voip research paper

Upload: gagan-deep

Post on 18-Oct-2015


Voice over IP Security

What are the Risks and Solutions?

Abstract

Voice over IP is one of the fastest-growing Internet services and is gradually replacing traditional telephony. Moving telephony onto the public IP platform broadens its service capabilities, but it also imports the security problems of IP networks, where the number of threats is far larger than in the traditional telephone network. This paper identifies the most serious problems of public VoIP networks and proposes security solutions. The Session Initiation Protocol (SIP) is becoming the dominant VoIP signalling protocol, yet it is vulnerable to many kinds of attack; among them, call hijacking (in particular registration hijacking) has been identified as the major threat to SIP. Although a great deal of research has been carried out on mitigating hijacking attacks, only a small proportion of it is specific to SIP. This research examines how these attacks affect a SIP-based system and focuses on the VoIP-specific threats and the countermeasures that mitigate them.

Introduction

VoIP is one of the most common and cheapest technologies for short- and long-distance communication. It transmits digitized voice over an IP network, so a user can hold a telephone conversation over the existing Internet: the voice signal is encoded at one end of the channel, carried in IP packets, and decoded back into a voice signal at the receiving end. VoIP uses the IP protocol suite, originally designed for the Internet, to break a voice call into digital packets; the packets travel separately over the IP network and are reassembled at the far end. Packetized voice also makes much more efficient use of the network, because bandwidth is consumed only when something is actually being transmitted. Fig 1.1 shows the VoIP process.

The basic process involved in a VoIP call is as follows:

1. Conversion of the caller's analogue voice signal into a digital format

2. Compression of the digital signal and translation into discrete Internet Protocol packets

3. Transmission of the packets over the Internet or another IP-based network

4. Reverse translation of the packets into an analogue voice signal for the call recipient

The caller's voice therefore passes through a number of processes before it reaches the callee, and several protocols are used for this purpose. H.323 is a set of ITU-T recommendations for the transmission of real-time voice, video and data over packet-switched networks. An H.323 network consists of terminals, gateways and, optionally, gatekeepers, a Multipoint Control Unit (MCU) and a Back End Service (BES). Gatekeepers are a widely deployed component of VoIP systems and are responsible for access control, address resolution, bandwidth control and call forwarding. SIP is the signalling protocol specified by the Internet Engineering Task Force (IETF) for Internet calls, multimedia conferences and multimedia distribution. In contrast to the H.323 family of recommendations, SIP is a single, lightweight text-based protocol modelled on Internet conventions such as HTTP and URIs.

Fig 1.1

SIP is an application-layer protocol in the OSI model that uses text-based messages similar to HTTP. Unlike H.323, SIP does not require a reliable transport and can run over UDP. Implementations are nevertheless expected to support both UDP and TCP; TCP is used when a request is too large to be carried safely in a single UDP datagram, or when reliability is otherwise required. The SIP architecture consists of two parts, the SIP User Agent (UA) and the SIP network servers.

The SIP UA is the user's terminal and consists of two main components:

User Agent Client (UAC) - Responsible for sending requests and receiving responses.

User Agent Server (UAS) - Responsible for receiving requests and sending responses.

The function of the SIP Network Server is to provide name resolution and user location. It consists of three main groups:

Proxy server - A SIP domain typically runs a proxy server, which the UAC uses to pass a request on to the next server; a request can traverse several proxies before reaching its destination. Besides making routing decisions, the proxy server can provide authentication, network access control and other security functions, similar to a firewall.

Redirect server - Helps terminals to find the desired address by redirecting the user to another server.

Registrar server - A server that accepts user registrations and maps a user's address of record (the SIP URI) to the IP address where the user can currently be reached.

The figure illustrates the setup procedure in a SIP network where the proxy and registrar are implemented in a single component. The caller sends an INVITE request, carrying a session description in Session Description Protocol (SDP) format, to the callee through the proxy server. The callee answers with a final response: either 200 OK (accept) or an error response such as 486 Busy Here or 603 Decline. If the call is rejected the setup terminates. Otherwise the caller completes the three-way handshake by sending an ACK to the callee, after which the media channel is established directly between caller and callee, bypassing the proxy. Fig 1.2
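The setup just described, as an added worked example that is not part of the original paper: a strict parser and builder for SIP's text messages, and the INVITE / 200 OK / ACK exchange between two toy user agents. The addresses, tags, branch values and SDP bodies are constructed; a real call also passes through proxies and provisional responses (100 Trying, 180 Ringing), which are omitted.

```python
"""INVITE / 200 OK / ACK between two toy user agents, with a strict SIP parser."""

CRLF = "\r\n"


def parse_sip(raw):
    """Split a SIP request or response into (start line, headers, body).
    Header names are case-insensitive and lower-cased; repeated headers (Via)
    keep their order. The body must be exactly as long as Content-Length says,
    otherwise the message is rejected rather than guessed at."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no blank line between headers and body")
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    declared = int(headers.get("content-length", ["0"])[0])
    if declared != len(body.encode()):
        raise ValueError(f"Content-Length {declared} != body of {len(body.encode())} bytes")
    return lines[0], headers, body


def build_sip(start_line, headers, body=""):
    """Serialize a message; headers is a list of (name, value) so Via order is kept.
    Content-Length is computed here, never taken from the caller."""
    lines = [start_line] + [f"{name}: {value}" for name, value in headers]
    lines.append(f"Content-Length: {len(body.encode())}")
    return CRLF.join(lines) + CRLF + CRLF + body


def make_sdp(ip, port):
    """Minimal SDP offer/answer: one PCMU audio stream at ip:port (constructed)."""
    return CRLF.join(["v=0", f"o=- 1 1 IN IP4 {ip}", "s=call",
                      f"c=IN IP4 {ip}", "t=0 0", f"m=audio {port} RTP/AVP 0"]) + CRLF


def sdp_media(sdp):
    """Return the (ip, port) the peer wants its audio sent to."""
    ip = port = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return ip, port


def call_setup(caller_ip="192.0.2.10", callee_ip="192.0.2.20"):
    """Run the three-way handshake and report what each side ends up knowing."""
    offer = make_sdp(caller_ip, 49170)
    invite = build_sip("INVITE sip:bob@example.com SIP/2.0", [
        ("Via", f"SIP/2.0/UDP {caller_ip}:5060;branch=z9hG4bK776asdhds"),
        ("From", "Alice <sip:alice@example.com>;tag=1928301774"),
        ("To", "Bob <sip:bob@example.com>"),
        ("Call-ID", f"a84b4c76e66710@{caller_ip}"),
        ("CSeq", "314159 INVITE"),
        ("Contact", f"<sip:alice@{caller_ip}>"),
        ("Content-Type", "application/sdp"),
    ], offer)
    # Callee (UAS): accept, echoing Via/From/Call-ID/CSeq and adding its To tag.
    start, h, body = parse_sip(invite)
    if start.split()[0] != "INVITE":
        raise ValueError("expected an INVITE")
    answer = make_sdp(callee_ip, 3456)
    ok = build_sip("SIP/2.0 200 OK", [
        ("Via", h["via"][0]), ("From", h["from"][0]),
        ("To", h["to"][0] + ";tag=a6c85cf"),
        ("Call-ID", h["call-id"][0]), ("CSeq", h["cseq"][0]),
        ("Contact", f"<sip:bob@{callee_ip}>"), ("Content-Type", "application/sdp"),
    ], answer)
    # Caller (UAC): a non-2xx final response ends the setup (the transaction layer
    # still acknowledges it, omitted here); a 2xx is confirmed with an ACK that
    # reuses Call-ID, From, the now-tagged To and the CSeq number.
    rstart, rh, rbody = parse_sip(ok)
    status = int(rstart.split()[1])
    if status >= 300:
        return {"status": status}
    ack = build_sip(f"ACK sip:bob@{callee_ip} SIP/2.0", [
        ("Via", f"SIP/2.0/UDP {caller_ip}:5060;branch=z9hG4bKnashds8"),
        ("From", rh["from"][0]), ("To", rh["to"][0]),
        ("Call-ID", rh["call-id"][0]),
        ("CSeq", f"{rh['cseq'][0].split()[0]} ACK"),
    ])
    _, ah, _ = parse_sip(ack)
    return {
        "status": status,
        "call_id": ah["call-id"][0],
        "ack_cseq": ah["cseq"][0],
        "to_tag": rh["to"][0].split("tag=")[1],
        "caller_sends_to": sdp_media(rbody),  # RTP flows UA to UA, not via the proxy
        "callee_sends_to": sdp_media(body),
    }
```

The dialog is identified by Call-ID plus the From and To tags, which every later request in the call must repeat; the media endpoints come only from the SDP bodies, which is why a proxy that never sees or rewrites SDP cannot control where the audio goes.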

SIP Vulnerabilities

There are a number of security problems related to SIP. Among other things, SIP messages are text-based, which makes them easy to analyze and to forge, and therefore easier targets for attackers. This section focuses on the inherent SIP vulnerabilities that exist in most implementations; one of the major attacks is call hijacking.

Call Hijacking / Registration Hijacking

With the deployment of VoIP, and especially of SIP, there are a number of vulnerabilities that need to be addressed. One of them is registration hijacking. In SIP, a User Agent (UA) or IP phone must register itself with a SIP proxy/registrar (or IP PBX), which allows the proxy to direct inbound calls to the UA. Registration hijacking occurs when an attacker impersonates a valid UA to the registrar and replaces the legitimate registration with the attacker's own address. Inbound calls intended for the UA are then sent to the rogue UA instead. The following figure illustrates registration hijacking:

Fig 1.3

Registration hijacking allows inbound calls to be hijacked and answered by an attacker. It also allows the attacker to position itself in the middle of the call, forwarding it to the real user while recording the signalling and audio.

Causes of Registration Hijacking

With SIP, registration is normally performed over connectionless UDP rather than connection-oriented TCP. UDP makes spoofed packets easy to generate, which makes attacks such as registration hijacking easier. SIP registrars are not required to authenticate a UA that requests registration. When authentication is used, it is not strong: it is an MD5 digest of the user name, realm, password, the nonce sent in the authentication challenge, the request method and the request URI. Because the digest can be captured on the wire and checked offline, it is only as strong as the password, and passwords are often weak; even reasonable passwords can be defeated with dictionary attacks, in which a list of candidate passwords is tried against a captured challenge/response pair. Quite often, knowing a single password enables breaking many others, because users and administrators reuse them. Basic authentication, which transmits the password in clear text, must not be offered at all. An external attacker can also build a directory by scanning for registerable UA addresses: the scanner sends requests to the SIP proxy/registrar and learns from the responses (for example a 404 for an unknown user versus a 401 challenge for an existing one) which addresses are valid. Most registrars and proxy servers will not detect directory scanning or registration hijacking attempts.

Defences against Registration Hijacking

The primary defences against registration hijacking are strong authentication, and VoIP-aware firewalls (in this paper, Cisco ASA devices) to detect and block attacks. At a minimum, every registrar should challenge every REGISTER request with digest authentication and enforce strong passwords. Ideally, registration runs over TLS, which authenticates the registrar by certificate (and the UA too, where client certificates are deployed) and protects the digest exchange from eavesdropping. Registrations from the external network should be disabled if possible, or at least limited to a small set of external UAs. VoIP-optimized firewalls can be used to perform selective registration of external UAs by providing the following functions:

o Detect and alert upon directory scanning attempts.

o Log all REGISTER requests, and alert upon any unusual pattern of REGISTER requests.

o If the UAs in use never send a REGISTER that removes valid contacts (Expires: 0 or Contact: *), detect and block any such request.

o Limit REGISTER requests to an established user list.

o Flag any initial REGISTER request that succeeds immediately, without a 401 challenge; a registrar that accepts a first registration unchallenged is not authenticating. This ensures that only correctly configured UAs and registration servers interact.

o Act as an authenticating proxy in front of registrars that cannot provide strong authentication themselves.
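Three of the firewall functions above (directory-scan detection, alerting on unusual REGISTER patterns, and flagging registrations that succeed unchallenged) can be prototyped offline over signalling logs. The following is an added example, not code from the paper or from any Cisco product; the one-line log format and the sample traffic are constructed for the example, and the addresses are documentation ranges.

```python
"""Offline detection of REGISTER abuse (directory scans, floods, unchallenged
registrations) over constructed SIP signalling log lines."""
import re
from collections import defaultdict

# Constructed log format (an assumption, not any product's format):
#   "<epoch-seconds> <source-ip> <method> <request-uri> -> <final response code>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<method>[A-Z]+) "
    r"sip:(?P<user>[^@\s]+)@(?P<domain>\S+) -> (?P<code>\d{3})$"
)

# Sample traffic: two real phones, then a scanner at 203.0.113.9 walking a name
# list. Two of its guesses (carol, dave) happen to be real accounts.
_legit = [
    "1000 192.0.2.10 REGISTER sip:alice@example.com -> 401",
    "1001 192.0.2.10 REGISTER sip:alice@example.com -> 200",
    "1002 192.0.2.11 REGISTER sip:bob@example.com -> 200",   # never challenged
]
_scan = []
for _i, _name in enumerate([f"user{n}" for n in range(100, 128)] + ["carol", "dave"]):
    _code = 401 if _name in ("carol", "dave") else 404
    _scan.append(f"{1010 + _i} 203.0.113.9 REGISTER sip:{_name}@example.com -> {_code}")
SAMPLE_LOG = "\n".join(_legit + _scan) + "\n"


def parse_log(text):
    """Parse matching lines into dicts; lines in any other format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"], e["code"] = int(e["ts"]), int(e["code"])
            events.append(e)
    return events


def _by_source(events, methods):
    """Group events by source IP, sorted by time, keeping only the given methods."""
    by_src = defaultdict(list)
    for e in events:
        if e["method"] in methods:
            by_src[e["src"]].append(e)
    for evs in by_src.values():
        evs.sort(key=lambda e: e["ts"])
    return by_src


def detect_directory_scan(events, min_targets=10, window=60):
    """One source probing many distinct users within `window` seconds. The response
    code leaks which names exist (404 unknown vs 401/200 real), so the alert also
    lists the accounts the scanner learned."""
    alerts = []
    for src, evs in _by_source(events, {"REGISTER", "OPTIONS", "INVITE"}).items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in evs[start:end + 1]}) >= min_targets:
                alerts.append({"type": "directory_scan", "src": src,
                               "probed": len({e["user"] for e in evs}),
                               "leaked_users": sorted({e["user"] for e in evs if e["code"] != 404})})
                break
    return alerts


def detect_register_flood(events, max_requests=20, window=60):
    """More than `max_requests` REGISTERs from one source within `window` seconds."""
    alerts = []
    for src, evs in _by_source(events, {"REGISTER"}).items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 > max_requests:
                alerts.append({"type": "register_flood", "src": src, "count": end - start + 1})
                break
    return alerts


def detect_unchallenged_registrations(events):
    """A 200 to REGISTER for a (source, user) that never received a 401 means the
    registrar bound the contact without authenticating anyone."""
    challenged, alerts = set(), []
    for e in events:  # log order
        if e["method"] != "REGISTER":
            continue
        key = (e["src"], e["user"])
        if e["code"] == 401:
            challenged.add(key)
        elif e["code"] == 200 and key not in challenged:
            alerts.append({"type": "unchallenged_register", "src": e["src"], "user": e["user"]})
    return alerts


def run_all(text):
    events = parse_log(text)
    return (detect_directory_scan(events) + detect_register_flood(events)
            + detect_unchallenged_registrations(events))
```

The unchallenged-registration check is a heuristic for this log format: a phone that caches its credentials may legitimately send Authorization in its first REGISTER and get a 200 without a fresh 401, so a production detector should key on whether the request carried Authorization rather than on the absence of a prior 401.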

Fig 1.4

Devices/Techniques to be Used

Fig 1.4 shows the use of Cisco ASA security appliances together with the firewall to protect not only the VoIP servers but also the end users. The devices and techniques used are:

Cisco ASA - Placed between the servers so that an effective, always-on, highly secure connection is established between them. It stops attacks before they penetrate the network perimeter, protects resources and data as well as voice, video and multimedia traffic, and controls network and application activity.

Stateful Firewall - A mechanism for allowing VoIP traffic through firewalls. A stateful packet filter tracks the state of connections and drops packets that are not part of a properly originated call (for example RTP to a port that no signalled session opened). VoIP-ready firewalls are essential components of a VoIP network and should be used.

HTTP Digest - Based on a challenge-response mechanism. The client never sends its password; it sends a response that is an MD5 checksum of the user name, realm, password, the nonce from the challenge, the request method and the request URI. The password therefore never travels in the clear, although a captured exchange can still be attacked offline by password guessing.

TLS - A hop-by-hop encryption protocol that works between UAs and proxies. It provides confidentiality, integrity and protection from replay for the signalling on each hop.

IPsec - A network-layer encryption protocol. It works in both hop-by-hop and end-to-end scenarios and is usually used in a SIP VPN (Virtual Private Network) scenario or between administrative SIP domains. It does not include a key exchange mechanism, so the Internet Key Exchange (IKE) protocol must be used alongside it.

Antivirus/Spyware Remover - Searches and scans for known viruses in order to disable them. Each antivirus product relies on a set of known virus definitions, which must be updated regularly.
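The registration-hijacking causes discussed earlier and the HTTP Digest item above, as one added worked example that is not code from the paper: a toy registrar that can run either open or digest-enforcing, the forged REGISTER that hijacks the open one, the same forgery rejected by the other, a replayed Authorization refused by a single-use nonce, and an offline dictionary attack on a captured challenge/response. Messages are plain dicts rather than wire-format SIP, the digest is RFC 2617 MD5 without qop (as SIP commonly uses it), and the accounts, passwords and addresses are constructed.

```python
"""Registration hijacking against an open registrar, the same forgery against one
that enforces SIP digest authentication, nonce replay, and an offline dictionary
attack on a captured challenge/response."""
import hashlib
import hmac
import secrets


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest as SIP uses it (no qop): MD5(HA1 ":" nonce ":" HA2).
    Only this hash crosses the network; the password itself never does."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Registrar:
    """Toy in-memory registrar; messages are dicts (an assumption for brevity)."""

    def __init__(self, realm, accounts, require_auth):
        self.realm = realm
        self.accounts = accounts        # username -> password
        self.require_auth = require_auth
        self.bindings = {}              # username -> Contact URI calls are routed to
        self.live_nonces = set()        # outstanding single-use challenges

    def register(self, msg):
        user = msg["user"]
        if user not in self.accounts:
            return {"status": 404}      # note: this differing code is what scanners use
        if self.require_auth:
            auth = msg.get("auth")
            if auth is None:                       # first REGISTER: challenge it
                nonce = secrets.token_hex(16)
                self.live_nonces.add(nonce)
                return {"status": 401, "realm": self.realm, "nonce": nonce}
            if auth["nonce"] not in self.live_nonces:
                return {"status": 401, "stale": True}  # replayed or unknown nonce
            self.live_nonces.discard(auth["nonce"])    # one answer per challenge
            expected = digest_response(user, self.realm, self.accounts[user],
                                       "REGISTER", auth["uri"], auth["nonce"])
            if not hmac.compare_digest(expected, auth["response"]):
                return {"status": 403}
        self.bindings[user] = msg["contact"]
        return {"status": 200}

    def lookup(self, user):
        return self.bindings.get(user)


def register_with_password(reg, user, password, contact):
    """Phone-side flow: REGISTER, then answer the 401 with a digest. Returns the
    final status and the Authorization values a sniffer on the path would see."""
    uri = f"sip:{reg.realm}"
    resp = reg.register({"user": user, "contact": contact})
    if resp["status"] != 401:
        return resp["status"], None
    auth = {"uri": uri, "nonce": resp["nonce"],
            "response": digest_response(user, reg.realm, password, "REGISTER", uri, resp["nonce"])}
    return reg.register({"user": user, "contact": contact, "auth": auth})["status"], auth


def dictionary_attack(realm, user, captured, wordlist):
    """Offline guessing against one sniffed challenge/response pair: no traffic
    reaches the registrar, so there is nothing for it to rate-limit or log."""
    for pw in wordlist:
        if digest_response(user, realm, pw, "REGISTER", captured["uri"], captured["nonce"]) == captured["response"]:
            return pw
    return None


def demo():
    legit, rogue = "sip:alice@192.0.2.10", "sip:alice@203.0.113.9"   # constructed addresses
    weak, strong = "summer2015", "Q7v!x9#Lm2pZ"                      # constructed passwords
    # 1. Registrar that never challenges: the forged REGISTER simply wins.
    open_reg = Registrar("example.com", {"alice": weak}, require_auth=False)
    open_reg.register({"user": "alice", "contact": legit})
    open_reg.register({"user": "alice", "contact": rogue})
    # 2. Digest-enforcing registrar: the forgery is challenged and rejected.
    reg = Registrar("example.com", {"alice": weak, "bob": strong}, require_auth=True)
    register_with_password(reg, "alice", weak, legit)
    forged_status, _ = register_with_password(reg, "alice", "wrong-guess", rogue)
    # 3. Replaying a captured Authorization with a new Contact is refused.
    _, sniffed = register_with_password(reg, "alice", weak, legit)
    replay_status = reg.register({"user": "alice", "contact": rogue, "auth": sniffed})["status"]
    # 4. The weak password falls to an offline dictionary attack; the strong one does not.
    words = ["password", "123456", "summer2015", "welcome1"]
    _, bob_auth = register_with_password(reg, "bob", strong, "sip:bob@192.0.2.11")
    return {
        "open_hijacked": open_reg.lookup("alice") == rogue,
        "forged_status": forged_status,
        "still_legit": reg.lookup("alice") == legit,
        "replay_status": replay_status,
        "cracked": dictionary_attack(reg.realm, "alice", sniffed, words),
        "uncracked": dictionary_attack(reg.realm, "bob", bob_auth, words),
    }
```

Two points the example makes concrete: the digest covers the method and request URI but not the Contact header, so without single-use (or short-lived) nonces a captured response could be replayed to bind an attacker's Contact; and an eavesdropper needs no further interaction with the registrar to run the dictionary attack, which is why the paper's TLS recommendation matters even when digest authentication is already enforced.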

Trusted Phone System - In practice, softphone systems, which implement VoIP on an ordinary PC with a headset and special software, should not be used where security or privacy are a concern. Worms, viruses and other malicious software are extraordinarily common on Internet-connected PCs and very difficult to defend against.

Conclusion

There are a number of security issues unique to VoIP, and registration hijacking is one of the more serious. An attacker who successfully hijacks registrations in your organization can block, record and otherwise manipulate calls to and from it. This is a very real threat that must be countered. Registration hijacking attempts can be defeated by selecting a registrar that authenticates every registration, setting strong passwords, and using VoIP-optimized firewalls to detect and block attacks, with Cisco Adaptive Security Appliances (ASA) deployed to enforce them. Attackers then no longer reach the SIP registrar or the end users directly: the firewall and the ASA identify the attempt and refuse the connection.
