A Survey of VoIP Security Practices in Higher Education
H. Morrow Long, Director, Information Security
Yale University
Educause 2007 Annual Conference Session
Wednesday, October 24, 2007 11:30 a.m. - 12:45 p.m.
Network Security Effective Practices - VoIP: SIP, H.323
Page 2
Introductions
Page 3
Overview
This presentation will discuss a survey and informal poll of the current campus network VoIP security practices and products in higher education on both wired and wireless networks.
Page 4
Agenda
Introduction
What is VoIP?
VoIP Threats
VoIP Security Checklists
VoIP Effective Practices in Higher Ed
Survey of VoIP Security in Academia
Discussion and Questions
Page 5
VoIP Security Goes Mainstream
In 2006, VoIP Security entered the SANS Top 20 for the first time:
http://www.sans.org/top20/#n1
N1 VoIP Servers and Phones
Page 6
VoIP Security Flaws Go Mainstream
2006 VoIP Security vulnerabilities:
Asterisk: CVE-2006-2898, CVE-2006-4345, CVE-2006-4346, CVE-2006-5444
Cisco Call Manager: CVE-2006-0368, CVE-2006-3594
VoIP Phones: CVE-2005-3717, CVE-2005-3722, CVE-2005-3723, CVE-2006-0305, CVE-2006-0374, CVE-2006-0834, CVE-2006-5038
Page 7
VoIP Security Flaws Go Mainstream
2007 VoIP Security vulnerabilities:
Asterisk: CVE-2007-1306
Cisco Call Manager / IOS / PIX OS: CVE-2007-0648, SA24180/cisco-sa-20070214-fwsm, SA24179/cisco-sa-20070214-pix
VoIP Phones: CVE-2007-1072, CVE-2007-1062, CVE-2007-1063
Page 8
What is VoIP?
Voice over IP
IP Telephony
Converged Data/Voice Networking
Unified Messaging
Page 9
What is VoIP?
2 Major Protocols: H.323, SIP / SIPS
Popular Internet VoIP (proprietary):
• Skype
• Vonage
Other: Zfone/ZRTP (Phil Zimmermann)
Internet Standards related to VoIP Security: IPSEC, SSL/TLS, SRTP (RFC 3711)
Page 10
H.323 and SIP
The 2 Major (Local and Enterprise) VoIP Protocols: H.323, SIP
Both protocols:
Are hard (but not impossible) to firewall
Were not designed for security…
Use separate signaling and media (content) channels
Use dynamic ports (the RTP media ports are negotiated per call inside the signaling)
Were not designed to be NAT “friendly” (they embed IP addresses inside signaling/control information, so a plain NAT leaves the far end sending media to an unreachable private address)
But: H.323 is more like the ISO/ITU X.-series protocols (binary ASN.1/PER encoding) and SIP is more like Internet FTP/SMTP/HTTP/NNTP (text-based).
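The NAT problem is concrete enough to show in code. The following is an added example, not from the presentation or any vendor's product: it parses a constructed SIP INVITE with an SDP body, lists every IPv4 literal the message embeds in the Via/Contact headers and in the SDP o=/c= lines, reports the ones in RFC 1918 space, and then performs the rewrite a SIP ALG or session border controller has to do when the message crosses a NAT, including recomputing Content-Length, which changes whenever the substituted address string has a different length. All addresses are hypothetical; 203.0.113.4 is an RFC 5737 documentation address standing in for the NAT's public side.

```python
"""Find and rewrite RFC 1918 addresses embedded in SIP signaling and SDP.

Added example for the NAT discussion; the INVITE below is constructed and
every address in it is hypothetical.
"""
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Headers in which SIP carries transport addresses of endpoints and proxies.
ADDRESS_HEADERS = ("via", "contact", "route", "record-route")

# Constructed INVITE from a phone behind a NAT (192.168.1.50).  The SDP c= line
# tells the far end where to send RTP; behind a NAT that address is unreachable.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.edu SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK77\r\n"
    "From: <sip:alice@example.edu>;tag=1\r\n"
    "To: <sip:bob@example.edu>\r\n"
    "Contact: <sip:alice@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 101\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.50\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def split_message(raw):
    """Header lines and SDP body lines (empty list when there is no body)."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n"), (body.split("\r\n") if body else [])


def header_name(line):
    return line.split(":", 1)[0].strip().lower()


def embedded_addresses(raw):
    """Every (location, IPv4) pair in address-bearing headers and in the SDP
    origin (o=) and connection (c=) lines, in message order."""
    head, body = split_message(raw)
    found = []
    for line in head[1:]:                      # skip the request line
        if header_name(line) in ADDRESS_HEADERS:
            found += [(header_name(line), ip) for ip in IPV4.findall(line)]
    for line in body:
        if line.startswith(("o=", "c=")):
            found += [("sdp " + line[:2], ip) for ip in IPV4.findall(line)]
    return found


def private_leaks(raw):
    """Addresses that become unreachable once the message crosses a NAT."""
    return [(loc, ip) for loc, ip in embedded_addresses(raw) if is_rfc1918(ip)]


def rewrite_for_nat(raw, public_ip):
    """What a SIP ALG / SBC must do: replace private addresses in the
    signaling headers *and* in the SDP body, then recompute Content-Length.
    Forgetting the body or the length is a classic ALG bug: media goes to
    the wrong place, or the far end truncates or over-reads the body."""
    def swap(match):
        return public_ip if is_rfc1918(match.group(1)) else match.group(1)

    head, body = split_message(raw)
    body = [IPV4.sub(swap, line) if line.startswith(("o=", "c=")) else line
            for line in body]
    body_text = "\r\n".join(body)
    new_head = []
    for line in head:
        if header_name(line) in ADDRESS_HEADERS:
            line = IPV4.sub(swap, line)
        elif header_name(line) == "content-length":
            line = "Content-Length: %d" % len(body_text.encode())
        new_head.append(line)
    return "\r\n".join(new_head) + "\r\n\r\n" + body_text


if __name__ == "__main__":
    for loc, ip in private_leaks(SAMPLE_INVITE):
        print("private address in %s: %s" % (loc, ip))
    print(rewrite_for_nat(SAMPLE_INVITE, "203.0.113.4"))
```

The port in the m= line (49170) is left alone here; a real ALG or SBC also has to allocate a public port for the media and keep a mapping for the lifetime of the call, which is exactly the per-call dynamic state that makes these protocols hard to firewall.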
Page 11
H.323
Older protocol than SIP, implemented earlier
ITU umbrella standard, built from other H-series standards (H.225 call signaling, H.245 media control)
First VoIP standard to use RTP
Interoperates with ISDN PBX systems
Used by several voice and videoconferencing systems
Built into NetMeeting; other commercial and open source programs available
GNU Gatekeeper: accounting/authorization/NAT traversal/H.323 proxy/H.235 security
Page 12
H.235 Security
H.235 provides security for H.323. Optionally, nine security profiles can be used to apply one or more of six security services (authentication, non-repudiation, integrity, confidentiality, access control, key management) to H.225, H.245 and RTP traffic.
Page 13
“Skinny” - Cisco H.323
“Skinny” is Cisco’s lightweight proprietary alternative to H.323 call signaling. SCCP is the acronym for Skinny Client Control Protocol. It is a lower-overhead control protocol between the client (IP phone) and Call Manager; the media still flows as RTP.
Page 14
SIP - Session Initiation Protocol
Overtaking H.323 on LANs; many clients.
Created 1996. SIP 2.0 defined in RFC 2543 (1999), refined in RFC 3261 (2002).
Lightweight, text-based protocol run on top of UDP or TCP (e.g. port 5060); modified P2P model.
Uses HTTP-style status codes and email-style addresses.
Interoperates with XMPP IM (Jabber).
STUN and the newer TURN enable SIP through NAT using public Internet servers.
Uses other protocols: SDP, RTP, MGCP, RTSP.
Can be stateful or stateless, client/server or P2P.
Page 15
SIP/RTP Architecture (protocol stack, top to bottom)
VoIP User-Agent
RTP (media) | SIP (signaling)
SRTP (protects RTP) | TLS (protects SIP)
UDP and TCP
IP
Data Link Layer
Credit: Practical VoIP Security, Syngress
Page 16
SIPS - Secure SIP
RFC 3261 (2002) defines Secure SIP (the sips: URI scheme): SIP messages are sent over a TLS (Transport Layer Security) encrypted channel, hop by hop between user agents and proxies. Fairly new; competes with IPSEC and VPNs for protecting signaling. Often referred to as SIP over TLS; used when IPSEC is overkill or SIP proxies must be used. TLS protects only the signaling; the RTP media still needs SRTP.
Page 17
SRTP
Adds message encryption, authentication, integrity and replay protection to RTP.
Sister to SRTCP (Secure RTP Control Protocol).
SRTP/SRTCP encryption, authentication and integrity are independent and can be disabled (“NULL” encryption); authentication should stay on, since without it the receiver cannot detect injected or modified packets.
Single cipher (AES), 2 modes (counter mode, AES-CM, and f8 mode).
External key management (ZRTP, MIKEY, SDES, …): SRTP itself does not exchange keys.
Credit: http://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol
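As an added example (not from the presentation), the following implements the receiver-side SRTP pieces the bullets above describe, using the NULL cipher so the payload stays readable: the RFC 3711 packet index estimate from the 16-bit sequence number and the rollover counter (ROC), the HMAC-SHA1 authentication tag truncated to 80 bits with the ROC included in the MAC input, and a replay window. The point where an AES-CM keystream would be applied is marked. The key and packets are constructed.

```python
"""SRTP index estimation, authentication tag and replay protection (RFC 3711),
shown with the NULL cipher.  Added example; key and packets are constructed.
"""
import hashlib
import hmac
import struct

AUTH_TAG_LEN = 10                      # 80-bit tag, the RFC 3711 default
RTP_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, SEQ, timestamp, SSRC


def packet_index(seq, s_l, roc):
    """RFC 3711 section 3.3.1: choose the ROC value v that places the 16-bit
    SEQ nearest the highest SEQ seen so far (s_l); return (index, v) with
    index = 2**16 * v + seq."""
    if s_l < 32768:
        v = (roc - 1) & 0xFFFFFFFF if seq - s_l > 32768 else roc
    else:
        v = (roc + 1) & 0xFFFFFFFF if s_l - 32768 > seq else roc
    return (v << 16) | seq, v


def auth_tag(auth_key, authenticated_portion, roc):
    """HMAC-SHA1 over header||payload||ROC, truncated.  The ROC is MACed even
    though it is never sent, so a packet replayed from an earlier ROC cycle
    fails authentication instead of being accepted as new."""
    mac = hmac.new(auth_key, authenticated_portion + struct.pack("!I", roc),
                   hashlib.sha1)
    return mac.digest()[:AUTH_TAG_LEN]


def protect(auth_key, seq, timestamp, ssrc, payload, roc, payload_type=0):
    """Sender side.  With the NULL cipher the payload goes out in clear; with
    AES-CM the keystream for this index would be XORed into `payload` here,
    before the tag is computed (encrypt-then-MAC)."""
    header = RTP_HEADER.pack(0x80, payload_type, seq, timestamp, ssrc)
    authenticated = header + payload
    return authenticated + auth_tag(auth_key, authenticated, roc)


class SrtpReceiver:
    """Receiver state for one SSRC: ROC, highest SEQ (s_l), replay window."""

    def __init__(self, auth_key, window=64):
        self.auth_key = auth_key
        self.window = window
        self.roc = 0
        self.s_l = None          # highest SEQ seen; None until the first packet
        self.highest = -1        # highest authenticated index
        self.seen = set()        # authenticated indices inside the window

    def unprotect(self, packet):
        """Return the payload, or raise ValueError for a replay or bad tag."""
        if len(packet) < RTP_HEADER.size + AUTH_TAG_LEN:
            raise ValueError("truncated packet")
        seq = struct.unpack("!H", packet[2:4])[0]
        if self.s_l is None:
            index, roc = seq, 0
        else:
            index, roc = packet_index(seq, self.s_l, self.roc)
        # Replay list first: a flood of duplicates then costs no HMAC work.
        if index <= self.highest - self.window:
            raise ValueError("replay: too old")
        if index in self.seen:
            raise ValueError("replay: duplicate")
        body, tag = packet[:-AUTH_TAG_LEN], packet[-AUTH_TAG_LEN:]
        if not hmac.compare_digest(tag, auth_tag(self.auth_key, body, roc)):
            raise ValueError("bad auth tag")
        # State is updated only after successful authentication, so a forged
        # packet can neither advance the ROC nor poison the replay window.
        self.seen.add(index)
        if index > self.highest:
            self.highest, self.s_l, self.roc = index, seq, roc
            self.seen = {i for i in self.seen if i > index - self.window}
        return body[RTP_HEADER.size:]   # NULL cipher: payload is the plaintext


def try_unprotect(receiver, packet):
    """("ok", payload) or ("rejected", reason)."""
    try:
        return "ok", receiver.unprotect(packet)
    except ValueError as err:
        return "rejected", str(err)


if __name__ == "__main__":
    key = b"constructed-auth-key"      # in practice from SDES, MIKEY or ZRTP
    rx = SrtpReceiver(key)
    # SEQ wraps 65535 -> 0, so the sender's ROC becomes 1 for the last two.
    for seq, roc, payload in [(65534, 0, b"A"), (65535, 0, b"B"),
                              (0, 1, b"C"), (1, 1, b"D")]:
        print(seq, try_unprotect(rx, protect(key, seq, 160 * seq, 0x1234, payload, roc)))
    print("replayed:", try_unprotect(rx, protect(key, 65535, 160 * 65535, 0x1234, b"B", 0)))
```

The replay window and the ROC are why SRTP state is per SSRC and why a receiver must not accept a packet it has not authenticated: without the tag (the “just authentication off” configuration) nothing here stops injection, and without the ROC in the MAC input an attacker could replay the whole first 65536 packets of a call after the sequence number wraps.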
Page 18
SRTP Interoperability
Hard IP phones: Avaya, Cisco, Ericsson (& TLS), Siemens, Linksys, Snom (& TLS)
Soft IP phones: Gizmo, Kphone, Snom360 (& TLS), minisip (& TLS)
Hard IP PBX: Alcatel and Ericsson
Soft IP PBX: Asterisk (SIP & H.323) and pbxnsip
SBC (Session Border Controller) / SIP firewall: Covergence (SIP & H.323), InGate (SIP-aware firewall)
Credit: http://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol
Page 19
Zfone/ZRTP
Created/driven by Phil Zimmermann; his second attempt, after PGPfone.
Designed to work with current SIP phone programs (via plug-ins). Zfone is the program.
ZRTP is an extension to RTP (Real-time Transport Protocol) providing secure real-time transport for sessions (SIP, H.323, etc.) already established. Keys are negotiated (Diffie-Hellman) in the media path and managed outside the standard signaling, so the signaling servers never hold them.
Protection against MitM (man-in-the-middle) attacks: the parties compare a short authentication string read aloud, and key continuity across calls detects an interloper who appears later.
Page 20
Skype
Peer-to-peer model
Supernodes route traffic for other calls
Can be blocked and bandwidth-managed
Outlawed at some institutions
Proprietary strong encryption
Non-CALEA compliance?
Page 21
More VoIP Terminology
“Presence” (R U there?)
Convergence (Data + Voice = Synergy)
Voice Messaging
Unified Messaging Systems
Page 22
More VoIP Acronyms
ACD: Automatic Call Distribution (call center)
IVR: Interactive Voice Response
ICE: Interactive Connectivity Establishment
RSVP: Resource Reservation Protocol
RTSP: Real Time Streaming Protocol
SDP: Session Description Protocol
STUN: Simple Traversal of UDP through NAT
TLS: Transport Layer Security (the successor to SSLv3)
TURN: Traversal Using Relay NAT
TTS: Text-to-speech server
Page 23
Non-Cyber Security-related VoIP Issues
911: where does 911 ring?
E-911: need to provide location information?
Emergency access during network or power outages:
• Use Power-over-Ethernet (PoE, IEEE 802.3af) cabling so phones draw power from UPS-backed switches rather than local wall outlets
• Provide at least the minimum number of land lines per number of rooms (e.g. as required by law)
Page 24
PBX System Components
PSTN
Endpoints (phones, faxes, modems)
Lines (e.g. station lines)
Trunks
Remote PBXes
Adjuncts (VM, ACD, IVR, …)
CDR (Call Detail Recording)
Voice/PBX Firewalls
Page 25
VoIP System Components
Media Gateways (e.g. to PSTN/PBXes)
Endpoints (User Agents): softphones, IM/video/VoIP clients, ATAs (Analog Telephone Adapters)
Media Servers (VM, ACD, IVR, TTS, VC)
H.323 Gatekeepers
SIP Registration and Redirect Servers
SIP Proxy Servers
Firewalls/ALGs
Page 26
VoIP Threats
VoIP networks have many of the same threats to security, privacy and reliability as data networks do, but they also bring in the problems of the telephone system and have some special threats all their own.
Converged networks can combine threats from the data and VoIP worlds, making the new network less secure (in the opinion of some).
Data network people are afraid VoIP infrastructure will weaken the security of their data network, and the voice/telecom people feel the same about data / IP networks.
Page 27
Other VoIP Architectures
Skype
IAX
H.248
Microsoft Live Communications Server 2005 (LCS): TLS between client and server, mutual TLS server-to-server
Page 28
VoIP vs. PSTN
Remember that “POTS” telephones have little security: ordinary phone conversations are not encrypted and can be tapped or eavesdropped. You can actually have better security using VoIP IF you use strong encryption (and a good implementation).
Page 29
VoIP Threats
DDoS / DoS attacks (e.g. ICMP flood (‘pings’) to a phone or Call Manager)
Unauthorized access
Toll fraud
Voicemail hacking
Eavesdropping (call and/or control)
Call hijacking
Application-level attacks
Credit: Juniper Networks
Page 30
IP Network Threats
Ethernet, IP and DNS address spoofing
ARP and DNS cache poisoning
Quantity-based packet flooding
Stack DoS attacks
VLAN “jumping”
QoS / prioritization attacks
Page 31
Organizing VoIP Threats
Standard IP network threats (to the CIA triad):
C - Confidentiality
I - Integrity
A - Availability
Page 32
Organizing VoIP Threats
Advanced IP network issues/challenges (triple A):
A - Authentication
A - Authorization
A - Accounting
Page 33
Application-Specific VoIP Threats
“Phone” spoofing: registering a SIP client with someone else's identifier (address-of-record) against a registrar that does not authenticate REGISTER requests. A successful attack causes the attacker's phone, registered under the same identifier, to ring (alongside or instead of the legitimate phone) when someone calls the legitimate owner of the number.
Credit: Jeremy George, Yale University
Page 34
Threat to Confidentiality
Programs exist to listen to SIP and other VoIP streams (and record them).
It is possible to capture packets on switched networks (by overflowing switch MAC/CAM tables, poisoning ARP caches, etc.).
Encryption should be used but has side effects on latency and on sound quality (packetization and compression chunking can lead to clipped, staccato speech).
Page 35
Application-Specific VoIP Threats
Caller-ID / ANI “spoofing” (faking the source number): trivial to do; don’t trust Caller-ID; OK to screen w/
Credit: Jeremy George, Yale University
Page 36
Threat to Integrity
It is possible to ‘hijack’ sessions.
It is possible to modify voice over IP streams.
Once again, use encryption (or at least cryptographic integrity checks) to prevent this.
Page 37
Application-Specific VoIP Threats
MitM “spoofing”: CALEA (lawful intercept) is a ‘legit’ application of this.
By contrast, DoS attacks are known immediately by the communicating parties, and call content is neither overheard nor compromised. Some proxies have logic in them that identifies a likely DoS attack and discards those packets (ask your vendor!).
Encryption is the best protection against MitM spoofing.
Credit: Jeremy George, Yale University
Page 38
Threats to Availability
Quality of Service (QoS) problems:
Latency: time for traffic to go from source to destination (one-way and round-trip). The usual budget is 150 ms one-way mouth-to-ear delay (ITU-T G.114); VoIP at 400 ms is at the outer limit of the tolerable range.
Jitter: variability in latency and out-of-order packet arrival times. A playout buffer can absorb it, at the cost of added latency.
Packet loss: results in gaps in communication.
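The jitter figure operators size a playout buffer against is the RFC 3550 interarrival jitter estimate, the same value every RTP receiver reports in its RTCP receiver reports. As an added example (not part of the presentation), the following computes it, together with sequence-number-based loss, from a constructed capture of G.711 packets (8 kHz clock, 20 ms packets of 160 samples, one packet lost).

```python
"""Interarrival jitter (RFC 3550 section 6.4.1 / A.8) and packet loss from RTP
arrival records.  Added example; the capture below is constructed."""

CLOCK_HZ = 8000   # G.711 RTP clock; 20 ms packets advance the timestamp by 160

# Constructed capture: (sequence number, RTP timestamp, arrival time in the
# same 8 kHz units).  Packets 3-5 arrive late by varying amounts and seq 6
# never arrives.
SAMPLE_CAPTURE = [
    (1, 160, 1000),
    (2, 320, 1160),
    (3, 480, 1400),
    (4, 640, 1500),
    (5, 800, 1800),
    (7, 1120, 1960),
    (8, 1280, 2120),
]


def interarrival_jitter(packets):
    """RFC 3550 A.8: D = (R_j - R_i) - (S_j - S_i) between consecutive packets,
    J += (|D| - J) / 16.  Returns the final estimate in timestamp units."""
    jitter = 0.0
    prev_transit = None
    for _seq, rtp_ts, arrival in packets:
        transit = arrival - rtp_ts          # constant on an ideal network
        if prev_transit is not None:
            d = abs(transit - prev_transit)
            jitter += (d - jitter) / 16     # exponential smoothing, gain 1/16
        prev_transit = transit
    return jitter


def packet_loss(packets):
    """(expected, received, lost) from the sequence-number span.  Real receivers
    track 16-bit wrap-around (RFC 3550 A.1); this short capture does not wrap."""
    seqs = [seq for seq, _, _ in packets]
    expected = max(seqs) - min(seqs) + 1
    return expected, len(seqs), expected - len(seqs)


def assess(packets, clock_hz=CLOCK_HZ):
    """Jitter in milliseconds and loss percentage: the two figures to hold
    against the playout buffer size and the codec's loss tolerance."""
    expected, _received, lost = packet_loss(packets)
    return {
        "jitter_ms": interarrival_jitter(packets) / clock_hz * 1000.0,
        "loss_pct": 100.0 * lost / expected,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CAPTURE))
```

A jitter estimate of about 3 ms on this capture is easily covered by a 20 ms playout buffer; the trade-off the slide describes is that every millisecond of buffer is added to the one-way latency budget, so a network that needs a 100 ms buffer has already spent most of the 150 ms.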
Page 39
Application-Specific VoIP Threats
Special DoS (Denial of Service) attacks:
High-volume flood of SIP INVITEs
High-volume flood of SIP REGISTER requests
Control packet / call data floods
Packet replay / injection / modification
Credit: Jeremy George, Yale University
Page 40
Application-Specific VoIP Threats
“Bid-down” attacks on SIPS: get SIPS devices to downgrade to ordinary, unencrypted SIP (an attacker who can interfere with the TLS connection relies on the device falling back to sip: over UDP/TCP rather than failing closed).
Credit: Jeremy George, Yale University
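The REGISTER hijack on page 33, the INVITE/REGISTER floods on page 39 and the SIPS bid-down on this page all surface in the same place: the requests a registrar or proxy receives. The following is an added example, not from the presentation or any vendor product: a small SIP request parser run over constructed traffic (hypothetical users and RFC 1918 addresses), with one check per threat: a REGISTER whose Contact is not the host provisioned for that address-of-record, per-source request counts against a threshold, and requests for a sips: target or from a TLS-only user that arrived over plain UDP/TCP. The transport is taken from what the proxy observed on the socket, not from the attacker-controlled Via header.

```python
"""Registrar-side checks for SIP registration hijack, request floods and SIPS
downgrade.  Added example; traffic, users and addresses are constructed."""
import re
from collections import Counter

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
AOR = re.compile(r"sips?:([^>;@]+@[^>;]+)")              # user@domain
HOST = re.compile(r"sips?:(?:[^@>:;]+@)?([^:;>]+)")       # host part of a URI


def parse_request(raw):
    """Request line plus a lower-cased header dict (bodies are ignored)."""
    head = raw.partition("\r\n\r\n")[0].split("\r\n")
    m = REQUEST_LINE.match(head[0])
    if not m:
        raise ValueError("not a SIP request: %r" % head[0])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "uri": m.group(2), "headers": headers}


def address_of_record(field):
    m = AOR.search(field)
    return m.group(1) if m else None


def contact_host(field):
    m = HOST.search(field)
    return m.group(1) if m else None


def _register(src, transport, scheme, user, host):
    return (src, transport,
            f"REGISTER {scheme}:example.edu SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} {src};branch=z9hG4bK-{src}\r\n"
            f"From: <{scheme}:{user}@example.edu>;tag=1\r\n"
            f"To: <{scheme}:{user}@example.edu>\r\n"
            f"Contact: <{scheme}:{user}@{host}>\r\n"
            f"Call-ID: reg-{src}\r\nCSeq: 1 REGISTER\r\n\r\n")


def _invite(src, transport, scheme, user, n):
    return (src, transport,
            f"INVITE {scheme}:bob@example.edu SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} {src};branch=z9hG4bK-{n}\r\n"
            f"From: <{scheme}:{user}@example.edu>;tag={n}\r\n"
            f"To: <{scheme}:bob@example.edu>\r\n"
            f"Call-ID: inv-{n}@{src}\r\nCSeq: 1 INVITE\r\n\r\n")


# Constructed traffic: (source IP, transport the proxy received it on, request).
SAMPLE_TRAFFIC = (
    [_register("10.1.1.20", "TLS", "sips", "alice", "10.1.1.20:5061"),  # legitimate
     _register("10.9.9.9", "UDP", "sip", "alice", "10.9.9.9:5060"),     # hijack + downgrade
     _invite("10.1.1.21", "TLS", "sips", "carol", 0)]                    # one normal call
    + [_invite("10.9.9.9", "UDP", "sip", "mallory", n) for n in range(1, 51)]  # flood
)


def registration_hijacks(traffic, provisioned):
    """REGISTERs binding an address-of-record to a host other than the one we
    provisioned for it (the 'phone spoofing' of page 33)."""
    alerts = []
    for src, _transport, raw in traffic:
        req = parse_request(raw)
        if req["method"] != "REGISTER":
            continue
        user = address_of_record(req["headers"].get("to", ""))
        host = contact_host(req["headers"].get("contact", ""))
        if user in provisioned and host != provisioned[user]:
            alerts.append((user, host, src))
    return alerts


def flood_sources(traffic, method, threshold):
    """Sources sending at least `threshold` requests of one method in the
    window the traffic covers (INVITE / REGISTER floods, page 39)."""
    counts = Counter(src for src, _t, raw in traffic
                     if parse_request(raw)["method"] == method)
    return {src: n for src, n in counts.items() if n >= threshold}


def downgrade_attempts(traffic, tls_only_users):
    """Requests that should have been SIPS but were not: a sips: Request-URI
    that arrived over UDP/TCP, or a TLS-only user registering or calling in
    the clear (the bid-down attack on page 40)."""
    alerts = []
    for src, transport, raw in traffic:
        req = parse_request(raw)
        user = address_of_record(req["headers"].get("from", ""))
        wants_tls = req["uri"].lower().startswith("sips:") or user in tls_only_users
        if wants_tls and transport != "TLS":
            alerts.append((user, req["method"], transport, src))
    return alerts


if __name__ == "__main__":
    print(registration_hijacks(SAMPLE_TRAFFIC, {"alice@example.edu": "10.1.1.20"}))
    print(flood_sources(SAMPLE_TRAFFIC, "INVITE", 20))
    print(downgrade_attempts(SAMPLE_TRAFFIC, {"alice@example.edu"}))
```

The hijack check is a detective control; the preventive one is the checklist item on a later page: authenticate every REGISTER (digest or TLS client certificate) so the registrar never accepts an unauthenticated binding in the first place. The downgrade check only works if the registrar's policy for TLS-only users is enforced as a reject, not a log line, since a phone that is allowed to fall back to UDP will.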
Page 41
Application-Specific VoIP Threats
Rogue SIP proxies: impersonate a proxy to a User-Agent (the UA then sends its registrations, credentials and calls through the attacker).
Credit: Practical VoIP Security, Syngress
Page 42
VoIP Security Checklist
Practical VoIP Security “high level short list”:
Create, publish and enforce security policies.
Practice rigorous physical security.
Verify user identities.
Actively monitor logs, firewalls & IDSes.
Logically segregate data & voice traffic.
Harden OSes.
Encrypt whenever and whatever you can.
Page 43
VoIP Security Checklist
Juniper Best Practices Security Measures:
1. Maintain Current Patch Levels
2. Install a Good Anti-Virus System and Update it Regularly
3. Apply State-of-the-Art Intrusion Detection and Prevention Systems
4. Install Application-Layer Gateways between Trusted and Untrusted Zones
5. Enforce SIP Security by means of Authentication, Authorization and IPSec
6. Establish Policy-Based Security Zones to Isolate VoIP Segments
7. Run VoIP Traffic on VPNs to Minimize Eavesdropping Risk on Critical Segments
8. Use VLANs to Prioritize and Protect Voice Traffic from Data Network Attacks
9. Apply Encryption Selectively
10. Protect Against UDP Flooding
11. Develop a Holistic Security Program
Page 44
Meta Group Checklist
IP Telephony-Specific Security Features: The Call Control Server
Harden/strip down OS.
Use secure OS.
Authenticate & authorize all user & device access to servers.
Require strong authentication for all configuration and software upgrades.
Should support application-level signaling message authentication.
Should support call setup info encryption.
Page 45
Meta Group Checklist
IP Telephony-Specific Security Features: The Voice Gateway
Require strong authentication for all configuration and software upgrades.
Provide DoS protection on the IP interface.
Should be configured to route calls only via the call control server.
Secure OS with anti-virus AND host-based IDS.
Should support call setup info and media (voice content) encryption.
Should support media (voice content) protocol authentication on a per-packet basis.
Page 46
Meta Group Checklist
IP Telephony-Specific Security Features: The IP Phone
Must authenticate itself to the call control server or a proxy server upon initial registration.
Must support strong authentication for any remote configuration and software upgrades.
Should support a configurable access control list to control any incoming traffic (e.g. H.323/SIP, RTP, HTTP, FTP, DHCP).
When supporting an additional Ethernet port for PC connectivity, should have this implemented via a switching function combined with VLAN functionality.
Should support encryption of both call setup info and media as needed. Using encryption can add an additional end-to-end delay on each media packet.
Page 47
VoIP Security Checklist
Detailed and specific list:
Use a separate VLAN with 802.1p/Q QoS with priority VLAN tagging for the VoIP network.
Use a private (RFC 1918) IP network for the VoIP LAN.
Use NAT and/or proxies to hide internal addresses.
Use a firewall (packet filtering or ALG) to protect & connect the VoIP network to the data IP network.
Use an IDS or IPS to examine the traffic allowed through the firewall (may be built into the firewall).
Use TLS to protect SIP and SRTP to protect RTP.
Use NAC, 802.1X & RADIUS authentication & a SIP-aware firewall.
Page 48
Listservs & Newsgroups
EDUCAUSE Security Discussion Listserv: http://www.educause.edu/SecurityDiscussionGroup/979
VOIPSA Best Practices Working Group: http://www.voipsa.org/Activities/bestpractices.php
VOIPSA Best Practices WG List: http://voipsa.org/mailman/listinfo/bestpractices_voipsa.org
NIST Publication Mailing list: http://csrc.nist.gov/compubs-mail.html
Page 49
VoIP Security Effective Practices in Higher Ed
One anonymous school:
Uses a separate VLAN, L2 switches and RFC 1918 IP addresses for the VoIP network.
Provides separate connections (and bandwidth) to each building with VoIP.
Softphones can participate from the regular campus LAN (aren’t required to use a 2nd NIC on the VoIP network).
Page 50
VoIP Security Effective Practices in Higher Ed
A 2nd anonymous school:
Has enterprise Polycom gateways (a bunch of them) that have priority in QoS on the routers.
Allows traffic inbound via ports on the above routers for this ‘legit’ traffic. Doesn’t restrict H.323.
Blocks SIP and Vonage because they don’t open the inbound ports.
Packet8 and other SIP applications which use STUN work fine (the client opens the NAT/firewall binding outbound first, so no inbound port has to be opened).
Skype is a problem (particularly Supernodes at times).
Page 51
Survey
http://www.surveymonkey.com/s.asp?u=822993567486
Page 52
VoIP Higher Ed Security Survey
[Bar chart: Official VoIP Technologies, percentage of respondents, y-axis 0%–35%. Categories: H.323-Cisco, H.323-Other, SIP-Cisco, SIP-Other, Vonage, Skype, zPhone, Other-Nortel]
Page 53
VoIP Higher Ed Security Survey
[Bar chart: Official VoIP Technologies, number of respondents, y-axis 0–4. Categories: H.323-Cisco, H.323-Other, SIP-Cisco, SIP-Other, Vonage, Skype, zPhone, Other-Nortel]
Page 54
VoIP Higher Ed Security Survey
[Bar chart: Do you use any VoIP Security techniques? Yes / No, y-axis 0–80]
Page 55
VoIP Higher Ed Security Survey
[Bar chart: What VoIP Vendor Products or Open Source Solutions do you use? y-axis 0%–60%. Categories: 3Com, Alcatel, Avaya, Cisco, Covergence, Ericsson, Mitel, NEC, Nortel, Shoretel, Siemens, Sphere, Quintum, VegaStream, Vertical, Vonage, PBXnSIP, Asterisk, GNU-Gatekeeper, zPhone, Other-Aastra]
Page 56
VoIP Higher Ed Security Survey
Which VoIP Security mechanisms do you use?
[Bar chart, y-axis 0%–100%; categories:]
Use SRTP for encryption
Use SRTP for authentication
IPSEC transport or VPN use required for VoIP phone use (for auth and encryption)
Lock VoIP phone info/config with password or PIN
Require network registration of VoIP phones
Require manual authorization of VoIP phones
Blocking of Internet access to unauthorized H.323
Blocking of Internet access to unauthorized SIP
Blocking of Internet access to Vonage
Blocking of Internet access to Skype
Prevent Skype users from becoming Supernodes
Denying internal VoIP access to unauthorized phones
Use of separate VoIP VLAN for segregation from data IP network
Page 57
VoIP Higher Ed Security Survey
Which VoIP Security mechanisms do you use?
[Bar chart, y-axis 0%–70%; categories:]
Use of separate VoIP subnet addresses for segregation from data IP network
Use of firewall (or IP packet filter such as router ACLs) between VoIP network and data IP network
Use of a special VoIP or SIP-aware firewall between VoIP network and data IP network
Use other forms of access control to block/filter IP traffic to VoIP servers
Use other forms of access control to block/filter IP traffic to VoIP hard phones
IP access to the enterprise VoIP servers is restricted and controlled (blocked or filtered)
Softphones are not allowed
Use other forms of access control to block/filter IP traffic to softphones
NAT all VoIP traffic outbound to the Internet
VoIP server management traffic is encrypted
VoIP server management traffic uses a separate LAN
VoIP servers are dedicated to telephony services
Provide separate dedicated bandwidth for VoIP traffic internally
Page 58
VoIP Higher Ed Security Survey
Which VoIP Security mechanisms do[n’t] you use?
Use H.235 for H.323 security profiles (for H.225, H.245 and RTP traffic).
Use SIPS (Secure SIP, RFC 3261, SIP over TLS).
Don't allow SRTP with null cipher (e.g. don't allow use of SRTP for just authentication).
Use ZRTP for key management.
Use MIKEY for key management/exchange.
Use SDES for key exchange.
Use SRTCP for authentication.
Use SRTCP for encryption.
IPSEC to secure MGC (Media Gateways/Controllers) communication.
Use of separate physical LAN(s) for VoIP for segregation from data IP network.
Page 59
VoIP Higher Ed Security Survey
Which VoIP Security mechanisms do[n’t] you use?
Use of IPS between VoIP network and data IP network.
Use of IDS between VoIP network and data IP network.
Use NAC (network access control) such as 802.1X and RADIUS to authenticate hard phones.
Softphones require the use of the separate VoIP network (physical LAN, VLAN, subnet address, etc.) from the data IP network.
Softphones are allowed with IPSEC transport mode.
Softphones are allowed with IPSEC VPNs.
Allow NAT traversal via STUN or TURN Internet proxies.
Provide separate dedicated bandwidth for VoIP traffic to the Internet.
Page 60
Survey
http://www.surveymonkey.com/s.asp?u=822993567486
Page 61
Wrap-Up
Question & Answer
Session Evaluation & Feedback
Page 62
Contact Info
H. Morrow Long
Security.yale.edu
Page 63
Credits:
Cisco, “Configuring SIP High Availability Applications”, http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/vvfax_c/callc_c/sip_c/sipha_c/hachap2.htm
Jeremy George, Yale University, “SIP.edu Cookbook - Security Considerations”, http://mit.edu/sip/sip.edu/security.shtml
Deb Shinder, 2006/12/1, “Make a SIP-based VoIP network more secure”, http://articles.techrepublic.com.com/5100-1035_11-6145231.html?part=rss&tag=feed&subj=tr
Deb Shinder, 2007/1/7, “Take a multi-layered approach to VoIP security”, http://articles.techrepublic.com.com/5100-1035_11-6145231.html?part=rss&tag=feed&subj=tr
Jose J. Valdes, Jr., Colorado State University, “Voice over Internet Protocol (VoIP) Security”, Net@Edu Conference, ICS – Wireless Group Meeting, Tempe, Arizona, February 6, 2005
Page 64
Credits:
Practical VoIP Security by Larry Chaffin, Jan Kanclirz, Jr., Thomas Porter, Choon Shim, Andy Zmolek, Syngress, March 2006
Wikipedia (pages on H.323, SIP, SRTP, ZRTP, Zfone, etc.)
Page 65
This has been a chalk outline™ production.