Security & Encryption



Similar documents
SIP Trunking Configuration with

Security and Risk Analysis of VoIP Networks

SIP Trunking with Microsoft Office Communication Server 2007 R2

Securing Unified Communications for Healthcare

VOIP THE ULTIMATE GUIDE VERSION /23/2014 onevoiceinc.com

A Model-based Methodology for Developing Secure VoIP Systems

6 Steps to SIP trunking security. How securing your network secures your phone lines.

Recommended IP Telephony Architecture

Best Practices for Securing IP Telephony

The Need for Session Delivery Networks

FDIC Division of Supervision and Consumer Protection

Week 9 / Paper 3. VoCCN: Voice Over Content-Centric Networks

An outline of the security threats that face SIP based VoIP and other real-time applications

CHAPTER 1 INTRODUCTION

Implementing VoIP monitoring solutions. Deployment note

What is an E-SBC? WHITE PAPER

SecureCom Mobile s mission is to help people keep their private communication private.

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

White Paper. avaya.com 1. Table of Contents. Starting Points

An Oracle White Paper December The Value of Diameter Signaling in Security and Interworking Between 3G and LTE Networks

ENTERPRISE SESSION BORDER CONTROLLERS: SAFEGUARDING TODAY S AND TOMORROW S UNIFIED COMMUNICATIONS

Local Session Controller: Cisco s Solution for the U.S. Department of Defense Network of the Future

OfficeMaster Gate (Virtual) Enterprise Session Border Controller for Microsoft Lync Server. Quick Start Guide

use it Messaging Fax Over IP (FoIP) Overview

How to choose the right IP gateway for your VoIP migration strategy. Deployment note

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

Overview of NATO Technology Trends

Building A Secure Microsoft Exchange Continuity Appliance

Security. CLOUD VIDEO CONFERENCING AND CALLING Whitepaper. October Page 1 of 9

VOICE OVER IP SECURITY

Secure VoIP for optimal business communication

The next generation of knowledge and expertise Wireless Security Basics

Virtual Private Networks

Building the Lync Security Eco System in the Cloud Fact Sheet.

Session Border Controllers: Securing Real-Time Communications

1 ABSTRACT 3 2 CORAL IP INFRASTRUCTURE 4

SIP and VoIP 1 / 44. SIP and VoIP

Basic Vulnerability Issues for SIP Security

Alexandre Weffort Thenorio - Data. IP-Telephony

S-Series SBC Interconnect Solutions. A GENBAND Application Note May 2009

Oracle s Tunneled Session Management Solution for Over-the-Top Services. Tap Into the Growing Demand for Secure, First-Class Services

Network Access Security. Lesson 10

How Proactive Business Continuity Can Protect and Grow Your Business. A CenturyLink White Paper

Introduction to Computer Networks and Data Communications

T.38 fax transmission over Internet Security FAQ

Securing SIP Trunks APPLICATION NOTE.

Internet Privacy Options

Voice over IP Basics for IT Technicians

Security Guidance for Deploying IP Telephony Systems

CPNI VIEWPOINT 01/2007 INTERNET VOICE OVER IP

Sectra Communications ensuring security with flexibility

Session Border Controllers in the Cloud

Product Information = = = sales@te-systems.de phone

Allstream Converged IP Telephony

SCADA SYSTEMS AND SECURITY WHITEPAPER

Video Conferencing and Security

Wireless Encryption Protection

PETER CUTLER SCOTT PAGE. November 15, 2011

Whitepaper SBC Sticker Shock

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

Ingate Firewall/SIParator SIP Security for the Enterprise

Load Balancing for Microsoft Office Communication Server 2007 Release 2

Voice over IP (VoIP) Basics for IT Technicians

Voice over IP Security: Issues and Answers

dect provides high protection against unauthorized access

Session Border Controllers in Enterprise

Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios

High Performance VPN Solutions Over Satellite Networks

IP-VPN Architecture and Implementation O. Satty Joshua 13 December Abstract

Alarm over IP. What is Alarm over IP? How does Alarm over IP work? Intrusion Systems White Paper Series Alarm over IP

Why SSL is better than IPsec for Fully Transparent Mobile Network Access

Lucent VPN Firewall Security in x Wireless Networks

SIP Trunking and the Role of the Enterprise SBC

Secure Voice over IP (VoIP) Networks

Best Practices for deploying unified communications together with SIP trunking connectivity

Application Note Configuring the Synapse SB67070 SIP Gateway for Broadvox GO! SIP Trunking

