Uh-oh, it looks like your Internet Explorer is out of date.
For a better shopping experience, please upgrade now.
The Perfect Reference for the Multitasked SysAdmin
This is the perfect guide if VoIP engineering is not your specialty. It is the perfect introduction to VoIP security, covering exploit tools and how they can be used against VoIP (Voice over IP) systems. It gives the basics of attack methodologies used against the SIP and H.323 protocols as well as VoIP network infrastructure.
* VoIP Isn’t Just Another Data Protocol
IP telephony uses the Internet architecture, similar to any other data application. However, from a security administrator’s point of view, VoIP is different. Understand why.
* What Functionality Is Gained, Degraded, or Enhanced on a VoIP Network?
Find out the issues associated with quality of service, emergency 911 service, and the major benefits of VoIP.
* The Security Considerations of Voice Messaging
Learn about the types of security attacks you need to protect against within your voice messaging system.
* Understand the VoIP Communication Architectures
Understand what PSTN is and what it does as well as the H.323 protocol specification, and SIP Functions and features.
* The Support Protocols of VoIP Environments
Learn the services, features, and security implications of DNS, TFTP, HTTP, SNMP, DHCP, RSVP, SDP, and SKINNY.
* Securing the Whole VoIP Infrastructure
Learn about Denial-of-Service attacks, VoIP service disruption, call hijacking and interception, H.323-specific attacks, and SIP-specific attacks.
* Authorized Access Begins with Authentication
Learn the methods of verifying both the user identity and the device identity in order to secure a VoIP network.
* Understand Skype Security
Skype does not log a history like other VoIP solutions; understand the implications of conducting business over a Skype connection.
* Get the Basics of a VoIP Security Policy
Use a sample VoIP Security Policy to understand the components of a complete policy.
- Provides system administrators with hundreds of tips, tricks, and scripts to complete administration tasks more quickly and efficiently
- Short on theory, history, and technical data that ultimately is not helpful in performing their jobs
- Avoid the time drains associated with securing VoIP
About the Author
Michael Gough is host and webmaster of www.SkypeTips.com, which was launched in January 2005 and receives more than 100,000 hits per month, and www.VideoCallTips.com, which receives more than 30,000 hits per month. Michael writes articles on Skype and related issues. He also explains Skype’s options and instructions to users so that they can practically apply Skype at home and in the workplace. Michael also evaluates products used with Skype and provides feedback to the vendors on features and improvements to help drive the direction of Skype-related products. Michael is also the host and webmaster for www.VideoCallTips.com, a Web site focused on helping people understand how to make video calls to family and friends, and maintains ratings of the many video call solutions available.
Michael’s full-time employment is as a computer security consultant with 18 years’ experience in the computer technology field. Michael works for a Fortune 500 company, where he delivers security consulting services to their clients. Michael also presents for his company at many trade shows and conferences and works with associations and groups, advising agencies like the FBI on Skype security and the Center for Internet Security on wireless security.
Read an Excerpt
How to Cheat at VoIP Security
By Thomas Porter Michael Gough
Syngress Publishing, Inc.Copyright © 2007 Syngress Publishing, Inc.
All right reserved.
Chapter OneIntroduction to VoIP Security
Solutions in this chapter:
* The Switch Leaves the Basement
* What is VoIP?
* VoIP isn't Just Another Data Protocol
* Security Issues in VoIP Networks
* A New Security Model
The business of securing our private data is becoming more important and more relevant each day. The benefits of electronic communication come with proportionate risks. Critical business systems can be and are compromised regularly, and are used for illegal purposes. There are many instances of this: Seisint (Lexis-Nexis research), Choicepoint, Bank of America, PayMaxx, DSW Shoe Warehouses, Ameriprise, and T-Mobile are all recent examples.
* Seisint (Lexis-Nexis research) was hacked, potentially compromising names, addresses, and social security and driver's license information relating to 310,000 people.
* Choicepoint, one of the nation's largest information aggregators, allowed criminals to buy the private identity and credit information of more than 150,000 customer accounts. Besides the harm done to Choicepoint's reputation, in late January, 2006, Choicepoint was fined $15 million by the FTC for this breach. This figure does not include the millions of dollars spent by Choicepoint on the cleanup of this debacle. This settlement makes it clear that the FTC is increasingly willing to escalate security-related enforcement actions.
* Bank of America announced that it had "lost" tapes containing information on over 1.2 million federal employee credit cards, exposing the individuals involved and the government to fraud and misuse.
