CHAPTER 10: Voice Security
VoIP Security Requirements:
• Integrity: The recipient should receive the packets that the originator sends without any change to content.
• Privacy: A third party should not be able to read the data.
• Authenticity: Each party should be confident they are communicating with whom each claims to be.
• Availability/Protection from Denial of Service: The VoIP service should be available to users at all times.
Shared-Key:
A common shared-key between users
• Each pair of users must have the same key
• Does not scale well with multiple pairs of users
• The key is used to encrypt the message
• A hash is calculated from the shared key
Asymmetric Key:
Each user has a Private-key as well as a Public-key
• Only the corresponding public-key can decrypt the message that is encrypted with the private-key
• Only the corresponding private-key can decrypt the message that is encrypted with the public-key
• Has a one-to-one relationship between keys
• Keys can be exchanged over an unsecured network
Asymmetric Key:
Phases
• Authentication phase
• Secure communication phase
• CPU-intensive process
• Unique shared secret per session
Digital Signature:
Uses a set of complementary algorithms for signing and for verification
• A Digital signature is obtained from a Certificate Authority (CA)
• A hash of the message is created with the private key to create a Digital Signature
• Recipient verifies the signature by running a verification algorithm over the message content using the public-key of the sender
Digital Signature continued:
Uses a set of complementary algorithms for signing and for verification
• Digital signatures provide authentication
• Digital signatures provide message integrity
• Each signature is appended to the message in clear text
• Digital signatures do not provide privacy
Certificate Authority:
The Certificate Authority receives the public-key at the time of key generation.
The Certificate Authority will verify the identity of the sender and issue a certificate
Each device in the system has a public-key of the CA
At the time of contact each system will:
• Present its certificate to its peer
• Each will run a verification
• If verified the keys are stored
Public-key:
Common Protocols
• Transport Layer Security (TLS)
  Independent of applications
  Rides on top of transport layer protocols
  Can be used with multiple services
• Record Protocol
  Lower-layer protocol
  Provides privacy and integrity
  Uses DES or RC4 for encryption
• Client layer
  Authenticates
  Negotiates
TLS: (diagram slide)
Public-key:
Common Protocols continued
• IPsec
  Uses Authentication Header (AH)
  Uses Encapsulating Security Payload (ESP)
  AH provides authentication and integrity
  ESP provides privacy, authenticity, and integrity
  Transport-mode
    Protects only the payload
    Header inserted between the IP header and the transport layer header (TCP/UDP)
  Tunnel-mode
    Encapsulates the entire packet
    IPsec header is added between the outer and inner IP headers
Public-key:
Common Protocols continued
• IPsec (diagram slides)
Public-key:
Common Protocols continued
• Secure Real-time Transport Protocol (SRTP)
  Integrity
  Authentication
  Privacy
Protecting Voice Devices:
• Disable Unused Ports/Services
  Disable Telnet
  Disable Trivial File Transfer Protocol (TFTP)
• Simple Network Management Protocol (SNMP)
  Use only read-only mode
• Disable Unused Ports on layer 2 switches
  Administrative shut down
Protecting Voice Devices continued:
• Host-based Intrusion Protection System (HIPS)
  Software agent installed on each device
  Collects information about traffic
  Information compared against a set of rules
  System can take preventative action
    Terminating application
    Rate-limit data
Protecting Voice Infrastructure:
• Segmentation
  VLANs
  IP addressing
  Traffic types
  Separate DHCP servers
• Traffic Policing
  Limit bandwidth to Codec used
  G.711 is 64 kbps plus overhead
  Queuing techniques
• 802.1x Authentication
  EAP protocol
  RADIUS authentication server
  Layer 2
Protecting Voice Infrastructure continued:
• 802.1x Authentication (diagram slide)
Protecting Voice Infrastructure continued:
Layer 2 tools
• DHCP Snooping
  Only allow DHCP offers from known sources
  Enabled on switches
    Switch(config)#ip dhcp snooping
    Switch(config-if)#ip dhcp snooping trust
    Switch(config-if)#ip dhcp snooping limit rate [rate]
    Switch(config)#ip dhcp snooping vlan number [number]
  DHCP snooping binding database (IP-to-MAC)
Protecting Voice Infrastructure continued:
Layer 2 tools
• IP Source Guard
  Used with DHCP Snooping
  On untrusted ports only DHCP messages allowed until DHCP response is received
  Uses DHCP snooping binding database
  Per port
  Installs a VLAN Access Control List (VACL)
Protecting Voice Infrastructure continued:
Layer 2 tools
• Dynamic ARP Inspection
  Attacker sends its own MAC address as a reply
  Man-in-the-middle attack
  Uses the DHCP binding database
  Drops malicious packets
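How the three layer 2 tools on the DHCP Snooping, IP Source Guard and Dynamic ARP Inspection slides fit together, as an added example (a constructed model, not switch code): snooping fills a per-port IP-to-MAC binding from offers seen on trusted ports only, and the other two checks consult that binding on untrusted ports. Port names, MACs and addresses are made up; a real binding database is also keyed by VLAN and lease time.

```python
# Constructed model (added example) of the layer 2 checks described on the slides:
# DHCP snooping builds an IP-to-MAC binding per port; IP Source Guard and Dynamic
# ARP Inspection consult that binding on untrusted ports.
class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports facing the real DHCP server
        self.bindings = {}                  # port -> (client_mac, leased_ip)

    def on_dhcp_offer(self, ingress_port, client_port, client_mac, offered_ip):
        """DHCP snooping: only offers from trusted ports are accepted and recorded."""
        if ingress_port not in self.trusted:
            return "dropped: DHCP offer on untrusted port"
        self.bindings[client_port] = (client_mac, offered_ip)
        return "binding installed"

    def ip_source_guard(self, port, src_mac, src_ip, is_dhcp=False):
        """Untrusted port passes only DHCP until bound, then only the bound (MAC, IP)."""
        if port in self.trusted:
            return True
        if port not in self.bindings:
            return is_dhcp
        return self.bindings[port] == (src_mac, src_ip)

    def arp_inspection(self, port, sender_mac, sender_ip):
        """DAI: an ARP reply on an untrusted port must match that port's binding."""
        if port in self.trusted:
            return True
        return self.bindings.get(port) == (sender_mac, sender_ip)


def demo():
    """Walk a phone through its lease, then a spoofed ARP reply from another port."""
    sw = SnoopingSwitch(trusted_ports={"Gi1/0/24"})
    events = []
    # A rogue DHCP offer arriving on an access port is dropped.
    events.append(sw.on_dhcp_offer("Gi1/0/2", "Gi1/0/1", "0011.2233.4455", "10.1.1.20"))
    # Before any lease, the phone may send DHCP but nothing else.
    events.append(sw.ip_source_guard("Gi1/0/1", "0011.2233.4455", "0.0.0.0", is_dhcp=True))
    events.append(sw.ip_source_guard("Gi1/0/1", "0011.2233.4455", "10.1.1.20"))
    # A legitimate offer from the trusted uplink installs the binding.
    events.append(sw.on_dhcp_offer("Gi1/0/24", "Gi1/0/1", "0011.2233.4455", "10.1.1.20"))
    events.append(sw.ip_source_guard("Gi1/0/1", "0011.2233.4455", "10.1.1.20"))
    # A host on Gi1/0/2 claiming the phone's IP in an ARP reply is dropped by DAI.
    events.append(sw.arp_inspection("Gi1/0/2", "aaaa.bbbb.cccc", "10.1.1.20"))
    events.append(sw.arp_inspection("Gi1/0/1", "0011.2233.4455", "10.1.1.20"))
    return events
```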
Protecting Voice Infrastructure continued:
Layer 2 tools
• CAM overflow and Port Security
  Attacker sends fictitious MAC addresses to fill CAM table
  When CAM table is filled switch will forward packets out all active ports (broadcast)
  Use port security features
    Switch(config-if)#switchport port-security maximum [number]
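The CAM overflow slide in working form, as an added example (a constructed switch model, not vendor code): with a full CAM table the switch cannot learn the call server's MAC and floods the phone's frames out every port, while a per-port maximum like the `switchport port-security maximum` command above shuts the offending port before the table fills. Port names, MACs and the capacity of 8 entries are made up.

```python
# Constructed model (added example) of a switch CAM table: when the table is full an
# unknown destination is flooded out every port; port security caps MACs per port.
class Switch:
    def __init__(self, ports, cam_capacity, max_per_port=None):
        self.ports = list(ports)
        self.capacity = cam_capacity
        self.max_per_port = max_per_port   # None: port security disabled
        self.cam = {}                      # mac -> port
        self.err_disabled = set()

    def learn(self, port, src_mac):
        """Source-MAC learning with the port-security maximum enforced first."""
        if port in self.err_disabled:
            return "dropped: port err-disabled"
        if src_mac in self.cam:
            return "known"
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_per_port:
                self.err_disabled.add(port)   # violation: shut the port down
                return "violation: port err-disabled"
        if len(self.cam) >= self.capacity:
            return "not learned: CAM full"
        self.cam[src_mac] = port
        return "learned"

    def forward(self, ingress, dst_mac):
        """Known destination goes to one port; unknown is flooded to all others."""
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]
        return [p for p in self.ports if p != ingress and p not in self.err_disabled]


def cam_overflow_demo(port_security_max=None):
    """Flood Fa0/1 with fictitious MACs, then see where a phone-to-PBX frame goes."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=8, max_per_port=port_security_max)
    sw.learn("Fa0/2", "0011.2233.4455")                 # the phone, learned before the flood
    results = [sw.learn("Fa0/1", "0000.0000.%04x" % i) for i in range(10)]
    pbx_learn = sw.learn("Fa0/3", "00aa.bbcc.dd01")     # call server tries to be learned
    egress = sw.forward("Fa0/2", "00aa.bbcc.dd01")      # phone sends to the call server
    return results, pbx_learn, egress
```

Without port security the frame is flooded to Fa0/1 as well, which is what lets the flooding host listen in; with a maximum of 2 it reaches only Fa0/3.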
Protecting Voice Infrastructure continued:
Layer 2 tools
• Circumventing VLANs
  Uses trunk ports to obtain access
  802.1q or ISL
  Disable DTP on non-trunk ports
    Switch(config-if)#switchport mode access
Protecting Voice Infrastructure continued:
Layer 2 tools
• NIPS (Network-Based Intrusion Protection System)
  In series
  In parallel
  Examines every packet
  Does not protect against "Atomic" attacks
  Delay is a problem for voice
Protecting Voice Infrastructure continued:
Layer 2 tools
• BPDU Guard and Root Guard
  Exploits Spanning-tree protocol
  Listens on configured ports for BPDUs
  Rogue device tries to become the root bridge
  Violation can disable the port
  Used with portfast
  Root Guard will put the port into a root-inconsistent state
  Root Guard will allow the device to participate in spanning-tree
Protecting Voice Infrastructure continued:
Layer 3 tools
• Routing authentication
  Not available for all protocols
  Can use simple password
  Can use Message-digest (MD5) encryption
  Not available on RIPv1
  Shared keys between systems
Protecting Voice Infrastructure continued:
Layer 3 tools
• TCP intercepts
  Denial of Service attacks
    Sends multiple "syn" packets
    Never completes the three-way handshake
    Uses falsified IP addresses
  Can limit half-open sessions
  Intercept mode allows the router to respond before forwarding packets to client
Protecting Voice Infrastructure:
Security Planning and Policies
• Transitive trust
  Eliminate re-authentication at each device
• VoIP Protocol-Specific Issues
  Use of computer-based softphones
  VLANs
  Trunking
  Double tagging
Protecting Voice Infrastructure continued:
Security Planning and Policies
• Complexity tradeoffs
  Bandwidth overhead
  Delay
  CA cost
• NAT/Firewall Traversal
  Opens pathways for voice traffic
  Does not work well with encryption (port numbers)
• Password and Access Control
  Minimum length
  Complexity
  Equipment access
End of Chapter 10