Security in Voice Over IP Implementations
By: Juan Oliva
Editor: Paul Estrella
Translation: Elvita Crespo
The current availability of Voice over IP (VoIP) solutions has allowed thousands of
companies worldwide to adopt this technology. As the main tool in "unified
communications" environments, it has allowed telephony to be integrated with data
processing systems and, through that, with a universe of applications that have
combined, extended, or created new functionality.
Many existing standards have enabled this convergence, with a dramatic impact on
availability and cost reduction. However, VoIP is a digital technology built on the IP
protocol, so it is not exempt from the vulnerabilities found in any network environment.
Today there is little awareness of, and little documentation about, existing and
emerging security issues, which contrasts sharply with the economic losses to which a
business is exposed in an implementation of this type.
For this reason, it is necessary to configure the right security for the chosen platform
and its environment: there is usually more than one point or vector of attack, and the
VoIP platform is not the only software service in a company.
It is important to have a general overview, to acquire knowledge and, above all, to know
every element that interacts with the platform. Not only the hardware and software, but
also the people: network administrators, integrators and specialists, since they are the
ones who implement and maintain the security rules at different levels.
This document provides an overall picture of the guidelines and considerations that
should be taken into account in order to secure VoIP platforms.
WWW.ELASTIX.ORG
Current state of security in VoIP systems
Some threats are not very different from those that already exist in a data network,
such as SQL injection at the level of web applications, denial of service (DoS) against
services like RDP or HTTP, session theft, or password cracking against SSH and web
systems.
A number of these services are now part of a Voice over IP platform, so the platform
simply inherits this kind of problem or, we could say, "increases the interest of an
attacker". We are not just talking about gaining access to a database or a server, but
about the possibility of placing a fair amount of phone calls that could translate into
thousands of dollars.
However, if we refer exclusively to Voice over IP, SIP is the signaling protocol that
has been most widely accepted in the industry, and it is the one against which we can
point out some potential threats.
Eavesdropping
This is a technique used to capture calls. It is more related to espionage, and it is a
collateral effect of an attack known as "man-in-the-middle": if the attack succeeds, it
is possible to capture communications.
It is based on what is known as ARP table poisoning, which consists of sending fake ARP
messages in order to associate the attacker's MAC address with the IP address of the
attacked target, posing as, for example, a router or the PBX.
Once achieved, it is possible to capture not only conversations carried over the RTP
protocol, but also any other information passing through services that are not
encrypted.
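The following is an added example, not code from the paper or from the Elastix project. It shows the detection side of the ARP poisoning described above: raw Ethernet/ARP frames are parsed and an alert is raised when an IP address (here the PBX) suddenly claims a different MAC. The frames, addresses and the `trusted` seed table are constructed for the example; on a real host the frames would come from a raw socket or a capture tool, which is outside this snippet.

```python
"""Detect ARP cache poisoning from raw ARP reply frames.

Added example, not part of the original Elastix paper. It parses
Ethernet/ARP frames (constructed below) and flags an IP address that
suddenly claims a different MAC, which is how a man-in-the-middle
places itself between a phone and the PBX or the router.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def parse_arp(frame):
    """Return (sender_ip, sender_mac, opcode) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    # ARP header: htype, ptype, hlen, plen, oper, then sha(6) spa(4) tha(6) tpa(4)
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha = frame[22:28]
    spa = frame[28:32]
    mac = ":".join(f"{b:02x}" for b in sha)
    ip = ".".join(str(b) for b in spa)
    return ip, mac, oper


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP reply frame (sample input for the example)."""
    def mac_bytes(m): return bytes(int(x, 16) for x in m.split(":"))
    def ip_bytes(a): return bytes(int(x) for x in a.split("."))
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def detect_poisoning(frames, trusted=None):
    """Scan frames; return a list of (ip, old_mac, new_mac) conflicts.

    `trusted` optionally seeds the table with known IP->MAC bindings
    (for example the PBX and the default gateway) so the first spoofed
    reply is caught even if it arrives before a legitimate one.
    """
    table = dict(trusted or {})
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        ip, mac, oper = parsed
        if oper != ARP_REPLY:
            continue
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append((ip, known, mac))
    return alerts


# Constructed addresses; assumed for the example only.
PBX_IP, PBX_MAC = "192.168.1.10", "00:11:22:33:44:55"
ATTACKER_MAC = "de:ad:be:ef:00:01"
PHONE_IP, PHONE_MAC = "192.168.1.50", "00:aa:bb:cc:dd:ee"

SAMPLE_FRAMES = [
    build_arp_reply(PBX_MAC, PBX_IP, PHONE_MAC, PHONE_IP),       # legitimate reply
    build_arp_reply(ATTACKER_MAC, PBX_IP, PHONE_MAC, PHONE_IP),  # poisoned reply
]

if __name__ == "__main__":
    for ip, old, new in detect_poisoning(SAMPLE_FRAMES):
        print(f"ALERT: {ip} moved from {old} to {new}")
```

A legitimate NIC replacement also changes the MAC for an IP, so the alert is a signal to investigate rather than proof of an attack. The mitigations that remove the problem rather than detect it are static ARP entries for the gateway and PBX on the phones (and vice versa), or dynamic ARP inspection on the access switches.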
[Figure: UDP packets]
Denial of service attacks against a VoIP platform take two forms.
One uses the so-called SIP methods. The most common is called INVITE FLOOD, which
generates so many requests to the VoIP platform that the system eventually ends up
serving the attacker only. Valid users can no longer use the service, in addition to the
excessive processing and memory usage generated on the system.
The other floods the Internet bandwidth and is better known as UDP FLOOD. It also
generates a large number of packets, but with the goal of consuming all the bandwidth
contracted by the victim. It is particularly aimed at operators or companies that sell
voice traffic.
These types of attacks are difficult to handle, since perimeter security devices such as
firewalls, UTMs (Unified Threat Management) or IPSs (Intrusion Prevention Systems)
cannot repel them with traditional blocking; on the contrary, specialized equipment is
needed to divert them.
Caller ID Spoofing
This is the ability to modify the Caller ID to impersonate an individual or a company,
such as a bank. In the past, implementing such attacks required a rather complex and
expensive telephony infrastructure. Today that is no longer the case, since the vast
majority of VoIP platforms allow this field to be overwritten.
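The following added example (not code from the paper or the Elastix project) covers two of the SIP threats above in one place, since both start from parsing an INVITE: the INVITE FLOOD, detected as a per-source rate over a sliding window, and Caller ID spoofing, detected by comparing the number claimed in the From header with the extension the source actually authenticated as. The INVITE messages, the rate threshold and the source-to-extension mapping are all constructed assumptions.

```python
"""Two checks on incoming SIP INVITEs: flood rate and From-identity.

Added example, not code from the Elastix project. It parses constructed
SIP INVITE messages and (1) flags a source that exceeds an INVITE rate
per window, (2) flags an authenticated extension whose From header
claims a different number (caller ID spoofing). The thresholds and the
mapping of source IP to authenticated account are assumptions.
"""
import re
from collections import defaultdict, deque

INVITE_LIMIT = 5        # assumed: max INVITEs per source per window
WINDOW_SECONDS = 10.0   # assumed window length

FROM_RE = re.compile(r'<sip:([^@>]+)@')


def parse_sip(message):
    """Return (method, headers) from a raw SIP request; header names lower-cased."""
    head, _, _body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def from_user(headers):
    """Extract the user part of the From URI, or None if it cannot be parsed."""
    m = FROM_RE.search(headers.get("from", ""))
    return m.group(1) if m else None


class InviteMonitor:
    def __init__(self, accounts):
        # accounts: source IP -> extension that source authenticated as (assumed lookup)
        self.accounts = accounts
        self.history = defaultdict(deque)   # source IP -> timestamps of recent INVITEs

    def check(self, src_ip, ts, message):
        """Return a list of findings for one message; an empty list means clean."""
        findings = []
        method, headers = parse_sip(message)
        if method != "INVITE":
            return findings
        # Sliding window: keep only timestamps inside the last WINDOW_SECONDS.
        q = self.history[src_ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) > INVITE_LIMIT:
            findings.append(("invite-flood", src_ip, len(q)))
        # Identity check: the From user must match the authenticated extension.
        claimed = from_user(headers)
        account = self.accounts.get(src_ip)
        if account is not None and claimed != account:
            findings.append(("callerid-spoof", src_ip, f"{claimed} != {account}"))
        return findings


def make_invite(from_user_, to_user, call_id):
    """Constructed INVITE for the example (minimal header set, no SDP body)."""
    return (
        f"INVITE sip:{to_user}@pbx.example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK{call_id}\r\n"
        f"From: \"Bank\" <sip:{from_user_}@pbx.example.com>;tag=1\r\n"
        f"To: <sip:{to_user}@pbx.example.com>\r\n"
        f"Call-ID: {call_id}@192.0.2.1\r\n"
        f"CSeq: 1 INVITE\r\n"
        f"Content-Length: 0\r\n\r\n"
    )


def run_sample():
    """Feed constructed traffic through the monitor and return all findings."""
    mon = InviteMonitor({"192.168.1.50": "1001", "203.0.113.5": "1002"})
    findings = []
    # extension 1001 calling normally
    findings += mon.check("192.168.1.50", 0.0, make_invite("1001", "1002", "a1"))
    # the host authenticated as 1002 claims to be 1001 (spoofed From)
    findings += mon.check("203.0.113.5", 1.0, make_invite("1001", "1003", "b1"))
    # flood: 7 INVITEs in under 2 seconds from an unknown source
    for i in range(7):
        findings += mon.check("198.51.100.9", 2.0 + i * 0.25,
                              make_invite("9999", "1001", f"c{i}"))
    return findings


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The spoofing check is the detection form of the rule the PBX itself should enforce: outbound caller ID should be taken from the authenticated account's configured value, never from whatever the endpoint puts in From. The flood counter only identifies the offending source; as the text notes, a flood that saturates the link has to be dropped upstream, so the counter is most useful as input to a block list on a device that still has capacity.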
To "discover" such flaws, simply take a look at sites like exploit-db
(http://www.exploit-db.com) or Packet Storm (http://packetstormsecurity.com) and search
for some of the most representative brands. On that basis, no product can be sold as
the safest solution.
An important topic to mention is remediation, which is usually much more expensive. The
simplest case is that the fix is only delivered as a firmware update, which may involve
an investment at the license level. The other side of the coin is even more complex and
involves a complete change of equipment; in that case we may face the dilemma of buying
the box again or staying vulnerable.
Another important example is the ability for a customer to place a phone call and be
served automatically, just by clicking on the company website from a browser2. All these
elements provide added value, not only to the company but also to customers, who always
expect an immediate response.
The module also provides an "audit" view, which shows all failed and successful accesses
to the management interface, which is useful for keeping track of access.
Another feature, called weak keys, goes through the passwords of all configured
extensions and verifies whether they meet a strong password policy.
2 A process that combines several technologies, including WebRTC, VoIP and a VoIP distro.
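As an added example of the kind of check the "weak keys" feature performs (this is not the Elastix module's own code), the script below reads a constructed sip.conf-style peer list, the format Asterisk-based PBXs use with one [extension] section and a secret= line, and reports every secret that fails a simple policy. The policy thresholds, the list of common words and the sample configuration are assumptions.

```python
"""Audit SIP extension secrets the way a "weak keys" check would.

Added example, not the Elastix module itself. Parses a constructed
sip.conf-style peer list (one [extension] section with a secret= line)
and reports each secret that fails a simple strength policy.
Policy thresholds and the common-word list are assumptions.
"""
import re
import string

MIN_LENGTH = 12
COMMON = {"password", "1234", "12345678", "secret", "admin", "elastix"}

SECTION_RE = re.compile(r"^\[(\w+)\]")


def parse_peers(conf_text):
    """Return {extension: secret} from sip.conf-style text (skips [general])."""
    peers, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in sip.conf
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        key, _, value = line.partition("=")
        if key.strip() == "secret" and current and current != "general":
            peers[current] = value.strip()
    return peers


def weaknesses(extension, secret):
    """Return the list of policy failures for one secret (empty = acceptable)."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append("too-short")
    if secret == extension or extension in secret:
        problems.append("contains-extension")
    if secret.isdigit():
        problems.append("digits-only")
    if secret.lower() in COMMON:
        problems.append("common-word")
    # Count character classes present: lower, upper, digit, punctuation.
    classes = sum(any(c in group for c in secret) for group in
                  (string.ascii_lowercase, string.ascii_uppercase,
                   string.digits, string.punctuation))
    if classes < 3:
        problems.append("low-variety")
    return problems


def audit(conf_text):
    """Return {extension: [problems]} for every peer whose secret is weak."""
    return {ext: probs for ext, probs in
            ((ext, weaknesses(ext, sec)) for ext, sec in parse_peers(conf_text).items())
            if probs}


# Constructed sample configuration; not taken from any real system.
SAMPLE_CONF = """
[general]
context=default

[1001]
type=friend
secret=1001          ; extension number reused as the password
host=dynamic

[1002]
type=friend
secret=elastix
host=dynamic

[1003]
type=friend
secret=kX7#pq2Lw9!vRt
host=dynamic
"""

if __name__ == "__main__":
    for ext, probs in audit(SAMPLE_CONF).items():
        print(ext, ", ".join(probs))
```

The "extension number as secret" case is worth singling out: it is the pattern an attacker tries first when brute-forcing registrations, because the extension number is already known from the username. A weak-key audit is only useful if it is run again after every new extension is provisioned, not once at deployment.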
[Figure: remote extensions and the PSTN]
These scenarios are not unique, and easy access to technology makes them increasingly
complex. However, there are now tools and infrastructure models that can be implemented
to provide assurance.
A significant challenge is the positioning of a perimeter firewall, especially when the
customer is not the one managing it. Let it be clear from the start: it is not
impossible to run Elastix properly behind a firewall, but a great deal of coordination
and tuning is necessary.
More importantly, the firewall should not be considered an element that guarantees 100%
security. That would be a big mistake. You need to go much further, and one of the
available options is to implement software that reacts proactively to attacks from the
start.
Two solutions that work quite well are Fail2ban and Snort; it is advisable to consider
them at the design stage of the implementation.
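To make concrete what "software that reacts to attacks" does, the following added example (not Fail2ban or Snort code, and not from the paper) applies the jail logic Fail2ban automates, a failure window, a retry limit and a ban duration, to constructed log lines in the SecurityEvent format that Asterisk's res_security_log module writes. It returns the firewall rules it would issue as strings rather than executing them. The thresholds, the sample lines and the iptables form of the rule are assumptions.

```python
"""Reactive blocking from Asterisk security-log events, Fail2ban style.

Added example; not Fail2ban or Snort code and not part of the original
paper. It applies the jail logic those tools automate (findtime,
maxretry, bantime) to constructed log lines in the SecurityEvent format
written by Asterisk's res_security_log module, and returns the firewall
rules it would issue as strings instead of executing them.
"""
import re
from datetime import datetime, timedelta

MAXRETRY = 3                       # assumed: failures before a ban
FINDTIME = timedelta(minutes=10)   # assumed: window in which failures count
BANTIME = timedelta(hours=1)       # assumed: how long a ban lasts

FAIL_EVENTS = {"InvalidPassword", "InvalidAccountID",
               "ChallengeResponseFailed", "FailedACL"}
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\].*SecurityEvent="(?P<event>\w+)"'
    r'.*RemoteAddress="IPV4/(?:UDP|TCP)/(?P<ip>[\d.]+)/\d+"')


def parse_line(line):
    """Return (timestamp, event, remote_ip) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("event"), m.group("ip")


class Jail:
    def __init__(self):
        self.failures = {}   # ip -> timestamps of recent failures
        self.banned = {}     # ip -> time at which the ban expires
        self.actions = []    # firewall commands that would have been run

    def feed(self, line):
        parsed = parse_line(line)
        if parsed is None:
            return
        ts, event, ip = parsed
        self._expire(ts)
        if event not in FAIL_EVENTS or ip in self.banned:
            return
        # Keep only failures inside the findtime window, then add this one.
        hist = [t for t in self.failures.get(ip, []) if ts - t <= FINDTIME]
        hist.append(ts)
        self.failures[ip] = hist
        if len(hist) >= MAXRETRY:
            self.banned[ip] = ts + BANTIME
            self.failures.pop(ip)
            self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")

    def _expire(self, now):
        """Lift bans whose bantime has elapsed, as Fail2ban's unban does."""
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")


def fmt(ts, event, ip, account="1001"):
    """Constructed log line in the res_security_log format (sample input)."""
    return (f'[{ts}] SECURITY[2210] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="{ts.replace(" ", "T")}",Severity="Error",Service="SIP",'
            f'EventVersion="2",AccountID="{account}",SessionID="0x7f0",'
            f'LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/{ip}/5060"')


SAMPLE_LOG = [
    fmt("2015-03-02 10:00:01", "InvalidPassword", "203.0.113.5"),
    fmt("2015-03-02 10:00:03", "InvalidPassword", "203.0.113.5"),
    fmt("2015-03-02 10:00:05", "SuccessfulAuth", "192.168.1.50"),
    fmt("2015-03-02 10:00:07", "InvalidAccountID", "203.0.113.5", account="admin"),
    fmt("2015-03-02 10:00:09", "InvalidPassword", "203.0.113.5"),   # already banned
    fmt("2015-03-02 10:30:00", "InvalidPassword", "198.51.100.9"),
    fmt("2015-03-02 11:05:00", "InvalidPassword", "198.51.100.9"),  # outside findtime
]


def run_sample():
    """Replay the constructed log and return the firewall actions taken."""
    jail = Jail()
    for line in SAMPLE_LOG:
        jail.feed(line)
    return jail.actions


if __name__ == "__main__":
    print("\n".join(run_sample()))
```

Two details matter in practice and are reflected above: the window must slide (the last sample line does not trigger a ban because the earlier failure is older than findtime), and bans must expire, otherwise a spoofed or shared source address becomes a self-inflicted denial of service. In production, use Fail2ban's own jail for this log (it ships a filter for Asterisk) rather than this reimplementation, and make sure the security log is actually enabled in Asterisk's logger configuration, since nothing is banned from a log that is not written.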
Responsibilities
Establishing obligations is a very delicate matter, as different people are involved in
the implementation process and particularly in the maintenance of the platform. Each of
them requires coordination and clearly established roles and responsibilities.
Two basic roles in an implementation are:
Integrator or Specialist Role
This is the professional who provides the solution and who performs the deployment
after a proper analysis, which should be carried out together with the customer.
Some of their responsibilities are:
. Identifying customer needs.
. Establishing proper platform positioning based on the requirements.
. Implementing the functionality requested by the customer.
. Knowledge of risks inherent to the platform.
Customer Role
This is probably the most important role, since this person is the one who will
ultimately maintain the system; even more, this person sets the initial requirement,
chooses the supplier, sets the budget for the implementation, and makes the decisions
prior to implementation.
In an ideal scenario this role includes the company CEO, the IT5 manager and the systems
administrator. It should have sufficient knowledge to keep the platform operating.
Some of their responsibilities are:
. Knowing internal (LAN) and external (internet) risks.
. Keeping secure passwords.
. Establishing security as priority versus flexibility.
. Consulting a specialized company, whether through a support contract or
specific services.
. Requesting the telephony carrier to set outbound limits to the PSTN.
. Training their technical staff in the implemented solutions.
. Frequently training their technical staff in security topics.
5 Information Technology
Future Challenges
The challenges of the future lie on the side of mobility and easy access to resources.
Companies and end users are increasingly involved with user-friendly tools such as
Hangouts or Skype.
But under all of this there is always the question: how do we solve the security
problem?
A simple answer would be "come up with security mechanisms for each scenario."
An important example is communication security, meaning remote links and connections
between branches, which should aim to hinder access to the voice packets and prevent
illegal sniffing. TLS (Transport Layer Security) and SRTP (Secure Real-time Transport
Protocol), although they sound very complex, are standard protocols supported in
Elastix. Implementing them correctly can ensure the confidentiality of communications in
environments where minimizing this risk is a top priority. Note that TLS protects only
the signaling and SRTP only the media; since the SRTP keys travel inside the SIP
signaling (in the SDP), the two must be enabled together for either to be effective.
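As an added illustration (not configuration taken from the paper or generated by Elastix), the fragment below shows a chan_sip sip.conf peer in its default cleartext form beside the same peer with SIP over TLS and SRTP enabled. The certificate paths and the extension are assumptions; the option names are the standard chan_sip ones. On Elastix the web interface regenerates its own sip.conf includes, so local changes of this kind belong in the custom include files it does not overwrite.

```ini
; ---------- Before: cleartext signaling and media (chan_sip defaults) ----------
[general]
bindport=5060
tlsenable=no

[1001]
type=friend
secret=kX7#pq2Lw9!vRt
host=dynamic
transport=udp
encryption=no        ; RTP in the clear: anyone on the path can replay the call

; ---------- After: SIP over TLS on 5061, media over SRTP ----------
[general]
bindport=5060
tlsenable=yes
tlsbindaddr=0.0.0.0:5061
tlscertfile=/etc/asterisk/keys/pbx.pem      ; assumed path: server certificate
tlsprivatekey=/etc/asterisk/keys/pbx.key    ; assumed path: matching private key
tlscafile=/etc/asterisk/keys/ca.crt         ; assumed path: CA that signed phone certs

[1001]
type=friend
secret=kX7#pq2Lw9!vRt
host=dynamic
transport=tls        ; register and signal over TLS only
encryption=yes       ; offer SRTP only; a phone without SRTP support will fail to call
```

Two checks before relying on this: the phones must trust the certificate presented on 5061 (a self-signed PBX certificate has to be installed on each phone, otherwise they will either refuse to register or, worse, be configured to skip verification), and `encryption=yes` makes calls fail rather than fall back when the far end cannot do SRTP, which is the correct behaviour for a "confidentiality is top priority" environment but must be tested endpoint by endpoint.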
[Figure: users A and B connected through tunnels, with an IP phone]
Part of the challenge also includes expanding security measures in parallel with the
release and development of software and hardware solutions. Technology has advanced so
fast that implementation needs have not been adequately conveyed at the infrastructure
and knowledge level. It is becoming indispensable to have a suitable technology adviser,
either in-house or through expert companies.
This allows an organization to focus on its core business, which in most cases is not
technology, but rather using it to achieve its goals.
Undoubtedly, ongoing training is vital. Today the professional has more responsibility,
and it is clear that having skills or knowledge in security is an added value that makes
a significant difference when performing a deployment.
The Elastix team, for example, is well aware of this need, which is why it has designed
a security course as part of its training program. The objective is to complement the
platform, since best practices are communicated from the moment of installation.
Conclusions
It is clear that vulnerabilities will continue to appear along with technological
advances. However, essential protection mechanisms are also being developed; the
challenge will always be one of knowledge, analysis and application, so that we can
determine a solution for every need.
About Author
Juan Oliva Cordova
@jroliva
http://jroliva.wordpress.com/
Computer Security and IP Telephony consultant with over 10 years of experience in the
field. He is heavily involved in projects regarding penetration testing, vulnerability
analysis and exploitation, among other computer security tasks. He also implements and
secures IP telephony platforms based on Elastix, call center, cloud solutions and hosted
PBX projects.