
Risks in the Enterprise Deconstructed conclusion
Written by Jacek Materna   
Monday, 21 April 2008

Risk G - Don't trust those you don't know

In today's enterprise, physical locality is passé. The location of a person has become rather transparent. We no longer care where we connect from; what matters is that we need access, and we get it over IP. The majority of remote users connect over a secure pipe such as a VPN, creating a tunnel that allows their endpoint to suddenly "belong" to, or be located inside, the enterprise. I always think of it as a wormhole into a distant place, a place that is normally fortified by layer upon layer of defenses to prevent public access. What I find most interesting in particular is the use of these wormholes to allow remote users to connect their VoIP softphone to the enterprise from any location on the planet and place calls via a company PBX. Let's hope that everything coming through this wormhole is checked and checked again for potential risks.

One might ask: is it feasible that an attacker would gain proper credentials to an enterprise VPN, let alone have access to a softphone with valid credentials? Of course it is. In today's world of "everything requires a password and username", many users could adopt the myname/myname1 username and password combo when logging into a VPN. A clever enough attacker could exploit this fact. Now how about the softphone itself? Let's just say that the majority of softphones deployed today from the leading vendors have major issues related to actually securing legitimate access to a PBX - there are many ways around them.
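The myname/myname1 pattern described above can be refused at the moment a VPN or softphone password is set. This is an added example, not part of the original article; the function names, the substitution table and the sample accounts in the test are assumptions constructed for illustration.

```python
import re

# Character substitutions undone before comparison (an assumed, partial list).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})
_SEP = r"[._\-\s]+"


def _tokens(username):
    """Account name, its separator-free form, and its parts (pat.jones -> pat, jones)."""
    local = username.lower().split("@")[0].split("\\")[-1]  # drop mail domain / DOMAIN\ prefix
    parts = [p for p in re.split(_SEP, local) if len(p) >= 3]
    return {t for t in (local, re.sub(_SEP, "", local), *parts) if t}


def _variants(password):
    """Forms of the password with decoration removed, substitutions undone, and reversed."""
    p = password.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", p)  # strip leading/trailing digits and symbols
    forms = {p, core, p.translate(_LEET), core.translate(_LEET)}
    return forms | {f[::-1] for f in forms}


def username_derived(username, password):
    """True when the password is the account name in light disguise.

    Meant to run where the new password is available in clear text
    (the password-change handler), never against stored credentials.
    """
    tokens = _tokens(username)
    for form in _variants(password):
        for tok in tokens:
            # Exact match for any token; substring match only for tokens
            # long enough that a coincidental hit is unlikely.
            if form == tok or (len(tok) >= 4 and tok in form):
                return True
    return False
```

A check like this only removes the weakest choices; it complements, and does not replace, the secondary authentication recommended below.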

Possible Remedies

  • Introduce an application-layer, VoIP-aware firewall, SBC or Voice IPS with an updateable database of signatures that can protect against application-layer attacks specific to the VoIP protocol traveling via the VPN into your enterprise network.
  • Use secondary authentication methods with the VPN; username/passwords are not recommended anymore.
  • Segment traffic coming from remote users into self-contained VLANs. Although this approach can be hacked, an attacker needs to be clever and have the right conditions, so it is still suggested.

Feasibility Analysis

  • The feasibility of the above point is directly related to how paranoid you, or your security entourage, are. While the likelihood of an attack taking place on your voicemail cluster via some unknown vulnerability at the call server is small, remember it takes only one incident. Again, back to my point that a good VoIP security strategy is only as strong as its weakest link.
  • New crypto-cards and retina scanners might sound paranoid, but given today's price points they could be interesting possibilities to research.
  • VLAN management is a de facto standard on almost all network appliances relating to traffic. Use it.
 
Risk H - VoWifi

Imagine a scenario. You have your enterprise PBX deployed, serving staff and trunking out to the public world. You have VPNs set up that enable your mobile users to quickly connect and use the local PBX to place calls as if they were physically present there. Now imagine everyone with an iPhone, Blackberry or BlackJack having the ability to seamlessly switch from their GSM or 3G tower to your local PBX when entering the building. These users are the ultimate mobile user, and the ultimate risk. These devices are coming and their adoption rate is growing exponentially. Do not be surprised to see dual-mode Wifi phones becoming standard from all providers within the next few years.

From the security perspective, how best to deal with these new threats? These supposedly small and smart devices that are suddenly let into your network could introduce an entirely new attack vector. Before you allow Wifi users to connect to your PBX you must lock down everything, and I mean everything, from connection time to IP addressing time to call server authentication time. If done properly, even today's systems allow you to lower the security risk of provisioning VoWifi to levels equivalent to having IP phones in your office over a hard-line.

Possible Remedies

  • Introduce 802.1x, which forces endpoints to authenticate via EAP before joining the network. Without the proper credentials, an attacker's packets would not go very far.
  • First point from above (Risk G).
  • Introduce a Network Access Control (NAC) system that is dual-mode, allowing for pre-admission and post-admission protection.

Feasibility Analysis

  • 802.1x can be found across a variety of vendor offerings. I suggest you look into it as the price points today are excellent.
  • The feasibility of deploying a dedicated security appliance is directly related to how paranoid you, or your security entourage, are. While the likelihood of an attack taking place on your voicemail cluster via some unknown vulnerability at the call server is small, remember it takes only one incident. Again, back to my point that a good VoIP security strategy is only as strong as its weakest link.
  • Not many vendors offer VoIP-aware NACs, so I would be wary of deploying anything out there, as it would provide very limited, if not negligible, security protection against VoIP threats - they are coming, however.

Feel free to contact me, and stay tuned for more from the BleedingVoIP Security Series.

This article is subject to copyrights against its respective writer. Feel free to contact them if you wish to use the article in some intermediate form.