VoIP Encryption in the Enterprise

SIP Security Controllers. Product Overview

Security Issues with Integrated Smart Buildings

White paper. Wireless Security: It s Like Securing Your Home

Link Layer and Network Layer Security for Wireless Networks

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Introduction to Encryption What it s all about

CONNECTING TO LYNC/SKYPE FOR BUSINESS OVER THE INTERNET NETWORK PREP GUIDE

Contents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary. About this document

Security and the Mitel Teleworker Solution

SIP SECURITY JULY 2014

Enabling Security Features in Firmware DGW v2.0 June 22, 2011

VoIP in Military Applications

Combining Voice over IP with Policy-Based Quality of Service

Secure Network Access Solutions for Banks and Financial Institutions. Secure. Easy. Protected. Access.

Wireless Network Security

OpenScape UC Firewall and OpenScape Session Border Controller

VoIP Security Challenges: 25 Ways to Secure your VoIP Network from Versign Security, Dec 01, 2006

How To Secure A Voice Over Internet Protocol (Voip) From A Cyber Attack

SITEL Voice Architecture

SBC WHITE PAPER. The Critical Component

Zscaler Internet Security Frequently Asked Questions

Threat Mitigation for VoIP

Ebonyi State University Abakaliki 2 Department of Computer Science. Our Saviour Institute of Science and Technology 3 Department of Computer Science

Transcription:

Security & Encryption Introduction: the importance of encryption nected networks, spies can tap into the connection from Encryption for security is thousands of years old. With the No longer can any business or government agency take the invention of telephone networks, it was inevitable that risk of not employing encryption; luckily, the cost of encryp- forms of encryption would be developed to keep commu- tion in modern IP networks is very low. anywhere. Even the tools to find and intercept calls are free! nications secret. Radio networks made encryption critical, since the transmissions were easily intercepted. Internet Governments, militaries, and banks have employed encryption for decades. While encryption equipment was clumsy and expensive, those transferring critical data and voice had Corporate LAN no other option. Historically, the act of intercepting voice calls ( wire tapping ) required a physical connection, often near the source, which made the interception of voice calls difficult. So there was a balance between risk and cost. Wiretap Figure 2. Any network attached to a public IP network can be hacked. Analog Phone Part 1: The Basics of Encryption This treatise will guide those who are not IT or VoIP experts through the confusing world of securing their networks with encryption. It is often easy for a hacker located anywhere in the world Figure 1. Traditional wiretaps generally required a physical connection, but with VoIP the wiretap may be on the other side of the world. to target a desk or mobile phone user connected to a VoIP network and intercept and record the conversation. While this type of crime is commonly reported to be committed Voice over IP (VoIP) however, has ushered in a new level of by governments, what is not often reported (though also concern for loss of secrecy. The protocol itself is publicly happens every day) is corporate espionage of VoIP networks. available, making it easy to hack. With worldwide intercon- Many of these intrusions go undetected. 081000-087-20151125 Page 1 of 6 +1.585.924.6500 sales@redcom.com www.redcom.com

How easy is it? So easy a schoolboy can do it. With VoIP software programs, spies (and children) can find networks and locate VoIP connections. Free, downloadable programs such as Wireshark make it easy to see the digitized voice, to export it to a recorder, and even listen to a conversation in real time. Popular encryption algorithms include: : Secure Communications Interoperability Protocol AES: Advanced Encryption Standard Suite B: US government group of encryption algorithms which includes AES Encryption Architectures There are two main architectures for implementing security encryption: End-to-End and the Secure (or non-secure) Enclave. Figure 3. Free computer software enables hackers to analyze networks, locate targets, and record both voice and data. End-to-End encryption means that the user devices (phones, tablets, etc.) each have their own encryption capabilities, either built-in or just outside of the device. Both ends of a call (that is, both devices) must have matching encryption; if they do not the call will still work, but it will not be encrypted. The Basis of Encryption: Algorithms and Keys Encryption is the process of changing a message so that it cannot be easily read or deciphered. With digital (including VoIP) encryption, the series of 1s and 0s that make up the message are scrambled so that they do not resemble the original data packet and are not easily deciphered. This process uses mathematical algorithms to produce the encrypted data. Encrypted Figure 4. Typical encrypted secure end-to-end VoIP call. The problem with algorithm encryption alone is that it can be decrypted and intercepted with computers. To make the decryption far more difficult, a different base key is used for each call when it is subject to the encryption algorithm. This results in different output for each call, even though the same key is used. Key lengths vary greatly depending on the encryption algorithm used. They can range from 128-bit to 2048-bit or more. For best results, use a combination of a proven secure algorithm and a key length that minimizes the likelihood of compromise via brute-force computing. Even then, there are concerns that governments with billiondollar budgets for computing resources can compromise this encryption. Unencrypted The problem with end-to-end encryption has historically been that any device or service must have a matching encryption. This was often expensive just for end-to-end scenarios, but becomes technically difficult and very expensive to encrypt trunk-level calls, such as those to Analog Phone Figure 5. Even though one device is secure, the other is not, so the call will not be encrypted. Conference bridges and Automated Attendant services. Typically most core equipment does not offer an internal 081000-087-20151125 Page 2 of 6

