Monthly Archives: October 2010

VOIPSA 2.0

It’s been over 5 years since the Voice over IP Security Alliance was born.  A small group of us originally aimed to fill a very large gap in the voip security landscape. Namely that outside of IETF meetings, the thought leaders in the carrier, vendor, and security industries didn’t really have many other vehicles to discuss and address security issues in VoIP.  VOIPSA was and is meant to bring those people together by promoting security research, testing methodologies, tools, and most importantly, discussion.

The need for VOIPSA is greater than ever, and we need fresh input to evolve to the next phase.  My professional interests have changed recently so that I will no longer have the time to devote as Chairman.

It gives me great pleasure (and relief) to announce that Dan York has graciously agreed to step up as our new Chairman and fearless leader. I am also pleased to announce that Jonathan Zar has agreed to continue on in the meantime as Secretary.  Dan and Jonathan have been instrumental since the beginning of VOIPSA in setting up the organization with me and evangelizing many of the issues that still plague VoIP deployments today.  Many of you already know Dan from his podcasts, his conference speaking, and his prolific blogging on Voipsa.org, and Jonathan from his industry leadership and venture expertise.

You’ll be hearing from Dan and Jonathan in the near future on the vision and next steps at relaunching VOIPSA.  Thank you to everyone I’ve worked with over the last 5+ years who have given selflessly of their time and effort to VOIPSA.

-dave

David Endler
david.endler@voipsa.org

Firesheep – a new tool for capturing data on unsecured WiFi

This isn’t about VoIP, per se, but it is about the threat we’ve long talked about of transmitting data over insecure WiFi networks. At the Toorcon 12 conference this week, Eric Butler and Ian Gallagher released a Firefox add-on called “Firesheep” (view their Toorcon slides) that scans an insecure WiFi network for login credentials passed as cookies and then, with a single click, lets you login to those accounts. Some of the reports:

TechCrunch followed up with a post about how to protect yourself – by forcing SSL connections:

Although as noted in the comments, that doesn’t always work.

While this Firefox add-on is focused on the security of social networks, there are many other services out that there are sending data unprotected over networks.

In the end, we need more SSL (or “TLS” to those who understand the difference) – and other end-to-end technologies – to give us a safer Internet. Sadly, it will probably take proof-of-concept apps like this to make people pay attention.

Wall St. Journal – Denial of Service attacks on phones responsible for $70 million fraud losses

wsj.jpgHave you received a barrage of phone calls to your number? If so, you may be in the process of being victimized, according to a Wall St. Journal article over the weekend called “Preventing a Hack Attack.” The article outlines how a cyber-theft ring that was broken up last week used automated dialing programs to tie up users’ phone lines while the attackers were raiding bank and brokerage accounts to the tune of around $70 million in losses.

Per the article, the attack had two components. First a malware program went out through email messages and attachments. Once a user clicked on it, the trojan searched the local computer for usernames and passwords for brokerage or online banking accounts and sent that info back to the attackers. Second:

At the same time, victims’ phones were tied up with a barrage of phone calls, according to the federal complaints, preventing them from contacting their bank or brokerage. Busy signals also prevented fraud monitors at the institutions from contacting victims, according to FBI officials who were interviewed before the announcement of the arrests.

The telephone bombardments lasted as long as a week, sometimes forcing victims to disconnect their lines or switch phone numbers, which bought the suspects time to raid their accounts.

The reality today is that our VoIP infrastructure makes these kind of automated attacks trivial to carry off – and they will only continue to grow as an attack mechanism. The equipment to carry off those attacks can simply be open source software running on servers or even virtualized into a cloud (or distributed on a botnet). Connections to VoIP providers which can then get you PSTN access are both trivial and incredibly cheap.

The article’s recommendations about how to protect yourself were the typical basic steps… use secure passwords, change them often, ideally use a separate computer for online banking (I highly doubt people will do that), use anti-virus, don’t open untrusted attachments, etc. For protection against malware, those are all certainly viable strategies.

