Network and VoIP Security – More Important Than Ever

Mark D. Collier, Chief Technology Officer, SecureLogix Corporation, mark.collier@securelogix.com


Outline

  • General Security Trends
    - Good news
    - Bad news
    - Going forward
  • Network-Based Security
  • Managed Security Services
  • Internal Application/VoIP Security

General Security Trends: Some Good News

  • Basic security measures, such as anti-virus, firewalls, and anti-spyware, are ubiquitously deployed
  • Average losses due to security breaches are up, but down significantly from 2001 and 2002 (*)
  • The number of incidents is down (*)
  • Incidents are being reported at a greater rate (*)

(*) Source – 2007 Computer Crime and Security Survey


General Security Trends: Some Bad News

  • Signature-based detection systems are being pushed to the limit
  • The platforms, network, and applications are getting more and more complex
  • Attacks are becoming increasingly complex
  • Perimeter security has many issues
  • Security funding is a small part of IT spending – no more than 10% and often less than 5% (*)
  • Targeted attacks are increasing (*)

(*) Source – 2007 Computer Crime and Security Survey


General Security Trends: Going Forward

  • Increased deployment of Intrusion Detection and Prevention Systems (IDSs and IPSs)
  • Possible increase in the use of Network Admission Control (NAC)
  • Network-Based Security solutions are available
  • Managed Security Services solutions are available
  • Increased focus on internal application security
  • New applications such as Voice Over IP (VoIP) moving onto the data network

Network-based Security: Introduction

  • Enterprise customers are deploying firewalls, IDSs/IPSs, AV, anti-SPAM on network edge
  • Some disadvantages:
    - Expensive
    - Multiple vendors and difficult to manage
    - Does not scale well

[Diagram labels: Client Enterprise; Client Enterprise; 3rd Party Network; Primary Provider IP Network; Edge]

Network-based Security: Introduction

  • Network-based security embeds security capability in the network
  • Some advantages:
    - Leverages security capability in the network
    - Centralized management
    - Scales better

[Diagram labels: Client Enterprise; Client Enterprise; 3rd Party Network; Edge; AT&T IP Network (VPN, Firewall, IDS, Anti-Virus, etc.); Firewall, IDS, Anti-Virus, etc.]

Network-based Security: Advantages

  • Leverages security expertise
  • Greatly assists with threat reconnaissance
  • Broad network visibility allows greater awareness and warning of attacks
  • The impact of major worm attacks is seen well in advance of when they are a threat to an enterprise
  • The only real solution to DoS and DDoS attacks
  • A great defense in depth approach
  • Still may need network defense and internal security

Network-based Security: Early Detection of Attacks

[Diagram]
Attack phases: Reconnaissance; Scanning; System Access; Damage; Track Coverage
Defense phases: Preventive Phase (Defense); Reactive Phase (Defense)
Activities shown: Web-Based Information Collection; Social Engineering; Broad Network Mapping; Targeted Scan; Service Vulnerability Exploitation; Password Guessing; DDOS Zombie Code Installation; System File Delete; Log File Changes; Use of Stolen Accounts for Attack
Callout: AT&T Security Service Primary Emphasis

Network-based Security: DoS and DDoS Attacks

[Diagram labels: Targeted Server; AT&T IP Backbone; Enterprise Server]

Network-based Security: AT&T Offerings

[Diagram] Network-Based Security Platform: Policy Management; Identity Management; Intrusion Management; Perimeter Security; Secure Connectivity; Monitoring & Mgmt; Incident Management

  • AT&T Internet Protect®
  • AT&T DDoS Defense
  • AT&T My Internet Protect
  • AT&T Private Intranet Protect
  • AT&T Network-Based Firewalls
  • AT&T Secure E-Mail Gateway
  • AT&T Web Security Services

Managed Security Services: Introduction

  • Managed Security Services (MSS) are a viable alternative to in-house security staffing
  • Leverage experienced staff, who are familiar with security processes and products
  • Often can be more cost effective
  • Eliminates the need to retain and train staff
  • Security assessments/audits are commonly outsourced

Managed Security Services: Enterprise Penetration

(*) Source – 2007 Computer Crime and Security Survey

Managed Security Services: Assessments/Audits

(*) Source – 2007 Computer Crime and Security Survey

Managed Security Services: AT&T Offerings

  • Premises-Based Firewalls
  • Managed Intrusion Detection
  • Endpoint Security Service
  • Token Authentication

Application/VoIP Security – VoIP Security: Introduction

  • Despite availability of network-based security, managed services, and customer-premise edge security, securing applications is still important
  • Voice Over IP (VoIP) is one internal application that must be secured

Gathering Information (Footprinting) – Public Website Research: Introduction

  • An enterprise website often contains a lot of information that is useful to a hacker:
    - Organizational structure and corporate locations
    - Help and technical support
    - Job listings
    - Phone numbers and extensions

Gathering Information (Footprinting) – Public Website Research: Countermeasures

  • It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it
  • Try to limit amount of detail in job postings
  • Remove technical detail from help desk web pages

Gathering Information (Footprinting) – Google Hacking: Introduction

  • Google is incredibly good at finding details on the web:
    - Vendor press releases and case studies
    - Resumes of VoIP personnel
    - Mailing lists and user group postings
    - Web-based VoIP logins

Gathering Information (Footprinting) – Google Hacking: Countermeasures

  • Determine what your exposure is
  • Be sure to remove any VoIP phones which are visible to the Internet
  • Disable the web servers on your IP phones
  • There are services that can help you monitor your exposure:
    - www.cyveilance.com
    - www.baytsp.com

Gathering Information (Scanning) – Host/Device Discovery and Identification

  • Consists of various techniques used to find hosts:
    - Ping sweeps
    - ARP pings
    - TCP ping scans
    - SNMP sweeps
  • After hosts are found, the type of device can be determined
  • Classifies host/device by operating system
  • Once hosts are found, tools can be used to find available network services

Gathering Information (Scanning) – Host/Device Discovery: Ping Sweeps/ARP Pings

Gathering Information (Scanning) – Host/Device Discovery: Countermeasures

  • Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps
  • VLANs can help isolate ARP pings
  • Ping sweeps can be blocked at the perimeter firewall
  • Use secure (SNMPv3) version of SNMP
  • Change SNMP public strings

Gathering Information (Enumeration) – Enumeration: Introduction

  • Involves testing open ports and services on hosts/devices to gather more information
  • Includes running tools to determine if open services have known vulnerabilities
  • Also involves scanning for VoIP-unique information such as phone numbers
  • Includes gathering information from TFTP servers and SNMP

Gathering Information (Enumeration) – Vulnerability Testing: Tools

Gathering Information (Enumeration) – Vulnerability Testing: Countermeasures

  • The best solution is to upgrade your applications and make sure you continually apply patches
  • Some firewalls and IPSs can detect and mitigate vulnerability scans

Gathering Information (Enumeration) – TFTP Enumeration: Introduction

  • Almost all phones we tested use TFTP to download their configuration files
  • The TFTP server is rarely well protected
  • If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password
  • The files are downloaded in the clear and can be easily sniffed
  • Configuration files have usernames, passwords, IP addresses, etc. in them

Gathering Information (Enumeration) – TFTP Enumeration: Countermeasures

  • It is difficult not to use TFTP, since it is so commonly used by VoIP vendors
  • Some vendors offer more secure alternatives
  • Firewalls can be used to restrict access to TFTP servers to valid devices

Gathering Information (Enumeration) – SNMP Enumeration: Introduction

  • SNMP is enabled by default on most IP PBXs and IP phones
  • Simple SNMP sweeps will garner lots of useful information
  • If you know the device type, you can use snmpwalk with the appropriate OID
  • You can find the OID using Solarwinds MIB
  • Default “passwords”, called community strings, are common

Gathering Information (Enumeration) – SNMP Enumeration: Countermeasures

  • Disable SNMP on any devices where it is not needed
  • Change default public and private community strings
  • Try to use SNMPv3, which supports authentication

Attacking The Network (Network DoS) – Network Infrastructure DoS

  • The VoIP network and supporting infrastructure are vulnerable to attacks
  • VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter
  • Attacks include:
    - Flooding attacks
    - Network availability attacks
    - Supporting infrastructure attacks

Attacking The Network (Network DoS) – Flooding Attacks: Introduction

  • Flooding attacks generate so many packets at a target that it is overwhelmed and can’t process legitimate requests

Attacking The Network (Network DoS) – Flooding Attacks: Countermeasures

  • Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling)
  • Use rate limiting in network switches
  • Use anti-DoS/DDoS products
  • Some vendors have DoS support in their products (in newer versions of software)

Attacking The Network (Network DoS) – Network Availability Attacks

  • This type of attack involves an attacker trying to crash the underlying operating system:
    - Fuzzing involves sending malformed packets, which exploit a weakness in software
    - Packet fragmentation
    - Buffer overflows

Attacking The Network (Network DoS) – Network Availability Attacks: Countermeasures

  • A network IPS is an inline device that detects and blocks attacks
  • Some firewalls also offer this capability
  • Host-based IPS software also provides this capability

Attacking The Network (Network DoS) – Supporting Infrastructure Attacks

  • VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc.
  • DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones
  • DNS cache poisoning involves tricking a DNS server into using a fake DNS response

Attacking The Network (Network DoS) – Supporting Infrastructure Attacks: Countermeasures

  • Configure DHCP servers not to lease addresses to unknown MAC addresses
  • DNS servers should be configured to analyze info from non-authoritative servers and drop any response not related to queries

Attacking The Network (Eavesdropping) – Network Eavesdropping: Introduction

  • VoIP configuration files, signaling, and media are vulnerable to eavesdropping
  • Attacks include:
    - TFTP configuration file sniffing (already discussed)
    - Number harvesting and call pattern tracking
    - Conversation eavesdropping
  • By sniffing signaling, it is possible to build a directory of numbers and track calling patterns
  • voipong automates the process of logging all calls
  • Wireshark is very good at sniffing VoIP signaling

Attacking The Network (Eavesdropping) – Conversation Recording: Wireshark

Attacking The Network (Eavesdropping) – Conversation Recording: Other Tools

  • Other tools include:
    - vomit
    - Voipong
    - voipcrack (not public)
    - DTMF decoder

Attacking The Network (Eavesdropping) – Network Eavesdropping: Countermeasures

  • Use encryption:
    - Many vendors offer encryption for signaling
    - Use the Transport Layer Security (TLS) for signaling
    - Many vendors offer encryption for media
    - Use Secure Real-time Transport Protocol (SRTP)
    - Use ZRTP
    - Use proprietary encryption if you have to

Attacking The Network (Net/App Interception) – Network Interception: Introduction

  • The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing:
    - Eavesdropping on the conversation
    - Causing a DoS condition
    - Altering the conversation by omitting, replaying, or inserting media
    - Redirecting calls

Attacking The Network (Net/App Interception) – Network Interception: ARP Poisoning

  • The most common network-level MITM attack is ARP poisoning
  • Involves tricking a host into thinking the MAC address of the attacker is the intended address
  • There are a number of tools available to support ARP poisoning:
    - Cain and Abel
    - ettercap
    - Dsniff
    - hunt


Attacking The Network (Net/App Interception) – Network Interception: Countermeasures

  • Some countermeasures for ARP poisoning are:
    - Static OS mappings
    - Switch port security
    - Proper use of VLANs
    - Signaling encryption/authentication
    - ARP poisoning detection tools, such as arpwatch
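
The static-mapping and detection-tool countermeasures above can be combined in one passive monitor. The following is an added example, not part of the original slides and not arpwatch's own code: the addresses, the pinned table, the 60-second window and the event names are all assumptions made for illustration.

```python
"""Passive ARP binding monitor (added example; all data is constructed)."""
from dataclasses import dataclass, field

# Constructed observations: (seconds, IP claimed in the ARP reply, sender MAC).
GW, SRV, PHONE, ROGUE = ("02:00:00:00:00:01", "02:00:00:00:00:10",
                         "02:00:00:00:00:20", "02:00:00:00:00:99")
SAMPLE_ARP = [
    (0, "10.0.5.1", GW),        # default gateway
    (1, "10.0.5.20", PHONE),    # IP phone
    (2, "10.0.5.10", SRV),      # call server
    (30, "10.0.5.1", ROGUE),    # gateway IP claimed by a different MAC
    (31, "10.0.5.1", GW),
    (40, "10.0.5.20", ROGUE),   # phone IP claimed by the same foreign MAC
    (41, "10.0.5.20", PHONE),   # real phone and foreign MAC now alternate
    (42, "10.0.5.20", ROGUE),
]
# Static mappings for the hosts every phone talks to (assumed values).
PINNED = {"10.0.5.1": GW, "10.0.5.10": SRV}


@dataclass
class ArpMonitor:
    pinned: dict
    flip_window: int = 60                          # seconds
    current: dict = field(default_factory=dict)    # ip -> (mac, last seen)
    previous: dict = field(default_factory=dict)   # ip -> (older mac, last seen)

    def observe(self, ts, ip, mac):
        """Return an event name for this ARP reply, or None if nothing changed."""
        mac = mac.lower()
        pinned_mac = self.pinned.get(ip)
        if pinned_mac is not None and mac != pinned_mac.lower():
            return "pinned-violation"              # never learn a contradicting MAC
        if ip not in self.current:
            self.current[ip] = (mac, ts)
            return "new-station"
        cur_mac, cur_ts = self.current[ip]
        if mac == cur_mac:
            self.current[ip] = (mac, ts)           # refresh last-seen time
            return None
        older = self.previous.get(ip)
        self.previous[ip] = (cur_mac, cur_ts)
        self.current[ip] = (mac, ts)
        # Two MACs alternating for one IP inside the window is the poisoning
        # signature; a single change may just be a replaced handset.
        if older and older[0] == mac and ts - older[1] <= self.flip_window:
            return "flip-flop"
        return "changed"


def run(observations, pinned):
    """Feed observations through a fresh monitor and collect the events."""
    monitor = ArpMonitor(pinned)
    events = []
    for ts, ip, mac in observations:
        event = monitor.observe(ts, ip, mac)
        if event:
            events.append((ts, ip, mac, event))
    return events


if __name__ == "__main__":
    for ev in run(SAMPLE_ARP, PINNED):
        print(*ev)
```
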

Attacking The Application

  • VoIP systems are vulnerable to application attacks against the various VoIP protocols
  • Attacks include:
    - Fuzzing attacks
    - Flood-based DoS
    - Signaling and media manipulation

Attacking The Application (Fuzzing) – Fuzzing: Introduction

  • Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it
  • Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks
  • There are many public domain tools available for fuzzing:
    - Protos suite
    - Asteroid
    - Fuzzy Packet
    - NastySIP
    - Scapy
    - SipBomber
    - SFTF
    - SIP Proxy
    - SIPp
    - SIPsak

Attacking The Application (Fuzzing) – Fuzzing: Commercial Tools

  • There are some commercial tools available:
    - Beyond Security BeStorm
    - Codenomicon
    - MuSecurity Mu-4000 Security Analyzer
    - Security Innovation Hydra
    - Sipera Systems LAVA tools

Attacking The Application (Fuzzing) – Fuzzing: Countermeasures

  • Make sure your vendor has tested their systems for fuzzing attacks
  • Consider running your own tests
  • A VoIP-aware IPS can monitor for and block fuzzing attacks

Attacking The Application (Flood-Based DoS) – Flood-Based DoS

  • Several tools are available to generate floods at the application layer:
    - rtpflood – generates a flood of RTP packets
    - inviteflood – generates a flood of SIP INVITE packets
    - SiVuS – a tool with a GUI that enables a variety of flood-based attacks
  • Virtually every device we tested was susceptible to these attacks

Attacking The Application (Flood-Based DoS) – Flood-Based DoS: Countermeasures

  • There are several countermeasures you can use for flood-based DoS:
    - Use VLANs to separate networks
    - Use TCP and TLS for SIP connections
    - Use rate limiting in switches
    - Enable authentication for requests
    - Use SIP firewalls/IPSs to monitor and block attacks
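
The rate-limiting and SIP-aware filtering countermeasures above come down to a per-source budget for INVITE requests. This is an added example, not from the original slides or any vendor product: a token bucket keyed by source address, with the rate, burst size, addresses and sample traffic all constructed for illustration.

```python
"""Per-source INVITE rate limiting (added example; traffic is constructed)."""
import re
from collections import Counter

# SIP request line: METHOD SP Request-URI SP SIP/2.0
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")


def sip_method(message):
    """Return the method of a SIP request, or None if the first line is malformed."""
    first_line = message.split("\r\n", 1)[0]
    match = REQUEST_LINE.match(first_line)
    return match.group(1) if match else None


class InviteLimiter:
    """Token bucket per source address, applied to INVITE requests only."""

    def __init__(self, rate=1.0, burst=5):
        self.rate = rate          # INVITE tokens refilled per second
        self.burst = burst        # bucket size: INVITEs allowed back to back
        self.buckets = {}         # src -> (tokens left, time of last INVITE)

    def check(self, ts, src, message):
        method = sip_method(message)
        if method is None:
            return "malformed"    # reject before spending any parsing effort
        if method != "INVITE":
            return "pass"
        tokens, last = self.buckets.get(src, (float(self.burst), ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[src] = (tokens - 1.0, ts)
            return "pass"
        self.buckets[src] = (tokens, ts)
        return "throttled"


def invite(user):
    # Minimal constructed request; only the request line matters here.
    return f"INVITE sip:{user}@example.com SIP/2.0\r\nVia: SIP/2.0/UDP host\r\n\r\n"


def sample_traffic():
    """Constructed capture: one source bursting, one phone behaving normally."""
    traffic = [(i * 0.02, "192.0.2.66", invite("2001")) for i in range(50)]
    traffic.append((0.50, "10.0.5.20", invite("2002")))
    traffic.append((0.60, "10.0.5.20", "REGISTER sip:example.com SIP/2.0\r\n\r\n"))
    traffic.append((0.70, "192.0.2.66", "INVITE\x00\x00 garbage\r\n\r\n"))
    return sorted(traffic, key=lambda item: item[0])


def summarize(traffic, limiter=None):
    """Count verdicts per (source, verdict) pair."""
    limiter = limiter or InviteLimiter()
    verdicts = Counter()
    for ts, src, message in traffic:
        verdicts[(src, limiter.check(ts, src, message))] += 1
    return verdicts


if __name__ == "__main__":
    for key, count in sorted(summarize(sample_traffic()).items()):
        print(key, count)
```

Keying the bucket on source address only helps when the source cannot be spoofed, which is one reason the list above also recommends TCP/TLS transport and request authentication.
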

Attacking The Application (Sig/Media Manipulation) – Registration Manipulation

[Diagram labels: User; Proxy; Proxy; User; Attacker; Hijacked Session; Hijacked Media]

Attacking The Application (Sig/Media Manipulation) – Session Teardown

[Diagram labels: User; Proxy; Proxy; User; Attacker. Caption: Attacker Sends BYE Messages To UAs]

Attacking The Application (Sig/Media Manipulation) – IP Phone Reboot

[Diagram labels: User; Proxy; Proxy; User; Attacker. Caption: Attacker Sends check-sync Messages To UA]

Attacking The Application (Sig/Media Manipulation) – Audio Insertion/Mixing

[Diagram labels: User; Proxy; Proxy; User; Attacker. Caption: Attacker Sees Packets And Inserts/Mixes In New Audio]

Attacking The Application (Sig/Media Manipulation) – Signaling/Media Manipulation: Countermeasures

  • Some countermeasures for signaling and media manipulation include:
    - Use digest authentication where possible
    - Use TCP and TLS where possible
    - Use SIP-aware firewalls/IPSs to monitor for and block attacks
    - Use audio encryption to prevent RTP injection/mixing
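
How digest authentication blocks forged REGISTER and BYE requests is easiest to see from the server's side of the check. The following is an added example, not from the original slides or any product: it implements the RFC 2617 `qop=auth` response calculation that SIP uses, and the realm, user, password, nonce scheme and lifetime are constructed assumptions.

```python
"""Server-side SIP digest check (added example; credentials are constructed)."""
import hashlib
import hmac

SERVER_SECRET = b"constructed-secret-for-nonces"  # assumption: random per-server key
REALM = "pbx.example.com"                         # constructed
USERS = {"2001": "correct horse battery"}         # constructed credential store
NONCE_LIFETIME = 30                               # seconds a challenge stays valid


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def _tag(stamp):
    return hmac.new(SERVER_SECRET, stamp.encode(), hashlib.sha256).hexdigest()[:16]


def make_nonce(now):
    """Stateless nonce: issue time plus an HMAC so the server can check its age."""
    stamp = str(int(now))
    return f"{stamp}:{_tag(stamp)}"


def nonce_is_fresh(nonce, now):
    stamp, _, tag = nonce.partition(":")
    if not stamp.isdigit():
        return False
    genuine = hmac.compare_digest(tag.encode(), _tag(stamp).encode())
    return genuine and 0 <= now - int(stamp) <= NONCE_LIFETIME


def digest_response(user, password, nonce, nc, cnonce, method, uri):
    """RFC 2617 response for qop=auth: binds the method and the Request-URI."""
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def verify(method, uri, auth, now):
    """Return (accepted, reason) for a request and its Authorization fields."""
    if auth is None:
        return False, "challenge"                 # answer 401 with a fresh nonce
    password = USERS.get(auth.get("username"))
    if password is None or auth.get("realm") != REALM:
        return False, "unknown-user"
    if auth.get("uri") != uri:
        return False, "uri-mismatch"
    if not nonce_is_fresh(auth.get("nonce", ""), now):
        return False, "stale-nonce"
    expected = digest_response(auth["username"], password, auth["nonce"],
                               auth.get("nc", ""), auth.get("cnonce", ""),
                               method, uri)
    if not hmac.compare_digest(expected.encode(), auth.get("response", "").encode()):
        return False, "bad-response"
    return True, "ok"


def client_auth(user, password, nonce, method, uri, nc="00000001", cnonce="c0ffee"):
    """Fields a phone that knows the password would send (constructed helper)."""
    return {"username": user, "realm": REALM, "nonce": nonce, "uri": uri,
            "nc": nc, "cnonce": cnonce,
            "response": digest_response(user, password, nonce, nc, cnonce,
                                        method, uri)}
```

The response covers only the method and Request-URI, not the other headers or the body, and this sketch does not track `nc` values, so it complements rather than replaces the TLS item in the list above.
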

Social Attacks (Voice SPAM) – Voice SPAM: Introduction

  • Voice SPAM refers to bulk, automatically generated, unsolicited phone calls
  • Similar to telemarketing, but occurring at the frequency of email SPAM
  • Not an issue yet, but will become prevalent when:
    - The network makes it very inexpensive or free to generate calls
    - Attackers have access to VoIP networks that allow generation of a large number of calls
  • It is easy to set up a voice SPAM operation, using Asterisk, tools like “spitter”, and free VoIP access

Social Attacks (Voice SPAM) – Voice SPAM: Countermeasures

  • Some potential countermeasures for voice SPAM are:
    - Authenticated identity movements, which may help to identify callers
    - Legal measures
    - Network-based filtering
  • Enterprise voice SPAM filters:
    - Black lists/white lists
    - Approval systems
    - Audio content filtering
    - Turing tests

Social Attacks (Phishing) – VoIP Phishing: Introduction

  • Similar to email phishing, but with a phone number delivered through email or voice
  • When the victim dials the number, the recording requests entry of personal information

Social Attacks (Phishing) – VoIP Phishing: Countermeasures

  • Traditional email spam/phishing countermeasures come into play here
  • Educating users is key

Final Thoughts

  • General network security is improving in some ways, but new threats are emerging
  • Network-based security and managed security services can be used to improve enterprise security
  • Don’t neglect internal security and key applications