DEPLOYING VoIP SECURELY



Similar documents
Using Ranch Networks for Internal LAN Security

Recommended IP Telephony Architecture

Ranch Networks for Hosted Data Centers

Configuring a Mediatrix 500 / 600 Enterprise SIP Trunk SBC June 28, 2011

Next Generation IPv6 Network Security a Practical Approach Is Your Firewall Ready for Voice over IPv6?

White Paper. avaya.com 1. Table of Contents. Starting Points

Securing SIP Trunks APPLICATION NOTE.

A Brief Overview of VoIP Security. By John McCarron. Voice of Internet Protocol is the next generation telecommunications method.

PETER CUTLER SCOTT PAGE. November 15, 2011

VOICE OVER IP SECURITY

Secure VoIP for optimal business communication

Voice Over IP (VoIP) Denial of Service (DoS)

Best Practices for Securing IP Telephony

Security issues in Voice over IP: A Review

Voice over IP Basics for IT Technicians

Gateways and Their Roles

IP Telephony Basics. Part of The Technology Overview Series for Small and Medium Businesses

Voice Over IP and Firewalls

Contents Introduction Why Fax over IP? How Real-time Fax over IP works Implementation with MessagePlus/Open Summary. About this document

FIREWALLS & CBAC. philip.heimer@hh.se

Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks

10 Key Things Your VoIP Firewall Should Do. When voice joins applications and data on your network

SIP Trunking Configuration with

SIP Trunking with Microsoft Office Communication Server 2007 R2

Deploying Firewalls Throughout Your Organization

Voice over IP (VoIP) Basics for IT Technicians

ENTERPRISE SESSION BORDER CONTROLLERS: SAFEGUARDING TODAY S AND TOMORROW S UNIFIED COMMUNICATIONS

Intro to Firewalls. Summary

Network Considerations for IP Video

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

White Paper A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK. A balancing act

CMPT 471 Networking II

Creating Business-Class VoIP: Ensuring End-to-End Service Quality and Performance in a Multi-Vendor Environment. A Stratecast Whitepaper

Evaluating IPv6 Firewalls & Verifying Firewall Security Performance

Deploying the ShoreTel IP Telephony Solution with a Meru Networks Wireless LAN

Payment Card Industry (PCI) Data Security Standard

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

ehealth and VoIP Overview

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

1 ABSTRACT 3 2 CORAL IP INFRASTRUCTURE 4

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Security and Risk Analysis of VoIP Networks

Cisco Virtual Office Express

Networking for Caribbean Development

How To Prevent Hacker Attacks With Network Behavior Analysis

Network Performance Monitoring at Minimal Capex

How to Choose the Right Industrial Firewall: The Top 7 Considerations. Li Peng Product Manager

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Network Security Topologies. Chapter 11

Is Your Network Ready for VoIP? > White Paper

SIP Security Controllers. Product Overview

Load Balancing for Microsoft Office Communication Server 2007 Release 2

Cisco Advanced Services for Network Security

Cyber Security Where Do I Begin?

Basic Vulnerability Issues for SIP Security

Packetized Telephony Networks

Protecting and controlling Virtual LANs by Linux router-firewall

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

IVCi s IntelliNet SM Network

Cisco Application Networking for IBM WebSphere

Cisco Virtualization Experience Infrastructure: Secure the Virtual Desktop

Technical Note. ForeScout CounterACT: Virtual Firewall

Jive Core: Platform, Infrastructure, and Installation

MINIMUM NETWORK REQUIREMENTS 1. REQUIREMENTS SUMMARY... 1

convergence: preparing the enterprise network

Second-generation (GenII) honeypots

Voice over IP (VoIP) Vulnerabilities

Cisco Virtual Office Unified Contact Center Architecture

Application Note Configuring the Synapse SB67070 SIP Gateway for Broadvox GO! SIP Trunking

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Application Note Patton SmartNode in combination with a CheckPoint Firewall for Multimedia security

VoIP Security: How Secure is Your IP Phone?