For protection against a DoS on your phone number? Not so much. That kind of protection requires more systemic steps within the larger infrastructure – and is at odds with the fundamental aspect of the PSTN where anyone can call anyone else.

Welcome to our brave new world…

VoIP Firewall: Telephony vs Security world

During that period i started to deeply understand and evaluate matters related to the protection of VoIP related infrastructure against attacks and the diffused technologies for signaling and VoIP encryption.

I investigated the concept of “SIP Firewalls” and “VoIP Firewalls” and found that in this area there’s a lot of confusion and misunderstanding among the IT/Telephony and IT Security users given the fact that the VoIP telephony and IT Security world usually speak a different language.

I understood that there is a clear increasing interest by IT security world in VoIP protection even if most of the VoIP security product out there are more oriented to Telephony specialist than to Security specialist.

Security products or telephony products?

The market is very fragmented and it’s plenty of

  • Telephony Gateway doing something about Security
  • Telephony PBX with some Security feature
  • Security Gateway doing something about Telephony

It must be clearly identified whether a specific kind of device/product it’s something “doing more things about security” or “doing more things about telephony” .

That’s especially important because it must be understood whether a product can be used by who works in security or by who works in telephony, also because the knowledge required to approach a security product it’s different to approach a voip product.

I know plenty of VoIP specialist that doesn’t know about UTM, IPS, DPI and VPN technologies.

I know plenty of Security specialist that doesn’t know about SIP, RTP, VoIP protocols and architectures.

Finding out specialist of VoIP and Security together it’s a rare thing.

So it’s relevant to look at the full feature set and at the USP (Unique Selling Points) of various products to identify whether a product it’s something for the Telephony part of the world or for the Security part of the world.

We must expect that a Security product require very little understanding of Telephony while a Telephony product require very little understanding of Security.

What SIP/VoIP Firewall do?

When we glue together the terms “VoIP/SIP” and “Firewall” we generally have different understanding depending on the world from where we come.

Especially different kind of users consider valuable completely different kind of product features that can be identified as follow:

Telephony world

  • Networking and NAT related issue resolution
  • SIP compatibility among different vendors
  • Quality of Service and traffic prioritization
  • Easier VoIP trunking

Security world

  • SIP security protocol inspection
  • Closing doors by letting only minimum traffic to goes in/out firewalls (ip filtering)
  • Denial of Service prevention
  • SIP signaling and voice encryption

That said it’s clear that the expectation of what a “SIP Firewall” should deliver it’s perceived very differently among different sectors.

Telephony world care about making things works and dealing all networking/NAT/compatibility pain of VoIP, especially because of the need to integrate very old and big PBX with new extensions.

Security world care about protecting the server behind their firewalls against intrusion and information integrity/confidentiality (eavesdropping for phone calls).

Organization issues

From the organization point of view it’s also highly relevant to understand the different duties and behaviour related to Security department and IT/telephony department.

Security guys are the ones who manage the security control the firewalls and have the authority of defining what exit to the internet and that can get inside the different levels of corporate perimeters (such as DMZ and internal networks). When someone from within the organization need to expose a service to the internet they are the one saying yes/no and at which conditions.

Requests to expose internet services could come from the IT department for some server but also the accounting department for SAP and even the marketing department for some website.

When request come for telephony equipment the security always get worried.

That’s because the typical firewall setup use NAT and the Telephony guys know that putting a VoIP server behind a NAT, even controlled by a firewall could be very problematic for what’s related to the SIP protocol handling.

So Telephony guys ask to Security guys to have their gateway placed outside the firewall.

Aaaaaaaaaaargh! The Security guy will say! That’s not possible! The traffic flow must be under our control! Otherwise how could we protect the VoIP infrastructure from attacks delivered via SIP protocol and Denial of Service?

So the relationship between Security world and telephony world in a large organization can be very problematic.

