Villains and Voice Over IP

Transcription

1 Villains and Voice Over IP Heather Bonin ECE 578 March 7, 2004

2 Table of Contents Introduction... 3 How VOIP Works... 3 Ma Bell and her Babies... 3 VoIP: The New Baby on the Block... 3 Security Issues... 4 Availability... 4 Authentication... 8 Confidentiality... 8 Integrity Conclusions References

3 Introduction Vonage, Skype, Verizon, SpeakEasy, Yak, 3Com. The list of VoIP (Voice Over Internet Protocol) service providers goes on, as companies jump in to capitalize on this long-anticipated technology. However, like many technologies the race has been to deploy it successfully and worry about security later. This paper presents a brief overview of how VoIP works and then describes the types of security vulnerabilities VoIP systems face. How VOIP Works Ma Bell and her Babies The telephone network we re all familiar with, once symbolized by Ma Bell and often referred to as POTS (plain old telephone service) or the PSTN (public switched telephone network), involves large bandwidth requirements, complex signaling, and expensive telephone switches. Although the complicated, inefficient and proprietary nature of POTS is a major drawback, these characteristics have historically protected POTS from security attacks. In addition to relative security, users also expect Ma Bell to be there whenever they pick up the phone. The level of reliability demanded of telephone service is vastly greater than that demanded by users of a data network. VoIP: The New Baby on the Block VoIP comprises the software, hardware, and standards (protocols) necessary to digitize voice and sends it as data packets over networks that use standard components 3

4 such as routers, network switches, gateways, and firewalls. The use of standard components and data compression techniques greatly reduces the cost and bandwidth of VoIP and makes rapid implementation easy [Goode 2002]. However, combining the voice and data networks not only exposes voice communication to new security threats, it also transfers responsibility for voice communication security from the traditional carrier such as Ma Bell to the enterprise (and its IT staff) [Tanase 2004]. Security Issues Because VoIP sends voice as data packets one fear is that IT professionals will assume that they can simply add VoIP components to their networks and continue to take the exact same security precautions they always have to make their networks secure. The remainder of this paper will address the new challenges enterprises and IT professionals face when implementing VoIP. These challenges are roughly divided into the types of attacks that may be encountered attacks on availability, confidentiality/privacy, authentication, and integrity with the understanding that often there is overlap among these categories. Availability Denial of service (DoS) attacks are common on networks. For the first time, telephone service is easily subject to these types of attacks, and users expectation that the telephone work during emergencies (call 911) makes securing VoIP against availability attacks of paramount importance. 4

5 Power loss is the ultimate DoS attack. To avoid this vulnerability, the entire physical VoIP network must be secured, redundant and provided with a backup power source. Note that if the power is out, and the VoIP is connected with digital service only, calls outside the network will fail. Thus, a good safeguard is to always have a few analog lines within the VoIP system, to make sure that emergency calls can always be placed [Robles 2004]. Controlling telephone access to the network and services is also necessary to avoid a DoS attack. If an attacker can gain access to any part of the communication network, they can overwhelm the system with bogus messages, which at the least, will slow performance and at worst result in a DoS [Kuhn et al. 2005]. VoIP networks are particularly vulnerable to these types of attacks because the Quality of Service requirement of telephone voice transmission is much greater than that for data networks since packet loss and delay are not tolerated in voice transmission. Segmenting the VoIP network from an enterprise s data network using VLAN (virtual local area network) technology is one recommended practice to reduce DoS attacks. Controlling access between segments can also filter out spoofed (unknown) devices and keep them from connecting to other segments. However, the greatest value of segmenting is the ability to use a NIDS (network intrusion detection system) to monitor against attacks [Halpern 2003]. Within the VLAN, IP phones should have their own DHCP server so that if a DoS attack on the data network occurs, critical phone services will be unaffected [Robles 2004]. Typically IP phones use DHCP (dynamic host control protocol) to get an IP 5

