Page 1: Securing Cisco Voip Network

SECURING VoIP NETWORK: AN OVERVIEW OF APPLIED APPROACHES AND ANALYSIS

Michael Oche, Rafidah Md Noor (Member, IEEE), Abubakar Bello Tambawal and Mostofa Kamal Nasir

ABSTRACT - VoIP is becoming more and more popular and, as such, a potential target for hackers. Providing security for VoIP services is therefore pertinent for telecommunications. Without correct mechanisms to ensure callers' authentication, transmission confidentiality and availability of the service, the security of VoIP users is at risk. The fact that VoIP relies on IP infrastructure makes it vulnerable to any attack that targets the network. Consequently, whatever the nature of the attack, there is a good chance that the attacker is capitalizing on a weakness in the VoIP protocol being used. VoIP is different from other IP services in the sense that its security is normally treated as one of the service properties configurable by the user. This article provides an overview of Cisco VoIP security requirements, aimed at empowering public VoIP users with strategies to mitigate threats.

Keywords: AAA, CIA, PSTN, Telephony, VoIP

2.0 INTRODUCTION

Voice over Internet Protocol (VoIP) is a rapidly growing Internet service. It gained popularity as a way to cut the cost of international telephone connections by transporting voice over public IP networks [1]. Today it is implemented in many IP applications, where it enables direct, and often free, communication over the Internet to users globally. As a consequence, VoIP technology is slowly replacing traditional telephony. There are numerous attack vectors when dealing with VoIP, and since VoIP depends on the IP infrastructure, any attack that targets the network is a potential hazard for VoIP. Consequently, whatever the nature of the attack, there is a good possibility that the attacker is capitalizing on a weakness in the VoIP protocol being used. Providing security for this service is therefore pertinent for telecommunications. Users' private information, business negotiation details or even state secrets could be revealed if not well protected. Without correct mechanisms to ensure callers' authentication, transmission confidentiality and service availability, the security of VoIP users is at risk. In view of this, it is pertinent and imperative to investigate the VoIP security problem and evaluate the service to assure that moving telephony to a new IP-based platform does not compromise its security [2]. In most cases "advances and trends in information technology typically surpass the corresponding realistic security requirements". This is no different in the case of VoIP. Most effort has until today been invested in providing more advanced services and applications, with less attention paid to security. Another prevailing problem lies in users' perception of VoIP telephony: because the idea of VoIP telephony is not completely new and follows the model of traditional telephony, users see it as a replacement for traditional telephony, and a replacement is presumed to provide a similar level of security. Unfortunately, VoIP is different, in the sense that its security is usually treated as one of the service properties configurable by the user. In this paper we therefore review and analyze basic Cisco VoIP network security requirements, with the aim of empowering public VoIP users and equipping them with relevant basic tools and information on how to better secure their VoIP telephony system.

Page 3: Securing Cisco Voip Network

3.0 LITERATURE ANALYSIS

Voice over Internet Protocol is a somewhat different technology: even though an average telecommunication user knows it concerns the Internet and is relatively cheap, he or she probably does not know any details beyond that. The traditional telephony system has gone through three main stages since its introduction in 1878. First it existed in the form of a generic telephone network that required a constant human presence to switch and set up calls. Later, in 1891 [3], POTS was introduced. The Plain Old Telephone System (POTS) provides automated switching, thereby completely eliminating the need for human presence. In 1970 POTS was replaced with a more advanced system known as the Public Switched Telephone Network (PSTN). Unlike POTS, the PSTN uses digital signals: voice is no longer transmitted as an analogue signal, as in POTS, but as a digital signal. This development made it possible to offer other services such as fax and database services. The introduction of the PSTN marks the beginning of the digital communication system, and to make communication even more seamless the new PSTN was also compatible with the POTS system, which uses the lowest transmission bandwidth of 4 kHz, despite the fact that digital services are transported on higher frequencies [3]. Beginning in 1990, the higher bandwidth brought about by digitization found its use in data network access technology. Many Internet access services, like ISDN and then DSL and ADSL, are now offered via the same access lines that were used for the PSTN [4].

3.1 THE ARCHITECTURE

The acronym VoIP stands for Voice over Internet Protocol, which implies that voice packets are transported using the Internet Protocol (IP); it is a packet-switching system. VoIP is different from the PSTN, which is circuit switched: the PSTN reserves a full transmission bandwidth irrespective of the amount of information to be sent. VoIP, on the other hand, is packet switched. Information that is to be sent is divided into packets and transmitted, and only meaningful information is put into packets. Additionally, each packet may travel a different route (dynamic routing) through the transport network, as there is no single reserved path (circuit). As a consequence, packets arriving at the destination may come in a different sequence than they were sent. Also, as there is no guaranteed bandwidth, some packets may be lost. These packets are simply transported using the Internet Protocol (IP). Voice transport over IP works in just the same way as any other application, like WWW or email. The Internet's tariffing system is based on a philosophy different from that of the PSTN: tariffing is independent of the geographical distance between sender and receiver. Therefore, transmitting data between any two points costs the client the same amount, whereas in the traditional PSTN calls are charged based on distance.

Figure 1 shows four scenarios relating the IP network to the PSTN. Figure 1.1 shows scenario 1, the first VoIP application: it permits voice communication between two users of the Internet, and has grown so popular that it is now used in many Instant Messaging (IM) clients, like Skype, Messenger, etc. Voice transmission over IP works just as any other Internet service and is fully converged with other IM applications. The next step of VoIP development came with calls from Internet users to PSTN fixed subscribers (Figure 1.2, scenario 2). The main advantage of such a telecommunication solution is that the information travels through the Internet as long as possible and is forwarded to the PSTN only at the very end, as close to the subscriber as possible. Thanks to this, even international calls are treated as local calls by the PSTN provider, and the total cost is considerably diminished [5].


Figure 1: VoIP/PSTN basic scenarios [5].

The last two scenarios (Figure 1.3 and Figure 1.4) might be used by providers when the need arises. Unquestionably, there are a lot more complicated scenarios in use, but they would merely be variations of the four presented in Figure 1.

3.2 PROTOCOLS AND CONCEPTS

While introducing VoIP one has to mention some basic elements and concepts of a VoIP system. As can be seen in Figure 2, there are four basic elements of a VoIP system [5].

- Terminal: in a VoIP environment this refers to the endpoint communication device, usually where calls are terminated. A terminal can be either software-based or hardware-based, and may also involve some automatic interaction, such as voice mail.
- Server: the server is the focal point of a VoIP system. Registration of terminals and data such as location and IP address are stored here. The server also performs other operations such as setting up call routing, authorization and accounting.
- Gateway: the outermost edge of the VoIP network. It ensures interoperability of the VoIP network with other networks, for example by converting voice and fax calls between the PSTN and the IP network.
- Conference Bridge: for multipoint communication. It allows several communication points to take part in one call. Because of the conference bridge's high resource requirements it is isolated from the server, as shown in Figure 2.


Figure 2: VoIP basic architecture

4.0 SECURITY REQUIREMENTS ANALYSIS

Risk assessment of Voice over IP in public networks should start with an analysis of security expectations: one should state what requirements are imposed on the system. Of course, before such an analysis can be performed, definitions of the basic and most widespread security requirements should be given.

4.1 GENERAL REQUIREMENTS

There are many different ways to classify security requirements. One of them is the CIA triad, which concerns the three most basic security problems: Confidentiality, Integrity and Availability [6]. These three issues describe properties of the communication process that happens between two parties. They are usually also considered superior requirements, and all the others mentioned in the following subsections are requirements that help to meet those three major ones by covering more specific problems. CIA are basic system security requirements, but that does not mean they are simple.

Confidentiality: usually means "restrictions on the accessibility and dissemination of information", which in the case of VoIP (or telephony generally) means limited access to the information exchanged between two or more communication endpoints. It is usually accomplished by encryption of the transmitted information [6].

Integrity: usually regards insertion, deletion or modification of information. In VoIP telephony, two integrity issues appear: data and signaling. Data integrity regards the exchanged content, while signaling integrity covers all the protocol information necessary for handling the transmission. Compromising signaling integrity may result in compromising almost every other security requirement [4]. That is why the "correctness, completeness, wholeness, soundness and compliance with the intention of the creators of the data" has to be ensured.

Availability: is one of the most important security requirements that needs to be ensured. If the service is not available most of the time, the technology will not be considered feasible, reliable and trustworthy by users. The availability of a system is usually measured in units of time, as the system's uptime. In traditional telephony this uptime is at least 99.999% [6]. Providing such low downtime on an IP-based platform is an extremely challenging problem. If availability is not guaranteed, the system will suffer degradation or interruption of its service to the customer as a consequence of failures in one or more of its parts. Since VoIP requires real-time transmission, even lowered quality may make a conversation impossible to carry out.


4.2 AUTHENTICATION, AUTHORIZATION, ACCOUNTING

While the CIA requirements describe the properties of a communication process, AAA regards mostly user-system interaction. It stands for Authentication, Authorization and Accounting [7], [8]. The AAA requirements are also complicated, but not as ambiguous as CIA.

Authentication: regards checking identity. There are many possible system subjects that may be authenticated: the provider, the end user, or any intermediate device. Because of that, there are two basic types of authentication in VoIP:

- End-to-end, where only the communication endpoints authenticate to one another; the devices in between, or the provider, do not take part in the process and are not aware of the end users' identity, as most of the communication details are hidden.
- Hop-by-hop, which is safer and easier to implement, as the devices in between also authenticate the users and one another and have access to all the communication details. However, there is an issue of trusting those devices, as we share our authentication information with them.

Authentication is necessary to correctly set up communication between endpoints. It usually includes identification of the users and verifying the integrity of messages containing authentication information [7].

Authorization: once the end user has been identified, his or her rights in the system have to be determined. The authorization process is necessary to check whether a user (or an administrator) is allowed to perform a requested operation or access requested data. For example, it is used by VoIP providers to find out what tariff plan should be used for a given user, what data may be accessed by him or her, etc. It is also a crucial process when accessing the VoIP server (IP-PBX) [8]. Unauthorized access to and modification of configuration data may result in compromising many other security requirements.

Accounting: is regarded as the activity, practice, or profession of maintaining the business records of a person or organization and preparing forms and reports for tax or other financial purposes. It is the process necessary for creating billing invoices for clients. Because of that it is a very important issue for the provider, which wants to be paid for the service, and for the client, who does not want to pay more than necessary [8].

5.0 METHOD OF SECURING CISCO VoIP NETWORK SYSTEM

Cisco maintains a set of best practices collected in a Solution Reference Network Design (SRND) document that provides guidelines for deployment and installation of the Unified Call Manager. Much of Cisco's IP telephony infrastructure relies on the Cisco Call Manager (CCM), a software-based call-processing component of the Cisco IP telephony solution. The Skinny Client Control Protocol (SCCP) is Cisco's proprietary signaling protocol used between the CCM and phones. Below are Cisco's approaches to mitigating security threats [9].

5.1 CISCO DISCOVERY PROTOCOL (CDP) SNIFFING

If an attacker is an insider or already has partial access to an internal network, there is a variety of passive host discovery techniques specific to a Cisco VoIP deployment that he can perform. Cisco Discovery Protocol (CDP) is a proprietary layer 2 network management protocol built into most Cisco networking devices, including VoIP phones. CDP is used particularly in a CallManager environment to discover and remove IP phones dynamically, for dynamic allocation of VLANs to IP phones, and for other management functions. CDP packets are broadcast on the local Ethernet segment and contain a wealth of useful reconnaissance information, transmitted in plaintext, about Cisco devices, including IP addresses, software versions, and VLAN assignments. Most network sniffers can easily decode CDP traffic.


Cisco recommends turning off CDP on Cisco devices, especially where the environment is mostly static. However, in a VoIP environment CDP offers so much management functionality that keeping it enabled where absolutely needed might be an acceptable trade-off. From a strict security perspective, however, CDP can provide attackers with a wealth of data about a network and should be disabled. Cisco switches and routers also have a security feature called DHCP snooping that causes the device to act as a DHCP firewall/proxy between trusted and untrusted network interfaces [9].

5.2 PROTECTING A VoIP NETWORK WITH SECURITY APPLIANCES

Security appliances such as firewalls and VPN termination devices can also be used to protect voice networks. However, one challenge of protecting voice networks with a firewall is that the administrator is unsure which UDP ports will be used to transmit the RTP voice packets. For example, in a Cisco environment the UDP port for an RTP stream is typically an even-numbered port selected from the range 16,384 to 32,767. Opening this entire range of potential ports could open an unnecessary security hole. Cisco firewalls, that is the PIX and Adaptive Security Appliance (ASA) firewalls, solve this problem because they can dynamically inspect call setup protocol traffic (e.g. H.323 traffic) to learn the UDP port to be used for RTP flows. The firewall then temporarily opens those UDP ports for the duration of the RTP connection [10].
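The pinholing behaviour described above, as an added example that is not code from the paper or from Cisco: a small inspection engine that learns the negotiated RTP port from call-setup signalling, opens it only for that call, and closes it on teardown, contrasted with statically permitting the whole 16,384 to 32,767 range. The call setup is modelled with SIP/SDP text (an assumption; the paper names H.323 as one inspected protocol) and the three messages are constructed for this example.

```python
import re
from dataclasses import dataclass, field

RTP_MIN, RTP_MAX = 16384, 32767   # UDP range for RTP quoted in the paper


def static_range_allows(port: int) -> bool:
    """Naive policy: permanently permit every even UDP port in the RTP range."""
    return RTP_MIN <= port <= RTP_MAX and port % 2 == 0


@dataclass
class InspectingFirewall:
    """Opens an RTP/RTCP pinhole only after the port appears in call-setup
    signalling, and closes it again when the call is torn down."""
    pinholes: dict = field(default_factory=dict)   # Call-ID -> {(ip, port), ...}

    _MEDIA = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)
    _CONN = re.compile(r"^c=IN IP4 (\S+)", re.M)
    _CALLID = re.compile(r"^Call-ID: (\S+)", re.M)

    def inspect(self, message: str) -> None:
        """Feed one signalling message through the inspection engine."""
        call = self._CALLID.search(message)
        if call is None:
            return                              # not a message we track
        call_id = call.group(1)
        if message.startswith("BYE"):
            self.pinholes.pop(call_id, None)    # call over: close its pinholes
            return
        media, conn = self._MEDIA.search(message), self._CONN.search(message)
        if media and conn:
            port = int(media.group(1))
            if RTP_MIN <= port <= RTP_MAX and port % 2 == 0:
                holes = self.pinholes.setdefault(call_id, set())
                holes.add((conn.group(1), port))        # RTP
                holes.add((conn.group(1), port + 1))    # RTCP on the next odd port

    def allows(self, dst_ip: str, dst_port: int) -> bool:
        """Would a UDP packet to this endpoint be forwarded right now?"""
        return any((dst_ip, dst_port) in holes for holes in self.pinholes.values())


# Constructed sample exchange: phone 10.1.10.7 calls phone 10.1.10.5.
INVITE = ("INVITE sip:7002@10.1.10.5 SIP/2.0\r\nCall-ID: c1@10.1.10.7\r\n\r\n"
          "v=0\r\nc=IN IP4 10.1.10.7\r\nm=audio 16388 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: c1@10.1.10.7\r\n\r\n"
          "v=0\r\nc=IN IP4 10.1.10.5\r\nm=audio 24000 RTP/AVP 0\r\n")
BYE = "BYE sip:7002@10.1.10.5 SIP/2.0\r\nCall-ID: c1@10.1.10.7\r\n\r\n"


def demo() -> dict:
    """Walk the call through the firewall and record what each policy permits."""
    fw = InspectingFirewall()
    before = fw.allows("10.1.10.7", 16388)
    fw.inspect(INVITE)
    fw.inspect(OK_200)
    during = (fw.allows("10.1.10.7", 16388),   # caller's RTP port
              fw.allows("10.1.10.5", 24001),   # callee's RTCP port
              fw.allows("10.1.10.5", 20000))   # unused port inside the range
    fw.inspect(BYE)
    after = fw.allows("10.1.10.7", 16388)
    return {"before": before, "during": during, "after": after,
            "static_opens_unused": static_range_allows(20000)}


if __name__ == "__main__":
    print(demo())
```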

5.3 HARDENING VOICE ENDPOINTS AND APPLICATION SERVERS

Recall that a Cisco IP phone makes a collection of configuration information freely available to anyone pointing a web browser at the IP address of the phone. This potential weakness can be mitigated by changing the web access parameter from enabled to disabled. Also, to prevent man-in-the-middle attacks, one can change the gratuitous ARP setting from enabled to disabled. By disabling the gratuitous ARP feature, one prevents a Cisco IP phone from believing unsolicited Address Resolution Protocol (ARP) replies, which could potentially have come from an attacker claiming to be the next-hop gateway for the Cisco IP phone. Aside from voice endpoints, other popular attack targets on voice networks include application servers, such as the Cisco UCM server. Cisco already provides a hardened version of the operating system that runs on a UCM server to address this problem [10].

5.4 PROTECTING A VoIP NETWORK WITH AUXILIARY VLANs

Part of Cisco's SRND recommends segmenting the voice and data networks with logically separate VLANs. This helps restrict access to the phones and critical servers. A fundamental approach to protecting voice traffic from attackers is to place it in a VLAN separated from data traffic. This voice VLAN is often called an auxiliary VLAN. VLAN separation alone protects voice traffic from a variety of layer 2 attacks. For example, an attacker would be unable to launch a man-in-the-middle attack against the IP phone's next-hop gateway; such an attack is mitigated because the attacker's PC is connected to the data VLAN while the IP phone is connected to the auxiliary VLAN.

Many models of Cisco IP phones include an extra Ethernet port to which a PC can attach. The attached PC communicates through the Cisco IP phone and can transmit traffic in a separate VLAN (that is, a data VLAN for the PC traffic and an auxiliary VLAN for the phone's voice traffic) while still connecting to a single Cisco Catalyst switch port [10].

6.0 CISCO HARDENING RECOMMENDATIONS

- Enable port security on Cisco switches to help mitigate ARP spoofing. Port security is a mechanism that allows one to assign the legitimate MAC addresses of known servers and devices ahead of time, specific to each port on the switch. Thus one can block access to an Ethernet, Fast Ethernet or Gigabit Ethernet port when the MAC address detected is not on the preassigned list. This helps prevent ARP spoofing attacks.
- Dynamically restrict Ethernet port access with 802.1X port authentication. Enabling 802.1X port authentication protects against physical attacks whereby someone walking around inside the organization plugs a laptop into an empty network jack in order to sniff traffic.
- Enable DHCP snooping to prevent DHCP spoofing. DHCP snooping is a feature that blocks DHCP responses from ports that do not have DHCP servers associated with them. This prevents a man-in-the-middle attack in which the attacker masquerades as a valid DHCP server in order to reroute traffic to his machine. Static entries should also be put in the DHCP snooping binding table for hosts that do not use DHCP, so that Dynamic ARP Inspection and IP Source Guard can use them.
- Configure IP Source Guard on Catalyst switches. The IP Source Guard (IPSG) feature uses DHCP snooping to prevent IP spoofing on the network by closely watching all DHCP IP allocations. The switch then allows only the valid IP address that has been allocated by the DHCP server on that particular port. This feature mitigates the ability of an attacker to spoof an IP address on the local segment.
- Change the default native VLAN value to thwart VLAN hopping. Most switches come with a default native VLAN ID of VLAN 1. Because attackers can sometimes perform VLAN hopping attacks if they know the VLAN IDs ahead of time, it is usually a good idea never to use VLAN 1 for any traffic. Also change the default native VLAN ID for all traffic going through the switch from VLAN 1 to something hard to guess [11].
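The access-layer controls listed above, modelled as an added example that is neither the paper's nor Cisco's code and is a simulation rather than IOS configuration: one DHCP snooping binding table feeds both Dynamic ARP Inspection and IP Source Guard, a static entry covers a phone that does not use DHCP, and port security caps the MAC addresses per port. The frame fields, port names, MAC and IP addresses are constructed for this example; the voice VLAN is assumed to be VLAN 10 with Gi0/24 as the trusted uplink.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """A simplified ingress frame; the field names are this example's own."""
    port: str            # switch port the frame arrived on, e.g. "Gi0/3"
    vlan: int
    src_mac: str
    kind: str            # "dhcp_server" (OFFER/ACK), "arp" (reply) or "ip"
    src_ip: str = ""     # IP header source, or the ARP sender IP
    lease: tuple = ()    # for "dhcp_server": (client_mac, client_ip, client_port)


class AccessSwitch:
    """Models the access-port checks from section 6.0 on top of a single
    DHCP snooping binding table shared by DAI and IP Source Guard."""

    def __init__(self, trusted_ports, max_macs_per_port=2):
        self.trusted = set(trusted_ports)   # uplinks towards the real DHCP server
        self.max_macs = max_macs_per_port   # port security: a phone plus its PC
        self.bindings = {}                  # (vlan, ip) -> (mac, port)
        self.macs_seen = {}                 # port -> set of source MACs

    def add_static_binding(self, vlan, ip, mac, port):
        """Manual entry for a host that does not use DHCP; snooping never sees
        a lease for it, so DAI and IPSG would otherwise drop its traffic."""
        self.bindings[(vlan, ip)] = (mac, port)

    def forward(self, f: Frame):
        """Return (forwarded?, reason) for one frame."""
        if f.port in self.trusted:
            if f.kind == "dhcp_server" and f.lease:
                mac, ip, client_port = f.lease          # snoop the lease handed out
                self.bindings[(f.vlan, ip)] = (mac, client_port)
            return True, "trusted port"
        # Port security: cap the number of MACs allowed on an untrusted port.
        seen = self.macs_seen.setdefault(f.port, set())
        seen.add(f.src_mac)
        if len(seen) > self.max_macs:
            return False, f"port-security violation on {f.port}"
        # DHCP snooping: server replies may only come from trusted ports.
        if f.kind == "dhcp_server":
            return False, f"DHCP snooping: rogue server reply on {f.port}"
        bound = self.bindings.get((f.vlan, f.src_ip))
        # DAI: the ARP sender MAC/IP pair must match the binding table.
        if f.kind == "arp" and (bound is None or bound[0] != f.src_mac):
            return False, f"DAI: {f.src_ip} is not bound to {f.src_mac}"
        # IPSG: the IP source must be bound to this MAC on this very port.
        if f.kind == "ip" and bound != (f.src_mac, f.port):
            return False, f"IPSG: {f.src_ip} not allocated on {f.port}"
        return True, "ok"


def demo() -> dict:
    """Constructed scenario on voice VLAN 10: Gi0/24 is the uplink, Gi0/3 a
    DHCP-configured phone, Gi0/5 a statically addressed phone, Gi0/7 a PC."""
    sw = AccessSwitch(trusted_ports={"Gi0/24"})
    # The DHCP ACK for the phone on Gi0/3 arrives via the uplink and is snooped.
    sw.forward(Frame("Gi0/24", 10, "0011.2233.4455", "dhcp_server",
                     lease=("aaaa.bbbb.0001", "10.1.10.7", "Gi0/3")))
    sw.add_static_binding(10, "10.1.10.5", "aaaa.bbbb.0002", "Gi0/5")
    return {
        "rogue_dhcp": sw.forward(Frame("Gi0/7", 10, "dead.beef.0001", "dhcp_server",
                                       lease=("x", "10.1.10.9", "Gi0/3"))),
        "legit_arp": sw.forward(Frame("Gi0/3", 10, "aaaa.bbbb.0001", "arp",
                                      src_ip="10.1.10.7")),
        # PC answering ARP for the phones' default gateway address
        "gateway_arp": sw.forward(Frame("Gi0/7", 10, "dead.beef.0001", "arp",
                                        src_ip="10.1.10.1")),
        "static_host": sw.forward(Frame("Gi0/5", 10, "aaaa.bbbb.0002", "ip",
                                        src_ip="10.1.10.5")),
        # PC sending IP packets with the DHCP phone's address as source
        "spoofed_ip": sw.forward(Frame("Gi0/7", 10, "dead.beef.0002", "ip",
                                       src_ip="10.1.10.7")),
        # third MAC seen on Gi0/7 exceeds the port-security limit of two
        "third_mac": sw.forward(Frame("Gi0/7", 10, "dead.beef.0003", "ip",
                                      src_ip="10.1.10.99")),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12s} {'forward' if ok else 'drop   '} {why}")
```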


Table 1. Summary of Cisco mitigation methods.

ATTACK MITIGATION | DESCRIPTION
Using auxiliary VLANs | Auxiliary VLANs transport voice traffic in a different VLAN from data traffic. This improves voice transmission quality and assists in securing voice traffic from layer two attacks.
Using firewalls | Effective use of firewalls can prevent potentially harmful traffic from entering a voice network while dynamically opening the suitable UDP port numbers of individual RTP flows.
Employing IPsec-protected VPNs | Employing IPsec-protected VPNs mitigates against voice signaling and media packet interception or modification.
Disabling web access | To prevent attackers from using web access to a Cisco IP phone to acquire knowledge of other servers, such as the DHCP server, DNS and UCM server IP addresses, disable web access to the Cisco IP phones, which by default is usually enabled.
Disabling gratuitous ARP | Disabling gratuitous ARP (GARP) can check against man-in-the-middle attacks. This prevents an attacker from sending unsolicited ARP replies that map a Cisco IP phone's next-hop gateway to the attacker's PC MAC address.
Disabling unneeded services | Unneeded services, such as the TFTP service on a UCM server that is not acting as a TFTP server, should be disabled to close any potential security holes that might exist in the system.


Figure 3: Summary of the threat taxonomy.


7.0 CONCLUSION / FUTURE WORK

There are many security requirements, but in this paper only a few of the most important ones have been chosen to describe Cisco VoIP networks. The bottom line of the security solutions analysis is that, although there are some attacks that are extremely difficult to handle, most may be eliminated with the use of existing security measures. Correct deployment of available security solutions can make VoIP a service with a security level very close to that known from the PSTN, while keeping all its advantages, like advanced services, user control, flexibility and lower costs. However, the biggest problem of VoIP systems is that those security solutions are actually seldom deployed. This problem concerns, above all, end users. The truth is that most users do not have any idea about security threats and countermeasures in IP networks and, to make it even worse, they do not want to know. The more serious threats to VoIP systems may be realized due to weak end-device protection or lack of encryption; both are caused by users' lack of expertise and knowledge. It is, however, difficult to expect the user to be a specialist in VoIP technology just to make a phone call. Any service or application offered in a public network should be simple, with security taken care of by the provider. In future, researchers need to work on better VoIP security measures that do not involve the end user in the security process.

ACKNOWLEDGEMENTS

The authors would like to thank the High Impact Research of Ministry of Higher Education of Malaysia (UM.C/HIR/MOHE/FCSIT/09) for their support.


REFERENCES

[1] A. D. Keromytis, "A Comprehensive Survey of Voice over IP Security Research," IEEE Communications Surveys & Tutorials, vol. 14, pp. 514-537, 2012.
[2] D. R. Kuhn et al., "Security Considerations for Voice over IP Systems," NIST Special Publication 800-58, 2005.
[3] K. B. Otterstedt, "Risk analysis on VoIP systems," MSc thesis, University of Iceland, 2011.
[4] Digital subscriber line. Available: http://en.wikipedia.org/wiki/Digital_subscriber_line
[5] S. Niccolini et al., "IP Telephony Cookbook," TERENA, 2004.
[6] D. Butcher et al., "Security Challenge and Defense in VoIP Infrastructures," IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, vol. 37, pp. 1152-1162, 2007.
[7] D. Sisalem et al., "Denial of service attacks targeting a SIP VoIP infrastructure: attack scenarios and prevention mechanisms," IEEE Network, vol. 20, pp. 26-31, 2006.
[8] C. Rensing et al., "AAA: a survey and a policy-based architecture and framework," IEEE Network, vol. 16, pp. 22-27, 2002.
[9] D. Endler and M. Collier, Hacking Exposed VoIP, Tata McGraw-Hill Education, 2007.
[10] M. Watkins and K. Wallace, CCNA Security Official Exam Certification Guide (Exam 640-553), 2008.
[11] I. Dacosta et al., "Security Analysis of an IP Phone: Cisco 7960G," in Principles, Systems and Applications of IP Telecommunications. Services and Security for Next Generation Networks, vol. 5310, H. Schulzrinne et al., Eds., Springer Berlin Heidelberg, 2008, pp. 236-255.