Security_in_VoIP_Implementations.pdf

T28GHY620110 UTW510200RQ1 M18HGDOI0912 18JD6200NS12 328MGDS20910 1406MGR27017 BE4ET2763JH7 D39HA83090K2 D39HA83090K2 328MGDS20910 1406MGR27017 BE4ET2763JH7 BE4ET2763JH7 M18HGDOI0912 18JD6200NS12 T28GHY620110 UTW510200RQ1

T28GHY620110 UTW510200RQ1 M18HGDOI0912 18JD6200NS12

M18HGDOI0912 18JD6200NS12 T28GHY620110 UTW510200RQ1BE4ET2763JH7 D39HA83090K2 328MGDS20910 1406MGR27017

328MGDS20910 1406MGR27017 BE4ET2763JH7 D39HA83090K2 D39HA83090K2 328MGDS20910 1406MGR27017 BE4ET2763JH7 BE4ET2763JH7 M18HGDOI0912 18JD6200NS12 T28GHY620110 UTW510200RQ1

















































T28GHY620110 UTW510200RQ1 M18HGDOI0912 18JD6200NS12 328MGDS20910 1406MGR27017 BE4ET2763JH7 D39HA83090K2 D39HA83090K2 328MGDS20910 1406MGR27017 BE4ET2763JH7 BE4ET2763JH7 M18HGDOI0912 18JD6200NS12 T28GHY620110 UTW510200RQ1




















































Security inVoice Over IP Implementations

Challenges and opportunities for Open Source solutions

Copyright © 2014 Elastix WWW.ELASTIX.ORG

The current availability of Voice over IP solutions (VoIP by its acronym), has allowed thousands of companies worldwide to adopt this technology. As the main tool in "unified communications" environments, it has allowed the integration of telephony with data processing systems and through that, to a universe of applications that have combined, extended, or created new functionality.

There are many existing standards that have allowed the generation of this convergence with a dramatic impact on the availability and cost reduction.

However, being VoIP a digital technology where the IP protocol is the foundation, it is not exempt from being exposed to the vulnerabilities found in network environments.

Nowadays, there is little awareness and documentation about existing and emerging security issues, which has a major contrast with the levels of economic loss to which a business is exposed in an implementation of this type.

For this reason, it is necessary to set up the right security for the selected platform and its environment, as usually there is not only a single point or vector of attack, and the VoIP platform is not the only software service in a company.

It is important to have a general overview, to acquire knowledge, and above all, to know about all the elements that interact with the platform. Not only the hardware and software elements, but also to know about people, network administrators, integrators, and specialists, as they are the ones who maintain and implement the safety rules at different levels.

This document provides an overall picture of the guidelines and considerations that should be taken into account in order to provide security in VoIP platforms.

By: Juan OlivaEditor: Paul EstrellaTranslation: Elvita Crespo








M18HGDOI0912 18JD6200NS12 T28GHY620110 UTW510200RQ1 D39HA83090K2 328MGDS20910 1406MGR27017 BE4ET2763JH7 BE4ET2763JH7 M18HGDOI0912 18JD6200NS12 T28GHY620110 UTW510200RQ1





































Current state of security in VoIP systems


Some threats are not very different from those that currently exist in a data network, such as SQL injection at the level of Web applications, DoS (denial of service) in services like RDP or http, and session theft, or password cracking1 in SSH and web systems.

A number of these services are part of a Voice over IP platform nowadays, so they just drag this kind of problems, or we could also say that they "increase the interest of an attacker." We are not just talking about getting access to a database or server, but the possibility of making a fair amount of phone calls that could translate into thousands of dollars.

However, if we refer exclusively to Voice over IP, we find that SIP is the signaling protocol that has been more widely accepted in the industry, and upon which we can point out some potential threats.

EavesdroppingIt is a technique used to capture calls. This is plainly more related to espionage, and it is a collateral status of an attack known as "Man-in-the-middle". If the attack is successful, it is possible to capture communications.

This is based on what is known as ARP table poisoning, which consists of sending fake ARP messages in order to associate the attacker's MAC address with the IP address of the attacked target, posing as, for example, a router or a PBX.

Once achieved, it is possible not only to capture conversations based on RTP protocol, but also any other information passing through services that are not encrypted.

Denial of Service (DoS) attacks in VoIPThey are usually scripts, whose objective is to generate packet flooding. From this perspective, there are two types existing for this attack:

One is the one that uses the so-called SIP methods. The most common is called INVITE FLOOD, which generates so many requests to the VoIP platform that the system eventually ends up serving the attacker only. This causes that valid users can no longer use the service, in addition to generating excessive system processing and memory usage.

The other one produces Internet bandwidth flood, better known as UDP FLOOD. This one also generates a lot of packages, but having the goal of consuming all the bandwidth contracted by the victim. It is particularly aimed at operators or companies that commercialize voice traffic.

These types of attacks are difficult to handle, since perimeter security devices such as Firewalls, UTMs (Unified Threat Management) or IPSs (Intrusion prevention system), cannot repel this attack with traditional blocking, on the contrary, it is necessary to use specialized equipment to divert them.

