Más contenido relacionado La actualidad más candente (20) Similar a SIP Trunking & Security in an Enterprise Network (20) SIP Trunking & Security in an Enterprise Network1. SIP Trunking & Security
in an Enterprise Network
Dan York, CISSP
VOIPSA Best Practices Chair
September 17, 2008
3. Privacy Availability
Compliance Confidence
Mobility Cost Avoidance
Business Continuity
© 2008 VOIPSA and Owners as Marked
8. TDM security is relatively simple...
PSTN
Gateways
TDM
Switch
Physical
Voicemail Wiring
© 2008 VOIPSA and Owners as Marked
9. VoIP security is more complex
Operating Desktop PSTN
E-mail
Systems PCs Gateways
Systems
Network Web
Firewalls
Switches Servers
Standards
Voice over PDAs
Wireless
Instant IP Devices
Messaging
Directories
Internet
Databases
Physical
Voicemail
Wiring
© 2008 VOIPSA and Owners as Marked
10. VoIP can be more
secure than the PSTN
if it is properly deployed.
© 2008 VOIPSA and Owners as Marked
12. Security concerns in telephony are not new…
Image courtesy of the Computer History Museum
© 2008 VOIPSA and Owners as Marked
13. Nor are our attempts to protect against threats…
Image courtesy of Mike Sandman – http://www.sandman.com/
© 2008 VOIPSA and Owners as Marked
14. Security Aspects of IP Telephony
Media /
Voice
Manage TCP/IP Call
ment Network Control
PSTN
Policy
© 2008 VOIPSA and Owners as Marked
15. Media
Eavesdropping
Degraded Voice Quality
Encryption
Virtual LANs (VLANs)
Packet Filtering
© 2008 VOIPSA and Owners as Marked
16. Signaling
Denial of Service
Impersonation
Toll Fraud
Encryption
Encrypted Phone Software
Proper Programming
© 2008 VOIPSA and Owners as Marked
17. Management
Web Interfaces
APIs!
Phones!
Encryption
Change Default Passwords!
Patches? We don’t need...
© 2008 VOIPSA and Owners as Marked
20. Internet LAN
© 2008 VOIPSA and Owners as Marked
22. The Challenge of SIP Trunking
PSTN
SIP Service
Provider
Internet
IP-PBX
LAN
© 2008 VOIPSA and Owners as Marked
23. SIP Trunking
PSTN
SIP Service
Provider
Carrier
Network
IP-PBX
LAN
© 2008 VOIPSA and Owners as Marked
24. The Challenge of SIP Trunking
PSTN
SIP Service
Provider
Internet
IP-PBX
LAN
© 2008 VOIPSA and Owners as Marked
25. SIP Trunking - Business Continuity
PSTN
SIP Service
Provider
SIP Service
Internet Provider
IP-PBX
LAN
© 2008 VOIPSA and Owners as Marked
26. SIP Trunking - Business Continuity
PSTN
SIP Service
Provider
SIP Service
Internet Provider
IP-PBX
SIP Service
LAN Provider
© 2008 VOIPSA and Owners as Marked
29. Moving Voice Applications into “the Cloud”
Application
Platform
Internet /
WAN
IP-PBX
LAN PSTN
© 2008 VOIPSA and Owners as Marked
30. Moving Telephony into “the Cloud”
Hosted
“IP-PBX”
Internet /
WAN
Firewall
LAN PSTN
© 2008 VOIPSA and Owners as Marked
31. Can you trust “the Cloud”
to be there?
© 2008 VOIPSA and Owners as Marked
32. Questions for SIP Trunk Providers or Cloud
Computing Platforms?
• What kind of availability guarantees / Service Level Agreements (SLAs)
does the platform vendor provide?
• What kind of geographic redundancy is built into the underlying network?
• What kind of network redundancy is built into the underlying network?
• What kind of physical redundancy is built into the data centers?
• What kind of monitoring does the vendor perform?
• What kind of scalability is in the cloud computing platform?
• What kind of security, both network and physical, is part of the computing
platform?
• Finally, what will the vendor do if there is downtime? Will the downtime
be reflected in your bill?
© 2008 VOIPSA and Owners as Marked
34. What about SPIT? (“SPam over Internet Telephony”)
• What does a traditional telemarketer need?
• Makes for great headlines, but not yet a significant threat
• Fear is script/tool that:
– Iterates through calling SIP addresses:
• 111@sip.company.com, 112@sip.company.com, …
• Opens an audio stream if call is answered (by person or voicemail)
– Steals VoIP credentials and uses account to make calls
• Reality is that today such direct connections
are generally not allowed
• This will change as companies make greater use
of SIP trunking and/or directly connect IP-PBX
systems to the Internet (and allow incoming calls
SPAM
from any other IP endpoint)
• Until that time, PSTN is de facto firewall
© 2008 VOIPSA and Owners as Marked
36. What is the Industry Doing to Help?
Security Vendors VoIP Vendors
“The Sky Is Falling!” “Don’t Worry, Trust Us!”
(Buy our products!) (Buy our products!)
© 2008 VOIPSA and Owners as Marked
37. Voice Over IP Security Alliance (VOIPSA)
• www.voipsa.org – 100 members from VoIP and security industries
• VOIPSEC mailing list – www.voipsa.org/VOIPSEC/
• “Voice of VOIPSA” Blog – www.voipsa.org/blog
• Blue Box: The VoIP Security Podcast – www.blueboxpodcast.com
• VoIP Security Threat Taxonomy
• Best Practices Project underway now
Security
Research
Market and Social Classification Best Practices Outreach
Objectives and Taxonomy of for VoIP Communication
Constraints Security Threats
Security of Findings
Security
System
Testing
LEGEND Published Active Now Ongoing
© 2008 VOIPSA and Owners as Marked
40. Tools, tools, tools...
• UDP Flooder • Asteroid
• IAX Flooder • enumIAX
• IAX Enumerator • iWar
• ohrwurm RTP Fuzzer • StegRTP
• RTP Flooder • VoiPong
• INVITE Flooder • Web Interface for SIP Trace
• AuthTool • SIPScan
• BYE Teardown • SIPCrack
• Redirect Poison • SiVuS
• Registration Hijacker • SIPVicious Tool Suite
• Registration Eraser • SIPBomber
• RTP InsertSound • SIPsak
• RTP MixSound • SIP bot
• SPITTER
© 2008 VOIPSA and Owners as Marked
41. Security Links
• VoIP Security Alliance - http://www.voipsa.org/
– Threat Taxonomy - http://www.voipsa.org/Activities/taxonomy.php
– VOIPSEC email list - http://www.voipsa.org/VOIPSEC/
– Weblog - http://www.voipsa.org/blog/
– Security Tools list - http://www.voipsa.org/Resources/tools.php
– Blue Box: The VoIP Security Podcast - http://www.blueboxpodcast.com
• NIST SP800-58, “Security Considerations for VoIP Systems”
– http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
• Network Security Tools
– http://sectools.org/
• Hacking Exposed VoIP site and tools
– http://www.hackingvoip.com/
© 2008 VOIPSA and Owners as Marked
42. VoIP can be more
secure than the PSTN
if it is properly deployed.
© 2008 VOIPSA and Owners as Marked
43. Q&eh?
www.voipsa.org
Dan York - dyork@voxeo.com