RE: Voice over IP applications vulnerabilites/attacks ?

From: Paul D. Scallan, Jr. (depo@kaufmanandassociates.com)
Date: 01/02/03

  • Next message: Chris Tobkin: "Re: Voice over IP applications vulnerabilities/attacks?" 
    From: "Paul D. Scallan, Jr." <depo@kaufmanandassociates.com>
To: "'Keith Stewart'" <kstewart@cisco.com>
Date: Thu, 2 Jan 2003 16:33:29 -0600

    My reply was essentially......have good network security design at the
    enterprise level before you even start to introduce, develop and deploy
    VOIP apps. This is in agreement with Keith's statement also. However,
    some of the phones and phone systems themselves have had problems which
    are being addressed. I might take this moment to state that I did not
    mention any vendor in specific; however, find it odd that Keith replied
    to mine with vendor specific notations. Although, credit due, there are
    many vendors that have phones and phone systems with problems.

    Keith is right....the VOIP circuit has been relatively left alone on the
    intrusion/attack venue. The problem with a lot of PBX work with VOIP
    applications is bad installation planning. A lot of techs and admins
    and managers out there do not stop to consider that a VOIP-phone is not
    a hardwire phone.....meaning it is potenitally as vulnerable as if you
    put a web server, ftp server (with full anon priv.) and a mail server
    (with anon relaying enabled) on a ds3 connection with no firewalling or
    proxy services being used. Meaning....hardware is purchased and slapped
    onto an static public IP address behind a router (but still within the
    sub-net of a corporate network....). This is tatamount to inviting
    disaster into your very valuable corporate network). Why take a chance?
    But this is only so (as Keith and I stated) if your basic network
    security structure is mal-conceived from the get-go and implemented as
    such.

    My basic point in my original e-mail: Don't worry about VOIP-specific
    software and hardware security devices......just concentrate on your
    core network security layout with a very keen eye on the effect of VOIP
    apps behind same. Like Keith said Security 101....best practice.

    PAUL D. SCALLAN, JR.
    IT/IS/Production Manager - Paralegal
    KAUFMAN & ASSOCIATES, INC.,
    VOICERITE! and SCALLAN SERVICES
    The Moss Building
    109 East Vermilion, Suite 200
    Lafayette, Louisiana 70501
    337-237-4434 (main)
    800-503-2274 (toll-free)
    337-234-0715 (facsimile)
    337-247-4486 (24 hour mobile)
    depo@kaufmanandassociates.com
    http://www.kaufmanandassociates.com
    http://www.voicerite.net
    http://www.scallanservices.com
     

    -----Original Message-----
    From: Keith Stewart [mailto:kstewart@cisco.com]
    Sent: Thursday, January 02, 2003 4:04 PM
    To: Paul D. Scallan, Jr.
    Cc: 'Avi Chesla'; focus-ids@securityfocus.com
    Subject: RE: Voice over IP applications vulnerabilites/attacks ?
    Importance: High

    <VendorHat = on>

    Cisco produced a White Paper on IP Telephony Security as a part of its
    SAFE
    Security Blueprints.

    www.cisco.com/go/safe/

    It's more directed at the secure network design side of the question
    than
    the actual intrusions/attacks side. A lot of it boils down to Security
    101
    - people are going to try and attack your systems, so put some
    appropriate
    security policies in place to try and mitigate the risk. The good thing

    with the SAFE docs is the recommendations have all been heavily tested,
    and
    the docs include the Cisco configs for the recommendations.

    <VendorHat = off>

    As far as actual attacks against the systems, AFAIK, there's been no
    significant reported attack against an IP Telephony installation. In a
    large part, that's because existing installations are typically
    self-contained enterprise or SMB installations, and thus the entire
    system
    is protected from external aggressors by your enterprise firewalls (i.e.
    no
    conduits in/out for VoIP ports, phones on un-NATed address spaces,
    etc.),
    and because VoIP protocols are still relatively unknown by people
    outside
    the industry (i.e the most commonly deployed protocol is still H.323,
    and
    323 messages are ASN.1 encoded - security through obfuscation,
    anyone?). But as there's more and more deployments, and the protocols
    are
    around longer, it becomes more and more important to make sure security
    is
    designed into a VoIP deployment.

