VoIP Threats & Counter Measures

Page 1: Voip Threats & Counter Measures

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net

VoIP Threats and Countermeasures

Interop NY – Sept 19, 2006
Gregory M. Lebovitz, [email protected]

Page 2: Voip Threats & Counter Measures


VoIP Security Threats and Security Threat Ramifications

• Threat: Unauthorized access to PBX or voice mail system. Ramification: hacker listens to voice mails, accesses call logs, company directories, etc.
• Threat: DoS attack on PBX, IP phone or gateway. Ramification: all voice communications fail.
• Threat: Toll fraud. Ramification: hacker utilizes PBX for long-distance calling, increasing costs.
• Threat: Eavesdropping or man-in-the-middle attack. Ramification: voice conversations unknowingly intercepted and altered.
• Threat: Worms/trojans/viruses on IP phones, PBX. Ramification: infected PBX and/or phones rendered useless, spread problems throughout network.
• Threat: IP phone spam. Ramification: lost productivity and annoyance.

Top Security Concerns

(Bar chart labelled "Major Concern", scale 0% to 70%, one bar per item below.)

• IP PBX DoS attacks
• IP PBX hacking
• Back door to corporate network
• Voice intercept on WAN
• All LAN segments have voice access

Page 3: Voip Threats & Counter Measures


VoIP Service Issues and Ramifications

• Issue: Poor quality voice (clicks, echo, noise). Ramifications: unable to communicate with others; less productivity.
• Issue: Failure to connect/get service/make calls. Ramification: customer dissatisfaction.
• Issue: Calls get dropped intermittently. Ramification: customer dissatisfaction.
• Issue: Calls not completed during high traffic times. Ramification: unable to communicate with others.

Voice Quality and Service Issues

• Latency
• Jitter
• Packet loss

Page 4: Voip Threats & Counter Measures


Interoperability Issues and Ramifications

• Issue: Multi-vendor equipment to get best in class solution. Ramification: need for constant attention, upgrades and service disruption.
• Issue: New and evolving protocols. Ramification: service disruption due to configuration, testing and ongoing maintenance of systems.
• Issue: Proprietary implementations of protocols by vendors. Ramification: interoperability issues among vendors, resulting in poor quality, dropped calls, or inability to set up call.

Interoperability Issues

(Diagram: multi-vendor solution components.)

• Best in class multi-vendor components
• Evolving protocols
• Service provider interoperability

Page 5: Voip Threats & Counter Measures


Security through Firewall ALGs

VoIP Security Challenge
• Traditional firewall solutions open a range of ports for VoIP support
• Exposes the network to possible security risks, as open ports can be exploited

SIP, H.323, and MGCP ALGs minimize network security risk
• ALGs dynamically open/close media ports for the call duration, based on the negotiations observed in signaling
• NAT, route, or transparent deployment

(Diagram: two deployments, each with an EndPoint, a Call Processing Server, and separate Signaling and Media paths. "Port Range": wide range of ports, undue exposure. "VoIP Aware - ALG": dynamic pinholes.)

Page 6: Voip Threats & Counter Measures


Address Translation: The Unintelligent Way, Application Blind

(Diagram: Voice over Broadband (cable, DSL). A SIP phone 10.10.10.117 and an MGCP IAD 10.0.0.1 with a POTS phone sit behind a Cable/DSL modem 198.134.45.2 and a Router/Data FW/NAT 194.90.133.115, reaching the VoIP service provider's Softswitch, Media Gateway, Application Server and Media Server across the IP network.)

Some NAT/Firewalls NAT IP but not SIP & SDP.

Decoded INVITE as it leaves the NAT: the outer IP header has been translated, while the SIP headers and the SDP still carry the private address 10.10.10.117:

    Internet Protocol
    Source: 194.90.133.115
    Destination: 194.90.133.116
    User Datagram Protocol
    Source port: 61455
    Destination port: 5060
    Session Initiation Protocol
    Request-Line: INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP 10.10.10.117:5060
    From: sip:[email protected]
    To: sip:[email protected]
    Contact: <sip:[email protected]:5060>
    Session Description Protocol Version (v): 0
    Owner Address: 10.10.10.117
    Connection Address: 10.10.10.117
    Media Port: 20304
    Media Proto: RTP/AVP

Page 7: Voip Threats & Counter Measures


Address Translation: Application Aware NAT

(Diagram: Voice over Broadband (cable, DSL). The SIP phone 10.10.10.117 sits behind a Router/Data FW/NAT at 194.90.81.144; a VF-4000 session border controller fronts the VoIP service provider's Softswitch, Media Gateway, Application Server and Media Server across the IP network.)

Need to perform application-level NAT: the addresses and ports inside the SIP headers and the SDP must be rewritten, not just the IP header. The slide repeats the decoded INVITE from the previous slide and overlays the translated values: Via becomes 194.90.81.144:54101, Contact becomes @194.90.81.144:54101, Owner Address and Connection Address become 194.90.81.144, and Media Port becomes 62101.
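The two address-translation slides show the problem (only the IP header is translated) and the fix (the signaling and the SDP are rewritten as well). The Python below is an added example, not Juniper or VF-4000 code: it rebuilds the slide's INVITE, reports private addresses left inside the payload, derives the media pinholes an ALG would open from the SDP, and applies the application-level rewrite. The SIP user names are constructed because the slide redacts them; the outside address and the mapped ports are the slide's.

```python
"""Application-aware NAT for SIP/SDP (added example, not Juniper/VF-4000 code).
The INVITE mirrors the slide's decoded packet; the user names are constructed
because the slide redacts them.  Outside address and ports are the slide's."""
import re

PRIVATE_IP, PUBLIC_IP = "10.10.10.117", "194.90.81.144"
SIG_PORT, MEDIA_PORT = 54101, 62101      # ports the NAT assigned on the slide

INVITE = (  # constructed from the slide's packet decode
    "INVITE sip:bob@sp.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.10.117:5060\r\n"
    "From: sip:alice@sp.example\r\n"
    "To: sip:bob@sp.example\r\n"
    "Contact: <sip:alice@10.10.10.117:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 10.10.10.117\r\n"
    "c=IN IP4 10.10.10.117\r\n"
    "m=audio 20304 RTP/AVP 0\r\n"
)

# RFC 1918 ranges; a hit inside SIP/SDP means the far end will answer to an
# unroutable address, so the call sets up but carries no media (one-way audio).
RFC1918 = re.compile(r"\b(?:10\.\d{1,3}(?:\.\d{1,3}){2}|192\.168(?:\.\d{1,3}){2}|"
                     r"172\.(?:1[6-9]|2\d|3[01])(?:\.\d{1,3}){2})\b")

def leaked_private_addresses(msg):
    """What an IP-header-only NAT leaves behind: private addresses in the payload."""
    return sorted(set(RFC1918.findall(msg)))

def media_pinholes(msg):
    """Pinholes an ALG opens from the SDP: the RTP port and RTP+1 for RTCP."""
    ip = re.search(r"^c=IN IP4 (\S+)", msg, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+) ", msg, re.M).group(1))
    return {(ip, port), (ip, port + 1)}

def alg_rewrite(msg):
    """Application-level NAT: rewrite Via, Contact and the SDP o=/c=/m= lines."""
    msg = msg.replace(f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060",
                      f"Via: SIP/2.0/UDP {PUBLIC_IP}:{SIG_PORT}")
    msg = msg.replace(f"@{PRIVATE_IP}:5060>", f"@{PUBLIC_IP}:{SIG_PORT}>")  # Contact
    msg = re.sub(r"^(o=.* IN IP4 )\S+", rf"\g<1>{PUBLIC_IP}", msg, flags=re.M)
    msg = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {PUBLIC_IP}", msg, flags=re.M)
    msg = re.sub(r"^m=audio \d+ ", f"m=audio {MEDIA_PORT} ", msg, flags=re.M)
    return msg
```

Running `leaked_private_addresses` on traffic leaving a NAT is a quick check for the application-blind case the first slide describes; after `alg_rewrite` it returns nothing.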

Page 8: Voip Threats & Counter Measures


Network Isolation: Call Processing Subnet

(Diagram: Large Central Site with Internal Data Network, DMZ, Call Processing Subnet, PoE Switch and Internal VoIP End-Point Network, connected to the PSTN and to a Secure and Assured Infrastructure.)

• Redundant security devices for failover and high availability
• Router - QoS policy and scheduling
• Scalable VPN supporting thousands of connections
• ALG technology to extend corporate VoIP
• MPLS TE passed to provider MPLS network
• Zone architecture for intra/inter zones with policy enforcement

Page 9: Voip Threats & Counter Measures


Voice Eavesdropping Prevention

VoIP Security Challenge
• Protecting VoIP calls from eavesdropping
• Ensuring privacy of VoIP conversations

Encrypted VoIP Solution
• Encrypt VoIP connections with site-to-site VPN (AES) to prevent eavesdropping
• Hide signaling

(Diagram: IP PBX in the Corporate Network and IP PBX in the Branch Office, connected by a VPN Tunnel.)

Page 10: Voip Threats & Counter Measures


Unauthorized Use Prevention

VoIP Security Challenge
• Toll fraud and unauthorized use
• "Man in the middle" or SIP based DoS attacks
• Intercepting signaling in transit to "sniff" calls

Secure VoIP Solution
• Block or throttle illegitimate calls at the source, to ensure legitimate signaling and media can pass
• Policy-based access control for SIP, H.323, and MGCP
• Ensures appropriate access controls are applied to the signaling and media

(Diagram: User Repository with the entries User: Jane Jones, User: IP Address xxx.x.x.xxx, User: John Doe.)

Page 11: Voip Threats & Counter Measures


IPS for VoIP

• Stateful signature and protocol anomaly detection for the SIP protocol
• Protocol anomaly detection for H.323
• IPS decode for the SIP VoIP protocol
• A library of anomaly definitions that flags potential attacks and allows the traffic to be blocked or alerts to be sent
• Blocking if deployed "inline", alerting if deployed "passively"

Market Significance
• Addresses VoIP attacks at layers 4 through 7, including application layer vulnerabilities as they are discovered
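Protocol anomaly detection works without a signature for the specific attack: it checks each request against what the protocol specification permits. The Python below is an added example, not Juniper IDP code; it applies a few SIP checks of that kind (mandatory headers, CSeq method agreeing with the request method, numeric Max-Forwards, a header-size limit) to constructed sample requests. The rule set, the size limit and the sample messages are assumptions for illustration.

```python
"""SIP protocol-anomaly checks of the kind an IPS applies alongside signatures
(added example, not Juniper IDP code).  Mandatory headers and the CSeq/method
rule follow RFC 3261; the size limit and the sample messages are constructed."""
import re

MANDATORY = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}
MAX_HEADER_LEN = 1024        # constructed: oversized header values are a classic anomaly

def parse_request(msg):
    """Split a SIP request into its request line and a name -> [values] header map."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip(), []).append(value.strip())
    return lines[0], headers

def anomalies(msg):
    """Names of every rule the request violates; an empty list means it passes."""
    request_line, headers = parse_request(msg)
    found = []
    m = re.fullmatch(r"([A-Z]+) (\S+) SIP/2\.0", request_line)
    if not m or m.group(1) not in METHODS:
        found.append("bad-request-line")
    found += [f"missing-{h}" for h in MANDATORY if h not in headers]
    if "Max-Forwards" in headers and not headers["Max-Forwards"][0].isdigit():
        found.append("bad-max-forwards")
    if m and "CSeq" in headers:           # CSeq method must equal the request method
        parts = headers["CSeq"][0].split()
        if len(parts) != 2 or not parts[0].isdigit() or parts[1] != m.group(1):
            found.append("cseq-method-mismatch")
    if any(len(v) > MAX_HEADER_LEN for vals in headers.values() for v in vals):
        found.append("oversized-header")
    return found

GOOD_INVITE = (  # constructed, well-formed request
    "INVITE sip:bob@sp.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.10.117:5060\r\n"
    "From: sip:alice@sp.example;tag=1\r\nTo: sip:bob@sp.example\r\n"
    "Call-ID: abc@10.10.10.117\r\nCSeq: 1 INVITE\r\nMax-Forwards: 70\r\n\r\n"
)
# constructed malformed request: no Max-Forwards, CSeq names another method,
# and a Via value padded far beyond any legitimate length
BAD_REQUEST = (GOOD_INVITE.replace("Max-Forwards: 70\r\n", "")
               .replace("CSeq: 1 INVITE", "CSeq: 1 REGISTER")
               .replace("UDP 10.10.10.117:5060", "UDP " + "A" * 1100))
```

Inline, a non-empty result from `anomalies` is what the slide calls blocking; passively, it is the alert.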

Page 12: Voip Threats & Counter Measures


Session Border Controllers (SBC)

Carriers and service providers are increasingly providing VoIP as a new and enhanced service
• WW VoIP Carrier Equipment = $1.7B in 2004 (+36% over 2003)
• $5.9B by 2008

SBCs are primarily deployed at the network edge to facilitate the secure & reliable flow of real-time IP traffic across network boundaries.
• Number of service providers purchasing SBCs went from 31% in ’03 to 81% in ’04 (Infonetics)

SBCs enable VoIP and real time IP services for:
• Carrier-to-carrier peering
• Carrier-to-enterprise service
• Carrier-to-consumer service

SBCs address the issues of:
• Address translation
• Service assurance (QoS)
• Regulatory compliance (E-911, CALEA)

Page 13: Voip Threats & Counter Measures


Primary VoIP Border Issues

(Diagram: VoIP Service Provider core with Softswitch, Media Gateway, Application Server, Media Server and OSS, plus a Class 5 Switch towards the POTS and the SS7 IN network. Borders shown: Carrier to Enterprise (IP PBX, Router, SIP/H.323 phones and endpoints); Carrier to SOHO/Residential (Data FW/NAT, Cable/DSL modem, MGCP IAD, POTS phone, Voice over Broadband); Hosted IP Centrex for an SME; Wireless/Mobile base station with wireless IP phones and mobile phones; Carrier to Carrier peering and Wholesale VoIP with another carrier's Softswitch and Media Gateway.)

Network Security
• DoS attacks
• Service theft
• Fraud
• Topology hiding

Address Translation
• Conversion of private/public IP addresses
• Firewalls challenged by small signaling/media packets
• VoIP protocols not understood by firewall

Service Assurance
• Quality of service
• Admission enforcement
• Lack of reporting
• Firewall/NAT issues
• VPN/VLAN mappings

Regulatory Compliance
• E-911
• Lawful intercept
• CALEA support

Page 14: Voip Threats & Counter Measures


VF-Series Four Key SBC Applications

(Diagram: the same VoIP border topology as the previous slide.)

• Network Protection
• Carrier Peering
• Hosted NAT Traversal
• Hosted VPN/VLAN

Page 15: Voip Threats & Counter Measures


DoS Protection – Signalling & Media

(Diagram: a SIP phone 10.0.0.1 behind a Router/Data FW/NAT sends "Register phone num 1234" for [email protected] across the IP network to an SBC in front of the HQ VoIP infrastructure: Media Gateway, PBX A, PBX B, DNS and the desktops at HQ.)

• Network at risk due to signaling DoS attacks, whether from malfunctioning endpoints or a malicious attack
• Excess signaling discarded
• Media rate limited to codec bandwidth
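The slide's two controls are a per-source limit on signaling and a media rate tied to what the negotiated codec can legitimately produce. The Python below is an added example, not Juniper SBC code: a per-source token bucket that discards excess SIP requests, and a codec bandwidth calculation (payload plus IP/UDP/RTP headers) used to decide when an RTP stream is over its limit. The limits, the codec table (static payload types per RFC 3551) and the sample flood are assumptions for illustration.

```python
"""Signaling and media DoS controls as pictured on the slide: excess signaling
from a source is discarded, media is held to the negotiated codec's bandwidth.
Added example, not Juniper SBC code; limits, codec table and sample traffic are
constructed (codec bit rates and payload types follow RFC 3551)."""

CODECS = {0: ("PCMU", 64_000), 8: ("PCMA", 64_000), 18: ("G729", 8_000)}  # PT -> (name, bit/s)
IP_UDP_RTP_HEADERS = 40        # bytes per RTP packet: IPv4 20 + UDP 8 + RTP 12

class SignalingLimiter:
    """Per-source token bucket: `rate` requests/s sustained, `burst` in reserve."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, src_ip, now):
        tokens, last = self.buckets.get(src_ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill
        allowed = tokens >= 1
        self.buckets[src_ip] = (tokens - 1 if allowed else tokens, now)
        return allowed                  # False -> the request is discarded

def codec_bandwidth_bps(payload_type, ptime_ms=20):
    """On-the-wire bit rate a legitimate stream of this codec can reach."""
    _, bitrate = CODECS[payload_type]
    payload_bytes = bitrate * ptime_ms // 8000       # bit/s * s / 8 -> bytes
    packets_per_s = 1000 // ptime_ms
    return (payload_bytes + IP_UDP_RTP_HEADERS) * 8 * packets_per_s

def media_over_limit(observed_bps, payload_type, ptime_ms=20, tolerance=1.1):
    """True when a stream exceeds its codec's rate (plus tolerance) and must be rate limited."""
    return observed_bps > codec_bandwidth_bps(payload_type, ptime_ms) * tolerance

def register_flood_admitted(attempts=50, rate=5, burst=10):
    """Constructed flood: one phone sends `attempts` REGISTERs within the same second."""
    limiter = SignalingLimiter(rate, burst)
    return sum(limiter.allow("10.0.0.1", now=0.0) for _ in range(attempts))

def bucket_refills(rate=5, burst=10):
    """After the burst is spent, one idle second restores `rate` tokens."""
    limiter = SignalingLimiter(rate, burst)
    spent = [limiter.allow("10.0.0.1", 0.0) for _ in range(burst + 1)]
    return spent[-1], limiter.allow("10.0.0.1", 1.0)
```

A G.711 stream at 20 ms packetization works out to 80 kbit/s on the wire, G.729 to 24 kbit/s; anything well above that from a single RTP flow is not voice and is what the slide rate-limits.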

Page 16: Voip Threats & Counter Measures


Defense Against VoIP Security Threats

• Threat: Unauthorized access to PBX or voice mail system. Ramification: hacker listens to voice mails, accesses call logs, company directories, etc. Defense technology: zones, ALGs, policy-based access control.
• Threat: DoS attack on PBX, IP phone or gateway. Ramification: all voice communications fail. Defense technology: FW with SIP attack protection; IDP with SIP signatures/protocol anomaly detection; SBC with rate limiting.
• Threat: Toll fraud. Ramification: hacker utilizes PBX for long-distance calling, increasing costs. Defense technology: VPNs, encryption (IPSec or other).
• Threat: Eavesdropping or man-in-the-middle attack. Ramification: voice conversations unknowingly intercepted and altered. Defense technology: VPNs, encryption (IPSec or other).
• Threat: Worms/trojans/viruses on IP phones, PBX. Ramification: infected PBX and/or phones rendered useless, spread problems throughout network. Defense technology: IDP with SIP protocol anomaly and stateful signatures.
• Threat: IP phone spam. Ramification: lost productivity and annoyance. Defense technology: ALGs, SIP attack prevention, SIP source IP limitations, UDP flood protection.

Page 17: Voip Threats & Counter Measures


Improving Quality of Voice Service

• Issue: Poor quality voice (clicks, echo, noise). Ramifications: unable to communicate with others; less productivity. Technology: bandwidth optimization, traffic engineering using MPLS.
• Issue: Failure to connect/get service/make calls. Ramification: customer dissatisfaction. Technology: QoS on the entire network; high performance network devices.
• Issue: Calls get dropped intermittently. Ramification: customer dissatisfaction. Technology: QoS on the entire network; traffic engineering using MPLS; high availability/failover.
• Issue: Calls not completed during high traffic times. Ramification: unable to communicate with others. Technology: improve bandwidth utilization, compression, WAN optimization, MPLS traffic engineering.

Page 18: Voip Threats & Counter Measures


Addressing Interoperability Issues

• Issue: Multi-vendor equipment to get best in class solution. Ramification: need for constant attention, upgrades and service disruption. Solution: strong alliances between vendors to test new solutions; active participation in industry forums.
• Issue: New and evolving protocols. Ramification: service disruption due to configuration, testing and ongoing maintenance of system. Solution: strong certification program for new products and single software train.
• Issue: Changes in service provider network impact voice service. Ramification: customer dissatisfaction because of service disruption. Solution: leadership in service provider products and alliances to ensure smooth operation.