There’s a good discussion going on right now (September 2014) in the VoiceOps mailing list about how you can mitigate SIP threats by configuring the policies and settings on your session border controller (SBC). It started out with a detailed question from Robert Nystrom asking about how to configure an Acme Packet SBC in the most secure manner and asking about how best to configure access control lists (ACLs). Several answers can be seen in the VoiceOps archive from folks such as Ryan Delgrosso, Mark Lindsey, Jim Gast and Patrick McNeil, offering commentary and suggestions about how best to proceed.
This list is for discussions related to managing voice networks, both traditional and IP.
The VOIP Operators’ Group (VOG) charter is to facilitate the creation, maintenance, and operations of Voice over Internet Protocol (VOIP) related networks, products, and services.
Similar to the North American Network Operators’ Group (NANOG), The Voice Operators’ Group seeks to assist in the creation of a robust, stable and growing VOIP ecosystem.
While the topics are definitely not all about security, I would encourage you to join the list if you do anything with the operation of VoIP networks – or if you are just curious to learn more about such networks.
Communications Service Providers and Threat Intelligence Sharing
Panel Discussion: Anatomy of a VoIP DMZ
VoIP Theft: Werewolf or Hydra
Who are You Really Calling? How DNSSEC Can Help
There will also be a “VoIP Security Birds-of-a-feather (BOF)” session tomorrow evening where we’ll be sharing information about VoIP security issues and learning from each other about what issues people are seeing.
Sponsored by the SIP Forum, SIPNOC is an educational event that brings together primarily technical and operations staff from a wide range of telecommunications and VoIP service providers. It is not a trade show, i.e. there is no exhibit hall. It is just focused on providing educational sessions and networking opportunities.
Are you a vendor of SIP software or hardware devices? If so, do you support SRTP or SIP over TLS? If you do – or are thinking about doing so – why don’t you join Olle Johansson for some interoperability testing at SIPit 29, October 24-28, in Monaco?
Olle raised just that suggestion today in the VOIPSEC mailing list and said that he will be there focused on testing VoIP security (and also IPv6). As he said:
Customers need at least first hop TLS and SRTP to work as expected. They also need interoperability between devices. To get interoperability, everyone needs to work with it. It just doesn’t happen by accident. SIPit has been organised twice a year for 15 years in order to get the amount of interoperability we have today in SIP.
If you develop SIP software or devices – register for SIPit now. If you are a customer and have seen issues in this area, remind your vendors to participate. The more we are, the more time we can spend on VoIP protocol security.
The SIPit test events are outstanding places to go and test your software or hardware. For the relatively small fee and your time and travel, you have access to an incredible test bed in the form of all the other vendors participating. Where else will you get to interact with designers and engineers from all the major vendors and not only test your software/hardware, but also re-test your equipment if you try some fixes while you are there.
This week at the SIPNOC event near DC, an attendee asked if I knew of any hosted services that would scan the external interface of a network to see if the VoIP services were secure. He sells SIP connectivity to small businesses, many of whom typically have purchased an IP-PBX from somewhere like a retail store and have minimal IT expertise. He wondered if there was a service he could refer these small businesses to so that they could check the security of their system. Basically something for VoIP along the lines of hosted services like “Shields Up” that will check the security of your firewall.
I didn’t know of such a service, but posted the question to the VOIPSEC mailing list. A couple of people contacted me privately about some services in the works, but then someone did pass along a link to a public service available now:
Now, I’ve not used this service but I’m certainly aware of Sandro Gauci and a number of the different tools he has been working on, including SIPVicious and VOIPPACK. After watching his short video and seeing the sample report, this definitely looks like an interesting service.
Of course, with any hosted service my security paranoia is heightened and I want to know what will be done with my data. Will the scan of my IP-PBX be recorded on the Voipscanner.com servers? Will a copy of my report be saved there? Basically… can I trust the site? In looking through the terms of service after you click the graphic to “apply” for access I didn’t see any wording around this… but it’s also Friday and I’m tired… I could have missed it.
Anyway, this service is out there and for those of you comfortable with using such a service it may be useful for you. If you know of other similar services I’d also love to hear about them.
Tomorrow I will be in Herndon, Virginia, outside of Washington, DC, at “SIPNOC: The SIP Network Operators Conference“. I will be speaking in two sessions (details here), one of which is a panel about “SIP Adoption and Network Security” and will include two other panelists from Acme Packet and Sipera Systems.
The panel discussion is planned to be about what are the primary security issues related to wider deployment of SIP at the network operator / service provider level, and what can we do about them. The discussion will be in a room full of people from various large operators / service providers.
I have my list of topics I intend to raise, but I’m curious about what you all might say… if you were to stand up in front of a room of network operators to talk about how they could improve the security of their SIP networks… or what the major issues are that you see… what would you say?
If you have thoughts, please do leave them as comments here. As I am on the panel representing VOIPSA, I’m certainly glad to incorporate comments from the wider community.
P.S. If you are at SIPNOC this week, please do say hello!
Jalkut said the “cyber attack choked our servers and resulted in a significant loss of service to customers – in most cases an inability to make and receive calls.” But the attack did not impact customers’ Internet or data services.
He goes to say that they have implemented further monitoring and protection, particularly in their session border controllers.
At this point TelePacific indicates they have engaged the FBI to assist in tracking down the external sources of the attack. TelePacific also indicates that they plan to more information during upcoming industry forums and I look forward to hearing more about this. From the bare details provided thus far, it certainly sounds like an attack focused on their SIP infrastructure – and it would be good for the rest of the industry to hear about and learn from.
P.S. Kudos to TelePacific, too, for what appears to be a solid use of Twitter as a way to keep customers and others informed of what was going on during the outage.
Over on the Tekelec blog today, Dorgham Sisalem writes on “DNS and SIP: Threats and Protection“, an area of discussion that, quite frankly, hasn’t really received much attention. DNS plays a vital role in VoIP and unified communications, and so the security around DNS and SIP definitely deserves consideration. The post is not too long, so rather than summarize, I’ll just point you over there…
If you will be in Miami at ITEXPO February 2-4 you are welcome to attend a free “SIP Trunking And Security” session I (Dan York) will be doing as part of Ingate Systems’ SIP Trunking Workshops. The SIP trunking workshops are free to all attendees even if you only register for an exhibit pass.
My session will be 11:15-12:30 on Wednesday, February 3rd, and if you do attend please feel free to come up and introduce yourself (or drop me a note in advance to let me know to look out for you). I’ll be bringing my recording gear, too, and the talk will eventually go out in my Blue Box Podcast feed so you will be able to hear it later.
P.S. If you are attending ITEXPO and your company makes a product or provides a service related to VoIP security, please feel free to let me know and perhaps we can schedule an interview to go out as a Blue Box Special Edition.