encryption interface; the solution is to front-end the device with encryption and keep the entire package in a room or enclosure that is considered trustworthy, and any humans with access are also considered trustworthy. This is called a Secure Enclave. SECURE ENCLAVE Analog Phones Non- Secure Analog Phone Figure 6. Secure Enclave is a building or room which itself, and everything in it, is considered secure even though the equipment inside may be non-secure equipment. SWT Encryption limited to US military-licensed use is categorized as Type 1 encryption. Typical legacy devices include: SWT: Secure Wireline Terminal from General Dynamics STU: Secure Telephone Unit : Secure Terminal Equipment from L3 viper: Secure VoIP phone from General Dynamics OMNI: L3 device compatible with SWT Some encryption devices are similar to the US military Type 1 encryption, but the encryption algorithms are de-tuned to a lower standard and are categorized generically as non-type 1 encryption. A common non-type 1 commercial line-side encryption device is General Dynamic s Sectéra BDI. All of the above devices listed are intended for end-to-end (i.e. phone-to-phone) encryption. supports interfaces for these devices such that encryption and decryption can be utilized to deliver secure access to Unified Communications features such as Conferencing. Part 2: Encryption Protocols and Devices By far the greatest users of legacy (i.e. before VoIP) encryption were military. Today though, open and free encryption standards for VoIP have made highly secure communications available to many VoIP users. SECURE ENCLAVE s solutions support both legacy and VoIP encryption protocols and devices, an important ability since most networks are not all legacy or all IP, but hybrid. In this case, it is imperative that the core intelligent network nodes (switches) are capable of translating between the various encryption methods. Legacy Encryption Legacy encryption refers to non-voip encryption methods, and includes encryption for analog telephones, and military encrypted devices such as the analog STU and analog or ISDN-based. Figure 7. Secure Conference server for encrypted VoIP, secure, and radio users. VoIP Encryption As previously noted, VoIP communications are easily intercepted. However, the high computing power available on small chips and the publication of open standards has made VoIP encryption both imperative and relatively inexpensive. VoIP communications differ from legacy communications in that VoIP actually has two paths for communications: one for call set-up, and one for the actual voice or data. Neither are secure by default, meaning hackers can obtain phone 081000-087-20151125 Page 3 of 6

numbers, URLs, IP addresses, and listen to and even manipulate the voice conversation. VoIP call setup information SLICE is, by 2100 default, not secure when using typical industry-standard protocols such as SIP. Transport Layer Security (TLS) can add a layer of security to this signaling. The voice payload (as well as video and data) of VoIP is conveyed using Real Time Transport Protocol (RTP), which has an encrypted version, Secure RTP (SRTP). Thus, the combination of TLS and SRTP encrypt both the voice and the call set-up for VoIP calls. Figure 8. Non-secure (not encrypted) VoIP call showing separate call setup and voice routing. TLS Secure Secure IPSec is typically provided by networking devices, such as the Brocade vrouter. It is ideal for IP-based virtual private networks. Some, but not all, devices (phones) support IPSec, so the link between the phone and IPSec-enabled router is not secure. In this case it is wise to use TLS and IPSec in the network. It is important to note that SRTP, TLS, and IPSec encrypt not only voice, but data, video, and instant messaging as well. TLS SRTP IPSec Tunnel Internet Figure 10. IPSec Tunneling adds an additional level of security for calls transiting non-secure networks Mobile, Radio, and Wi-Fi Encryption TLS SRTP Intercepted radio transmissions have won (and lost) wars. Any radio-transmitted signal is easy to intercept, and as a result mission-critical radios have enjoyed encryption for years. It must be realized that the term radios includes not only military radios, but also handheld radios, mobile and smart phones, microwave, Wi-Fi, and even satellite phones. TLS Secure Secure Figure 9. Secure VoIP call with both call setup information and voice encryption. Today, many radios include encryption, such as WEP and WPA2 on commodity Wi-Fi routers. This encryption though only encrypts between the radio devices (for example, between the Wi-Fi router and the laptop), not through the remainder of the network. IPSec VoIP communications contain many layers with upper layers being encapsulated into the lower layers. TLS and SRTP are upper layers of encryption and secures an individual data stream between two endpoints. IPSec is a lower layer encryption, and secures all data streams between its endpoints. Think of TLS and SRTP as trains with the doors locked, and IPSec as a long tunnel for the trains, completely secured. Given that radio (especially Wi-Fi) is the easiest transmission to capture, it is imperative that any VoIP traffic going over radio is encrypted end-to-end. V.150.1 for Proprietary Encryption Devices Though powerful commercial encryption equipment is commercially available, recent world events have cast doubt on the true security offered by this equipment. 081000-087-20151125 Page 4 of 6

