VOIP: Are We Secured?
Ram Dantu, Professor, Computer Science and Engineering; Director, Center for Information and Computer Security, University of North Texas
rdantu@unt.edu, www.cse.unt.edu/~rdantu
04/09/2012
Agenda
- Basic operation of an IP phone
- VoIP migration (three steps)
- Difference between voice and data security
- Why VoIP security is difficult
- Solutions
VoIP Network Elements (diagram)
- Intelligent services layer: email, LDAP, Oracle, XML, CPL, 3pcc application services
- SIP proxy, registrar and redirect servers
- SIP user agents (UA): SIP signalling to the servers, RTP media between the endpoints
- Legacy PBX and PSTN attached over CAS or PRI trunks
Network Architecture 6/30/2008
Basic SIP Call Flow (SIP UA1 to SIP UA2)
- INVITE with SDP for media negotiation
- 100 Trying
- 180/183 Ringing with SDP for media negotiation
- MEDIA (early media following 183)
- 200 OK
- ACK
- MEDIA
- BYE
- 200 OK
SIP Call Flow with Proxy Server
- UA1 to proxy: REGISTER, OK (200); UA2 to proxy: REGISTER, OK (200)
- UA1 to proxy: INVITE; proxy to UA1: Trying (100)
- Proxy to UA2: INVITE; UA2 returns Ringing (180) and OK (200), which the proxy relays to UA1
- UA1 sends ACK, relayed by the proxy to UA2
- RTP/RTCP media channels flow directly between UA1 and UA2
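The proxy call flow on this slide as a runnable model; this is an added example, not code from the talk, and the user agent names, the four-field message and the plain-text trace format are constructed for it.

```python
# Added example, not code from the talk: a toy model of the slide's call flow
# (REGISTER, INVITE, 100 Trying from the proxy, 180 Ringing and 200 OK from the
# callee, ACK, BYE) through a proxy that also acts as registrar. Headers are cut
from dataclasses import dataclass
@dataclass
class Msg:
    method: str = ""  # INVITE, ACK, BYE, REGISTER on requests
    status: int = 0   # 100, 180, 200, 404, 405 on responses
    to: str = ""      # called user, the proxy's lookup key
    sdp: str = ""     # media offer (INVITE) or answer (200 OK)

class UA:
    def __init__(self, name):
        self.name, self.state = name, "IDLE"
    def on_request(self, m):
        """Callee side: move to the next dialog state, return the responses sent back."""
        table = {"INVITE": ("RINGING", [Msg(status=180), Msg(status=200, sdp="callee-sdp")]),
                 "ACK": ("IN_CALL", []),              # ACK closes the handshake; media may flow
                 "BYE": ("IDLE", [Msg(status=200)])}  # either side can tear the dialog down
        self.state, replies = table.get(m.method, (self.state, [Msg(status=405)]))
        return replies
class Proxy:
    """Registrar plus forwarder: REGISTER binds a user, other requests are routed by 'to'."""
    def __init__(self):
        self.bindings, self.trace = {}, []
    def send(self, src, m):
        self.trace.append(f"{src.name}>proxy {m.method}")
        if m.method == "REGISTER":
            self.bindings[src.name] = src
            self.trace.append(f"proxy>{src.name} 200")
            return 200
        dst = self.bindings.get(m.to)
        if dst is None:                    # unknown user: nothing is forwarded
            self.trace.append(f"proxy>{src.name} 404")
            return 404
        if m.method == "INVITE":           # a stateful proxy answers 100 Trying itself
            self.trace.append(f"proxy>{src.name} 100")
        self.trace.append(f"proxy>{dst.name} {m.method}")
        statuses = [r.status for r in dst.on_request(m)]
        for s in statuses:                 # relay every callee response to the caller
            self.trace += [f"{dst.name}>proxy {s}", f"proxy>{src.name} {s}"]
        return statuses[-1] if statuses else 0
def run_call():
    proxy, ua1, ua2 = Proxy(), UA("ua1"), UA("ua2")
    for ua in (ua1, ua2):
        proxy.send(ua, Msg(method="REGISTER"))
    proxy.send(ua1, Msg(method="INVITE", to="ua2", sdp="caller-sdp"))
    proxy.send(ua1, Msg(method="ACK", to="ua2"))
    proxy.send(ua1, Msg(method="BYE", to="ua2"))
    return proxy.trace, ua2.state
```

run_call() returns the signalling trace leg by leg and the callee's final state; an INVITE for a user that never registered is answered 404 by the proxy and never forwarded.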
VoIP Migration
Step 1: IP PBX deployments in enterprises
- Large enterprises handle VoIP calls directly, over an IP core network between customer premises
- PSTN connectivity is provided by media gateways
- A DNS server resolves URLs
- Regulation cannot stop spammers outside the USA (similar to SMTP spam)
Step 2: Hosted IP Centrex
- FW, NAT and VoIP service are provided by carrier networks
- Carrier network elements: softswitches, MGW, VoIP proxy server, SGW, SGC, VoIP Centrex server, Internet
- Customer premises connect to the carrier network
Step 3: Carrier VoIP Network
- A VoIP trunk connects the customer premises to the carrier network
- Carrier network elements: softswitches, MGW, VoIP proxy server, SGW, SGC, VoIP Centrex server, Internet
- VoIP FW, NAT and security are provided by the carriers
VoIP creates issues with FW and NAT
- Reliability: QoS must be maintained
- Signalling and media are separate streams
- NAT traversal (as for data)
- FW traversal (as for data)
Wide open ports in voice traffic
- The signalling port and a range of media ports are fixed and permanently opened to inbound traffic (diagram: IP PBX, SC)
FW and NAT Traversal (diagram)
- Trusted domain: data FW/NAT and a traversal client
- Un-trusted domain: the Internet and a traversal server
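The three slides above describe the problem of a media port range left permanently open because signalling and media travel separately. As an added example that is not from the talk, the code below sketches the opposite approach a VoIP-aware firewall takes: read the negotiated media address and port out of the SDP answer and open only that pinhole for the life of the call. The SDP body, the addresses and the rule text are constructed.

```python
# Added example, not code from the talk: the kind of SDP-driven "pinhole" a
# VoIP-aware firewall keeps, so that only the media endpoint negotiated for a
# call is reachable, and only until BYE, instead of a permanently open port range.
import re

# Constructed SDP answer as carried in a 200 OK; addresses are documentation ranges.
SDP_ANSWER = """v=0
o=callee 1 1 IN IP4 198.51.100.20
s=-
c=IN IP4 198.51.100.20
t=0 0
m=audio 49172 RTP/AVP 0 8
a=sendrecv
"""

def parse_media(sdp):
    """Return (peer_ip, rtp_port) from the c= line and the first m=audio line."""
    conn = re.search(r"^c=IN IP4 (\d{1,3}(?:\.\d{1,3}){3})$", sdp, re.M)
    media = re.search(r"^m=audio (\d+) RTP/AVP", sdp, re.M)
    if not conn or not media:
        raise ValueError("SDP has no usable c=/m=audio lines")
    port = int(media.group(1))
    if not 1024 <= port <= 65534:     # leave room for RTCP on port+1
        raise ValueError(f"implausible RTP port {port}")
    return conn.group(1), port

class PinholeTable:
    """Per-call media holes keyed by Call-ID; rules are rendered as plain text."""
    def __init__(self):
        self.holes = {}

    def open_for(self, call_id, sdp):
        ip, port = parse_media(sdp)
        self.holes[call_id] = (ip, port)
        # RTP on the negotiated port and, by convention, RTCP on the next one up
        return [f"allow udp from {ip} dport {port}", f"allow udp from {ip} dport {port + 1}"]

    def close(self, call_id):
        """Called when the dialog ends (BYE / 200 OK): the hole goes away with the call."""
        return self.holes.pop(call_id, None)

    def permits(self, src_ip, dport):
        """Would an inbound UDP packet from src_ip to dport be accepted right now?"""
        return any(ip == src_ip and dport in (p, p + 1) for ip, p in self.holes.values())
```
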
Voice Spam
- Voice spam is different from e-mail spam: compare voice spam at 2am with e-mail spam at 2am
Email vs. Voice Mail
- Email is indirect (un-intrusive): Internet, local SMTP server, remote SMTP server. Email server access is protected through a series of mail servers and relays
- Voice mail is direct (intrusive): the network delivers straight to the voice mail server. Would you allow an un-trusted person to save directly on your system? Voice mail has fewer barriers than data
Email versus Voice mail
- It is like postal versus door delivery, and similarly voice mail server security versus data (email) server security
- Even though the voice mail server is behind the firewall, the caller is connected directly to it. For example, the PIN for your answering machine is only 2-4 digits
- (diagram: postal delivery vs. home delivery)
Wide open ports in voice traffic
- Data applications: the main gate is closed
- Voice over IP: the main gate is open
911 Emergency Safety Concerns
- 911 and emergency service: a DoS attack on the phone
- There is no 911 application on data, but 911 must be supported on the voice service
- The phone is connected to emergency dispatch, whereas the PC is not
Anonymous Phone Calls
- Users want to be reachable from anywhere
- Casual calling opens up the door: anybody can call, a bad guy or a grandma
Toll Fraud
- Calls can be forwarded to international numbers using an end-user phone
- When VoIP happens, toll fraud is going to increase
- (diagram: compromised phone, call made to a vulnerable network, toll fraud call to the destination)
Perimeter Extended to include the legacy PBX
- (diagram: IP PBX, voice mail and media gateway on the WAN side; voice mail, PBX and PSTN on the legacy side)
- An attack can propagate to the PSTN as well
Points Of Pain
VoIP Security: Points of Pain
- Attackers can now attack massive numbers of IP phones in a very short period of time. For example, an attacker with a low-end PC can put 2000 phones out of service in a few minutes.
- A real-time IDS is required for voice and video calls.
- There is little time to deploy an effective fix manually.
- Unlike PCs, VoIP devices have limited resources to withstand DoS attacks.
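One building block of the real-time IDS this slide calls for, as an added example that is not from the talk: a sliding-window check over SIP signalling logs that flags a source sending INVITEs to more distinct phones than a human caller would within a few seconds, which is the signature of the mass attack the slide describes. The log format, addresses, sample lines and thresholds are all constructed for this example.

```python
# Added example, not code from the talk: a sliding-window check of the kind a
# real-time VoIP IDS could run over signalling logs, flagging a source that sends
# INVITEs to more distinct phones in a short window than any human caller would.
# The log format, the addresses and the thresholds are all constructed here.
import re
from collections import defaultdict, deque

WINDOW_S, MAX_TARGETS = 10.0, 20   # assumed policy: >20 distinct callees in 10 s is a sweep
LINE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<src>\S+) (?P<method>[A-Z]+) sip:(?P<user>[^@\s]+)@")

def constructed_log():
    """Sample lines: one caller making four calls, one source sweeping 60 extensions."""
    lines = [f"{100.0 + i * 7:.2f} 192.0.2.44 INVITE sip:{1001 + i}@pbx.example" for i in range(4)]
    lines += [f"{100.5 + i * 0.05:.2f} 203.0.113.7 INVITE sip:{1000 + i}@pbx.example" for i in range(60)]
    lines.append("106.00 192.0.2.44 BYE sip:1001@pbx.example")
    return sorted(lines, key=lambda l: float(l.split()[0]))

def detect_invite_sweeps(lines, window=WINDOW_S, max_targets=MAX_TARGETS):
    """Return one (src, ts, distinct_targets) alert per source that exceeds the policy."""
    recent = defaultdict(deque)        # src -> (ts, callee) pairs still inside the window
    alerted, alerts = set(), []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "INVITE":
            continue                   # malformed lines and non-INVITE traffic are ignored
        ts, src = float(m["ts"]), m["src"]
        q = recent[src]
        q.append((ts, m["user"]))
        while q and ts - q[0][0] > window:
            q.popleft()                # expire entries older than the window
        targets = {user for _, user in q}
        if len(targets) > max_targets and src not in alerted:
            alerted.add(src)           # report each offending source once
            alerts.append((src, ts, len(targets)))
    return alerts
```
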
Security: Points of Pain
- Too many security devices in the network, and on top of that they do not communicate with each other: data firewalls, voice firewalls, IDS, IPS, virus scanners, spam filters and honeypots
- Lots of data: too many alerts, logs and rules. Manual correlation is a nightmare; automatic methods are required instead
- Cost of the devices and of managing them
- Tolerance for spam is very low (zero tolerance)
Points of Pain
- VM server security: authentication and authorization of all user access to the voice mail. For example, tapping or hijacking of the CFO's voice mail
- Viruses and worms can spread through the VPN and the data network. In this situation the FW and IDS cannot help, because the attacker can be behind the FW
Securing Voice and Video over the Internet
- PI: Ram Dantu, Network Security Laboratory (UNT is the lead)
VoIP Security Workshops
- December 2004, Dallas. Chairs: Ram Dantu, University of North Texas; Sujeet Shenoi, University of Tulsa
- June 2005, Washington, DC. Chairs: Ram Dantu; Paul Kurtz, Cyber Security Industry Alliance and former special assistant to President Bush
- June 2006, West Berlin, Germany. Chairs: Ram Dantu; Henning Schulzrinne, Columbia University
Conclusions
- Aggressive VoIP deployment by enterprises: by 2009 VoIP phone deployment is going to overtake legacy phones
- Voice security is different from data security. Not much work has been done on VoIP threat models
- Increased threat level due to WLAN, VoWLAN and mobility issues
- Our group is actively doing research on VoIP security, threats, models and attack graphs. In particular, we are working on detecting spam and unwanted calls; this approach can be called telephone telepathy
- Please send your questions and comments to Rdantu@unt.edu (www.csci.unt.edu/~rdantu)