VoIP Security

Published on March 2017 | Categories: Documents | Downloads: 51 | Comments: 0 | Views: 358
of 6
Download PDF   Embed   Report

Comments

Content

VoIP: Security Analysis
Introduction Convergence of voice and data in the enterprise has become widely adopted as organizations move from a legacy environment with separate circuit-switched voice and packet-switched data to next generation solutions where voice and data co-exist on a single network through voice over IP (VoIP), and subsequently to unified communications. However, Enterprises wishing to exploit the advantages of switching voice calls to the IP network must understand that maintaining security of those packets is an integral part of the overall VoIP deployment. This paper analyses the VoIP specific security threats using the principle of CIA (Confidentiality, Integrity and Availability). The countermeasure to mitigate these threats is also discussed. At last, the paper proposes some common practice to secure VoIP networks alongwith with a case study on security analysis of Skype’s VoIP implementation.

Why VoIP? The table below captures the key advantages of implementing VoIP in enterprises.
· Reduction in Capital expenditure by leveraging the existing data network (Intranet and Internet) in place, and avoiding the need of having separate PSTNs (public switched telephone networks) · Centralization of Infrastructure- All of an organization's voice and data traffic is integrated into one physical network, bypassing the need for separate PBX tie lines · For small enterprises, reduction in costs of having landlines and phones is achieved by switching to IP Softphones (Skype, Lync, etc) · Lower operating costs for international calls and faxes over IP networks compared to conventional long-distance calls Scalability · It's easy to add, move, or change phone connections to accommodate a growing and increasingly mobile workforce. · With a VoIP system, you can still use your conventional phone and a VoIP converter or VoIP telephone adapter. · VoIP need not use IP phone sets but can also be operated from pure software applications (Softphones) · Legacy phone system assigns a phone number with a dedicated line, so you generally cannot move your home phone to another place if you want to use the same phone number · VoIP provides number mobility: The phone device can use the same number virtually everywhere as long as it has internet connectivity · VoIP protocols (such as Session Initiation Protocol [SIP], H.323) run on the application layer and are able to integrate or collaborate with other applications such as email, web browser, instant messenger, socialnetworking applications, and so on. · Typical examples are voicemail delivery via email, click-to-call service on a website, voice call button on an email, presence information on a contact list, and so on. Benefits of VoIP

Cost Savings

Flexibility

Phone Portability

Rich Services and Integration with other applications

Security Threats of VoIP This section discusses various threats to confidentiality, integrity and availability of VoIP systems, alongwith the possible countermeasures for these threats. Security Component Under Consideration Key Issues Countermeasures

 Confidentiality 

Eavesdropping of phone conversation Unauthorized access attack

  

Encryption of Voice messages Deploying IPsec Using SRTP to provide confidentiality, message Authentication and Replay protection Impossible to track fake Caller Id.(Under Research) Installing tools like Sivus which provide vulnerability Scanning Stronger Authentication Schemes

   

Integrity

Caller Identification Spoofing Registration Hijacking Proxy Impersonation Call redirection or Hijacking

 



 Availability  

VoIP Signaling malfunction Flooding VoIP media Components Physical damage to Hardware





Implement a VoIP firewall to monitor streams and filter abnormal packets Strong Authentication mechanisms

Skype: Security Analysis of VoIP Component

Eavesdropping – Skype’s encryption of communications is secure enough to prevent casual Eavesdropping. Strong Integrity Checks –    It prevents binary modification If a virus infects a binary, it changes its checksum. If someone puts a breakpoint or removes some code parts itwill be detected (Making the code Non- Debuggable).

Caller Impersonation – Unless a user's credentials (username and password) have been compromised, it is nearly impossible to impersonate another user. Anonymity – Skype should not be relied on for strong anonymity. Although it uses encryption to protect its network traffic, if this traffic is captured, it is trivial for the certificate owners (Skype and its parent company EBay) to decrypt the traffic. Additionally, Skype takes no measures to hide its presence on the system it's running on. It is easy for a forensic analyst to discover the presence of Skype and to enumerate a user's contact list among other details. Black Box Plus Point – The Skype application is very much an opaque black box. The code itself is not open source; it is distributed as a binary only, which uses packing and other methods to defeat reverse engineering. Skype will detect when certain debuggers are running in the operating system and cease to function in an attempt to protect itself from prying eyes. It can be very difficult to know exactly what Skype is doing on your system Skype Security Verdict –Skype uses strong encryption of not only communications content but also of signaling traffic as well, making its communication difficult to decipher.For networks that are subject to strict legal or administrative regulations, Skype should be banned to prevent unauthorized communications. For other Open networks, Skype is a blessing from above and the best application out there till date. So all in all its Thumbs Up for Skype.

VoIP - Best Practices: 1. Develop appropriate network architecture–     Separate voice and data onlogically different networks (If Feasible). Use strongauthentication and access control on the voice gatewaysystem. Use IPsec or Secure Shell (SSH) for remote management and auditing access. Stateful packet filters can track the state of connections and provide the functionality of denying packets.

2. VoIP-ready firewalls and other appropriate protection mechanisms should be employed – VoIP-ready firewalls are essential components in the VoIP network and should be used. If permitted, state of-the-art intrusion detection and prevention systems should also be installed. 3. Do not use “Softphone” system – “Softphone” system implies systems which implement VoIP using an ordinary PC with a headset and special software. Readers are advised to avoid use of Softphone systems. Worms, viruses and other malicious software are extraordinarily common on PCs connected to the internet and very difficult to defend against. 4. Tighten physical security control – Even if encryption is used, physical access to VoIP servers and gateways may allow an attacker to do traffic analysis or compromise the systems. Adequate physical security should be in place to restrict access to VoIP components. 5. Maintain current patch levels – Vulnerability in the operation system, software, and servers are the targets of attackers. 6. Apply encryption selectively – Encryption is necessary to defeat eavesdropping attack. Transport layer security and IPsec are two main encryption methods. TLS is an alternative to IPsec and is based off the SSL protocol. Many different algorithms can be used such as DES, 3DES, AES, RC4 and RC5. The simpler encryption results in better performance.

References 1. 2. 3. 4. “VoIP Security Vulnerabilities”- Paper by SANS Institute InfoSec Reading Room “The Business Case of Enterprise VoIP”- White Paper by Intel http://www.um-labs.com/docs/voip_security_threats.pdf “VoIP: The Evolving Solution and the Evolving Threat”- White Paper by Internet Security Systems 5. http://skype.com/security/ 6. http://skype.com/business/security/

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close