Secured IP telephony
Secured IP Telephony. © 2008 Aastra Communications, Ltd.
Agenda
» ToIP: risks?
» Security analysis
» Best practices
» Security in the Aastra 5K solution
» Engineering
ToIP: risks
TDM versus ToIP
» TDM = dedicated solution without any link to the IS/IT
– Generally not seen in the company's security policy
– Few applications
– High availability level (>99.99%)
» ToIP
– Shared "transport" network: the IP network
– Deep interaction with the IS/IT solution: ToIP is part of the company processes, and ToIP projects are managed by IS/IT managers
>> ToIP is part of the security policy of all companies
Which risks?
» Call listening-in
– With a TDM solution, physical access to the wiring closet or to the PSTN access (with a sensor) is needed
– No physical access needed with ToIP
» Service degradation: DoS (Denial of Service) or DDoS (Distributed DoS) attacks
– Potential vulnerability to viruses or worms
– New threats from the network world (e.g. SPIT = spam on unified messaging)
– TDM solution availability = 99.998%!
» Fraudulent use of resources
– Same risks as legacy telephony: rights bypassing / abusive calls
Phreaking: example of attack on legacy telephony
» Attacks on access equipment
– Phreaking: scanning of numbers, toll-free numbers
– Voice messaging equipment
– Free telephony
» Inappropriate use of facilities
– Call forward for listening-in and extra billing, resale of telephony resources on the black market, advertising messages, damage to the enterprise image…
» Denial of service
– Busy line, call forward to voicemail (VM)
>> ToIP is concerned too by such attacks
Hacking: example of attack on IP protocols
» Signaling protocols subject to packet injection and listening (UDP = spoofing)
» Network sniffing: classic network analysis to obtain information
» DoS on the signaling flow: bad programming and saturation
» Playing with protocol requests: SIP CANCEL, SIP BYE
» Eavesdropping by capturing the RTP flow (e.g. with Ethereal)
» TFTP and DHCP attacks: bad configuration used to gain access…
>> ToIP is concerned too by such attacks
Phreaking and hacking in real life
» Attack on a VoIP provider to steal minutes
» ~1 M$ of damage
» The attack could have been prevented if « best practices » had been respected.
Security approach
Objectives = CIA + P
» Confidentiality
– No illegal listening / illegal access to the directory
» Integrity
– Service cannot be created, changed, or deleted without authorization
» Availability
– Protection mechanisms guarantee the availability of the service
» Proof (Audit)
– Log of actions / CDR (call detail records)
Equipment
» Confidentiality, Integrity, Availability, and Proof (audit)
(Figure: equipment matrix. Network, common or dedicated to ToIP: LAN, WAN (level 2 & 3), switches, routers. System: call server (IP, ISDN), gateways, network servers (Windows, Unix…). Terminals and applications. Management: management and remote access interfaces.)
End to end security (1/2): global approach
(Figure: end-to-end view. LAN side: call server, servers & applications, signaling, gateway to RTC/RNIS (PSTN/ISDN), legacy phones, WiFi & DECToIP. WAN/Internet side: SIP trunk, remote management, remote working and mobility, SOHO IP phone, CTI.)
End to end security (2/2)
» Same level of protection
– On all equipment
– On all software layers
– End to end
(Figure: protocol stack. Physical layer (Ethernet, ATM), datalink, network (IP), transport (TCP, UDP), application layer (RTP, operating system).)
Best practices
ToIP security elements have to be reliable
» Correct end-to-end integration has an impact on security devices:
– Risks: security level adapted to the security policy
– Architecture: easy integration in the existing infrastructure (evolution of existing security devices, integration with the existing data infrastructure)
– Performance: voice quality is a key factor and should not depend on network load
– Rules: flow control should be easy to implement (firewall, proxy, SBC, …)
>> Security has to be transparent for telephony services
Converged network & security: respect of best practices
» Electrical protection adapted to ToIP security prerequisites
– UPS and battery
– Emergency generator
» LAN/WAN design adapted to ToIP security prerequisites in terms of availability
– Core network redundancy (power supply, CPU)
– L2 redundancy: STP, rapid STP, multiple STP, 802.3ad + proprietary protocols
– VRRP, routing
– Critical provider accesses
Converged network & security: respect of best practices
» Voice flow isolation
– VLAN creation: broadcast limitation and voice flow isolation
– Definition of rules for inter-VLAN filtering: on the router or L3 switch (ACL, VLAN ACL), on the firewall
» Some network services become critical:
– e.g. switches, DHCP server(s), TFTP/FTP server(s)
» Limit and control access to resources
– Call server
– Applications
– Deactivation of unused services
Converged network & security. Example: VLAN ACL
» Objective:
– Prevent ICMP and TCP flooding DoS attacks
» The current generation of switches allows ACLs (Access Control Lists) to be defined inside a VLAN (VLAN ACL)
» IP phones talk to each other only with UDP
» ACL example of implementation in the ToIP phone VLAN:
– Block TCP and ICMP between IP phones
(Figure: LAN with an ACL in the ToIP VLAN, only UDP is permitted between phones; attack shown: ICMP flooding in the voice VLAN.)
Converged network & security. Example: limitation of the number of MAC addresses per port
» Objective:
– Prevent an attack that saturates the switch CAM table by flooding ARP requests with different MAC addresses (CAM overflow attack)
» The current generation of switches allows the number of MAC addresses per port to be limited
» Example: limit to 2 MAC addresses per port
– MAC address of the phone
– MAC address of the PC
(Figure: LAN with switch ports that allow only 2 MAC addresses per port; attack shown: ARP flooding with different MAC addresses using a frame creation tool.)
Converged network & security. Example: limitation of rogue DHCP servers
» Objective:
– Prevent a rogue DHCP server on the network
» The current generation of switches allows some ports to be forbidden from delivering DHCP Offers
» Example
– Forbid sending DHCP Offers on phone ports
(Figure: LAN with a data DHCP server and a voice DHCP server on ports that allow DHCP Offers, and phone ports that block DHCP Offers; attack shown: rogue DHCP server on the LAN.)
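The three switch-level controls of the last three examples (UDP-only VLAN ACL between phones, two MAC addresses per port, DHCP Offers only from trusted ports) can be modelled together to see which frames each one stops. The following is an added example written for this page, not Aastra code and not a real switch configuration: the VLAN ids, subnets, MAC addresses and port names are constructed, and the evaluation order (port security, then DHCP guard, then VLAN ACL) is an assumption of the model.

```python
"""Toy model of three switch-level controls from the slides: a VLAN ACL that only
lets UDP pass between phones, a per-port MAC address limit, and blocking DHCP
Offers on untrusted (phone) ports. Added example; all values are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

VOICE_VLAN = 10                                       # constructed VLAN id
VOICE_SUBNET = ipaddress.ip_network("10.10.0.0/24")   # constructed phone subnet


@dataclass
class Frame:
    port: str          # ingress switch port
    src_mac: str
    vlan: int
    src_ip: str
    dst_ip: str
    proto: str         # "udp", "tcp" or "icmp"
    dhcp_msg: Optional[str] = None   # "offer" when the payload is a DHCP Offer


@dataclass
class VoiceSwitch:
    max_macs_per_port: int = 2                          # the phone plus the PC behind it
    dhcp_trusted_ports: set = field(default_factory=set)
    learned: dict = field(default_factory=dict)         # port -> set of learned MACs

    def _port_security(self, f: Frame) -> Optional[str]:
        macs = self.learned.setdefault(f.port, set())
        if f.src_mac not in macs and len(macs) >= self.max_macs_per_port:
            return "port-security: MAC limit reached"
        macs.add(f.src_mac)
        return None

    def _dhcp_guard(self, f: Frame) -> Optional[str]:
        if f.dhcp_msg == "offer" and f.port not in self.dhcp_trusted_ports:
            return "dhcp-guard: Offer from untrusted port"
        return None

    def _voice_vlan_acl(self, f: Frame) -> Optional[str]:
        if f.vlan != VOICE_VLAN:
            return None
        src, dst = ipaddress.ip_address(f.src_ip), ipaddress.ip_address(f.dst_ip)
        phone_to_phone = src in VOICE_SUBNET and dst in VOICE_SUBNET
        if phone_to_phone and f.proto != "udp":
            return f"vlan-acl: {f.proto} between phones denied"
        return None

    def decide(self, f: Frame) -> tuple:
        """First control that objects wins; otherwise the frame is forwarded."""
        for check in (self._port_security, self._dhcp_guard, self._voice_vlan_acl):
            reason = check(f)
            if reason:
                return ("drop", reason)
        return ("forward", "")


def run_demo() -> list:
    """Replay constructed frames, including the three patterns the slides show
    (ICMP flood in the voice VLAN, MAC flooding, rogue DHCP Offer)."""
    sw = VoiceSwitch(dhcp_trusted_ports={"uplink"})
    frames = [
        Frame("p1", "00:11:22:aa:aa:01", VOICE_VLAN, "10.10.0.11", "10.10.0.12", "udp"),   # RTP phone->phone
        Frame("p1", "00:11:22:aa:aa:01", VOICE_VLAN, "10.10.0.11", "10.10.0.12", "icmp"),  # ICMP flood attempt
        Frame("p1", "00:11:22:aa:aa:01", VOICE_VLAN, "10.10.0.11", "10.10.0.12", "tcp"),   # TCP between phones
        Frame("p1", "00:11:22:aa:aa:01", VOICE_VLAN, "10.10.0.11", "10.20.0.5", "tcp"),    # phone -> call server VLAN
        Frame("p1", "00:11:22:bb:bb:02", 20, "10.20.1.50", "10.20.0.5", "tcp"),            # PC behind the phone
        Frame("p1", "00:11:22:cc:cc:03", 20, "10.20.1.51", "10.20.0.5", "tcp"),            # third MAC on the port
        Frame("p1", "00:11:22:bb:bb:02", 20, "10.20.1.50", "10.20.1.99", "udp", "offer"),  # rogue DHCP Offer
        Frame("uplink", "00:11:22:dd:dd:04", VOICE_VLAN, "10.10.0.1", "10.10.0.11", "udp", "offer"),  # real server
    ]
    return [sw.decide(f) for f in frames]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(verdict, reason)
```

The model deliberately leaves phone-to-call-server TCP alone: the VLAN ACL only concerns traffic between phones, and the inter-VLAN filtering the slides place on the L3 switch or firewall is a separate rule set.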
Converged network & security: LAN design
» Filtering by protocol/ports and/or IP address
– Inter-VLAN routing rules on the L3 device
– ACL on the switch
– Stateful firewall
» Number of MAC addresses limited per port
» All traffic except RTP is forbidden between phones
» DHCP protection
» Authentication and encryption: SSL, sRTP, TLS
» IDS / IPS (Intrusion Detection / Prevention System)
(Figure: LAN design. A logical function (layer 3 switches, routers and/or firewalls) provides filtering and communication between VLANs, with IDPS and FW. L2 VLANs for: call server & gateways, telephony applications, data applications, phones, PCs and data endpoints, admin. On the access layer: MAC filtering and limiting, no DHCP Offer, authentication & ciphering.)
Converged network & security: high level architecture
(Figure: the end-to-end view annotated with the controls. LAN: VLANs around the call server, servers & applications, gateway to RTC/RNIS, legacy phones, WiFi & DECToIP; hardened servers; secure CTI; secure mobility. Towards the WAN/Internet: firewall and encryption for the SIP trunk, remote management and the remote worker over VPN, SOHO IP phone.)
Converged network & security: WAN design
» Protect ToIP resources:
– Voice applications & call server in a DeMilitarized Zone (DMZ)
– Filtering rules
» Virtual Private Network (VPN) managed by the enterprise or the provider
– Encryption
– Authentication
– Proof
» QoS
(Figure: WAN design. Common LAN (VLANs) and telephony DMZ (voice applications, voice DMZ) behind a FW; VPN and QoS towards remote sites carrying ToIP or ToIP + data.)
Converged network & security: remote workers
» Secure access to enterprise resources (firewall, VPN concentrator, UTM)
» Virtual Private Network (VPN) managed by the enterprise or the provider
– Encryption
– Authentication
– Proof
» QoS should be a main concern (especially with ADSL access)
(Figure: same WAN design, with remote workers reaching the enterprise through IPSec client-to-site + softphone, or IPSec site-to-site + IP phone.)
Converged network & security: remote management
» Secure access to enterprise resources (firewall, VPN concentrator, UTM)
» Virtual Private Network (VPN) managed by the enterprise or the provider
– Encryption
– Authentication
– Proof
» Use secure protocols (e.g. HTTPS)
(Figure: same WAN design, with remote management reaching the enterprise through an IPSec client-to-site VPN behind the FW.)
Security in Aastra solution
Aastra 5000: security management everywhere
(Figure: security controls mapped to endpoints, applications and management, following the best practices. SSO; SIP Digest (MD5); Active Directory; Radius (AAA); 802.1x (EAP-MD5); Windows session (NTLM, Kerberos); HTTPS (TLS); server LAN; firewall; IDS/IPS; protected applications; OS hardening; HA; encryption.)
Aastra 5000: securing, high availability
» Aastra 5000 CS: service without any interruption
– Secured Stratus® hardware
– Spatial redundancy without cutting communications
» Aastra IPBX/MGW
– Specific and secured hardware
– Power supply protected by battery
– CPU and power supply redundancy
» « Local survivability » on Aastra IPBX/MGW (services kept)
– Short or external numbering
– Voice guides, announcements
– Transfers, callbacks, alternate, multi-line, monitoring of extensions
– User profile
(Figure: primary and secondary A5000 CS with A5K CC, signaling over the WAN to a switch, IPBX/MGW and IP/SIP phones.)
Availability of ToIP service. Local call handling on the gateway (e.g. WAN failure): dual homing (R5.1B)
(Figure: main site with the A5000 server and its provider; remote site with an X Series gateway, IP phones secured by the gateway (max 500 IP phones on the gateway) and a local provider access.)
1. Nominal mode: managed by the main call servers
2. WAN failure
3. Subscription to the local gateway
4. Dual homing mode: call server function on the gateway
Availability of ToIP service. Local call handling on the gateway: dual homing (R5.1B)
» Same level of services (except access to centralized resources):
– Short or external numbering
– Voice guide, music
– Call forward, call back, alternate, multi-line, supervision
– User profile
» No break of communications during failover (except if the call transits through the WAN)
» No restart of the gateway in case of remote disconnection
» Integrated CDR buffer to save CDRs (tickets) and send them to the CDR server
» Configuration synchronization from the A5k towards the gateway:
– Periodic download of the configuration each day for each set
Availability of ToIP service
» L2 tagging (802.1p/q) and L3 (ToS field, Diffserv) available on all phones
» Call Admission Control embedded in Aastra software on the whole call server & gateway/iPBX range
– QoS does not prevent overloading of the IP link
– Aastra CAC prevents overloading of WAN links with limited bandwidth: codec negotiation according to the load of the links; in case of overload, fallback mechanism, e.g. rerouting by the voice carrier (RTC/RNIS)
Secured IP phones: embedded features (1/2)
» Authentication to the A5k software: phone number & PIN code for log-in/log-out
» Authentication to network access: 802.1X or MAC address
» Integrated switch
– Voice flow tagged in the voice VLAN
– Data flow tagged in the data VLAN
» Optional communication (voice) encryption on SIP 675xi & 53xxIP or I7xx
R5.1B
R5.2
Secured IP phones: embedded features (2/2)
» Self-administration on 67xxi & 53xxIP:
– Password
– Automatic log-out after idle state
» User profile is on the AM7450
» The firmware OS is specific: no known virus
» Secure firmware update
Secured IP phones: focus on 802.1x
» Objective:
– Secured access to the LAN via IP phone authentication (EAP-MD5)
– Relay of 802.1x requests from the PC connected to the integrated switch
(Figure, sequence between the phone, the switch and the authentication server (Radius, backed by LDAP): 1. authentication request EAP-MD5 (802.1x); 2. check login + password; 3. rights; 4. authorization; 5. OK; 6. OK = authenticated connection (DHCP, RTP…). The phone is a transparent relay for the PC's 802.1x exchange and sends EAP-Logoff when the PC is disconnected.)
Secured communications: ToIP encryption (R5.2)
» VoIP encryption
– Encryption based on AES 128 bits
– From the A5k server, encrypted diffusion to: gateways, IP phones I7xx (at each beginning of call), IP phones 53xxIP
– Key defined by the administrator on the A5k server
– Systematic encryption; codec negotiation based on CAC & support of encryption on the devices
– Indication of the encrypted state of the communication on the terminal
(Figure: encryption between gateways, between IP phone & gateway, and between IP phones, keyed from the A5000.)
Secured management (HTTPS, TLS)
» Integrated web manager = Aastra Management Portal
– Secured access by login/password
– Different rights: rights for iPBX configuration, rights for directory management (web based), rights to manage user phones
– Log of accesses
» Aastra Management 7450 (AM7450):
– Rights management / administrator
– Management flows are encrypted
– Gateway and server are authenticated
Secured management (M7450 R2.1)
» Configuration management:
– Backup / restore of user profiles on the AM7450
– Automated backup/restore of CS and GTX configurations
– Automated backup of CS and GTX logs & inventory of active elements
– Configuration audit: numbering plan
– Inventory of IP phones, directory numbers
Aastra 5000 - OS
» Linux community
» Customised and ruggedized Linux OS (OS hardening), no direct access to it
» Unused services are not available: only a few accessible (open) ports
A5k software
» User profile:
– Class of service, e.g. discreet listening rights, call forwards, …
– Access discrimination
– Multi-tenant with filtering between companies (multicompany)
– User password
» Call logging:
– Via CDR & CDR application server
– Performance analysis
– Cut-off of communications after a certain time (parameter)
– Business code
The software
Aastra Communication Portal: secured access
» Secured access to the whole Aastra Communication Portal application via SSO (Single Sign-On)
» User authentication via Windows Active Directory login/password
» Unified user and password management through Windows Server
» Native security and mobility
– Windows login/password
– Virtual desking or free seating (login-logout) from Aastra IP phones
Aastra Communication Portal: secured access (flow)
(Figure, sequence between the user PC, Windows Server, Aastra 5000 and ACP: 1. Windows login/password authentication; 2. check login + password; 3. Windows session is open; 4. ACP is launched (login: Bob, tel: 5656); 5. NTLM authentication; 6. search of user Bob & app/rights; 7. VTI request for number 5656; 7. access OK. 1*: 802.1x (optional) + authentication login/password. * Requests not detailed on the schemes.)
Aastra applications: antivirus support
» Antivirus support on Aastra applications: highly advised
– Respect the prerequisites (cf. LCI)
» ACP
– Scans and updates authorized during idle state (night)
– Scanning of logs not permitted
» UCP
– Directory D:/ not scanned
– Updates during idle state
SIP and security
» MD5 authentication of Aastra SIP phones
» Digest Access Authentication (RFC 2617) via MD5 on the SIP trunk:
– Crossed authentication VoIP provider <-> Aastra 5k
» Embedded Session Border Controller (SBC) for support of NATed environments
(Figure: Aastra Com Server with Session Border Controller, FW, WAN, Voice ISP; MD5 authentication in both directions.)
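The crossed authentication on the trunk is RFC 2617 Digest with MD5 run in both directions: each side challenges the other's INVITE with a nonce and verifies the response. The following is an added example written for this page, not Aastra's or any provider's implementation; realms, usernames, passwords and the URI are constructed, and the replay check (a strictly increasing nonce count per nonce) is the verifier's design choice here. Digest keeps the password off the wire and binds the response to the method and URI; it does not protect the rest of the SIP message, which is why the slides pair it with TLS.

```python
"""RFC 2617 Digest authentication as used on a SIP trunk: one side challenges
with a nonce, the other answers with MD5(HA1:nonce:nc:cnonce:qop:HA2), and the
challenger verifies and rejects replays. Added example; credentials are constructed."""
import hashlib
import hmac
import secrets


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth (the form SIP user agents normally send)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestChallenger:
    """The peer that sends 401/407 and checks the Authorization header."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials        # username -> password (constructed)
        self.nonces = {}                      # nonce we issued -> highest nc accepted

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method, auth):
        """True only for a known user, a nonce we issued, a strictly increasing
        nc (replay protection) and a response matching this method and URI."""
        password = self.credentials.get(auth.get("username"))
        nonce = auth.get("nonce")
        if password is None or nonce not in self.nonces or auth.get("realm") != self.realm:
            return False
        try:
            nc = int(auth["nc"], 16)
        except (KeyError, ValueError):
            return False
        if nc <= self.nonces[nonce]:
            return False
        expected = digest_response(auth["username"], self.realm, password, method,
                                   auth["uri"], nonce, auth["nc"], auth["cnonce"], auth["qop"])
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False
        self.nonces[nonce] = nc
        return True


def build_authorization(username, password, method, uri, challenge, nc=1, cnonce=None):
    """The authenticating peer's Authorization header fields for one request."""
    cnonce = cnonce or secrets.token_hex(8)
    nc_hex = f"{nc:08x}"
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": challenge["qop"], "nc": nc_hex, "cnonce": cnonce,
        "response": digest_response(username, challenge["realm"], password, method, uri,
                                    challenge["nonce"], nc_hex, cnonce, challenge["qop"]),
    }


def mutual_trunk_auth(uri="sip:0123456789@provider.example"):
    """Crossed authentication: the provider challenges the PBX's INVITE and the
    PBX challenges the provider's INVITE, each with its own credential store."""
    provider = DigestChallenger("provider.example", {"pbx-trunk": "pbx-secret"})
    pbx = DigestChallenger("pbx.example", {"provider-trunk": "isp-secret"})
    to_provider = build_authorization("pbx-trunk", "pbx-secret", "INVITE", uri, provider.challenge())
    to_pbx = build_authorization("provider-trunk", "isp-secret", "INVITE", uri, pbx.challenge())
    return provider.verify("INVITE", to_provider), pbx.verify("INVITE", to_pbx)


if __name__ == "__main__":
    print(mutual_trunk_auth())
```

Because the response covers the method, an Authorization header captured from an INVITE cannot be replayed on a BYE, and the per-nonce count stops a straight replay of the same INVITE; a real implementation also expires nonces after a short time.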
Security and wireless solutions
» Aastra DECToIP
– Radio DECT technology natively secured (authentication, encryption)
– QoS integrated in the RFP: L2 (802.1p/q) & L3 (Diffserv)
» WiFi terminal Aastra 312i
– WPA2 support with PSK (Pre-Shared Key) authentication for better performance
– QoS has to be implemented on the network infrastructure (example: mapping SSID / VLAN)
– Light AP solution needed
Checkphone partnership
» Check of the integrity of communications:
– Detection of illegal use of telephony resources
– Differential analysis between configurations, e.g. gain of privileges
» Analysis and filtering: IDPS probe on TDM & IP/SIP trunks
Engineering rules
QoS
» QoS on the LAN: its implementation depends on network load
– 802.1p/q tagging
– Guaranteed bandwidth for the voice flow
– Use of the different queues of the switches: voice flow forwarded in priority
» QoS on the WAN: recommended
– L3 tagging according to the Diffserv model & ToS (type of service) field of the IP header
– L2 & L3 QoS have to be coherent
– L2 & L3 QoS mapping & MPLS class of service (e.g. mapping VLAN <-> class of service)
» Aastra Call Admission Control:
– Load limited "a priori" on links, fallback mechanism in case of congestion
– Embedded on all Aastra equipment
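Call Admission Control, as described here and on the earlier availability slide (codec negotiation according to link load, fallback to the voice carrier on overload), is the piece QoS marking alone cannot provide: marking orders packets, CAC refuses the call that would not fit. The following is an added example written for this page, not Aastra's CAC: link names and the voice budget are constructed, and the per-call bandwidth figures are approximate constructed values (bits per second per direction for 20 ms packets with IP/UDP/RTP and Ethernet overhead), so the numbers, not the method, are the assumption.

```python
"""Call Admission Control on a bandwidth-limited WAN link: each link has an
a-priori voice budget, a new call is admitted with the best codec that still
fits, and when nothing fits the call goes to the fallback (PSTN reroute by the
voice carrier). Added example; per-call figures are constructed approximations."""
from dataclasses import dataclass, field

CODEC_BPS = {"G.711": 87_200, "G.729": 31_200}   # constructed, per direction, 20 ms packets
PREFERENCE = ("G.711", "G.729")                   # best voice quality first


@dataclass
class Link:
    voice_budget_bps: int
    calls: dict = field(default_factory=dict)      # call id -> codec admitted

    def used_bps(self) -> int:
        return sum(CODEC_BPS[c] for c in self.calls.values())


class CallAdmissionControl:
    def __init__(self, links):
        self.links = links                          # link name -> Link

    def admit(self, link_name, call_id):
        """Return ("admit", codec) or ("fallback", "PSTN") for a new call."""
        link = self.links.get(link_name)
        if link is None:
            raise KeyError(f"unknown link {link_name!r}")
        if call_id in link.calls:
            return ("admit", link.calls[call_id])   # idempotent re-request
        free = link.voice_budget_bps - link.used_bps()
        for codec in PREFERENCE:                    # negotiate the codec against the load
            if CODEC_BPS[codec] <= free:
                link.calls[call_id] = codec
                return ("admit", codec)
        return ("fallback", "PSTN")                 # congested: reroute via the voice carrier

    def release(self, link_name, call_id):
        """Call ended: give its bandwidth back to the link."""
        self.links[link_name].calls.pop(call_id, None)

    def utilisation(self, link_name) -> float:
        link = self.links[link_name]
        return link.used_bps() / link.voice_budget_bps


def run_demo():
    """Five calls on a remote-site link with a 210 kbps voice budget."""
    cac = CallAdmissionControl({"remote-site-A": Link(voice_budget_bps=210_000)})
    decisions = [cac.admit("remote-site-A", f"call-{i}") for i in range(1, 5)]
    cac.release("remote-site-A", "call-1")           # first call hangs up
    decisions.append(cac.admit("remote-site-A", "call-5"))
    return decisions


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

In the demo the third call is downgraded to G.729 because G.711 no longer fits, the fourth is rerouted to the PSTN, and once the first call is released a new call gets G.711 again; that is the "load limited a priori, fallback on congestion" behaviour the slide names.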
SNEC tool
» SNEC (Succession Network Engineering Configuration)
» Complete engineering tool used during the presales phase
– Traffic modelling
– Voice quality
– Bandwidth and network planning
– End-to-end validation
» Version 2 integrates new features:
– VPN: IPSec, L2TP, PPTP
– xDSL links
Encrypted VoIP: performance
» No impact on voice communication (delay…)
» Some constraints linked to processing
Tools
» Ports (TCP/UDP) used in Aastra solutions: http://support.nexspan.net/mkg/mcdfr/
» SNEC tool (bandwidth, jitter, delay, …): http://support.nexspan.net/mkg/mcdfr/
» Technical information (supported antivirus, configuration): http://support.nexspan.net/support/lci/lci.php?l=fr
» Patch management: http://support.nexspan.net/extra/Support/patch/index.php?lang=fr&target