Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1
VoIP Threats and Countermeasures
Interop NY – Sept 19, 2006
Gregory M. [email protected]
VoIP Security Threats

Security Threat: Unauthorized access to PBX or voice mail system
Ramification: Hacker listens to voice mails, accesses call logs, company directories, etc.

Security Threat: DoS attack on PBX, IP Phone or gateway
Ramification: All voice communications fail

Security Threat: Toll fraud
Ramification: Hacker utilizes PBX for long-distance calling, increasing costs

Security Threat: Eavesdropping or man-in-the-middle attack
Ramification: Voice conversations unknowingly intercepted and altered

Security Threat: Worms/trojans/viruses on IP phones, PBX
Ramification: Infected PBX and/or phones rendered useless, spread problems throughout network

Security Threat: IP phone spam
Ramification: Lost productivity and annoyance

Top Security Concerns
[Bar chart: share of respondents rating each item a major concern, 0% to 70% axis]
• IP PBX DoS attacks
• IP PBX hacking
• Back door to corporate network
• Voice intercept on WAN
• All LAN segments have voice access
Voice Quality and Service Issues

VoIP Service Issue: Poor quality voice – clicks, echo, noise
Ramification: Unable to communicate with others; less productivity

VoIP Service Issue: Failure to connect/get service/make calls
Ramification: Customer dissatisfaction

VoIP Service Issue: Calls get dropped intermittently
Ramification: Customer dissatisfaction

VoIP Service Issue: Calls not completed during high traffic times
Ramification: Unable to communicate with others

Underlying quality factors
• Latency
• Jitter
• Packet loss
Interoperability Issues

Interoperability Issue: Multi-vendor equipment to get best in class solution
Ramification: Need for constant attention, upgrades and service disruption

Interoperability Issue: New and evolving protocols
Ramification: Service disruption due to configuration, testing and ongoing maintenance of systems

Interoperability Issue: Proprietary implementations of protocols by vendors
Ramification: Interoperability issues among vendors, resulting in poor quality, dropped calls, or inability to set up call

Multi-vendor solution components
• Best in Class multi-vendor components
• Evolving protocols
• Service Provider interoperability
Security through Firewall ALGs

VoIP Security Challenge
• Traditional firewall solutions open a range of ports for VoIP support
• Exposes the network to possible security risks as open ports can be exploited

SIP, H.323, and MGCP ALGs minimize network security risk
• ALGs dynamically open/close media ports for the call duration based on negotiations observed in signaling
• NAT, route, or transparent deployment

[Diagram: an endpoint and a call processing server exchanging signaling and media through the firewall. Left, "Port Range": a wide range of ports stays open, undue exposure. Right, "VoIP Aware - ALG": dynamic pinholes opened only for the negotiated media ports.]
Address Translation: The Unintelligent Way, Application Blind

[Diagram: Voice over Broadband (cable, DSL) access. A SIP phone at 10.10.10.117 sits behind a router/data FW/NAT at 194.90.133.115 and a cable/DSL modem at 198.134.45.2; an MGCP IAD at 10.0.0.1 serves a POTS phone. Across the IP network sit the VoIP service provider's softswitch, media gateway, application server and media server.]

Some NAT/Firewalls NAT IP but not SIP & SDP. In the capture below the IP header has been translated to the public address, but the Via, Contact and SDP owner/connection addresses still carry the private 10.10.10.117, which the provider cannot route back to.

Internet Protocol
  Source: 194.90.133.115
  Destination: 194.90.133.116
User Datagram Protocol
  Source port: 61455
  Destination port: 5060
Session Initiation Protocol
  Request-Line: INVITE sip:[email protected] SIP/2.0
  Via: SIP/2.0/UDP 10.10.10.117:5060
  From: sip:[email protected]
  To: sip:[email protected]
  Contact: <sip:[email protected]:5060>
Session Description Protocol Version (v): 0
  Owner Address: 10.10.10.117
  Connection Address: 10.10.10.117
  Media Port: 20304
  Media Proto: RTP/AVP
Address Translation: Application Aware NAT

[Diagram: the same Voice over Broadband access, now with the router/data FW/NAT at 194.90.81.144 and a VF-4000 session border controller in the path to the provider's softswitch, media gateway, application server and media server.]

Need to perform application-level NAT: the addresses inside the SIP headers and the SDP body must be rewritten along with the IP header. The capture is the same INVITE as on the previous slide:

Internet Protocol
  Source: 194.90.133.115
  Destination: 194.90.133.116
User Datagram Protocol
  Source port: 61455
  Destination port: 5060
Session Initiation Protocol
  Request-Line: INVITE sip:[email protected] SIP/2.0
  Via: SIP/2.0/UDP 10.10.10.117:5060
  From: sip:[email protected]
  To: sip:[email protected]
  Contact: <sip:[email protected]:5060>
Session Description Protocol Version (v): 0
  Owner Address: 10.10.10.117
  Connection Address: 10.10.10.117
  Media Port: 20304
  Media Proto: RTP/AVP

Values substituted by the application-aware NAT (overlaid on the slide): the Via and Contact addresses become 194.90.81.144:54101, the Owner Address and Connection Address become 194.90.81.144, and the Media Port becomes 62101.
Network Isolation: Call Processing Subnet
Secure and Assured Infrastructure

[Diagram: large central site with an internal data network, a DMZ, a call processing subnet, a PoE switch serving the internal VoIP end-point network, and a PSTN connection.]
• Redundant security devices for failover and high availability
• Router - QoS policy and scheduling
• Scalable VPN supporting thousands of connections
• ALG technology to extend corporate VoIP
• MPLS TE passed to provider MPLS network
• Zone architecture for intra/inter zones with policy enforcement
Voice Eavesdropping Prevention

VoIP Security Challenge
• Protecting VoIP calls from eavesdropping
• Ensuring privacy of VoIP conversations

Encrypted VoIP Solution
• Encrypt VoIP connections with site-to-site VPN (AES) to prevent eavesdropping
• Hide signaling

[Diagram: corporate network IP PBX and branch office IP PBX connected through a VPN tunnel.]
Unauthorized Use Prevention

VoIP Security Challenge
• Toll fraud and unauthorized use
• “Man in the middle” or SIP based DoS attacks
• Intercepting signaling in transit to “sniff” calls

Secure VoIP Solution
• Block or throttle illegitimate calls at the source, to ensure legitimate signaling and media can pass
• Policy-based access control for SIP, H.323, and MGCP
• Ensures appropriate access controls are applied to the signaling and media

[Diagram: a user repository holding entries such as User: Jane Jones, User: John Doe and User: IP Address xxx.x.x.xxx, consulted for policy-based access control.]
IPS for VoIP

• Stateful signature and protocol anomaly detection for the SIP protocol
• Protocol anomaly detection for H.323
• IPS decode for the SIP VoIP protocol
• Anomaly definitions library that flags potential attacks and allows this traffic to be blocked or alerts to be sent
• Blocking if deployed “inline”, alerting if deployed “passively”

Market Significance
• Addresses VoIP attacks at layers 4 thru 7, including application layer vulnerabilities as they are discovered
Session Border Controllers (SBC)

Carriers and service providers are increasingly providing VoIP as a new and enhanced service
• WW VoIP Carrier Equipment = $1.7B in 2004 (+36% over 2003)
• $5.9B by 2008

SBCs are primarily deployed at the network edge to facilitate the secure & reliable flow of real-time IP traffic across network boundaries.
• Number of service providers purchasing SBCs went from 31% in ’03 to 81% in ’04 (Infonetics)

SBCs enable VoIP and real time IP services for:
• Carrier-to-carrier peering
• Carrier-to-enterprise service
• Carrier-to-consumer service

SBCs address the issues of:
• Address translation
• Service assurance (QoS)
• Regulatory compliance (E-911, CALEA)
Primary VoIP Border Issues

[Diagram: the VoIP service provider core (softswitch, media gateway, application server, media server, OSS) with its four borders: carrier to enterprise (IP PBX, SIP/H.323 phones, router, data FW/NAT; SME with hosted IP Centrex), carrier to SOHO/residential (cable/DSL modem, MGCP IAD, POTS phone over voice over broadband), carrier to carrier peering and wholesale VoIP (the other carrier's softswitch, media gateway, Class 5 switch, POTS and SS7 IN network), and wireless/mobile (base station, wireless IP phone, mobile phone).]

Network Security
• DoS attacks
• Service theft
• Fraud
• Topology hiding

Address Translation
• Conversion of private/public IP addresses
• Firewalls challenged by small signaling/media packets
• VoIP protocols not understood by firewall

Service Assurance
• Quality of service
• Admission enforcement
• Lack of reporting
• Firewall/NAT issues
• VPN/VLAN mappings

Regulatory Compliance
• E-911
• Lawful intercept
• CALEA support
VF-Series Four Key SBC Applications

[Diagram: the same VoIP border topology as the previous slide, with the four SBC applications placed at the borders.]
• Network Protection
• Carrier Peering
• Hosted NAT Traversal
• Hosted VPN/VLAN
DoS Protection – Signalling & Media

[Diagram: a SIP phone at 10.0.0.1 on the IP network behind a router/data FW/NAT; an SBC in front of the HQ VoIP infrastructure (media gateway, PBX A, PBX B, DNS) and the desktops at HQ. A phone registers phone number 1234 while a flood of signaling from malfunctioning endpoints or a malicious attack is discarded at the SBC.]
• Network at risk due to signaling DoS attacks
• Malfunctioning endpoints or malicious attack
• Excess signaling discarded
• Media rate limited to codec bandwidth
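The two controls on this slide, excess signaling discarded and media rate limited to codec bandwidth, as an added Python example that is not the SBC's implementation: a token bucket per signaling source and one per call sized from the codec. The codec parameters (G.711 at 20 ms packetization), the signaling budget, the class names and the sample traffic are constructed assumptions.

```python
from collections import defaultdict

# Constructed assumptions: the call negotiated G.711 at 20 ms packetization,
# i.e. 50 packets/s of 160 payload + 12 RTP + 8 UDP + 20 IP = 200 bytes.
G711_PPS, G711_PKT_BYTES = 50, 200
SIG_PER_SEC, SIG_BURST = 5, 10        # constructed signaling budget per source

class TokenBucket:
    """Token bucket kept in integer thousandths so the arithmetic is exact:
    refills `rate` tokens per second, stores at most `burst` tokens."""
    def __init__(self, rate, burst):
        self.rate, self.cap = rate, burst * 1000
        self.level, self.last_ms = self.cap, 0

    def allow(self, now_ms, cost=1):
        self.level = min(self.cap, self.level + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.level >= cost * 1000:
            self.level -= cost * 1000
            return True
        return False                      # over budget: discard

class VoipDosGuard:
    """What the SBC on the slide does: discard excess signaling per source and
    cap each call's media at the bandwidth its codec can legitimately use."""
    def __init__(self):
        self.sig = defaultdict(lambda: TokenBucket(SIG_PER_SEC, SIG_BURST))
        self.flows = {}                   # Call-ID -> media bucket

    def signaling(self, src_ip, now_ms):
        """True if a SIP request from src_ip is forwarded, False if discarded."""
        return self.sig[src_ip].allow(now_ms)

    def open_media(self, call_id, pps=G711_PPS, pkt_bytes=G711_PKT_BYTES):
        rate = pps * pkt_bytes            # bytes/s the codec needs
        self.flows[call_id] = TokenBucket(rate, rate // 10)   # 100 ms of burst

    def rtp(self, call_id, now_ms, size):
        """True if an RTP packet of `size` bytes on this call is forwarded."""
        bucket = self.flows.get(call_id)
        return bucket is not None and bucket.allow(now_ms, size)

def simulate():
    """Constructed traffic: 20 REGISTERs in one second from one phone, then a
    call streaming at exactly codec rate and a second one at double rate.
    Returns how many of each were forwarded."""
    g = VoipDosGuard()
    registers = sum(g.signaling("10.0.0.1", t * 50) for t in range(20))
    g.open_media("good"); g.open_media("flood")
    good = sum(g.rtp("good", t * 20, 200) for t in range(1, 101))    # 50 pps
    flood = sum(g.rtp("flood", t * 10, 200) for t in range(1, 201))  # 100 pps
    return registers, good, flood
```

With these numbers the conforming call passes every packet, the double-rate flow is cut back to roughly codec rate plus the burst allowance, and media for a Call-ID with no open flow is dropped outright.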
Defense Against VoIP Security Threats

Security Threat: Unauthorized access to PBX or voice mail system
Ramification: Hacker listens to voice mails, accesses call logs, company directories, etc.
Defense Technology: Zones, ALGs, policy-based access control

Security Threat: DoS attack on PBX, IP Phone or gateway
Ramification: All voice communications fail
Defense Technology: FW with SIP attack protection; IDP with SIP sigs/protocol anom; SBC with rate limiting

Security Threat: Toll fraud
Ramification: Hacker utilizes PBX for long-distance calling, increasing costs
Defense Technology: VPNs, encryption (IPSec or other)

Security Threat: Eavesdropping or man-in-the-middle attack
Ramification: Voice conversations unknowingly intercepted and altered
Defense Technology: VPNs, encryption (IPSec or other)

Security Threat: Worms/trojans/viruses on IP phones, PBX
Ramification: Infected PBX and/or phones rendered useless, spread problems throughout network
Defense Technology: IDP with SIP protocol anomaly and stateful signatures

Security Threat: IP phone spam
Ramification: Lost productivity and annoyance
Defense Technology: ALGs, SIP attack prevention, SIP source IP limitations, UDP Flood Protection
Improving Quality of Voice Service

VoIP Service Issue: Poor quality voice – clicks, echo, noise
Ramification: Unable to communicate with others; less productivity
Technology: Bandwidth optimization, traffic engineering using MPLS

VoIP Service Issue: Failure to connect/get service/make calls
Ramification: Customer dissatisfaction
Technology: QoS on the entire network; high performance network devices

VoIP Service Issue: Calls get dropped intermittently
Ramification: Customer dissatisfaction
Technology: QoS on the entire network; traffic engineering using MPLS; high availability/failover

VoIP Service Issue: Calls not completed during high traffic times
Ramification: Unable to communicate with others
Technology: Improve bandwidth utilization, compression, WAN optimization, MPLS traffic engineering
Addressing Interoperability Issues

Interoperability Issue: Multi-vendor equipment to get best in class solution
Ramification: Need for constant attention, upgrades and service disruption
Solution: Strong alliances between vendors to test new solutions; active participation in industry forums

Interoperability Issue: New and evolving protocols
Ramification: Service disruption due to configuration, testing and ongoing maintenance of system
Solution: Strong certification program for new products and single software train

Interoperability Issue: Changes in Service Provider network impacts voice service
Ramification: Customer dissatisfaction because of service disruption
Solution: Leadership in Service Provider products and alliances to ensure smooth operation