* PayMaxx Inc., a Tennessee payroll management company, suffered a security lapse that may have exposed financial data on as many as 100,000 workers.
* DSW Shoe Warehouses revealed that credit card data from about 100 of its stores had been stolen from a company computer over the past three months.
* A hacker even attacked T-Mobile, the cellular telephone network used by actress Paris Hilton, and stole the information stored on Hilton's phone, including private phone numbers of many other celebrities.
These are just a few examples from one month in 2005. Everyone "knows" that information security is important, but what types of damage are we talking about? Certainly, Paris Hilton's phone book is not critical information (except, perhaps to her). Table 1.1 lists the types of losses resulting from attacks on data networks.
The aforementioned bullet points are based on data network examples. VoIP networks simply haven't existed long enough to provide many real-world examples of information breaches. But they will.
The practice of information security has become more complex than ever. By Gartner's estimates, one in five companies has a wireless LAN that the ClO doesn't know about, and 60 percent of WLANs don't have their basic security functions enabled. Organizations that interconnect with partners are beginning to take into account the security environment of those partners. For the unprepared, security breaches and lapses are beginning to attract lawsuits. "It's going to be the next asbestos," predicts one observer.
The daily challenges a business faces—new staff, less staff, more networked applications, more business partner connections, and an even more hostile Internet environment—should not be allowed to create more opportunities for intruders. The fact is, all aspects of commerce are perilous, and professional security administrators realize that no significant gain is possible without accepting significant risk. The goal is to intelligently, and economically, balance these risks.
This book is based on the premise that in order to secure VoIP systems and applications, you must first understand them. In addition, efficient and economical deployment of security controls requires that you understand those controls, their limitations, and their interactions with one another and other components that constitute the VoIP and supporting infrastructure.
The Switch Leaves the Basement
Telephone networks were designed for voice transmission. Data networks were not. Recently—within the last three to five years—PBX functionality has moved logically (and even physically) from the closet or fenced room in the basement into the data networking space, both from physical connectivity and management standpoints. Additionally, the components of the converged infrastructure (gateways, gatekeepers, media servers, IP PBXes, etc.) are no longer esoteric variants of VxWorks, Oryx-Pecos, or other proprietary UNIXs, whose operating systems are not well enough known or distributed to be common hacking targets; but instead run on well-known, commonly exploited Windows and Linux OSes. SS7, which hardly any data networking people understand, is slowly being replaced by SIGTRAN (which is basically SS7 over IP), H.323 (which no one understands [??]), and SIP (which is many things to many people), running over TCP/IP networks. By the way, hackers understand TCP/IR
Most people, if they even think about it, consider the traditional public switched telephone network (PSTN) secure. On the PSTN the eavesdropper requires physical access to the telephone line or switch and an appropriate hardware bugging device.
Toll fraud occurs more frequently than most people realize (one source estimates damages at $4 billion per year) primarily due to improperly configured remote access policies (DISA—Direct Inward System Access) and voicemail; however, strong authentication codes and passwords, active call detail record accounting, and physical security controls reduce the risk of damage due to toll fraud to reasonable levels. Although it is theoretically possible to "hack" SS7, only sophisticated techniques and direct access to the signaling channel make this possible.
Unlike most standards in data networking—for example, TCP/IP has been relatively stable for more than 20 years now—there is a high degree of inconsistency in support and implementation of VoIP-related standards, due in part to the rapid evolution in the standards themselves, and due in part to vendors attempting to lock in customers to nonstandard protocol implementations. The consequence of this is that, in some cases, immature (vulnerable) applications reach the market. Vendors are oftentimes only familiar with their specific application's protocol implementation, and when designing a security solution, aren't always concerned about interoperability. This is actually quite ironic because these same vendors tout standards to foster interoperability.
An additional difference between VoIP and more common protocols is that both major VoIP protocols separate signaling and media on different channels. These channels run over dynamic IP address/port combinations. This has significant security implications that will be detailed later in this book. If you combine this fact (separate signaling and data channels) with the reality that users naturally expect to be able to simply make both inbound and outbound calls, then you should begin to realize that VoIP is more challenging to secure technically than common protocols that initiate with outbound client requests.
VoIP is difficult to firewall. Additionally, since IP addressing information is cascaded within the signaling stream of H.323 and within SIP control packets, encryption of these streams—an obvious security measure—wreaks havoc with NAT implementations. IPv4 was not invented with real-time communications and NAT in mind.