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

INTRODUCTION TO FIREWALL SECURITY

Level: 3 Credit value: 9 GLH: 80. QCF unit reference R/507/8351. This unit has 6 learning outcomes.

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Complete Protection against Evolving DDoS Threats

WAN Traffic Management with PowerLink Pro100

The Reverse Firewall: Defeating DDOS Attacks Emanating from a Local Area Network

Cisco PIX vs. Checkpoint Firewall

Cconducted at the Cisco facility and Miercom lab. Specific areas examined

Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios

Solution Brief. Secure and Assured Networking for Financial Services

Security & Reliability in VoIP Solution

Cisco Application Networking for BEA WebLogic

Voice over IP Networks: Ensuring quality through proactive link management

Chapter 9 Firewalls and Intrusion Prevention Systems

VPN Lesson 2: VPN Implementation. Summary

Avaya Aura Session Manager Overview

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

1 hours, 30 minutes, 38 seconds Heavy scan. All scanned network resources. Copyright 2001, FTP access obtained

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Villains and Voice Over IP

Guidance Regarding Skype and Other P2P VoIP Solutions

10 Potential Risk Facing Your IT Department: Multi-layered Security & Network Protection. September 2011

CTS2134 Introduction to Networking. Module Network Security

Voice Over Internet Protocol (VOIP) SECURITY. Rick Kuhn Computer Security Division National Institute of Standards and Technology

Transcription:

DEPLOYING VoIP SECURELY Everyone knows that Voice-over-IP (VoIP) has been experiencing rapid growth. Even still, you might be surprised to learn that: 10% of all voice traffic is now transmitted with VoIP technology (IDC) AT&T had VoIP service available to the top 100 US markets by the end of the first quarter 2004 (AT&T) It is estimated that 7 million will be in circulation by 2007 (InStat/MDR) The Problem (or at least the one most recently identified) The mass deployment of this new technology also brings along with it many challenges one area being the security of your network. Because IP networks are subject to sophisticated, automated attacks, voice traffic on those networks is more vulnerable says David Fraley, author of Cyberwarfare: VoIP and Convergence Increase Vulnerability. In fact, the U.K. s National Infrastructure Coordination Centre (NICC) recently released findings (http://www.uniras.gov.uk/vuls/2004/006489/h323.htm) that equipment from many vendors who have implemented the H.323 protocol standard for IP Telephony contains flaws that can be exploited by attackers. According to tests commissioned by NICC, these vulnerabilities can leave products open to: Denial-of-Service (DoS) attacks Buffer-overflow attacks Insertion of malicious code into the compromised equipment According to CERT Advisory CA-2004-01 (http://www.cert.org/advisories/ca-2004-01.html), companies affected by these vulnerabilities include: Cisco Secure Extreme CheckPoint Computing Foundry Netscreen Cyberguard Fujitsu Nokia Symantec Hitachi Microsoft Stonesoft Intel Nortel WatchGuard Juniper Avaya 3COM NEC Alcatel AT&T F5 D-Link Page 1

As just one example, Cisco alone has many products that contain vulnerabilities in the processing of H.323 messages (http://www.cisco.com/warp/public/707/cisco-sa- 20040113-h323.shtml#process): All Cisco products that run Cisco IOS software and support H.323 packet processing IOS Firewall IOS Network Address Translation Call Manager Conference Connection 7905 IP Phone BTS 10200 Softswitch Internet Service Node H.323 Gateway, H.323 Gatekeeper ATA18x Series Analog Telephony Devices In some cases, Cisco does not plan to fix the vulnerabilities that have been identified. CERT Recommendations Carnegie Mellon University operates the CERT Coordination Center, which is a major reporting center for Internet security problems. CERT was founded by the Defense Advanced Research Projects Agency (DARPA) and they provide technical advice and coordinate responses to security compromises, identify trends in intruder activity, work with other security experts to identify solutions to security problems, and disseminate information to the broad community. The CERT/CC also analyzes product vulnerabilities, publishes technical documents, and presents training courses. In the CERT Advisory referenced above, recommendations are issued to help companies protect their networks from these vulnerabilities. Among their recommendations are the following: 1. Block access to H.323 services on devices that do not need to be exposed 2. Limit access to only those machines that use H.323 for critical business functions, and limit access of any type to only those areas of the network where they are needed 3. Consider disabling application-layer inspection of H.323 packets by Firewalls 4. Coordinate among telephony, application, network, and desktop staff to assess the threat in individual network segments Page 2

