Practical VoIP Security

Contents

Chapter 1  Introduction to VoIP Security  1
    Introduction  2
    The Switch Leaves the Basement  4
    What Is VoIP?  6
    VoIP Benefits  7
    VoIP Protocols  9
    VoIP Isn't Just Another Data Protocol  10
    Security Issues in Converged Networks  13
    VoIP Threats  15
    A New Security Model  16
    Summary  18
    Solutions Fast Track  20
    Frequently Asked Questions  21

Chapter 2  Asterisk Configuration and Features  23
    Introduction: What Are We Trying to Accomplish?  24
    What Functions Does a Typical PBX Perform?  24
    PBX Administration  27
    Asterisk Gateway Interface (AGI)  27
    Asterisk Manager API  27
    Dial Plans  28
    Numbering Plans  29
    Choosing a Numbering Scale for Your Private Numbering Plan  31
    Extensions Based on DID  33
    Dialing Plan and Asterisk PBX  34
    Billing  35
    Billing Accounting with Asterisk PBX System  35
    Routing  38
    Time-of-Day Routing  39
    Day-of-Week Routing  39
    Source Number Routing  39
    Cost-Savings Routing  39
    Disaster Routing  39
    Skill-Based Routing  40
    DUNDi Routing Protocol  40
    Other Functions  40
    Music on Hold  41
    Call Parking  41
    Call Pickup  42
    Call Recording  43
    Conferencing  43
    Direct Inward System Access  45
    Unattended Transfer (or Blind Transfer)  46
    Attended Transfer (or Consultative Transfer)  46
    Consultation Hold  46
    No Answer Call Forwarding  46
    Busy Call Forwarding  46
    Do Not Disturb (DND)  47
    Three-Way Calling  48
    Find-Me  48
    Call-Waiting Indication  49
    Voice Mail and Asterisk PBX  49
    How Is VoIP Different from Private Telephone Networks?  51
    Circuit-Switched and Packet-Routed Networks Compared  51
    What Functionality Is Gained, Degraded, or Enhanced on VoIP Networks?  52
    Gained Functionality  52
    Degraded Functionality  54
    Enhanced Functionality  55
    Summary  56
    Solutions Fast Track  56
    Frequently Asked Questions  58

Chapter 3  The Hardware Infrastructure  59
    Introduction  60
    Traditional PBX Systems  61
    PBX Lines  62
    PBX Trunks  64
    PBX Features  65
    PBX Adjunct Servers  68
    Voice Messaging  69
    Interactive Voice Response Servers  70
    Wireless PBX Solutions  71
    Other PBX Solutions  71
    PBX Alternatives  71
    VoIP Telephony and Infrastructure  72
    Media Servers  72
    Interactive Media Service: Media Servers  73
    Call or Resource Control: Media Servers  73
    Media Gateways  75
    Firewalls and Application-Layer Gateways  75
    Application Proxies  76
    Endpoints (User Agents)  76
    IP Switches and Routers  80
    Wireless Infrastructure  80
    Wireless Encryption: WEP  80
    Wireless Encryption: WPA2  81
    Authentication: 802.1x  82
    Power-Supply Infrastructure  83
    Power-over-Ethernet (IEEE 802.3af)  84
    UPS  84
    Energy and Heat Budget Considerations  85
    Summary  86
    Solutions Fast Track  86
    Frequently Asked Questions  88

Chapter 4  PSTN Architecture  91
    Introduction  92
    PSTN: What Is It, and How Does It Work?  92
    PSTN: Outside Plant  93
    PSTN: Signal Transmission  95
    T1 Transmission: Digital Time Division Multiplexing  96
    PSTN: Switching and Signaling  102
    The Intelligent Network (IN), Private Integrated Services, ISDN, and QSIG  105
    ITU-T Signaling System Number 7 (SS7)  106
    PSTN: Operational and Regulatory Issues  110
    PSTN Call Flow  111
    PSTN Protocol Security  114
    SS7 and Other ITU-T Signaling Security  114
    ISUP and QSIG Security  117
    Summary  118
    Solutions Fast Track  118
    Frequently Asked Questions  120

Chapter 5  H.323 Architecture  123
    Introduction  124
    The H.323 Protocol Specification  124
    The Primary H.323 VoIP-Related Protocols  126
    H.225/Q.931 Call Signaling  129
    H.245 Call Control Messages  134
    Real-Time Transport Protocol  136
    H.235 Security Mechanisms  137
    Summary  142
    Solutions Fast Track  142
    Frequently Asked Questions  143

Chapter 6  SIP Architecture  145
    Introduction  146
    Understanding SIP  146
    Overview of SIP  147
    RFC 2543 / RFC 3261  148
    SIP and Mbone  149
    OSI  149
    SIP Functions and Features  152
    User Location  152
    User Availability  153
    User Capabilities  153
    Session Setup  153
    Session Management  153
    SIP URIs  154
    SIP Architecture  154
    SIP Components  155
    User Agents  155
    SIP Server  155
    Stateful versus Stateless  157
    Location Service  157
    Client/Server versus Peer-to-Peer Architecture  158
    Client/Server  158
    Peer to Peer  159
    SIP Requests and Responses  159
    Protocols Used with SIP  162
    UDP  162
    Transport Layer Security  164
    Other Protocols Used by SIP  165
    Understanding SIP's Architecture  168
    SIP Registration  169
    Requests through Proxy Servers  169
    Requests through Redirect Servers  170
    Peer to Peer  171
    Instant Messaging and SIMPLE  172
    Instant Messaging  172
    SIMPLE  174
    Summary  177
    Solutions Fast Track  177
    Frequently Asked Questions  180

Chapter 7  Other VoIP Communication Architectures  183
    Introduction  184
    Skype  184
    History  185
    Skype Protocol Design  186
    Skype Messaging Sequence  186
    Skype Protocol Security  189
    H.248  189
    History  190
    H.248 Protocol Design  191
    H.248 Messaging Sequence  193
    H.248 Protocol Security  194
    IAX  195
    IAX Protocol Design  195
    IAX Messaging Sequence  195
    IAX Protocol Security  197
    Microsoft Live Communication Server 2005  197
    History  199
    MLCS Protocol Design  199
    MLCS Security  200
    Summary  202
    Solutions Fast Track  202
    Frequently Asked Questions  203

Chapter 8  Support Protocols  205
    Introduction  206
    DNS  206
    DNS Architecture  207
    Fully Qualified Domain Name (FQDN)  208
    DNS Client Operation  209
    DNS Server Operation  211
    Security Implications for DNS  212
    TFTP  212
    TFTP  213
    TFTP File Transfer Operation  214
    Security Implications for TFTP  215
    HTTP  216
    HTTP Protocol  216
    HTTP Client Request  217
    HTTP Server Response  217
    Security Implications for HTTP  218
    SNMP  219
    SNMP Architecture  219
    SNMP Operation  220
    SNMP Architecture  221
    DHCP  222
    DHCP Protocol  222
    DHCP Operation  223
    Security Implications for DHCP  224
    RSVP  225
    RSVP Protocol  226
    RSVP Operation  227
    Security Implications for RSVP  228
    SDP  228
    SDP Specifications  229
    SDP Operation  230
    Security Implications for SDP  231
    Skinny  231
    Skinny Specifications  232
    Skinny Operation  232
    Security Implications for Skinny  233
    Summary  234
    Solutions Fast Track  235
    Frequently Asked Questions  237

Chapter 9  Threats to VoIP Communications Systems  239
    Introduction  240
    Denial-of-Service or VoIP Service Disruption  240
    Call Hijacking and Interception  248
    ARP Spoofing  251
    H.323-Specific Attacks  256
    SIP-Specific Attacks  257
    Summary  258
    Solutions Fast Track  259
    Frequently Asked Questions  261

Chapter 10  Validate Existing Security Infrastructure  263
    Introduction  264
    Security Policies and Processes  265
    Physical Security  277
    Perimeter Protection  279
    Closed-Circuit Video Cameras  279
    Token System  280
    Wire Closets  281
    Server Hardening  281
    Eliminate Unnecessary Services  282
    Logging  283
    Permission Tightening  284
    Additional Linux Security Tweaks  287
    Activation of Internal Security Controls  289
    Security Patching and Service Packs  293
    Supporting Services  294
    DNS and DHCP Servers  294
    LDAP and RADIUS Servers  296
    NTP  297
    SNMP  297
    SSH and Telnet  298
    Unified Network Management  299
    Sample VoIP Security Policy  300
    Purpose  300
    Policy  301
    Physical Security  301
    VLANs  301
    Softphones  301
    Encryption  301
    Layer 2 Access Controls  302
    Summary  303
    Solutions Fast Track  304
    Frequently Asked Questions  306

Chapter 11  Confirm User Identity  309
    Introduction  310
    802.1x and 802.11i (WPA2)  313
    802.1x/EAP Authentication  315
    Supplicant (Peer)  315
    Authenticator  315
    Authentication Server  315
    EAP Authentication Types  319
    EAP-TLS  322
    EAP-PEAP  322
    EAP-TTLS  322
    PEAPv1/EAP-GTC  323
    EAP-FAST  323
    LEAP  323
    EAP-MD-5  323
    Inner Authentication Types  324
    Public Key Infrastructure  327
    Public Key Cryptography Concepts  328
    Architectural Model and PKI Entities  330
    Basic Certificate Fields  332
    Certificate Revocation List  333
    Certification Path  334
    Minor Authentication Methods  335
    MAC Tools  335
    MAC Authentication  335
    ARP Spoofing  336
    Port Security  336
    Summary  337
    Solutions Fast Track  338
    Frequently Asked Questions  339

Chapter 12  Active Security Monitoring  343
    Introduction  344
    Network Intrusion Detection Systems  346
    NIDS Defined  346
    Components  346
    Types  348
    Placement  349
    Important NIDS Features  353
    Maintenance  353
    Alerting  353
    Logging  353
    Extensibility  353
    Response  353
    Limitations  354
    Honeypots and Honeynets  354
    Host-Based Intrusion Detection Systems  355
    Logging  356
    Syslog  356
    SNMP  358
    Penetration and Vulnerability Testing  360
    What Is a Penetration/Vulnerability Test?  361
    Methodology  362
    Discovery  362
    Scanning  363
    Vulnerability Assessment  364
    Exploitation  364
    Reporting  364
    Summary  367
    Solutions Fast Track  368
    Frequently Asked Questions  370

Chapter 13  Logically Segregate Network Traffic  373
    Introduction  374
    VLANs  375
    VLAN Security  378
    VLANs and Softphones  379
    QoS and Traffic Shaping  380
    NAT and IP Addressing  382
    How Does NAT Work?  383
    NAT Has Three Common Modes of Operation  385
    NAT and Encryption  388
    NAT as a Topology Shield  391
    Firewalls  392
    A Bit of Firewall History  392
    Shallow Packet Inspection  392
    Stateful Inspection  393
    Medium-Depth Packet Inspection  393
    Deep Packet Inspection  394
    VoIP-Aware Firewalls  396
    H.323 Firewall Issues  396
    SIP Firewall Issues  399
    Bypassing Firewalls and NAT  400
    Access Control Lists  403
    Summary  406
    Solutions Fast Track  407
    Frequently Asked Questions  409

Chapter 14  IETF Encryption Solutions for VoIP  411
    Introduction  412
    Suites from the IETF  412
    S/MIME: Message Authentication  414
    S/MIME Messages  416
    Sender Agent  416
    Receiver Agent  417
    E-mail Address  417
    TLS: Key Exchange and Signaling Packet Security  417
    Certificate and Key Exchange  418
    SRTP: Voice/Video Packet Security  420
    Multimedia Internet Keying  421
    Session Description Protocol Security Descriptions  421
    Providing Confidentiality  422
    Message Authentications  422
    Replay Protection  423
    Summary  425
    IETF RFCs  425
    Frequently Asked Questions  428

Chapter 15  Regulatory Compliance  431
    Introduction  432
    SOX: Sarbanes-Oxley Act  434
    SOX Regulatory Basics  434
    Direct from the Regulations  434
    What a SOX Consultant Will Tell You  437
    SOX Compliance and Enforcement  440
    Certification  440
    Enforcement Process and Penalties  441
    GLBA: Gramm-Leach-Bliley Act  441
    GLBA Regulatory Basics  442
    Direct from the Regulations  442
    What a Financial Regulator or GLBA Consultant Will Tell You  447
    GLBA Compliance and Enforcement  450
    No Certification  450
    Enforcement Process and Penalties  450
    HIPAA: Health Insurance Portability and Accountability Act  451
    HIPAA Regulatory Basics  451
    Direct from the Regulations  452
    What a HIPAA Consultant Will Tell You  459
    HIPAA Compliance and Enforcement  460
    No Certification  460
    Enforcement Process and Penalties  460
    CALEA: Communications Assistance for Law Enforcement Act  461
    CALEA Regulatory Basics  464
    Direct from the Regulations  465
    What a CALEA Consultant Will Tell You  477
    CALEA Compliance and Enforcement  478
    Certification  478
    Enforcement Process and Penalties  479
    E911: Enhanced 911 and Related Regulations  479
    E911 Regulatory Basics  480
    Direct from the Regulations  480
    What an E911 Consultant Will Tell You  485
    E911 Compliance and Enforcement  486
    Self-Certification  486
    Enforcement Process and Penalties  486
    EU and EU Member States' eCommunications Regulations  486
    EU Regulatory Basics  487
    Direct from the Regulations  488
    What an EU Data Privacy Consultant Will Tell You  492
    EU Compliance and Enforcement  493
    No Certification  493
    Enforcement Process and Penalties  493
    Summary  494
    Solutions Fast Track  494
    Frequently Asked Questions  496

Chapter 16  The IP Multimedia Subsystem: True Converged Communications  499
    Introduction  500
    IMS Architecture  501
    Access Network  501
    Core Network  502
    User Database  502
    Call/Session Control  502
    Application Servers  503
    Media Servers  504
    Breakout Gateway  505
    Application Level Gateway  505
    Communication Flow in IMS  505
    IMS Security Architecture  506
    IMS Security Issues  510
    SIP Security Vulnerabilities  510
    Registration Hijacking  511
    IP Spoofing/Call Fraud  511
    Weakness of Digest Authentication  511
    INVITE Flooding  511
    BYE Denial of Service  511
    RTP Flooding  512
    Spam over Internet Telephony (SPIT)  512
    Early IMS Security Issues  512
    Full IMS Security Issues  513
    Summary  514
    References  514
    Solutions Fast Track  515
    Frequently Asked Questions  517

Chapter 17  Recommendations  519
    Reuse Existing Security Infrastructure Wisely  522
    Server Hardening  524
    Supporting Services  524
    Combine Network Management Tools and Operations  524
    Confirm User Identity  525
    802.1x and 802.11i  527
    Public Key Infrastructure  527
    Active Security Monitoring  528
    NIDS and HIDS  528
    Logging  529
    Penetration and Vulnerability Testing  529
    Logically Segregate VoIP from Data Traffic  530
    VLANs  530
    QoS and Traffic Shaping  532
    Firewalls  532
    NAT and IP Addressing  534
    Access Control Lists  534
    Encryption  535
    Regulations  536
    Summary  537
    Solutions Fast Track  540
    Frequently Asked Questions  546

Index  549

23. Turn off SNMP if you can. If not, ensure that community strings are complex.
24. Use IPsec or Secure Shell (SSH) for all remote management and auditing access.
25. Forge strong relationships with your ISPs to defend against external DoS attacks.
26. VoIP components should reside on a separate voice VLAN.
27. VoIP VLAN ports that are not in use should be disabled.
28. If VoIP phones contain a built-in data network port, disable the port when it is not in use; if it is in use, the port must be configured on the appropriate data VLAN.
29. Use of any IP softphone software must be approved in advance.
30. Personal installation and use of private softphones are prohibited.
31. All softphones must use a separate, dedicated NIC for VoIP VLAN access.
32. Ensure that all IP phones and softphones are both VLAN aware and reside in the voice VLAN.
33. All VoIP security perimeter firewalls should be dedicated to VoIP traffic, so that processing load on the firewall does not add latency to voice transmission.
34. The Network Time Protocol (NTP, UDP port 123) should be blocked at the security perimeter. Local NTP clients should receive clock information from a local Stratum 2, 3, or 4 clock source.
35. All HTTP connections to VoIP security perimeter firewalls for administrative/management purposes must be tunneled through a VPN or use HTTPS.
36. Critical VoIP servers must be secured in compliance with applicable guidelines.
37. All remote administrative connections to critical VoIP servers must be encrypted.
38. All VoIP traffic that is sent over a public IP network (i.e., the Internet) must be encrypted.
39. Ensure that the server hosting the voice-mail service is properly hardened and secured.
40. If wireless VoIP (VoWLAN) is used, all of the aforementioned requirements apply.
41. No VoIP systems (IP phones, softphones, VoIP-related server hardware and software, or networks) will be put into operation without certification that they comply in every respect with the aforementioned recommendations.

Solutions Fast Track

Reuse Existing Security Infrastructure Wisely

- A security policy provides the framework, justification, and metrics for all other security-related development.
- A policy that is not consistently enforced is worse than having no policy at all.
- The most important step in security policy practice is communicating the policy's contents to everyday users; these "human firewalls" are the best security investment an organization can make.
- Upgrading a data network to a data and VoIP network is an ideal time to reexamine and revamp the security state of your support infrastructure.
- Require more than one type of authentication for access to critical areas.
- Remember to lock doors and windows.
- Turn off all unnecessary services and listening daemons.
- The risk of implementing a service pack or security patch should ALWAYS be LESS than the risk of not implementing it.
- If you make the effort to generate log files, review them regularly. Logged data are a great resource for understanding the day-to-day operation of your infrastructure.
- If possible, dedicate your support infrastructure components to either data or VoIP networks, but not both.
- Ensure that multiple DHCP servers do not coexist in the same broadcast domain.
- Ensure that SNMP community strings are not set to default values.
- Replace telnet with SSH at every opportunity.
- Delay, jitter, and packet loss are the major network variables that impact VoIP quality.
- Always segregate management traffic on a dedicated, secure management network.
Confirm User Identity

- Authentication is based on three factors: "something you have" (a key or certificate), "something you know" (a password or secret handshake), and "something you are" (a fingerprint or iris pattern). Authentication mechanisms validate users by one or a combination of these.
- The 802.1x protocol defines port-based network access control that is used to provide authenticated network access.
- EAP (Extensible Authentication Protocol) is a general authentication protocol that provides a framework for multiple authentication methods.
- Most of the more recent EAP types are made up of two components: an outer and an inner authentication type.
- The three components of an 802.1x infrastructure are the supplicant (client), the authenticator (NAS), and the authentication server (normally a RADIUS server).
- 802.11i is the IEEE standard behind the WPA2 certification.
- Within the PKI framework, who you are is defined by the private keys you possess.
- A symmetric exchange is one in which the same key is used for both encryption and decryption.
- PKI relies on a public/private key pair.
- Public and private keys are mathematically related entities. One key is used to encrypt information, and only the related key can decrypt that same information; knowing the public key, however, it is computationally infeasible to derive the private key.
- The private key is also used to digitally sign a message, so that the recipient can verify that it came from the holder of that key.
- Information security is often defined as a number of layers. The basis for this is the idea that wherever a logical or physical impediment can reasonably be placed to stop an attacker (without hindering normal users' access to network resources), it should be.
- A basic security rule is that endpoints cannot be trusted until the identity of the endpoint is confirmed, that is, authenticated.
- In the case of VoIP, one method for authenticating IP phones is the hardware (MAC) address. A MAC address is trivially spoofed, however, so treat MAC-based controls as a convenience rather than as authentication, and prefer 802.1x where the phones support it.

Active Security Monitoring

- A network intrusion detection system (NIDS) is designed to alert administrators when malicious or illegitimate traffic is detected.
- A network-based IDS can monitor an entire large network with only a few well-situated sensors, and imposes little overhead on the network.
- NIDSs are normally classified according to the method they use for attack detection: signature-based or anomaly detection.
- NIDS sensors should be located where they can most effectively monitor critical traffic.
- Communication between the IDS components (sensors and management console) should be encrypted and strongly authenticated.
- A host-based IDS (HIDS) consists of applications that operate on information collected from individual computer systems.
- Tripwire is the reference model for many of the follow-on HIDS.
- Most HIDS software establishes a "digital inventory" of files and their attributes in a known-good state, and uses that inventory as a baseline for detecting any system changes.
- The key to successful log analysis is to adopt the proper tools for your environment to automatically parse, visualize, and report summarized log data.
- Classic syslog messages use UDP port 514 for transport: delivery is not guaranteed, the sender is not authenticated, and the messages cross the network in cleartext.
- The syslog protocol provides a transport that allows a machine to send event notification messages across IP networks to event message collectors, also known as syslog servers.
- Syslog messages (ASCII-based) may be sent to local logs, a local console, a remote syslog server, or a remote syslog relay.
- The Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between network devices.
- An SNMP network normally consists of three key components: managed devices, agents, and network-management systems.
- If you must use SNMP, immediately change the default read and write community strings.
- Penetration and vulnerability tests are useful tools for determining the current security posture of an organization.
- Penetration tests (pen-tests) usually refer to tests against perimeter defenses, whereas vulnerability testing refers to tests against specific systems (hosts, applications, or networks).
- The results of a penetration or vulnerability test reflect the security status only during the testing period. Even minor administrative and architectural changes to the environment, made only moments after a penetration test, can alter the system's security profile.

Logically Segregate VoIP from Data Traffic

- Separate voice and data traffic via VLANs.
- VLANs provide security and make smaller broadcast domains by creating logically separated subnets.
- Disable unused ports and put them in a unique unused VLAN. This is a simple but effective means of preventing unauthorized access.
- For a good discussion of L2 access controls see: www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml
- QoS and traffic shaping: VoIP has strict performance requirements.
- VoIP quality is negatively affected by increased latency, jitter, and packet loss.
- QoS can provide some protection against DoS attacks, because prioritized voice traffic keeps its share of the link when other traffic floods it.
- Network address translation (NAT) is a method for rewriting the source and/or destination addresses of IP packets.
- NAT also has to rewrite TCP and UDP checksums, because those checksums are computed over a pseudo-header that includes the IP addresses NAT has just changed.
- Hosts behind a NAT device do not have true end-to-end Internet connectivity and cannot directly participate in Internet protocols that require initiation of TCP connections from outside the NAT device, or in protocols that split signaling and media into separate channels.
- The key to the incompatibility of NAT and IPsec AH is the Integrity Check Value (ICV): AH computes the ICV over the IP header addresses, so any address rewrite by NAT invalidates it.
- NAT provides a security function by segregating private hosts from the publicly routed Internet: it shields the internal topology, but it is not a substitute for a firewall.
- Firewall mechanisms include packet filtering, stateful inspection, application-layer gateways, and deep packet inspection.
- Packet-filtering firewalls inspect only a few header fields in order to make forwarding decisions.
- Application-layer gateways provide intermediary services for hosts that reside on different networks, while maintaining complete details of the TCP connection state and sequencing.
- Deep packet inspection analyzes the entire packet, and may buffer, reassemble, and inspect several related packets as part of a session.
- H.323 calls are difficult to firewall because the IP addresses and ports of each later channel are carried inside earlier signaling messages, because those messages are ASN.1 PER encoded (so the firewall must decode them to learn the values), and because media and signaling take place on different channels, some of which are created dynamically.
- When used as a VoIP application, SIP is difficult to firewall because NAT often hides the "real" IP address of endpoints, and because media and signaling take place on different channels, some of which are negotiated dynamically in the SDP body.
- Access control lists (ACLs) are table-like data structures.
- A general rule of thumb is that inbound ACLs are more efficient than outbound ACLs: a packet denied on ingress is dropped before the router spends a routing lookup on it.
- ACLs provide extremely granular control of traffic streams if configured correctly.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form.

Q: What's the difference between a network intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)?
A: A NIDS inspects inbound and outbound network traffic and identifies patterns of packet data that may indicate a network or system attack. A HIDS, on the other hand, normally resides as an application on the server that it monitors.

Q: What is the Windows equivalent of syslog?
A: Windows doesn't really have a native equivalent. The Event Log service collects the event messages issued by Windows-based programs and components so that they can be viewed in Event Viewer.

Q: I've set up logging to syslog, but it's not working. What should I do?
A: Make sure you have an entry in your syslog.conf file to save the appropriate messages. Don't forget to send a SIGHUP to syslogd so that it re-reads its configuration file. Also, remember that the classic BSD syslogd does not create log files: you need to create the file before syslogd will log to it (for example, touch /var/log/myfile). Newer daemons such as rsyslog and syslog-ng create the file themselves.

Q: If you have multiple security devices reporting to a remote syslog server, what is the best way to parse or separate the logs?
A: Log parsing is difficult to do in an efficient, scalable manner. A number of commercial products claim to parse various formats and store the information in a backend database. There are numerous open source log parsing projects at Freshmeat or SourceForge. Simple shell, awk, or perl scripts can also be used.

Q: Should my company be running its own honeypot or honeynet?
A: Probably not. Most organizations still have problems completing and maintaining basic security controls. Honeypots and honeynets are primarily learning tools. Most honeynets are run in academia, the military, and government.

Q: I'm looking for a utility that enables me to change community names on multiple devices from a single management console. Where can I find one?
A: Because the methodology for setting community strings is not standardized, every type of device and agent version may have a different mechanism for handling this chore. Therefore, there are no "single console" products for setting community strings. For this to be feasible, you would have to be able to differentiate every agent type, and know how that particular vendor, system, or agent handles it.

Q: What is RMON?
A: The Remote Network Monitoring MIB is an SNMP MIB for remote management of networks. Although other MIBs usually are created to support a network device whose primary function is other than management, RMON was created to provide management of a network. RMON is one of the many SNMP-based MIBs that are on the IETF Standards track.

Q: What are red teams or blue teams?
A: In penetration testing, a red-team approach means that the testers adopt a stealthy posture; that is, they take on the role of an untrusted attacker attempting to sneak into the network. Blue team signifies an approach where the tester is an insider and the "noise" generated by test tools is not an issue. (In wider current usage, "blue team" refers to the defenders themselves rather than to an insider tester.)
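The Solutions Fast Track bullets above say that SIP (like H.323) is hard to firewall because the media addresses and ports travel inside the signaling, and that NAT often hides the endpoint's real address. The Python example below is added here and is not from the book: it shows what a VoIP-aware firewall or SIP ALG has to extract from one INVITE to open the right pinholes, and how it can notice that the endpoint sits behind a NAT it does not know about. The INVITE, its SDP body, the host pbx.example.net and the 10.0.0.x and 203.0.113.x addresses are all constructed for the example; H.323's ASN.1 PER signaling is not covered.

```python
"""Added example (not from the book): SDP pinhole extraction for a SIP-aware firewall.
The INVITE, SDP, host name and addresses below are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges, the addresses a NAT hides. Written out explicitly because the ipaddress
# module's is_private also flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Pinhole:
    media: str       # audio, video, image (T.38) ...
    transport: str   # UDP or TCP
    address: str     # where the far end must be allowed to send
    port: int
    kind: str        # "media" (the m= port) or "rtcp" (RTP streams only)


def parse_sip(raw: str):
    """Split a SIP message into request line, headers (lower-cased, multi-valued) and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return request_line, headers, body


def sdp_pinholes(sdp: str):
    """Session-level c= gives the default address; each m= opens a media section (port 0 means
    the media is rejected); a media-level c= overrides the address; a=rtcp (RFC 3605) overrides
    the RTCP port, which otherwise defaults to the RTP port + 1. udptl (T.38) has no RTCP."""
    holes = []
    session_addr = None
    section = None  # [media, transport, port, address, rtcp_port, is_rtp]

    def close_section():
        if section is None or section[2] == 0:
            return
        media, transport, port, addr, rtcp_port, is_rtp = section
        holes.append(Pinhole(media, transport, addr, port, "media"))
        if is_rtp:
            holes.append(Pinhole(media, transport, addr, rtcp_port or port + 1, "rtcp"))

    for line in sdp.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        kind, value = line[0], line[2:].strip()
        if kind == "c":                                   # c=IN IP4 <addr>[/ttl]
            addr = value.split()[2].split("/")[0]
            if section is None:
                session_addr = addr
            else:
                section[3] = addr
        elif kind == "m":                                 # m=<media> <port>[/n] <proto> <fmt>...
            close_section()
            media, port, proto, *_ = value.split()
            transport = "TCP" if proto.upper().startswith("TCP") else "UDP"
            section = [media, transport, int(port.split("/")[0]), session_addr, None,
                       proto.upper().startswith("RTP/")]
        elif kind == "a" and section is not None and value.startswith("rtcp:"):
            section[4] = int(value[5:].split()[0])
    close_section()
    return holes


def analyze_invite(raw: str, outer_src_ip: str) -> dict:
    """outer_src_ip is the source address the firewall saw on the packet carrying the INVITE."""
    _, headers, body = parse_sip(raw)
    if headers.get("content-type", [""])[0].lower() != "application/sdp":
        return {"pinholes": [], "nat_suspected": False}
    holes = sdp_pinholes(body)
    # RFC 1918 addresses inside the SDP while the packet arrived from a non-RFC 1918 source
    # mean the phone is behind a NAT it does not know about: pinholes opened towards those
    # addresses are useless and the media has to be fixed up by an ALG or SBC.
    nat_suspected = (not is_rfc1918(outer_src_ip)) and any(is_rfc1918(h.address) for h in holes)
    return {"pinholes": holes, "nat_suspected": nat_suspected}


# Constructed INVITE: audio with an explicit RTCP port, a rejected video stream (port 0),
# and a T.38 fax stream with its own media-level c= line.
SDP_BODY = "\r\n".join([
    "v=0", "o=1000 2890844526 2890844526 IN IP4 10.0.0.20", "s=-", "c=IN IP4 10.0.0.20", "t=0 0",
    "m=audio 49170 RTP/AVP 0 8", "a=rtcp:49171",
    "m=video 0 RTP/AVP 31",
    "m=image 49200 udptl t38", "c=IN IP4 10.0.0.21",
]) + "\r\n"
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:2000@pbx.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.20:5060;branch=z9hG4bK776asdhds",
    "From: <sip:1000@pbx.example.net>;tag=1928301774", "To: <sip:2000@pbx.example.net>",
    "Call-ID: a84b4c76e66710@10.0.0.20", "CSeq: 314159 INVITE",
    "Contact: <sip:1000@10.0.0.20:5060>", "Content-Type: application/sdp",
    f"Content-Length: {len(SDP_BODY)}", "", SDP_BODY,
])

if __name__ == "__main__":
    result = analyze_invite(SAMPLE_INVITE, outer_src_ip="203.0.113.1")
    for hole in result["pinholes"]:
        print(f"open {hole.transport} -> {hole.address}:{hole.port} ({hole.media} {hole.kind})")
    print("endpoint behind an unannounced NAT:", result["nat_suspected"])
```

A firewall doing this keeps the pinholes only for the life of the dialog (closing them on BYE or CANCEL), and when nat_suspected is set it should learn the media address from the first RTP packet actually received rather than from the SDP.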
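Two of the NAT bullets in the Solutions Fast Track above (NAT must rewrite TCP/UDP checksums because of the pseudo-header; AH breaks under NAT because of the ICV) can be made concrete in a few lines. This Python example is added here and is not from the book: it builds a UDP packet, applies a source NAT to it with and without recomputing the checksum, and checks an AH-style HMAC over the addresses before and after translation. The packet contents and the HMAC key are constructed; the HMAC over the two addresses plus the payload stands in for the real AH ICV, which covers the whole IP header with mutable fields zeroed, the AH header and the payload.

```python
"""Added example (not from the book): why NAT must recompute UDP checksums and why it
breaks IPsec AH. Packet contents and key are constructed placeholders."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (odd lengths are zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes
    checksum: int = 0  # value carried in the UDP header

    def pseudo_header(self) -> bytes:
        # IPv4 pseudo-header: src, dst, zero, protocol 17, UDP length. The addresses are the
        # reason a NAT cannot leave the transport checksum alone.
        return (ipaddress.IPv4Address(self.src_ip).packed
                + ipaddress.IPv4Address(self.dst_ip).packed
                + struct.pack("!BBH", 0, 17, 8 + len(self.payload)))

    def segment(self, checksum: int) -> bytes:
        return struct.pack("!HHHH", self.src_port, self.dst_port,
                           8 + len(self.payload), checksum) + self.payload


def compute_udp_checksum(pkt: UdpPacket) -> int:
    csum = internet_checksum(pkt.pseudo_header() + pkt.segment(0))
    return csum or 0xFFFF  # RFC 768: a computed zero is transmitted as all ones


def udp_checksum_valid(pkt: UdpPacket) -> bool:
    """The receiver sums pseudo-header + segment including the carried checksum; a good
    packet sums to zero."""
    return internet_checksum(pkt.pseudo_header() + pkt.segment(pkt.checksum)) == 0


def with_checksum(pkt: UdpPacket) -> UdpPacket:
    return replace(pkt, checksum=compute_udp_checksum(pkt))


def nat_rewrite(pkt: UdpPacket, public_ip: str, public_port: int, fix_checksum: bool = True) -> UdpPacket:
    """Source NAT: rewrite the source address and port. A correct NAT also recomputes the
    UDP checksum, because the checksum covers the pseudo-header it has just changed."""
    out = replace(pkt, src_ip=public_ip, src_port=public_port)
    return with_checksum(out) if fix_checksum else out


def ah_style_icv(key: bytes, pkt: UdpPacket) -> bytes:
    """Simplified stand-in for the IPsec AH ICV: an HMAC over the IP addresses and the
    payload. Real AH covers the full IP header with mutable fields zeroed plus the AH header
    and payload; coverage of the addresses is what makes NAT fatal to it."""
    covered = (ipaddress.IPv4Address(pkt.src_ip).packed
               + ipaddress.IPv4Address(pkt.dst_ip).packed + pkt.payload)
    return hmac.new(key, covered, hashlib.sha256).digest()


def ah_icv_valid(key: bytes, pkt: UdpPacket, icv: bytes) -> bool:
    return hmac.compare_digest(ah_style_icv(key, pkt), icv)


def demo() -> dict:
    """Constructed SIP REGISTER over UDP from a phone on an RFC 1918 address, translated to
    a public address by a NAT. All addresses and the key are placeholders."""
    inside = with_checksum(UdpPacket("10.0.0.20", "198.51.100.7", 5060, 5060,
                                     b"REGISTER sip:pbx.example.net SIP/2.0\r\n"))
    key = b"constructed-demo-key"
    icv = ah_style_icv(key, inside)
    sloppy_nat = nat_rewrite(inside, "203.0.113.1", 40000, fix_checksum=False)
    proper_nat = nat_rewrite(inside, "203.0.113.1", 40000)
    return {
        "original_udp_ok": udp_checksum_valid(inside),
        "nat_without_recalc_ok": udp_checksum_valid(sloppy_nat),
        "nat_with_recalc_ok": udp_checksum_valid(proper_nat),
        "ah_before_nat_ok": ah_icv_valid(key, inside, icv),
        "ah_after_nat_ok": ah_icv_valid(key, proper_nat, icv),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same pseudo-header argument applies to TCP; ESP survives NAT where AH does not because its ICV starts after the IP header, which is why NAT traversal for IPsec is built on ESP (with UDP encapsulation) rather than AH.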
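The ACL bullets above call ACLs table-like structures that give granular control "if configured correctly". The example below is added here and is not from the book: a first-match ACL evaluator in Python for a voice VLAN, with a check for rules that an earlier, broader rule shadows, which is the usual way an ACL quietly stops doing what its author intended. The subnets (10.10.0.0/24 voice, 10.20.0.0/24 data, 10.99.0.0/24 management), the PBX address and the RTP port range are assumptions made for the example.

```python
"""Added example (not from the book): first-match ACL evaluation and shadowed-rule detection.
Subnets, hosts and port ranges are constructed for the example."""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "udp", "tcp" or "ip" (any protocol)
    src: str                    # CIDR
    dst: str                    # CIDR
    dport: tuple = (0, 65535)   # inclusive destination port range
    note: str = ""

    def matches(self, proto: str, src: str, dst: str, dport: int) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.dport[0] <= dport <= self.dport[1])

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` could match also matches this rule."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.dport[0] <= other.dport[0] and other.dport[1] <= self.dport[1])


def evaluate(acl, proto: str, src: str, dst: str, dport: int) -> str:
    """The first matching rule wins; a packet that matches nothing hits the implicit deny."""
    for rule in acl:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"


def shadowed_rules(acl) -> list:
    """Indexes of rules that can never be reached because an earlier rule covers them. A cover
    with the same action is dead weight; a cover with the opposite action silently defeats
    the intent of the shadowed rule."""
    return [i for i, rule in enumerate(acl) if any(earlier.covers(rule) for earlier in acl[:i])]


VOICE, PBX, DATA, MGMT = "10.10.0.0/24", "10.10.0.5/32", "10.20.0.0/24", "10.99.0.0/24"

# Applied inbound on the voice VLAN interface: phones talk SIP and TFTP to the PBX and RTP to
# each other, nothing else. The explicit denies document the intent; the implicit deny after
# the last rule catches everything else.
VOICE_IN = [
    Rule("permit", "udp", VOICE, PBX, (5060, 5060), "SIP signaling to the PBX"),
    Rule("permit", "udp", VOICE, VOICE, (16384, 32767), "RTP between phones"),
    Rule("permit", "udp", VOICE, PBX, (69, 69), "TFTP phone configuration"),
    Rule("deny", "ip", VOICE, DATA, note="phones never reach the data VLAN"),
    Rule("deny", "ip", VOICE, MGMT, note="phones never reach management"),
]

# The same list with a troubleshooting rule somebody put at the top and forgot to remove.
VOICE_IN_BROKEN = [Rule("permit", "ip", VOICE, ANY, note="TEMP: allow everything")] + VOICE_IN

if __name__ == "__main__":
    for name, acl in (("voice-in", VOICE_IN), ("voice-in-broken", VOICE_IN_BROKEN)):
        print(name, "phone -> data VLAN SMB:", evaluate(acl, "tcp", "10.10.0.20", "10.20.0.7", 445))
        for i in shadowed_rules(acl):
            print(f"  rule {i} is shadowed: {acl[i].note}")
```

Run the shadow check whenever an ACL is edited; on a real device the hit counters per rule tell the same story after the fact, but only once the unwanted traffic has already been permitted.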
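The syslog bullets under Active Security Monitoring and the FAQ answer on separating logs from several devices come down to the same job: parse the line format, split the feed by reporting device, then run detections over the result. This Python example is added here and is not part of the book; it does that for classic BSD-style (RFC 3164) syslog lines. The log lines are constructed; the Asterisk lines copy the chan_sip "Registration from ... failed for ..." wording, which is an assumption about that log format rather than something the book shows, and the host names pbx1, fw1 and sw1 are placeholders.

```python
"""Added example (not from the book): parse RFC 3164 syslog lines, demultiplex per device,
and count failed SIP registrations per source. All log lines are constructed."""
import re
from collections import Counter

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")

# Assumed Asterisk chan_sip wording for a rejected REGISTER.
FAILED_REG_RE = re.compile(
    r"Registration from '(?P<user>[^']*)' failed for '(?P<src>[\d.]+):\d+' - (?P<reason>.*)")


def parse_syslog(line: str):
    """Return a record for a well-formed line, or None. PRI = facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:
        return None
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "msg": m["msg"],
    }


def demux_by_host(lines):
    """Split a mixed collector feed into one list of records per reporting device."""
    per_host = {}
    for line in lines:
        rec = parse_syslog(line)
        if rec:
            per_host.setdefault(rec["host"], []).append(rec)
    return per_host


def failed_sip_registrations(records, threshold: int = 3) -> dict:
    """Sources with at least `threshold` failed SIP registrations: the footprint of a
    password-guessing run against the PBX (the digest-authentication weakness and
    registration-hijacking threats listed in the IMS chapter)."""
    counts = Counter()
    for rec in records:
        m = FAILED_REG_RE.search(rec["msg"])
        if m:
            counts[m["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


SAMPLE_LINES = [  # constructed
    "<85>Mar  2 13:00:01 pbx1 asterisk[2112]: NOTICE[2150]: chan_sip.c: Registration from '\"1000\" <sip:1000@pbx1>' failed for '203.0.113.9:5060' - Wrong password",
    "<85>Mar  2 13:00:02 pbx1 asterisk[2112]: NOTICE[2150]: chan_sip.c: Registration from '\"1001\" <sip:1001@pbx1>' failed for '203.0.113.9:5060' - Wrong password",
    "<85>Mar  2 13:00:03 pbx1 asterisk[2112]: NOTICE[2150]: chan_sip.c: Registration from '\"1002\" <sip:1002@pbx1>' failed for '203.0.113.9:5060' - No matching peer found",
    "<38>Mar  2 13:00:05 fw1 sshd[811]: Accepted publickey for admin from 10.99.0.4 port 51022 ssh2",
    "<12>Mar  2 13:00:07 sw1 switchd[77]: port Gi1/0/12 err-disabled: port-security violation",
]

if __name__ == "__main__":
    by_host = demux_by_host(SAMPLE_LINES)
    for host, recs in sorted(by_host.items()):
        print(f"{host}: {len(recs)} records")
    print("SIP registration guessing:", failed_sip_registrations(by_host.get("pbx1", [])))
```

Because UDP syslog is unauthenticated, the host field is only as trustworthy as the network path to the collector; on a segregated management network that is acceptable, across the Internet it is not.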
Index

802.1 standard. See IEEE 802.1 standard

A
AAA (authentication, authorization, and accounting), 296, 317, 503
access control lists (ACLs), 403–405
ACK SIP signaling command, 159
ACLs (access control lists), 403–405
active security monitoring
    host-based intrusion detection systems, 355–356
    network intrusion detection systems, 346–355
    overview, 344–345, 528
    penetration/vulnerability testing, 360–366
    system logging, 356–359
address resolution protocol (ARP)
    caching addresses, 251
    overview, 250
    spoofing, 251–256, 336
Admission Confirm (ACF) message, 133
Admission Reject (ARJ) message, 133
Admission Request (ARQ) message, 133
Advanced Encryption Standard (AES), 314
AES (Advanced Encryption Standard), 314
AGI (Asterisk Gateway Interface), 27
AH (Authentication Header) protocol, 388–391
AIM (America Online Instant Messenger). See instant messaging (IM)
ALGs (application-layer gateways), 11, 75, 76, 393–394, 505
Alliance for Telecommunications Industry Solutions (ATIS), 117
analog lines, 62, 63
Analog Telephony Adapter (ATA), 75, 295
analog-to-digital conversion, 97, 98
ANI (Automatic Number Identification), 107, 108, 117, 256
Application layer, OSI, 150, 151
application-layer gateways (ALGs), 11, 75, 76, 393–394, 505
application proxies, 21, 76
application servers (AS), 503–504
ARP (address resolution protocol)
    caching addresses, 251
    overview, 250
    spoofing, 251–256, 336
AS (application servers), 503–504
ASN.1 notation, 130–131, 141
Asterisk Gateway Interface (AGI), 27
Asterisk Manager API, 27–28
Asterisk PBX software
    billing, 35–38
    call parking feature, 41–42
    conferencing feature, 44–45
    dial plan, 34–35
    Do Not Disturb feature, 47–48
    DUNDi routing protocol, 40
    and Open Source, 66–67
    overview, 26–27
    voice mail and, 49–51
ATA (Analog Telephony Adapter), 75, 295
ATIS (Alliance for Telecommunications Industry Solutions), 117
AT&T, 110–111
attended transfers, 46
authentication. See also IEEE 802.1 standard
    EAP types, 319–327
    inner types, 324–326
    and Internet mail (See S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol)
    outer types, 319–323
    overview, 310–313
    passwords as, 324
    servers, 315–316
Authentication Header (AH) protocol, 388–391
authenticators, defined, 315
authorization, 82–83
Automatic Number Identification (ANI), 107, 108, 117, 256

B
Bank of America, 3
Bellovin, Steve, 392
BGCF (Breakout Gateway Control Function), 505
billing
    and Asterisk PBX system, 35–38
    open source solutions, 38
    overview, 35
    postpaid, 37–38
    prepaid, 37–38
biometric devices, 280
blind transfer, 46
blueboxing, 103–104
bots, 242
Breakout Gateway Control Function (BGCF), 505
buddy lists, 174
busy call forwarding, 46
BYE SIP signaling command, 160

C
cabling, 93–95
cache poisoning, 251–256
CALEA (Communications Assistance for Law Enforcement Act)
    certification, 478
    compliance and enforcement, 478–479
    core IP system issues, 478
    defined, 461
    and FCC, 471–477
    overview, 461–464
    regulatory basics, 464–477
    role of consultants, 477–478
    and Telecommunications Industry Association, 470–471
    timeline, 463
    and VoIP networks, 401
    and XBox, 462
Call Detail Recording (CDR), 71
call forwarding, 46
call interception, 248–256
call parking, 41–42
call recording, 43
Call/Session Control Function (CSCF), 502–503, 505, 506, 507–510
call sniffers, 14
call-waiting indication, 49
Caller ID, 108, 256
CANCEL SIP signaling command, 160
CAs. See certification authorities (CAs)
CCITT. See ITU-T signaling systems
CCS (Common Channel Signaling), 107
Centrex, 60, 71
CERT, 244
certificate revocation lists (CRLs), 331, 332, 333
certification authorities (CAs), 331, 418–420
certification paths, 334–335
Challenge Handshake Authentication Protocol (CHAP), 321, 326. See also MS-CHAP authentication type
challenge/response tokens, 280
CHAP (Challenge Handshake Authentication Protocol), 321, 326. See also MS-CHAP authentication type
Choicepoint, 2
CIA triad (confidentiality, integrity, and availability), 13
circuit-switched networks vs. packet-routed networks, 51–52
Cisco Systems. See Skinny protocol
CLASS (Custom Local Area Signaling Services), 107, 117
Client error (4xx) SIP response code, 160, 161–162
client/server architecture, 158–159
closed-circuit video cameras, 279–280
codecs
    G.700 series, 127
Common Channel Signaling (CCS), 107
Communications Assistance for Law Enforcement Act. See CALEA (Communications Assistance for Law Enforcement Act)
consultation holds, 46
consultative transfers, 46
converged networks, 6. See also VoIP
    new security paradigm for, 16–17
    security issues, 13–16
cost-savings routing, 39
CRLs (certificate revocation lists), 331, 332, 333
cryptography. See PKI (public key infrastructure)
CSCF (Call/Session Control Function), 502–503, 505, 506, 507–510
Custom Local Area Signaling Services (CLASS), 107, 117
CVE (Common Vulnerabilities and Exposures), 244

D
DACs (digital access cross-connect systems), 99, 101, 102
Data Link layer, OSI, 151
day-of-week routing, 39
denial-of-service (DoS) attacks
    as difficult threat, 14
    overview, 240–245
    and UDP, 163–164
device authentication, 310
DHCP (Dynamic Host Configuration Protocol)
    defined, 221
    operations, 222–223
    protocol overview, 221–222
    security issues, 224
    server overview, 294–296
    types of packets used, 222
dial plans, PBX
    and Asterisk, 34–35
    designing for private telephone systems, 32–33
    numbering plans, 27–31
DIAMETER protocol, 317
dictionary attacks, 327
DID (Direct Inward Dialing) numbers, 33
digital access cross-connect systems (DACs), 99, 101, 102
digital lines, 63
digital-to-analog conversion, 97, 98
Direct Inward Dialing (DID) numbers, 33
Direct Inward System Access (DISA), 45–46
DISA (Direct Inward System Access), 45–46
disaster routing, 39–40
distributed denial-of-service (DDoS) attacks, 240. See also denial-of-service (DoS) attacks
Distributed Universal Number Discovery (DUNDi) routing protocol, 40
DND (Do Not Disturb), 47–48
DNS (Domain Name System)
    architecture, 207–212
    client operations, 209–211
    defined, 206
    poisoning, 249
    protocol overview, 206–207
    recursive lookups, 209–211
    root servers, 208
    security issues, 212
    server operations, 211–212
    server overview, 294–296
    server zone transfers, 211–212
Do Not Disturb (DND), 47–48
DoS (denial-of-service) attacks
    as difficult threat, 14
    overview, 240–245
    and UDP, 163–164
DPI (Deep Packet Inspection), 394–396
SIP (Session Initiation Protocol)
    and URIs, 154
    user agent component, 155
    user aspects, 152–153
DSW Shoe Warehouses, 3
Dual-Tone Multi-Frequency (DTMF), 104
dumb cards, 280
DUNDi (Distributed Universal Number Discovery) routing protocol, 40
Dynamic Host Configuration Protocol. See DHCP (Dynamic Host Configuration Protocol)

E
e-mail. See S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol
E.164 International Numbering Plan, 30
E911 (enhanced 911)
    compliance and enforcement, 486
    core IP system issues, 485
    defined, 479
    overview, 479–480
    regulatory basics, 480–485
    role of consultants, 485
EAP (Extensible Authentication Protocol), 314, 319–327
EAP-FAST authentication type, 321, 323
EAP-MD-5 authentication type, 321, 323
EAP-PEAP authentication type, 321, 322
EAP-TLS authentication type, 321, 322
EAP-TTLS authentication type, 321, 322–323
eavesdropping, 248–256
eBay, 185
802.1 standard. See IEEE 802.1 standard
Encapsulating Security Payload (ESP) protocol, 388–391
encryption, 535
    and NAT, 388–391
    sample VoIP security policy, 301–302
encryption, wireless
    Wi-Fi Protected Access, 81–82
    Wired Equivalent Privacy, 80–81
endpoints, 76–79, 124, 125, 245
enhanced 911. See E911
ESP (Encapsulating Security Payload) protocol, 388–391
European Union, 486–493
Extensible Authentication Protocol. See EAP (Extensible Authentication Protocol)

F
FCC (Federal Communications Commission), 471–477
FDM. See Frequency-Division Multiplexing (FDM)
Federal Communications Commission (FCC), 471–477
Field-Programmable Gate Arrays (FPGAs), 395
Find-Me PBX feature, 48
firewalls
    bypassing by using VPNs, 390–403
    H.323 issues, 396–398
    history, 392–396
    overview, 75
    SIP issues, 399–400
    stateful inspection, 393
    and VoIP, 5
    VoIP-aware, 396–403
Foreign eXchange Office (FXO) port, 295
Foreign eXchange Subscriber (FXS) port, 295
FPGAs (Field-Programmable Gate Arrays), 395
FQDNs (fully-qualified domain names), 208–209
Frequency-Division Multiplexing (FDM), 94
fully-qualified domain names (FQDNs), 208–209
FXO (Foreign eXchange Office) port, 295
FXS (Foreign eXchange Subscriber) port, 295

G
gap analysis, 268, 269–274
Gatekeeper Confirm (GCF) message, 133
Gatekeeper Reject (GRJ) message, 133
Gatekeeper Request (GRQ) message, 133, 134
gatekeepers
    as H.323 entity, 73–74, 124, 125–126
    messages, 133–134
gateways
    application-layer, 75
    as H.323 entity, 124, 125
    media, 75
    Media Gateway Control Protocol, 190–191
    overview, 75
    voice, 75
Geer, Dan, 274
Generic Token Card (GTC) authentication type, 323, 326
GLBA (Gramm-Leach-Bliley Act)
    compliance and enforcement, 450–451
    core IP system issues, 449
    defined, 441
    overview, 441–442
    regulatory basics, 442–449
    role of consultants, 447–449
    Title V, 442–446
Global failure (6xx) SIP response code, 160, 162
government regulation
    CALEA, 461–479
    E911, 479–486
    European Union, 486–493
    Gramm-Leach-Bliley Act, 441–451
    HIPAA, 451–461
    overview, 432–434
    Sarbanes-Oxley Act, 434–441
Gramm-Leach-Bliley Act. See GLBA (Gramm-Leach-Bliley Act)
ground start, 62
GTC (Generic Token Card), 323, 326

H
H.225/Q.931
    defined, 127
    overview, 129–134
    port, 128
H.225.0/RAS
    defined, 127
    port, 128
H.235
    defined, 127, 128
    profiles, 138–141
    scope, 138
    security mechanisms, 137–141
    vs. SIP-related protocols, 412
H.245
    call control messages, 134–136
    defined, 127
    ports, 128, 135
H.248
    call flow, 193–194
    design, 191–192
    history, 190–191
    messaging sequence, 193–194
    overview, 189
    security issues, 194
H.323
    call setup and control, 396–398
    defined, 9
    firewall issues, 396–398
    as gatekeeper, 73–74
    as one of two VoIP protocols, 8, 412
    ports, 134, 135
    as signaling protocol, 8, 412
    vs. SIP, 8, 412
    specification, 124–126
    subprotocols, 126–137
H.323-specific attacks, 256–257
Health Insurance Portability and Accountability Act. See HIPAA (Health Insurance Portability and Accountability Act)
HIDS (host-based intrusion detection systems), 355–356
HIPAA (Health Insurance Portability and Accountability Act)
    compliance and enforcement, 460–461
    core IP system issues, 459–460
    defined, 451
    overview, 451
    Privacy Rule, 452
    regulatory basics, 451–460
    role of consultants, 459
    Security Rule, 452–459
honeynets, 354–355
honeypots, 354–355
host-based intrusion detection systems (HIDS), 355–356
Hosted IP-telephony services, 60, 71
HTTP (Hypertext Transfer Protocol)
    client requests, 216–217
    overview, 215–216
    security issues, 218
    server response, 217
Hypertext Transfer Protocol (HTTP)
    client requests, 216–217
    overview, 215–216
    security issues, 218
    server response, 217

I
IAX (Inter-Asterisk Exchange) protocol
    call flow, 195–197
    defined, 66
    design, 195
    messaging sequence, 195–197
    overview, 195
    security issues, 197
    vs. Session Initiation Protocol, 195
    and Skype, 186
ICE (Interactive Connectivity Establishment) protocol, 10, 403
ICQ. See instant messaging (IM)
IEEE 802.1 standard
    defined, 82, 313
    and EAP authentication, 315–318
    and IEEE 802.11i, 313, 314
    overview, 82–83, 313–315
IEEE 802.3af standard, 84
IEEE 802.11i (WPA2), 313, 314
IM. See instant messaging (IM)
IMS (IP Multimedia Subsystem)
    communication flow, 505–506
    defined, 500
    early vulnerabilities, 512–513
    overview, 500–505
    security architecture, 506–510
    security issues, 510–513
Informational (1xx) SIP response code, 160, 161
instant messaging (IM)
    clients as user agents, 78
    overview, 172–174
    security issues, 175–176
    and SIMPLE, 172, 174–175
    Skype features, 173, 174, 184
Integrated Services Digital Network (ISDN), 63, 106
Inter-Asterisk Exchange (IAX) protocol, 66, 186
Interactive Connectivity Establishment (ICE) protocol, 10, 403
interactive media service, 73
Interactive Voice Response (IVR) servers, 70
International Telecommunications Union. See ITU-T signaling systems
Internet Engineering Task Force (IETF)
    defined, 148
    and ICE, 403
    and PKI, 327
    and SIP, 148, 412–424
Internet mail. See S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol
Intelligent Network (IN) model, 105
INVITE SIP signaling command, 159
IP addresses, and NAT, 382–391
IP-Centrex, 60, 71
IP Multimedia Subsystem. See IMS (IP Multimedia Subsystem)
IP-PBX systems, 60, 64
IP routers, 80
IP switches, 80
IP telephony, 6, 10, 72. See also VoIP
IPsec protocol, 388–391
ISDN. See Integrated Services Digital Network (ISDN)
ISDN User Part (ISUP), SS7, 107, 109, 117
ITU-T signaling systems
    ITU-T SS7 standard, 106–110
    numbering plans, 30
    overview, 106–107
    security issues, 114–117
IVR. See Interactive Voice Response (IVR) servers

J
jitter, 380

K
KTS (Key Telephone Systems), 60, 71

L
law enforcement. See CALEA (Communications Assistance for Law Enforcement Act)
LDAP (Lightweight Directory Access Protocol), 296–297
LEAP authentication type, 321, 323
LexisNexis, 2
Lightweight Directory Access Protocol (LDAP), 296–297
lines, PBX, 62–64
Linux platform
    additional security tweaks, 287–289
    eliminating unnecessary services, 282–283
    logging, 283–284
    permission tightening, 285–286
location service, defined, 157
logging
    and NIDS, 353
    overview, 356
    syslog protocol, 356–358
loop start, 62, 63

M
MAC (Media Access Control), 250, 335–336
mail, Internet. See S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol
Mbone, 149
MCUs (multipoint control units), as H.323 entity, 124, 126
MD5 (Message-Digest algorithm 5), 321, 326
Media Access Control (MAC). See MAC (Media Access Control)
Media Gateway Control Protocol (MGCP), 166, 167–168, 190–191. See also H.248
media gateways. See gateways
Media Resource Function (MRF), 504
media servers
    call or resource control, 73–74
    interactive media service, 73
    overview, 72–73
Megaco. See H.248; MGCP (Media Gateway Control Protocol)
Message-Digest algorithm 5 (MD-5), 321, 326
Message Transfer Parts (MTP), SS7, 107, 109
messaging, voice. See voice mail
MGCP (Media Gateway Control Protocol). See also H.248
    defined, 166
    and H.248, 190–191
    overview, 167–168
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), 324–325, 326
Microsoft Office Communicator (MOC), 197
Microsoft Office Live Communications Server (MLCS), 197–201
Microsoft Windows Messenger (MWM), 197
MIKEY (Multimedia Internet Keying), 421
MIME. See S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol
MLCS. See Microsoft Office Live Communications Server (MLCS)
modified-setup PDUs, 398–399
MRF (Media Resource Function), 504
MS-CHAP authentication type, 321, 324–325, 326
MSN Messenger. See instant messaging (IM)
MTP (Message Transfer Parts), SS7, 107, 109
Multicast Backbone, 149
Multimedia Internet Keying (MIKEY), 421
music-on-hold feature, 41

N
NAS (Network Access Server), 315, 316, 317–318
NAT. See Network Address Translation (NAT)
Neighbor Discovery (ND) protocol, 250
Network Access Server (NAS), 315, 316, 317–318
Network Address Translation (NAT)
    bypassing by using VPNs, 390–403
    common modes of operation, 385–388
    and encryption, 388–391
    how it works, 383–391
    and IAX protocol design, 195
    and IPsec, 388–391
    overview, 382
    as topology shield, 391
Network Interconnection Interoperability Forum (NIIF), 117
network intrusion detection systems. See NIDS (network intrusion detection systems)
Network layer, OSI, 151
network-management systems (NMSs), 358–359
networks
    circuit-switched vs. packet-routed, 51–52
    management tools, 299–300
    reviewing pre-VoIP security infrastructure, 264–302
    telephone vs. data, 4–6
    time synchronization, 297
    VoIP vs. private, 51–52
NIDS (network intrusion detection systems)
    components, 346–348
    defined, 346
    features, 353–354
    and honeypots, 354–355
    limitations, 354
    maintenance, 353
    overview, 346–348, 528
    placement, 349–352
    types, 348–349
NIIF (Network Interconnection Interoperability Forum), 117
NMSs (network-management systems), 358–359
no answer call forwarding, 46
North American Numbering Plan (NANP), 30, 31
NOTIFY SIP signaling command, 160
NTP. See time synchronization
numbering plans, 27–31

O
Open Source, 38, 66–67
Open System Interconnect. See OSI reference model
OPTIONS SIP signaling command, 160
OSI reference model
    list of layers, 150–151
    overview, 149–151

P
P2P (peer-to-peer) architecture, 159, 171–172
P2P (point to point) technology, and Skype, 186
packet-routed networks vs. circuit-switched networks, 51–52
packet sniffers, 165
packets
    deep inspection, 394–396
    medium-depth inspection, 393–394
    modified-setup PDUs, 398–399
    shallow inspection, 392–393
PAP (Password Authentication Protocol), 321, 326
parking calls, 41–42
Password Authentication Protocol (PAP), 326
passwords
    breaking, 327
    as form of authentication, 324
    and Sarbanes-Oxley, 438
    significance, 281
PayMaxx, 3
PBX (private branch exchange)
    adjunct servers, 68–70
    administration, 27–28
    alternatives, 71–72
    analog stage, 25–26
    Asterisk software, 66–67
    billing, 35–38
    call forwarding features, 46
    call parking feature, 41–42
    call recording, 43
    call-waiting indication feature, 49
    conferencing feature, 43–45
    consultation hold feature, 46
    dial plans, 28–35
    digital stage, 25–26
    Direct Inward System Access feature, 45–46
    features, 65–67
    Find-Me feature, 48
    history, 25–26
    manual switchboard stage, 25
    music-on-hold feature, 41
    and open source, 66–67
    overview, 60, 61–62
    private numbering plans, 31–33
    routing calls, 38–40
    security issues, 67, 68, 69–70, 71
    station lines, 62–64
    traditional systems, 61–71
    transfer features, 46
    trunks, 64–65
    typical functions, 24–49
    VoIP stage, 25–26
    wireless extensions, 71
PDUs (Protocol Data Units), 132, 398–399, 413
PEAPv1/EAP-GTC authentication type, 321, 323
peer-to-peer architecture, 159, 171–172
penetration tests, defined, 361. See also vulnerability tests
pharming, 248
phone jacks, 63
phone phreaks, 103–104
photo ID cards, 280
phreaks. See phone phreaks
Physical layer, OSI, 151
physical security, 277–281, 301
PISN. See Private Integrated Services Network (PISN)
PKI (public key infrastructure). See also S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol
    architectural model, 330–332
    basic certificate fields, 332–333
    certification paths, 334–335
    and IETF, 327
    and MLCS security, 200–201
    overview, 327–330
    and TLS, 417–420
POE. See Power-over-Ethernet (POE)
policies, security
    characteristics, 274–275
    developing, 265–277
    gap analysis, 268, 269–274
    VoIP sample, 300–302
port security, 202, 302, 336
POTS (Plain Old Telephone Service), 63
Poulsen, Kevin, 104
Power-over-Ethernet (POE), 84
power-supply infrastructure, 83–85
power surges, 85
presence, defined, 8
Presentation layer, OSI, 150
private branch exchange. See PBX (private branch exchange)
Private Integrated Services Network (PISN), 105–106
private keys, 328–330
private numbering plans, 31–33
PROTOS suite, 132
proxy servers, 76, 156, 169–170
PSTN (Public Switched Telephone Network)
    cable plant, 93–95
    call flow, 111–114
    how it works, 93–111
    operational and regulatory issues, 110–111
    overview, 60, 92–93
    protocol security, 114–117
    security issues, 4–6
    signal transmission, 95–102
    switching and signaling, 102–110
PTT (Public Telephone and Telegraph) organizations, 110–111
public key infrastructure. See PKI (public key infrastructure)
public keys, 328–330. See also PKI (public key infrastructure)
Public Switched Telephone Network (PSTN). See PSTN (Public Switched Telephone Network)
Public Telephone and Telegraph (PTT) organizations, 110–111

Q
Q.931, 127, 128, 129–134
QoS, 380–382
Q.SIG, 106, 117, 130

R
RADIUS (Remote Authentication Dial In User Service) protocol, 296–297, 315, 317, 318
RAs (registration authorities), 331
Real-Time Control Protocol (RTCP), 127, 128, 136–137
Real Time Protocol (RTP).
See RTP (Real Time Protocol) Real-Time Streaming Protocol (RTSP), 10, 166, 168 recursive lookups, 209–211 redirect servers, 74–75, 156–157, 170–171 Redirection (3xx) SIP response code, 160, 161 REGISTER SIP signaling command, 159 registration authorities (RAs), 331 Registration Confirm (RCF) message, 133 Registration Reject (RRJ) message, 133 Registration Request (RRQ) message, 133 registration servers, 74 372_PRAC_VoIP_Index.qxd 3/2/06 1:13 PM Page 558 Index 559 regulation, 536 See also government regulation Requests for Comment (RFCs), 148, 149 Reseource Reservation Protocol. See RSVP (Resource Reservation Protocol) RFC 2543, 148 RFC 3261, 148 RFCs (Requests for Comments), 148, 149 routing calls, PBX, 38–40 RSVP (Resource Reservation Protocol) defined, 10, 225 message types, 225–226 operations, 226–227 overview, 225 security issues, 227–228 RTCP (Real Time Control Protocol), 127, 128, 136–137 RTP (Real Time Protocol) defined, 127, 166 and IP Multimedia Subsystem, 500 overview, 136–137, 167 ports, 128 RTSP (Real-Time Streaming Protocol), 10, 166, 168 S SAI (Serving Area Interface), 93 Sarbanes-Oxley Act certification, 440–441 compliance and enforcement, 440–441 core IP system issues, 440 overview, 434 regulatory basics, 434–440 role of consultants, 437–439 Section 404, 434–436 SBCs (Session Border Controllers), 400–401 SCCP (Signaling Connection Control Part), SS7, 108, 109 SCCP (Skinny Client Control Protocol). See Skinny protocol SCPs (Service Control Points), 109 SCTP (Stream Control Transmission Protocol), 8–9, 109 sdescriptions, 421 SDP (Session Description Protocol) defined, 10, 166, 228 and IP Multimedia Subsystem, 167, 505 operations, 229–230 overview, 166, 228 Security Descriptions, 421 security issues, 230 specifications, 228–229 Secure/Multipurpose Internet Mail Extensions protocol (S/MIME), 414–417 Secure Real-Time Transfer Protocol. 
See SRTP (Secure Real-Time Transfer Protocol) Secure Shell (SSH), 298–299 Secure Socket Layer (SSL), 200 security active monitoring, 344–366 additional server tweaks, 287–293 änd Skype, 189 breaches, 2–4 as competitive advantage, 266 converged network issues, 13–16 developing effective policies, 265–277 DHCP issues, 224 and DNS, 212 H.248 issues, 194 and HTTP, 218 and IAX protocol, 197 instant messaging issues, 175–176 PBX issues, 67, 68, 69–70, 71 performing gap analysis, 268, 269–274 perimeter protection, 279–280 physical, 277–281 PSTN issues, 114–117 reviewing pre-VoIP infrastructure, 264–302 role of VLANs, 375–380 RSVP issues, 227–228 sample VoIP policy, 300–302 372_PRAC_VoIP_Index.qxd 3/2/06 1:13 PM Page 559 560 Index SDP issues, 230 server hardening, 281–294 service packs and patches, 293–294 and Skinny protocol, 231–232 SS7 and other ITU-T signaling, 114–117 supporting services, 294–299 and TFTP, 213, 215 token systems, 280 VoIP issues, 13–16, 55 Security Gateways (SEGs), 506, 507 security patches, 293–294 SEGs (Security Gateways), 506, 507 Seisint, 2 Server error (5xx) SIP response code, 160, 162 servers adjunct, 68–70 for authentication, 315–318 in client/server architecture, 158–159 eliminating unnesessary services, 282–283 hardening, 281–294 logging, 283–284 permission tightening, 284–286 as proxies, 76, 156, 169–170 redirect, 156–157, 170–171 as registrars, 156, 169 SIP, 155–157 stateful vs. stateless, 157 Service Control Points (SCPs), 109 service packs, 293–294 Service Switching Points (SSPs), 109 Service Transport Points (STPs), 109 Serving Area Interface (SAI), 93 Session Border Controllers (SBCs), 400–401 Session Description Protocol. See SDP (Session Description Protocol) Session Initiation Protocol (SIP). 
See SIP (Session Initiation Protocol) Session layer, OSI, 150 Setup-PDUs, 132, 398–399 shallow packet inspection, 392–393 signal transmission analog, 95–96 digital, 96–102 SS7 standard, 106–110 T1, 96–102 table of hierarchies, 100 Signaling Connection Control Part (SCCP), SS7, 108, 109 Simple Network Management Protocol. See SNMP (Simple Network Management Protocol) SIMPLE (SIP for Instant Messaging and Presence Leveraging Extensions), 172, 174–175, 198, 199–200 Simple Traversal of UDP through NATs (STUN) protocol, 10, 401–402 SIP (Session Initiation Protocol). See also SIMPLE (SIP for Instant Messaging and Presence Leveraging Extensions) as application-layer control framework, 8 architecture, 154–172 components, 155–157 defined, 9 encryption vs. nonencrypted data, 165 firewall issues, 399–400 how it works, 168–172 vs. IAX, 195 and IP Multimedia Subsystem, 500 and Mbone, 149 as one of two VoIP protocols, 8 and OSI Application layer, 151 overview, 146–151 protocol suites from IETF, 412–424 protocols used with, 162–168 and PSTN call flow, 112–114 and registration, 156, 169 response codes, 160, 161–162 security vulnerabilities, 510–512 server component, 155–157 session management, 153 session setup, 153 signaling commands, 159–160 as signaling protocol, 8, 9 372_PRAC_VoIP_Index.qxd 3/2/06 1:13 PM Page 560 Index 561 and S/MIME protocol, 414–417 and TLS, 164, 165 and UDP, 162–163 SIP-specific attacks, 257 skill-based routing, 40 Skinny protocol defined, 230 operations, 231 overview, 230 security issues, 231–232 specifications, 230–231 Skype call flow, 186–189 defined, 184 history, 185 how it works, 186–189 messaging sequence, 186–189 overview, 184–186 protocol design, 186 security issues, 189 smart cards, 280 S/MIME (Secure/Multipurpose Internet Mail Extensions) protocol, 414–417 sniffers, 14 SNMP (Simple Network Management Protocol) and active monitoring, 358–359 architecture, 219–221 defined, 218 network components, 358–359 operations, 220 overview, 218 security 
issues, 297–298 softphones, 76–77, 301, 379–380 softswitch, 73 SONET rings, 95 source number routing, 39 SOX. See Sarbanes-Oxley Act spoofing ANI, 108, 256 and ARP, 251–256, 336 SRTP (Secure Real-Time Transfer Protocol) confidentiality services, 422 defined, 420 message authentication, 422–423 and Multimedia Internet Keying, 421 overview, 420–421 replay protection, 423–424 SS7 (signaling system 7), 106–110 SSH (Secure Shell), 298–299 SSL (Secure Socket Layer), 200 SSPs (Service Switching Points), 109 stateful inspection firewalls, 393 stateful servers, 157 stateless servers, 157 STPs (Service Transport Points), 109 Stream Control Transmission Protocol (SCTP), 8–9 Strowger,Almon, 104 STUN (Simple Traversal of UDP through NATs) protocol, 10, 401–402 SUBSCRIBE SIP signaling command, 160 Success (2xx) SIP response code, 160, 161 supplicants, defined, 315 SXS (Step by Step) system, 104 syslog protocol, 356–358 system logging. See logging T T-Mobile, 3 T1 transmission, 96–102 T1 trunks, 65 TCAP (Translation Capabilities Applications Part), SS7, 108, 109 TCP Wrappers, 289 TDM. See Time-Division Multiplexing (TDM) Telephone User Part (TUP), SS7, 107, 109 Telnet, 298–299 Temporal Kewy Integrity Protocol (TKIP), 314 TFTP (Trivial File Transfer Protocol), 212–215 three-way calling, 48 tie lines, 64 372_PRAC_VoIP_Index.qxd 3/2/06 1:13 PM Page 561 562 Index Time-Division Multiplexing (TDM), 96–98 time-of-day routing, 39 time synchronization, 297 TKIP (Temporal Kewy Integrity Protocol), 314 TLD (top-level domain servers), 208 TLS (Transport Layer Security) protocol defined, 10, 417 and EAP, 321, 322 as IETF encryption solution, 417–420 and MCLS, 200 overview, 164, 319, 417 and PKI, 417–420 and SIP, 164, 165 token systems, 280 toll fraud, 103–104, 255 top-level domain servers (TLD), 208 Touch Tones, 104 traffic shaping, 380–382 Translation Capabilities Applications Part (TCAP), SS7, 108, 109 Transport layer, OSI, 151 Transport Layer Security. 
See TLS (Transport Layer Security) protocol Traversal Using Relay NAT (TURN) protocol, 10, 402 Tripwire software, 289–293 Trivial File Transfer Protocol (TFTP), 212–215 trunks, PBX, 64–65 TTLS (Tunneled Transport Layer Security). See EAP-TTLS authentication type TUP (Telephone User Part), SS7, 107, 109 TURN (Traversal Using Relay NAT) protocol, 10, 402 U UDP (User Datagram Protocol) and denial-of-service attacks, 163–164 and SIP, 162–163 vs.TCP, 162–163 unattended transfers, 46 uninterruptible power supply (UPS), 84–85 UNIX, 4 UPS. See uninterruptible power supply (UPS) URIs (Universal Resource Identifiers), 148, 154 U.S. Federal Communications Commission (FCC), 471–477 user agents defined, 155 as endpoints, 76–79 and location service, 157 overview, 155 and peer-to-peer architecture, 159, 171–172 and SIP architecture, 168–172 and SIP servers, 155–157 and stateful mode, 157 User Datagram Protocol (UDP) and denial-of-service attacks, 163–164 and SIP, 162–163 vs.TCP, 162–163 user identity. See authentication V video cameras, closed circuit, 279–280 virtual private networks (VPNs), 64, 390–403 VLANs overview, 375–378 sample VoIP security policy, 301 security issues, 378 separation, 530 and softphones, 379–380 Voice Firewalls, 71 voice gateways. See gateways voice mail, 49, 69–70 VoIP 911 issues, 54–55 architectural overview, 72–86 benefits, 7–8 and business telephony equipment, 60 372_PRAC_VoIP_Index.qxd 3/2/06 1:13 PM Page 562 Index 563 combined functionality, 53 cost issues, 52–53 functionality degraded, 54–55 functionality enhanced, 55 functionality gained, 52–53 how it works, 10–12 vs. IP telephony, 10–12 list of data and service threats, 15–16 list of vulnerabilities, 240 mobility issues, 53 new security paradigm for, 16–17 power issues, 83–85 vs. 
private telephone networks, 51–52 protocol issues, 5 protocol overview, 8–10 QoS issues, 54 recent improvements, 6–7 rich-media conferencing issues, 53 role in PBX history, 25–26 sample security policy, 300–302 and Sarbanes-Oxley, 434–441 security issues, 13–16, 55 service disruption, 240–248 threat taxonomy, 15–16, 248 threats, 240–257 wiring and scalability issues, 53 VOIPong, 14 VoWLAN (Voice over Wireless LAN), 314 VPNs (virtual private networks), 64, 390–403 vulnerability tests assessment, 363–364 defined, 361 discovery, 362–363 exploitation, 364 methods, 362–366 overview, 360–362 reporting results, 364–366 scanning, 363–364 W Wavelength Division Multiplexing (WDM), 98–99 WDM. See Wavelength Division Multiplexing (WDM) WEP. See Wired Equivalent Privacy (WEP) Wi-Fi Protected Access (WPA) key features, 314, 315 overview, 81–82 vs. WEP, 81–82, 314 Windows platform eliminating unnesessary services, 283 logging, 284 permission tightening, 284–285 wire closets, 281 Wired Equivalent Privacy (WEP) key features, 314, 315 overview, 80–81 security issues, 314 vs. WPA, 81–82, 314 wireless infrastructure authentication, 82–83 encryption, 80–82 IEEE 802.1 standard, 82–83 overview, 80–83 Wi-Fi Protected Access, 81–82 Wired Equivalent Privacy, 80–81 wireless PBX, 71 wireless VoIP clients, 79 WMM (Wi-Fi Multimedia), 314 WPA. See Wi-Fi Protected Access (WPA) WPA2 (IEEE 802.11i), 313, 314, 315 X X.509 PRIX, 416 XBox, 462 Y Yahoo Messenger. See instant messaging (IM) Z zone transfers, 211–212 372_PRAC_VoIP_Index.qxd 3/2/06 1:13 PM Page 563 Securing IM and P2P Applications for the Enterprise Paul Piccard, Marcus H. Sachs As an IT Professional, you know that the majority of the workstations on your net- work now contain IM and P2P applications that you did not select, test, install, or configure. 
As a result, malicious hackers, as well as virus and worm writers are targeting these inadequately secured applications for attack This book will teach you how to take back control of your workstations and reap the benefits provided by these applications while protecting your network from the inherent dangers. ISBN: 1-59749-017-2 Price: $49.95 US $69.95 CAN Cisco PIX Firewalls: Configure, Manage, & Troubleshoot Charles Riley, Umer Khan, Michael Sweeney Cisco PIX Firewall is the world's most used network firewall, protecting internal networks from unwanted intrusions and attacks. Virtual Private Networks (VPNs) are the means by which authorized users are allowed through PIX Firewalls. Network engineers and security specialists must constantly balance the need for air-tight security (Firewalls) with the need for on-demand access (VPNs). In this book, Umer Khan, author of the #1 best selling PIX Firewall book, provides a concise, to-the-point blueprint for fully integrating these two essential pieces of any enterprise network. It is fully current with the newest PIX Software Version 7 and is appropriate for the new CSPFA exam covering PIX Software Version 7. ISBN: 1-59749-004-0 Price: $49.95 U.S. $69.95 CAN Skype Me! From Single User to Small Enterprise and Beyond Michael Gough This first-ever book on Skype takes you from the basics of getting Skype up and running on all platforms, through advanced features included in SkypeIn, SkypeOut, and Skype for Business. The book teaches you everything from installing a headset to configuring a firewall to setting up Skype as telephone Base to developing your own customized applications using the Skype Application Programming Interface. ISBN: 1-59749-032-6 Price: $34.95 US $48.95 CAN AVAILABLE NOW order @ www.syngress.com AVAILABLE NOW order @ www.syngress.com AVAILABLE NOW order @ www.syngress.com Syn•gress (sin-gres): noun, sing. Freedom from risk or danger; safety. See security. 
Syngress: The Definition of a Serious Security Library 372_PRAC_VoIP_Index.qxd 3/2/06 1:13 PM Page 564
