VoIP Security. Customer Best Practices Guide. August 2015. 2015 IntelePeer




Contents
- Getting Started
- Pre-Deployment Considerations
- Preparation Check-List
- Common Security Threats
- Security Best Practices
- Importance of an SBC
- General Security Measures
- Securing Connections from Dynamic IP Addresses
- VoIP Encryption
- Securing VoIP Devices
- Service Provider Support
- Call Barring
- Fraud Alerts
- VoIP Checklist

Getting Started

IntelePeer takes the security of our customers' information and systems very seriously. Telephony using Voice over IP solutions delivers many benefits, including cost savings and increased flexibility, but as with much of today's technology, there are security threats that must be considered. We've compiled some of the best advice from service providers, security experts and vendors to create a best practices guide for minimizing your security risks in VoIP environments. The security measures outlined in this document include on-premise IP-PBX configuration steps, as well as tools available from IntelePeer to help you minimize your security risks.

Pre-Deployment Considerations

Before implementing a VoIP PBX system, know that maintaining a secure environment requires due diligence and that precautionary steps must be taken to protect your business environment. Because a PBX can make almost unlimited chargeable calls very quickly, it has become a profitable target for professional hackers. Hackers continuously scan VoIP PBXs for weaknesses; engineers who specialize in VoIP security can set up measures to ensure PBX security and prevent such risks.

Preparation Check-List

Here is a checklist of tasks and responsibilities to securely set up and maintain your PBX prior to installation.

During Setup
1. Subscribe to security mailing lists for all vendors that your solution encompasses.
2. Set up a regular calendar of maintenance activities that are relevant to your installation.
3. Keep a list of all hardware and software assets, with versions of software/firmware.

Regular Checks (recommended daily)
1. Check security mailing lists for new vulnerabilities and apply recommended fixes.
2. Check SBC logs.
3. Check call logs for unexpected call traffic.
4. Check network graphs for unexpected traffic.

Common Security Threats

There are industrial-grade scanners operating around the clock to find and exploit unsecured IP-PBXs and hosted handsets. Like any PC or network with direct Internet access, an IP-PBX must be secured against malicious attacks before deployment. The following security issues and attacks have been identified on many standard VoIP implementations.

1. Call Interception
One of the most commonly encountered problems with VoIP set-ups is that data passing through VoIP gateways is not encrypted by default. If a malicious attacker finds the stream's source, the signal can be hijacked and the hijacker can listen to conversations. To intercept calls, the attacker only requires physical access to a LAN segment that the VoIP packets travel across. To safeguard against call interception, most enterprises use Ethernet switches instead of hubs to limit the number of locations for a possible exploit. Call interception is riskier on unsecured wireless networks, as attackers can easily enter a corporate network and listen in on phone calls.

2. Denial of Service Attacks
A DoS attack floods the network with large amounts of data, resulting in disruption of services. This data can take many forms, but all of them prevent the network from functioning properly. A DoS attack can be far more devastating if it is carried out by multiple computers (such an attack is called a DDoS). DDoS attacks may target different parts of the network; however, if your VoIP infrastructure is directly connected to the primary network, it may be affected by the DDoS attack. Denial of service attacks can cause several problems for VoIP sessions. Some DDoS attacks may not bring down the network, but may cause severe traffic disruption due to increased latency, jitter and packet loss.

3. Exfiltration of Data
Another major problem an enterprise may encounter is the exfiltration of confidential data from its network. In this scenario, attackers make use of RTP sessions to extract information from a corporate environment. VoIP packets, unlike data packets in other formats, are much more difficult to scan for hidden content or data without introducing delay into the entire data stream. Exfiltration attacks are usually carried out by VoIP Trojans that send data out of the host system as an RTP stream.

4. Vishing
Vishing (or voice phishing) is the practice of using a telephone system to gain access to confidential personal and financial information. Voice phishing tricks the victim into trusting the caller and inadvertently releasing sensitive information. Due to their nature, vishing attacks are very difficult to mitigate, but user awareness of such attacks is the best defense. Vishing is typically used to steal information such as credit card numbers or user information used in identity theft schemes. Some fraudsters utilize features facilitated by Voice over IP (VoIP), such as caller ID spoofing to display a number of their choosing on the recipient's phone line, and automated systems (IVR).

5. Spamming over Internet Telephony (SPIT)
VoIP spam or SPIT (Spam over Internet Telephony) is the mass sending of automatically dialed, pre-recorded phone calls using VoIP. These messages are sent hundreds of times to several victims and are very difficult to monitor and mitigate. As VoIP systems make use of computer systems, it is extremely easy to send massive amounts of voice spam to thousands of different VoIP users. VoIP technology has many free and open source tools that are easily accessible (e.g. Asterisk and SIP). Such tools greatly simplify the job of the VoIP spammer. One technology that is commonly exploited to carry out SPIT attacks is the Session Initiation Protocol (SIP). SPIT attacks can be mitigated using a variety of techniques, including:
- Blacklisting and whitelisting possible spammers
- Audio CAPTCHAs
- Reputation systems
- Consent-based communication

6. Caller ID Spoofing
Caller ID is used to identify the caller's information. By spoofing it, a call can appear to be legitimate while asking for confidential information, which can further lead to data breaches. There are websites that can be used to spoof calls (spooftell.com, covertcalling.com, etc.), many of which are restricted to specific countries.

7. Viruses and Malware
Viruses and malware are a prevalent threat across all technologies and can bring down the entire VoIP network or abuse VoIP usage. Malware posing as legitimate software can leak VoIP credentials and open a remote backdoor on the target. Software phones are more vulnerable to such attacks.

8. General Scanning and Directory Scanning
General and directory scanning is the process of finding VoIP hosts and running services on the network. Nmap is commonly used for this purpose. After hosts are found and ports identified, further scans are used to find running services, and the type of device can be determined using network stack fingerprinting.

9. Registration Hijacking
Registration hijacking occurs when an attacker impersonates a valid user agent and replaces the legitimate registration with its own address. This attack causes all incoming calls to be sent to the user agent registered by the attacker.

10. Man-In-The-Middle Attacks
The basic concept is that an attacker broadcasts spoofed advertisements of a MAC address and thus forces subsequent IP packets to flow through the attacker's host. This allows eavesdropping on communications between two users.

11. Session Manipulation
An example of session manipulation is session tear-down, which occurs when an attacker observes the signaling for a call, then sends spoofed SIP BYE messages to the participating user agents (UAs). Most SIP UAs do not require strong authentication, which allows an attacker to send a properly crafted BYE message to the two UAs, tearing down the call. The same methodology can be applied to other messages, such as redirects.

12. Equipment Reboot
Equipment reboot uses SIP messaging, including NOTIFY/check-sync messages sent to a user agent, to cause a reboot that renders the device almost inoperative.

13. War Dialing
War dialing (or wardialing) is the technique of using a call script to automatically scan a list of telephone numbers, usually dialing every number in a local area code, to search for computers, IP phones, voicemail boxes and fax machines. Hackers use the resulting lists for predicting user accounts (by capturing voicemail greetings) or for locating entry points into the computer or other electronic systems.

Security Best Practices

If you have a network that connects to the Internet, then it is a potential open door for attackers. It is worth considering a few basic aspects of security to amply protect yourself. Attacks on voice systems are nothing new; hackers have been attacking company telephone systems for decades, even before VoIP came along. An attacker may just be attempting to get some free long distance calls for himself, but there are also organized criminals who want to use your telephone system to route international calls at your cost. Some may route calls to premium rate numbers (which they have set up) to make money. In any case, the result is the same: your phone bill is increased and the money is in their pocket. Attacks to get free calls are known as toll fraud, whereas attacks to call premium rate numbers are known as revenue share fraud, and usually International Revenue Share Fraud (IRSF).

To ensure VoIP security, you should first safeguard yourself with adequate network security. Your VoIP system consists of elements like a PBX (for example Asterisk) and VoIP phones or soft-clients (software that acts as a phone from your computer's desktop). Each of these devices is often a fully functional computing device with web interfaces and configuration screens, and you need to consider how to secure each device as you would secure a desktop PC.

Importance of an SBC

Contrary to some opinions, Session Border Controllers (SBCs) are the best edge device for security in VoIP deployments. SBCs are developed explicitly for voice traffic and have the same built-in security features as a standard network firewall. SBCs commonly maintain full session state and offer the following functions:

Security: protects the network and other devices, with functions such as:
- Protection against malicious attacks such as denial-of-service (DoS) or distributed denial-of-service (DDoS)
- Protection against toll fraud via rogue media streams
- Topology hiding
- Malformed packet protection
- Encryption of signaling (via TLS and IPsec) and media (SRTP)

Connectivity: allows different parts of the network to communicate through a variety of techniques, such as:
- NAT traversal
- SIP normalization via SIP message and header manipulation
- IPv4 to IPv6 interworking
- VPN connectivity
- Protocol translation between SIP, SIP-I and H.323

Quality of Service: the QoS policy of a network and the prioritization of flows is usually implemented by the SBC. It can include functions such as:
- Traffic policing
- Resource allocation
- Rate limiting
- Call admission control
- ToS/DSCP bit setting

Media services: many of the new generation of SBCs also provide built-in digital signal processors (DSPs) to enable them to offer border-based media control and services such as:
- DTMF relay and interworking
- Media transcoding
- Tones and announcements
- Data and fax interworking
- Support for voice and video calls

Statistics and billing information: since all sessions that pass through the edge of the network pass through the SBC, it is a natural point to gather statistics and usage-based information on these sessions.

General Security Measures

Passwords. Secure all VoIP devices that have a configuration interface, including phones, PBXs, IP phones, soft clients, workstations and other networked devices. Reinforce the use of strong passwords on VoIP phones with a policy on the PBX that requires them. Leaving just a single phone with a default password, a weak password or no password significantly increases the risk of a toll-fraud attack. Never leave any system with the default or factory password. Attackers know these passwords, and this is the simplest attack. If your users choose their own passwords and PINs, try to discourage them from using obvious passwords, or ones that are easy to guess if you know a little about the person (e.g. car registration, partner's name, etc.). PINs like 1111 or 1234 are easily guessed by attackers. Here are a few strategies for creating strong passwords:
- Join two or more words, perhaps ones that tell a story the owner will remember, e.g. bonsaitreecare, blacklabrador
- Include numbers as well as letters in the password, e.g. 10terhooks, 5after12

- Studies have shown that password length is the single most important factor in password security. Use longer passwords, with 8 characters as a minimum; 12 or more is better. These passwords are more resistant to dictionary attacks, where an automated system tries to log on many times using a list of common words and logins, e.g. 12345, pa33word, etc.

VPN. An encrypted Virtual Private Network is a way for remote users (e.g. home workers) to access your network securely. Access is via a password, and traffic is encrypted so that no one on the Internet can monitor and capture your data.

Patches. Keep systems up to date with operating system patches. New system vulnerabilities are found every week, so it is important to patch systems regularly.

Unused Services. Disable any unused services in order to avoid misuse. For example, if you don't use the voicemail system, disable it, as an attacker might exploit a weakness in it to gain access to further services.

WiFi. Wireless brings its own set of vulnerabilities. If you allow WiFi access, make sure you use a secure encryption system (like WPA2) to make it difficult for strangers to join your network, and choose a secure passphrase (see Passwords, above).

Management Interfaces. Secure VoIP systems (PBX, phones, etc.) behind your company SBC. Remember that if someone can reconfigure these systems remotely, they may be able to reroute calls to international destinations or to premium numbers. Control ports left open on the Internet are easily found, in some cases even with a simple Google search.

Mobile VoIP. If you use VoIP from smartphones (which is increasingly common), configure the access PIN on the phone. Mobiles get lost and stolen, so you should prevent the phone from being used (for services including VoIP) without a PIN. Many phones have a feature to automatically erase phone content after a PIN has been entered incorrectly a number of times. Consider using encryption services for remote VoIP phones, especially if they connect via public Wi-Fi hotspots. Even if you do not consider your phone calls confidential enough to need this level of secrecy, encrypting VoIP traffic provides some valuable additional security controls.

Mobility Services. Think carefully about the remote services you want users to have. For example, it can be very useful for remote users to be able to reconfigure call forwarding features so that calls are forwarded to home or mobile numbers. The flip side is that an attacker might use the same feature to reroute calls to a premium number. Any service that allows a remote caller to get back to the PBX dial tone has the potential for making unauthorized calls at your expense.

Lock Down the PBX. A VoIP phone can register with a PBX from anywhere in the world. You may choose to limit registrations to within your own office network, or only allow preconfigured VoIP phones access. You may be able to secure phones via password, IP address or MAC (physical) address. A good policy is to deny access by default and create exceptions for authorized users.

Patches. Just as with network systems, VoIP components have vulnerabilities that can be fixed with periodic software/firmware updates. Your PBX manufacturer or reseller may have recommended firmware versions; check with them.

Call Limits. Your Internet telephony service provider (ITSP) may be able to provide services to protect you from overspend on your telephony service. For example, they may be able to limit calls to premium rate and international destinations. Some ITSPs can detect patterns of fraud, e.g. uncharacteristic repeated calls to overseas destinations, and automatically prevent calls until you authorize the extra spend.

Securing Connections from Dynamic IP Addresses

It is not always possible to limit VoIP interconnects to static IP addresses. Most home workers will use a standard domestic broadband connection, virtually all of which use dynamic IP addresses. Roaming users connecting from Wi-Fi hotspots and users running VoIP apps on mobile devices will all connect from dynamic IP addresses. Where connections from dynamic IP addresses cannot be avoided, ensure that authentication is enabled for all user accounts and that robust passwords are chosen, as discussed elsewhere in this document.

Check that your PBX requires and enforces authentication for as wide a range of operations as possible. At a minimum, user agent registration (SIP REGISTER) and call set-up (INVITE) must be authenticated. Other operations such as call termination (BYE) and presence and voicemail notification (SUBSCRIBE/NOTIFY) should also require authentication. These authentication requirements apply to both internal IP phones and remote users, as an attacker will target both categories. If your PBX cannot authenticate the full range of protocol operations, or if for other reasons it is not practical to configure it to do so, consider using a specialist security gateway to provide the full range of authentication services.
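The two controls described above, the per-method authentication requirement and the "deny registrations by default, allow known sources" policy, as an added example that is not IntelePeer's code or any PBX's: a small policy hook of the kind an SBC or PBX front end could apply. The networks, extensions and SIP messages are constructed for the example, and the hook only checks that credentials are present; verifying the digest response is still the PBX's job.

```python
"""Per-method SIP authentication check and registration-source ACL.

Added example: a policy hook of the kind an SBC or PBX front end could
apply. All networks, extensions and messages are constructed for the
example; they are not from this guide or from any real deployment.
"""
import ipaddress
from dataclasses import dataclass, field

# The guide: REGISTER and INVITE must be authenticated; BYE, SUBSCRIBE and
# NOTIFY should be. Requests for other methods fall through to the PBX default.
AUTH_REQUIRED = {"REGISTER", "INVITE", "BYE", "SUBSCRIBE", "NOTIFY"}

# Constructed ACL: extensions not listed as public facing may only be used
# from the office network (the "limit extension registration source IP" item).
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
PUBLIC_FACING_EXTENSIONS = {"2001"}   # e.g. a remote worker's handset


@dataclass
class SipRequest:
    method: str
    request_uri: str
    source_ip: str
    headers: dict = field(default_factory=dict)   # lower-cased name -> value


def parse_sip_request(raw: str, source_ip: str) -> SipRequest:
    """Parse the request line and headers of a SIP request (body is ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request line")
    req = SipRequest(parts[0].upper(), parts[1], source_ip)
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:                                   # skip malformed header lines
            req.headers[name.strip().lower()] = value.strip()
    return req


def claimed_extension(req: SipRequest) -> str:
    """User part of the From URI, i.e. the extension the sender claims to be."""
    frm = req.headers.get("from", "")
    start = frm.find("sip:")
    if start < 0:
        return ""
    start += 4
    end = frm.find("@", start)
    return frm[start:end] if end > start else ""


def has_credentials(req: SipRequest) -> bool:
    # Presence only: the PBX still has to verify the digest response itself.
    return "authorization" in req.headers or "proxy-authorization" in req.headers


def source_allowed(ext: str, source_ip: str) -> bool:
    if ext in PUBLIC_FACING_EXTENSIONS:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in OFFICE_NETWORKS)


def check_request(raw: str, source_ip: str) -> str:
    """Decide what to do with a request: 'accept', 'challenge' (401) or 'reject' (403)."""
    req = parse_sip_request(raw, source_ip)
    ext = claimed_extension(req)
    if not source_allowed(ext, source_ip):
        return "reject"        # internal-only extension used from outside the office
    if req.method in AUTH_REQUIRED and not has_credentials(req):
        return "challenge"     # an unauthenticated BYE (the tear-down threat) stops here
    return "accept"


def build_request(method: str, ext: str, authenticated: bool) -> str:
    """Constructed sample request (not a captured message) for exercising the checks."""
    lines = [
        f"{method} sip:1001@pbx.example.com SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK776asdhds",
        f"From: <sip:{ext}@pbx.example.com>;tag=1928301774",
        "To: <sip:1001@pbx.example.com>",
        "Call-ID: a84b4c76e66710@pbx.example.com",
        f"CSeq: 314159 {method}",
        "Content-Length: 0",
    ]
    if authenticated:
        lines.insert(2, f'Authorization: Digest username="{ext}", realm="pbx.example.com", '
                        'nonce="constructed", uri="sip:pbx.example.com", response="00"')
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    # Unauthenticated BYE for internal extension 1002 arriving from the Internet: rejected.
    print(check_request(build_request("BYE", "1002", False), "203.0.113.9"))
    # Office REGISTER without credentials: challenged; with credentials: accepted.
    print(check_request(build_request("REGISTER", "1002", False), "10.20.1.5"))
    print(check_request(build_request("REGISTER", "1002", True), "10.20.1.5"))
```

Extensions not in the public-facing set never reach the authentication step from outside the office, which is the "deny by default" policy the guide recommends.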

For additional security, consider enabling encryption for remote and roaming users. The SBC can then be configured to allow only encrypted VoIP traffic from dynamic IP addresses. Where possible, use a direct, dedicated connection for trunk/interconnect connections with your provider. A direct, dedicated connection greatly reduces the risk of a range of security threats. Whether using a direct dedicated connection or the public Internet, you should use an SBC. Configure the SBC to allow only authorized interconnect traffic to and from the trunk/interconnect provider; this reduces the risk of unauthorized access to your PBX.

VoIP Encryption

The SIP standard allows both signaling (call set-up) and media (audio or video streams) to be encrypted. The standard specifies the use of TLS for signaling encryption and SRTP for media encryption. TLS is the same protocol used to access a website providing online banking or other services that need encryption. SRTP is designed specifically for encrypting VoIP calls; it is a lightweight but secure encryption protocol that avoids the overhead associated with VPN technologies designed primarily for data. Many IP phone vendors now offer call encryption, and most soft-phones available for laptops, mobile phones and tablets include encryption. While only some IP-PBXs support encryption, a good SBC will handle encrypted calls. Encrypting VoIP calls provides many benefits, including:
- Additional security for remote and roaming users connecting from dynamic IP addresses.
- Protection against a wide range of attacks that rely on monitoring VoIP calls. These include offline password recovery attacks, call termination attacks and a range of denial of service attacks.
- Defense against unauthorized eavesdropping.

Call encryption is an area where VoIP can offer a superior service over fixed line and cellular networks. There are a number of documented, although illegal, techniques for monitoring calls on cellular networks. Where call privacy is important, VoIP offers a simple and cost-effective mechanism to encrypt calls.

Securing VoIP Devices

Most IP-PBX installations use VoIP telephones installed on workers' desks. One of the great benefits of VoIP is that you can take your telephone anywhere in the world, plug it into the Internet and it will work exactly as it did back home or in your office. This has many advantages, but it also brings increased security concerns.

Additionally, VoIP telephones and adapters are powerful online computers needing protection from external attack, just like your PC. But don't worry: the security precautions you need to consider are simple, and you already have what you need to apply them (almost everything discussed below also applies to users of softphones on PCs and Macs).
1. With IntelePeer you can be certain that we follow industry best practices.
2. Any modern router that connects you to the Internet will have some kind of integrated firewall. Most corporate hotspots have a firewall in place for guest logins.
3. Your device normally contains a username or account number plus a password, which it uses to log itself into your service provider's telephone network. Keep this password safe, because anybody anywhere who gets hold of it can use it to make phone calls from their own phone. See section three for advice on passwords/PINs.
4. If you dispose of a phone, remove your username/password first. Log on to the device's web page and remove this information. A factory reset is even better, as it also removes the calling directory and records of your calls.
5. For softphones, remove the password and then uninstall the application. When disposing of a PC or laptop it is good practice to format the disk, or even to remove and destroy it.
6. Change your password on your VoIP service itself and, if you are no longer using the service, delete any credit cards on file and cancel the account.
7. Keep the software on both your PC and phone patched and up to date.

Service Provider Support

In most IP-PBX attacks, the motive is fraud. The attacker will make expensive calls, including calls to international destinations or to premium rate numbers from which they profit. If your IP-PBX has been compromised, any local policies you have in place to restrict calls will almost certainly be rendered useless. It is therefore important to work with your service provider to add an additional, external layer of protection. IntelePeer is well versed in security and has a number of safeguards in place to help combat fraud. Furthermore, IntelePeer has clearly demonstrated, with evidence, its understanding of and commitment to security. There are a variety of ways in which IntelePeer supports the security of our customers, some of which are described below.

Call Barring

You may wish to block calls to/from certain countries, numbers or area codes. If you do not need to make international calls, for example, IntelePeer ensures this feature is not available to your business.

Fraud Alerts

IntelePeer monitors and takes measures to protect its network from fraudulent abuse and unauthorized access. Our fraud management practice incorporates proactive call screening and alert procedures to reduce fraud exposure. By monitoring fraud, IntelePeer attempts to reduce our customers' fraud risk. IntelePeer's fraud detection team also works with our customers to share information related to fraud trends. Today's voice switching network alarms are based on specific patterns that indicate a high probability of fraud, i.e., long-duration international calls, international PBX fraud, and calls terminating to known "high fraud" countries. If suspicious calling patterns are observed, IntelePeer's Customer Service organization makes reasonable attempts to alert the customer of the suspected fraud. It is up to the customer to advise IntelePeer of the appropriate action (for example, block the TN, ANI or entire TG). In the event that the customer does not respond, we will disable the affected Trunk Group until the customer is reached, in order to maintain the integrity of the network.

VoIP Checklist

Below is a list of key issues that you should check off to ensure that your IP-PBX is VoIP ready:

Server
- Ensure you fully understand your system's functionality and capabilities, and restrict access to those services which you do not use.
- Confirm the server you want to deploy the IP-PBX on is hardened, with unnecessary services disabled.
- Disable SSH root access, require SSH login via secure key, and change default ports, i.e. use 4245 for SSH rather than 22, etc.
- Secure the system physically: install it in a secure location and restrict access to that area.
- Limit max trunk calls and max calls per extension to your requirements.
- Make certain that your server's operating system and ALL associated software that you are installing is the latest version with ALL the latest security patches applied.
- Change ALL the default passwords.

Passwords & Access
- Ensure ALL passwords, including extension passwords, are complex. If possible, require alphanumeric passwords with as many digits as the system allows.
- Avoid 0000, 1234 and extension number = PIN passwords.
- Limit password access to any maintenance ports.
- Require that passwords and access codes are changed regularly.
- Delete/change passwords for ex-employees immediately following separation.
- Set an access PIN on smartphones that will use VoIP.
- Limit external access to known IPs only.
- Consider limiting call types by extension: if an extension user has no requirement to ring international/premium rate numbers, then bar access to these call types.
- DISA (Direct Inward System Access) is typically used to allow employees to dial in from home and make outbound calls (usually high-value call types, i.e. mobile, international, etc.) via the company PBX.
- Limit VoIP registrations to the office network.
- Limit your extension registration source IP. For all extensions that are not public facing (i.e. devices that do not have to use public IPs for registration), ensure that those extensions are only accessible via your internal network. This ACL-type limitation can be done at both the extension and trunk levels.
- Block access to unallocated mailboxes on the system, and change the default PIN on unused mailboxes.

Security Checks
- Enable logging and check firewall logs weekly.
- Be vigilant for evidence of hacking. The inability to get an outbound line is usually a good indicator of high volumes of traffic through your system.
- Check for calls outside business hours.
- Reviews of calls should be carried out regularly, covering analysis of billed calls by originating extension, to identify irregular usage and unexpected traffic.
- Assess the security of all PBX peripherals/applications: platform, operating system, password and permissions scheme.
- Carefully evaluate the security of any onboard remote management utility (e.g. PC Anywhere) for possible holes.
- Enable a backup routine.
- Back up your system at least once every 30 days.
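The call-log review asked for under Fraud Alerts and in the Security Checks above (long international calls, calls to "high fraud" destinations, calls outside business hours, repeated overseas calls, and billed usage by originating extension), as an added example that is not IntelePeer's tooling. It parses a constructed CDR extract; the thresholds, the business-hours window and the high-risk prefixes are placeholders to be tuned to your own traffic.

```python
"""Call-log review for the fraud indicators this guide asks you to watch.

Added example, not IntelePeer's tooling: reads constructed CDR lines and flags
calls outside business hours, long international calls, calls to high-risk
destinations and extensions with unusually many international calls. All
thresholds, prefixes and records are placeholders chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, time

BUSINESS_HOURS = (time(8, 0), time(18, 30))      # Mon-Fri window; weekends are "outside"
HOME_COUNTRY = "+1"                               # anything else counts as international
HIGH_RISK_PREFIXES = ("+882", "+881")             # placeholder "high fraud" prefixes
LONG_CALL_SECONDS = 30 * 60                       # "long duration international call"
MAX_INTL_CALLS_PER_EXT = 3                        # "uncharacteristic repeated calls"

# Constructed sample CDR, one call per line: start,extension,destination,duration_s
SAMPLE_CDR = """\
2015-08-03T09:12:44,1001,+12125550100,180
2015-08-03T23:41:02,1004,+88210000001,2700
2015-08-04T02:15:09,1004,+88210000002,3100
2015-08-04T02:58:31,1004,+88210000003,2950
2015-08-04T03:20:00,1004,+88210000004,900
2015-08-04T10:05:12,1002,+442055500123,120
"""


def parse_cdr(text: str) -> list:
    """Turn CDR lines into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split(",")
        if len(fields) != 4:
            continue
        start, ext, dest, duration = fields
        records.append({"start": datetime.fromisoformat(start), "ext": ext,
                        "dest": dest, "duration": int(duration)})
    return records


def is_international(dest: str) -> bool:
    return not dest.startswith(HOME_COUNTRY)


def outside_business_hours(when: datetime) -> bool:
    open_at, close_at = BUSINESS_HOURS
    return when.weekday() >= 5 or not (open_at <= when.time() <= close_at)


def flag_calls(records: list) -> list:
    """Return (reason, extension, detail) tuples, one per triggered indicator."""
    flags = []
    intl_calls = defaultdict(int)
    for r in records:
        if outside_business_hours(r["start"]):
            flags.append(("outside-business-hours", r["ext"], r["dest"]))
        if is_international(r["dest"]):
            intl_calls[r["ext"]] += 1
            if r["duration"] >= LONG_CALL_SECONDS:
                flags.append(("long-international-call", r["ext"], r["dest"]))
        if r["dest"].startswith(HIGH_RISK_PREFIXES):
            flags.append(("high-risk-destination", r["ext"], r["dest"]))
    # Per-extension volume check: the "repeated calls to overseas destinations" pattern.
    for ext, count in intl_calls.items():
        if count > MAX_INTL_CALLS_PER_EXT:
            flags.append(("repeated-international-calls", ext, f"{count} calls"))
    return flags


def usage_by_extension(records: list) -> dict:
    """Billed usage per originating extension: (calls, total seconds)."""
    usage = defaultdict(lambda: [0, 0])
    for r in records:
        usage[r["ext"]][0] += 1
        usage[r["ext"]][1] += r["duration"]
    return {ext: tuple(v) for ext, v in usage.items()}


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for reason, ext, detail in flag_calls(recs):
        print(f"{reason:28} ext {ext}  {detail}")
    print(usage_by_extension(recs))
```

On the sample, extension 1004 trips every indicator while 1001 and 1002 trip none, which is the kind of per-extension contrast the review is meant to surface.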