The solution for those untrusting of commercial encryption products is to design their own. While this is not terribly difficult to do, the problem lies in that networks may not be able to successfully pass modem-based proprietary encryption. However, this problem is mitigated by the V.150.1 protocol supported in s HDX and SLICE 2100 platforms, allowing reliable transport between encryption devices across an IP network. Your Device Security by Design Beyond encryption, the poor design of some VoIP networks may increase their susceptibility to attack. Security deficient designs can include centralization architecture and/or substandard equipment. Non Secure Proprietary Encryption transported via V.150.1 Figure 11. Create your own encryption with the V.150.1 protocol Distributed vs. Centralized architecture The trend to save money by using one large VoIP softswitch (centralized) rather than many smaller ones (distributed) simply makes it easier to locate a targeted victim. In simple math, it s harder to find a particular target in one of twenty switching cores than it is to find the target in one large one. PSTN Your Device Distributed networks, by their very design, are also more resilient. s that rely on one softswitch core have one single point of failure; if it is attacked and fails, the whole network fails. On the other hand, with a distributed network consisting of many smaller softswitch cores, attackers must disable every single core in order to effect the same total failure. Distributed architectures are used in PC networks, so why would anyone do the exact opposite in VoIP networks? s products are scalable from a small number of users to thousands. systems make a variety of options available to network designers, but those truly focused on security will deploy many small systems rather than one large one. Firewalls and SBCs PSTN IP Figure 13. Distributed network provides redundancy and resilience. Most people know that a firewall can block certain types of intrusions. However, traditional firewalls are deficient for VoIP networks because they are unable to recognize VoIP traffic and apply proper security measures. As a workaround, administrators often create static firewall policies to allow all traffic for selected sources and destinations, ultimately making the network more vulnerable and limiting flexibility. Figure 12. Centralized network, susceptible to single-point of attack. 081000-087-20151125 Page 5 of 6

Web, Email, etc. Firewall Private SBC Untrusted that almost anyone can breach an unsecured network. Thus encryption is no longer an option; it is absolutely mandatory. For complete protection, networks require both a firewall and a Session Border Controller (SBC). Each serves different functions to analyze IP traffic data and protect the network. SBCs tend to be more intelligent concerning the voice and video applications of the network, and thus can better analyze data and stop attacks and fraud. Conclusion VoIP Traffic Figure 13. Private IP networks carrying voice should be defended by both a Firewall and SBC. At no time in the history of mankind have communications been so susceptible to malicious attacks, fraud, and eavesdropping. VoIP networks are particularly vulnerable. The internet knowledge base along with free tools for analyzing and listening have proven time and time again Developments of IP security mechanisms and devices have made encryption inexpensive and relatively easy to deploy. Given that many networks are in a state of migration (not wholesale replacement), gateways and core switches must be capable of supporting both legacy and IP encryption. s product solutions bridge the divide between secure and unsecure networks, and secure legacy and secure IP. With s products, networks can enjoy Unified Communications by capping the existing network without replacing it, and moving secure communications to s IP-based platforms. Equipped with a vast variety of landline, VoIP, radio, and secure interfaces, products build the bridge that enable network transformation while offering a secure setting for business continuity. Security Features by Platform Security SLICE SLICE 2100 SLICE IP HDX Infinion VoIP Encryption AES V.150.1 TLS SRTP Radio Gateway Firewall Distributed 2015 Laboratories, Inc., the logo and SLICE are registered trademarks and Infinion is a trademark of Laboratories, Inc. All other trademarks are property of their respective owners. Subject to change without notice or obligation. 081000-087-20151125 Page 6 of 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information