1. Secure Your VoIP Network with Open Source
Suhas Desai
www.interop.com/mumbai
Friday, 9 October 2009, 12:15–01:30 PM, Bombay Exhibition Centre
10/12/2009
Track: Emerging Technology and Trends - Open Source
2. Agenda
About VoIP Security
Open Source Testing Tools
Sample Testing Approach
Summary
Confidential © Tech Mahindra 2008 2
4. VoIP Overview
Introduction to VoIP
• VoIP is being rapidly embraced across most markets as an alternative to the traditional PSTN.
• VoIP deployment can impact applications, networks and infrastructure that use a wide variety of platforms.
• The cost savings of VoIP compared with circuit-switched networks are encouraging companies to move to VoIP.
Issues and Concerns
• VoIP deployment has brought with it many security concerns, such as non-repudiation, authentication, call quality, integrity and privacy.
• VoIP calls to PSTN are not allowed in India.
5. VoIP Security Threats & Impact
VoIP Security Threats
• Phreaking: An attacker tries to break into the telephone network and uses it for malicious activities such as making long calls or tapping conversations.
• Eavesdropping: An attacker tries to intercept telephone lines with electronic devices.
• Vishing: Voice phishing leverages VoIP technology for social engineering to retrieve confidential information such as credit card numbers and financial details.
• SPIT: Spamming over Internet Telephony is like e-mail spamming, where VoIP calls are sent as spam to the victim.
Impact
Loss of Confidentiality, Integrity and Authentication
Loss of Privacy
Non-repudiation
Social Threats
QoS
6. Possible Mitigation Considerations
Deploy VoIP traffic monitors
• Monitor connections to log fraudulent activities.
Employ encryption techniques
• Strong encryption techniques provide privacy and confidentiality over the network.
Use voice firewalls
• Control inbound and outbound connections by filtering the traffic.
Use adequate security infrastructure
• Deploy secure gateways, gatekeepers and proxy servers to protect network traffic.
Use IPsec tunneling
• IPsec provides secure communication over the network through authentication and encryption.
Conduct regular security audits
• Audit the VoIP network regularly for security vulnerabilities.
Use VoIP platforms with adequate security features
• Prefer a proven VoIP platform with built-in security features for development and deployment of VoIP applications.
8. Commercial Security Tools
Perform a security assessment of the VoIP network with the tools below.
Commercial Security Testing Tools
Tool: Description
• CommView VoIP Analyzer: Captures real-time VoIP events.
• Etherpeek: Sniffs VoIP traffic.
• EnableSecurity VoIPPack for CANVAS: Performs scans, enumeration, and password attacks.
• Passive Vulnerability Scanner: Detects the actual protocol, administrative interfaces and VoIP scanner(s).
• VoIPAudit: VoIP vulnerability scanner.
• SiPBlast: Tests VoIP infrastructure.
• NSAUDITOR: SIP UDP traffic generator / flooder.
• Codenomicon VoIP Fuzzers: Commercial versions of the free PROTOS toolset.
• Mu Dynamics VoIP, IPTV, IMS Fuzzing Platform: Fuzzing appliance for SIP, Diameter, H.323 and MGCP protocols.
• Spirent ThreatEx: Protocol fuzzer and robustness tester.
• SiPCPE: Evaluates SIP infrastructure protocol.
9. Open Source and VoIP
Why Open Source?
• Source code available
• Easy to customize, code reuse and redistributable
• Cost savings
Open Source Tools
• SIP Proxies: Mini-SIP-Proxy, MjServer, MySIPSwitch, NethidPro3.0.6, Net-SIP, JAIN-SIP Proxy, OpenSBC, OpenSER, OpenSIPS, partysip, SaRP, sipd, SIPExpress Router, Siproxd, SIPVicious, sipX, Vocal, Yxa.
• SIP Clients: Cockatoo, Ekiga, FreeSWITCH, JPhone, Kphone, Linphone, minisip, MjUA, OpenSIPStack, OpenZoep, PJSUA, QuteCom ex-Open Wengo, SFLphone, Shtoom, SipToSis, sipXezPhone, sipXphone, Twinkle, YATE, YeaPhone.
• SIP Tools: Callflow, Open Source Asterisk AMI, pjsip-perf, miTester for SIP, PROTOS Test Suite, SFTF, SIP CallerID, SIPbomber, Sipp, Sipper, SIP Proxy, Sipsak, SIP Soft client, SIPVicious tool suite, SMAP, Vovida.org load balancer.
• H.323 Clients: GnomeMeeting, ohphoneX, OpenPhone.
• H.323 Gatekeeper: GNU Gatekeeper.
• RTP Proxies: AG Projects, Maxim Sobolev's RTPproxy, MediaProxy.
10. Contd…
• PBX Platforms: Asterisk, CallWeaver, OpenPBX, PBX4Linux, SIPexchange PBX, Pingtel's SIP PBX, sipwitch, sipX.
• IVR Platforms: Bayonne, CT Server, OpenVXI, SEMS, sipX PBX, VoiceXML.
• VoiceMail Servers: Lintad, OpenUMS, SEMS, VOCP.
• Fax Servers: Asterisk Fax Email Gateway, Lintad, Hylafax.
• Development Platforms: H323plus, OpenBloX, Ooh323c, ++Skype.
Security Testing Tools
• VoIP Sniffing Tools: AuthTool, Cain & Abel, Oreka, PSIPDump, rtpBreak, SIPomatic, SIPv6 Analyzer, UCSniff, VoiPong, VoIPong ISO Bootable, VOMIT, WIST.
• VoIP Scanning and Enumeration Tools: enumIAX, iaxscan, iWar, SCTPScan, SIP Forum Test Framework (SFTF), SIP-Scan, SIPcrack, Sipflanker, SIPSCAN, SiVuS, SMAP.
• VoIP Packet Flooding Tools: IAXFlooder, INVITE Flooder, kphone-ddos, RTP Flooder, Scapy, SIPBomber, SIPsak, SIPp.
• VoIP Fuzzing Tools: Asteroid, PROTOS H.323 Fuzzer, PROTOS SIP Fuzzer.
• VoIP Signaling Manipulation Tools: BYE Teardown, SipRogue, VoIPHopper.
11. Best Practices for Using Open Source Tools
Monitor VoIP traffic
• Continuously monitor VoIP traffic to identify VoIP attacks. Use tools such as SIP-Scan, SiVuS and SMAP.
Use encryption
• Apply encryption to communication between endpoints. Use SRTP (Secure Real-time Transport Protocol).
Use firewalls
• Protect the VoIP network with an open source firewall, for example iptables.
Conduct security audits
• Audit the VoIP network regularly for security vulnerabilities and configuration flaws. Use the VoIP Security Audit Program (VSAP).
Secure gateways, gatekeepers
• Control the number of concurrent connections to utilize bandwidth properly.
Secure proxy servers
• Enforce authentication and authorized access control. Use Asterisk.
Use IPsec tunneling
• IPsec provides secure communication over public networks.
Secure VoIP platforms
• Prefer a VoIP platform with built-in security features for development and deployment of VoIP applications.
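The traffic monitoring recommended above can be illustrated with detection logic that classifies SIP messages per client and flags INVITE floods, repeated REGISTER authentication failures and probing of many extensions. The following Python is an added example, not part of the original slides; the thresholds, alert names, addresses and sample messages are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed thresholds for this example; tune them to normal traffic on the network.
WINDOW_S, MAX_INVITES, MAX_AUTH_FAILS, MAX_TARGETS = 10, 5, 3, 4
REQ = re.compile(r"^(INVITE|REGISTER|OPTIONS)\s+sips?:\S+\s+SIP/2\.0", re.I)
RESP = re.compile(r"^SIP/2\.0\s+(\d{3})")
CSEQ = re.compile(r"^CSeq\s*:\s*\d+\s+(\w+)", re.I | re.M)
TO = re.compile(r"^(?:To|t)\s*:.*?sips?:([^@>\s;]+)@", re.I | re.M)

def classify(src, dst, msg):
    """Map one SIP message to (client_ip, kind, target_extension) or None."""
    target = m.group(1) if (m := TO.search(msg)) else None
    req, resp, cseq = REQ.match(msg), RESP.match(msg), CSEQ.search(msg)
    if req:
        return src, req.group(1).upper(), target
    # One 401 per REGISTER is the normal digest challenge; detect() counts repeats.
    if resp and cseq and resp.group(1) in ("401", "403") and cseq.group(1).upper() == "REGISTER":
        return dst, "AUTH_FAIL", target  # the response travels back to the client

def detect(events):
    """events: (ts, src_ip, dst_ip, sip_text) sorted by ts -> {(client, alert)}."""
    seen, alerts = defaultdict(list), set()
    for ts, src, dst, msg in events:
        hit = classify(src, dst, msg)
        if hit is None:
            continue
        client, kind, target = hit
        win = seen[client] = [e for e in seen[client] if ts - e[0] <= WINDOW_S] + [(ts, kind, target)]
        if sum(k == "INVITE" for _, k, _ in win) > MAX_INVITES:
            alerts.add((client, "invite_flood"))
        if sum(k == "AUTH_FAIL" for _, k, _ in win) > MAX_AUTH_FAILS:
            alerts.add((client, "register_auth_failures"))
        if len({t for _, k, t in win if k in ("REGISTER", "OPTIONS") and t}) > MAX_TARGETS:
            alerts.add((client, "extension_enumeration"))
    return alerts

def sip(first_line, to_user, method):
    return f"{first_line}\r\nTo: <sip:{to_user}@pbx.example>\r\nCSeq: 1 {method}\r\n\r\n"

# Constructed sample traffic (not a capture); addresses are documentation ranges.
A, B, C, OK, PBX = "198.51.100.7", "198.51.100.8", "198.51.100.9", "198.51.100.20", "192.0.2.10"
SAMPLE = sorted(
    [(t, A, PBX, sip("INVITE sip:2000@pbx.example SIP/2.0", "2000", "INVITE")) for t in range(8)]
    + [(t, PBX, B, sip("SIP/2.0 401 Unauthorized", "1001", "REGISTER")) for t in range(5)]
    + [(t, C, PBX, sip(f"OPTIONS sip:{100 + t}@pbx.example SIP/2.0", 100 + t, "OPTIONS")) for t in range(6)]
    + [(1, PBX, OK, sip("SIP/2.0 401 Unauthorized", "1002", "REGISTER")),
       (3, OK, PBX, sip("INVITE sip:1001@pbx.example SIP/2.0", "1001", "INVITE"))],
    key=lambda e: e[0])
```

Calling `detect(SAMPLE)` returns one alert for each of the three noisy clients and none for the client that receives a single digest challenge and places one call.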
12. Contd…
Open source products/tools provide options for:
• Secure configuration of servers
• Secure configuration of clients
• Securing gateways
• Securing firewalls
VoIP/SIP security assessment with open source before deployment (VoIP Security Testing):
• Footprinting: SiVuS, nmap
• Scanning: Nessus, SiVuS
• Eavesdropping: Cain and Abel, VoIPong, vomit
• Fuzzing: PROTOS SIP fuzzing suite
• SIP Protocol Testing: SIP Bomber
14. Example 1 : SiVuS
Security assessment with SiVuS tool
SiVuS
SiVuS is a vulnerability scanner for VoIP networks that use the SIP protocol.
The scanner provides several powerful features to verify the robustness and secure implementation of a SIP component.
SiVuS is used to verify the robustness and security of SIP implementations by generating the attacks that are included in the SiVuS database or by crafting custom SIP messages using the SIP message generator.
Screenshots: 1. SIP Component Discovery, 2. Message Generator
15. Example 1 : SiVuS
Security assessment with SiVuS tool
3. Security Findings Report
16. Example 2 : SIP Bomber
Security assessment with SIP Bomber
SIP Bomber:
SIP Bomber is used to test SIP protocol implementations.
SIP Bomber is compiled on Linux machines with an Asterisk server for testing of SIP server implementation.
Screenshots: 1. Message Generator, 2. Password Validation
18. Summary
• Building a VoIP network with open source is cost-effective and reliable.
• A VoIP network can be secured with open source tools and their configurations and settings.
• Tools like SiVuS and SIP Bomber can be used to assess your VoIP security.