RE: Voice over IP applications vulnerabilites/attacks ?

["Paul D. Scallan, Jr." <depo () kaufmanandassociates com>]

My reply was essentially......have good network security design at the
enterprise level before you even start to introduce, develop and deploy
VOIP apps.  This is in agreement with Keith's statement also.  However,
some of the phones and phone systems themselves have had problems which
are being addressed.  I might take this moment to state that I did not
mention any vendor in specific; however, find it odd that Keith replied
to mine with vendor specific notations.  Although, credit due, there are
many vendors that have phones and phone systems with problems.  

Keith is right....the VOIP circuit has been relatively left alone on the
intrusion/attack venue.  The problem with a lot of PBX work with VOIP
applications is bad installation planning.  A lot of techs and admins
and managers out there do not stop to consider that a VOIP-phone is not
a hardwire phone.....meaning it is potenitally as vulnerable as if you
put a web server, ftp server (with full anon priv.) and a mail server
(with anon relaying enabled) on a ds3 connection with no firewalling or
proxy services being used.  Meaning....hardware is purchased and slapped
onto an static public IP address behind a router (but still within the
sub-net of a corporate network....).  This is tatamount to inviting
disaster into your very valuable corporate network).  Why take a chance?
But this is only so (as Keith and I stated) if your basic network
security structure is mal-conceived from the get-go and implemented as
such.  

My basic point in my original e-mail:   Don't worry about VOIP-specific
software and hardware security devices......just concentrate on your
core network security layout with a very keen eye on the effect of VOIP
apps behind same.  Like Keith said Security 101....best practice.


PAUL D. SCALLAN, JR.
IT/IS/Production Manager - Paralegal
KAUFMAN & ASSOCIATES, INC.,
VOICERITE! and SCALLAN SERVICES
The Moss Building
109 East Vermilion, Suite 200
Lafayette, Louisiana  70501
337-237-4434 (main)
800-503-2274 (toll-free)
337-234-0715 (facsimile)
337-247-4486 (24 hour mobile)
depo () kaufmanandassociates com
http://www.kaufmanandassociates.com
http://www.voicerite.net
http://www.scallanservices.com
 


-----Original Message-----
From: Keith Stewart [mailto:kstewart () cisco com] 
Sent: Thursday, January 02, 2003 4:04 PM
To: Paul D. Scallan, Jr.
Cc: 'Avi Chesla'; focus-ids () securityfocus com
Subject: RE: Voice over IP applications vulnerabilites/attacks ?
Importance: High


<VendorHat = on>

Cisco produced a White Paper on IP Telephony Security as a part of its
SAFE 
Security Blueprints.

www.cisco.com/go/safe/

It's more directed at the secure network design side of the question
than 
the actual intrusions/attacks side.  A lot of it boils down to Security
101 
- people are going to try and attack your systems, so put some
appropriate 
security policies in place to try and mitigate the risk.  The good thing

with the SAFE docs is the recommendations have all been heavily tested,
and 
the docs include the Cisco configs for the recommendations.

<VendorHat = off>

As far as actual attacks against the systems, AFAIK, there's been no 
significant reported attack against an IP Telephony installation.  In a 
large part, that's because existing installations are typically 
self-contained enterprise or SMB installations, and thus the entire
system 
is protected from external aggressors by your enterprise firewalls (i.e.
no 
conduits in/out for VoIP ports, phones on un-NATed address spaces,
etc.), 
and because VoIP protocols are still relatively unknown by people
outside 
the industry (i.e the most commonly deployed protocol is still H.323,
and 
323 messages are ASN.1 encoded - security through obfuscation, 
anyone?).  But as there's more and more deployments, and the protocols
are 
around longer, it becomes more and more important to make sure security
is 
designed into a VoIP deployment.

Keith

At 12:02 PM 1/2/2003 -0600, Paul D. Scallan, Jr. wrote:
> I am going to assume that you are talking VOIP in the "phone to phone" 
> sense (although the following can apply to any application of VOIP).
>
> I think you will find that certain phones themselves are prone to 
> certain vulnerabilities.  See: 
> http://www.eweek.com/article2/0%2C3959%2C373289%2C00.asp  Mostly the 
> problem with the phones themselves are:  they contain remote-accessible

> code which can be exploited to cause a denial of service, and possibly 
> leak information and the phones are also weak in ways that facilitate 
> man-in-the-middle attacks directed at intercepting telephone traffic.
>
> Also, There are three main vulnerabilities to IP networks and these 
> result from its benefits. While in the traditional voice network one 
> has to tap into a specific circuit to eavesdrop, in an IP network any 
> equipment connected to the corporate LAN can identify, store and 
> playback the VoIP packets that traverse that LAN. The use of shared 
> media by VoIP systems opens the door to some uncertainty as to the 
> source of a call, and may require authentication.  The anonymity of an 
> unprotected, unauthenticated IP network makes it susceptible to hostile

> use, such as prank calls, sending computer viruses or flooding the 
> network.  Despite the above, the vulnerability of an authenticated, 
> protected VoIP network to internal abuse does not markedly differ from 
> traditional telephone networks.  Since there is no such thing as a 
> secure IP network, only secure computing - one must secure the 
> telephones, conversations, computers, and servers. Set up a chain of 
> trust for authentication (encryption), control access (passwords and 
> firewalls), encrypt for privacy, and employ call accounting software to

> establish accountability.  One can achieve some measure of security by 
> strategically allocating sub-nets, and choosing to use IP Switches 
> instead of IP Hubs. However, security considerations should not 
> override routing and traffic accommodations. Firewalls can and should 
> be used to protect segments of a network from hostile traffic. This 
> does not relieve each network device from protecting itself and 
> filtering out undesired communications. Physical and network access to 
> any VoIP server that is used to authenticate users, that controls 
> access to the public telephone network, or that contains potentially 
> confidential information should be locked down and treated with the 
> same security precautions as any server with a confidential database.
>
> Further, another good article: 
> http://www.eetimes.com/story/OEG20021014S0072
>
>
> PAUL D. SCALLAN, JR.
> IT/IS/Production Manager - Paralegal
> KAUFMAN & ASSOCIATES, INC.,
> VOICERITE! and SCALLAN SERVICES
> The Moss Building
> 109 East Vermilion, Suite 200
> Lafayette, Louisiana  70501
> 337-237-4434 (main)
> 800-503-2274 (toll-free)
> 337-234-0715 (facsimile)
> 337-247-4486 (24 hour mobile)
> depo () kaufmanandassociates com http://www.kaufmanandassociates.com
> http://www.voicerite.net
> http://www.scallanservices.com
>
>
>
> -----Original Message-----
> From: Avi Chesla [mailto:avic () V-Secure com]
> Sent: Thursday, January 02, 2003 11:14 AM
> To: 'focus-ids () securityfocus com'
> Subject: Voice over IP applications vulnerabilites/attacks ?
>
>
> Hi,
>
> Is anyone familiar with Voice over IP vulnerabilities/Intrusions, 
> floods etc ?
>
> I heard Checkpoint has some new protection capabilities concerning the 
> issue.
>
>
> Avi