1 / 33

VoIP Security Presentation

sheba
Télécharger la présentation

VoIP Security Presentation

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. VoIP Security Presentation

    3. VoIP Introduction VoIP Vendors Security Concerns Structural security issues Implementation security issues Security Checklist Alleviate structural issues Proper implementation procedures Agenda

    4. VoIP Introduction Protocols SIP H323 IAX SKINNY MGCP Network Setup ToS/QoS NAT/STUN CODECS G711u G729 GSM FoIP T.38 G711u

    5.

    6.

    8. Major VoIP Vendors Service Provider/Large Enterprise Broadsoft Sylantro Cisco Call Manager Enterprise/Large Business Cisco Call Manager Avaya Broadsoft Asterisk (Few Vendors) Small Business Cisco CME (Call Manager Express) Asterisk (Many Vendors)

    9. VoIP Security Tools Ethereal (http://www.ethereal.com) Packet Sniffer RTP Stream Decoder Cain (http://www.oxid.it) ARP spoofing Packet Sniffer RTP Playback SiVuS (http://www.vopsecurity.org/html/tools.html) VoIP Vulnerability Scanner General Purpose VoIP packet generation, spoofing, testing tool.

    10. VoIP Security Concerns VoIP Protocols and Media Not Encrypted No Centralized Username/Password Management Many devices configured with default passwords (phones, analog adapters, SIP Accounts, etc) VoIP System becomes central point of convergence for Data, Network services, and voice. VoIP Depends on unsecured network services (TFTP/FTP) Social Engineering Concerns VoIP Systems open new line of communication from outside world (PSTN) into network services.

    11. VoIP is not Encrypted Cisco is one of few vendors currently supporting SRTP encryption of voice media streams (Call Manager 4.1, SKINNY protocol). It is not enabled by default, and works only with supported phones. SRTP is not secured for use across the public internet. The SRTP headers may be exposed, rendering the encryption useless. When using VoIP across the public internet use VPN technology to secure your calls. Intraoffice VoIP can be secured by using a separate network or VLAN for Voice traffic if SRTP is not available.

    12. SIP/RTP Interception Demonstration of Call Interception ..

    13. Default Administration Passwords VoIP handsets can be locally configured, and have default administration credentials which are easily found on the internet. With these credentials users can change their extension number, codec settings, and much more.

    14. Registration Spoofing Can Cause effective DoS attack. Can be used to masquerade as someone else. Attack performed by reconfiguring a phone to have the same SIP user id as another phone. Could be massively applied to redirect all calls for entire enterprise to a different entity.

    16. No Centralized User Management No Vendor supports integration to directory services for SIP user management ( Unless external Radius Authentication is used). Some systems may store username/passwords in unencrypted flat files, or unencrypted databases. With a SIP username and password, a person can masquerade as someone else. Because there is no centralized management, maintenance is difficult. This causes people to use a single username and password for all phones, or use a person's extension number as both username and password.

    17. VoIP Center of Communication VoIP Systems allow easy integration of multiple services. VoIP System must communicate with many different network services. This can create a central store of credentials, which if compromised could grant access to many systems.

    18.

    19. VoIP Depends on TFTP/FTP TFTP and FTP are unencrypted protocols. Many VoIP phones use these protocols for automated configuration and software updates. A user on the network could upload a bad software load for all of the phones, causing them to crash, lose features, or even cause them to brick. A malicious user could upload bad configuration files for phones, causing similar problems. Also they could use this means to perform spoofing attacks mentioned earlier. Both Polycom and Cisco require that the configuration directory be writeable as they use the directory to upload log information as well as per phone configuration overrides.

    20. Social Engineering with VoIP Caller ID Spoofing Make Called Party think you are someone else Attempt to gain information or access that you shouldn't have Incoming Call Spoofing Make Calling Party believe you are someone else Gain information you shouldn't have Outgoing Call Redirection If VoIP System is breached, attacker could redirect an outgoing call to himself to gain information.

    21. New Public Access Avenue Integrated VoIP Systems open your network to a new public access mechanism namely the PSTN. If Dialplans, IVRs and Menus are not properly implemented, attackers can gain access to private information or system resources.

    24. VoIP Security Solutions

    25. Encrypt VoIP Traffic Where ever possible encrypt VoIP Traffic with VPN technologies. If VoIP is implemented on a corporate LAN use SRTP if it is available, if not, attempt to segregate VoIP traffic from normal data traffic using either VLANs or a completely separate physical network. If Cisco Call Manager is in use, use the latest version that supports encryption, and enable said encryption.

    26. Use Unique Username/Password Phones should be configured with non-default administrative passwords. Enable authentication on SIP accounts. SIP accounts should use unique usernames and passwords (not just extension numbers). Because of the lack of centralized management this is cumbersome to implement but worth it.

    27. Secure VoIP System Ensure that VoIP System is not accessible from public internet. Use good passwords on all accounts on VoIP System. All integration with external systems should be achieved using encrypted protocols and passwords. Store as few passwords as possible on VoIP System.

    28. Secure VoIP Configuration If phone configuration relies on FTP (Polycom) use non-default username/password for FTP account. If phone configuration relies on TFTP you must implement an auditing process of the configuration files. Unfortunately, because these protocols are unencrypted, a determined user can gain access to these directories and reconfigure phones pretty much at will using techniques already discussed. Internal Firewalls/ACLs should be configured to block telnet and http traffic from reaching voice VLANs or subnets. Notes.Notes.

    29. Social Engineering Resolution VoIP Social Engineering is no different from other social engineering issues already known. Users need to be trained on proper procedure, and must not violate procedure based on any trust factors that may be introduced. Spoofing CallerID and Called Party information with VoIP is very easy. Users must be trained not to trust CallerID. VoIP Systems should have security audits often to ensure that the system has not been compromised allowing a malicious user to redirect outbound calls.

    30. Secure All Access Avenues VoIP Integration projects often open database, CRM, customer information, or employee information to access from the PSTN. All PSTN access routes should be guarded by PINs at the very least. PINs should not be empty or set to a default. All configuration menus should be guarded by PINs/passwords.

    32. Questions & Answers

    33. www.singlepointnetworks.com

More Related