Nicolas FISCHBACH Senior Manager, IP Engineering/Security - COLT Telecom [email protected] - http://www.securite.org/nico/
version 1.0
Voice over IP (VoIP) security
PacSec.JP/core04
© 2004 Nicolas FISCHBACH
Introduction
» Voice over IP and IP telephony
» Network convergence
  > Telephone and IT
  > PoE (Power over Ethernet)
» Mobility and Roaming
» Telco
  > Switched -> Packet (IP)
  > Closed world -> Open world
» Vendors and Time to Market
» Security and privacy
  > IPhreakers
  > VoIP vs 3G
Architecture : protocols
» Signaling
  > User location
  > Session
    - Setup
    - Negotiation
    - Modification
    - Closing
» Transport
  > Encoding, transport, etc.
Architecture : protocols
» SIP
  > IETF - 5060/5061 (TLS) - “HTTP-like, all in one”
  > Proprietary extensions
  > Protocol becoming an architecture
  > “End-to-end” (between IP PBX)
    - Inter-AS MPLS VPNs
    - Transitive trust
  > IM extensions (SIMPLE)
» H.323
  > Protocol family
  > H.235 (security), Q.931+H.245 (management), RTP, CODECs, etc.
  > ASN.1
Architecture : protocols
» RTP (Real Time Protocol)
  > 5004/udp
  > RTCP
  > No QoS/bandwidth management
  > Packet reordering
  > CODECs
    - old: G.711 (PSTN/POTS - 64Kb/s)
    - current: G.729 (8Kb/s)
Architecture : network
» LAN
  > Ethernet (routers and switches)
  > xDSL/cable/WiFi
  > VLANs (data/voice+signaling)
» WAN
  > Internet
  > VPN
    - Leased line
    - MPLS
Architecture : network
» QoS (Quality of service)
  > Bandwidth
  > Latency (150-400ms) and Jitter (<<150ms)
  > Packet loss (1-3%)
Architecture : systems
» Systems
  > SIP Proxy
  > Call Manager/IP PBX
    - User management and reporting (HTTP, etc)
    - Off-path with IP
  > H.323: GK (GateKeeper)
  > Authentication server (Radius)
  > Billing servers (CDR/billing)
  > DNS, TFTP, DHCP servers
Architecture : systems
» Voice Gateway (IP-PSTN)
  > Gateway Control Protocols
  > Signaling: SS7 interface
    - Media Gateway Controller. Controls the MG (Megaco/H.248). SIP interface
    - Signaling Gateway. Interface between MGC and SS7. MxUA, SCTP - ISUP, Q.931
  > Transport
    - Media Gateway: audio conversion
Architecture : firewall/VPN
» Firewall
  > “Non-stateful” filtering
  > “Stateful” filtering
  > Application layer filtering (ALGs)
  > NAT / “firewall piercing”
    - (H.323 : 2xTCP, 4x dynamic UDP - 1719,1720)
    - (SIP : 5060/udp)
» Encrypted VPN
  > SSL/TLS
  > IPsec
  > Where to encrypt (LAN-LAN, phone-phone, etc) ?
» Impact on QoS
» What is IPv6 going to change ?
Architecture : phones
» IP phones
  > Softphone or Hardphone ?
  > “Toaster”
    - Updates/patches
    - Intelligence
  > Intelligence removed from the network and put on the end device
  > Flows between the phone and other systems
    - SIP
    - RTP
    - (T)FTP
    - CRL
    - etc.
Architecture : example
[Diagram: internet, LAN, IP VPN (MPLS) and PSTN; two IP PBXs and a voice gateway/GSM (VGW/GSM); SIP signaling and voice flows, POTS on the PSTN side]
Other phone networks
» POTS/PSTN [TDM]
» “Wireless”/DECT phone
» GSM
» Satellite
» Signaling (SS7)
Attacks
» IPhreakers
  > IP knowledge
  > Known weaknesses
  > Evolution 2600Hz -> voicemail/int’l GWs -> IP telephony
  > Internal or external threat ?
  > Targets: home user, enterprise, government, etc ?
» Protocol implementations
  > PROTOS
» The human element
Attacks : denial of service
» Denial of service
  > Network
  > Protocol (SIP INVITE)
  > Systems / Applications
  > Phone
» Availability (BC/DR)
  > Requires: power
  > Alternatives (Business Continuity/Disaster Recovery) ?
  > E911 (laws and technical aspect)
  > GSM
  > PSTN-to-GSM
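The slide names SIP INVITE as a protocol-level denial-of-service vector. As an added example (not from the original slides), the Python below flags sources whose INVITE rate exceeds a sliding-window limit in constructed SIP proxy log lines; the log format, field order and thresholds are assumptions made for this example.

```python
"""SIP INVITE flood detector (added example, not from the original slides).
Assumed log format, one request per line:
    "<epoch-seconds> <src-ip>:<src-port> <METHOD> <Request-URI>"
"""
import re
from collections import defaultdict, deque

# Request line as logged by an assumed SIP proxy; not a real product format.
LOG_RE = re.compile(r"^(\d+(?:\.\d+)?) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) ([A-Z]+) (\S+)$")

def parse_line(line):
    """Return (timestamp, src_ip, method), or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return float(m.group(1)), m.group(2), m.group(4)

def find_invite_floods(lines, max_invites=5, window=1.0):
    """Return {src_ip: timestamp} for each source sending more than max_invites
    INVITEs within any sliding window of `window` seconds; the timestamp is the
    request that first crossed the limit. Other methods (REGISTER, ACK, ...) are
    ignored, as is any line that does not parse."""
    recent = defaultdict(deque)  # src_ip -> timestamps of INVITEs still in window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, method = parsed
        if method != "INVITE":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire INVITEs older than the window
            q.popleft()
        if len(q) > max_invites and src not in flagged:
            flagged[src] = ts
    return flagged

# Constructed sample: a normal caller (192.0.2.10), one unparseable line, and a
# source (198.51.100.7) sending eight INVITEs within 0.7 seconds.
SAMPLE_LOG = [
    "1000.0 192.0.2.10:5060 REGISTER sip:pbx.example",
    "1000.5 192.0.2.10:5060 INVITE sip:1001@pbx.example",
    "1001.0 192.0.2.10:5060 ACK sip:1001@pbx.example",
    "not a sip log line",
] + [f"{1002 + i / 10:.1f} 198.51.100.7:5060 INVITE sip:{2000 + i}@pbx.example"
     for i in range(8)]

if __name__ == "__main__":
    print(find_invite_floods(SAMPLE_LOG))  # {'198.51.100.7': 1002.5}
```

In production the same window logic would feed a rate-limit or alert rather than a print, and the threshold would be tuned per trunk.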
Attacks : fraud
» Call-ID spoofing
» User rights takeover
  > Fake authentication server
» Effects
  > Access to voicemail
  > Value added numbers
  > Social engineering
  > Replay
Attacks : interception
» Interception
  > Discussion
  > “Who talks with who”
    - Network sniffing
    - Servers (SIP, CDR, etc)
» LAN
  > Physical access to the LAN
  > ARP attacks
  > Unauthenticated devices (phones and servers)
  > Different layers (MAC address, user, physical port, etc)
Attacks : interception
» Where to intercept ?
  > Where is the user located ?
  > Networks crossed ?
» Lawful Intercept
  > CALEA
  > ETSI standard
  > Architecture and risks
Attacks : systems
» Systems
  > Most are not hardened by default
  > Worms, exploits, Trojan horses
Attacks : phone
» (S)IP phone
  > Startup
    - DHCP, TFTP, etc.
  > Physical access
    - Hidden configuration tabs
  > TCP/IP stacks
  > Firmware/configuration
  > Trojan horse/rootkit
Defense
» Signaling: SIP
  > Secure SIP vs SS7 (physical security)
» Transport: Secure RTP (with MIKEY)
» Network: QoS [LLQ] (and rate-limit)
» Firewall: application level filtering
» Phone: signed firmware
» Identification: TLS
  > Clients by the server
  > Servers by the client
» 3P: project, security processes and policies
Conclusion
» Conclusion
» Other presentations
  > Backbone and Infrastructure Security
    - http://www.securite.org/presentations/secip/
  > (Distributed) Denial of Service
    - http://www.securite.org/presentations/ddos/
» Q&A
Image: www.shawnsclipart.com/funkycomputercrowd.html