Threats to be considered (1) ERSTE GROUP




VoIP-Implementation Lessons Learned
Philipp Schaumann, Erste Group Bank AG, Group IT-Security
philipp.schaumann@erstegroup.com
http://sicherheitskultur.at/
Page 1

Threats to be considered (1)
- Eavesdropping on voice or signalling traffic, through sniffing, man-in-the-middle or other techniques
- Unauthorized silent participation in calls
- Denial of service against voice traffic or phones (e.g. destination unavailable, call forwarding, etc.), QoS degradation
- Attacks from the voice network / voice port into the data network (sniffing of data, of network or switch configuration details, DoS, attacks against systems and data storage, etc.)
- Attacks from the switch-port on the phone (where the PC is connected) into both networks
- Spoofing of phones: non-phone hardware participating as an unauthorized internal caller
- Spoofing of users, impersonation, voice session hijacking
- Manipulation of the caller ID functionality (faking other telephone numbers)

Threats to be considered (2)
- Subverting phones by manipulating their configuration files or their internal software (comparatively easy for soft phones)
- Unauthorized use of the CTI, JTAPI and TAPI functionality (modifying configurations or accessing signalling or traffic information)
- Loss of emergency call functionality during power failures
- Spam against voice mailboxes, including phishing attacks
- Attacks across the boundary between the VoIP network and the SS7 networks (PSTN, traditional phone provider), in both directions
- Unauthorized change of whether a call is recorded or not
- Abuse of the recording functionality to route voice traffic to unauthorized systems
- Manipulation of already recorded calls (modification, deletion) in the archive
- Unauthorized access to the call archive

VoIP Security is Communication Security
- Who is who in your network?
- Is everybody authenticated?
- Is everybody talking on a secure channel?

Authentication Protocols and Mechanisms: how do we ensure that we know who we are talking to?
[Diagram: IP Phone, PBX, PBX, Voice GW, PSTN, plus Recording Box and Authentication Box; device authentication between the components, user authentication at the IP Phone; annotations "Support for X.509", "Support for 802.1x, how?", "PIN, Token"]
- Question: how is the authentication between each of the components implemented (component authentication), and how are the users authenticated?

Communication Protocols: how is the encryption handled?
[Diagram: the same components; signalling traffic / CTL flows between IP Phone, PBX, Voice GW, Recording Box and Authentication Box; voice traffic flows between IP Phone, PBX, Voice GW and Recording Box]

VoIP Security is Network Security
- You are introducing some very flexible devices into your network
- You are introducing connection points that you do not physically control
- You are opening some very new attack possibilities
- How to secure the network(s)? Are voice and data really separated?
- How to administer the network(s)?

The Big Picture: Multiple Security Zones
[Diagram: Server Zone (Call Manager, Voice Recorder, Voice Mail, Presence Server, Gateway to PSTN) on the voice VLAN / server LAN; a voice-aware firewall between the Server Zone and the User Zone (voice VLAN + data VLAN, switch-port configuration); voice trunks to branches and other countries over MPLS; open question: web access to the server zone????]

Separation of Voice and Data on LAN: Security Challenge Switch-Port
- Bad news: the MS Windows IP stack does not support this
- Disable DTP (dynamic trunking) on untrusted ports
- Accept Bridge Protocol Data Units (BPDUs) only on trusted ports
[Graphics courtesy of Cisco]

Port Security in the Switch: Various Options
- IEEE 802.1x (with several authentication options, EAP-TLS or PEAP, but it needs to be supported in the devices and comes with challenges regarding multiple domains; the fallback is MAB, MAC authentication bypass)
- Static CAM table
- Dynamic CAM (sticky option, maximum number of MACs per port)
[Graphics courtesy of Cisco]

DHCP Security
- DHCP traffic only on trusted ports
- Enable DHCP snooping
[Graphics courtesy of Cisco]

Administration: Multiple Security Zones
[Diagram: the same zones as in the big picture, with a separate Admin LAN reaching both the Server Zone (Call Manager, Voice Recorder, Voice Mail, Presence Server, Gateway to PSTN; voice VLAN / server LAN; voice trunks to branches and other countries over MPLS) and the User Zone (voice VLAN + data VLAN), with the voice-aware firewall between them]
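The switch-port slides above (separation of voice and data, port security, DHCP security) form a checklist that can be verified against a switch's running-config instead of being trusted from a design document. The script below is an added example, not part of the original slides and not a Cisco tool: it parses a constructed Cisco IOS configuration fragment and reports, per phone/PC access port, whether DTP is disabled, BPDU guard is on, port-security limits the number of MAC addresses, and DHCP snooping treats the port as untrusted with its VLANs snooped. The interface names, the sample configuration and the MAC limit of 3 (phone MAC in the voice VLAN, phone MAC in the data VLAN, one PC) are assumptions.

```python
"""Audit Cisco IOS access ports for the VoIP switch-port hardening checklist.

Added example, not from the slides. Works on a running-config text; the sample
below is constructed, not taken from a real switch.
"""
import re

MAX_MACS_PER_PHONE_PORT = 3  # assumption: phone in voice + data VLAN, plus one PC

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
!
interface GigabitEthernet1/0/1
 description phone + PC, hardened
 switchport access vlan 10
 switchport voice vlan 20
 switchport mode access
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 description phone + PC, left at defaults
 switchport access vlan 10
 switchport voice vlan 20
 ip dhcp snooping trust
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
!
"""


def parse_ios_config(text):
    """Split a running-config into global commands and per-interface command lists."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            globals_.append(line)
    return globals_, interfaces


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def snooping_vlans(globals_):
    """VLANs with DHCP snooping enabled; empty if snooping is off globally."""
    if "ip dhcp snooping" not in globals_:
        return set()
    vlans = set()
    for cmd in globals_:
        m = re.fullmatch(r"ip dhcp snooping vlan (\S+)", cmd)
        if m:
            vlans |= parse_vlan_list(m.group(1))
    return vlans


def audit_access_port(cmds, globals_, snooped):
    """Return the hardening gaps on one phone/PC access port (empty list = clean)."""
    findings, cmdset = [], set(cmds)
    # Slide "Separation of Voice and Data": no DTP on untrusted ports.
    if "switchport mode access" not in cmdset or "switchport nonegotiate" not in cmdset:
        findings.append("DTP not disabled (need 'switchport mode access' and 'switchport nonegotiate')")
    # BPDUs only on trusted ports: BPDU guard per port, or globally for PortFast edge ports.
    global_guard = "spanning-tree portfast bpduguard default" in globals_
    if not ("spanning-tree bpduguard enable" in cmdset
            or (global_guard and "spanning-tree portfast" in cmdset)):
        findings.append("BPDU guard not enabled")
    # Slide "Port Security in the Switch": dynamic CAM with a MAC limit.
    if "switchport port-security" not in cmdset:
        findings.append("port-security not enabled")
    else:
        limit = 1  # IOS default when no maximum is configured
        for c in cmds:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", c)
            if m:
                limit = int(m.group(1))
        if limit > MAX_MACS_PER_PHONE_PORT:
            findings.append(f"port-security maximum {limit} exceeds {MAX_MACS_PER_PHONE_PORT}")
    # Slide "DHCP Security": access ports are untrusted and their VLANs are snooped.
    if "ip dhcp snooping trust" in cmdset:
        findings.append("access port is a DHCP-snooping trusted port")
    port_vlans = {int(m.group(1)) for c in cmds
                  if (m := re.fullmatch(r"switchport (?:access|voice) vlan (\d+)", c))}
    missing = sorted(port_vlans - snooped)
    if missing:
        findings.append(f"DHCP snooping not enabled on VLAN(s) {missing}")
    return findings


def audit_config(text):
    """Audit every phone/PC access port; trunks (uplinks) are out of scope."""
    globals_, interfaces = parse_ios_config(text)
    snooped = snooping_vlans(globals_)
    report = {}
    for name, cmds in interfaces.items():
        if "switchport mode trunk" in cmds:
            continue
        if any(c.startswith(("switchport access vlan", "switchport voice vlan")) for c in cmds):
            report[name] = audit_access_port(cmds, globals_, snooped)
    return report


if __name__ == "__main__":
    for port, gaps in audit_config(SAMPLE_CONFIG).items():
        print(port, "OK" if not gaps else "")
        for gap in gaps:
            print("   -", gap)
```

Run against a real `show running-config` export, the report lists exactly the ports that still let a device behind the phone negotiate a trunk, inject BPDUs, flood the CAM table or answer DHCP requests; the check does not cover 802.1x/MAB, which the slide names as the stronger option where the phones support it.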

VoIP Security is Device Security
- You are introducing some very flexible devices into your network
- You are opening some very new attack possibilities
- How to secure the devices? Can you trust them? Why, actually??

Device Security
- Can somebody change the software or configuration that is stored in the devices or loaded into them?
- Hardware phones
- Soft phones (??)
- Signed, but who checks the signature??

Secure Configuration
[Graphics courtesy of Cisco]

Secure Deployment: Cisco Discovery Protocol (CDP)
- Easy way to configure the devices and to allow for later flexibility
- But it is executed BEFORE IEEE 802.1x
- Use with great care!
- Employ additional checks if available (e.g. power consumption, voice traffic recognition, ...)

VoIP Security is Planning Security: The Design Workshop (1)
How exactly will the system be implemented?
- What authentication is used where
- What encryption is used where (SRTP, TLS, IPsec)
- Recording, voice mail, music-on-hold, ...
- Separation of voice and data, IP layout
- Passing through the firewalls (NAT challenge)

The Design Workshop (2)
How exactly will the system be implemented?
- Phone security
- Deployment and enrolment of phones
- Deployment of certificates, distribution of PINs and passwords, ...
- Dialing plan
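The question "how is the encryption handled?" from the communication-protocols slide and the design-workshop item "what encryption is used where (SRTP, TLS, IPsec)" can be answered from a captured SIP INVITE: the Via header shows the signalling transport and the SDP offer shows, per media stream, whether plain RTP, SDES-keyed SRTP or DTLS-SRTP is proposed. The script below is an added example, not part of the original slides and not vendor code; it classifies two constructed INVITEs (a weak one and a hardened one) and applies the caveat a practitioner wants: with SDES (RFC 4568) the SRTP master key travels inside the SDP, so SRTP offered over unencrypted SIP leaks its own key. The addresses, hostnames, key and fingerprint in the samples are made up.

```python
"""Classify the media and signalling protection offered by a SIP INVITE.

Added example, not from the slides. Parses SIP (RFC 3261) and SDP (RFC 4566),
recognising SDES key exchange (RFC 4568) and DTLS-SRTP (RFC 5763).
"""

SECURE_TRANSPORTS = {"TLS", "WSS"}
PLAIN_RTP = {"RTP/AVP", "RTP/AVPF"}
SDES_SRTP = {"RTP/SAVP", "RTP/SAVPF"}
DTLS_SRTP = {"UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed messages, not real captures.
# Weak: UDP signalling, SDES-SRTP audio (key in the SDP), plain-RTP video.
WEAK_INVITE = (
    "INVITE sip:2001@pbx.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.1.15:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710@10.20.1.15\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=1001 2890844526 2890844526 IN IP4 10.20.1.15\r\n"
    "s=-\r\n"
    "c=IN IP4 10.20.1.15\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:32\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)
# Hardened: TLS signalling, DTLS-SRTP for both streams, session-level fingerprint.
HARDENED_INVITE = (
    "INVITE sip:2001@pbx.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.20.1.15:5061;branch=z9hG4bK776asdhdt\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=1001 2890844527 2890844527 IN IP4 10.20.1.15\r\n"
    "s=-\r\n"
    "c=IN IP4 10.20.1.15\r\n"
    "t=0 0\r\n"
    "a=fingerprint:sha-256 12:DF:3E:5D:49:6B:19:E5:7C:AB:3B:4E:E2:92:B0:AF:"
    "E1:6C:9F:4A:7D:8B:5C:F3:2E:61:0D:19:84:7F:E3:1A\r\n"
    "m=audio 49170 UDP/TLS/RTP/SAVP 0 8\r\n"
    "a=setup:actpass\r\n"
    "m=video 51372 UDP/TLS/RTP/SAVP 31\r\n"
    "a=setup:actpass\r\n"
)


def parse_sip(message):
    """Return (request line, {lower-case header name: [values]}, body)."""
    head, _, body = message.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_line, headers, body


def sdp_media(body):
    """Group each m= line with its attributes; session-level a= lines apply to all media."""
    session_attrs, media = [], []
    for line in body.split("\r\n"):
        if line.startswith("m="):
            media.append({"m": line[2:], "attrs": []})
        elif line.startswith("a="):
            (media[-1]["attrs"] if media else session_attrs).append(line[2:])
    for entry in media:
        entry["attrs"] = session_attrs + entry["attrs"]
    return media


def signalling_transport(headers):
    """Transport token of the top Via header, e.g. 'UDP', 'TCP' or 'TLS'."""
    via = headers.get("via", [""])[0]
    return via.split()[0].rsplit("/", 1)[-1].upper() if via else "UNKNOWN"


def assess_invite(message):
    """Return findings; an empty list means signalling and every offered stream are protected."""
    _, headers, body = parse_sip(message)
    transport = signalling_transport(headers)
    signalling_secure = transport in SECURE_TRANSPORTS
    findings = []
    if not signalling_secure:
        findings.append(f"signalling over {transport}: SIP headers and SDP are readable on the wire")
    for entry in sdp_media(body):
        mtype, port, proto, *_ = entry["m"].split()
        if port == "0":
            continue  # rejected stream, nothing will flow
        has_sdes = any(a.startswith("crypto:") for a in entry["attrs"])
        has_fingerprint = any(a.startswith("fingerprint:") for a in entry["attrs"])
        if proto in PLAIN_RTP:
            findings.append(f"{mtype}: plain RTP, media can be sniffed and injected")
        elif proto in SDES_SRTP:
            if not has_sdes:
                findings.append(f"{mtype}: RTP/SAVP offered without a=crypto key material")
            elif not signalling_secure:
                # RFC 4568: the SRTP master key is the inline: value in the SDP itself.
                findings.append(f"{mtype}: SRTP key (SDES) transmitted in cleartext signalling")
        elif proto in DTLS_SRTP:
            if not has_fingerprint:
                findings.append(f"{mtype}: DTLS-SRTP offered without a=fingerprint to bind the handshake")
        else:
            findings.append(f"{mtype}: unrecognised transport {proto}")
    return findings


if __name__ == "__main__":
    for label, msg in (("weak", WEAK_INVITE), ("hardened", HARDENED_INVITE)):
        print(label, "->", assess_invite(msg) or ["OK"])
```

The same classification can be run over INVITEs exported from a capture between phone and PBX, and again on the PBX-to-gateway and PBX-to-recorder legs, which gives the per-hop "what encryption is used where" table the design workshop asks for; an INVITE that passes every check still says nothing about IPsec on the path, which is invisible at the SIP layer.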

Questions