1 / 17

Voice over IP (VoIP) security

Voice over IP (VoIP) security. Introduction. Voice over IP and IP telephony Network convergence Telephone and IT PoE (Power over Ethernet) Mobility and Roaming Telco Switched -> Packet (IP) Closed world -> Open world Security and privacy IPhreakers VoIP vs 3G.

fineen
Download Presentation

Voice over IP (VoIP) security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Voice over IP (VoIP) security

  2. Introduction • Voice over IP and IP telephony • Network convergence • Telephone and IT • PoE (Power over Ethernet) • Mobility and Roaming • Telco • Switched -> Packet (IP) • Closed world -> Open world • Security and privacy • IPhreakers • VoIP vs 3G

  3. Architecture: protocols • Signaling • User location • Session • Setup • Negotiation • Modification • Closing • Transport • Encoding, transport, etc.

  4. Architecture: protocols • SIP • IETF - 5060/5061 (TLS) - “HTTP-like, all in one” • Proprietary extensions • Protocol becoming an architecture • “End-to-end” (between IP PBX) • Inter-AS MPLS VPNs • Transitive trust • IM extensions (SIMPLE) • H.323 • Protocol family • H.235 (security), Q.931+H.245 (management), RTP, CODECs, etc. • ASN.1

  5. Architecture: protocols • RTP (Real Time Protocol) • 5004/udp • RTCP • No QoS/bandwidth management • Packet reordering • CODECs • old: G.711 (PSTN/POTS - 64Kb/s) • current: G.729 (8Kb/s)

  6. Architecture: systems • Systems • SIP Proxy • Call Manager/IP PBX • User management and reporting (HTTP, etc) • H.323: GK (GateKeeper) • Authentication server (Radius) • Billing servers (CDR/billing) • DNS, TFTP, DHCP servers

  7. Architecture: systems • Voice Gateway (IP-PSTN) • Gateway Control Protocols • Signaling: SS7 interface • Media Gateway Controller • Controls the MG (Megaco/H.248) • SIP interface • Signaling Gateway • Interface between MGC and SS7 • SCTP - ISUP, Q.931 • Transport • Media Gateway: audio conversion

  8. Architecture: firewall/VPN • Firewall • “Non-stateful” filtering • “Stateful” filtering • Application layer filtering (ALGs) • NAT / “firewall piercing” • (H.323 : 2xTCP, 4x dynamic UDP - 1719,1720) • (SIP : 5060/udp) • Encrypted VPN • SSL/TLS • IPsec • Where to encrypt (LAN-LAN, phone-phone, etc)?

  9. VOIP Threats • Denial of Service • ICMP Flood • IP Spoofing • Port Scans • Land Attack • IP Source Route • Evasdropping or recording • In VOIP eavesdropping is a type of an attack, if an attacker able to eavesdropp a communication. Then he can launch different type of an attack like Man in the Middle attack etc. • Call Hijacking and Spoofing • Call Redirection • Voice SPAM (Vishing, Mailbox Stuffing, Unsolicited Calling) • Voicemail Hacking

  10. VOIP Attacks • Signaling Layer Attacks • SIP Registration Hijacking • Impersonating a Server • SIP Message Modification • SIP Cancel / SIP BYE attack • SIP DOS attack • Media Layer Attacks • Eavesdropping • RTP insertion attack • SSRC collision attacks

  11. Signaling Layer Attacks • SIP Registration attack • Attacker impersonates a valid UA to a registrar himself as a valid user agent. So attacker can recieve calls for a legitmate user. • Impersonating a Server • When an attacker impersonates a remote server and user agent request are served by the attacker machine. • SIP Message Modification • If an attacker launches a man in the middle attack and modify a message. Then attacker could lead the caller to connect to malicious system. • SIP CANCEL / SIP BYE • SIP Denial of Service • In SIP attacker creates a bogus request that contained a fake IP address and Via field in the SIP header contains the identity of the target host.

  12. Media Layer Attacks • Eavesdropping • SSRC collision • If an attacker eavesdropp the conversation and uses one’s peer SSRC to send RTP packet to other peer, it causes to terminate a session.

  13. Security Solutions • Two types of security solutions • End-to-End security • In SIP end points can ensure end-to-end security to those messages which proxy does not read, like SDP messages could be protectedusingS/MIME. • Media is transferred directly, so end-to-end security is achieved by SRTP. • Hop-by-hop security • TLS, IPSec • TLS provide transport layer security over TCP. Normally SIP URI is in the form of sip:abc@example.com, but if we are using TLS then SIP URI will be sips:abc@example.com and signaling must be send encrypted.

  14. Authentication • Authentication means to identify a person. • If we take SIP as signaling protocol in VOIP, it defines two mechanisms for authentication • HTTP digest authentication • S/MIME • HTTP Digest Authentication • HTTP digests mechanisms used between users to proxies, users to users but not between proxies to proxies. • S/MIME • S/MIME uses X.509 certificates to authenticate end users in the same way that web browsers use them.

  15. Media Encryption • In VOIP media is send directly between users using RTP. Encryption of media is achieved by • IPSec • Secure RTP (SRTP) • It provides a framework for encryption and message authentication of RTP and RTCP. • Cipher Algorithum: AES • Authenitcation is an optional feature. • SRTP uses Security Description for Media Streams (SDES) algorithum to negotiate session keys in SDP. • MIKKEY • Mikkey provides its own authentication and integrity mechanisim. • Mikkey messages carried in a SDP with a=key-mgmt attritbute.

  16. There are Specialized Hacking Tools • SIPScan - enumerate SIP interfaces • TFTPBrute - TFTP directory attacking • UDP and RTP Flooder - DoS tools • hping2 – TCP session flooding • Registration Hijacker - tool to take over H.323 session • SIVUS - SIP authentication and registration auditor • Vomit - RTP Playback • VOIP HOPPER – IP Phone mimicing tool • Dsniff- various utilitarian tools (macof and arpspoof) • Wireshark (Ethereal) / tcpdump - packet capture and protocol analysis

  17. Thanks You

More Related