Now add the fact that the Security department may require to protect the confidentiality of mobile and landline phone calls, something that’s considered a really sensitive matter and cannot be delegated to the IT/Telephony.

Who have to handle the VoIP encryption project? The Telephony department know about VoIP but only a few about Security or but the Security department know about security/crypto but only few about VoIP.

So the matter can be complicated, even more if the infrastructure and hardware/software setup include multiple different technologies and/or particular telephony services (such as multiple trunking, IVR, Queue, Call forwarding, etc, etc) that are out-of-the-scope respect to the need of protecting phone call.

Now, let’s see what’s on the market?

Let’s make some review of what’s on the market.

I will just refer the major and more known products by splitting products in 3 different categories (It’s oversimplified but effective) :

  • VoIP firewalls with voice encryption
  • VoIP PBX with VoIP encryption
  • Firewalls with SIP protection

The first two sets are products dedicated to Telephony world where a specific telephony related knowledge is required while the Firewall, now referred as UTM (Unified Threat Management) are systems requiring specific IT security knowledge.

VoIP firewall with voice encryption

The described below VoIP firewall does all the typical VoIP firewall features related to NAT/Networking, Quality of Service and SIP compatibility, but provide also an external interface to connection VoIP clients with voice encryption protocol with SIP/TLS and SRTP.

UM LABS SIP Security Controller

Ingate Firewalls

SIPera UC-SEC SIP firewall

If the specific infrastructure is using and old and outdated PBX software that may be difficult to be upgraded, then as a workaround a SIP firewall it’s needed.

If a specific infrastructure is using modern PBX software with basic security features, then a SIP firewall it’s not usually needed.

VoIP PBX with Voice Encryption

There are several PBX and SBC (Session Border Controller) that speak the VoIP encryption technologies of SIP/TLS and SRTP and among them the most known are:

Asterisk 1.8

FreeSWITCH 1.0.3

Cisco VoIP PBX and SBC

All those VoIP equipments already support signaling and voice encryption without any need of adding different piece to the puzzle and those PBX can be connected to existing PBX acting as a gateway between secure users and existing users on old internal PBX.

For what apply to the protection against brute forcing and extension enumeration (finding your VoIP phone account on PBX) most now PBX support some native protection features while additional protection can be always provided with the pluggable anti-brute-force and anti-user-enumeration module such as ossec (For Asterisk and for FreeSWITCH) or Fail2ban .

Firewalls with SIP protection

Within the environment of firewalls we can find two different kind of SIP related features:

  • SIP Security Inspection: For enforcing SIP protocol inspection and direct attack protection
  • SIP ALG: For fixing NAT and SIP related networking issues

We are interested only in the device that provide a wide level of protection and will not refer Firewalls that just do SIP ALG for NAT adaptation.

While SIP protection is provided by Sonicwall, Checkpoint and Fortinet i think would say that Cisco is the most advanced one as it’s the only Firewall that support natively also VoIP encryption by leveraging the concept of VPN to VoIP.

Cisco ASA Firewall SIP/TLS Proxy and Phone Proxy (For SIP/TLS + SRTP)

Fortinet Fortigate Voice Over IP Protection over and SIP Security configuration manual

Checkpoint Firewall VoIP protection (Inspect SIP/TLS with this SIP protocol enforcement )

Sonicwall Firewall VoIP protection Base and Advanced

Sounds confused? Get a short comparison.

Maybe yes, because if you are not specifically VoIP knowledgable or very Security knowledeable it may be different to understand which product fit a specific scenario.

I tried below to make a comparison of various feature set of VoIP Firewalls, Firewalls and VoIP PBX with security features.

NOTICE: The following analysis has been done by looking at websites and configuration manuals of various vendor without deep testing in laboratory!

