• CHAPTER 10• Voice Security

VoIP Security Requirements:

Integrity:The recipient should receive the packets

that the originator sends without and change to content.

Privacy:A third party should not be able to read the

data

AuthenticityEach party should be confident they are

communicating with whom each claims to be

Availability/Protection from Denial-of ServiceThe VoIP service should be available to

users at all times

Shared-Key:

A common shared-key between users

• Each pair of users must have the same key

• Does not scale well with multiple pairs of users

• The key is used to encrypt the message

• A hash is calculated from the shared key

Asymmetric Key:

Each user has a Private-key as well as a Public-key

• Only the corresponding public-key can decrypt the message that is encrypted with the private-key

• Only the corresponding private-key can decrypt the message that is encrypted with the public-key

• Has a one-to-one relationship between keys

• Keys can be exchanged over an unsecured network

Asymmetric Key:

Phases

• Authentication phase

• Secure communication phase

• CPU-intensive process

• Unique shared secret per session

Digital Signature:

Uses a set of complimentary algorithms for signing and for verification

• A Digital signature is obtained from a Certificate Authority (CA)

• A hash of the message is created with the private key to create a Digital Signature

• Recipient verifies the signature by running a verification algorithm over the message content using the public-key of the sender

Digital Signature continued:

Uses a set of complimentary algorithms for signing and for verification

• Digital signatures provide authentication

• Digital signatures provide message integrity

• Each signature is appended to the message in clear text

• Digital signatures do not provide privacy

Certificate Authority:

The Certificate Authority receives the public-key at the time of key generation.

The Certificate Authority will verify the identity of the sender and issue a certificate

Each device in the system has a public-key of the CA

At the time of contact each system will:• Present its certificate to it’s peer• Each will run a verification• If verified the keys are stored

Public-key:

Common Protocols

• Transport layer Security (TLS) Independent of applications Rides on top of Transport layer protocols Can be used with multiple services

• Record Protocol Lower-layer protocol Provides privacy and integrity Used DES or RC4 for encryption

• Client layer Authenticates Negotiates

TLS:

Public-key:

Common Protocols continued

•Ipsec Uses Authentication Header (AH) Uses Encapsulation Security Payload (ESP) AH provides authentication and integrity ESP provides privacy, authenticity, and

integrity Tunnel-mode

Protects only the payload Header inserted between the Ip header

and the transport layer header (TCP/UDP) Transport-mode

Encapsulates the entire packet Ipsec header is added between the outer

and inner IP headers

Public-key:

Common Protocols continued

•Ipsec

Public-key:

Common Protocols continued

IPsec

Public-key:

Common Protocols continued

IPsec

Public-key:

Common Protocols continued

•Secure Real Time Protocol (SRTP) Integrity Authentication Privacy

Protecting Voice Devices:

•Disable Unused Ports/Services Disable Telnet Disable Trivial File Transport Protocol

•Simple Network management Protocol Use only read-only mode

•Disable Unused Ports on layer 2 switches Administrative shut down

Protecting Voice Devices continued:

•Host-based Intrusion Protection System (HIPS)

Software agent installed on each device Collects information about traffic Information compared against a set of rules System can take preventative action

Terminating application Rate-limit data

Protecting Voice Infrastructure:

•Segmentation VLAN’s IP addressing Traffic types Separate DHCP servers

•Traffic Policing Limit bandwidth to Codec used G.711 is 64 kbps plus overhead Queuing techniques

•802.1x Authentication EAP protocol RADIUS authentication server Layer 2

Protecting Voice Infrastructure continued:

•802.1x Authentication

Protecting Voice Infrastructure continued:

Layer 2 tools

•DHCP Snooping Only allow DHCP offers from known sources Enabled on switches Switch(config)#ip dhcp snooping Switch(config-if)#ip dhcp snooping trust Switch(config-if)#ip dhcp snooping limit

rate [rate] Switch(config)#ip dhcp snooping vlan

number [number] DHCP snooping binding database (IP-to-

MAC)

Protecting Voice Infrastructure continued:

Layer 2 tools

•IP Source Guard Used with DHCP Snooping On untrusted ports only DHCP messages

allowed until DHCP response is received Uses DHCP snooping binding database Per port Installs a Vlan Access Control List (VACL)

Protecting Voice Infrastructure continued:

Layer 2 tools

•Dynamic ARP Inspection Attacker sends it’s own MAC address as a

reply Man-in-the-middle attack Uses the DHCP binding database Drops malicious packets

Protecting Voice Infrastructure continued:

Layer 2 tools

•CAM overflow and Port Security Attacker sends fictitious MAC addresses to

fill CAM table When CAM table is filled switch will forward

packets out all active ports (broadcast) Use port security features Switch(config-if)#switchport port-security

maximum [number]

Protecting Voice Infrastructure continued:

Layer 2 tools

•Circumventing VLANs Uses trunk ports to obtain access 802.1q or ISL Disable DTP on non trunk ports Switch(config-if)#switchport mode access

Protecting Voice Infrastructure continued:

Layer 2 tools

•NIPS Network Based Intrusion Protection System

In series In parallel Examines every packet Does not protect against “Atomic” attacks Delay is a problem for voice

Protecting Voice Infrastructure continued:

Layer 2 tools

•BPDU Guard and Root Guard Exploits Spanning-tree protocol Listens on configured ports for BPDU’s Rogue device tries to become the root

bridge Violation can disable the port Used with portfast Root Guard will port into a root-inconsistent

state Root Guard will allow the device to

participate in spanning-tree

Protecting Voice Infrastructure continued:

Layer 3 tools

•Routing authentication Not available for all protocols Can use simple password Can use Message-digest (MD5) encryption Not available on RIPv1 Shared keys between systems

Protecting Voice Infrastructure continued:

Layer 3 tools

•TCP intercepts Denial of Service attacks Sends multiple “syn” packets Never completes the three-way handshake Uses falsified IP addresses Can limit half-open secessions Intercept mode allows the router to respond

before forwarding packets to client

Protecting Voice Infrastructure:

Security Planning and Policies

•Transitive trust Eliminate re-authentication at each device

•VoIP Protocol-Specific Issues Use of computer based softphones• VLAN’s• Trunking• Double tagging

Protecting Voice Infrastructure continued:

Security Planning and Policies

•Complexity tradeoffs Bandwidth overhead Delay CA cost

•NAT/Firewall Traversal Opens pathways for voice traffic Does not work well with encryption (port

numbers)

•Password and Access Control Minimum length Complexity Equipment access

End of Chapter 10