An Alternative Approach to the Problem CERT Recommendations 1 and 2 above state that special security precautions should be taken with devices that support H.323 interfaces, furthermore H.323 devices should be protected and separated from the non-h.323 devices to lower the risk of attack. By installing a device in the LAN that subdivides it into separate zones, one can solve the problem of internal security by seamlessly enhancing your existing network. PSTN Media Gateway Internet Fw IP PBX Layer 2 Backbone Switch Existing Network Conf Rm A Third Second First Data Ctr. S1: Servers with Financial Apps S2: Servers with Sales Apps WLAN 4 S3: Servers with HR Apps WLAN 3 WLAN 2 WLAN 1 Figure 1 Converged Enterprise LAN with IP PBX Figure 1 shows a typical IP PBX installation where a single LAN infrastructure is used for both voice and data. This office has a Perimeter Firewall, a Layer 2 Backbone Switch, a Data Center, an IP PBX, and sprinkled throughout the LAN, intermixed with, Wireless LAN Access Points, and other network devices. Page 3

PSTN Media Gateway VoIP Security Device Ports trunked together, containing Internet Fw IP PBX Layer 2 Backbone Switch Existing Network Conf Rm A Third Second First Data Ctr. S1: Servers with Financial Apps S2: Servers with Sales Apps WLAN 4 S3: Servers with HR Apps WLAN 3 WLAN 2 WLAN 1 Figure 2 Converged LAN with VoIP Security Device overlay As illustrated in Figure 2, a VoIP Security Device can be added as an overlay on this network to provide many security and performance-enhancing functions. The existing network can be subdivided into logical segments by using. The are brought back to the VoIP Security Device, where they can be grouped into Secure Virtual Zones, each of which represents an area of trust within the network. So for instance, the LAN can be divided according to various parameters such as organizational structure, voice vs. data, and guest areas vs. non-guest areas. The table below describes one approach for how the example network might be divided. Zone Number Zone Description 1 IP Hard Phones and Soft Phones 2 IP PBX and Media Gateway 3 Wireless LAN Access Points & Conference Rooms 4 Internet 5 Accounting 6 Accounting Servers/Applications 7 Sales and Admin 8 Sales Servers/Applications 9 Human Resources 10 Human Resources Servers/Applications Page 4

So what has this accomplished relative to CERT Recommendations 1 and 2? First, H.323 devices, such as the, are not exposed to the outside world. In fact, they are only exposed to the other devices with which they must communicate. Second, since all of the voice products have been segmented into their own Secure Virtual Zone, different security policies can be implemented for voice devices vs. data (non-voice) devices. One example of a policy unique to the voice zone is that it is necessary to leave TCP ports open for H.323 to perform call set-up between the various voice devices. Similarly it is necessary to leave UDP ports open for the media stream traffic on voice devices - more on this below. Correspondingly, voice ports for data devices, or any non-voice device, would be blocked. The segmentation of the network provided by the VoIP Security Device allows this to be easily accomplished. As a result, H.323 ports are open only where absolutely necessary, and only to other devices meeting these same criteria. What about CERT Recommendation #3 to disable application-layer inspection of H.323 packets by Firewalls? To understand the implications of this recommendation lets first review why some Firewalls inspect H.323 messages in the first place. In IP Telephony, call set-up messages are separated from, and handled differently than, the media streams that actually carry the voice conversation. Call set-up messages typically use only a single port (although this may vary by vendor), just like data services (for instance, HTTP s use of port 80). However the VoIP media streams generally use port numbers across a wide range (dynamically assigned) since there can be many simultaneous streams. The specific ports that will be used for the media streams vary on a call-by-call basis and therefore cannot be secured with a static firewall rule. Given this uncertainty, how do the media streams get through a Firewall? In today s networks, one of two approaches are typically used: (1) the range of potential IP addresses & protocol port combinations are left open permanently, leaving a huge gaping security hole, or (2) the Firewall uses application-layer inspection of the call set-up messages in an attempt to discern which IP addresses & protocol port combinations to allow so that a call may pass through the firewall. This is precisely the function that CERT is now recommending to be disabled. With this second alternative unavailable, Network Administrators face a choice between leaving the ports open permanently or shutting off VoIP traffic into their LAN entirely.. There is however a third alternative that effectively solves the dilemma install a VoIP Security Device as shown in Figure 2. Rather than employing application-layer inspection at the firewall to open and close ports, the VoIP Security Device takes a different approach, which is to receive messages from the IP PBX the very device that should be controlling where and when calls are to be placed and terminated. The messages instruct the VoIP Security Device to open and close the ports corresponding to the beginning and end of each phone call. In addition to solving the recently identified H.323 vulnerability, this approach has more advantages. Page 5

