Date posted: 19-Dec-2015 (Category: Documents)
Network and VoIP Security: More Important Than Ever
Mark D. Collier, Chief Technology Officer, SecureLogix ([email protected])
Outline
- General Security Trends: good news, bad news, going forward
- Network-Based Security
- Managed Security Services
- Internal Application/VoIP Security
General Security Trends: Some Good News
- Basic security measures, such as anti-virus, firewalls, and anti-spyware, are ubiquitously deployed
- Average losses due to security breaches are up, but down significantly from 2001 and 2002 (*)
- The number of incidents is down (*)
- Incidents are being reported at a greater rate (*)
(*) Source: 2007 Computer Crime and Security Survey
General Security Trends: Some Bad News
- Signature-based detection systems are being pushed to the limit
- The platforms, networks, and applications are getting more and more complex
- Attacks are becoming increasingly complex
- Perimeter security has many issues
- Security funding is a small part of IT spending: no more than 10% and often less than 5% (*)
- Targeted attacks are increasing (*)
(*) Source: 2007 Computer Crime and Security Survey
General Security Trends: Going Forward
- Increased deployment of Intrusion Detection and Prevention Systems (IDSs and IPSs)
- Possible increase in the use of Network Admission Control (NAC)
- Network-based security solutions are available
- Managed Security Services solutions are available
- Increased focus on internal application security
- New applications such as Voice over IP (VoIP) are moving onto the data network
Network-based Security: Introduction
- Enterprise customers are deploying firewalls, IDSs/IPSs, AV, and anti-SPAM on the network edge
- Some disadvantages:
  - Expensive
  - Multiple vendors and difficult to manage
  - Does not scale well
[Diagram: client enterprises connect at their edge, through a 3rd party network, to the primary provider IP network; security is deployed at each enterprise edge]
Network-based Security: Introduction (continued)
- Network-based security embeds security capability in the network
- Some advantages:
  - Leverages security capability in the network
  - Centralized management
  - Scales better
[Diagram: client enterprises connect at their edge, through a 3rd party network, to the AT&T IP network, which provides VPN, firewall, IDS, anti-virus, etc.]
Network-based Security: Advantages
- Leverages security expertise
- Greatly assists with threat reconnaissance
- Broad network visibility allows greater awareness of, and earlier warning about, attacks
- The impact of major worm attacks is seen well in advance of when they become a threat to an enterprise
- The only real solution to DoS and DDoS attacks
- A great defense-in-depth approach
- Still may need network defense and internal security
Network-based Security: Early Detection of Attacks
[Diagram: attack lifecycle phases with example activities in each; the diagram is labeled Preventive Phase (Defense), Reactive Phase (Defense), and AT&T Security Service Primary Emphasis]
  Reconnaissance:  Web-Based Information Collection; Social Engineering
  Scanning:        Broad Network Mapping; Targeted Scan
  System Access:   Service Vulnerability Exploitation; Password Guessing
  Damage:          DDoS Zombie Code Installation; System File Delete
  Track Coverage:  Log File Changes; Use of Stolen Accounts for Attack
Network-based Security: DoS and DDoS Attacks
[Diagram: a targeted server, the AT&T IP backbone, and the enterprise server]
Network-based Security: AT&T Offerings
- Capability areas: Policy Management, Identity Management, Intrusion Management, Perimeter Security, Secure Connectivity, Monitoring & Mgmt, Incident Management
- Network-Based Security Platform: AT&T Internet Protect®
- Offerings: AT&T DDoS Defense, AT&T My Internet Protect, AT&T Private Intranet Protect, AT&T Network-Based Firewalls, AT&T Secure E-Mail Gateway, AT&T Web Security Services
Managed Security Services: Introduction
- Managed Security Services (MSS) are a viable alternative to in-house security staffing
- Leverage experienced staff who are familiar with security processes and products
- Often more cost effective
- Eliminates the need to retain and train staff
- Security assessments/audits are commonly outsourced
Managed Security Services: Enterprise Penetration
[Chart; (*) Source: 2007 Computer Crime and Security Survey]
Managed Security Services: Assessments/Audits
[Chart; (*) Source: 2007 Computer Crime and Security Survey]
Managed Security Services: AT&T Offerings
- Premises-Based Firewalls
- Managed Intrusion Detection
- Endpoint Security Service
- Token Authentication
Application/VoIP Security: Introduction
- Despite the availability of network-based security, managed services, and customer-premise edge security, securing applications is still important
- Voice over IP (VoIP) is one internal application that must be secured
Gathering Information: Footprinting
Public Website Research: Introduction
- An enterprise website often contains a lot of information that is useful to a hacker:
  - Organizational structure and corporate locations
  - Help and technical support
  - Job listings
  - Phone numbers and extensions
Public Website Research: Countermeasures
- It is difficult to control what is on your enterprise website, but it is a good idea to be aware of what is on it
- Try to limit the amount of detail in job postings
- Remove technical detail from help desk web pages
Google Hacking: Introduction
- Google is incredibly good at finding details on the web:
  - Vendor press releases and case studies
  - Resumes of VoIP personnel
  - Mailing lists and user group postings
  - Web-based VoIP logins
Google Hacking: Countermeasures
- Determine what your exposure is
- Be sure to remove any VoIP phones which are visible to the Internet
- Disable the web servers on your IP phones
- There are services that can help you monitor your exposure: www.cyveilance.com, ww.baytsp.com
Gathering Information: Scanning
Host/Device Discovery and Identification
- Consists of various techniques used to find hosts:
  - Ping sweeps
  - ARP pings
  - TCP ping scans
  - SNMP sweeps
- After hosts are found, the type of device can be determined
- Classifies each host/device by operating system
- Once hosts are found, tools can be used to find available network services
Host/Device Discovery: Ping Sweeps/ARP Pings
[Slide; no text recovered]
Host/Device Discovery: Countermeasures
- Use firewalls and Intrusion Prevention Systems (IPSs) to block ping and TCP sweeps
- VLANs can help isolate ARP pings
- Ping sweeps can be blocked at the perimeter firewall
- Use the secure version of SNMP (SNMPv3)
- Change the default SNMP community strings (such as "public")
Gathering Information: Enumeration
Enumeration: Introduction
- Involves testing open ports and services on hosts/devices to gather more information
- Includes running tools to determine if open services have known vulnerabilities
- Also involves scanning for VoIP-unique information such as phone numbers
- Includes gathering information from TFTP servers and SNMP
Vulnerability Testing: Tools
[Slide; no text recovered]
Vulnerability Testing: Countermeasures
- The best solution is to upgrade your applications and make sure you continually apply patches
- Some firewalls and IPSs can detect and mitigate vulnerability scans
TFTP Enumeration: Introduction
- Almost all phones we tested use TFTP to download their configuration files
- The TFTP server is rarely well protected
- If you know or can guess the name of a configuration or firmware file, you can download it without even specifying a password
- The files are downloaded in the clear and can be easily sniffed
- Configuration files have usernames, passwords, IP addresses, etc. in them
TFTP Enumeration: Countermeasures
- It is difficult not to use TFTP, since it is so commonly used by VoIP vendors
- Some vendors offer more secure alternatives
- Firewalls can be used to restrict access to TFTP servers to valid devices
SNMP Enumeration: Introduction
- SNMP is enabled by default on most IP PBXs and IP phones
- Simple SNMP sweeps will garner lots of useful information
- If you know the device type, you can use snmpwalk with the appropriate OID
- You can find the OID using the Solarwinds MIB
- Default "passwords", called community strings, are common
SNMP Enumeration: Countermeasures
- Disable SNMP on any devices where it is not needed
- Change the default public and private community strings
- Try to use SNMPv3, which supports authentication
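The following checker, added here as an illustration and not code from the presentation, audits the SNMP countermeasures above against a device configuration. It assumes IOS-style "snmp-server community" and "snmp-server user ... v3" lines, and the sample configuration is constructed.

```python
import re

# Constructed sample device configuration (IOS-style syntax assumed for
# illustration; not taken from the presentation).
SAMPLE_CONFIG = """\
hostname ip-pbx-01
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cret-ro RO
snmp-server group VOIPMON v3 priv
snmp-server user voipmon VOIPMON v3 auth sha AuthPass123 priv aes 128 PrivPass123
"""

# Vendor-default community strings that the slides warn about.
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_snmp(config: str) -> list:
    """Return (severity, message) findings for the SNMP configuration."""
    findings = []
    # SNMPv1/v2c communities: name plus optional RO/RW access mode.
    communities = re.findall(r"^snmp-server community (\S+)(?:\s+(RO|RW))?",
                             config, re.M)
    # SNMPv3 users (authentication, optionally privacy).
    v3_users = re.findall(r"^snmp-server user (\S+) (\S+) v3", config, re.M)

    for name, mode in communities:
        if name.lower() in DEFAULT_COMMUNITIES:
            findings.append(("high", f"default community string '{name}' "
                                     f"({mode or 'RO'}) still in use"))
        elif mode == "RW":
            findings.append(("high", f"read-write community '{name}' allows "
                                     f"remote reconfiguration"))
        else:
            findings.append(("medium", f"SNMPv1/v2c community '{name}' is sent "
                                       f"in the clear; prefer SNMPv3"))
    if communities and not v3_users:
        findings.append(("medium", "no SNMPv3 users configured; only v1/v2c "
                                   "access is available"))
    if not communities and not v3_users:
        findings.append(("info", "no SNMP configured (fine if the device "
                                 "does not need it)"))
    return findings
```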
Attacking The Network: Network DoS
Network Infrastructure DoS
- The VoIP network and supporting infrastructure are vulnerable to attacks
- VoIP media/audio is particularly susceptible to any DoS attack which introduces latency and jitter
- Attacks include:
  - Flooding attacks
  - Network availability attacks
  - Supporting infrastructure attacks
Flooding Attacks: Introduction
- Flooding attacks generate so many packets at a target that it is overwhelmed and can't process legitimate requests
Flooding Attacks: Countermeasures
- Layer 2 and 3 QoS mechanisms are commonly used to give priority to VoIP media (and signaling)
- Use rate limiting in network switches
- Use anti-DoS/DDoS products
- Some vendors have DoS support in their products (in newer versions of software)
Network Availability Attacks
- This type of attack involves an attacker trying to crash the underlying operating system:
  - Fuzzing: sending malformed packets which exploit a weakness in software
  - Packet fragmentation
  - Buffer overflows
Network Availability Attacks: Countermeasures
- A network IPS is an inline device that detects and blocks attacks
- Some firewalls also offer this capability
- Host-based IPS software also provides this capability
Supporting Infrastructure Attacks
- VoIP systems rely heavily on supporting services such as DHCP, DNS, TFTP, etc.
- DHCP exhaustion is an example, where a hacker uses up all the IP addresses, denying service to VoIP phones
- DNS cache poisoning involves tricking a DNS server into using a fake DNS response
Supporting Infrastructure Attacks: Countermeasures
- Configure DHCP servers not to lease addresses to unknown MAC addresses
- DNS servers should be configured to analyze information from non-authoritative servers and drop any response not related to an outstanding query
Attacking The Network: Eavesdropping
Network Eavesdropping: Introduction
- VoIP configuration files, signaling, and media are vulnerable to eavesdropping
- Attacks include:
  - TFTP configuration file sniffing (already discussed)
  - Number harvesting and call pattern tracking
  - Conversation eavesdropping
- By sniffing signaling, it is possible to build a directory of numbers and track calling patterns
- voipong automates the process of logging all calls
- Wireshark is very good at sniffing VoIP signaling
Conversation Recording: Wireshark
[Slide; no text recovered]
Conversation Recording: Other Tools
- Other tools include:
  - vomit
  - voipong
  - voipcrack (not public)
  - DTMF decoder
Network Eavesdropping: Countermeasures
- Use encryption:
  - Many vendors offer encryption for signaling
  - Use Transport Layer Security (TLS) for signaling
  - Many vendors offer encryption for media
  - Use the Secure Real-time Transport Protocol (SRTP)
  - Use ZRTP
  - Use proprietary encryption if you have to
Attacking The Network: Network/Application Interception
Network Interception: Introduction
- The VoIP network is vulnerable to Man-In-The-Middle (MITM) attacks, allowing:
  - Eavesdropping on the conversation
  - Causing a DoS condition
  - Altering the conversation by omitting, replaying, or inserting media
  - Redirecting calls
Network Interception: ARP Poisoning
- The most common network-level MITM attack is ARP poisoning
- Involves tricking a host into thinking the MAC address of the attacker is the intended address
- There are a number of tools available to support ARP poisoning:
  - Cain and Abel
  - ettercap
  - Dsniff
  - hunt
[Slide: Network Interception: ARP Poisoning; no text recovered]
Network Interception: Countermeasures
- Some countermeasures for ARP poisoning are:
  - Static OS mappings
  - Switch port security
  - Proper use of VLANs
  - Signaling encryption/authentication
  - ARP poisoning detection tools, such as arpwatch
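As an added example of the arpwatch-style detection listed above (not code from the presentation or from arpwatch itself), this monitor keeps the MAC last seen for each IP and reports changed mappings and one MAC answering for several IPs. The ARP replies and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ARP replies as (timestamp, sender IP, sender MAC);
# addresses are made up, not taken from the presentation.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),   # gateway, legitimate
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),  # IP phone, legitimate
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),
    (5.0, "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by another MAC
    (5.1, "10.0.0.20", "de:ad:be:ef:00:99"),  # same MAC also claims the phone
    (6.0, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway answers: flip-flop
]


class ArpWatch:
    """Minimal arpwatch-style monitor over observed ARP replies."""

    def __init__(self):
        self.ip_to_mac = {}                    # last MAC seen for each IP
        self.mac_to_ips = defaultdict(set)     # every IP a MAC has claimed

    def observe(self, ts, ip, mac):
        """Record one reply; return the alerts it raises (possibly none)."""
        alerts = []
        prev = self.ip_to_mac.get(ip)
        if prev is None:
            alerts.append(f"{ts}: new station {ip} is-at {mac}")
        elif prev != mac:
            # A changed mapping is the classic poisoning symptom (it can also
            # be a legitimate DHCP move, so compare against known static entries).
            alerts.append(f"{ts}: changed mapping {ip} {prev} -> {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            ips = ", ".join(sorted(self.mac_to_ips[mac]))
            alerts.append(f"{ts}: {mac} claims multiple IPs: {ips}")
        return alerts


def run_watch(replies):
    """Feed a sequence of replies through one ArpWatch; return all alerts."""
    watch, alerts = ArpWatch(), []
    for ts, ip, mac in replies:
        alerts.extend(watch.observe(ts, ip, mac))
    return alerts
```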
Attacking The Application
- VoIP systems are vulnerable to application attacks against the various VoIP protocols
- Attacks include:
  - Fuzzing attacks
  - Flood-based DoS
  - Signaling and media manipulation
Attacking The Application: Fuzzing
Fuzzing: Introduction
- Fuzzing describes attacks where malformed packets are sent to a VoIP system in an attempt to crash it
- Research has shown that VoIP systems, especially those employing SIP, are vulnerable to fuzzing attacks
- There are many public domain tools available for fuzzing:
  - Protos suite
  - Asteroid
  - Fuzzy Packet
  - NastySIP
  - Scapy
  - SipBomber
  - SFTF
  - SIP Proxy
  - SIPp
  - SIPsak
Fuzzing: Commercial Tools
- There are some commercial tools available:
  - Beyond Security BeStorm
  - Codenomicon
  - MuSecurity Mu-4000 Security Analyzer
  - Security Innovation Hydra
  - Sipera Systems LAVA tools
Fuzzing: Countermeasures
- Make sure your vendor has tested their systems for fuzzing attacks
- Consider running your own tests
- A VoIP-aware IPS can monitor for and block fuzzing attacks
Attacking The Application: Flood-Based DoS
- Several tools are available to generate floods at the application layer:
  - rtpflood: generates a flood of RTP packets
  - inviteflood: generates a flood of SIP INVITE packets
  - SiVuS: a tool with a GUI that enables a variety of flood-based attacks
- Virtually every device we tested was susceptible to these attacks
Flood-Based DoS: Countermeasures
- There are several countermeasures you can use for flood-based DoS:
  - Use VLANs to separate networks
  - Use TCP and TLS for SIP connections
  - Use rate limiting in switches
  - Enable authentication for requests
  - Use SIP firewalls/IPSs to monitor and block attacks
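To show the rate-limiting countermeasure in working form (an added example, not code from the presentation or any SIP IPS product), the following sliding-window limiter caps SIP INVITEs per source IP, the pattern an inviteflood-style burst produces. Thresholds, timestamps (milliseconds) and the request records are constructed.

```python
from collections import defaultdict, deque

# Constructed sample of (timestamp_ms, source_ip, sip_method) records, as a
# SIP proxy or IPS would see them; one source bursts 120 INVITEs in ~1.2 s.
SAMPLE_REQUESTS = (
    [(100, "10.1.1.10", "INVITE"), (400, "10.1.1.11", "REGISTER"),
     (900, "10.1.1.10", "BYE")]
    + [(1000 + i * 10, "10.1.1.99", "INVITE") for i in range(120)]
    + [(2500, "10.1.1.12", "INVITE")]
)


class SipRateLimiter:
    """Allow at most `limit` INVITEs per source within any `window_ms` span;
    excess INVITEs are dropped and counted, as a SIP-aware IPS would do."""

    def __init__(self, limit=20, window_ms=1000):
        self.limit, self.window_ms = limit, window_ms
        self.recent = defaultdict(deque)   # source -> timestamps of accepted INVITEs
        self.dropped = defaultdict(int)    # source -> number of dropped INVITEs

    def accept(self, ts, src, method):
        """Return True if the request may pass, False if it is dropped."""
        if method != "INVITE":
            return True                    # only INVITEs are limited here
        q = self.recent[src]
        while q and ts - q[0] >= self.window_ms:
            q.popleft()                    # expire timestamps outside the window
        if len(q) >= self.limit:
            self.dropped[src] += 1
            return False
        q.append(ts)
        return True


def filter_requests(records, limit=20, window_ms=1000):
    """Return (accepted_records, dropped_counts_per_source)."""
    limiter = SipRateLimiter(limit, window_ms)
    accepted = [r for r in records if limiter.accept(*r)]
    return accepted, dict(limiter.dropped)
```

Counting drops per source is what makes the limiter useful as a detector as well: a source that is repeatedly dropped is the one to block at the switch or firewall.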
Attacking The Application: Signaling/Media Manipulation
[Diagram: Registration Manipulation: an attacker positioned between the users' UAs and the proxies hijacks the session and the media]
[Diagram: Session Teardown: the attacker sends BYE messages to the UAs, tearing down the call between the two users]
[Diagram: IP Phone Reboot: the attacker sends check-sync messages to a UA, causing the phone to reboot]
[Diagram: Audio Insertion/Mixing: the attacker sees the media packets and inserts or mixes in new audio]
Signaling/Media Manipulation: Countermeasures
- Some countermeasures for signaling and media manipulation include:
  - Use digest authentication where possible
  - Use TCP and TLS where possible
  - Use SIP-aware firewalls/IPSs to monitor for and block attacks
  - Use audio encryption to prevent RTP injection/mixing
Social Attacks: Voice SPAM
Voice SPAM: Introduction
- Voice SPAM refers to bulk, automatically generated, unsolicited phone calls
- Similar to telemarketing, but occurring at the frequency of email SPAM
- Not an issue yet, but will become prevalent when:
  - The network makes it very inexpensive or free to generate calls
  - Attackers have access to VoIP networks that allow generation of a large number of calls
- It is easy to set up a voice SPAM operation, using Asterisk, tools like "spitter", and free VoIP access
Voice SPAM: Countermeasures
- Some potential countermeasures for voice SPAM are:
  - Authenticated identity movements, which may help to identify callers
  - Legal measures
  - Network-based filtering
  - Enterprise voice SPAM filters:
    - Black lists/white lists
    - Approval systems
    - Audio content filtering
    - Turing tests
Social Attacks: Phishing
VoIP Phishing: Introduction
- Similar to email phishing, but with a phone number delivered through email or voice
- When the victim dials the number, the recording requests entry of personal information
VoIP Phishing: Countermeasures
- Traditional email spam/phishing countermeasures come into play here
- Educating users is key
Final Thoughts
- General network security is improving in some ways, but new threats are emerging
- Network-based security and managed security services can be used to improve enterprise security
- Don't neglect internal security and key applications