Security in VoIP Networks
Juan C Pelaez, Florida Atlantic University
What is VoIP?
VoIP (Voice over Internet Protocol), sometimes referred to as Internet telephony, is a method of digitizing voice, encapsulating the digitized voice into packets and transmitting those packets over a packet switched IP network.
VoIP enables people to use the Internet as the transmission medium for telephone calls. For users who have free, or fixed-price, Internet access, Internet telephony software essentially provides free telephone calls anywhere in the world. To date, however, Internet telephony does not offer the same quality of telephone service as direct telephone connections, and it is an easy target for security attacks.
Overview of VoIP (1)
Overview of VoIP (2)
VoIP: yet another Internet service (Telephone, Radio, Video) over IP
Services: email/web/calendar integration, emergency services, call scheduling, Interactive Voice Response (IVR), instant messaging, personal mobility…
VoIP Protocols
Most implementations use the H.323 protocol
- Same protocol that is used for IP video.
- Uses TCP for call setup
- Traffic is actually carried on RTP (Real-Time Transport Protocol), which runs on top of UDP.
SIP defines a distributed architecture for creating multimedia applications, including VoIP
VoIP = Transport + QoS + Signaling
- Transport: RTP (Real-Time Transport Protocol)
- QoS: RTCP
- Signaling: H.323, SIP, MGCP/Megaco
Internet telephony protocol stack
H.323 Signaling and Media Channels
- H.225.0/RAS Channel: RAS (Registration, Admission & Status) control between Endpoints (terminals, gateways, MCUs) and their Gatekeeper
- H.225.0 Call Signaling Channel: Call remote endpoint; Establish H.245 address
- H.245 Control Channel: Open control channel; Terminal capability negotiation; Open/close logical channels; Establish UDP ports for A/V
- RTP/RTCP Logical Channels for Media Stream: Carry media (audio, video, data, etc.) within logical channels
H.323 VoIP Components
H.323 defines four logical components: Terminals, Gateways, Gatekeepers and Multipoint Control Units (MCUs).
Terminals, gateways and MCUs are known as endpoints.
(Diagram: call control, call setup and media exchange in IP telephony. Call signaling (RAS) and call processing run between IP telephony endpoints, an IP PBX and a Gateway to the Public Switched Telephone Network (PSTN).)
VoIP requires….
- Handsets
- Softphones
- Gateways
- Gatekeepers
- Conference Bridge
- IP PBX
- H.323, SIP, MGCP/Megaco
VoIP requires…. (Cont.)
(Diagram: softphones, an IP PBX, a Gateway and an MCU connected to the PSTN, with a Gatekeeper.)
Security Threats and Defense Mechanisms
Denial-of-service (DoS)
- Separation of the voice and data segments using VPNs
Call interception (Invasion of privacy)
- Encrypt VoIP traffic where possible
- Lawful interception
Call Interception - Example
Security Threats and Defense Mechanisms (2)
Theft of service (Traditional fraud)
- Getting free service or free features
- Use strong authentication
- Call-processing Manager will not allow unknown phones to be configured
Signal protocol tampering
- Capture the packets that set up the call.
- A user could manipulate fields in the data stream and make VoIP calls without using a VoIP phone.
Other Security Threats and Defense Mechanisms
- Masquerading/Man-in-the-middle attacks: Endpoint authentication
- Spoofing/connection hijacking: User/message authentication and integrity
- Message manipulation: Message authentication
- Virus and Trojan-horse applications: Host-based virus scanning
- Repudiation: Call-processing manager
Scope of H.235
(Protocol stack diagram, top to bottom:)
- AV applications: Audio (G.xxx) and Video (H.26x), passed through Encryption, carried by RTP
- Terminal control and management: RTCP; H.225.0 Terminal-to-GK Signaling (RAS); H.225.0 Call Signaling (Q.931); H.245 Call Control, passed through Authentication, with Transport Security (TLS)
- Unreliable Transport (UDP, IPX) / Reliable Transport (TCP)
- Network Layer (IP), Network Security (IPsec)
- Link Layer
- Physical Layer
Challenges for IP Telephony
NAT/Firewall Traversal Problem (NAT = Network Address Translation)
- IP Telephony uses UDP as transmission protocol
- IP Telephony uses dynamic port addresses
- For these protocols to pass the firewall, the specific static ports and the range of dynamic ports must be opened for all traffic.
- IP addresses are embedded in the payload
- NAT only handles outgoing connections
NAT/Firewall Traversal Issue
(Diagram: signaling & control passes the firewall/NAT, while in-bound media and RTP on transient ports are blocked; out-bound media capabilities and RTP pass.)
Firewall/NAT Solutions (1)
Proxies (Multimedia Gateway)
- Designed to handle real-time communications
Gateways
- Converts from IP to PSTN voice
Application Level Gateways (ALG)
- Firewalls programmed to understand IP protocols
Demilitarized Zone (DMZ)
- Overcomes problem by placing an MCU
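The traversal problem stated above (addresses and ports embedded in the payload, which header-level NAT never rewrites) and the ALG remedy, shown for the SIP/SDP case as an added example that is not from the slides: `alg_rewrite` is a hypothetical ALG step, the SDP body and the NAT port mapping are constructed, and RTCP is assumed on the RTP port + 1.

```python
import ipaddress
import re
# Constructed SDP body, as a SIP INVITE from a phone behind NAT would carry it
# (sample input, not captured from a real system).
SDP_FROM_PRIVATE_PHONE = (
    "v=0\r\n"
    "o=phone 1234 1 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)
C_LINE = re.compile(r"^c=IN IP4 (\S+)$")
M_LINE = re.compile(r"^m=(audio|video) (\d+) RTP/AVP")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def embedded_media_endpoints(sdp):
    """(connection IP, [media ports]) signaled inside the payload; plain NAT
    rewrites the IP header only and never touches these values."""
    ip, ports = None, []
    for line in sdp.split("\r\n"):
        if m := C_LINE.match(line):
            ip = m.group(1)
        if m := M_LINE.match(line):
            ports.append(int(m.group(2)))
    return ip, ports

def needs_alg(sdp, packet_src_ip):
    """Private address in the body but public source in the header: the body was not translated."""
    ip, _ = embedded_media_endpoints(sdp)
    return ip is not None and is_rfc1918(ip) and not is_rfc1918(packet_src_ip)

def alg_rewrite(sdp, public_ip, port_map):
    """Hypothetical ALG step: rewrite c= and m= so the far end sends RTP to the
    NAT's public address and to the outside ports it mapped ({inside: outside})."""
    out = []
    for line in sdp.split("\r\n"):
        if C_LINE.match(line):
            line = f"c=IN IP4 {public_ip}"
        elif m := M_LINE.match(line):
            line = line.replace(f" {m.group(2)} ", f" {port_map[int(m.group(2))]} ", 1)
        out.append(line)
    return "\r\n".join(out)

def firewall_pinholes(sdp, port_map):
    """UDP ports a stateful firewall opens for this call only: RTP and RTCP
    (assumed RTP + 1), instead of a standing open range of dynamic ports."""
    _, ports = embedded_media_endpoints(sdp)
    return sorted(p for q in ports for p in (port_map[q], port_map[q] + 1))
```

A production ALG also rewrites the `o=` line and SIP headers such as Via and Contact; the block covers only the media addressing that NAT breaks.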
Multimedia Gateway (Proxy)
Firewall/NAT Solutions (2)
Virtual Private Network (VPN)
A secure connection between two points across the Internet
Tunneling
The process by which VPNs transfer information by encapsulating traffic in IP packets and sending the packets over the Internet
Conclusion
VoIP just adds more assets, more threat locations and more vulnerabilities to the data network, because of new equipment, protocols, and processes on the data network.
To increase security and performance it's recommended to use VPNs to separate VoIP from data traffic.
Instead of using VPN segmentation, users may consider using a multimedia gateway or reverse proxy.