In addition to the vulnerabilities and difficulties that we have summarized, converged networks offer an array of new vectors for traditional exploits and malware. This is due in part to the unique performance requirements of the voice fraction of converged networks, and in part to the fact that more intelligence (particularly in the case of SIP) is moved from the guarded center to the edge of the network. Increased network points of access equals increased network complexity—and complexity is the bane of security engineers. In addition, SIP may become particularly attractive as hacking target, due to its HTTP based underpinnings, and the ease with which ASCII encoded packets can be manipulated.
Are these new problems? Not really. Information systems have long been at some risk from malicious actions or inadvertent user errors, and from natural and man-made disasters. In recent years, systems have become more susceptible to these threats because computers have become more interconnected and, thus, more interdependent, and these systems have become accessible to a larger number of individuals. In addition, the number of individuals with computer skills is increasing, more automated tools are available, and intrusion, or hacking, techniques are becoming more widely known via the Internet and other media.
Converged VoIP and data networks inherit all the security weaknesses of the IP protocol—including spoofing, sniffing, denial of service attacks, replay attacks, and message integrity attacks. All the legacy application servers that serve as adjuncts in converged networks (DNS, SNMR TFTR etc.) will also be targets of attack as they have been on data networks. Viruses and worms will become a real threat to the entire telecommunication infrastructure.
Hacking will converge as well.
Unfortunately, even though the overwhelming majority of VoIP calls will occur uneventfully between two or more trusted individuals—in much the same way that most data sessions take place securely today—the public will focus on extraordinary examples of "the call that went bad." Our challenge is to restrict these incidents to the best of our abilities.
What Is VoIP?
Although VoIP, IP Telephony, and Converged Networks all have slightly different definitions, they often are used interchangeably. In this book, we will do the same. When using any of these terms, we are talking about the structures and processes that result from design and implementation of a common networking infrastructure that accommodates data, voice, and multimedia communications. Today, it is all about voice. There are plenty of examples of streaming video, but the enthusiasm today is to replace circuit-switched voice with packet-switched voice within the enterprise and at home across broadband connections.
Why is this happening now? IP telephony adoption is ramping up dramatically for a number of reasons: traditional PBXs and related telco equipment that was upgraded as organizations prepared for Y2K is beginning to reach end-of-life; IP switches are cheaper and potentially offer more features than traditional PBXs; data system administrators and their networks have become more mature, and thus, can support the quality of service that VoIP services require; and VoIP technology (particularly the products) have gotten better. VoIP is attractive to organizations and to broadband end-users as they attempt to derive more value from an infrastructure that is already paid for.
What does converging voice and data on the same physical infrastructure promise? First, we may actually lower costs after all, due to the economies of supporting one network instead of two. Organizations also will save money on toll bypass, intralata regional toll (also known as local toll) charges, and all the "extra" services that POTS providers currently bill for.
VoIP, from a management and maintenance point of view, is less expensive than two separate telecommunications infrastructures. Implementation can be expensive and painful, but is repaid in the form of lower operating costs and easier administration. The pace and quality of IP application development is increasing in step with VoIP adoption. Features that were unavailable on traditional systems, such as "click-to-talk" with presence awareness, can rapidly be modified and deployed. Even voice encryption, which in the past was limited to select organizations, can now be used by anyone in a VoIP environment.
An often overlooked benefit of converging data and voice is that organizational directories often are updated and consolidated as part of the VoIP deployment process. This not only enables economies in and of itself but also makes features such as Push Directories possible. Push is the capability of an application using the WML protocol to send content to the telephone. IP transforms the everyday telephone into an applications-enabled appliance. The addition of push enables phone displays and/or audio to support a variety of applications (Web browsing, time reporting, emergency alerts, travel reservations, account code entry, announcements, branding via screensaver, inventory lookups, scheduling, etc.).
Excerpted from How to Cheat at VoIP Security by Thomas Porter Michael Gough Copyright © 2007 by Syngress Publishing, Inc.. Excerpted by permission of Syngress Publishing, Inc.. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Table of ContentsChapter 1: Introduction to VoIP Security
Chapter 2: The Hardware Infrastructure
Chapter 3: Architectures
Chapter 4: Support Protocols
Chapter 5: VoIP Threats
Chapter 6: Confirming User Identity
Chapter 7: Security Monitoring
Chapter 8: Segregating Network Traffic
Chapter 9: VoIP IETF Encryption Solutions
Chapter 10: Skype Security
Chapter 11: Skype Firewall Setup
Appendix A: Sample VoIP Security Policy