    Keith

    At 12:02 PM 1/2/2003 -0600, Paul D. Scallan, Jr. wrote:
    >I am going to assume that you are talking VOIP in the "phone to phone"
    >sense (although the following can apply to any application of VOIP).
    >
    >I think you will find that certain phones themselves are prone to
    >certain vulnerabilities. See:
    >http://www.eweek.com/article2/0%2C3959%2C373289%2C00.asp Mostly the
    >problem with the phones themselves are: they contain remote-accessible

    >code which can be exploited to cause a denial of service, and possibly
    >leak information and the phones are also weak in ways that facilitate
    >man-in-the-middle attacks directed at intercepting telephone traffic.
    >
    >Also, There are three main vulnerabilities to IP networks and these
    >result from its benefits. While in the traditional voice network one
    >has to tap into a specific circuit to eavesdrop, in an IP network any
    >equipment connected to the corporate LAN can identify, store and
    >playback the VoIP packets that traverse that LAN. The use of shared
    >media by VoIP systems opens the door to some uncertainty as to the
    >source of a call, and may require authentication. The anonymity of an
    >unprotected, unauthenticated IP network makes it susceptible to hostile

    >use, such as prank calls, sending computer viruses or flooding the
    >network. Despite the above, the vulnerability of an authenticated,
    >protected VoIP network to internal abuse does not markedly differ from
    >traditional telephone networks. Since there is no such thing as a
    >secure IP network, only secure computing - one must secure the
    >telephones, conversations, computers, and servers. Set up a chain of
    >trust for authentication (encryption), control access (passwords and
    >firewalls), encrypt for privacy, and employ call accounting software to

    >establish accountability. One can achieve some measure of security by
    >strategically allocating sub-nets, and choosing to use IP Switches
    >instead of IP Hubs. However, security considerations should not
    >override routing and traffic accommodations. Firewalls can and should
    >be used to protect segments of a network from hostile traffic. This
    >does not relieve each network device from protecting itself and
    >filtering out undesired communications. Physical and network access to
    >any VoIP server that is used to authenticate users, that controls
    >access to the public telephone network, or that contains potentially
    >confidential information should be locked down and treated with the
    >same security precautions as any server with a confidential database.
    >
    >Further, another good article:
    >http://www.eetimes.com/story/OEG20021014S0072
    >
    >
    >PAUL D. SCALLAN, JR.
    >IT/IS/Production Manager - Paralegal
    >KAUFMAN & ASSOCIATES, INC.,
    >VOICERITE! and SCALLAN SERVICES
    >The Moss Building
    >109 East Vermilion, Suite 200
    >Lafayette, Louisiana 70501
    >337-237-4434 (main)
    >800-503-2274 (toll-free)
    >337-234-0715 (facsimile)
    >337-247-4486 (24 hour mobile)
    >depo@kaufmanandassociates.com http://www.kaufmanandassociates.com
    >http://www.voicerite.net
    >http://www.scallanservices.com
    >
    >
    >
    >-----Original Message-----
    >From: Avi Chesla [mailto:avic@V-Secure.com]
    >Sent: Thursday, January 02, 2003 11:14 AM
    >To: 'focus-ids@securityfocus.com'
    >Subject: Voice over IP applications vulnerabilites/attacks ?
    >
    >
    >Hi,
    >
    >Is anyone familiar with Voice over IP vulnerabilities/Intrusions,
    >floods etc ?
    >
    >I heard Checkpoint has some new protection capabilities concerning the
    >issue.
    >
    >
    >Avi

    Relevant Pages

    • SQL Voice Over IP Exposed!
      ... VOIP can Lower telecom costs and help with network ... consolidation -- and cause security problems if not handled right. ... "The idiosyncrasies of voice data may strain your security system to ...
      (comp.dcom.telecom)
    • RE: Voice over IP applications vulnerabilites/attacks ?
      ... Cisco produced a White Paper on IP Telephony Security as a part of its SAFE ... It's more directed at the secure network design side of the question than ... conduits in/out for VoIP ports, phones on un-NATed address spaces, etc.), ...
      (Focus-IDS)
    • RE: Question on VoIP security
      ... > I am currently facing an Intranet VoIP project (will be restricted to ... > 1 organization's Intranet, geographically disperse), from the security ... network, but treat the security side of it as you would any data port. ... just got a little easier as the phones are all going to have the same ...
      (Security-Basics)
    • RE: VoIP Assessment
      ... > quality of the calls under different network situations. ... > organizations may outsource this to a number of various VoIP hardware ... > 5) Validate that server-based IP PBXs are secure ... and is not solved by conducting a network security ...
      (Pen-Test)
    • RE: Voice over IP applications vulnerabilites/attacks ?
      ... I am going to assume that you are talking VOIP in the "phone to phone" ... I think you will find that certain phones themselves are prone to ... There are three main vulnerabilities to IP networks and these ... While in the traditional voice network one has ...
      (Focus-IDS)