Product SIP/TLS SIP protocol sanitization SIP aware IP Firewall SRTP Voice Encryption SIP Brute Force Protection SIP Enumeration Protection DOS (flooding) protection
Cisco ASA Firewall YES YES YES YES YES (connection-limit) YES YES
Checkpoint Firewall YES YES YES NO NO NO YES
Fortinet Fortigate Firewall NO YES YES NO YES (rate-limit) YES (rate-limit) YES
Sonicwall UTM Firewall NO YES YES NO NO NO YES
UM LABS SIP Security Controller YES YES YES YES YES YES YES
SIPERA UC-SEC YES YES YES YES YES YES YES
Ingate SIP Firewall YES YES YES YES YES YES YES
Cisco IOS/CallManager PBX YES YES* N/A YES YES (connection-limit) YES YES (IP/FW/IDS IOS)
Asterisk PBX YES YES* N/A YES YES** YES YES**
FreeSWITCH PBX YES YES* N/A YES YES** YES YES**

* By default are quite strict at protocol compliance given their wide diffusion on the market

** With additional tool such as Fail2ban and OSSEC

*** When authentication is properly setup (all users must authenticate to do any actions in speaking with the PBX) there’s automatic call hijacking protection

Please note that modern PBX with security features already provide most of the required SIP protection, it’s obviously a matter of configuring it properly (for example enabling only authenticated SIP registration/calls, only over SIP/TLS encrypted channels with SRTP encrypted media flow).

Ok, but what do i need? It depends!

It’s not straightforward to say what kind of protection do you need, and mostly depend on what do you want to do and what do you already have in-house.

The two common scenario we can expect is:

a) The need is to expose to internet one PBX in order to establish a VoIP trunk with another PBX

In such case you may have two situation that will tell you whether to implement or not some custom Security Gateway by answering such questions:

  • Does your corporate PBX it’s old, legacy, not updated since a lot of time?
    • You need a VoIP firewall
    • OR
    • You can add a VoIP PBX with VoIP Encryption properly configured and add some little security add-on and configure it as a Gateway
  • Does your corporate PBX is a modern PBX with SIP/TLS along with strict authentication checking?
    • You could need to have a Firewall with SIP/TLS inspection feature (Cisco or Checkpoint)

b) The need is to implement VoIP encrypted calls for roaming users outside corporate perimeter

In such case you must first ask yourself some questions:

  • Does your existing VoIP equipment is compatible with the Security protocols used to provide Secure VoIP (SIP/TLS + SRTP) to roaming users?
    • You need a Firewall with SIP/TLS feature
    • OR
    • You can keep your VoIP PBX with VoIP Encryption properly configured and add some little security add-on (anti-bruteforcing, local firewall)
  • Does your existing VoIP equipment is not compatible with the Security protocols used to provide Secure VoIP (SIP/TLS + SRTP) to roaming users?
    • You need a VoIP Firewall

However in all case, if you already have a Checkpoint Firewall or a Cisco ASA, i suggest to however let them does the activity of SIP inspection and dynamic firewall port opening.

What to expect in future?

My conclusion is that the IT Security world is now starting considering serious VoIP security related issues and that there is a growing adoption of signaling and media encryption for Large Enterprise users.

While Private and Government users still need to use ZRTP, because of it’s unique end-to-end encryption feature, Enterprises are adopting SIP/TLS and SRTP given the end-to-site security model requirements.

What we can expect to see in the near future is the upcoming introduction of SRTP features into the big player of Firewall market with a concept of Voice VPN exactly like Cisco has already done with it’s own Cisco ASA.

At the same time every day more PBX start implementing security features for signaling and media encryption.

My feeling is that in the near future the VoIP Firewall market will became much more Telephony market oriented, as the Firewalls will start see improvements in their VoIP protection features along with Voice VPN functionalities.

At that time the security guys will have the VoIP security features included in their already installed Firewalls with a software upgrade and will not care anymore about VoIP Firewall.

What reasonably we should expect is also to see in upcoming year are Hardened PBX distributions that will include by default advanced security features, suitable for security departments.

Fabio Pietrosanti (naif) – http://fabio.pietrosanti.it