Voice over IP Security




Voice over IP Security
Patrick Park
Cisco Press, 800 East 96th Street, Indianapolis, Indiana 46240 USA

Contents

Introduction

Part I: VoIP Security Fundamentals

Chapter 1: Working with VoIP
VoIP Benefits; VoIP Disadvantages; Sources of Vulnerability; IP-Based Network Infrastructure; Open or Public Networks; Open VoIP Protocol; Exposed Interface; Real-Time Communications; Mobility; Lack of Security Features and Devices; Voice and Data Integration; Vulnerable Components; Myths Versus Reality; Legacy Versus VoIP Systems; Protecting Networks Using Strict Authentication and Encryption; Protecting Networks Using a Data Security Infrastructure; Summary; End Notes; References

Chapter 2: VoIP Threat Taxonomy
Threats Against Availability; Call Flooding; Malformed Messages (Protocol Fuzzing); Spoofed Messages; Call Teardown; Toll Fraud; Call Hijacking; Registration Hijacking; Media Session Hijacking; Server Impersonating; QoS Abuse; Threats Against Confidentiality; Eavesdropping Media; Call Pattern Tracking; Data Mining; Reconstruction; Threats Against Integrity; Message Alteration; Call Rerouting; Call Black Holing; Media Alteration; Media Injection; Media Degrading; Threats Against Social Context; Misrepresentation; Call Spam (SPIT); IM Spam (SPIM); Presence Spam (SPPP); Phishing; Summary; End Notes; References

Chapter 3: Security Profiles in VoIP Protocols
H.323; Overview; Components; Basic Call Flow; Security Profiles; H.235 Annex D (Baseline Security); H.235 Annex E (Signature Security); H.235 Annex F (Hybrid Security); SIP; Overview; Components; Basic Call Flow; Session Setup Example; Security Profiles; Digest Authentication; Identity Authentication; Secure/Multipurpose Internet Mail Extensions (S/MIME); Secure RTP; TLS; IPSec; MGCP; Overview; Basic Call Flow; Security Profiles; Summary; End Notes; References

Chapter 4: Cryptography
Symmetric (Private) Key Cryptography; DES; 3DES; AES; SubBytes; ShiftRows; MixColumns; AddRoundKey; Asymmetric (Public) Key Cryptography; RSA; Digital Signature; Hashing; Hash Function (MD5); SHA; Message Authentication Code; MAC Versus Digital Signature; Key Management; Key Distribution; Summary; End Notes; References

Chapter 5: VoIP Network Elements
Security Devices; VoIP-Aware Firewall; NAT; Session Border Controller; Lawful Interception Server; Service Devices; Customer Premise Equipment; Call Processing Servers; PAP Versus CHAP; RADIUS Versus TACACS+; Summary; End Notes; References

Part II: VoIP Security Best Practices

Chapter 6: Analysis and Simulation of Current Threats
Denial of Service; Intentional Flooding; Simulation; Analysis; Mitigation; Unintentional Flooding; Analysis; Mitigation; Malformed Messages; Simulation; Analysis; Mitigation; Sniffing/Eavesdropping; Simulation; Analysis; Mitigation; Spoofing/Identity Theft; Simulation; Prespoofing Scan; Identity Theft; Analysis; Mitigation; VoIP Spam; Voice Spam; IM Spam; Presence Spam; Mitigation; Content Filtering; Turing Test; Reputation System; Address Obfuscation; Limited-Use Address; Consent-Based Black/White List; Summary; End Notes; References

Chapter 7: Protection with VoIP Protocol
Authentication; User-to-Proxy Authentication; User-to-User Authentication; Encryption; Message Encryption (S/MIME); S/MIME Certificates; S/MIME Key Exchange; Formatting S/MIME Bodies; Media Encryption; Key Derivation; SRTP Packet Processing; SRTP Test; Transport and Network Layer Security; Transport Layer Security; IPSec (Tunneling); Threat Model and Prevention; Registration Hijacking; Impersonating a Server; Tearing Down Sessions; Denial-of-Service and Amplification; Limitations; Digest Authentication Limitations; S/MIME Limitations; TLS Limitations; SIPS URI Limitations; Summary; End Notes; References

Chapter 8: Protection with Session Border Controller
Border Issues; Between Access and Core Networks; Between Core and Peer Networks; Access and Peer SBCs; SBC Functionality; Network Topology Hiding; Example of Topology Hiding; DoS Protection; Policy-Driven Access Control; Hardware Architecture; Overload Prevention; Registration Timer Control; Ping Control; Load Balancing; NAT Traversal; Lawful Interception; Other Functions; Protocol Conversion; Transcoding; Number Translation; QoS Marking; Service Architecture Design; High Availability; Active-Standby; Active-Active; Network Connectivity; Service Policy Analysis; Virtualization; Optimization of Traffic Flow; Deployment Location; Media Control; Summary; End Notes; References

Chapter 9: Protection with Enterprise Network Devices
Firewall; ASA and PIX Firewalls; Routed Mode; Transparent Mode; TLS Proxy Feature; Configuration Example; FWSM Firewall; Routed Mode; Transparent Mode; Configuration Example; Limitations; Unified Communications Manager Express; Access Control; Phone Registration Control; Secure GUI Management; Class of Restriction; After-Hours Call Blocking; Unified Communications Manager; Security Features and Certificates; Integrity and Authentication; Image Authentication; Device Authentication; File Authentication; Signaling Authentication; Digest Authentication; Authorization; Encryption; Signaling Encryption; Media Encryption; Configuration File Encryption; Configuration Guideline; Access Devices; IP Phone; Switch; Mitigate MAC CAM Flooding; Prevent Port Access; Prevent Network Extensions; Prevent Fraudulent DHCP Server; Mitigate DHCP DoS Attacks; Limit ARP Responses; VLAN ACL; Deployment Example; Summary; End Notes; References

Part III: Lawful Interception (CALEA)

Chapter 10: Lawful Interception Fundamentals
Definition and Background; Requirements from Law Enforcement Agents; Reference Model from an Architectural Perspective; AF (Access Function); DF (Delivery Function); CF (Collection Function); SPAF (Service Provider Administration Function); LEAF (Law Enforcement Administration Function); Request and Response Interfaces; Operational Considerations; Detection by the Target Subscriber; Address Information for Call Content Interception; Content Encryption; Unauthorized Creation and Detection; Call Forwarding or Transfer; Capacity; Summary; End Notes

Chapter 11: Lawful Interception Implementation
Intercept Request Interface; SIP P-DCS Header; Intercept Process Flow for Outbound Call; Intercept Process Flow for Inbound Call; Cisco SII; Device Interfaces; Intercept Process Flow for Standard Call; Intercept Process Flow for Forwarding Call; Intercept Process Flow for Conference Call; Predesign Considerations; Security Considerations; Configuration Example; Call Data and Content Connection Interfaces; Call Content Connection Interface; Call Data Connection Interface; CDC Messages; Interface Between MD and LEA; Summary; End Notes; References

Index