
Voice over IP Security


Academic year: 2021


Patrick Park

Cisco Press


800 East 96th Street


Contents

Introduction

Part I VoIP Security Fundamentals

Chapter 1 Working with VoIP

VoIP Benefits
VoIP Disadvantages
Sources of Vulnerability
IP-Based Network Infrastructure
Open or Public Networks
Open VoIP Protocol
Exposed Interface
Real-Time Communications
Mobility
Lack of Security Features and Devices
Voice and Data Integration
Vulnerable Components
Myths Versus Reality
Legacy Versus VoIP Systems
Protecting Networks Using Strict Authentication and Encryption
Protecting Networks Using a Data Security Infrastructure
Summary
End Notes
References

Chapter 2 VoIP Threat Taxonomy

Threats Against Availability
Call Flooding
Malformed Messages (Protocol Fuzzing)
Spoofed Messages
Call Teardown
Toll Fraud
Call Hijacking
Threats Against Confidentiality
Eavesdropping Media
Call Pattern Tracking
Data Mining
Reconstruction
Threats Against Integrity
Message Alteration
Call Rerouting
Call Black Holing
Media Alteration
Media Injection
Media Degrading
Threats Against Social Context
Misrepresentation
Call Spam (SPIT)
IM Spam (SPIM)
Presence Spam (SPPP)
Phishing
Summary
End Notes
References

Chapter 3 Security Profiles in VoIP Protocols

H.323
Overview
Components
Basic Call Flow
Security Profiles
H.235 Annex D (Baseline Security)
H.235 Annex E (Signature Security)
H.235 Annex F (Hybrid Security)
SIP
Security Profiles
Digest Authentication
Identity Authentication
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Secure RTP
TLS
IPSec
MGCP
Overview
Basic Call Flow
Security Profiles
Summary
End Notes
References

Chapter 4 Cryptography

Symmetric (Private) Key Cryptography
DES
3DES
AES
SubBytes
ShiftRows
MixColumns
AddRoundKey
Asymmetric (Public) Key Cryptography
RSA
Digital Signature
Hashing
Hash Function (MD5)
SHA
Message Authentication Code
MAC Versus Digital Signature
Key Management
Key Distribution
Summary

Chapter 5 VoIP Network Elements

Security Devices
VoIP-Aware Firewall
NAT
Session Border Controller
Lawful Interception Server
Service Devices
Customer Premise Equipment
Call Processing Servers
PAP Versus CHAP
RADIUS Versus TACACS+
Summary
End Notes
References

Part II VoIP Security Best Practices

Chapter 6 Analysis and Simulation of Current Threats

VoIP Spam
Voice Spam
IM Spam
Presence Spam
Mitigation
Content Filtering
Turing Test
Reputation System
Address Obfuscation
Limited-Use Address
Consent-Based Black/White List
Summary
End Notes
References

Chapter 7 Protection with VoIP Protocol

Authentication
User-to-Proxy Authentication
User-to-User Authentication
Encryption
Message Encryption (S/MIME)
S/MIME Certificates
S/MIME Key Exchange
Formatting S/MIME Bodies
Media Encryption
Key Derivation
SRTP Packet Processing
SRTPTest
Transport and Network Layer Security
Transport Layer Security
IPSec (Tunneling)
Threat Model and Prevention
Registration Hijacking
Impersonating a Server
Tearing Down Sessions
Denial-of-Service and Amplification
Limitations
Digest Authentication Limitations
S/MIME Limitations
Summary
End Notes
References

Chapter 8 Protection with Session Border Controller

Border Issues
Between Access and Core Networks
Between Core and Peer Networks
Access and Peer SBCs
SBC Functionality
Network Topology Hiding
Example of Topology Hiding
DoS Protection
Policy-Driven Access Control
Hardware Architecture
Overload Prevention
Registration Timer Control
Ping Control
Load Balancing
NAT Traversal
Lawful Interception
Other Functions
Protocol Conversion
Transcoding
Number Translation
QoS Marking
Service Architecture Design
High Availability
Active-Standby
Active-Active
Network Connectivity
Service Policy Analysis
Virtualization
Optimization of Traffic Flow
Deployment Location
Media Control
Summary

Chapter 9 Protection with Enterprise Network Devices

Firewall
ASA and PIX Firewalls
Routed Mode
Transparent Mode
TLS Proxy Feature
Configuration Example
FWSM Firewall
Routed Mode
Transparent Mode
Configuration Example
Limitations
Unified Communications Manager Express
Access Control
Phone Registration Control
Secure GUI Management
Class of Restriction
After-Hours Call Blocking
Unified Communications Manager
Security Features and Certificates
Integrity and Authentication
Image Authentication
Device Authentication
File Authentication
Signaling Authentication
Digest Authentication
Authorization
Encryption
Signaling Encryption
Media Encryption
Configuration File Encryption
Configuration Guideline
Access Devices
IP Phone
Switch
Mitigate MAC CAM Flooding
Prevent Port Access
VLAN ACL
Deployment Example
Summary
End Notes
References

Part III Lawful Interception (CALEA)

Chapter 10 Lawful Interception Fundamentals

Definition and Background
Requirements from Law Enforcement Agents
Reference Model from an Architectural Perspective
AF (Access Function)
DF (Delivery Function)
CF (Collection Function)
SPAF (Service Provider Administration Function)
LEAF (Law Enforcement Administration Function)
Request and Response Interfaces
Operational Considerations
Detection by the Target Subscriber
Address Information for Call Content Interception
Content Encryption
Unauthorized Creation and Detection
Call Forwarding or Transfer
Capacity
Summary
End Notes

Chapter 11 Lawful Interception Implementation

Intercept Request Interface
SIP P-DCS Header
Intercept Process Flow for Outbound Call
Intercept Process Flow for Inbound Call
Cisco SII
Device Interfaces
Intercept Process Flow for Standard Call
Intercept Process Flow for Forwarding Call
Intercept Process Flow for Conference Call
Predesign Considerations
Call Data and Content Connection Interfaces
Call Content Connection Interface
Call Data Connection Interface
CDC Messages
Interface Between MD and LEA
Summary
End Notes
References
