Voip security

Date post: 19-Feb-2017
Upload: shethwala-ridhvesh

Page 1: Voip security

VoIP Security

Ridhvesh Shethwala – 15mcei27

Page 2: Voip security

Outline

- Introduction
- What is VoIP?
- How does VoIP work?
- Protocols used in VoIP
- Security attacks on VoIP systems
- How can we prevent them?
- Conclusion
- References

Page 3: Voip security

Network Features | PSTN (Voice)               | VoIP (Voice)
Switch           | Circuit switched           | Packet switched
Connection       | Connection oriented        | Connection oriented
Bit rate         | Fixed and low (<= 64 kb/s) | Standard bit rate
Bursts           | Nonexistent                |
Error tolerance  | User error control         | Self error control
Info resending   | Cannot (real time)         | Can
Delay            | Must be low and stable     | Very low delay

Page 4: Voip security

What is VoIP?

VoIP (Voice over Internet Protocol) is a voice transmission technology based on IP networks: instead of the traditional analog telephone line, it allows people to make telephone calls over broadband Internet connections.

In other words, just by installing network telephone software on the PCs at each end, people can talk to each other through the IP network.

With the development of network technology, IP telephony grew from PC-to-PC calls to IP-to-PSTN, PSTN-to-IP, PSTN-to-PSTN and IP-to-IP calls, etc.

Page 5: Voip security
Page 6: Voip security

How does VoIP work?

Sender: Analog signal → Convert analog to digital signal → Compress → Encode → Packetize → Transmit through the IP network

Receiver: Decode → Decompress → Convert digital to analog signal
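The pipeline above (analog to digital, compress/encode, packetize, and the reverse at the receiver) as an added, runnable illustration that is not part of the original slides: a constructed sine tone stands in for the analog signal, G.711 μ-law (the PCMU codec that RTP payload type 0 carries) performs the compress/encode step, and the encoded bytes are cut into 20 ms frames, the usual VoIP packetization interval. The tone, the frame size and the timestamp convention are assumptions made for this example, not values taken from the slides.

```python
import math

# G.711 mu-law (PCMU) constants following the classic reference implementation:
# the bias and the segment boundaries are applied to a 14-bit magnitude.
_BIAS = 0x84
_CLIP = 8159
_SEG_END = (0x3F, 0x7F, 0xFF, 0x1FF, 0x3FF, 0x7FF, 0xFFF, 0x1FFF)

SAMPLE_RATE = 8000                                   # narrowband telephony: 8000 samples/s
FRAME_MS = 20                                        # typical VoIP packetization interval
SAMPLES_PER_FRAME = SAMPLE_RATE * FRAME_MS // 1000   # 160 samples = 160 bytes of PCMU


def ulaw_encode(sample: int) -> int:
    """Compress one 16-bit signed PCM sample to an 8-bit mu-law code."""
    if sample < 0:
        mask, mag = 0x7F, (-sample) >> 2      # drop to 14 bits, remember the sign
    else:
        mask, mag = 0xFF, sample >> 2
    mag = min(mag, _CLIP) + (_BIAS >> 2)      # clip, then add the bias (33 in 14-bit units)
    seg = next((i for i, end in enumerate(_SEG_END) if mag <= end), 8)
    if seg >= 8:
        return 0x7F ^ mask                    # saturated
    code = (seg << 4) | ((mag >> (seg + 1)) & 0x0F)
    return code ^ mask                        # mu-law transmits the bits inverted


def ulaw_decode(code: int) -> int:
    """Expand one 8-bit mu-law code back to a 16-bit signed PCM sample."""
    code = ~code & 0xFF
    t = ((code & 0x0F) << 3) + _BIAS
    t <<= (code & 0x70) >> 4
    return _BIAS - t if code & 0x80 else t - _BIAS


def tone(freq_hz: float, duration_ms: int, amplitude: int = 8000) -> list:
    """Constructed 'analog' input: a sampled sine tone as 16-bit PCM values."""
    n = SAMPLE_RATE * duration_ms // 1000
    return [int(amplitude * math.sin(2 * math.pi * freq_hz * i / SAMPLE_RATE)) for i in range(n)]


def packetize(samples: list) -> list:
    """Encode the PCM stream and split it into 20 ms payloads.
    Each entry is (rtp_timestamp, payload); the timestamp advances by 160 per
    frame because RTP counts sampling instants, not milliseconds."""
    encoded = bytes(ulaw_encode(s) for s in samples)
    return [(offset, encoded[offset:offset + SAMPLES_PER_FRAME])
            for offset in range(0, len(encoded), SAMPLES_PER_FRAME)]


def depacketize(frames: list) -> list:
    """Receiver side: put frames back in timestamp order, then decode to PCM."""
    pcm = []
    for _, payload in sorted(frames):
        pcm.extend(ulaw_decode(b) for b in payload)
    return pcm


def max_roundtrip_error(samples: list) -> int:
    """Largest absolute difference after encode -> packetize -> decode,
    i.e. the quantization error the codec introduces."""
    decoded = depacketize(packetize(samples))
    return max(abs(a - b) for a, b in zip(samples, decoded))


if __name__ == "__main__":
    pcm = tone(440, 1000)                     # one second of a 440 Hz tone
    frames = packetize(pcm)
    print(len(frames), "frames of", len(frames[0][1]), "bytes;",
          "max round-trip error:", max_roundtrip_error(pcm))
```

One second of audio becomes 50 payloads of 160 bytes, which is why a single lost RTP packet costs exactly 20 ms of speech; the receiver's reorder-by-timestamp step is what a jitter buffer does in a real phone.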

Page 7: Voip security

How does VoIP work? (Cont.)

Page 8: Voip security

Protocols used in VoIP

- RTP
- SIP
- MGCP
- H.323

Page 9: Voip security

RTP

The Real-Time Transport Protocol (RTP) is an Internet standard protocol used to transfer real-time data such as audio and video. It can be used for IP telephony.

RTP consists of two parts: data and control. The control part is called the Real-Time Control Protocol (RTCP).

VoIP uses protocols such as the Real-Time Transport Protocol (RTP) and H.323 to deliver packets over the Internet.

RTP provides support for real-time applications, including timing reconstruction, loss detection, security and content identification.

Page 10: Voip security

RTP (Cont.)

The RTP header carries information about the payload, such as the source address, size and encoding type.

To send an RTP packet on the network, it is carried in a User Datagram Protocol (UDP) datagram, so a UDP header is added. To send the UDP datagram over the IP network, an IP header is added as well.

Figures: RTP data structure; RTP data inside an IP packet

Page 11: Voip security

RTP (Cont.)

RTP features:

- Provides an end-to-end delivery service for real-time data such as audio and video.
- RTP uses timestamps and sequence numbers to implement reliable delivery, flow control and congestion control.
- RTP is only a protocol framework; it is open to new multimedia software.
- RTP and RTCP provide the functions needed to deliver real-time data. RTP and RTCP are not responsible for synchronization or similar higher-level tasks.

Page 12: Voip security

RTCP

The Real-Time Control Protocol carries control information that is used to manage QoS.

It provides support for applications such as real-time conferencing.

This support includes source identification, multicast-to-unicast translation, and synchronization of different media streams.

There are five types of RTCP packets:

I. RR: Receiver Report
II. SR: Sender Report
III. SDES: Source Description items
IV. BYE: indicates that participation is finished
V. APP: application-specific functions
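As an added example (not part of the original deck) that ties Pages 9 to 12 together: build and parse the 12-byte RTP fixed header, tell RTP apart from the five RTCP packet types when both arrive on a shared port, and use the sequence numbers for the loss detection mentioned on Page 9. RTP itself does not retransmit; the sequence numbers let a receiver count what went missing. The SSRC, the payload contents and the dropped packets are constructed values.

```python
import struct

# RTCP packet types from RFC 3550 (the five listed on Page 12).
RTCP_TYPES = {200: "SR", 201: "RR", 202: "SDES", 203: "BYE", 204: "APP"}

# RTP fixed header: V/P/X/CC byte, M/PT byte, sequence, timestamp, SSRC.
RTP_HEADER = struct.Struct("!BBHII")


def build_rtp(seq: int, timestamp: int, ssrc: int, payload: bytes,
              payload_type: int = 0, marker: bool = False) -> bytes:
    """Prepend the 12-byte RTP fixed header. payload_type 0 is PCMU (G.711 mu-law)."""
    first = 2 << 6                                   # version 2, P=0, X=0, CC=0
    second = (0x80 if marker else 0) | (payload_type & 0x7F)
    return RTP_HEADER.pack(first, second, seq & 0xFFFF,
                           timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


def parse_rtp(packet: bytes) -> dict:
    """Decode the fixed header and return its fields plus the payload bytes.
    Rejects truncated packets and anything that is not RTP version 2."""
    if len(packet) < RTP_HEADER.size:
        raise ValueError("packet shorter than the RTP fixed header")
    first, second, seq, ts, ssrc = RTP_HEADER.unpack_from(packet)
    version = first >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    csrc_count = first & 0x0F
    header_len = RTP_HEADER.size + 4 * csrc_count    # optional CSRC list follows
    if len(packet) < header_len:
        raise ValueError("CSRC count exceeds packet length")
    return {
        "padding": bool(first & 0x20),
        "extension": bool(first & 0x10),
        "csrc_count": csrc_count,
        "marker": bool(second & 0x80),
        "payload_type": second & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "payload": packet[header_len:],
    }


def classify(packet: bytes) -> str:
    """Tell RTP from RTCP on a shared socket. RTCP puts its packet type
    (200-204) in the second byte; RTP's second byte is marker+PT, and payload
    types 72-76 are reserved precisely so that this byte cannot collide."""
    if len(packet) < 2:
        return "invalid"
    if 200 <= packet[1] <= 204:
        return "RTCP " + RTCP_TYPES[packet[1]]
    return "RTP"


def count_lost(seqs: list) -> int:
    """Loss detection from received sequence numbers, honouring 16-bit wrap-around.
    Simplified: assumes in-order arrival (RFC 3550 appendix A.3 handles reordering)."""
    lost = 0
    for prev, cur in zip(seqs, seqs[1:]):
        gap = (cur - prev) & 0xFFFF
        if gap > 1:
            lost += gap - 1
    return lost


if __name__ == "__main__":
    # Constructed stream of 20 ms PCMU frames (160 samples each) crossing the
    # sequence-number wrap; the SSRC is an arbitrary sample value.
    ssrc = 0x1234ABCD
    packets = [build_rtp(seq, seq * 160, ssrc, bytes(160)) for seq in range(65533, 65541)]
    received = packets[:3] + packets[5:]             # two packets lost in transit
    seqs = [parse_rtp(p)["seq"] for p in received]
    print("lost:", count_lost(seqs))
    rr = bytes([0x80, 201, 0x00, 0x01]) + (0).to_bytes(4, "big")   # constructed RTCP RR header
    print(classify(rr), "/", classify(packets[0]))
```

The same sequence-number bookkeeping is what an RTCP Receiver Report carries back to the sender as its fraction-lost and cumulative-lost fields, so a monitoring point that sees both directions can compare what the endpoints claim with what it observed.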

Page 13: Voip security

H.323

H.323 is a set of protocols for voice, video and data conferencing over packet-based networks such as the Internet.

The H.323 protocol stack is designed to operate above the transport layer of the underlying network.

H.323 can run on top of any packet-based network transport, such as Ethernet, TCP/UDP/IP, ATM and Frame Relay, to provide real-time multimedia communication. H.323 uses the Internet Protocol (IP) for inter-network conferencing.

Page 14: Voip security

H.323 (Cont.)

Scope of H.323:

- Point-to-point and multipoint conferencing support
- Inter-network interoperability
- Heterogeneous client capabilities
- Audio and video codecs
- Management and accounting support
- Security
- Supplementary services

Page 15: Voip security
Page 16: Voip security

H.323 (Cont.)

Authentication under H.323 can be either symmetric-encryption-based or subscription-based.

For symmetric-encryption-based authentication, no prior contact between the communicating entities is required, because the protocol uses a Diffie-Hellman key exchange to generate a shared secret between the two entities.

According to the H.235 recommendation, subscription-based authentication requires a prior shared secret, and there are three variations of it:

- Password-based with symmetric encryption
- Password-based with hashing
- Certificate-based with signatures

Page 17: Voip security

MGCP

The Media Gateway Control Protocol (MGCP) is a protocol for controlling Voice over IP (VoIP) gateways from external call control elements.

MGCP is an emerging protocol that is receiving wide interest from both the voice and data industries.

MGCP is a protocol for controlling media gateways from call agents. It superseded the Simple Gateway Control Protocol (SGCP).

In a VoIP system, MGCP can be used together with SIP or H.323: SIP or H.323 provides the call control functionality, and MGCP manages media establishment in the media gateways.

Page 18: Voip security

MGCP (Cont.)

Characteristics of MGCP:

-- A master/slave protocol.
-- Assumes limited intelligence at the edge (endpoints) and intelligence at the core (call agent).
-- Operates between call agents and media gateways.
-- Differs from SIP and H.323, which are peer-to-peer protocols.
-- Interoperates with SIP and H.323.

Page 19: Voip security
Page 20: Voip security

MGCP (Cont.)

MGCP provides:

- Call preservation: calls are maintained during failover and failback
- Dial plan simplification: no dial-peer configuration is required on the gateway
- Hook flash transfer
- Tone on hold
- Support for encryption of voice traffic
- Support for Q Interface Signalling Protocol (QSIG) functionality

Page 21: Voip security

SIP

The Session Initiation Protocol is a text-based signaling protocol used for the creation, management and termination of sessions.

It is responsible for the smooth transmission of data packets over the network. It takes the request made by a user to make a call and then establishes the connection between two or more users. When the call is complete, it tears down the session.

Page 22: Voip security

SIP (Cont.)

SIP can be used for two-party (unicast) or multi-party (multicast) sessions. It works together with other application-layer protocols that identify and carry the session media.

The protocol itself provides reliability and does not depend on TCP for it. It also depends on the Session Description Protocol (SDP), which is responsible for negotiating the codec identification.

Page 23: Voip security
Page 24: Voip security

SIP (Cont.)

SIP messages:

- REGISTER: registers a user with a SIP server
- INVITE: invites a user to participate in a call session
- ACK: acknowledges an INVITE request
- CANCEL: cancels a pending request
- OPTIONS: lists information about the capabilities of the caller
- BYE: terminates a connection
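An added example, not from the original slides, showing what these message types look like on the wire: a small parser for a SIP request that extracts the method, the headers and the body, then reads the SDP offer (Page 22) to find the RTP address and port. That port is the one a SIP-aware firewall has to open dynamically (Page 40). The INVITE, its addresses (example.com and the 192.0.2.0/24 documentation range) and the port 49170 are constructed sample values.

```python
# The six request methods listed on Page 24.
KNOWN_METHODS = {"REGISTER", "INVITE", "ACK", "CANCEL", "OPTIONS", "BYE"}

# Constructed sample: an INVITE carrying an SDP offer for a PCMU audio stream.
SAMPLE_SDP = (
    b"v=0\r\n"
    b"o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    b"s=-\r\n"
    b"c=IN IP4 192.0.2.10\r\n"
    b"t=0 0\r\n"
    b"m=audio 49170 RTP/AVP 0\r\n"
    b"a=rtpmap:0 PCMU/8000\r\n"
)
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"To: Bob <sip:bob@example.com>\r\n"
    b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Contact: <sip:alice@192.0.2.10>\r\n"
    b"Content-Type: application/sdp\r\n"
    + (b"Content-Length: %d\r\n\r\n" % len(SAMPLE_SDP))   # computed, so it is always right
    + SAMPLE_SDP
)


def parse_sip_request(raw: bytes) -> dict:
    """Split a SIP request into method, Request-URI, headers and body.
    Header names are folded to lower case; repeated headers accumulate in a list.
    Malformed input raises ValueError instead of being guessed at."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF separating headers from body")
    lines = head.decode("utf-8").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("malformed request line: " + lines[0])
    method, uri, _version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: " + line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    # A Content-Length that disagrees with the real body length is a classic
    # parser-confusion point; reject rather than silently trust either value.
    if "content-length" in headers:
        declared = int(headers["content-length"][0])
        if declared != len(body):
            raise ValueError(f"Content-Length {declared} but body is {len(body)} bytes")
    return {"method": method, "uri": uri, "headers": headers, "body": body,
            "known_method": method in KNOWN_METHODS}


def sdp_audio_endpoint(body: bytes) -> tuple:
    """Return (address, port) of the audio stream from an SDP offer or answer.
    This is the pair a SIP-aware firewall must read to open the RTP pinhole."""
    address, port = None, None
    for line in body.decode("utf-8").splitlines():
        if line.startswith("c=IN IP4 "):
            address = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return address, port


if __name__ == "__main__":
    req = parse_sip_request(SAMPLE_INVITE)
    print(req["method"], req["uri"], "known:", req["known_method"])
    print("Call-ID:", req["headers"]["call-id"][0])
    print("RTP endpoint:", sdp_audio_endpoint(req["body"]))
```

Because SIP is plain text, everything this parser reads (caller identity, Call-ID, media address and port) is visible to anyone on the path unless the signaling is protected with TLS, IPsec or S/MIME as the later slides recommend.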

Page 25: Voip security
Page 26: Voip security

SIP (Cont.)

Services provided by SIP:

- Locate user
- Session establishment
- Session setup negotiation
- Modify session
- Teardown/end session

Page 27: Voip security

Security Aspects of VoIP

Page 28: Voip security

Security Aspects in VoIP

Server authentication: Since VoIP users typically communicate with each other through some VoIP infrastructure that involves servers (gatekeepers, multicast units, gateways), users need to know whether they are talking to the proper server and/or the correct service provider. This applies to both fixed and mobile users.

Page 29: Voip security

Security Aspects in VoIP (cont.)

Voice confidentiality: This is realized through encryption of the voice packets and protects against eavesdropping. In general, the media packets of multimedia applications are encrypted as well as the voice data. Advanced protection of media packets also includes authentication/integrity protection of the payloads.

Page 30: Voip security

Security Aspects in VoIP (cont.)

Call authorization: This is the decision-making process that determines whether the user/terminal is actually permitted to use a service feature or a network resource (QoS, bandwidth, codec, etc.). Most often, authentication and authorization functions are used together to make an access control decision. Authentication and authorization help to thwart attacks like masquerade, misuse and fraud, manipulation and denial of service.

Page 31: Voip security

Security Aspects in VoIP (cont.)

Key Management: This includes not only all tasks that are necessary for securely distributing keying material to users and servers, but also tasks like updating expired keys and replacing lost keys. Key management may be a separate task from the VoIP application (password provisioning) or may be integrated with signalling when security profiles with security capabilities are being dynamically negotiated and session-based keys are to be distributed.

Page 32: Voip security

Security Aspects in VoIP (cont.)

Masquerading: A masquerade is the pretense of an entity to be another entity. Masquerading can lead to charging fraud, breach of privacy and breach of integrity. This attack can be carried out by hijacking a link after authentication has been performed, or by eavesdropping on and subsequently replaying authentication information. Using a masquerade attack, an attacker can gain unauthorized access to VoIP services: the attacker steals the identity of a real user and obtains access by masquerading as that user.

Page 33: Voip security

Security Aspects in VoIP (cont.)

Eavesdropping:

Eavesdropping attacks describe a method by which an attacker is able to monitor the entire signaling and/or data stream between two or more VoIP endpoints, but cannot or does not alter the data itself.

Page 34: Voip security

Security Aspects in VoIP (cont.)

Interception and Modification:

These classes of attacks describe a method by which an attacker can see the entire signaling and data stream between two endpoints, and can also modify the traffic as an intermediary in the conversation.

Page 35: Voip security

Security Aspects in VoIP (cont.)

Denial of Service: A denial of service (DoS) attack is an attack conducted to deliberately cause loss of availability of a service. We identify DoS attacks at several levels: transport level, server level and signaling level.

Transport level: An IP-level DoS attack may be carried out by flooding a target, e.g. by ping of death or Smurf attack.

Server level: Servers may be rendered unusable by modifying stored information in order to prevent authorized users from accessing the service.

Page 36: Voip security

Security Aspects in VoIP (cont.)

Misrepresentation: The term misrepresentation is used generically to mean false or misleading communication. Misrepresentation includes the delivery of information that is false as to the identity, authority or rights of another party, or false as to the content of the information communicated.

Page 37: Voip security

Security Solution in VoIP

Confidentiality: Confidentiality can be achieved by using different encryption techniques, which also provide user authentication. For example, a hashed record key with a shared secret is used between the parties to prevent malicious users from monitoring calls. Such measures should be taken to obtain confidentiality.

Integrity: To protect the source of data we use integrity protection, which provides user authentication. It is used for origin integrity; without integrity control, any non-trusted system can modify the contents without notice.

Page 38: Voip security

Security Solution in VoIP(cont.)

HTTP Digest Authentication: SIP uses the HTTP Digest Authentication method to authenticate data such as passwords. HTTP Digest authentication offers one-way message authentication and replay protection, but it does not protect message integrity or confidentiality.

By transmitting an MD5 or SHA-1 digest of the secret password combined with a random challenge string, HTTP Digest can protect the password.

Although HTTP Digest authentication has the advantage that the identity of the user is encrypted and transmitted as cipher text, if the password is short or weak, the password can be recovered easily from an intercepted hash value.
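As an added example (not code from the slides) of the mechanism described above: the client-side digest computation that SIP borrows from HTTP, in the RFC 2617 form without qop that RFC 3261 permits, and a registrar-side verifier that issues random single-use nonces with a lifetime, which is where the scheme's replay protection comes from. The usernames, realm and passwords are constructed sample values; the verifier stores only HA1 rather than the password and compares digests in constant time.

```python
import hashlib
import hmac
import secrets
import time


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """Client side. RFC 2617 digest without qop, as SIP (RFC 3261 section 22) uses it:
    response = MD5( MD5(username:realm:password) : nonce : MD5(method:uri) )."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestVerifier:
    """Registrar side. Keeps HA1 per user (never the password), hands out
    random nonces that expire and may succeed only once, and compares in
    constant time so a wrong response cannot be distinguished by timing."""

    def __init__(self, realm: str, nonce_ttl: float = 300.0, now=time.time):
        self.realm = realm
        self.nonce_ttl = nonce_ttl
        self._now = now                 # injectable clock, useful for tests
        self._ha1 = {}                  # username -> HA1
        self._nonces = {}               # nonce -> issue time
        self._used = set()              # nonces already accepted once

    def enroll(self, username: str, password: str) -> None:
        # Constructed sample credentials in the tests; real provisioning would
        # deliver HA1 from a secure store, never a clear-text password.
        self._ha1[username] = md5_hex(f"{username}:{self.realm}:{password}")

    def challenge(self) -> str:
        """Issue the nonce for a 401 Unauthorized; 128 bits from the OS CSPRNG."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = self._now()
        return nonce

    def verify(self, username: str, method: str, uri: str,
               nonce: str, response: str) -> bool:
        issued = self._nonces.get(nonce)
        if issued is None or nonce in self._used:
            return False                # unknown nonce, or a replayed one
        if self._now() - issued > self.nonce_ttl:
            del self._nonces[nonce]
            return False                # stale nonce: client must re-challenge
        ha1 = self._ha1.get(username)
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{ha1}:{nonce}:{ha2}")
        ok = hmac.compare_digest(expected, response)
        if ok:
            self._used.add(nonce)       # one successful use per nonce
        return ok


if __name__ == "__main__":
    registrar = DigestVerifier("example.com")
    registrar.enroll("alice", "correct horse battery staple")
    nonce = registrar.challenge()
    resp = digest_response("alice", "example.com", "correct horse battery staple",
                           "REGISTER", "sip:example.com", nonce)
    print("first use:", registrar.verify("alice", "REGISTER", "sip:example.com", nonce, resp))
    print("replay:   ", registrar.verify("alice", "REGISTER", "sip:example.com", nonce, resp))
```

Nothing in the exchange is encrypted: the nonce and the response travel in clear, and the response is a deterministic function of the password, which is exactly why the slide's warning about short or weak passwords applies, and why SIP over TLS is recommended alongside Digest rather than instead of it.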

Page 39: Voip security

Security Solution in VoIP(cont.)

S/MIME (Secure/Multipurpose Internet Mail Extensions): MIME bodies are inserted into SIP messages. S/MIME defines mechanisms for integrity protection and encryption of the MIME contents.

SIP can use S/MIME to enable mechanisms like public key distribution, authentication and integrity protection, and confidentiality of SIP signaling data. S/MIME relies heavily on certification of the end user.

Moreover, self-certification is vulnerable to man-in-the-middle attacks, so certificates from either known public certification authorities (CAs) or private CAs should be used; this seriously limits the S/MIME mechanism.

Page 40: Voip security

Security Solution in VoIP(cont.)

Firewall

Firewalls are usually used to protect a trusted network from an untrusted network. Firewalls usually work at the IP and TCP/UDP layers; they determine which types of traffic are allowed and which systems are allowed to communicate. A firewall does not monitor the application layer. Since SIP needs to open ports dynamically, this increases the complexity of the firewall, as it must open and close ports dynamically.

Page 41: Voip security

Security Solution in VoIP(cont.)

Some other ways to protect:

- To prevent message alteration, establish a secured communication channel between the communicating parties.
- To prevent media alteration and degradation, use the SRTP protocol.
- Use secured devices for communication and switching of voice as well as data.
- Use strong authentication and passwords at the device level.
- Change default passwords and enable SIP authentication.
- Use devices which support SRTP cipher techniques.

Page 42: Voip security

Security Solution in VoIP(cont.)

- Use VLANs with 802.1X in the network to split data and voice traffic.
- Disable Telnet in the phone configuration; allow access only to administrators.
- To avoid message tampering and voice pharming attacks, encrypt transmitted data using encryption mechanisms like IPsec, TLS and S/MIME.

Page 43: Voip security

Security Solution in VoIP(cont.)

For a secure session in VoIP we should take the following measures:

- Use and maintain anti-virus and anti-spyware programs.
- Do not open unknown mail attachments from unknown or fake IDs.
- Verify the authenticity and security of downloaded files and new software.
- Configure your web browser(s) properly by enabling/disabling the necessary cookies.
- Activate firewall sessions in your network and always store your backups securely.
- Create strong passwords, change them regularly and do not disclose them publicly.

Page 44: Voip security

Conclusion

A VoIP system is lower in cost and needs less configuration than the PSTN network. VoIP is an emerging technology and contains some loopholes, so some attacks are possible against it. As VoIP will replace the PSTN system in future, it needs better security. Using secure protocols like SRTP and advanced encryption standards, firewalls and end-to-end encryption, we can make it secure.

Page 45: Voip security

References

- Cisco, "Overview of the Session Initiation Protocol", September 2002.
- David Gurle, Olivier Hersent, "Media Gateway to Media Controller Protocols", August 2003.
- Rohit Dhamankar, "Intrusion Prevention: The Future of VoIP Security", white paper, 2010.
- T. Porter, "Threats to VoIP Communication Systems", in Syngress Force Emerging Threat Analysis, pp. 3-25, 2006.
- Mark Collier (Chief Technology Officer, SecureLogix Corporation), "Basic Vulnerability Issues for SIP Security", 1 March 2005.
- "VoIP Security and Privacy Threat Taxonomy", Public Release 1.0, 24 October 2005 (accessed 29 Jan 2012).

Page 46: Voip security

THANK YOU…!!!