UDPPACKETS

Security in Voice Over IP Implementations

1 Process to attempt to guess user’s passwords.

SIP brute force Attack


It is the most common attack developed towards VoIP platforms. It is about guessing the passwords of the SIP entities created on the server. Once the credentials are stolen, it can authenticate against the VoIP server or platform to generate calls.

The ability to “guess” passwords is performed by tools that automate this process. One example is SIPVicious suite, which runs a process known as enumeration of entities, to later run the password cracking process by using dictionaries in plain text files. This kind of attack is very similar to the one performed against the SSH service.

VoIP Spam (SPIT - Spam over Internet Telephony)This is not a vulnerability itself, but rather privacy intrusions when receiving unsolicited calls trying to sell a product, as has been happening for many years now with email. This is one of the most common uses for call dialers.

Caller ID Spoo�ng It is the ability to modify the Caller ID to impersonate an individual or a company, such as a bank. In the past, implementing such attacks required a rather complex and expensive telephony infrastructure. Today it is no longer the case, since the vast majority of VoIP platforms will allow the overwriting of this phone field.

Security in proprietary solutionsProprietary solutions have a wide range of products for every need, which often represent trends in technology and services in the market and later become customer needs.

The reality is that many of these solutions are implemented as black boxes for the customer or certified integrator. This responds to a "solution control policy", since the less you can see inside, the less chance there is of finding vulnerabilities or security flaws.

However, in this market field, no one is free from having flaws, even the best safes can present problems. In proprietary Voice over IP platforms, you may find buffer overflow vulnerabilities (poor control of data copied on memory), remote command execution, and denial of service, these being faults more common than you can imagine.



UDPPACKETS

To "discover" these flaws simply take a look at sites like exploit-db - http://www.exploit-db.com - or Packet Storm - http://packetstormsecurity.com - and search for some of the most representative brands. Based on this, you cannot sell any as the safest solution.

An important topic to be mentioned is related to remediation or corrections, which are usually much more expensive. The simplest thing that could happen is that they are only addressed as a firmware version update, which may involve an investment at the license level. The other side of the coin is even more complex and includes a complete change of equipment. In this case, we may face the dilemma of either buying a box again or staying vulnerable.

Security in Open Source solutions – opportunities Open Source solutions are not free from security reports. The advantage is that on one hand, there are companies that are behind the development, and on the other hand, there are supporting developer communities.

Here it is important to mention that, unlike proprietary solutions, where 90% of the development, revision, and correction is performed in-house, the Open Source distributions have a significant number of people in different parts of the world, under different work environments, that add to the work of the main developer, allowing these solutions to be developed at a faster rate, which includes improvements and fixes.

Several open source solutions have benefited from this situation, and they have now evolved into benchmarks in certain sectors of software industry, and clear competitors in others. It is not surprising that over 90% of supercomputers in the world use Linux. Solutions such as Asterisk, Drupal, Firefox, Zimbra, Endian, Zentyal are a clear example that this business model works and that it is sustainable.

Another important topic regarding Open Source solutions is that they are under the scrutiny of independent developers, their community, and the general public, so that hidden software intended for data collection or any other purpose not related to the purpose promoted by the lead developer is detected.

Elastix as another tool of enterprise information systems

Elastix is an open source unified communications solution based on Linux and Asterisk, with features that go beyond a conventional PBX. The platform contains tools that provide unified messaging, virtual fax, corporate instant messaging system, among others.

A unified communications system as Elastix is not an isolated element in a company, but a part of its process flow in such a way that it establishes an ideal condition of convergence. A clear example is the development of systems for querying data from a telephone line which, combined with Text-to-Speech engines, automates and makes service processes more agile, thus optimizing resources.



UDPPACKETS

Another important example is the ability for a customer to make a phone call and be automatically served, only by clicking on the company website from a browser2. All these elements provide added value, not only to the company, but also to customers, who always expect an immediate response.

What does Elastix bring at the security level?Elastix, starting from version 2.0, includes a security module, which is an important tool that includes a complete Firewall manager to configure ports and services.

For many, the handling and management of firewall iptables at the core level in Linux based distributions can be a headache, mainly because the application provides many features. However, the addition of this option allows the administration of access ports in a friendlier and more concrete way, especially in scenarios where we need to filter by source (a web interface for example) or when we have to enable the SIP and RTP ports and deny everything else.

The module also allows to "audit", which shows all failed and allowed accesses to the management interface, which is useful to keep access track.

Another feature, called weak keys, takes a tour of the passwords of all configured extensions, verifying if these meet strong password policies.

2 A process that combines several technologies, including WebRTC, VoIP and a VoIP distro.


How to complement security?


Infrastructure, training, best practicesImplementing security in VoIP platforms often raises complex questions because in reality it all depends on the need for accessibility and services we need to incorporate.

Some scenarios include::Elastix to the PSTN3, local extensions and remote administration.Elastix to the PSTN, local extensions, remote administration, and VoIP4 provider for outbound calls.Elastix to the PSTN, local extensions, remote administration, VoIP provider for outbound calls, and inbound calls with DID.Elastix to the PSTN, local extensions, remote administration, VoIP provider for outbound calls, inbound calls with DID, and remote extensions.

