Vulnerability Issues for SIP Security Introduction Basic Vulnerability Issues for SIP Security By Mark Collier Chief Technology Officer SecureLogix Corporation mark.collier@securelogix.com The Session Initiation Protocol (SIP) is the future

More information

Avaya G700 Media Gateway Security - Issue 1.0

Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional Enterprise

More information

Tk20 Network Infrastructure

Tk20 Network Infrastructure Tk20 Network Infrastructure Tk20 Network Infrastructure Table of Contents Overview... 4 Physical Layout... 4 Air Conditioning:... 4 Backup Power:... 4 Personnel Security:... 4 Fire Prevention and Suppression:...

More information

Network Security: Introduction

Network Security: Introduction Network Security: Introduction 1. Network security models 2. Vulnerabilities, threats and attacks 3. Basic types of attacks 4. Managing network security 1. Network security models Security Security has

More information

The #1 Issue on VoIP, Fraud!

The #1 Issue on VoIP, Fraud! Know your enemy Sun Tzu's The Art of War The #1 Issue on VoIP, Fraud! How to identify, prevent and reduce damages caused by fraud Flavio E. Goncalves About me Author of the book Building Telephony Systems

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region

IPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express

More information

A Reality Check on Security in VoIP

A Reality Check on Security in VoIP A Reality Check on Security in VoIP Communications Rick Robinson CISSP ISSAP IEEE Sr. Member Agenda Background Overview of Threats Top Ten With Reality Checks Trends Actions Pearls Questions Background

More information

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Introduction to Network Security

More information

VoIP Reliability in Managed Service Deployments

VoIP Reliability in Managed Service Deployments 1 VoIP Reliability in Managed Service Deployments Technical White Paper Introduction This White Paper introduces the Aspen 365 family of network appliances and explains how service providers offering a

More information

Introduction p. 2. Introduction to Information Security p. 1. Introduction

Introduction p. 2. Introduction to Information Security p. 1. Introduction Introduction p. xvii Introduction to Information Security p. 1 Introduction p. 2 What Is Information Security? p. 3 Critical Characteristics of Information p. 4 CNSS Security Model p. 5 Securing Components

More information

Security Awareness. Wireless Network Security

Security Awareness. Wireless Network Security Security Awareness Wireless Network Security Attacks on Wireless Networks Three-step process Discovering the wireless network Connecting to the network Launching assaults Security Awareness, 3 rd Edition

More information

Securing Voice over Internet Protocol

Securing Voice over Internet Protocol Proceedings of the International Multiconference on ISSN 1896-7094 Computer Science and Information Technology, pp. 21 29 2007 PIPS Securing Voice over Internet Protocol Ahmad Ghafarian, Randolph Draughorne,

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information