6 address; DHCP servers are prone to denial of service attacks that result in IP address starvation. An attacker can also force a system reboot by repeatedly overloading the login and password buffers from a remote login terminal. Doing so results not only in a DoS attack but also may revert passwords back to defaults or do a memory dump of critical parameters, creating new system vulnerabilities. To protect against this type of attack, the VoIP system must be protected by a firewall [Kuhn et al. 2005]. Because the call servers open and close ports for new connections continuously, managing the access controls for a firewall for VoIP is a challenge [Tanase 2004]. According to Cisco, for most networks, securing all connections between the data and voice segments by using a stateful firewall is not possible because in most enterprises, multiple data and voice segments exist, often on the same switch. In these cases, at the very least, PC-based IP phones should not be used because PC-based IP phones are datasegment based (and thus susceptible to any attack against the data segment) but require access to the voice segment for call control [Halpern 2003]. For example, the Code-Red and Nimda viruses launched a successful DoS attack against PC-based IP phone systems [Halpbern 2003]. connections: According to Cisco, a firewall should control the following VoIP system The voic system when placed in the data segment connecting to the callprocessing manager in the voice segment 6

7 IP phones in a voice segment connecting to the call-processing manager in another voice segment for call establishment control and configuration IP phones in the voice segment connecting to the voic system when placed in the data segment IP phones in the voice segment browsing resources via the proxy server in the voice segment Users in the data segment browsing the call-processing manager in the voice segment Proxy server in the voice segment accessing resources in the data segment PC-based IP phones in the data segment accessing the call-processing manager in the voice segment for call establishment PC-based IP phones in the data segment accessing the voic system when placed in the voice segment Note that a firewall will not protect against IP and MAC spoofing where an attacker uses a valid IP and MAC address and modifies packet headers so that the message appears to come from the valid user. This type of attack involves a breach in authentication and integrity. Like switches, VoIP phones often have a default login/password combination that allows a user to modify network information [Kuhn et al. 2005]. If default password combinations (such as admin/admin or root/root) are not changed, an attacker could launch a full-scale DoS attack or opt for a less obvious attack such as port mirroring whereby the attacker can intercept all phone conversations. Like any system, VoIP software is vulnerable to attack due to flaws that can be exploited (such as crashing the system by sending packets with specially designed headers) and introduction of malicious code to create a DoS. Vigilance in installing software patches immediately upon their release is necessary to reduce the possibility of 7

8 attacks. Likewise, most call processing servers are based on general-purpose OSs and should be hardened. Server hardening (eliminating vulnerabilities) includes applying service packs and patches and removing unnecessary services and features, and may be done with a vulnerability scanning tool. The servers should also have a minimal number of jobs running. Authentication Requiring user authentication mitigates the risks of toll fraud where a nonauthorized telephone is allowed to use the network and services. Authenticating each user with a password (as long as it s well chosen and long enough) is the best way to ensure authentication, however users may rebel against having to remember yet another password. Other ways to reduce toll fraud are the use of a dedicated DHCP server and mapping MAC addresses to IP addresses on the DCHP server so that each telephone always boots from the same address; both these efforts make it harder for an imposter to use the network. Also, at the call processing server, new devices should be added manually to the network instead of using an auto-registration function [Robles 2004]. Toll fraud is just one type of threat an unauthorized user can accomplish. Eavesdropping, impersonation, and repudiation are also a concern when users are not properly authenticated. Confidentiality Using POTS, eavesdropping was typically done by physically wire tapping the phone line or switch. The data network used for VoIP is much more susceptible to eavesdropping because an attacker that can gain access to any point of the network can 8

9 possibly capture the IP data stream. However that does not mean that the security of the VoIP physical infrastructure should be ignored. Hubs on IP phones should be disabled and a notification system for alerting IT administrators when an IP phone has been disconnected from the network should be employed. In general, the entire physical system, including mobile phone units, should fall under a comprehensive security policy to limit traditional phone tapping [Kuhn et al. 2005]. As discussed under Availability, switches typically have default login/password combinations. If the default is not changed, an attacker can mirror all packets on one port to another and thereby eavesdrop on conversation and remain unnoticed (it is hard to remain unnoticed when physically wiretapping Ma Bell.) Port mirroring can be disabled. Cisco recommends mitigating against ARP cache poisoning and flooding as well. An ARP command is used to find addresses. An attacker can corrupt the ARP cache by flooding it with ARP commands. Once the cache is corrupted, an attacker can reroute voice traffic to eavesdrop. This type of attack is mitigated by using strong authentication. Web services used for remote administration are another area of vulnerability that may expose plaintext HTTP packets containing sensitive information to attackers. A simple way to reduce eavesdropping is to use the HTTPS with Secure Socket Layer protocol instead of HTTP. Even when VoIP is implemented on its own separate VLAN, eavesdropping is possible using tools such as DSNIFF (a collection of tools to passively monitor a network for interesting data such as passwords that handles FTP, Telnet, HTTP, POP, etc.) [Duffy 9

