Secured IP telephony
Secured IP Telephony. © 2008 Aastra Communications, Ltd.
Agenda
» ToIP: risks?
» Security analysis
» Best practices
» Security in the Aastra 5K solution
» Engineering
ToIP: risks
TDM versus ToIP
» TDM = dedicated solution without any link to the IS/IT network
– Generally not covered by the company's security policy
– Few applications
– High availability level (>99.99%)
» ToIP
– Shared "transport" network: the IP network
– Deep interaction with the IS/IT solution: ToIP is part of the company's processes, and ToIP projects are managed by IS/IT managers
>> ToIP is part of the security policy of all companies
Which risks?
» Call listening-in
– With a TDM solution, physical access to the wiring closet or to the PSTN access (with a sensor) is needed
– No physical access needed with ToIP
» Service degradation: DoS (Denial of Service) or DDoS (Distributed DoS) attacks
– Potential vulnerability to viruses or worms
– New threats from the network world (ex: SPIT = SPAM on unified messaging)
– TDM solution availability = 99.998%!
» Fraudulent use of resources
– Same risks as legacy telephony: rights bypassing / abusive calls
Phreaking: example of attack on legacy telephony
» Attacks on access equipment
– Phreaking: scanning of numbers, toll-free numbers
– Voice messaging equipment
– Free telephony
» Inappropriate use of facilities
– Call forward for listening-in and extra billing, resale of telephony resources on the black market, advertising messages, playing on the enterprise image…
» Denial of service
– Busy lines, call forward to voicemail
>> ToIP is concerned by such attacks too
Hacking: example of attack on IP protocols
» Signaling protocols subject to packet injection and listening (UDP = spoofing)
» Network sniffing: classic network analysis to obtain information
» DoS on the signaling flow: bad programming and saturation
» Playing with protocol requests: SIP CANCEL, SIP BYE
» Eavesdropping by capturing the RTP flow (e.g. with Ethereal)
» TFTP and DHCP attacks: bad configuration to gain access…
>> ToIP is concerned by such attacks too
Phreaking and hacking in real life
» Attack on a VoIP provider to steal minutes
» ~1 M$ of damage
» The attack could have been prevented if "best practices" had been respected.
Security approach
Objectives = CIA + P
» Confidentiality
– No illegal listening / illegal access to the directory
» Integrity
– Services cannot be created, changed, or deleted without authorization
» Availability
– Protection mechanisms guarantee the availability of the service
» Proof (audit)
– Log of actions / CDR
Equipment
» Confidentiality, Integrity, Availability, and Proof (audit) apply to every class of equipment
[Diagram: equipment map. Common infrastructure: routers, switches, network servers (Windows, Unix...), LAN, WAN (level 2 & 3), remote access, management. Dedicated to ToIP: terminals, applications, gateways (IP, ISDN), call server, management, interfaces.]
End to end security (1/2): global approach
[Diagram: LAN, WAN and Internet zones with the call server, servers & applications, gateway to RTC/RNIS (PSTN/ISDN), legacy phones, WiFi & DECToIP, IP phones, CTI, SOHO, remote working and mobility, remote management and SIP trunk; signaling runs across the whole path.]
End to end security (2/2)
» Same level of protection
– On all equipment
– On all software layers
– End to end
[Diagram: protocol stack. Physical layer; Datalink: Ethernet, ATM; Network: IP; Transport: TCP, UDP, RTP; Application layer; Operating system.]
Best practices
ToIP security elements have to be reliable
» Correct end to end integration has an impact on security devices:
– Risks: security level adapted to the security policy
– Architecture: easy integration in the existing infrastructure (evolution of existing security devices, integration with the existing data infrastructure)
– Performance: quality of voice is a key factor and should not depend on network load
– Rules: flow control should be easy to implement (firewall, proxy, SBC, ...)
>> Security has to be transparent for telephony services
Converged network & security: respect of best practices
» Electrical protection adapted to ToIP security prerequisites
– UPS and battery
– Emergency generator
» LAN/WAN design adapted to ToIP security prerequisites in terms of availability
– Core network redundancy (power supply, CPU)
– L2 redundancy: STP, rapid STP, multiple STP, 802.3ad + proprietary
– VRRP, routing
– Critical provider accesses
Converged network & security: respect of best practices
» Voice flow insulation
– VLAN creation: broadcast limitation and voice flow isolation
– Definition of rules for inter-VLAN filtering: on the router or L3 switch (ACL, VLAN ACL), on the firewall
» Some network services become critical:
– Ex: switches, DHCP server(s), TFTP/FTP server(s)
» Limit and control resource access
– Call server
– Applications
– Deactivation of unused services
Converged network & security, example: VLAN ACL
» Objective:
– Prevent ICMP and TCP flooding DoS attacks
» The current generation of switches allows defining ACLs (Access Control Lists) inside a VLAN (VLAN ACL)
» IP phones talk to each other only with UDP
» ACL example of implementation in the ToIP phone VLAN:
– Block TCP and ICMP between IP phones
[Diagram: ICMP flooding attack in the voice VLAN; the ACL in the ToIP VLAN permits only UDP between phones.]
Converged network & security, example: limitation of the number of MAC addresses per port
» Objective:
– Prevent an attack that saturates the switch CAM table by flooding it with ARP requests carrying different MAC addresses (CAM overflow attack)
» The current generation of switches allows limiting the number of MAC addresses per port
» Example: limit to 2 MAC addresses per port
– MAC address of the phone
– MAC address of the PC
[Diagram: ARP flooding attack (different MAC addresses) with a frame creation tool against a switch port that allows only 2 MAC addresses.]
Converged network & security, example: limitation of rogue DHCP servers
» Objective:
– Prevent a rogue DHCP server on the network
» The current generation of switches allows forbidding some ports from delivering DHCP Offers
» Example
– Forbid sending DHCP Offers on phone ports
[Diagram: rogue DHCP server on the LAN; only the ports towards the data DHCP server and the voice DHCP server allow DHCP Offers, the phone ports block them.]
Converged network & security: LAN design
» Filtering by protocol/ports and/or IP address
– Inter-VLAN routing rules on the L3 device
– ACL on the switch
– Stateful firewall
» Number of MAC addresses limited per port
» All traffic except RTP is forbidden between phones
» DHCP protection
» Authentication and encryption: SSL, sRTP, TLS
» IDS / IPS (Intrusion Detection / Prevention System)
[Diagram: L2 VLANs (call server & gateways, telephony applications, data applications, phones, PCs and data endpoints, admin) with MAC filtering and limiting and no DHCP Offer at L2, authentication & ciphering, and a logical filtering function between VLANs (layer 3 switches, routers and/or firewalls) with IDPS and FW.]
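As an added example (not code from the Aastra deck nor from any switch vendor), the three LAN rules above (MAC limit per port, no DHCP Offer from phone ports, only UDP/RTP between phones) modelled in Python and run over constructed frames, so their intended effect can be checked before they are configured on real switches; the VLAN id, the port names and the RTP port range are assumptions.

```python
from dataclasses import dataclass, field

PHONE_VLAN = 100                        # assumed voice VLAN id
MAX_MACS_PER_PORT = 2                   # phone + the PC behind its integrated switch
DHCP_TRUSTED_PORTS = {"Gi1/0/48"}       # assumed uplink towards the voice DHCP server
RTP_PORTS = range(16384, 32768)         # assumed RTP port range of the phones

@dataclass
class Frame:
    port: str            # ingress switch port
    src_mac: str
    vlan: int
    proto: str           # "udp", "tcp", "icmp" or "arp"
    dst_is_phone: bool   # destination is another phone in the voice VLAN
    dst_port: int = 0    # L4 destination port, 0 when not applicable
    dhcp_offer: bool = False

@dataclass
class VoiceVlanPolicy:
    learned: dict = field(default_factory=dict)   # port -> set of MACs seen so far
    def check(self, fr: Frame) -> str:
        """Return 'forward' or a 'drop: <reason>' string for one frame."""
        macs = self.learned.setdefault(fr.port, set())
        # Rule 1: port security, at most 2 MAC addresses per port (CAM overflow defence)
        if fr.src_mac not in macs:
            if len(macs) >= MAX_MACS_PER_PORT:
                return "drop: mac-limit exceeded"
            macs.add(fr.src_mac)
        # Rule 2: DHCP Offers accepted only from trusted ports (rogue DHCP server defence)
        if fr.dhcp_offer and fr.port not in DHCP_TRUSTED_PORTS:
            return "drop: dhcp-offer from untrusted port"
        # Rule 3: between phones only UDP/RTP, so TCP or ICMP floods never reach a phone
        if fr.vlan == PHONE_VLAN and fr.dst_is_phone:
            if fr.proto != "udp" or fr.dst_port not in RTP_PORTS:
                return f"drop: {fr.proto} between phones"
        return "forward"

def run(frames) -> list:
    """Evaluate a list of frames in order with a fresh MAC table."""
    policy = VoiceVlanPolicy()
    return [policy.check(f) for f in frames]

# Constructed sample traffic: one phone port, one rogue port, one flooding port
SAMPLE = [
    Frame("Gi1/0/1", "00:08:5d:00:00:01", 100, "udp", True, 20000),        # phone->phone RTP
    Frame("Gi1/0/1", "00:08:5d:00:00:01", 100, "icmp", True),              # ICMP flood attempt
    Frame("Gi1/0/1", "00:08:5d:00:00:01", 100, "tcp", True, 80),           # TCP between phones
    Frame("Gi1/0/1", "00:08:5d:00:00:01", 100, "udp", False, 5060),        # SIP to the call server
    Frame("Gi1/0/2", "aa:aa:aa:aa:aa:01", 100, "udp", False, 68, dhcp_offer=True),   # rogue DHCP
    Frame("Gi1/0/48", "aa:aa:aa:aa:aa:02", 100, "udp", False, 68, dhcp_offer=True),  # real DHCP
    Frame("Gi1/0/3", "de:ad:be:ef:00:01", 100, "arp", False),
    Frame("Gi1/0/3", "de:ad:be:ef:00:02", 100, "arp", False),
    Frame("Gi1/0/3", "de:ad:be:ef:00:03", 100, "arp", False),              # 3rd MAC on the port
]
```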
Converged network & security: high level architecture
[Diagram: the same end to end topology (LAN, WAN, Internet, RTC/RNIS, call server, servers & applications, gateway, legacy phones, WiFi & DECToIP, IP phones, CTI, SOHO, remote worker, remote management, SIP trunk) annotated with the security functions: firewalls, encryption, VLANs, VPN, hardened servers, secure CTI, secure mobility.]
Converged network & security: WAN design
» Protect ToIP resources:
– Voice applications & call server in a DeMilitarized Zone (DMZ)
– Filtering rules
» Virtual Private Network (VPN) managed by the enterprise or the provider
– Encryption
– Authentication
– Proof
» QoS
[Diagram: common LAN (VLANs) and telephony DMZ (voice applications, voice DMZ) behind a firewall, VPN with QoS towards remote sites carrying ToIP or ToIP+data.]
Converged network & security: remote workers
» Secure access to enterprise resources (firewall, VPN concentrator, UTM)
» Virtual Private Network (VPN) managed by the enterprise or the provider
– Encryption
– Authentication
– Proof
» QoS should be a main concern (especially with ADSL access)
[Diagram: same topology; IPSec site to site + IP phone for remote sites, IPSec client to site + softphone for remote workers, firewall in front of the telephony DMZ.]
Converged network & security: remote management
» Secure access to enterprise resources (firewall, VPN concentrator, UTM)
» Virtual Private Network (VPN) managed by the enterprise or the provider
– Encryption
– Authentication
– Proof
» Use secure protocols (ex: HTTPS)
[Diagram: same topology; remote management reaches the telephony DMZ through the firewall over an IPSec client to site VPN.]
Security in Aastra solution
Aastra 5000: security management everywhere
[Diagram: best practices applied across endpoints, applications and management. Endpoints: 802.1x (EAP-MD5), SIP Digest (MD5). Applications: SSO, Windows session (NTLM, Kerberos), Active Directory, Radius (AAA), protected applications, OS hardening, HA, encryption. Management: HTTPS (TLS). Network: server LAN, firewall, IDS/IPS.]
Aastra 5000 security: high availability
» Aastra 5000 CS: service without any interruption
– Secured Stratus® hardware
– Spatial redundancy with communications not cut
» Aastra IPBX/MGW
– Specific and secured hardware
– Power supply safety using battery
– CPU and power supply redundancy
» "Local survivability" on Aastra IPBX/MGW (services kept)
– Short or external numbering
– Vocal guides, announcements
– Transfers, callbacks, alternate, multi-line, monitoring of extensions
– Profile of the user
[Diagram: primary and secondary A5000 CS (with A5K CC) across the WAN; signaling to the IPBX/MGW, switch and IP/SIP phones.]
Availability of ToIP service: local call handling on the gateway (ex: WAN failure): dual homing (R5.1B)
[Diagram: main site with the A5000 server, WAN, remote site with an X Series gateway (max 500 IP phones on the gateway, IP phones secured by the gateway) and a provider link. 1. Nominal mode: managed by the main call servers. 2. WAN failure. 3. Subscription to the local gateway. 4. Dual homing mode: call server function on the gateway.]
Availability of ToIP service: local call handling on the gateway: dual homing (R5.1B)
» Same level of services (except access to centralized resources):
– Short or external numbering
– Vocal guide, music
– Call forward, call back, alternate, multi-line, supervision
– User profile
» No break of communications during failover (except if the call transits through the WAN)
» No restart of the gateway in case of remote disconnection
» Integrated CDR buffer to save CDRs (tickets) and send them to the CDR server
» Configuration synchronization from A5k towards the gateway:
– Periodic downloading of the configuration each day for each set
Availability of ToIP service: local call handling on the gateway
» L2 tagging (802.1p/q) and L3 (ToS field, Diffserv) available on all phones
» Call Admission Control embedded in Aastra software on all call servers and the gateway/iPBX range
– QoS does not prevent IP link overloading
– Aastra CAC prevents overloading on WAN links with limited bandwidth: codec negotiation in relation to the load of the links; in case of overload, a fallback mechanism: rerouting by the voice carrier for instance (RTC/RNIS)
Secured IP phones: embedded features (1/2)
» Authentication to A5k software: phone number & PIN code for log-in / log-out
» Authentication to network access: 802.1X or MAC address
» Integrated switch
– Voice flow tagged in the voice VLAN
– Data flow tagged in the data VLAN
» Optional communication (voice) encryption on SIP 675xi & 53xxIP or I7xx (R5.1B, R5.2)
Secured IP phones: embedded features (2/2)
» Self admin on 67xxi & 53xxIP:
– Password
– Automatic log-out after idle state
» User profile is on AM7450
» Firmware OS is specific: no known virus
» Secure firmware update
Secured IP phones: focus on 802.1x
» Objective:
– Secured access to the LAN via IP phone authentication (EAP-MD5)
– Relay of 802.1x requests from the PC connected to the integrated switch
[Diagram: 1. authentication request EAP-MD5 (802.1x) from the phone to the switch; 2. check of login + password on the authentication server (Radius) backed by LDAP; 3. rights; 4. authorization; 5. OK; 6. OK = authenticated connection (DHCP, RTP…). The phone performs a transparent relay of the PC's 802.1x exchange + EAP-Logoff.]
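The six-step flow above as an added example (not Aastra's or any switch vendor's code): the EAP-MD5 challenge/response of RFC 3748 between a supplicant (phone or relayed PC) and a RADIUS server, with the switch as a pass-through authenticator; the identities, passwords and VLAN ids are constructed.

```python
import hashlib
import secrets

def eap_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 (RFC 3748, CHAP-style): MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()

class RadiusServer:
    """Holds the credentials (the LDAP backend on the slide) and takes the decision.
    Note: EAP-MD5 authenticates only the supplicant and derives no key material,
    so the port opens but nothing on the link is encrypted by this step."""
    def __init__(self, users: dict):
        self.users = users          # identity -> (password bytes, authorised VLAN)
        self.pending = {}           # identity -> (identifier, challenge) awaiting a response

    def start(self, identity: str):
        identifier = secrets.randbelow(256)
        challenge = secrets.token_bytes(16)
        self.pending[identity] = (identifier, challenge)
        return identifier, challenge                 # step 1: EAP-Request/MD5-Challenge

    def check(self, identity: str, response: bytes):
        identifier, challenge = self.pending.pop(identity, (None, None))
        if identity not in self.users or challenge is None:
            return "reject", None
        password, vlan = self.users[identity]
        expected = eap_md5_response(identifier, password, challenge)
        if secrets.compare_digest(expected, response):
            return "accept", vlan                    # steps 3-5: rights, authorization, OK
        return "reject", None

class Supplicant:
    def __init__(self, identity: str, password: bytes):
        self.identity, self.password = identity, password
    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return eap_md5_response(identifier, self.password, challenge)   # step 2

def authenticate(server: RadiusServer, supplicant: Supplicant):
    """The switch relays EAP between supplicant and server and applies the verdict."""
    identifier, challenge = server.start(supplicant.identity)
    response = supplicant.answer(identifier, challenge)
    verdict, vlan = server.check(supplicant.identity, response)
    return verdict, vlan                             # step 6: port opened in that VLAN, or not

# Constructed directory: a phone and the PC behind its integrated switch
DIRECTORY = {"phone-5656": (b"pin-1234", 100), "pc-bob": (b"hunter2", 200)}
```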
Secured communications: ToIP encryption (R5.2)
» VoIP encryption
– Encryption based on AES 128 bits
– From the A5k server, encrypted diffusion to: gateways, IP phones I7xx (at each beginning of call), IP phones 53xxIP
– Key defined by the administrator on the A5k server
– Systematic encryption, codec negotiation based on CAC & support of encryption on the devices
– Indication of the encrypted state of the communication on the terminal
[Diagram: the A5000 distributes to the devices; encryption between gateways, between IP phone and gateway, and between IP phones.]
Secured management (HTTPS, TLS)
» Integrated web manager = Aastra Management Portal
– Secured access by login/password
– Different rights: rights for iPBX configuration, rights for directory management (web based), rights to manage user phones
– Log of accesses
» Aastra Management 7450 (AM7450):
– Rights management / administrator
– Management flows are encrypted
– Gateway and server are authenticated
Secured management (M7450 R2.1)
» Configuration management:
– Backup / restore of user profiles on AM7450
– Automated backup/restore of CS and GTX configurations
– Automated backup of CS and GTX logs & inventory of active elements
– Configuration audit: numbering plan
– Inventory of IP phones, directory numbers
Aastra 5000 - OS
» Linux community
» Customised and ruggedized Linux OS (OS hardening), no direct access on it
» Unused services are not available: only a few accessible (open) ports
A5k software
» User profile:
– Class of service (ex: discrete listening rights, call forwards, ...)
– Access discrimination
– Multi-tenant with filtering between companies (multicompany)
– User password
» Call logging:
– Via CDR & CDR application server
– Performance analysis
– Cut-off of the communication after a certain time (parameter)
– Business code
Aastra Communication Portal: secured access
The software
» Secured access to the whole Aastra Communication Portal application via SSO (Single Sign On)
» User authentication via Windows Active Directory login/password
» Unified user and password management through Windows Server
» Native security and mobility
– Windows login/password
– Virtual desking or free seating (login-logout) from Aastra IP phones
Aastra Communication Portal: secured access
[Diagram: 1. authentication with Windows login/password (1*: 802.1x optional + authentication login/password); 2. check of login + password on the Windows server; 3. Windows session is open, ACP is launched (login: Bob, tel: 5656); 4./5. NTLM authentication with the Windows server; 6. search of user Bob & applications/rights; 7. VTI request for number 5656 to the Aastra 5000, access OK. *Requests not detailed on the schemes.]
Aastra applications: antivirus support
» Antivirus support on Aastra applications: highly advised
– Respect the prerequisites (cf. LCI)
» ACP
– Scans and updates authorized during idle state (night)
– Scanning of logs not permitted
» UCP
– Directory D:/ not scanned
– Updates during idle state
SIP and security
» MD5 authentication of Aastra SIP phones
» Digest Access Authentication (RFC 2617) via MD5 on the SIP trunk:
– Crossed authentication VoIP provider <-> Aastra 5k
» Embedded Session Border Controller (SBC) for support of NATed environments
[Diagram: Aastra Com Server with embedded Session Border Controller, firewall, WAN, voice ISP; MD5 authentication in both directions.]
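The RFC 2617 Digest computation the trunk authentication relies on, as an added example that is not Aastra's code: the challenging side issues a one-shot nonce, the other side answers with MD5 over the credentials, method and URI, and the same code serves both directions of the "crossed" authentication; the realm, user and passwords are constructed.

```python
import hashlib
import secrets

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce=None) -> str:
    """RFC 2617: response = MD5(HA1:nonce[:nc:cnonce:qop]:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")   # the password itself never crosses the trunk
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class DigestVerifier:
    """The challenging side (provider or PBX): issues nonces and checks one response each."""
    def __init__(self, realm: str, credentials: dict):
        self.realm, self.credentials = realm, credentials   # user -> password
        self.issued = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)            # carried in the 401 WWW-Authenticate header
        self.issued.add(nonce)
        return nonce

    def verify(self, user, method, uri, nonce, response, **kw) -> bool:
        if nonce not in self.issued or user not in self.credentials:
            return False
        self.issued.discard(nonce)               # one-shot nonce: a replayed response fails
        expected = digest_response(user, self.realm, self.credentials[user],
                                   method, uri, nonce, **kw)
        return secrets.compare_digest(expected, response)

def trunk_register(pbx_user: str, pbx_password: str, provider_password: str):
    """One REGISTER over the SIP trunk: the provider challenges, the PBX answers,
    the provider checks. Returns (accepted, replay_accepted). The PBX challenging
    the provider is the same exchange with the roles swapped."""
    provider = DigestVerifier("sip.provider.example", {pbx_user: provider_password})
    nonce = provider.challenge()
    uri, cnonce = "sip:sip.provider.example", secrets.token_hex(8)
    resp = digest_response(pbx_user, provider.realm, pbx_password, "REGISTER", uri,
                           nonce, qop="auth", cnonce=cnonce)
    kw = dict(qop="auth", cnonce=cnonce)
    accepted = provider.verify(pbx_user, "REGISTER", uri, nonce, resp, **kw)
    replayed = provider.verify(pbx_user, "REGISTER", uri, nonce, resp, **kw)
    return accepted, replayed
```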
Security and wireless solutions
» Aastra DECToIP
– Radio DECT technology natively secured (authentication, encryption)
– QoS integrated in the RFP: L2 (802.1p/q) & L3 (Diffserv)
» WiFi terminal Aastra 312i
– WPA2 support with PSK authentication (Pre Shared Key) for better performance
– QoS has to be implemented on the network infrastructure (example: mapping SSID / VLAN)
– Light AP solution needed
Checkphone partnership
» Check of the integrity of communications:
– Detection of illegal use of telephony resources
– Differential analysis between configurations (example: gain of privileges)
» Analysis and filtering: IDPS probe on TDM & IP/SIP trunks
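The differential analysis between configurations mentioned above, as an added example that is neither Checkphone's nor Aastra's code: two exported user-profile configurations (the class-of-service items listed under "A5k software") are parsed and compared, and privilege gains are reported; the export format, the class ranking and the rule that an external forward starts with "0" are constructed assumptions.

```python
from dataclasses import dataclass

# Rights treated as sensitive, taken from the class-of-service items on the slides
SENSITIVE_RIGHTS = {"discrete_listening", "external_call_forward", "international_calls"}
CLASS_RANK = {"restricted": 0, "standard": 1, "manager": 2, "admin": 3}   # constructed scale

@dataclass(frozen=True)
class Finding:
    user: str
    kind: str        # "class_upgrade", "right_added", "forward_changed", "new_user"
    detail: str

def parse_profiles(text: str) -> dict:
    """Parse 'user;class;right1,right2;forward' lines (constructed export format)."""
    profiles = {}
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        user, cls, rights, forward = (f.strip() for f in line.split(";"))
        profiles[user] = {"class": cls, "rights": set(filter(None, rights.split(","))),
                          "forward": forward}
    return profiles

def diff_privileges(before: dict, after: dict) -> list:
    """Report every way a user holds more privilege in 'after' than in 'before'."""
    findings = []
    for user, new in after.items():
        old = before.get(user)
        if old is None:
            findings.append(Finding(user, "new_user", f"class={new['class']}"))
            continue
        if CLASS_RANK[new["class"]] > CLASS_RANK[old["class"]]:
            findings.append(Finding(user, "class_upgrade", f"{old['class']}->{new['class']}"))
        for right in sorted((new["rights"] - old["rights"]) & SENSITIVE_RIGHTS):
            findings.append(Finding(user, "right_added", right))
        # a forward target starting with "0" is taken as an external number (assumption)
        if new["forward"] != old["forward"] and new["forward"].startswith("0"):
            findings.append(Finding(user, "forward_changed", f"->{new['forward']}"))
    return findings

# Constructed exports: a nightly baseline and the current configuration
BEFORE = """
# user;class;rights;forward
bob;standard;;none
alice;manager;discrete_listening;none
"""
AFTER = """
# user;class;rights;forward
bob;manager;external_call_forward;0033123456789
alice;manager;discrete_listening;none
mallory;admin;discrete_listening,international_calls;none
"""
```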
Engineering rules
QoS
» QoS on LAN: its implementation depends on network load
– 802.1p/q tagging
– Guaranteed bandwidth for the voice flow
– Use of the different waiting queues of the switches: the voice flow is forwarded in priority
» QoS on WAN: recommended
– L3 tagging based on the Diffserv model & the ToS (type of service) field of the IP header
– L2 & L3 QoS have to be coherent
– L2 & L3 QoS mapping & MPLS class of service (ex: mapping VLAN <-> class of service)
» Aastra Call Admission Control:
– Load limited "a priori" on the links, fallback mechanism in case of congestion
– Embedded on all Aastra equipment
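Added example, not Aastra's CAC implementation, serving both the CAC bullets above and the "Availability of ToIP service" slide: a minimal Call Admission Control on a WAN link with a voice budget reserved a priori, codec negotiation against the current load, and a PSTN (RTC/RNIS) fallback when the budget is exhausted; the per-codec bandwidth figures are the standard 20 ms packetisation values, the link name and budget are constructed.

```python
from dataclasses import dataclass, field

# Per-call IP bandwidth in one direction with 20 ms packetisation (50 packets/s):
#   G.711: 160 B payload + 12 RTP + 8 UDP + 20 IP = 200 B -> 80 kbit/s
#   G.729:  20 B payload + 40 B of headers        =  60 B -> 24 kbit/s
CODEC_KBPS = {"G.711": 80, "G.729": 24}
CODEC_PREFERENCE = ["G.711", "G.729"]   # best quality first, lower bit rate as fallback

@dataclass
class WanLink:
    name: str
    voice_budget_kbps: int                       # share of the link reserved "a priori" for voice
    calls: dict = field(default_factory=dict)    # call_id -> codec admitted

    def load_kbps(self) -> int:
        return sum(CODEC_KBPS[c] for c in self.calls.values())

    def admit(self, call_id: str, offered: list) -> str:
        """Return the codec admitted on the link, or 'PSTN' when the call must be rerouted."""
        free = self.voice_budget_kbps - self.load_kbps()
        for codec in CODEC_PREFERENCE:           # negotiate against the current load
            if codec in offered and CODEC_KBPS[codec] <= free:
                self.calls[call_id] = codec
                return codec
        return "PSTN"                            # fallback: reroute via the voice carrier (RTC/RNIS)

    def release(self, call_id: str) -> None:
        """A call ending frees its bandwidth for the next admission decision."""
        self.calls.pop(call_id, None)

def simulate(budget_kbps: int, n_calls: int, offered=("G.711", "G.729")) -> list:
    """Place n_calls on one link in sequence and return each admission decision."""
    link = WanLink("remote-site", budget_kbps)
    return [link.admit(f"call-{i}", list(offered)) for i in range(n_calls)]
```

With a 200 kbit/s voice budget the third call is negotiated down to G.729 and the fourth leaves the IP link for the carrier, which is the behaviour the slides describe.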
SNEC tool
» SNEC (Succession Network Engineering Configuration)
» Complete engineering tool used during the presales phase
– Traffic modelling
– Quality of voice
– Bandwidth and network planning
– End to end validation
» Version 2 integrates new features:
– VPN: IPSec, L2TP, PPTP
– xDSL links
Encrypted VoIP performance
» No impact on voice communication (delay…)
» Some constraints linked to processing
Tools
» Ports (TCP/UDP) used in Aastra solutions: http://support.nexspan.net/mkg/mcdfr/
» SNEC tool (bandwidth, jitter, delay, …): http://support.nexspan.net/mkg/mcdfr/
» Technical information (supported antivirus, configuration): http://support.nexspan.net/support/lci/lci.php?l=fr
» Patch management: http://support.nexspan.net/extra/Support/patch/index.php?lang=fr&target