Secure your VoIP network with open source
10/22/2009 Confidential © Tech Mahindra 2008
Suhas Desai
Agenda
•VoIP Overview
•VoIP Security Threats & Business Impact
•Possible mitigation considerations
•Commercial Security Tools
•Open source and VoIP
•Role of Open source to secure VoIP
•Case Studies
VoIP Overview
Introduction to VoIP
• VoIP is being rapidly embraced across most markets as an alternative to the traditional PSTN.
• VoIP is a broad term that describes many different types of applications, installed on a wide variety of platforms and using a wide variety of both proprietary and open protocols, all of which depend heavily on the pre-existing data network's infrastructure and services.
• The cost savings of VoIP compared with circuit-switched networks are encouraging companies to move to VoIP.
Issues and Concerns
• VoIP deployment has brought with it many security concerns, such as non-repudiation, authentication, call quality, integrity and privacy, motivating the need for security solutions to deal with these issues.
• In India, VoIP calls to the PSTN are not allowed. For enterprise networks in India, VoIP is an effective solution.
VoIP Security Threats & Business Impact
VoIP Security Threats
• Confidentiality, integrity and authentication
• Privacy
• Non-repudiation
• Social threats
• QoS
Business Impact
Possible mitigation considerations
[1] Deploy VoIP traffic monitors
Monitor connections to log activity and detect fraud.
[2] Employ encryption techniques
Strong encryption techniques provide privacy and confidentiality over the network.
[3] Use voice firewalls
Control inbound and outbound connections by filtering the traffic.
[4] Use adequate security infrastructure such as secure gateways, gatekeepers and proxy servers.
[5] Use IPsec tunneling
IPsec provides secure communication over the network through authentication and encryption.
[6] Conduct regular security audits
Audit the VoIP network regularly for security vulnerabilities.
[7] Use VoIP platforms with adequate security features
Prefer a VoIP platform with built-in security features for development and deployment of VoIP applications.
Commercial Security Tools
Commercial Security Testing Tools
Perform a security assessment of the VoIP network with the tools below.
Open Source and VoIP
Why Open Source?
[1] Source code available, easy to customize, code reuse and redistribution.
[2] Cost savings.
[3] Higher level of security.
Open Source Tools
SIP Proxies: Mini-SIP-Proxy, MjServer, MySIPSwitch, NethidPro3.0.6, Net-SIP, JAIN-SIP Proxy, OpenSBC, OpenSER, OpenSIPS, partysip, SaRP, sipd, SIP Express Router, Siproxd, SIPVicious, sipX, Vocal, Yxa.
SIP Clients: Cockatoo, Ekiga, FreeSWITCH, JPhone, Kphone, Linphone, minisip, MjUA, OpenSIPStack, OpenZoep, PJSUA, QuteCom (ex-Open Wengo), SFLphone, Shtoom, SipToSis, sipXezPhone, sipXphone, Twinkle, YATE, YeaPhone.
SIP Tools: Callflow, Open Source Asterisk AMI, pjsip-perf, miTester for SIP, PROTOS Test Suite, SFTF, SIP CallerID, SIPbomber, Sipp, Sipper, SIP Proxy, Sipsak, SIP Soft client, SIPVicious tool suite, SMAP, Vovida.org load balancer.
H.323 Clients: FGnomeMeeting, ohphoneX, OpenPhone.
H.323 Gatekeeper: GNU Gatekeeper.
RTP Proxies: AG Projects, Maxim Sobolev's RTPproxy, MediaProxy.
PBX Platforms: Asterisk, CallWeaver, OpenPBX, PBX4Linux, SIPexchange PBX, Pingtel's SIP PBX, sipwitch, sipX.
IVR Platforms: Bayonne, CT Server, OpenVXI, SEMS, sipX PBX, VoiceXML.
VoiceMail Servers: Lintad, OpenUMS, SEMS, VOCP.
Development Platforms: H323plus, OpenBloX, Ooh323c, ++Skype.
Fax Servers: Asterisk Fax Email Gateway, Lintad, Hylafax.
Security Testing Tools
VoIP Sniffing Tools: AuthTool, Cain & Abel, Oreka, PSIPDump, rtpBreak, SIPomatic, SIPv6 Analyzer, UCSniff, VoIPong, VoIPong ISO Bootable, VOMIT, WIST.
VoIP Scanning and Enumeration Tools: enumIAX, iaxscan, iWar, SCTPScan, SIP Forum Test Framework (SFTF), SIP-Scan, SIPcrack, Sipflanker, SIPSCAN, SiVuS, SMAP.
VoIP Packet Flooding Tools: IAXFlooder, INVITE Flooder, kphone-ddos, RTP Flooder, Scapy, SIPBomber, SIPsak, SIPp.
VoIP Fuzzing Tools: Asteroid, PROTOS H.323 Fuzzer, PROTOS SIP Fuzzer.
VoIP Signaling Manipulation Tools: BYE Teardown, SipRogue, VoIPHopper.
Role of Open source to Secure VoIP
Best Practices for Securing VoIP with Open Source tools
[1] Monitor VoIP traffic
Continuously monitor VoIP traffic to identify VoIP attacks. Use tools such as SIP-Scan, SiVuS and SMAP.
[2] Use encryption
Apply encryption to endpoint communication. Use SRTP (Secure Real-time Transport Protocol).
[3] Use firewalls
Put the VoIP network behind open source firewalls. Use iptables.
[4] Conduct security audits
Audit the VoIP network regularly for security vulnerabilities and configuration flaws. Use the VoIP Security Audit Program (VSAP).
[5] Secure gateways and gatekeepers
Control the number of concurrent connections to make proper use of bandwidth.
[6] Secure proxy servers
Authenticate and authorize access. Use Asterisk.
[7] Use IPsec tunneling
IPsec provides secure communication over public networks.
[8] Secure VoIP platforms
Prefer a VoIP platform with built-in security features for development and deployment of VoIP applications.
Open source products/tools provide options for:
• Secure configuration of servers
• Secure configuration of clients
• Securing gateways
• Securing firewalls
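An added example, not part of the original slides, of the traffic monitoring called for in best practice [1] and in the traffic-monitor item of the mitigation considerations: a small detector that parses SIP requests and flags a source that sends a burst of INVITEs or REGISTERs for many different extensions inside a time window. The function names, thresholds and sample traffic (documentation-range addresses, host pbx.example.test) are constructed assumptions.

```python
from collections import defaultdict, deque

def parse_request(raw):
    """Return (method, to_user) for a SIP request, or None for a response."""
    lines = raw.splitlines() or [""]
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None                       # responses begin with "SIP/2.0 <code>"
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header section
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    to = headers.get("to") or headers.get("t", "")    # "t" is the compact form
    uri = to[to.find("<") + 1:to.find(">")] if "<" in to else to.split(";")[0]
    user = uri.split(":", 1)[-1].split("@")[0] if "@" in uri else ""
    return parts[0].upper(), user

def detect(events, window=10, invite_limit=20, ext_limit=5):
    """events: (timestamp_s, source_ip, raw_sip_text). Returns {ip: {reasons}}."""
    recent = defaultdict(deque)           # (ip, method) -> deque of (ts, user)
    alerts = defaultdict(set)
    for ts, src, raw in sorted(events, key=lambda e: e[0]):
        method, user = parse_request(raw) or ("", "")
        if method not in ("INVITE", "REGISTER"):
            continue
        q = recent[(src, method)]
        q.append((ts, user))
        while q[0][0] <= ts - window:     # drop entries older than the window
            q.popleft()
        if method == "INVITE" and len(q) > invite_limit:
            alerts[src].add("invite-flood")
        if method == "REGISTER" and len({u for _, u in q}) > ext_limit:
            alerts[src].add("extension-enumeration")
    return dict(alerts)

def sample_msg(method, user):             # constructed request, placeholder host
    return (f"{method} sip:{user}@pbx.example.test SIP/2.0\r\n"
            f"To: <sip:{user}@pbx.example.test>\r\nCSeq: 1 {method}\r\n\r\n")

# Constructed traffic: an INVITE burst, a sweep over extensions, normal use.
SAMPLE = (
    [(i * 0.1, "203.0.113.7", sample_msg("INVITE", "100")) for i in range(30)]
    + [(5 + i, "198.51.100.9", sample_msg("REGISTER", str(200 + i))) for i in range(8)]
    + [(20 + 30 * i, "192.0.2.10", sample_msg("REGISTER", "101")) for i in range(4)]
    + [(21, "192.0.2.10", "SIP/2.0 200 OK\r\n\r\n")]
)
```

Calling detect(SAMPLE) flags the first two sources and leaves the phone that simply re-registers its own extension alone; in a deployment the events would come from a packet capture or proxy log instead of the inline list.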
VoIP/SIP Security Assessment with Open Source before deployment:
Case Studies
Case Study 1- Security assessment with SiVuS tool
SiVuS
• SiVuS is a vulnerability scanner for VoIP networks that use the SIP protocol.
• The scanner provides several powerful features to verify the robustness and secure implementation of a SIP component.
• SiVuS is used to verify the robustness and security of SIP implementations by generating the attacks included in the SiVuS database or by crafting custom SIP messages with the SIP Message generator.
[Screenshots: 1. SIP Component Discovery; 2. Message Generator; 3. Security Findings Report]
Case Study 2- Security assessment with SIP Bomber
SIP Bomber
• SIP Bomber is used to test SIP protocol implementations.
• SIPBomber is compiled on Linux machines with an Asterisk server for testing the SIP server implementation.
[Screenshots: 1. Message Generator; 2. Password Validation]
Summary
• Building a VoIP network with open source is cost-effective and reliable.
• A VoIP network can be secured with open source tools and their configurations and settings.
• The SiVuS and SIP Bomber tools can be used to assess your VoIP security.