These scenarios are not unique, and the easy access to technology makes them to become increasingly complex. However, currently there are tools and infrastructure models that can be implemented to provide assurance.

A significant challenge is the positioning of a perimeter firewall, especially when its management is not borne by the customer. Make it clear from the start: It is not impossible to run Elastix properly behind a firewall, but great deal of coordination and tuning is necessary.

More importantly, the firewall should not be considered as an element that guarantees security by 100%. That would be a big mistake. You need to go much further than that, and one of the options available is to implement software that proactively reacts to attacks from the start.

Two solutions that work quite well are Fail2ban and Snort, it is advisable to consider them in the design stage of the implementation.

.

.

.

.

PSTN

REMOTEEXTENSIONS

LOCAL IP PHONES AND LOCAL SOFTPHONES

IP PBX / REMOTE EXTENSIONS- VOIP EXTENSIONS- INTERNET SERVICES- IVRs- SCALABILITY

3 Public Switched Telephone Network4 Voice over IP



ResponsibilitiesEstablishing obligations is a very delicate aspect as there are different people involved in the implementation process, particularly in the platform maintenance. Each person requires coordination and establishment of roles and responsibilities.

Two basic roles in an implementation are:

Integrator or Specialist RoleIt is the professional who provides the solution and who performs the deployment after proper analysis, which should be done together with the customer.

Some of their responsibilities are:Identifying customer needs.Establishing proper platform positioning based on the requirements.Implementing the functionality requested by the customer.Knowledge of risks inherent to the platform.

Customer RoleThis is probably the most important role, since this person is the one who will ultimately maintain the system, but even more, this person will set the initial requirement, choose the supplier, set the budget for the implementation, and the one who should make decisions prior to implementation.

It is a role that, in an ideal scenario, will include the company CEO, IT5 manager and systems administrator. He should have sufficient knowledge to preserve the operation of the platform.

Some of their responsibilities are:Knowing internal (LAN) and external (internet) risks.Keeping secure passwords.Establishing security as priority versus flexibility.Consulting a specialized company, whether through a support contract or specific services.Requesting the telephony carrier to set outbound limits to the PSTN.Training their technical staff in the implemented solutions.Frequently training their technical staff in security topics.

.

.

.

.

.

.

.

.

.

.

.

5 Information Technology



The challenges towards the future stand on the side of mobility and easy access to resources.

Companies and end users are increasingly involved with user-friendly tools, such as Hangouts or Skype.

But under all of this, there is always the question of: How to solve the security problem?

A simple answer would be "come up with security mechanisms for each scenario."

An important example is the communication security, meaning remote links and connections between branches, which should aim at hindering the access to voice packets and preventing illegal sniffing. Tools such as TLS (Transport Layer Security) and SRTP (Secure Real-time Transport Protocol) though they sound very complex, are standard protocols supported in Elastix. Its successful implementation can ensure the confidentiality of communications in environments where it is top priority to minimize this risk.

Another example relates to collaborative environments such as telework, where remote extensions are a key necessity. For this case, the implementation of virtual private networks or "VPNs", provide a lot of flexibility, since there is currently a wide range of computers, laptops, phone handsets and mobile devices available that incorporate VPN client software.

This solution not only allows us to securely connect to our private network, but also, in the case of VoIP implementations, eliminates issues associated with NAT Traversal.

USER A USER B

IP PHONE

TUNNEL

TUNNEL

TUNNEL


Future Challenges


Part of the challenge also includes the expansion of security measures in parallel with the release and development of software and hardware solutions. Technology has advanced so fast that it has not allowed to adequately convey implementation needs at the infrastructure and knowledge level. It is becoming indispensable to have a suitable technology adviser, either in-house or by expert companies.

This allows an organization to focus on its core business, which in most cases is not technology, but rather using it to achieve goals.

Undoubtedly, ongoing training is vital. Today the professional has more responsibility and it is clear that having skills or knowledge in security is an added value that makes a significant difference when performing a deployment.

The Elastix team, for example, is well aware of this need, which is why they have designed a security course as part of their training program. The objective is to complement, since best practices are communicated from the point of platform installation.

ConclusionsIt is clear that along with technological advances, vulnerabilities will continue to appear. However, essential protection mechanisms are also developed, the challenge will always be in the order of knowledge, analysis, and application, so that we may determine a solution for every need.

Become a part of the select groupof Elastix Certified Professionals

Elastix Security Master®

About AuthorJuan Oliva Cordova @jroliva http://jroliva.wordpress.com/

Computer Security and IP Telephony consultant with over 10 years experience in the field. He is very involved in projects regarding hacking testings, vulnerability analysis and exploitation, among other tasks of computer security. He also develops implementation and assurance of IP telephony platforms based on Elastix, Call Center, Cloud Solutions and Hosted PBX projects.


Security_in_VoIP_Implementations.pdf

Documents

Transcript of Security_in_VoIP_Implementations.pdf