By: Juan Oliva
Editor: Paul Estrella
Translation: Elvita Crespo

Security in
Voice Over IP Implementations

Challenges and opportunities for Open Source solutions

The current availability of Voice over IP (VoIP) solutions has allowed thousands of
companies worldwide to adopt this technology. As the main tool in "unified
communications" environments, it has allowed telephony to be integrated with data
processing systems and, through that, with a universe of applications that have
combined, extended, or created new functionality.
Many existing standards have made this convergence possible, with a dramatic impact
on availability and cost reduction. However, because VoIP is a digital technology
built on the IP protocol, it is exposed to the same vulnerabilities found in any
network environment.
Today there is little awareness of, and little documentation about, existing and
emerging security issues, which contrasts sharply with the economic losses a business
is exposed to in an implementation of this type.
For this reason, it is necessary to set up the right security for the selected
platform and its environment: there is usually more than one point or vector of
attack, and the VoIP platform is not the only software service in a company.
It is important to have a general overview, to acquire knowledge and, above all, to
know all the elements that interact with the platform. Not only the hardware and
software elements, but also the people: network administrators, integrators and
specialists, since they are the ones who implement and maintain the security rules
at different levels.
This document provides an overall picture of the guidelines and considerations that
should be taken into account in order to secure VoIP platforms.

Copyright 2014 Elastix

WWW.ELASTIX.ORG

Current state of security in VoIP systems

Some threats are not very different from those that already exist in a data
network, such as SQL injection at the level of web applications, denial of service
(DoS) against services like RDP or HTTP, session theft, or password cracking1 against
SSH and web systems.
A number of these services are now part of a Voice over IP platform, so the platform
inherits this kind of problem; we could also say that they "increase the interest of
an attacker". We are not just talking about getting access to a database or server,
but about the possibility of making a large number of phone calls that could
translate into thousands of dollars.
However, if we refer exclusively to Voice over IP, we find that SIP is the signaling
protocol most widely accepted in the industry, and it is the one against which we
can point out some potential threats.

Eavesdropping

This is a technique used to capture calls. It is plainly related to espionage, and
it is usually a side effect of an attack known as "Man-in-the-middle": if that
attack is successful, it is possible to capture communications.
On a local network this is based on what is known as ARP table poisoning, which
consists of sending fake ARP messages in order to associate the attacker's MAC
address with the IP address of the attacked target, posing as, for example, the
router or the PBX.
Once achieved, it is possible to capture not only conversations carried over the RTP
protocol, but also any other information passing through services that are not
encrypted.
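As an added example, which is not part of the original paper nor Elastix code, the following Python script shows the kind of check that catches the ARP poisoning described above: it parses raw Ethernet/ARP frames and compares the sender's MAC/IP pair against a hand-configured table of trusted bindings for the router and the PBX, and against bindings already learned on the wire. The frames, the addresses, the `ArpWatch` class and its thresholds are all constructed for this illustration.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(octet) for octet in s.split("."))


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet/ARP frame. Used here only to construct sample input."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)       # Ethernet / IPv4
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpWatch:
    """Flags ARP frames whose sender binding contradicts a trusted table (router, PBX)
    or a binding already learned on the wire. Requests are inspected as well as
    replies, because a forged request also updates the victim's ARP cache."""

    def __init__(self, trusted):
        self.trusted = dict(trusted)   # ip -> mac, configured by hand
        self.learned = {}              # ip -> mac, seen on the wire

    def inspect(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        _opcode, mac, ip = parsed
        expected = self.trusted.get(ip)
        if expected is not None and mac != expected:
            return f"ALERT {ip} claimed by {mac}, trusted binding is {expected} (ARP poisoning?)"
        previous = self.learned.get(ip)
        self.learned[ip] = mac
        if previous is not None and previous != mac:
            return f"WARN {ip} moved from {previous} to {mac}"
        return None


# Constructed sample traffic (placeholder addresses, not a real capture)
PBX_IP, PBX_MAC = "192.168.1.10", "00:11:22:33:44:55"
GW_IP, GW_MAC = "192.168.1.1", "00:aa:bb:cc:dd:ee"
PHONE_IP, PHONE_MAC = "192.168.1.50", "00:50:50:50:50:50"
ATTACKER_MAC = "de:ad:be:ef:00:01"

SAMPLE_FRAMES = [
    build_arp(ARP_REPLY, PBX_MAC, PBX_IP, PHONE_MAC, PHONE_IP),        # genuine PBX reply
    build_arp(ARP_REQUEST, PHONE_MAC, PHONE_IP, GW_MAC, GW_IP),        # genuine phone request
    build_arp(ARP_REPLY, ATTACKER_MAC, PBX_IP, PHONE_MAC, PHONE_IP),   # attacker poses as PBX
    build_arp(ARP_REPLY, ATTACKER_MAC, GW_IP, PHONE_MAC, PHONE_IP),    # attacker poses as router
    build_arp(ARP_REPLY, PHONE_MAC, PHONE_IP, GW_MAC, GW_IP),          # genuine phone reply
    build_arp(ARP_REQUEST, ATTACKER_MAC, PHONE_IP, PBX_MAC, PBX_IP),   # attacker poses as phone
]


def run_sample():
    """Feed the constructed frames to ArpWatch and return the findings."""
    watch = ArpWatch({PBX_IP: PBX_MAC, GW_IP: GW_MAC})
    return [finding for finding in map(watch.inspect, SAMPLE_FRAMES) if finding]


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a real network the frames would come from a raw socket or a capture library instead of `SAMPLE_FRAMES`; the trusted table is the important part, because the PBX and the default gateway are exactly the addresses an attacker impersonates to sit between a phone and the rest of the network.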

Denial of Service (DoS) attacks in VoIP


These are usually scripts whose objective is to generate packet flooding. From this
perspective, there are two types of this attack:
One uses the so-called SIP methods. The most common is the INVITE FLOOD, which
generates so many requests to the VoIP platform that the system eventually ends up
serving only the attacker. Valid users can no longer use the service, and the
system consumes excessive processing and memory.
The other produces an Internet bandwidth flood, better known as a UDP FLOOD. It
also generates a very large number of packets, but with the goal of consuming all
the bandwidth contracted by the victim. It is particularly aimed at operators or
companies that sell voice traffic.
These attacks are difficult to handle, since perimeter security devices such as
firewalls, UTMs (Unified Threat Management) or IPSs (Intrusion Prevention Systems)
cannot repel them with traditional blocking; on the contrary, specialized equipment
is needed to divert the traffic away from the victim.

1 A process that attempts to guess users' passwords.


SIP brute force attack


This is the most common attack carried out against VoIP platforms. It consists of
guessing the passwords of the SIP entities (extensions or peers) created on the
server. Once the credentials are stolen, the attacker can authenticate against the
VoIP server or platform and generate calls.
Password guessing is performed by tools that automate the process. One example is
the SIPVicious suite, which first runs a process known as entity enumeration
(discovering which extensions exist on the server), and then runs the password
cracking process using dictionaries stored in plain-text files. This kind of attack
is very similar to the one performed against the SSH service.
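As an added example that is not part of the original document, the following Python code shows the detection side of this attack: it reads Asterisk log lines, extracts the source address of each failed SIP registration, and bans a source that fails `maxretry` times inside a `findtime` window, which is the same logic a Fail2ban jail applies with its Asterisk filter. The log lines are constructed for this illustration in the shape chan_sip writes them (`Registration from '<user>' failed for '<ip>:<port>' - <reason>`); the threshold values, the class and helper names are assumptions made for this example, not Elastix or Fail2ban code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the chan_sip NOTICE written for a failed REGISTER (wrong password, unknown peer)
FAILED_REGISTRATION = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.+)$"
)


def parse_failure(line):
    """Return (timestamp, source_ip, reason) for a failed-registration line, else None."""
    m = FAILED_REGISTRATION.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip"), m.group("reason")


class SipBruteForceDetector:
    """Sliding-window counter per source IP, in the spirit of a Fail2ban jail:
    maxretry failures within findtime seconds => ban the source for bantime seconds."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.banned = {}                     # ip -> ban expiry

    def feed(self, line):
        """Process one log line; return the firewall command for a new ban, else None."""
        parsed = parse_failure(line)
        if parsed is None:
            return None
        ts, ip, _reason = parsed
        expiry = self.banned.get(ip)
        if expiry is not None:
            if ts < expiry:
                return None          # already banned; nothing new to do
            del self.banned[ip]      # ban expired, start counting again
        window = self.failures[ip]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > self.findtime:
            window.popleft()         # drop failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[ip] = ts + timedelta(seconds=self.bantime)
            window.clear()
            # Returned, not executed: the caller decides how to apply it
            return f"iptables -I INPUT -s {ip} -j DROP"
        return None


def _line(ts, ext, ip, reason):
    """Build a constructed chan_sip-style log line (sample data, not a real capture)."""
    return (f"[{ts}] NOTICE[2210] chan_sip.c: Registration from '\"{ext}\" <sip:{ext}@192.168.1.10>'"
            f" failed for '{ip}:5060' - {reason}")


SAMPLE_LOG = (
    # a slow guesser: 5 failures spread over 20 minutes (never 5 inside 600 s)
    [_line(f"2014-03-10 10:{m:02d}:00", 300, "198.51.100.7", "Wrong password") for m in (0, 5, 10, 15)]
    # an enumeration/cracking run: 6 failures against 6 extensions in 6 seconds
    + [_line(f"2014-03-10 10:15:{s:02d}", 100 + i, "203.0.113.5",
             "No matching peer found" if i % 2 else "Wrong password") for i, s in enumerate(range(1, 7))]
    # a local user mistyping a password twice, then the slow guesser again, then noise
    + [_line("2014-03-10 10:16:00", 200, "192.168.1.50", "Wrong password"),
       _line("2014-03-10 10:16:30", 200, "192.168.1.50", "Wrong password"),
       _line("2014-03-10 10:20:00", 300, "198.51.100.7", "Wrong password"),
       "[2014-03-10 10:21:00] VERBOSE[2210] chan_sip.c: Really destroying SIP dialog 'SIP/200-00000001'"]
)


def run_sample(maxretry=5, findtime=600):
    """Run the detector over SAMPLE_LOG and return the ban commands it produced."""
    detector = SipBruteForceDetector(maxretry=maxretry, findtime=findtime)
    return [cmd for cmd in map(detector.feed, SAMPLE_LOG) if cmd]


if __name__ == "__main__":
    for cmd in run_sample():
        print(cmd)
```

With the default window only the fast run from 203.0.113.5 is banned; widening `findtime` to 1200 seconds also catches the slow guesser from 198.51.100.7 at the cost of more false positives from users who mistype. In production use Fail2ban's own asterisk filter rather than this single regex, since Asterisk emits several message variants (and, from 1.8 on, a dedicated security log channel) that this example does not cover.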

VoIP Spam (SPIT - Spam over Internet Telephony)


This is not a vulnerability in itself, but rather a privacy intrusion: receiving
unsolicited calls trying to sell a product, as has been happening for many years
with email. It is one of the most common uses of automatic dialers.

Caller ID Spoofing
It is the ability to modify the Caller ID to impersonate an individual or a company,
such as a bank. In the past, such attacks required a rather complex and expensive
telephony infrastructure. Today that is no longer the case, since the vast majority
of VoIP platforms allow this field to be overwritten.

Security in proprietary solutions


Proprietary solutions offer a wide range of products for every need, which often
set trends in technology and services in the market and later become customer
needs.
The reality is that many of these solutions are delivered as black boxes to the
customer or the certified integrator. This responds to a "solution control policy":
the less you can see inside, the less chance there is of finding vulnerabilities or
security flaws (in other words, security through obscurity).
However, in this market nobody is free of flaws; even the best safes can present
problems. In proprietary Voice over IP platforms you may find buffer overflow
vulnerabilities (poor control of data copied into memory), remote command execution,
and denial of service, and these faults are more common than you might imagine.

To "discover" these flaws, simply look at sites like exploit-db
(http://www.exploit-db.com) or Packet Storm (http://packetstormsecurity.com) and
search for some of the most representative brands. On that basis, nobody can sell
any solution as the safest one.
An important topic is remediation, which is usually much more expensive with
proprietary solutions. In the simplest case the fix is delivered only as a firmware
update, which may require an investment at the license level. The other side of the
coin is even more complex and involves a complete change of equipment. In that case
we may face the dilemma of buying the box again or staying vulnerable.

Security in Open Source solutions: opportunities


Open Source solutions are not free of security reports either. The advantage is
that, on one hand, there are companies behind the development and, on the other,
there are supporting developer communities.
It is important to mention here that, unlike proprietary solutions, where 90% of the
development, review, and correction is performed in-house, Open Source
distributions have a significant number of people in different parts of the world,
working in different environments, who add to the work of the main developer. This
allows these solutions to evolve at a faster rate, including improvements and fixes.
Several open source solutions have benefited from this situation, and they have now
become benchmarks in certain sectors of the software industry and clear competitors
in others. It is not surprising that over 90% of the supercomputers in the world run
Linux. Solutions such as Asterisk, Drupal, Firefox, Zimbra, Endian and Zentyal are a
clear example that this business model works and is sustainable.
Another important point about Open Source solutions is that they are under the
scrutiny of independent developers, their community, and the general public, so
that hidden software intended for data collection, or for any purpose other than the
one promoted by the lead developer, gets detected.

Elastix as another tool of enterprise information systems


Elastix is an open source unified communications solution based on Linux and
Asterisk, with features that go beyond a conventional PBX. The platform contains
tools that provide unified messaging, virtual fax, and a corporate instant messaging
system, among others.
A unified communications system such as Elastix is not an isolated element in a
company, but part of its process flow, in such a way that it establishes an ideal
condition of convergence. A clear example is the development of systems for querying
data over a telephone line which, combined with text-to-speech engines, automate
service processes and make them more agile, thus optimizing resources.

Another important example is the ability for a customer to make a phone call and be
served automatically, just by clicking on the company website from a browser2. All
these elements provide added value, not only to the company but also to its
customers, who always expect an immediate response.

What does Elastix bring at the security level?


Elastix, starting from version 2.0, includes a security module, an important tool
that includes a complete firewall manager to configure ports and services.
For many, handling and managing the iptables firewall at the kernel level in
Linux-based distributions can be a headache, mainly because the tool provides so
many features. This module allows access ports to be administered in a friendlier
and more concrete way, especially in scenarios where we need to filter by source (for
the web interface, for example) or where we have to enable the SIP and RTP ports and
deny everything else.


The module also allows "auditing", which shows all failed and allowed accesses to
the management interface; this is useful for keeping track of access.
Another feature, called weak keys, walks through the passwords of all configured
extensions and verifies whether they meet a strong password policy.
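As an added example, and not the code or policy of Elastix's own weak keys feature, the following Python script applies a strong-password policy to the `secret` of every peer in a sip.conf-style file and reports the extensions that fail it. The configuration text, the policy thresholds, the short list of common secrets and the function names are constructed for this illustration; Elastix keeps its extensions in a database rather than in a text file, so in a real deployment the same `check_secret` would be run over that table.

```python
import configparser
import string

# Policy thresholds and the short denylist are assumptions made for this example
MIN_LENGTH = 10
MIN_CLASSES = 3
COMMON_SECRETS = {"password", "secret", "asterisk", "elastix", "1234", "12345678"}
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)

# Constructed sip.conf fragment (sample data, not a real configuration)
SAMPLE_SIP_CONF = """\
[general]
context=default
alwaysauthreject=yes

[100]
type=friend
secret=100
host=dynamic

[101]
type=friend
secret=password
host=dynamic

[102]
type=friend
secret=1234567890
host=dynamic

[103]
type=friend
secret=Fj7!q2Lp9vXa
host=dynamic

[104]
type=friend
secret=ext104abc
host=dynamic
"""


def load_peers(conf_text):
    """Parse sip.conf-style text into {section: {option: value}}, skipping [general].
    Asterisk template syntax such as [100](tpl) is not handled by configparser."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return {name: dict(parser[name]) for name in parser.sections() if name != "general"}


def check_secret(ext, secret):
    """Return the list of policy violations for one extension's secret (empty if strong)."""
    if not secret:
        return ["no secret configured"]
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if secret.lower() in COMMON_SECRETS:
        reasons.append("common dictionary secret")
    if ext in secret:
        reasons.append("contains the extension number")
    classes = sum(1 for cls in CHARACTER_CLASSES if any(c in cls for c in secret))
    if classes < MIN_CLASSES:
        reasons.append(f"fewer than {MIN_CLASSES} character classes")
    return reasons


def audit(conf_text):
    """Return {extension: [violations]} for every peer that fails the policy."""
    report = {}
    for ext, options in load_peers(conf_text).items():
        reasons = check_secret(ext, options.get("secret", ""))
        if reasons:
            report[ext] = reasons
    return report


if __name__ == "__main__":
    for ext, reasons in audit(SAMPLE_SIP_CONF).items():
        print(f"extension {ext}: " + "; ".join(reasons))
```

The "secret equals the extension number" and "digits only" cases are the ones worth watching: they are exactly what the dictionaries used against SIP registrations try first, and they are the defaults many installers leave behind.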

2 A process that combines several technologies, including WebRTC, VoIP and a VoIP distribution.


How to complement security?


Infrastructure, training, best practices
Implementing security in VoIP platforms often raises complex questions, because in
reality it all depends on the accessibility and services we need to incorporate.
Some scenarios include:
- Elastix connected to the PSTN3, local extensions and remote administration.
- Elastix connected to the PSTN, local extensions, remote administration, and a VoIP4
provider for outbound calls.
- Elastix connected to the PSTN, local extensions, remote administration, a VoIP
provider for outbound calls, and inbound calls with DID.
- Elastix connected to the PSTN, local extensions, remote administration, a VoIP
provider for outbound calls, inbound calls with DID, and remote extensions.

[Figure: IP PBX connected to the PSTN, serving local IP phones and softphones as well as remote extensions; the IP PBX provides VoIP extensions, Internet services, IVRs and scalability]

These scenarios are not unique, and easy access to technology makes them
increasingly complex. However, there are currently tools and infrastructure models
that can be implemented to provide assurance.
A significant challenge is the positioning of a perimeter firewall, especially when
it is not managed by the customer. Let us make it clear from the start: it is not
impossible to run Elastix properly behind a firewall, but a great deal of
coordination and tuning is necessary.
More importantly, the firewall should not be considered an element that guarantees
100% security. That would be a big mistake. You need to go much further than that,
and one of the options available is to implement software that reacts to attacks
proactively from the start.
Two solutions that work quite well are Fail2ban and Snort; it is advisable to
consider them at the design stage of the implementation.

3 Public Switched Telephone Network
4 Voice over IP


Responsibilities
Establishing obligations is a very delicate matter, as there are different people
involved in the implementation process and, particularly, in the maintenance of the
platform. Each of them requires coordination and clearly established roles and
responsibilities.
Two basic roles in an implementation are:
Integrator or Specialist Role
This is the professional who provides the solution and performs the deployment after
a proper analysis, which should be done together with the customer.
Some of their responsibilities are:
- Identifying customer needs.
- Establishing the proper platform positioning based on the requirements.
- Implementing the functionality requested by the customer.
- Knowing the risks inherent to the platform.
Customer Role
This is probably the most important role, since this is the person who will
ultimately maintain the system and, even more, the one who sets the initial
requirement, chooses the supplier, sets the budget for the implementation, and
makes the decisions prior to implementation.
In an ideal scenario this role includes the company CEO, the IT5 manager and the
systems administrator. They should have sufficient knowledge to keep the platform
operating.
Some of their responsibilities are:
- Knowing the internal (LAN) and external (Internet) risks.
- Keeping passwords secure.
- Establishing security as a priority over flexibility.
- Consulting a specialized company, whether through a support contract or for
specific services.
- Requesting the telephony carrier to set outbound limits to the PSTN.
- Training their technical staff in the implemented solutions.
- Frequently training their technical staff in security topics.

5 Information Technology


Future Challenges
The challenges ahead lie on the side of mobility and easy access to resources.
Companies and end users are increasingly involved with user-friendly tools, such as
Hangouts or Skype.
But underneath all of this there is always the question: how do we solve the
security problem?
A simple answer would be "come up with security mechanisms for each scenario."
An important example is communication security, meaning remote links and
connections between branches, which should aim at hindering access to voice packets
and preventing illegal sniffing. Tools such as TLS (Transport Layer Security), which
protects the SIP signaling, and SRTP (Secure Real-time Transport Protocol), which
protects the RTP media, though they sound very complex, are standard protocols
supported in Elastix. Note that both are needed: TLS alone leaves the audio in the
clear, and SRTP alone leaves the call setup readable, including the SRTP keys that
Asterisk exchanges in the SDP (SDES). Their successful implementation can ensure the
confidentiality of communications in environments where minimizing this risk is a
top priority.
[Figure: TLS/SRTP-protected call between USER A and USER B]
Another example relates to collaborative environments such as telework, where
remote extensions are a key necessity. For this case, the implementation of virtual
private networks (VPNs) provides a lot of flexibility, since there is currently a
wide range of computers, laptops, phone handsets and mobile devices available that
incorporate VPN client software.
This solution not only allows us to connect securely to our private network but, in
the case of VoIP implementations, also eliminates the issues associated with NAT
traversal.

[Figure: remote IP phones reaching the PBX through VPN tunnels]


About Author
Juan Oliva Cordova
@jroliva
http://jroliva.wordpress.com/
Computer security and IP telephony consultant with over 10 years of experience in
the field. He is heavily involved in projects regarding penetration testing,
vulnerability analysis and exploitation, among other computer security tasks. He
also implements and secures IP telephony platforms based on Elastix, call center,
cloud solutions and hosted PBX projects.

Part of the challenge also includes expanding security measures in parallel with
the release and development of software and hardware solutions. Technology has
advanced so fast that implementation needs at the infrastructure and knowledge
level have not been adequately conveyed. It is becoming indispensable to have a
suitable technology adviser, either in-house or from expert companies.
This allows an organization to focus on its core business, which in most cases is
not technology, but rather using it to achieve goals.
Undoubtedly, ongoing training is vital. Today the professional has more
responsibility, and it is clear that having skills or knowledge in security is an
added value that makes a significant difference when performing a deployment.
The Elastix team, for example, is well aware of this need, which is why it has
designed a security course as part of its training program. The objective is to
complement, since best practices are communicated from the moment the platform is
installed.

Conclusions
It is clear that, along with technological advances, vulnerabilities will continue
to appear. However, essential protection mechanisms are developed as well; the
challenge will always lie in knowledge, analysis and application, so that we can
determine a solution for every need.
