15 April 2008
IP Telephony Security:
Deploying Secure IP Telephony in the
aspect of Network infrastructure
The objective is to integrate IP telephony and traditional data
services onto a shared network infrastructure without
compromising the security of either service. Protective
mechanisms against all types of attacks must be applied in a
holistic manner throughout the enterprise network.
Prepared by :
Maheen mehnaz
ID # 071-618-056
Ete ~ 605
Section ~ 02
Prepared for :
Dr. Mashiur Rahman
North South University
Abstract
This paper provides best-practice information to interested parties for designing and
implementing secure IP telephony networks. Many enterprises, whether large or small, are
now considering implementation of IP Telephony systems and services in their networks.
What used to be a separate circuit-switched telephony network becomes, with the advent
of IP Telephony, a part of the IT and IP infrastructure, available and manageable
like virtually any other application within that framework. Questions then arise whether
telephony is as secure as it was when it was a technology and network on its own, or
whether IP Telephony may even compromise the integrity and availability of other
applications, especially if IP Telephony becomes integrated with these other applications.
One also has to consider the impact of IP Telephony calls originating from an external IP network.
This document aims to clarify the issues mentioned above and provides an
outline of the measures that need to be taken in order to securely implement IP
Telephony in enterprise networks. As we will see, there are already technologies and
products available today that can be installed and used to secure the usage of IP Telephony as
well as other related applications.
Contents
Introduction
Section: 1
Identifying and Understanding the Risks
Threats in voice over IP (VoIP)
Section: 2
Attacks against the IP Telephony Network
Packet Sniffers/Call Interception
Virus and Trojan-Horse Applications
Toll Fraud
IP Spoofing
Denial of Service
Application Layer Attacks
Section: 3
Security Solutions of IP Telephony
Encryption
Section: 4
Designing Guidelines for Small IP Telephony system
Section: 5
Defining a Security Framework
Section: 6
Introduction
As voice over IP (VoIP) installations increasingly evolve from PBX trunking over private
data networks to IP telephony (IPT)-based solutions, it becomes increasingly important to recognize
and address associated security issues. The risk and threat to enterprises deploying IP
telephony are very real, and although few incidents have been reported in public, these are
expected to increase in number as IP telephony deployments increase in number and size.
To mitigate these threats appropriately, the actual risks must be identified and mapped to a
security framework. This framework can then be used to establish security requirements
for the products used to obtain an appropriate level of security for the IPT solution.
However, since IP telephony is a service that enables direct communication between end-
user IP phones throughout an enterprise, it is critical that security measures allow this type
of peer-to-peer traffic flow while protecting the telephony service.
Section: 1
Identifying and Understanding the Risks
IP telephony is still a young technology with rapidly evolving products, and the initial
focus typically is on issues other than security, such as telephony-grade reliability, voice
quality, and telephony features. General security risks can be grouped into four areas:
1. Interception and impersonation of IPT sessions invading privacy or tampering with
information
2. Intrusion of other network services facilitated by the IPT implementation
3. Non-authorized or fraudulent use of IPT equipment
4. Malicious degradation of voice service (denial-of-service, virus, and hacker attacks)
Threats in voice over IP (VoIP)
Threats associated with VoIP are narrowed into the following categories:
Service disruption and annoyance: The attempt to disrupt the VoIP service,
including management, provisioning, access, and operations. Attacks in this
category can affect any network element that supports the VoIP service, including
routers, DNS servers, SIP proxies, session border controllers, and so on.
Eavesdropping and traffic analysis: The attack aims to extract verbal or textual
(for example, credit card number or PIN) content from a conversation or analyze
communications between parties to establish communication patterns, which can
later be used to support other attacks.
Masquerading and impersonation: In this category, targets include users, end
user devices, and network elements and can be realized by manipulating the
signaling or media streams remotely or through unauthorized access to VoIP
components (for example, signaling gateways, the SIP registrar, or DNS servers).
For example, if a telecommunications provider is using only caller ID information
to authenticate subscribers to their voice mailboxes, it is possible for an attacker to
spoof caller ID information to gain access to a user's voice mailbox.
Unauthorized access: The difference between masquerading and unauthorized
access is that the attacker does not need to impersonate another user or network
element, but rather can gain direct access using a vulnerability such as a buffer
overflow, default configuration, and poor signaling or network access controls.
Fraud: Fraud can be realized by manipulating the signaling messages or the
configuration of VoIP components, including the billing systems.
Section: 2
Attacks against the IP Telephony Network
Packet Sniffers/Call Interception
A packet sniffer is a software application that uses a network adapter card in promiscuous
mode to capture all network packets that are sent across a particular collision domain.
Sniffers are used legitimately in networks today to aid in troubleshooting and traffic
analysis.
Virus and Trojan-Horse Applications
The primary vulnerabilities for end-user workstations are viruses and Trojan horse attacks.
Viruses refer to malicious software that is attached to another program to execute a
particular unwanted function on a user's workstation.
Toll Fraud
This attack constitutes theft of service, namely phone calls. There are numerous methods
the hacker could use to accomplish this task. In its basic case toll fraud includes an
unauthorized user accessing an unattended IP phone to place calls. A more complex attack
might include placing a rogue IP phone or gateway on the network to place unauthorized
calls.
IP Spoofing
An IP spoofing attack occurs when a hacker inside or outside a network impersonates the
conversations of a trusted computer. A hacker can do this in one of two ways. The hacker
uses either an IP address that is within the range of trusted IP addresses for a network or an
authorized external IP address that is trusted.
Denial of Service
Certainly the most publicized form of attack, denial of service (DoS) attacks are also
among the most difficult to completely eliminate. Even among the hacker community, DoS
attacks are regarded as trivial and considered bad form because they require so little effort
to execute.
These attacks include the following:
TCP SYN Flood
Ping of Death
UDP fragment flood
ICMP fragment flood
If not properly mitigated, all of these sample DoS attacks could render a voice segment
unusable.
Application Layer Attacks
Application layer attacks can be implemented using several different methods. One of the
most common methods is exploiting well-known weaknesses in software that are
commonly found on servers, such as sendmail, HTTP, and FTP. By exploiting these
weaknesses, hackers can gain access to a computer with the permissions of the account
running the application.
Section: 3
Security Solutions of IP Telephony
Encryption
S/MIME (Secure/Multipurpose Internet Mail Extensions). Provides a way to send and
receive secure MIME data. Based on the MIME standard, S/MIME provides the following
cryptographic security services for electronic messaging applications: authentication,
message integrity and non-repudiation of origin (using digital signatures) and privacy and
data security (using encryption) and by hop-by-hop
SIPS (requires Transport Layer Security, TLS, on whole signaling path). A client/server
protocol that allows peers to communicate in a way that is designed to prevent
eavesdropping, tampering, or message forgery
Key exchange done using MIKEY (Multimedia Internet KEYing). A key management
scheme that can be used for real-time applications (both for peer-to-peer communication
and group communication) supporting SRTP
Denial of service (DoS) attacks
DoS against SIP (over UDP). ICMP Error Message (Port Unreachable, Protocol
Unreachable, Network Unreachable) sent to the target where a caller is sending SIP (over
UDP) messages
Using SIP CANCEL and SIP BYE messages. Preventing UAs from making and receiving calls,
and making UAs drop the call
DoS attacks Example
Preventing SIP Client-A from making a call
The attacker's message cancels a pending request with the same Call-ID, To, From, and CSeq fields
SIP Client-A drops the call just initiated
Call Hijacking
After an INVITE message, a 301 Moved Permanently message would hijack the call
towards whomever the attacker decides (himself or another client)
Identity Theft
Registering an address in place of another user's (if registration requires authentication,
the attacker might use another type of attack)
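The CANCEL, BYE and 301 cases described above can be watched for on a signaling hop by remembering where each INVITE came from and went to. The following is an added example, not part of the original paper; it assumes a monitor on a single hop whose peer addresses do not change during a call, and every address and message in it is constructed.

```python
# Added example, not from the original paper. All addresses and messages are constructed.

def parse_sip(raw):
    """Return (start_line, headers) for a raw SIP message; header names lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers


class DialogMonitor:
    """Remember each INVITE's hop addresses and flag later messages from other hosts."""

    def __init__(self):
        self.invites = {}  # Call-ID -> (source IP, destination IP, CSeq number)

    def observe(self, src, dst, raw):
        start, h = parse_sip(raw)
        call_id = h.get("call-id")
        cseq_num = h.get("cseq", "").partition(" ")[0]
        if start.startswith("INVITE "):
            self.invites[call_id] = (src, dst, cseq_num)
            return None
        if call_id not in self.invites:
            return None
        inv_src, inv_dst, inv_cseq = self.invites[call_id]
        if start.startswith("CANCEL ") and cseq_num == inv_cseq and src != inv_src:
            # Same Call-ID and CSeq number as the pending INVITE, but a different sender.
            return f"CANCEL {call_id}: sent by {src}, INVITE came from {inv_src}"
        if start.startswith("BYE ") and src not in (inv_src, inv_dst):
            return f"BYE {call_id}: sent by {src}, not a party to the call"
        if start.startswith("SIP/2.0 301") and src != inv_dst:
            return f"301 {call_id}: sent by {src}, INVITE went to {inv_dst}"
        return None


def msg(start, call_id, cseq):
    """Build a minimal constructed SIP message (only the fields the checks read)."""
    return (f"{start}\r\nCall-ID: {call_id}\r\nFrom: <sip:a@example.test>;tag=1\r\n"
            f"To: <sip:b@example.test>\r\nCSeq: {cseq}\r\n\r\n")


A, PROXY, OTHER = "192.0.2.10", "192.0.2.1", "192.0.2.66"  # documentation addresses
SAMPLE = [
    (A, PROXY, msg("INVITE sip:b@example.test SIP/2.0", "c1", "1 INVITE")),
    (OTHER, PROXY, msg("CANCEL sip:b@example.test SIP/2.0", "c1", "1 CANCEL")),
    (A, PROXY, msg("INVITE sip:b@example.test SIP/2.0", "c2", "1 INVITE")),
    (OTHER, A, msg("SIP/2.0 301 Moved Permanently", "c2", "1 INVITE")),
    (A, PROXY, msg("INVITE sip:b@example.test SIP/2.0", "c3", "1 INVITE")),
    (A, PROXY, msg("CANCEL sip:b@example.test SIP/2.0", "c3", "1 CANCEL")),  # genuine
    (PROXY, A, msg("BYE sip:a@example.test SIP/2.0", "c2", "2 BYE")),        # genuine
    (OTHER, A, msg("BYE sip:a@example.test SIP/2.0", "c2", "3 BYE")),
]


def run_sample():
    """Feed the constructed trace through the monitor and return the alerts raised."""
    monitor = DialogMonitor()
    alerts = [monitor.observe(src, dst, raw) for src, dst, raw in SAMPLE]
    return [a for a in alerts if a]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Over UDP the source address can itself be forged, so these checks are a detection aid; the hop-by-hop TLS (SIPS) listed under Encryption is what authenticates the sender.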
SPAM over Internet Telephony (SPIT)
Same threat as with e-mail (hundreds of calls just with publicity messages, the phone is
ringing all day, etc.). The problem increases with respect to traditional telephony
Solutions of SPAM over Internet Telephony (SPIT)
Most E-mail filters rely on content analysis. But in voice calls, it is too late to analyze
media for spamming. Voice Spam Detection is difficult
Detection in real time before the media arrives
Great variety of solutions
Black lists (worst case)
White list (it is ok)
Grey-listing (faulty system that would be preventable)
Section: 4
Designing Secure IP Telephony Solutions
Small IP Telephony Design
The small IP telephony design utilizes the small network design. The corporate Internet
module has been modified to support voice services including Public Switched Telephone
Network (PSTN) access for WAN backup and local calls, and VLANs for data/voice
segmentation. The campus has been modified to support IP phones, PC-based IP Phones,
proxy services, and VLANs. The entire small business design is shown here for
reference:
Figure 1 Small Network Detailed Model
Voice Threats Mitigated
Unauthorized access: This type of access is mitigated through filtering at the firewall.
Toll fraud: Access control limits only known telephony devices from communicating
with one another.
Denial of service: TCP setup controls limit exposure to the call-processing manager.
IP spoofing: RFC 2827 and 1918 filters are placed at the Internet service provider (ISP)
edge and local firewall router.
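How RFC 1918 and RFC 2827 style source checks behave on the edge router's outside interface, in both directions, as an added example that is not part of the original paper. The site prefix and the sample packets are constructed assumptions, and the inbound check for the site's own prefix is included as the anti-spoofing counterpart of the outbound RFC 2827 rule.

```python
# Added example, not from the original paper. Prefixes and packets are constructed.
import ipaddress
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the site's ISP-assigned public prefix (a documentation range here).
SITE_PREFIX = ipaddress.ip_network("198.51.100.0/24")


def inbound_verdict(src):
    """Packet arriving from the ISP on the outside interface."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in RFC1918):
        return "drop", "RFC 1918 source on a public link"
    if ip in SITE_PREFIX:
        return "drop", "our own prefix arriving from outside"
    return "permit", "source plausible"


def outbound_verdict(src):
    """Packet leaving towards the ISP (after NAT): only our own prefix may be a source."""
    ip = ipaddress.ip_address(src)
    if ip in SITE_PREFIX:
        return "permit", "source inside assigned prefix"
    return "drop", "RFC 2827: source outside assigned prefix"


def apply_filters(packets):
    """packets: iterable of (direction, source IP). Returns verdicts and drop counts."""
    verdicts, drops = [], Counter()
    for direction, src in packets:
        check = inbound_verdict if direction == "in" else outbound_verdict
        action, reason = check(src)
        verdicts.append((direction, src, action))
        if action == "drop":
            drops[reason] += 1
    return verdicts, drops


# Constructed sample traffic seen on the outside interface.
PACKETS = [
    ("in", "203.0.113.7"),     # ordinary Internet host
    ("in", "10.1.20.5"),       # private source from the Internet: spoofed
    ("in", "198.51.100.20"),   # claims to be one of our own hosts: spoofed
    ("in", "172.31.255.1"),    # upper end of 172.16.0.0/12
    ("out", "198.51.100.20"),  # correctly translated internal host
    ("out", "192.168.10.4"),   # untranslated private address leaking out
    ("out", "203.0.113.7"),    # internal host forging a foreign source
]

if __name__ == "__main__":
    verdicts, drops = apply_filters(PACKETS)
    for v in verdicts:
        print(*v)
    print(dict(drops))
```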
Designing Guidelines for Small IP Telephony system
The design includes routing, NAT, VLAN, voice services, VPN, and a stateful firewall.
A router setup offers the greatest flexibility for the small network because the router supports all
the advanced services that may be necessary in today's networks. Firewall must be set up
because:
First, firewalls are generally Ethernet only, requiring some conversion to access PSTN
and the WAN. This access would then most likely occur through the use of an additional
router.
Second, firewalls in this small scale of a design generally do not support enough
interfaces or VLANs to provide segmentation between the Internet edge, public service,
data, and voice segments.
Third, for the branch mode of operation, firewalls do not support the same backup voice
services for local call processing that routers do in case of head end failure.
Medium IP Telephony Design
Medium IP telephony design has been modified to support IP phones, PC-based IP Phones,
voice services, proxy services, PSTN for WAN backup and local calls, and VLANs for
data/voice segmentation. The entire medium business design is shown here for reference:
Figure 2 Medium Network Detailed Model
Voice Threats Mitigated
Packet sniffers/call interception: A switched infrastructure limits the effectiveness of
sniffing.
Virus and Trojan-horse applications: Host-based virus scanning prevents most viruses
and many Trojan horses.
Unauthorized access: This type of access is mitigated through the use of HIDS and
application access control.
Application layer attacks: Operating systems, devices, and applications are kept up-to-date
with the latest security fixes, and most servers are additionally protected by HIDS.
Toll fraud: The call-processing manager will not allow unknown phones to be
configured.
Denial of service: Separation of the voice and data segments significantly reduces the
likelihood of an attack.
Large IP Telephony Design
Some changes have been made to the design, including:
PC-based IP Phones were added to data segments of the R&D and marketing user groups.
An additional voice segment was added for the voice-mail system.
PSTN for local calls was added to the edge distribution module.
The call-processing segment in the server module was made highly available and front
ended with a pair of stateful firewalls.
HIDS was installed on all voice-related services.
NIDS was tuned to the correct flows in the voice and related segments.
The entire enterprise design is shown in Figure 3 for reference:
Figure 3 Large Network Detailed Model
Voice Threats Mitigated
Packet sniffers/call interception: A switched infrastructure limits the effectiveness of
sniffing.
Virus and Trojan-horse applications: Host-based virus scanning prevents most viruses
and many Trojan horses.
Unauthorized access: This type of access is mitigated through the use of HIDS and
application access control.
Caller identity spoofing: Arpwatch notifies the administrator of the unknown device.
Toll fraud: Access control limits only known telephony networks from communicating
with one another.
Section: 5
Defining a Security Framework
Two main principles of a security framework are the simplification of design and
configuration, and the limitation of exposure. A useful strategy is to divide the actual
solution into domains and to limit access rights to each domain depending on functions and
associated trust levels within each domain.
Figure 4 Conceptual IP Telephony Security Model
End-User Devices: IP Phone
The IP phone is an end-user device that provides voice and call signaling connections, and
in some cases, advanced feature support, Web browsing, wireless connectivity, etc.
1. Must authenticate itself to the call control server or a proxy server upon initial
registration.
2. Must support strong authentication for any remote configuration or software upgrade.
3. Should support a configurable access control list to control any incoming traffic (e.g.,
H.323/SIP, RTP, HTTP, FTP, DHCP).
4. When supporting an additional Ethernet port for PC connectivity, should have this
implemented via a switching function combined with VLAN functionality.
IPT Media related server: The Voice Gateway
The voice gateway is a network entity that provides media conversion (and in some cases,
signaling conversion) between the IP network and the public switched telephone network.
1. Must support strong authentication for any configuration or software upgrades.
2. Provides denial-of-service protection on the IP interface.
3. Should be configured to route calls only via the call control server.
4. Has a server component that should be configured with both virus protection and host-
based intrusion detection.
5. Should support a media protocol authentication on a per-packet basis.
IPT Call Control-Related Servers: The Call Control Server
It contains all routing, service, and user information, and it can control access to servers
containing this information.
1. Is a software entity typically implemented on commercially available operating systems.
All standard security precautions should be taken: turning off all unused services,
keeping patching of OS and services up-to-date, and using only the operating system for
the call control server.
2. Implemented on secure operating systems (e.g., Linux, Unix) by leading vendors.
3. Should have all user or device access to servers authenticated and authorized.
4. Must support strong authentication for any configuration or software upgrades.
5. Should support application-level, hop-by-hop signaling message authentication.
6. Should support encryption of call setup information.
IPT Operational and Management Access
All IPT operational and management access must be restricted and accessed only via
strong authentication control.
Section: 6
Conclusion
VoIP technology now reaches across the globe, penetrating all types of markets. In
Bangladesh, call centers are now being established everywhere, so security measures should be
chosen according to the size of the network and enterprise. It is true that VoIP security is an issue and one
that is being addressed. More and more VoIP service providers are looking at ways to
provide VoIP security for their customers to remove the vulnerability that exists for
security risks.
Every business regardless of size has concern over keeping their business dealings safe and
secure. One of the challenges seen today has to do with computers and hackers. Since
VoIP or Voice over IP technology uses the computer to create voice streams, many
business owners have questions regarding VoIP security.
Appendix: Architecture Taxonomy
Firewall: Stateful packet-filtering device that maintains state tables for IP-based protocols.
Traffic is allowed to cross the firewall only if it conforms to the access-control filters
defined, or if it is part of an already established session in the state table.
Router: A wide spectrum of flexible network devices, which provide many routing and
security services for all performance requirements. Most devices are modular and have a
range of LAN and WAN physical interfaces.
Host IDS: Host intrusion detection system is a software application that monitors activity
on an individual host. Monitoring techniques can include validating operating system and
application calls, checking log files, file system information, and network connections.
Network IDS: Network intrusion detection system. Typically used in a nondisruptive
manner, this device captures traffic on a LAN segment and tries to match the real-time
traffic against known attack signatures. Signatures range from atomic (single packet and
direction) signatures to composite (multipacket) signatures requiring state tables and Layer
7 application tracking.
Application server: Provides application services directly or indirectly for enterprise end
users. Services can include workflow, general office, and security applications.
Management server: Provides network management services for the operators of
enterprise networks. Services can include general configuration management, monitoring
of network security devices, and operation of the security functions.
Call-process manager: Provides call setup/establishment and customizable user-based
configurations; also known as IP PBX.
Voice-mail system: Provides IP-based voice-mail storage and autoattendant.
PC-based IP Phone: Any application that has the ability to reside on a user system (for
example, desktop) and place calls to other IP telephony systems over the IP network.
Voice-enabled router: A router as defined previously with the additional capabilities of
call processing (as listed previously) and legacy voice systems support (for example,
Public Switched Telephone Network [PSTN]).