Distributed Monitoring of SIP-based Attacks
59. DFN-Betriebstagung, Berlin
Distributed Monitoring of SIP-based Attacks
Prof. Dr.-Ing. Erwin P. Rathgeb; Dirk Hoffstadt, M.Sc.; Adnan Aziz, M.Sc.
Networking Technology Group, Institute for Experimental Mathematics & Institute for Computer Science & Business Information Systems, University of Duisburg-Essen

Overview
- Introduction
  - SIP fraud and misuse scenarios
  - Multi-stage Toll Fraud scheme
- SIP misuse detection for forensic analysis
  - Tools: SIP Trace Recorder and SIP Honeypots
  - Clustering: from packets to attacks
  - Typical multi-stage attack example
- Distributed real-time SIP misuse detection
  - Distributed System overview
  - Deployment options: Hardware, Software, Virtual sensors

Voice over IP: Threats and misuse scenarios
Threat / Description / Goal
- Flooding: Flood the device with VoIP protocol packets like INVITE, OPTIONS. Goal: Denial of Service (brute force)
- Fuzzing: Send malformed messages to the system (e.g. PROTOS). Goal: Denial of Service (exploit software vulnerabilities)
- SPIT: Unwanted calls, often initiated automatically. Goal: Trick users into spending money or revealing secret information (Phishing)
- Registration Hijacking/Toll Fraud: Compromise user account, make (toll) calls. Goal: Save money on toll calls; earn money from toll calls; make calls anonymously

Assessment
- Denial of Service: Generic threat, mitigation approaches known in principle (overload control, rigorous programming)
- SPIT: Adaptation of generic threat, mitigation based on signalling (SPIT Filter) or media (voice recognition and analysis)
- Registration Hijacking/Toll Fraud: Novel, specific threat, high damage potential (financial, legal)

State of SIP misuse
- Attacks monitored by PBX vendor
- Data from 01/2011

Benefit/cost for VoIP attacks

Attacker module for lab tests
- Registration Hijacking: SIPvicious ToolBox
  - svmap: Scan for SIP registrars
  - svwar: Scan for active extensions
  - svcrack: Password scan
- Denial of Service: SIP-INVITE Flooder
  - Perform DoS attack with SIP-Invites
- SPIT Generator: Asterisk SW-PBX with call files
  - Generate SPIT calls with freely configurable announcement
  - Call file extension for Phishing
  - Record answers

Common SIP misuse scenario: Multi-stage scheme for Toll Fraud
- Toll Fraud is particularly attractive
  - Immediate financial benefit
  - Caller anonymization
  - Predominant misuse scheme at the moment
- Basic scheme
  - Stage 1: Find SIP server (Server Scan)
  - Stage 2: Find active extensions (Extension Scan)
  - Stage 3: Crack password (Registration Hijacking)
  - Stage 4: Make calls using victim's account (Toll Fraud)

Common SIP misuse scenario, Stage 1: Server Scan
[Diagram: attacker (anywhere), Internet, company SIP server; messages OPTIONS and 200 OK]
- Attacker sends SIP OPTIONS messages to detect active SIP server in a network
- SIP packets from one source IP address directed to multiple targets
- Scan behaviour: 1 to 96 OPTIONS messages per server
- Variations by using other SIP messages (e.g. INVITE)
- Result: List of active SIP servers

Common SIP misuse scenario, Stage 2: Extension Scan
[Diagram: attacker, Internet, SIP server; message REGISTER, responses Not found and Unauthorized]
- Attacker sends multiple SIP REGISTER messages to detect active user accounts / extensions
- SIP packets from one source IP address directed to one target host (SIP server)
- Different extensions / account names
- Scan behaviour: 1 to 40,000 REGISTER messages per server
- Result: List of active extensions/user accounts

Common SIP misuse scenario, Stage 3: Registration Hijacking
[Diagram: attacker, Internet, extension 250; REGISTER messages with password guesses, responses Forbidden and 200 OK]
- Attacker sends multiple SIP REGISTER messages to guess the password
- Successful attack: Server sends a 200 OK message
- SIP packets from one source IP address directed to one target host and one extension
- Scan behaviour: up to 13 million messages per extension
- Result: Valid credentials for active extension

Common SIP misuse scenario, Stage 4: Toll Fraud
[Diagram: attacker registers at 250@ company.de with password 2244 over the Internet; chargeable calls: abroad, 0900, mobile]
- Attacker registers at a previously cracked extension
- Attacker sends INVITE messages to establish Toll Fraud calls
- Chargeable calls to abroad or premium numbers
- Toll Fraud can cause the account owner substantial financial damage
- Result: Calls via victim's account

SIP misuse detection tools: SIP Trace Recorder
[Diagram: Internet, monitoring port, STR, DB, target subnet / target network]
- SIP Trace Recorder (STR)
  - Passive SIP monitoring and logging
  - Stateful correlation, e.g. CDR generation
  - Detection of successful attacks
  - Optional privacy preservation
  - Deployment in production networks
  - Focus: Statistical attack analysis

SIP misuse detection tools: SIP Trace Recorder and SIP Honeypots
[Diagram: Internet, monitoring port, STR, DB, Evaluation and Presentation; target network with no active VoIP components, VoIP server, Full Interaction Honeypots and Low Interaction Honeypots]
- SIP Trace Recorder (STR)
  - Passive SIP monitoring and logging
  - Stateful correlation, e.g. CDR generation
  - Detection of successful attacks
  - Optional privacy preservation
  - Deployment in production networks
  - Focus: Statistical attack analysis
- Full Interaction SIP Honeypot
  - Extended SIP Server with logging function
  - Full SIP functionality
  - Call handling
  - Media handling
  - Focus: Detailed forensic analysis
- NEW: Low Interaction SIP Honeypot
  - Script based
  - Low resource utilization
  - High flexibility
  - Limited SIP functionality
  - Focus: Dynamic experiments
- Evaluation and Presentation
  - Consolidation of all attack data
  - Automated data collection
  - Flexible analysis capabilities
  - Various views on data
  - Attack clustering
  - Web-based GUI

SIP misuse detection results: Honeypot vs SIP Trace Recorder
[Figure: timeline Dec 09 to Jan 12 with the periods of Honeypot monitoring and STR monitoring and the new Honeypot marked]
- From 2009 until November 2010
  - Operated and monitored only the SIP Honeypots without global monitoring
- From December 2010 until now
  - STR was installed to monitor complete subnets
  - Substantial increase in the number of captured SIP messages
  - Detection accuracy for multi-stage attacks significantly improved
  - On May 17th, a new Honeypot was set up, resulting in a massive peak

SIP Trace Recorder Results: Network without active SIP components
[Figure: amount of SIP messages, Network A and Network B]
- All traffic in the network is generated by Server Scans used to detect SIP-capable devices
- Attackers continuously search for SIP devices throughout the Internet

SIP Trace Recorder Results: Network with active SIP components
[Figure: amount of SIP messages, Network A and Network B]
- The fraction of Server Scan packets in a network with a SIP server is rather low and can be traced back to occasional scans
- Majority of messages in network A belongs to Registration Hijacking attacks
- Attackers directly attack the SIP devices in network A and do not scan the network repeatedly to get the addresses

SIP Trace Recorder: Evaluation & Presentation web interface
[Screenshot: filter options, geolocation analysis, SIP messages per day, user agent analysis]

SIP misuse detection, Clustering: From packets to attacks
- Server Scans
  - different IP addresses
  - extension 100
  - SIP method: OPTIONS
- Extension Scans
  - same IP address
  - different extensions
  - SIP method: REGISTER
- Registration Hijacking
  - same IP address
  - same extension
  - SIP method: REGISTER
  - different credentials
- Toll Fraud
  - same IP address
  - known Honeypot extension
  - SIP method: INVITE
- From counting packets to analysing attacks
  - Alternative view on the collected data
  - Identify and analyse attack variants
[Table: monthly counts for Server Scan (OPTIONS), Extension Scan (REGISTER), Registration Hijacking (REGISTER) and Toll Fraud (INVITE)]

SIP misuse detection results: Attack stage patterns
[Figure: cumulative distribution function of attacks (0% to 100%) over the number of SIP messages, for Server Scan, Extension Scan, Registration Hijacking and Toll Fraud]
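
The clustering criteria from the "From packets to attacks" slide, applied to a few constructed SIP message records, as an added example (not the authors' STR code). The record layout, the threshold, and the rule that scan probes carry no credentials while password guesses do are assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class SipMsg(NamedTuple):
    """One parsed SIP request (hypothetical record layout, not the STR schema)."""
    src_ip: str
    dst_ip: str
    method: str
    account: str          # extension the request acts for (REGISTER AoR, INVITE caller)
    credential: str = ""  # digest response from the Authorization header, "" if absent


def cluster_by_stage(messages, honeypot_accounts, min_distinct=3):
    """Map each source IP to {attack stage: message count}.

    min_distinct is an assumed threshold: how many different targets,
    extensions or credentials must be seen before a cluster counts as a stage.
    """
    by_src = defaultdict(list)
    for msg in messages:
        by_src[msg.src_ip].append(msg)

    result = {}
    for src, msgs in by_src.items():
        stages = defaultdict(int)

        # Server Scan: OPTIONS from one source to different destination IPs.
        # (The slide also lists extension 100; it is not required here.)
        options = [m for m in msgs if m.method == "OPTIONS"]
        if len({m.dst_ip for m in options}) >= min_distinct:
            stages["server_scan"] = len(options)

        registers = defaultdict(list)
        for m in msgs:
            if m.method == "REGISTER":
                registers[m.dst_ip].append(m)

        for regs in registers.values():
            # Extension Scan: same target, different extensions.
            # Assumption: probes are unauthenticated REGISTERs.
            probes = [m for m in regs if not m.credential]
            if len({m.account for m in probes}) >= min_distinct:
                stages["extension_scan"] += len(probes)

            # Registration Hijacking: same target, same extension,
            # different credentials.
            guesses = defaultdict(list)
            for m in regs:
                if m.credential:
                    guesses[m.account].append(m.credential)
            for tried in guesses.values():
                if len(set(tried)) >= min_distinct:
                    stages["registration_hijacking"] += len(tried)

        # Toll Fraud: INVITE sent on behalf of a known honeypot extension.
        invites = [m for m in msgs
                   if m.method == "INVITE" and m.account in honeypot_accounts]
        if invites:
            stages["toll_fraud"] = len(invites)

        if stages:
            result[src] = dict(stages)
    return result


# Constructed sample records (documentation address ranges, invented values).
ATTACKER, CALLER, SOFTPHONE = "203.0.113.5", "198.51.100.9", "198.51.100.77"
PBX = "192.0.2.2"
SAMPLE = (
    [SipMsg(ATTACKER, f"192.0.2.{i}", "OPTIONS", "100") for i in range(1, 5)]
    + [SipMsg(ATTACKER, PBX, "REGISTER", str(ext)) for ext in range(100, 105)]
    + [SipMsg(ATTACKER, PBX, "REGISTER", "250", f"guess-{i}") for i in range(6)]
    + [SipMsg(CALLER, PBX, "INVITE", "250") for _ in range(2)]
    # A regular softphone: one account, one credential, one server.
    + [SipMsg(SOFTPHONE, PBX, "REGISTER", "300"),
       SipMsg(SOFTPHONE, PBX, "REGISTER", "300", "valid-response"),
       SipMsg(SOFTPHONE, PBX, "OPTIONS", "300"),
       SipMsg(SOFTPHONE, PBX, "INVITE", "300")]
)

if __name__ == "__main__":
    for src, stages in cluster_by_stage(SAMPLE, {"250"}).items():
        print(src, stages)
```

The toll fraud calls in the sample come from a second source address, which matches the observation in the slides that such calls originate from different IP addresses than the earlier stages.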

SIP misuse detection results: Attack tools used
[Table: share per User Agent (friendly-scanner, sundayddr, Asterisk PBX, SIPPER for Phoner, Eyebeam/X-Lite, Known Softphones, Others) for Server Scan, Ext Scan, RegHij. and Toll Fraud]
- Analysis based on packet count only shows that 98% are generated by Sipvicious and related implementations
- Cluster based analysis
  - Sundayddr is strictly a server scanning tool
  - Sipvicious is the only tool currently used for multi-stage attacks
  - Toll Fraud attempts are performed using popular SIP softphones (e.g., eyebeam, X-Lite, Sipper) or the open source PBX Asterisk
- Asterisk PBX
  - Automated calls by using scripts without human interaction

SIP misuse detection results: Improved attack stage correlation
[Diagram: timeline of one attack with three source IPs (XXX): Server Scan (,420 messages), Extension Scan (2,751 messages), Registration Hijacking (504,069 messages, attack successful), Toll Fraud attempts (162 calls and a further group of calls) against the Dynamic Low Interaction Honeypot; intervals of 5 minutes, 28 hours and 3 days are marked]
- Typical example attack: a total of 508,643 SIP messages
- Toll Fraud calls
  - are launched after a significant period of time
  - originate from different IP addresses
- Paper: Improved Detection and Correlation of Multi Stage VoIP Attack Patterns by using a Dynamic Honeynet System, IEEE ICC 2013, June 2013

SIP misuse detection results: Identification of attack variations
- Input data collected by the STR and the SIP Honeypot System
  - More than 90 million SIP messages
  - Collected between 12/2009 and 12/2012
- Method
  - Message clustering
  - Map packets to attack instances and attack stages
  - Comparison of instances of the same attack stages
    - Based on IP and SIP header information
    - Based on number of messages and timing
- Results
  - Classification of major attack variants
    - Server Scan: 7, Extension Scan: 2, Registration Hijacking: 2, Toll Fraud: 3
  - Significant number of minor variations identified
    - Attackers start to modify code of attack tools
    - Camouflage attacks, more softphone like behaviour

Generic Attack Replay Tool (GART): Set of attack samples with broad coverage
[Diagram: STR Database (> 40 GB data), SQLite Database with Stage 1, Stage 2, Stage 3 and Stage 4 variations]
- Replaying real attack samples in arbitrary networks
  - Can be used to test and calibrate detection and mitigation algorithms and components
- Comprehensive set of attack variants
  - Based on overall STR database
  - Currently total of 5684 attack samples
  - Extraction of one typical sample per attack variant for reduced database
  - Provides broad coverage
  - Set of sample attacks configurable
- Built using Java
  - Platform independent
- SQLite database
  - Fast
  - Lightweight

Generic Attack Replay Tool (GART): Set of attack samples with broad coverage
- Mapping of relevant header values according to local network
  - To send attack traffic to local SIP server
  - To receive responses at the sender
- Attack data characteristics are preserved
  - Time stamps
  - Sequence of packets
- Minimum configuration efforts
- Functional test was successful
- Paper: Development and Analysis of Generic VoIP Attack Sequences Based on Analysis of Real Attack Traffic, IEEE TrustCom, July 2013

BMBF Project SUNsHINE
- Fraud and misuse detection and mitigation for VoIP networks
- 4 partners
- 4 associated partners
- 2 year project, ends April 2013 (plus 3 months extension)
- Homepage

SUNsHINE Architecture
[Figure: architecture diagram]

Real-time SIP misuse detection: Security System
[Diagram: Attacker, Firewall, Low Interaction Honeypot plugin, SCS, 0900 Callee]
- Misuse Detection
  - Passive behaviour
  - Different environments: PBX, Router, Home Gateways
  - Detection by using attack signatures
    - Dynamically loadable
  - Standalone
  - Low Interaction Honeypot plugin
- Central Service (SCS)
  - Aggregation of sensor alerts
    - Based on SCS rules
  - Management s
  - Attack signature management
  - Interface to mitigation components

Realtime Misuse Detection & Mitigation: Security System Mitigation Interface
[Diagram: Alert, SCS, Low Interaction Honeypot plugin, Attacker, Firewall, 0900 Callee]

Realtime Misuse Detection & Mitigation: Security System Mitigation Interface (2)
[Diagram: Alert, erbl, SCS, Low Interaction Honeypot plugin, Attacker, Firewall, 0900 Callee]

Monitoring Overview
[Diagram: Rules, Listener, Message Queue, Analyzer, Notification]
- Rule-based attack detection and reporting of misuse in SIP-based networks
- Light-weight software component for different hardware and software platforms
  - Implemented in C++ using libpcap [1], Java version also available
- Input Data (Network interface, PCAP file, Socket)
- SIP traffic analysis
  - The receives all traffic that is sent to any of the Honeypots
- Process of misuse detection and reporting is separated into three phases
  - Capturing and filtering of SIP messages
  - Analysis of SIP messages
    - Recognize sequences of SIP messages that are characterized by pre-defined rules
  - Report information (e.g., source IP, signature ID) about detected attacks to the Central Service via a secure interface

Monitoring Rules (XML)
- Different attack types and variations are defined as XML sensor rules
  - E.g. Registration Hijacking
- Each rule defines a specific pattern of SIP messages and timing conditions
- Analysis based on signatures
  - Timing conditions
  - IPv4 information: Source IP, Destination IP and Ports
  - SIP Request / SIP Response
  - SIP Header fields, e.g., From, To, Via, Contact, Call-ID, CSeq
  - Comparison of different header values (equal, not equal) within received SIP messages

Central Service Architecture / Mode of Operation
[Diagram: SCS Interface (SSI) receives incoming reports (configuration, rules, status, etc.); SCS Controller Process (SCP) stores reports in the database; SCS Worker Process (WP) analyses them with SCS rules and stores results and notifications; SCS Notification Process (NP) triggers actions through the SCS Notification Interface (SNI) towards mitigation components (erbl Service); Management]

Monitoring: Deployment options
- Software installation in network devices
  - PBXs, FritzBox, router
- VMware Virtual Machine
  - Guest OS: Ubuntu LTS or Debian Linux
  - network interfaces (Capturing & Management)
- Standard PC or Server with Ubuntu LTS
  - 2 network interfaces (Capturing & Management)
- ALIX system boards or Raspberry Pi
  - OS: Debian Linux 7.1
  - Up to 3 network interfaces
  - E.g., Bridging, +Honeypot, standalone
- Optional: Honeypot Plugin
- Virtual Central sensor / honeypot
  - Traffic captured on multiple remote interfaces and tunneled to sensor
  - Answer packets tunneled to originating interfaces

Distributed System: Current NorNet setup
[Diagram: SCS, virtual machine, Attacker, SIP Honeypot and Internet, with interfaces I1/I2 at Simula, NTNU, Universitetet i Tromsø, Universitetet i Bergen and University Duisburg-Essen]

Distributed System Overview
- SCS Interface (SSI)
  - Each sensor is connected to SCS
    - ID, secret, MAC address, location info
  - TLS secured (HTTPS) with server certificate check
  - Status updates and keep-alive messages
- Auto provisioning which is managed and controlled by SCS
  - Configuration
  - Signatures
- SIP traffic analysis based on sensor signatures
- Report generator
  - Sends reports to SCS according to sensor signature settings
    - Source IP, destination IP, signature ID, sensor ID, timestamp, source port, destination port, signature version
  - Optional: extended reports
    - Pre-defined SIP header values

Distributed Systems: Central Service Overview
- Management
  - Configuration
  - Signatures (Web-Editor or XML file)
  - <-> signature mapping
  - Status, report and statistics presentation
  - Central logging
- SCS Features
  - Receives sensor reports via SCS Interface (SSI)
  - Central MySQL database
    - Reports, signatures, SCS rules, sensor configurations, status, etc.
  - Analysis based on SCS rules
    - Depends on ID and Signature ID
    - PHP script logic with pre-defined variables and result values
  - Notification interface to mitigation components
    - Up to three different actions per SCS rule
- Actions
  - erbl
  - Firewall alert
  - PBX notification

Central Service Management Website
[Screenshot]

Distributed System: The NorNet approach
- Physically distributed sensors at different sites in the Internet
  - Deployment of hardware or installation of software required
  - Local management necessary
  - Privileged access to network interfaces required
- Virtually distributed sensors (NorNet approach)
  - One central only (in Essen, Germany)
  - Distributed NorNet nodes to capture input traffic
  - GRE Tunnel(s) between each node and the central
    - Filters TCP/UDP traffic on port 5060
    - Traffic redirection to the central by using DNAT via GRE tunnels
    - Reverse direction is realized by routing policies
- Pros
  - No software component on productive systems (no influence)
  - Easy to manage single sensor
- Cons
  - More bandwidth required in contrast to distributed approach
  - Possible delays

Distributed System: First NorNet results
[Table: Node IP, Node Name and Number of Reports for the nodes Simula, Uni Tromsø, UDE, Uni Stavanger, Uni Bergen, Høgskolen i Narvik and NTNU]

VoIP fraud and misuse detection: Conclusions
- SIP devices on the Internet are constantly scanned and attacked
  - Significant damage possible
- Flexible and powerful attack tools readily available for download
  - SIPvicious
- Local monitoring over several years
  - Development of sophisticated monitoring tools
  - Analysis of attack traffic
- Distributed monitoring required to get a global view
  - Distributed System
  - Several sensors deployed around Germany
  - NorNet adds significant number of additional monitoring points
- Technical details and live demos in the VoIP session
- Cooperation with DFN would be highly appreciated
  - Deployment of hardware/software/virtual sensors
More informationDeep Security Intrusion Detection & Prevention (IDS/IPS) Coverage Statistics and Comparison
Deep Security Intrusion Detection & Prevention (IDS/IPS) Trend Micro, Incorporated A technical brief summarizing vulnerability coverage provided by Deep Security. The document also outlines a comparison
More informationIntegration of Voice over Internet Protocol Experiment in Computer Engineering Technology Curriculum
Integration of Voice over Internet Protocol Experiment in Computer Engineering Technology Curriculum V. Rajaravivarma and Farid Farahmand Computer Electronics and Graphics Technology School of Technology,
More informationWLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.
Wireless LAN Attacks and Protection Tools (Section 3 contd.) WLAN Attacks Passive Attack unauthorised party gains access to a network and does not modify any resources on the network Active Attack unauthorised
More informationSIPSTATION User Guide. Schmooze Com Inc.
Schmooze Com Inc. Chapters Overview Logging In & Adding a Key Account Settings Route & Trunk Configuration DID Configuration Recap Overview The SIPSTATION module, when combined with a SIPSTATION SIP Trunk
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationSystem Specification. Author: CMU Team
System Specification Author: CMU Team Date: 09/23/2005 Table of Contents: 1. Introduction...2 1.1. Enhancement of vulnerability scanning tools reports 2 1.2. Intelligent monitoring of traffic to detect
More informationChallenges and opportunities for Open Source solutions
GDS20910 39HA83090K2 D3 S20910 328MGD 7 W510200RQ1 UT 10 T28GHY620 JH7 BE4ET276 90K2 D39HA83 0K2 D39HA830 8JD6200NS12 RQ1 UTW510200 H7 BE4ET2763J 8HGDOI0912 M1 Y620110 T28GH UTW510200 83090K2 GDS20910
More informationNext Generation. VoIP Application Firewall. www.novacybersecurity.com
Next Generation VoIP Application Firewall Are you aware that you are vulnerable to all threats on the Internet? With increasing voice and video transmission over IP and emerging new technologies such as
More informationWebRTC: Why and How? FRAFOS GmbH. FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com
WebRTC: Why and How? FRAFOS GmbH FRAFOS GmbH Windscheidstr. 18 Ahoi 10627 Berlin Germany info@frafos.com www.frafos.com This docume nt is copyright of FRAFOS GmbH. Duplication or propagation or e xtracts
More informationCom.X IP PBX The complete communications solution in a box
IP PBX Utilising VPN security when extending PBX services to remote users Virtual Private Network It is not uncommon for a single company to occupy more than one set of premises. Individual users on geographically
More informationSIP Security Controllers. Product Overview
SIP Security Controllers Product Overview Document Version: V1.1 Date: October 2008 1. Introduction UM Labs have developed a range of perimeter security gateways for VoIP and other applications running
More informationSHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper
SHARE THIS WHITEPAPER Top Selection Criteria for an Anti-DDoS Solution Whitepaper Table of Contents Top Selection Criteria for an Anti-DDoS Solution...3 DDoS Attack Coverage...3 Mitigation Technology...4
More informationIPv6 SECURITY. May 2011. The Government of the Hong Kong Special Administrative Region
IPv6 SECURITY May 2011 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the express
More informationWeb Analytics Understand your web visitors without web logs or page tags and keep all your data inside your firewall.
Web Analytics Understand your web visitors without web logs or page tags and keep all your data inside your firewall. 5401 Butler Street, Suite 200 Pittsburgh, PA 15201 +1 (412) 408 3167 www.metronomelabs.com
More informationFonality. Optimum Business Trunking and the Fonality Trixbox Pro IP PBX Standard Edition V4.1.2- p13 Configuration Guide
Fonality Optimum Business Trunking and the Fonality Trixbox Pro IP PBX Standard Edition V4.1.2- p13 Configuration Guide Fonality Table of Contents 1. Overview 2. SIP Trunk Adaptor Set-up Instructions 3.
More informationKASPERSKY DDOS PROTECTION. Discover how Kaspersky Lab defends businesses against DDoS attacks
KASPERSKY DDOS PROTECTION Discover how Kaspersky Lab defends businesses against DDoS attacks CYBERCRIMINALS ARE TARGETING BUSINESSES If your business has ever suffered a Distributed Denial of Service (DDoS)
More informationPassive Logging. Intrusion Detection System (IDS): Software that automates this process
Passive Logging Intrusion Detection: Monitor events, analyze for signs of incidents Look for violations or imminent violations of security policies accepted use policies standard security practices Intrusion
More informationCMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
More informationRecommended IP Telephony Architecture
Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings
More informationA Model-based Methodology for Developing Secure VoIP Systems
A Model-based Methodology for Developing Secure VoIP Systems Juan C Pelaez, Ph. D. November 24, 200 VoIP overview What is VoIP? Why use VoIP? Strong effect on global communications VoIP will replace PSTN
More informationNetwork Demilitarized Zone (DMZ)
Network Demilitarized Zone (DMZ) Jack Webb ICTN 6870 Jack Webb 2 Network Demilitarized Zone 1. Abstract In today s information security, it is necessary to take advantage of all possible security options
More informationSIP Trunking Quick Reference Document
SIP Trunking Quick Reference Document Publication Information SAMSUNG TELECOMMUNICATIONS AMERICA reserves the right without prior notice to revise information in this publication for any reason. SAMSUNG
More informationPotential Targets - Field Devices
Potential Targets - Field Devices Motorola Field Devices: Remote Terminal Units ACE 3600 Front End Devices ACE IP Gateway ACE Field Interface Unit (ACE FIU) 2 Credential Cracking Repeated attempts to
More informationRecommendations for secure deployment of an IP-PBX
Internet Telephony Services Providers Association Recommendations for secure deployment of an IP-PBX Version 2 November 2013 Contact: admin@itspa.org.uk Contents Introduction... 3 Health Warning!... 3
More informationCrystal Gears. Crystal Gears. Overview:
Crystal Gears Overview: Crystal Gears (CG in short) is a unique next generation desktop digital call recording system like no other before. By widely compatible with most popular telephony communication
More informationBest Practices for Securing IP Telephony
Best Practices for Securing IP Telephony Irwin Lazar, CISSP Senior Analyst Burton Group Agenda VoIP overview VoIP risks Mitigation strategies Recommendations VoIP Overview Hosted by VoIP Functional Diagram
More informationAchieving Truly Secure Cloud Communications. How to navigate evolving security threats
Achieving Truly Secure Cloud Communications How to navigate evolving security threats Security is quickly becoming the primary concern of many businesses, and protecting VoIP vulnerabilities is critical.
More informationDynamic Honeypot Construction
Dynamic Honeypot Construction 2nd Annual Alaska Information Assurance Workshop Christopher Hecker U. of Alaska, Fairbanks 9-5-2006 Presentation l Brief Introduction l Project Overview l Future Work l References
More informationVoIP Security Challenges: 25 Ways to Secure your VoIP Network from Versign Security, Dec 01, 2006
VoIP Security Challenges: 25 Ways to Secure your VoIP Network from Versign Security, Dec 01, 2006 VoIP technology has the tech geeks buzzing. It has been touted as: - the killer of telecoms - a solution
More informationDoS: Attack and Defense
DoS: Attack and Defense Vincent Tai Sayantan Sengupta COEN 233 Term Project Prof. M. Wang 1 Table of Contents 1. Introduction 4 1.1. Objective 1.2. Problem 1.3. Relation to the class 1.4. Other approaches
More informationVirtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN
Virtual private network Network security protocols COMP347 2006 Len Hamey Instead of a dedicated data link Packets securely sent over a shared network Internet VPN Public internet Security protocol encrypts
More informationIP PBX. SD Card Slot. FXO Ports. PBX WAN port. FXO Ports LED, RED means online
1 IP PBX SD Card Slot FXO Ports PBX LAN port PBX WAN port FXO Ports LED, RED means online 2 Connect the IP PBX to Your LAN Internet PSTN Router Ethernet Switch FXO Ports 3 Access the PBX s WEB GUI The
More informationSecurity Event Management. February 7, 2007 (Revision 5)
Security Event Management February 7, 2007 (Revision 5) Table of Contents TABLE OF CONTENTS... 2 INTRODUCTION... 3 CRITICAL EVENT DETECTION... 3 LOG ANALYSIS, REPORTING AND STORAGE... 7 LOWER TOTAL COST
More informationIntroducing Cisco Voice and Unified Communications Administration Volume 1
Introducing Cisco Voice and Unified Communications Administration Volume 1 Course Introduction Overview Learner Skills and Knowledge Course Goal and Course Flow Additional Cisco Glossary of Terms Your
More informationAvaya TM G700 Media Gateway Security. White Paper
Avaya TM G700 Media Gateway Security White Paper March 2002 G700 Media Gateway Security Summary With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional
More informationAvaya G700 Media Gateway Security - Issue 1.0
Avaya G700 Media Gateway Security - Issue 1.0 Avaya G700 Media Gateway Security With the Avaya G700 Media Gateway controlled by the Avaya S8300 or S8700 Media Servers, many of the traditional Enterprise
More informationIntroduction of Intrusion Detection Systems
Introduction of Intrusion Detection Systems Why IDS? Inspects all inbound and outbound network activity and identifies a network or system attack from someone attempting to compromise a system. Detection:
More information2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
More informationIntrusion Detection Systems
Intrusion Detection Systems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-07/
More informationDenial of Service attacks: analysis and countermeasures. Marek Ostaszewski
Denial of Service attacks: analysis and countermeasures Marek Ostaszewski DoS - Introduction Denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended
More information