Slides from a webinar offered by Acme Packet and The SIP School on securing unified communications borders with Acme Packet. To watch the recorded webinar or download the slides, visit: http://tiny.cc/securingUC
2. The SIP School
• Founded in April 2000
• 5500+ Students
• Provide the industry-recognised SSCA® SIP Certification program, endorsed by the TIA + more.
• eLearning in modular format
• Unique as content evolves as SIP evolves
• Connected with Acme Packet to provide SIP foundation training
• http://www.thesipschool.com / Discount codes later.
• Now let's start by looking at the challenges in securing unified communications.
3. The Unified Communications security challenge
Adopt enterprise-wide IP communications to improve collaboration and productivity...
... all without increasing your risk profile
4. Unified Communications services are a prominent target
October 2010 - SIPVicious port 5060 scans lead to €11 million loss
March 2011 - Romania - Former employee held - Forged VoIP PINs created
May 2011 - Hudson County, New Jersey Man Pleads Guilty to $4.4 Million VoIP Fraud Scheme
November 2011 - Philippine phone phreakers arrested after defrauding AT&T out of $2 Million to fund terrorists
5. UC services are an easy target
• IP networks are inherently insecure
  – Developed without security in mind
• Organizations rely on IP networks to conduct business
  – Multimodal communications difficult to control
• Confidential information freely exchanged by users that don't understand how it is transmitted
6. Cybercrime is organized
• Knowledge, tools and techniques are shared openly
• May have goals motivated by politics or profit
• Commoditized sale of both the tools and results of the trade
  – Computing time on a botnet
  – "Fake" calling cards
  – Long distance calling with disposable phones
  – Number hijacking
  – Toll / international bypass
8. How are UC services established?
Items in red might reveal sensitive information
SIP signaling:
INVITE sip:15559191212@serviceprovider.com SIP/2.0
Via: SIP/2.0/UDP 10.1.3.3:5060;branch=z9hG4bKb27061747269636b
From: "JConnor" <sip:15554141337@10.1.3.3:5060>;tag=18de4db33f
To: "15559191212" <sip:15559191212@serviceprovider.com>
Call-ID: 19424e0d9187654209ed34db33f
CSeq: 1 INVITE
Max-Forwards: 70
User-Agent: BigTelcoVendor/R16.4.1.1 SIP
Supported: 100rel,timer,replaces,join,histinfo
Allow: INVITE,CANCEL,BYE,ACK,NOTIFY,REFER,OPTIONS,INFO,PUBLISH
Contact: "JConnor" <sip:15554141337@10.1.3.3:5060;transport=udp>
Content-Type: application/sdp
Content-Length: 165

SDP media description:
v=0
o=- 1 1 IN IP4 10.1.3.3
s=-
c=IN IP4 10.1.3.3
b=AS:64
t=0 0
m=audio 19001 RTP/AVP 0 127
a=rtpmap:0 PCMU/8000
a=rtpmap:127 telephone-event/8000
9. How are your services targeted?
The OSI Model Layers:
Application – Voice or video devices, chat, session recording, web-integrated real-time communications applications
Presentation – CODECs (DSP)
Session delivery targets (the middle layers):
Session – SIP, H323, MGCP, H248, TLS (signaling); RTP, RTCP (media)
Transport – TCP, UDP, SCTP
Network – IPv4, IPv6, NAT, IPsec
Data Link – Data link technology that supports the transport of IP
Physical – Physical technology that supports the transport of data link frames
Exploits focused at the middle layers of the OSI model tend to get around traditional security implementations since the whole point is to allow services
10. The penetration campaign
Reconnaissance – Information gathering
Enumeration – Port scanning, OS fingerprinting, Service detection
Attack – Gaining access, Maintaining access, Covering tracks
• Initial phases of an organized attack can easily go undetected
• Stopping or making the early phases of an attack difficult can avoid service outage or fraud
11. What are the threats?
Threat / Potential result
- Reconnaissance scan: Preparation for targeted denial of service, fraud, or theft of service
- Session overloads: Denial of service
- Protocol fuzzing: Denial of service
- SPAM over Internet Telephony (SPIT): Targeted denial of service, fraud, breach of privacy
- Call Interception or Session Hijacking: Targeted denial of service, breach of privacy, fraud, theft
- Eavesdropping: Breach of privacy, fraud, theft
- Media injection: Denial of service, fraud, theft
12. Which threats are seen the most?
Overload
[Diagram: attackers on the Internet and internal attackers generate DoS/DDoS traffic, and unintentional overload arrives from the SIP provider or the internal network; the results are resource consumption and availability disruption]
13. Which threats are seen the most?
Theft of services / fraud
[Diagram: attackers, external via the Internet or SIP provider or on the internal network, route calls to a premium rate center; the results are large phone bills and investigation costs]
14. Which threats are seen the most?
SPAM / SPIT
[Diagram: external attackers via the Internet or SIP provider, and an internal threat, send unsolicited calls; the results are nuisance and social engineering]
15. Not as much…
"Man in the middle"
Session-hijacking
Media injection
Eavesdropping
[Diagram: an attacker on the Internet or SIP provider side, or an internal threat with remote control of an endpoint]
16. A simple example using SIPVicious
I just went to your website and got the phone numbers for HR, Support, Investor Relations, etc., and they all seem to end with 1xxx…
Scan the IP range registered to your company as reported by ARIN
root@bt:/pentest/voip/sipvicious# ./svmap.py -p5060-5061 192.168.133.0/24
| SIP Device | User Agent | Fingerprint |
--------------------------------------------------------------------------------
| 192.168.133.128:5060 | Asterisk PBX | Asterisk / SJphone/1.60.289a (SJ Labs) |
Enumerate extensions …
root@bt:/pentest/voip/sipvicious# ./svwar.py -e1000-9999 192.168.133.128
------------------------------
| 1005 | reqauth |
| 1004 | reqauth |
| 1003 | reqauth |
| 1002 | noauth |
| 1001 | reqauth |
We got one extension without a password! It must be misconfigured.
Look for numeric passwords for another extension …
root@bt:/pentest/voip/sipvicious# ./svcrack.py -u1001 -r1000-999999 192.168.133.128
| Extension | Password |
------------------------
| 1001 | 1234 |
Now just register a couple of soft phones and make free calls!
17. BUT, wasn't analog TDM safer? NO!
We still saw:
• Eavesdropping
• Media injection
• Caller impersonation
• Toll fraud
• Physical attacks
18. How does Acme Packet secure Unified Communications services?
19. Net-Net E-SBCs control and secure network borders
[Diagram: the E-SBC sits on the border between the Service Provider and the Enterprise, in front of IP telephony, conferencing, CRM, tele-presence and contact center services]
Strong security
• Network border protection
• Privacy
Easy interoperability
• SIP interoperability
• Protocol interworking
Assured reliability
• Quality user experience
• Resilient services
20. Net-SAFE™
Session-Aware Filtering & Enforcement
• Hardware & Software DoS/DDoS prevention
• Hardware-accelerated encryption & authentication
• Dynamic and Static Access control lists
• Protocol enforcement and interoperability
• Topology hiding and NAT
• Session overload protection (upstream/downstream)
• Regulatory compliance / legal intercept to recorder
• Fraud prevention / endpoint trust management
• Routing, high availability and load balancing
[Diagram: HW DoS policy + ACLs → SW DoS policy → Routing / Session Management → Destination Availability; Endpoint Trust Management; Threshold Management; Discard]
21. Security: confidentiality, integrity, availability
Confidentiality – Ensure that information is not disclosed to unauthorized parties
22. Remove identifying data
Obscure the internal structure of your network and services so attackers don't know what or how to attack
• Back to Back User Agent (B2BUA) - terminates and re-originates all sessions so we can manipulate them
• Topology Hiding – modify or strip signaling message parts that might reveal your internal network or telephony topology
Before (as sent by the phone):
From: JConnor @ my desk
To: Customer
Via: My PBX
Route: PBX, SBC
Phone: Brand X Desk Phone, software version x.y.z.1
Send Audio: To my phone
Vendor Specific: Location
After (as forwarded by the SBC):
From: CorpUser @ SBC
To: Customer
Via: SBC
Route: SBC
Send Audio: To SBC
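Slide 8 shows the headers that expose the internal network and slide 22 the B2BUA fix. The following Python is an added example, not code from Acme Packet or from the webinar: it parses the INVITE from slide 8, lists the parts that expose RFC 1918 addresses or a software version, and re-originates the request the way a topology-hiding B2BUA would. The SBC addresses 203.0.113.10 and 203.0.113.11, the media port 20000, the "CorpUser" display name and the private-address heuristic are all assumptions made for the example.

```python
import re
import secrets

# Constructed sample: the INVITE from slide 8, with CRLF line endings as on the wire
SAMPLE_INVITE = (
    "INVITE sip:15559191212@serviceprovider.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.3.3:5060;branch=z9hG4bKb27061747269636b\r\n"
    'From: "JConnor" <sip:15554141337@10.1.3.3:5060>;tag=18de4db33f\r\n'
    'To: "15559191212" <sip:15559191212@serviceprovider.com>\r\n'
    "Call-ID: 19424e0d9187654209ed34db33f\r\n"
    "CSeq: 1 INVITE\r\n"
    "Max-Forwards: 70\r\n"
    "User-Agent: BigTelcoVendor/R16.4.1.1 SIP\r\n"
    "Supported: 100rel,timer,replaces,join,histinfo\r\n"
    "Allow: INVITE,CANCEL,BYE,ACK,NOTIFY,REFER,OPTIONS,INFO,PUBLISH\r\n"
    'Contact: "JConnor" <sip:15554141337@10.1.3.3:5060;transport=udp>\r\n'
    "Content-Type: application/sdp\r\n"
    "Content-Length: 165\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 10.1.3.3\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.3.3\r\n"
    "b=AS:64\r\n"
    "t=0 0\r\n"
    "m=audio 19001 RTP/AVP 0 127\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:127 telephone-event/8000\r\n"
)

# RFC 1918 address heuristic (assumed); a real SBC knows its own realms and need not guess
PRIVATE_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|"
    r"172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")
VERSION_HEADERS = ("user-agent", "server")                        # software banners
ADDRESS_HEADERS = ("via", "from", "contact", "route", "record-route")  # addresses / hop lists

def parse_sip(raw):
    """Split a request into (request line, ordered header list, body); Via may repeat."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def find_disclosures(raw):
    """Names of the message parts that reveal internal addresses or software versions."""
    _, headers, body = parse_sip(raw)
    found = []
    for name, value in headers:
        lname = name.lower()
        if lname in VERSION_HEADERS or (lname in ADDRESS_HEADERS and PRIVATE_RE.search(value)):
            found.append(name)
    for line in body.splitlines():
        if line.startswith(("o=", "c=")) and PRIVATE_RE.search(line):
            found.append(line[:2])
    return found

def hide_topology(raw, sbc_sig="203.0.113.10:5060", sbc_media="203.0.113.11",
                  sbc_media_port=20000, corporate_name="CorpUser"):
    """Re-originate the request as a B2BUA does: own Via, no hop list or vendor banner,
    the enterprise identity rewritten to the SBC, and media anchored on the SBC."""
    request_line, headers, body = parse_sip(raw)
    new_headers = [("Via", f"SIP/2.0/UDP {sbc_sig};branch=z9hG4bK{secrets.token_hex(8)}")]
    for name, value in headers:
        lname = name.lower()
        if lname in ("via", "route", "record-route", "content-length") or lname in VERSION_HEADERS:
            continue  # dropped; Via and Content-Length are regenerated by the SBC
        if lname in ("from", "contact"):
            value = re.sub(r"@[^;>]+", "@" + sbc_sig, value)  # host:port after '@' becomes the SBC
        if lname == "from":
            value = re.sub(r'^"[^"]*"', f'"{corporate_name}"', value)  # generic display name
        new_headers.append((name, value))
    new_body = []
    for line in body.splitlines():
        if line.startswith(("o=", "c=")):
            line = PRIVATE_RE.sub(sbc_media, line)
        elif line.startswith("m="):
            fields = line.split(" ")
            fields[1] = str(sbc_media_port)  # RTP now terminates on the SBC's media port
            line = " ".join(fields)
        new_body.append(line)
    body_out = "".join(l + "\r\n" for l in new_body)
    new_headers.append(("Content-Length", str(len(body_out.encode()))))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in new_headers])
    return head + "\r\n\r\n" + body_out

if __name__ == "__main__":
    print("discloses:", find_disclosures(SAMPLE_INVITE))
    print(hide_topology(SAMPLE_INVITE))
```

Running the module prints the findings and the rewritten request. A real SBC does more than this rewrite: it keeps a per-call mapping so responses and in-dialog requests can be translated back to the phone, and it actually relays the RTP it now advertises on its own address.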
23. Authorize and encrypt for privacy and control
Signaling or media traffic going across an untrusted network should be encrypted to avoid eavesdropping or hijacking, and assure message integrity
• Fast hardware-accelerated encryption
• Encryption specified on boundary by boundary basis
• Can ensure non-repudiation
[Diagram: an enterprise private network with campus and branch sites connected across the Internet; a legitimate session runs as a TLS-encrypted session past an attacker sniffing the traffic]
24. Security: confidentiality, integrity, availability
Integrity – Data and systems are not modified or used maliciously or accidentally
25. Assure message integrity
Verify the integrity of signaling and media that enters your network to prevent service disruption
• Attacks are dropped at the network processor and won't impact the CPU or memory
• Signaling is decomposed and analyzed for validity against RFC requirements
[Diagram: E-SBC architecture – Network Interface; Network Processor (Traffic Manager, Classifier, Signaling, Encryption, Media); Host Based Software (UAS/UAC, Session Control Function, Routing, Protocol Manipulation, Policing Engine, Parser, Media Control Function); Embedded Software]
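An added example, not the product's parser, of the "decomposed and analyzed for validity against RFC requirements" step: a validator that checks a request's structure against RFC 3261 before the message is allowed any further, returning the reason a message would be discarded so it can be logged or counted. The header-length limit, the particular set of checks and the fuzzed samples are assumptions constructed for this example; the well-formed INVITE is derived from slide 8.

```python
import re

# Header fields RFC 3261 section 8.1.1 requires in every request
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")
SINGLE_VALUED = ("from", "to", "call-id", "cseq", "max-forwards")
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "PRACK",
                 "SUBSCRIBE", "NOTIFY", "PUBLISH", "INFO", "REFER", "MESSAGE", "UPDATE"}
MAX_HEADER_LEN = 1024   # local policy limit (assumed), not an RFC value
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
VIA_SYNTAX = re.compile(r"^SIP/2\.0/(?:UDP|TCP|TLS|SCTP) [^\s;]+(?:;[^;\s]+)*$")

def validate_request(raw):
    """Return (accept, reason). A rejected message is discarded before it reaches
    call processing; the reason is what you would log or count per source."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return False, "no header/body separator"
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    method = m.group(1)
    if method not in KNOWN_METHODS:
        return False, f"unknown method {method}"
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_HEADER_LEN:
            return False, "oversized header"
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return False, "malformed header line"
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    for h in MANDATORY:
        if h not in headers:
            return False, f"missing mandatory header {h}"
    for h in SINGLE_VALUED:
        if len(headers[h]) != 1:
            return False, f"duplicate {h}"
    cseq = headers["cseq"][0].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or int(cseq[0]) >= 2**31 or cseq[1] != method:
        return False, "bad CSeq"
    mf = headers["max-forwards"][0]
    if not mf.isdigit() or int(mf) > 255:
        return False, "bad Max-Forwards"
    if int(mf) == 0:
        return False, "Max-Forwards exhausted"
    via = headers["via"][0]
    if not VIA_SYNTAX.match(via) or "branch=z9hG4bK" not in via:
        return False, "bad Via"
    if "content-length" in headers:
        cl = headers["content-length"][0]
        if not cl.isdigit() or int(cl) != len(body.encode()):
            return False, "Content-Length does not match body"
    if body and "content-type" not in headers:
        return False, "body without Content-Type"
    return True, "ok"

# Constructed samples: one well-formed INVITE and mutations of the kind a fuzzer sends
BASE_HEADERS = [
    "Via: SIP/2.0/UDP 10.1.3.3:5060;branch=z9hG4bKb27061747269636b",
    'From: "JConnor" <sip:15554141337@10.1.3.3:5060>;tag=18de4db33f',
    "To: <sip:15559191212@serviceprovider.com>",
    "Call-ID: 19424e0d9187654209ed34db33f",
    "CSeq: 1 INVITE",
    "Max-Forwards: 70",
    "Content-Type: application/sdp",
]
BODY = "v=0\r\no=- 1 1 IN IP4 10.1.3.3\r\nc=IN IP4 10.1.3.3\r\n"

def build(headers, body=BODY, content_length=None):
    cl = len(body.encode()) if content_length is None else content_length
    lines = ["INVITE sip:15559191212@serviceprovider.com SIP/2.0", *headers, f"Content-Length: {cl}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body

def swap(headers, prefix, replacement):
    """Copy of headers without the line starting with prefix, plus the replacement if given."""
    out = [h for h in headers if not h.startswith(prefix)]
    if replacement is not None:
        out.append(replacement)
    return out

SAMPLES = {
    "good": build(BASE_HEADERS),
    "missing_call_id": build(swap(BASE_HEADERS, "Call-ID:", None)),
    "cseq_method_mismatch": build(swap(BASE_HEADERS, "CSeq:", "CSeq: 1 BYE")),
    "content_length_lie": build(BASE_HEADERS, content_length=65535),
    "max_forwards_overflow": build(swap(BASE_HEADERS, "Max-Forwards:", "Max-Forwards: 99999999999")),
    "oversized_header": build(BASE_HEADERS + ["Subject: " + "A" * 4000]),
    "via_without_branch": build(swap(BASE_HEADERS, "Via:", "Via: SIP/2.0/UDP 10.1.3.3:5060")),
}

def run_samples():
    return {name: validate_request(msg) for name, msg in SAMPLES.items()}
```

The checks are deliberately cheap and stateless, which is what lets a network processor apply them before any memory is committed to the call; the per-source counting of rejection reasons is what feeds the trust levels and thresholds on the later slides.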
26. Prevent fraudulent calls
Monitor violations of call thresholds to spot misbehaving hosts, and analyze call detail records to detect fraud patterns
• Routing rules can refuse traffic to premium or fraudulent rate centers
• SNMP traps to management station indicate potential abuse
• Call Detail Record (CDR) feeds can be sent "off box" for analysis including metrics for call quality
[Diagram: attacker, SBC and management station]
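An added example of the routing-refusal and CDR-analysis bullets, constructed for this page rather than taken from Acme Packet's CDR format or rules: a routing rule that refuses a constructed premium-rate prefix, and a pass over a constructed CDR feed that flags an extension making more international calls in an hour than a threshold allows, international calls outside business hours, and attempts to premium-rate destinations. The prefixes, hours, thresholds and CDR columns are all assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed CDR feed (not a vendor format): start time, calling extension,
# dialed digits, duration in seconds, disposition
CDR_FEED = """start,ext,dialed,duration_s,disposition
2011-11-05T02:01:10,1001,0114401234567890,412,ANSWERED
2011-11-05T02:03:30,1001,0114401234567891,398,ANSWERED
2011-11-05T02:05:50,1001,0114401234567892,405,ANSWERED
2011-11-05T02:08:00,1001,0114401234567893,410,ANSWERED
2011-11-05T09:15:00,1004,15551234567,120,ANSWERED
2011-11-05T10:02:00,1005,19005551212,0,REFUSED
2011-11-05T14:20:00,1003,15559876543,300,ANSWERED
"""

REFUSED_PREFIXES = ("1900",)   # constructed: premium rate center prefixes the routing policy refuses
INTERNATIONAL_PREFIX = "011"   # constructed: North American international dialing prefix
BUSINESS_HOURS = (7, 19)       # assumed: hours during which international calls are expected

def routing_decision(dialed):
    """Routing rule: refuse calls to premium or fraudulent rate centers; everything else routes."""
    return "refuse" if dialed.startswith(REFUSED_PREFIXES) else "route"

def analyze_cdrs(feed, max_international_per_hour=3):
    """Return (ext, pattern, detail) alerts; rate patterns are raised once per extension and hour."""
    alerts = []
    intl_per_ext_hour = defaultdict(int)
    raised = set()
    for row in csv.DictReader(io.StringIO(feed)):
        ts = datetime.fromisoformat(row["start"])
        ext, dialed = row["ext"], row["dialed"]
        hour_key = (ext, ts.strftime("%Y-%m-%dT%H"))
        if routing_decision(dialed) == "refuse":
            # the call never completed, but the attempt itself is a fraud indicator
            alerts.append((ext, "premium-rate destination", dialed))
        if dialed.startswith(INTERNATIONAL_PREFIX):
            intl_per_ext_hour[hour_key] += 1
            off_hours = not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
            if off_hours and (hour_key, "off-hours") not in raised:
                raised.add((hour_key, "off-hours"))
                alerts.append((ext, "international call outside business hours", hour_key[1]))
            if intl_per_ext_hour[hour_key] == max_international_per_hour + 1:
                alerts.append((ext, "international call threshold exceeded", hour_key[1]))
    return alerts

if __name__ == "__main__":
    for alert in analyze_cdrs(CDR_FEED):
        print(alert)
```

The feed is processed in order, so the same logic runs unchanged over a live CDR stream; in a deployment each alert would be the trigger for the SNMP trap the slide mentions.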
27. Security: confidentiality, integrity, availability
Availability – Reliability and accessibility of data and resources to authorized individuals in a timely manner
28. Denial of Service (DoS) protection
Assume hosts are untrusted until they verify their identity through authentication and/or other actions. Establish thresholds to protect against compromised or unintentionally misbehaving hosts
• Initial trust level and message thresholds enforced
• Depending on their actions, hosts will be promoted to trusted status or demoted to untrusted or denied status
• Queues based on trust level make sure services are available even while under DoS attack
[Diagram: Dynamic Trust Levels – Trusted, Untrusted, Deny]
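An added simulation of the dynamic trust levels described on this slide, not Acme Packet's implementation; the thresholds, the window, the deny period and the two hosts are constructed. Every host starts untrusted with a small message budget, is promoted when it authenticates, is demoted to untrusted or denied when it exceeds its budget, and admitted messages are queued by trust level so the trusted queue is drained first during a flood.

```python
from collections import defaultdict, deque

TRUSTED, UNTRUSTED, DENIED = "trusted", "untrusted", "denied"

class TrustManager:
    """Per-host trust level with a message-rate threshold per level (assumed numbers)."""
    def __init__(self, untrusted_limit=5, trusted_limit=50, window=1.0, deny_period=60.0):
        self.limits = {UNTRUSTED: untrusted_limit, TRUSTED: trusted_limit}
        self.window = window            # seconds over which messages are counted
        self.deny_period = deny_period  # seconds a denied host stays blocked
        self.level = defaultdict(lambda: UNTRUSTED)   # every new host starts untrusted
        self.recent = defaultdict(deque)              # recent message timestamps per host
        self.deny_until = {}

    def admit(self, host, now):
        """Classify one message: the queue it goes to (its trust level) or 'discard'."""
        if self.level[host] == DENIED:
            if now < self.deny_until[host]:
                return "discard"
            self.level[host] = UNTRUSTED      # deny period over: start again as untrusted
        q = self.recent[host]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        lvl = self.level[host]
        if len(q) > self.limits[lvl]:
            self.demote(host, now)
            return "discard"
        return lvl

    def demote(self, host, now):
        """Trusted hosts drop to untrusted; untrusted hosts are denied for deny_period."""
        if self.level[host] == TRUSTED:
            self.level[host] = UNTRUSTED
        else:
            self.level[host] = DENIED
            self.deny_until[host] = now + self.deny_period
        self.recent[host].clear()

    def promote(self, host):
        """Called once the host proves itself, e.g. a REGISTER that passed digest authentication."""
        if self.level[host] != DENIED:
            self.level[host] = TRUSTED

def drain(queues, capacity):
    """Serve the trusted queue first so legitimate traffic survives a flood from untrusted hosts."""
    served = []
    for lvl in (TRUSTED, UNTRUSTED):
        while capacity > 0 and queues[lvl]:
            served.append(queues[lvl].popleft())
            capacity -= 1
    return served

def run_scenario():
    """Constructed traffic: a phone that registers, and a host that floods OPTIONS requests."""
    phone, scanner = "10.1.3.3", "198.51.100.7"
    events = [(0.1 * i, phone, "INVITE") for i in range(3)]
    events.append((0.4, phone, "AUTH_OK"))
    events += [(0.5 + 0.01 * i, scanner, "OPTIONS") for i in range(20)]
    events += [(1.6 + 0.01 * i, phone, "INVITE") for i in range(30)]
    tm = TrustManager()
    queues = {TRUSTED: deque(), UNTRUSTED: deque()}
    discarded = 0
    for t, host, kind in sorted(events, key=lambda e: e[0]):
        if kind == "AUTH_OK":
            tm.promote(host)
            continue
        target = tm.admit(host, t)
        if target == "discard":
            discarded += 1
        else:
            queues[target].append(host)
    queued = {lvl: len(q) for lvl, q in queues.items()}
    first_served = drain(queues, 10)   # processing capacity for one scheduling round
    return {"levels": dict(tm.level), "discarded": discarded,
            "queued": queued, "first_served": first_served}

if __name__ == "__main__":
    print(run_scenario())
```

In the scenario the scanner is denied at its sixth message inside one second and the rest of its flood is dropped without touching a queue, while the phone's 30 messages after it authenticated sit in the trusted queue and are the first ones served.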
29. Manage service capacities
Understand the capacities of your services and limit access so they do not become overwhelmed
• Thresholds per session agent
  – Sessions
  – Burst rate
  – Sustained rate
  – Status
• Variable load balancing
Example: three session agents receiving 50% / 30% / 20% of the load
50%: Sessions = 500, Burst-rate = 10 cps, Sustained = 8 cps
30%: Sessions = 300, Burst-rate = 5 cps, Sustained = 4 cps
20%: Sessions = 200, Burst-rate = 4 cps, Sustained = 3 cps
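An added example using the three session agents and figures on the slide (not Acme Packet configuration): each agent enforces a session cap, a burst rate and a sustained rate, reports a status, and a weighted balancer spreads calls 50/30/20 across the agents that are still in service. The 1 s burst window, the 10 s sustained window, the agent names and the weighted-selection rule are assumptions.

```python
from collections import deque

class SessionAgent:
    """One next hop (trunk, PBX or gateway) with the thresholds from the slide."""
    def __init__(self, name, max_sessions, burst_cps, sustained_cps, weight,
                 burst_window=1.0, sustained_window=10.0):
        self.name, self.weight = name, weight
        self.max_sessions = max_sessions
        self.burst_cps, self.sustained_cps = burst_cps, sustained_cps
        self.burst_window, self.sustained_window = burst_window, sustained_window  # assumed
        self.active = 0            # established sessions
        self.assigned = 0          # calls routed here so far (drives the weighted balancing)
        self.attempts = deque()    # timestamps of accepted attempts within sustained_window

    def status(self, now):
        while self.attempts and now - self.attempts[0] >= self.sustained_window:
            self.attempts.popleft()
        if self.active >= self.max_sessions:
            return "constrained:sessions"
        if sum(1 for t in self.attempts if now - t < self.burst_window) >= self.burst_cps:
            return "constrained:burst"
        if len(self.attempts) / self.sustained_window >= self.sustained_cps:
            return "constrained:sustained"
        return "in-service"

    def accept(self, now):
        self.attempts.append(now)
        self.active += 1
        self.assigned += 1

    def release(self):
        self.active = max(0, self.active - 1)

def make_agents():
    # Figures from slide 29; the weight is each agent's share of the load (50% / 30% / 20%)
    return [SessionAgent("agent-50", 500, 10, 8, 50),
            SessionAgent("agent-30", 300, 5, 4, 30),
            SessionAgent("agent-20", 200, 4, 3, 20)]

def route(agents, now):
    """Variable load balancing: among in-service agents pick the one furthest below its
    weighted share; None means every agent is constrained and the call is refused."""
    eligible = [a for a in agents if a.status(now) == "in-service"]
    if not eligible:
        return None
    chosen = min(eligible, key=lambda a: a.assigned / a.weight)
    chosen.accept(now)
    return chosen.name

def run_steady(calls=100, interval=0.1):
    """Constructed offered load of 10 cps for 10 s: every agent stays inside its limits."""
    agents = make_agents()
    outcome = {a.name: 0 for a in agents}
    outcome["refused"] = 0
    for i in range(calls):
        name = route(agents, i * interval)
        outcome[name if name else "refused"] += 1
    return outcome

def run_burst(calls=30):
    """Constructed burst: 30 calls in the same instant, so each agent stops at its burst rate."""
    agents = make_agents()
    outcome = {a.name: 0 for a in agents}
    outcome["refused"] = 0
    for _ in range(calls):
        name = route(agents, 0.0)
        outcome[name if name else "refused"] += 1
    return outcome

if __name__ == "__main__":
    print("steady:", run_steady())
    print("burst:", run_burst())
```

Under the steady load the split comes out exactly 50/30/20; in the burst the agents together admit 19 calls (10 + 5 + 4) and the remaining 11 are refused rather than being pushed onto an agent that is already over its burst rate, which is the overload protection the slide is describing.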
30. Make UC services resilient
Implement hardware and/or site redundancy to minimize the impact of physical attacks to building, power, network, etc.
High Availability
• No loss of active sessions
• Active / Standby failover in 40ms
• Checkpointing configuration, media & signaling state
• Preserves CDRs on failover
Multi-site failover
• Multiple SIP trunks improve network resiliency in disaster recovery scenarios
• SBC enables fast failover without operator intervention
32. Trust zones provide flexibility
Use the SBC to create a virtual firewall DMZ architecture to create multiple zones with different trust levels
[Diagram: the SBC internetworks SIP or H.323 signaling and media between zones – Internet (Low Trust), Partner (Medium Trust), Outsourcer (Medium Trust) and the Internal Core / Backbone (High Trust) – with routing between them]
33. Security for SIP trunking applications
Run data firewalls and Acme Packet SBCs in parallel to manage data and communications services in the optimal location
[Diagram: SIP / MPLS provider, Internet, or any untrusted network → DMZ containing a data firewall and an Acme Packet SBC HA pair in parallel → Data network or VLAN, and UC network or VLAN]
34. Security for remote worker access
Send remote users to the SBC instead of your VPN concentrator for message verification, throttling, and best performance without the need for a VPN client
• SIP message integrity verification
• SBC can cache client registration, responding to regular client keep-alives
• Confidentiality through signaling and media encryption
• Easier connectivity & traversal through local firewalls vs. VPN solutions - especially while travelling
[Diagram: teleworkers reach the data centers across the Internet either over TLS/SRTP to the SBC or over a VPN tunnel to the VPN concentrator]
36. "Why do I need a SBC when the service provider has one?"
• Integrity: The Service Provider SBC is there to protect themselves from you
• Availability: Routing to SIP gateways and service providers
• Interop / Confidentiality: SIP normalization and topology hiding
• Quality of Service: Call routing can be dynamically driven by call quality
[Diagram: the Service Provider's SBC facing Customer 1, 2, 3 …]
37. "What do I tell my security department?"
• 1,525 customers in 107 countries – the industry standard
• Processes calls through both general IP and UC specific attacks
• Acme Packet Net-Net SBC certified by the U.S. DISA JITC at Ft. Huachuca, AZ for information assurance and interoperability in DoD networks
• Can work in a firewall DMZ if best practices are followed
39. Don't forget to think holistically…
Physical security – locks, badges, lighting, emergency exits
Data security – 802.1x, LLDP, firewalls, ACLs, VLAN strategy, internal encryption, administrative interfaces, QoS marking and measurement
Host security – Anti-virus, control of third party apps and endpoints, patching and configuration of end devices, asset acquisition and disposal
Disaster recovery – redundant hardware, services, network
Compensating controls – CDR analysis to prevent or detect insider abuse, logging, video surveillance; internal scans or penetration testing
Internal controls – hiring policies and security reviews
Employee training programs – best practices guidelines and clear expectations; educate employees to recognize social engineering
40. Additional resources
Acme Packet services, training, sales, or partners
http://www.acmepacket.com/
The SIP School
http://www.thesipschool.com/
BackTrack Linux VoIP wiki pages
http://www.backtrack-linux.org/wiki/index.php/Pentesting_VOIP
Voice Over IP Security Alliance (VOIPSA)
http://voipsa.org
The SIP Forum
http://www.sipforum.org/
Your service provider
42. Thank you
• sales@acmepacket.com
• info@thesipschool.com
• The SIP School Discount Code = APDC2204
• Link to webinar recording will be e-mailed to all registered participants