10 2001] to listen to traffic on all segments, effectively turning a switched medium into a shared one. An attacker can then take the IP phone conversation trace captured using UNIX s tool tcpdump and use VOMIT (voice over misconfigured Internet telephones) to change the VoIP data into playable.wav files [Halpern 2003]. Encryption is certainly the best way to mitigate against eavesdropping, and also helps defend against packet replay attacks. Attackers can still sniff data, but they can t read it. Two options for encryption are SRTP (secure real-time protocol) used at the session layer, or IPSec VPN (IP Security virtual private network) at the transport layer. However, encryption has a down-side a main attraction of VoIP is its performance and Quality of Service: and encryption carries large bandwidth penalties particularly for the gateway. It is critical when using encryption to have a dedicated encryption processor and to choose an efficient algorithm. Solely encrypting communication is not sufficient; an end-to-end solution must be incorporated that includes encryption of the firmware in IP telephones using SRTP, otherwise confidentiality can still be compromised. Note that SRTP does not do authentication whereas IPSec does [Tanase 2004]. Of course, information about the call itself (such as incoming and outgoing calls and their duration) might be almost as important as the content of the call [Tanase 2004], and protecting these data can be a challenge. 10

11 Integrity Maintaining integrity means thwarting malicious attackers as well as protecting against unauthorized actions by authorized users. Man-in-the-middle attacks on the IP gateway and IP phone are possible and can result in identity theft or call redirection. In a man-in-the-middle attack, detecting any change to call parameters can be difficult to thwart against [Tanase 2004]. When an IP phone reboots and requests a DHCP response, an attacker can initiate a response that includes false information from a bogus DHCP server [Kuhn et al. 2005]. Attacks that make a phone reboot have previously been discussed, and include MAC spoofing and ping flooding. Again, using a DHCP server with static IP addresses will protect the system from some but not all of these attacks. Some attacks are based on vulnerabilities of the actual protocols used in VoIP, such as SIP (session initiation protocol) and H.323 [Goode 2002]. SIP and H.323 are peer-to-peer protocols used to setup, maintain, and terminate calls. Buffer overflow can be accomplished by placing invalid data in SIP headers [Tucker 2004]. As VoIP rises in popularity its protocols are being put to the test; in fact, different protocols such as SIP and H.323 are still competing for ascendancy, requiring companies to squander resources that could go toward making their product resistant to attacks in order to take multiple protocols into consideration during development. 11

12 Conclusions Hardware, software, and protocols for VoIP are still in development and thus a comprehensive understanding of all the security challenges VoIP faces is currently impossible. The race to develop these components and be first in the market has also made creating secure systems a secondary priority. User requirements for VoIP such as the Quality of Service and emergency access make implementing security solutions and protecting VoIP systems more challenging as well. However, there are four keys to securing a VoIP system from attacks. The first is to encrypt voice packets and the rest of the VoIP system. The second is to segment the VoIP system from the data network and control access between the voice and data segments using a firewall. The third is to constantly monitor all parts of the network and make sure they are up to current security standards. The fourth is to authenticate VoIP system users. Undertaking these major efforts will prevent a majority of confidentiality, availability, integrity and authentication breaches. 12

13 References Duffy, R Finding DSNIFF on Your Network. SANS Reading Room. Goode, B Voice over Internet Protocol (VoIP). Proceedings of the IEEE. 90: 9. Halpern, J SAFE: IP Telephony Security in Depth. Cisco Systems, Inc. Kuhn, D., Walsh, J., and S. Fries Security Considerations for Voice Over IP Systems: Recommendations of the National Institute of Standards and Technology. NIST Special Publications Robles, F The VoIP Dilemma. SANS Institute, Information Security Reading Room. Tanase, M Voice over IP Security. Tucker, G Voice over Internet Protocol (VoIP) and Security. SANS Institute, Information Security Reading Room. 13