Some of these advantages are: It is not necessary for the VoIP Security Device to understand the myriad versions of signaling protocols and proprietary extensions used by various IP Telephony vendors. It is not necessary for the VoIP Security Device to be modified in the field every time one of the IP Telephony vendors changes their proprietary extensions. Firewall performance is superior with this approach since it is not slowed down by application-layer protocol inspection IP PBX s implement complex call control algorithms, which are influenced by features such as multi-party conferencing and third-party call control. Tracking call state in this environment can be complex and difficult. A PBX is specifically designed to do this whereas a Firewall is not. If call state tracking is not performed properly, calls can be dropped mid-stream. The application-layer approach suffers from this problem whereas the approach described in this document does not. Additional Benefits of the Proposed Solution In addition to the above benefits, the VoIP Security Device is perfectly positioned in the network to also provide many other valuable functions. These include the following security-related functions: The LAN can be subdivided into multiple Secure Zones with each Secure Zone having its own independent security policies. Separate Zones for Voice and Data Denial of Service protection Authentication can be enabled so that it is required to enter or exit a Secure Zone. This means that no packets from a user will be allowed through the VoIP Security Device until the user first enters their Username and Password. Once the user is authenticated, they are then permitted to only enter those areas of the network to which they have been authorized. This enables a Single-Sign-On approach: once the user is authenticated by the VoIP Security Device, they can be allowed access to those applications to which they are permitted without further sign-on if desired. Security breaches can be automatically or manually isolated and quarantined within a Zone. Wireless LANs can be separated into their own Zone, with stricter security policies applied to this Zone. Network hiding is provided between each pair of Secure Zones Rate limiting and port mirroring can be configured for any Zone. Security based on MAC addresses Outgoing connections and port scans from a Zone can be denied Low latency and high throughput Page 6

In addition to security functions, the VoIP Security Device could provide the following non-security functions: Overlay without reconfiguration - The device should be able to be added as an overlay to upgrade an existing LAN without needing to (1) rewire the LAN to achieve Secure Zones, or (2) reconfigure IP addresses. Quality of Service o Bandwidth Management / Traffic Shaping - Guaranteed, minimum, maximum, and burst bandwidth should be supported, based upon Source or Destination Zone, IP address (or range), MAC address, or Port number (or range). Thus it is possible to prioritize traffic on a per-call, per-user, or per-application basis. o Full support for end-to-end QoS should be provided by (1) setting TOS or DiffServ priority for outgoing traffic and (2) classification and prioritization of incoming traffic based on TOS or DiffServ. Health Monitoring Multicasting and Switching Accounting and Traffic Studies Remote Management Summary Converged networks are complex and drive the need for increased security and performance requirements. New security vulnerabilities in complex VoIP equipment will continue to be found. However, low-cost, highly-secure VoIP Security Devices exist today and can mitigate these risks in a straightforward and cost-effective manner. Page 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information