RE: Voice over IP applications vulnerabilites/attacks ?

[Keith Stewart <kstewart () cisco com>]

<VendorHat = on>

Cisco produced a White Paper on IP Telephony Security as a part of its SAFE 
Security Blueprints.

www.cisco.com/go/safe/

It's more directed at the secure network design side of the question than 
the actual intrusions/attacks side.  A lot of it boils down to Security 101 
- people are going to try and attack your systems, so put some appropriate 
security policies in place to try and mitigate the risk.  The good thing 
with the SAFE docs is the recommendations have all been heavily tested, and 
the docs include the Cisco configs for the recommendations.

<VendorHat = off>

As far as actual attacks against the systems, AFAIK, there's been no 
significant reported attack against an IP Telephony installation.  In a 
large part, that's because existing installations are typically 
self-contained enterprise or SMB installations, and thus the entire system 
is protected from external aggressors by your enterprise firewalls (i.e. no 
conduits in/out for VoIP ports, phones on un-NATed address spaces, etc.), 
and because VoIP protocols are still relatively unknown by people outside 
the industry (i.e the most commonly deployed protocol is still H.323, and 
323 messages are ASN.1 encoded - security through obfuscation, 
anyone?).  But as there's more and more deployments, and the protocols are 
around longer, it becomes more and more important to make sure security is 
designed into a VoIP deployment.

Keith

At 12:02 PM 1/2/2003 -0600, Paul D. Scallan, Jr. wrote:
> I am going to assume that you are talking VOIP in the "phone to phone"
> sense (although the following can apply to any application of VOIP).
>
> I think you will find that certain phones themselves are prone to
> certain vulnerabilities.  See:
> http://www.eweek.com/article2/0%2C3959%2C373289%2C00.asp  Mostly the
> problem with the phones themselves are:  they contain remote-accessible
> code which can be exploited to cause a denial of service, and possibly
> leak information and the phones are also weak in ways that facilitate
> man-in-the-middle attacks directed at intercepting telephone traffic.
>
> Also, There are three main vulnerabilities to IP networks and these
> result from its benefits. While in the traditional voice network one has
> to tap into a specific circuit to eavesdrop, in an IP network any
> equipment connected to the corporate LAN can identify, store and
> playback the VoIP packets that traverse that LAN. The use of shared
> media by VoIP systems opens the door to some uncertainty as to the
> source of a call, and may require authentication.  The anonymity of an
> unprotected, unauthenticated IP network makes it susceptible to hostile
> use, such as prank calls, sending computer viruses or flooding the
> network.  Despite the above, the vulnerability of an authenticated,
> protected VoIP network to internal abuse does not markedly differ from
> traditional telephone networks.  Since there is no such thing as a
> secure IP network, only secure computing - one must secure the
> telephones, conversations, computers, and servers. Set up a chain of
> trust for authentication (encryption), control access (passwords and
> firewalls), encrypt for privacy, and employ call accounting software to
> establish accountability.  One can achieve some measure of security by
> strategically allocating sub-nets, and choosing to use IP Switches
> instead of IP Hubs. However, security considerations should not override
> routing and traffic accommodations. Firewalls can and should be used to
> protect segments of a network from hostile traffic. This does not
> relieve each network device from protecting itself and filtering out
> undesired communications. Physical and network access to any VoIP server
> that is used to authenticate users, that controls access to the public
> telephone network, or that contains potentially confidential information
> should be locked down and treated with the same security precautions as
> any server with a confidential database.
>
> Further, another good article:
> http://www.eetimes.com/story/OEG20021014S0072
>
>
> PAUL D. SCALLAN, JR.
> IT/IS/Production Manager - Paralegal
> KAUFMAN & ASSOCIATES, INC.,
> VOICERITE! and SCALLAN SERVICES
> The Moss Building
> 109 East Vermilion, Suite 200
> Lafayette, Louisiana  70501
> 337-237-4434 (main)
> 800-503-2274 (toll-free)
> 337-234-0715 (facsimile)
> 337-247-4486 (24 hour mobile)
> depo () kaufmanandassociates com
> http://www.kaufmanandassociates.com
> http://www.voicerite.net
> http://www.scallanservices.com
>
>
>
> -----Original Message-----
> From: Avi Chesla [mailto:avic () V-Secure com]
> Sent: Thursday, January 02, 2003 11:14 AM
> To: 'focus-ids () securityfocus com'
> Subject: Voice over IP applications vulnerabilites/attacks ?
>
>
> Hi,
>
> Is anyone familiar with Voice over IP vulnerabilities/Intrusions, floods
> etc ?
>
> I heard Checkpoint has some new protection capabilities concerning the
> issue.
>
>
> Avi