Category Archives: SIP

“Secure SIP Trunking” Webinar next week – April 10, 2008

How can you make SIP trunking secure? Is there such a thing as “secure SIP trunking”? Can SIP trunks and VoIP actually be more secure than the PSTN?

All those questions and more will be the subject of a webinar next week sponsored by Ingate Systems (and announced today) in which I will be a participant called “Secure SIP Trunking: What You Need to Know”. The webinar will cover:

  • Security misconceptions, challenges and requirements
  • VoIP vs. PSTN: How SIP Trunks and VoIP can be more secure than traditional telephony
  • The security measures you need; and those you don’t
  • The basics of enterprise security and VoIP: SRTP, TLS and NAT traversal
  • New security technologies
  • Future-proofing your network for new security threats

Now, obviously this webinar is sponsored by Ingate so the solutions offered will involve their products. My role will be to talk about VoIP security in general and issues around securing SIP trunks. It should be an interesting session and you can easily register if you would like to attend. There is no charge.

The webinar will be on Thursday, April 10th, at 2:00pm US Eastern time, 11:00am US Pacific time.

NOTE: VOIPSA does not directly endorse, recommend, or promote products from any vendors. Our mission is to raise the level of discussion around VoIP security issues and so we are glad to participate in any relevant educational efforts such as webinars, conferences or other events. We are participating in this and other events sponsored by Ingate simply because they asked us and the events seemed in line with our overall mission. If you would like VOIPSA participation in an event you are sponsoring, please contact a VOIPSA Board Member about the possibility.


Does VoIP Exist?

This was a question I asked at the recent VON conference in San Jose, CA. Of course we talk a lot here about VoIP Security, but actually if we take a step back, is VoIP itself any longer a meaningfully separate concept? The thing is that technology moves on, and maybe some people care whether they are connected via cable or ADSL, but pretty much, the average Joe is happy that “broadband” is magic that provides fast Internet. Today there’s still talk about “WiFi” as a distinct technology, but WiMax, LTE and mobile broadband (EVDO, UMTS etc) are on the rise, and within a couple of years, we’re all likely to have forgotten which technology we’re using to connect to the Internet.

So my thesis is that IP is so very intrinsic to the nature of all telecoms today, that it’s probably not even worth using “Vo” any longer. Why should I say that? Well firstly, SS7, the mainstay of today’s international telecoms network, in many cases uses IP to carry the signalling traffic, using the protocol family known as Sigtran. In traditional telecoms, media and signalling has long been split, with SS7 connecting the calls, and a parallel network of E1/T1 links carrying the voice calls. The long established estrangement of media and signalling continues into the NGN world, with signalling now mostly meaning SIP, and the media usually RTP, but there is still a world of choice. When SS7 meets SIP we can often find ISUP (the call control protocol most widely used by telecoms incumbents) being tunnelled using protocols like SIP-I and its twin (in the iron mask) SIP-T. In the “legit” SS7 community we find that BICC (Bearer Independent Call Control) allows us to connect calls in a way familiar to all fans of ISUP, and yet the calls themselves don’t need to be 64k bearer channels any more, but can also be the IP-friendly RTP streams.

This is not a fashion, but simply an evolution. Today, when telcos federate, it is largely using traditional TDM lines, and traditional SS7 protocols. But this is changing: it’s very cheap and convenient to interconnect using Sigtran, and there is much talk about how to connect calls using “codec free” operation: that is, to pipe the audio unchanged from end to end, to optimize audio quality and bandwidth usage. The GSM Association are promoting a system called IPX, which will allow mobile carriers to interconnect using IP, such that not only signalling and media are seamlessly interconnected (via a private intranet), but also settlement data will automatically be exchanged, so that every telco knows what they owe to every other party.

If I may press my point further, in many projects the traditional TDM core is being removed in favour of a big SIP router surrounded by a ring of session border controllers (SBCs). One major factor in these projects is that the customers are still today 80/20 connected via traditional E1/T1 or SS7 networks, which means that part of the magic is a media gateway that knows how to talk both SS7 and SIP. So SIP networks have TDM customers, and your Granny may already be using IP without even knowing it.

So does VoIP exist? When IP is such a fundamental tool in what we know as “legacy” telco networks, perhaps it does not. Consequently does VoIP Security exist? Well as we’ve often discussed here at the VoIPSA blog before, when you start moving voice traffic over your IP network, then you have all the voice system vulnerabilities plus all the IP vulnerabilities that just arrived at your doorstep. Perhaps actually the truth is that nearly all voice is already VoIP, so VoIP security is not just an enterprise concern, but is actually a core issue for every telco on the planet.

Hacking ZyXEL Gateways

An interesting paper recently published by Adrian Pastor of ProCheckup discusses vulnerabilities and attacks against ZyXEL gateways, including (yikes) Remote wardriving/attacking internal networks over the Internet, among others:

  • Privilege escalation from “user” to “admin” account
  • SNMP read and SNMP write access enabled by default
  • Persistent XSS via SNMP
  • Poor session management allows hijacking of admin sessions
  • Authentication vulnerable to replay and password cracking attacks
  • Disclosure of credentials

Considering the code reuse among various products made by most vendors of these residential gateways, not to mention the widespread deployment by service providers, I think it would be quite interesting for VOIPSA folks to expand on Adrian Pastor’s work and pursue this type of testing on some of the VoIP gateway products that ZyXEL offers, specifically the Analog Telephone Adapter, Station Gateway and Integrated Access Device to start. Also, the web interfaces of embedded devices like these are especially problematic from a security perspective, and it’s well worth a look at another one of Adrian Pastor’s papers over at OWASP.

    “So what” you might say about the security of these types of devices? Well, SANS diary notes some strange things afoot at the Circle K with Dlink, and there is the recent BT Home Hub CVE-2008-1334 vulnerability. More routers and details at GNU Citizen’s router hacking challenge.

    Info on how to listen remotely to today’s RUCUS session at IETF

    If you are interested in listening in to today’s session here at IETF about “Reducing Unwanted Communications Using SIP” (RUCUS) which I’ve mentioned previously, I’ve posted information about how to participate in IETF remotely. The RUCUS session takes place from 1300-1500 US Eastern time today.

    Streaming audio should be available on ietf71-ch4.

    Jabber group chat should be available as well, but I don’t know yet in which chat room it will be. There isn’t yet a chat room on the IETF server for ‘rucus’. I’ll update this post once I know where the chat room is.

    UPDATE: A request is in to create the ‘rucus@jabber.ietf.org’ room. If that room isn’t created in time, we’ll use the SIPPING room at ‘sipping@jabber.ietf.org’. We’ll announce on the streaming audio which one we are using.


    Web page for RUCUS BOF at IETF 71 now at new URL

    As I mentioned previously (here and here), the “RUCUS” BOF about voice spam at IETF 71 in Philadelphia is one of great interest with its focus on voice spam, a.k.a. “SPam for Internet Telephony” or “SPIT”. Unfortunately BOF co-chair Hannes Tschofenig ran into a problem with his domain and had to move the page to a new URL: http://www.shingou.info/bof-rucus.html

    If you saved the URL or sent it on to someone, you’ll need to update to using the new URL. If you didn’t visit the RUCUS page before, please do check it out – and feel free to join the RUCUS mailing list. Of course, if you can, please do join us in person in Philadelphia!


    Slides about Peer-to-peer SIP (P2PSIP) security now available

    Want to learn more about the VoIP security aspects of peer-to-peer SIP? As I mentioned in the VOIPSEC mailing list last week, researchers from Huawei and the University of California recently released an Internet-Draft called “P2PSIP Security Analysis and Evaluation” which dives into an analysis of security issues in P2PSIP. It’s a good overview and one I’d strongly recommend to folks. (Note – you may want to read “P2PSIP Concepts” first to understand the language being used.)

    Beyond the Internet-Draft, though, the researchers announced yesterday that their slides are now available (PPT) that go into the issues. These are being prepared for presentation at the upcoming IETF 71 meeting March 10-14 in Philadelphia, so if you are attending the event you’ll be able to hear the presentation yourself.

    Peer-to-peer SIP is a fascinating area of current research and it’s good to see work like this being put into exploring the security aspects. Note – the researchers are looking for feedback so if you have comments on what you read, their contact information is in the Internet-Draft.


    Join the new RUCUS mailing list if you want to look at ways to end SPIT!

    As mentioned previously, there is a new session planned for IETF 71 in March called “Reducing Unwanted Communications Using SIP”, a.k.a. “RUCUS”.

    The RUCUS mailing list is now open for subscriptions and we encourage anyone interested in looking at how we address the issue of voice spam, aka “Spam for Internet Telephony” aka “SPIT” to join into the conversation.

    We would ask you to please read the group description prior to joining so that you understand what we are trying to do. The primary goal of this session in March in Philadelphia is to look to understand the architecture necessary to address the issue and identify the pieces of that architecture that may already be there or may need to be put in place.


    Cisco’s Slew of Vulnerabilities

    Yesterday, Cisco released an advisory detailing a number of vulnerabilities which covered most recent versions of their IP phones, essentially the “Unified IP Phone” set of products, running both firmwares for SCCP and SIP. The covered vulnerabilities include a DNS Response Parsing Overflow, a Large ICMP Echo Request DoS, an HTTP Server DoS, an SSH Server DoS, a SIP MIME Boundary Overflow, a Telnet Server Overflow, and a SIP Proxy Response Overflow. Essentially, a wide range of vulnerabilities covering a number of the devices’ services and functionality.

    While it’s good that Cisco is actively taking steps to improve their products and is actually informing customers and the security community about the devices’ security issues via security advisories, the scope and number of vulnerabilities involved in this one advisory seem to still be fairly indicative of the state of security for new VoIP products hitting the market, especially user agents and client devices. It would seem that as the rush continues for VoIP innovation and a quick-to-market product, much of these products’ security assessment due diligence, not to mention many of their security features, is still being left in the dust… Or at best, left for a firmware or software update post-launch.

    Blue Box Podcast Special Edition #23 – An Interview with Bob Bradley of Sonus Networks

    Blue Box Special Edition #23 is now available for download. In this podcast I sat down with Bob Bradley from Sonus Networks to talk about their products and solutions, how they secure customers’ networks and how they are different from other similar products in the market. I believe you’ll find it an interesting and useful introduction to the company.


    End-to-end VoIP security using DTLS-SRTP? (A new proposal…)

    As we’ve discussed both here and on Blue Box, the issue of securing the keys for Secure RTP is one of the remaining challenges to have secure voice transmission in the open standards world of SIP. Out of the large number of proposals to secure the key exchange, “DTLS” emerged as the choice of the IETF… but it still had the issue that an endpoint needed to be sure of the authenticity of the other endpoint’s certificate. SIP Identity (RFC 4474) and a draft “Identity-Media” from Dan Wing addressed the authenticity issue but broke in some common network configurations. Now Kai Fisher has put out an Internet Draft called “End-to-End Security for DTLS-SRTP” that proposes a mechanism to address that. In the post to the SIP mailing list, Kai explains the motivation:

    I have submitted a draft proposing a solution to secure a DTLS-SRTP handshake and hence SRTP end-to-end (in terms of end-domain to end-domain). As discussed during the last IETF meetings and analyzed by Dan’s Identity-Media draft, current solutions like SIP Identity do not protect the authenticity of the fingerprint end-to-end in certain inter-domain scenarios. For example, a modification of SDP m-/c-lines or the From header field by intermediaries breaks the SIP-Identity or Identity-Media signature and causes a re-signing by a domain different to the originating one. The draft proposes a solution for such scenarios without the need to re-sign during domain traversal and which preserves the original identity information.

    The abstract to the draft provides more info:

    The end-to-end security properties of DTLS-SRTP depend on the authenticity of the certificate fingerprint exchanged in the signalling channel. In current approaches the authenticity is protected by SIP-Identity or SIP-Identity-Media. These types of signatures are broken if intermediaries like Session Border Controllers in other domains change specific information of the SIP header or the SIP body. The end-to-end security property between the originating and terminating domain is lost if these intermediaries re-sign the SIP message and create a new identity signature using their own domain credentials.

    This document defines a new signature type ‘Fingerprint-Identity’ which is exchanged in the signalling channel. Fingerprint-Identity covers only those elements of a SIP message necessary to authenticate the certificate fingerprint and to secure media end-to-end. It is independent from SIP-Identity and SIP-Identity-Media and can be applied in parallel to them.

    More details can, of course, be found in the draft. As noted in the post to the SIP mailing list, Kai is looking for feedback. This is an important issue to get done – and to get done correctly – so we strongly urge people to take a look at the document and provide feedback if you see ways the proposal can be improved.
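
The failure mode described above, as an added example that is not part of the original post or the draft: a signature that covers the whole SDP body stops verifying once a session border controller rewrites the c=/m= lines, while one that covers only the fingerprint still verifies and still detects a changed fingerprint. Assumptions: HMAC-SHA256 stands in for the originating domain's public-key signature, all message values are constructed, and the fields covered by the fingerprint-only signature are chosen for illustration and are not the draft's actual field list.

```python
import hashlib
import hmac

# Constructed sample values; the key stands in for the originating domain's private key.
DOMAIN_KEY = b"constructed-demo-key"
HEADERS = {
    "From": "sip:alice@example.com", "To": "sip:bob@example.net",
    "Call-ID": "a84b4c76e66710", "CSeq": "314159 INVITE",
    "Date": "Thu, 21 Feb 2008 13:02:03 GMT", "Contact": "sip:alice@192.0.2.10",
}
SDP = "\r\n".join([
    "v=0", "o=alice 2890844526 2890844526 IN IP4 192.0.2.10", "s=-",
    "c=IN IP4 192.0.2.10", "t=0 0", "m=audio 49170 UDP/TLS/RTP/SAVP 0",
    "a=fingerprint:sha-256 " + ":".join(["AB"] * 32),
]) + "\r\n"


def sign(data: str) -> str:
    # HMAC-SHA256 is a stand-in for the signature a real domain would apply.
    return hmac.new(DOMAIN_KEY, data.encode(), hashlib.sha256).hexdigest()


def whole_message_input(headers: dict, body: str) -> str:
    # RFC 4474 style coverage: selected header fields plus the entire body.
    fields = ["From", "To", "Call-ID", "CSeq", "Date", "Contact"]
    return "|".join(headers[f] for f in fields) + "|" + body


def fingerprint_only_input(originator: str, body: str) -> str:
    # Assumed coverage: originator identity plus the a=fingerprint lines only.
    fps = [l for l in body.split("\r\n") if l.startswith("a=fingerprint:")]
    return originator + "|" + "|".join(fps)


def sbc_rewrite(body: str, relay_ip: str, relay_port: int) -> str:
    # Media anchoring as an SBC performs it: c= and m= now point at the relay.
    out = []
    for line in body.split("\r\n"):
        if line.startswith("c="):
            line = "c=IN IP4 " + relay_ip
        elif line.startswith("m="):
            parts = line.split(" ")
            parts[1] = str(relay_port)
            line = " ".join(parts)
        out.append(line)
    return "\r\n".join(out)


def verify_after_transit(received_body: str) -> dict:
    # Sign what the originating domain sent, then re-check what arrived.
    who = HEADERS["From"]
    checks = {
        "whole_message": (whole_message_input(HEADERS, SDP),
                          whole_message_input(HEADERS, received_body)),
        "fingerprint_only": (fingerprint_only_input(who, SDP),
                             fingerprint_only_input(who, received_body)),
    }
    return {name: hmac.compare_digest(sign(sent), sign(got))
            for name, (sent, got) in checks.items()}
```

If the downstream domain re-signs the rewritten message with its own credentials, the whole-message check passes again but no longer vouches for the originating domain, which is the loss of end-to-end assurance the abstract describes.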
