Information Security News mailing list archives

Security In Converged Networks


From: InfoSec News <isn () c4i org>
Date: Fri, 16 Aug 2002 01:23:02 -0500 (CDT)

http://www.tmcnet.com/it/0802/0802gr.htm

BY ANDREAS M. ANTONOPOULOS & JOSEPH D. KNAPE
August 2002

With all new technologies there is a security 'honeymoon' during which 
the technology is below the hacker's radar because of lack of 
widespread use. As a technology becomes more prevalent, and critical 
to organizations, its security will be probed and cracks will be found 
very soon. Internet telephony has now reached the critical mass of 
adoption and maturity that makes it not only a viable target but also 
a valuable one, as it becomes part of business critical applications. 
Whether the intent is to disrupt or profit, it will not be long before 
the first victims appear. Beyond the monetary risks, there is also a 
very serious privacy threat as we have become accustomed to government 
regulation that at least protects our privacy from everyone outside 
government.

Legacy telephony has long enjoyed a level of protection through law,
boundaries of physical security, and plain old obscurity that
relegates it to a separate category of hacking. Apart from a few
exceptions, telephony hackers or 'Phreakers' as they are dubbed, were
a breed of their own with very specialized tools and techniques. Very
few hackers were adept both in the world of computers and in the world
of telephony.

The telephony landscape and its relation to society is rapidly 
changing. When the phenomenon of 'convergence' between telephony and 
Internet started, it also brought closer the world of the phreaker and 
the hacker. VoIP brings all this to the next level. Unfortunately, the 
security inherent in VoIP solutions is equivalent to that of the early 
Internet: Non-existent.

CONVERGING NETWORKS, CONVERGING THREATS

With the convergence between voice and data, the critical barrier to 
would-be attackers quickly crumbles. The physical separation of the 
two networks and the relative security of voice networks were 
primarily enforced by federal laws and proprietary infrastructures, 
which are less effective as the networks converge. From a legislative 
perspective the transformation of the telephony landscape is of great 
concern: The current laws do not protect security or privacy; nor do 
they allow law enforcement access for wiretaps. Where the Internet 
spreads, it brings with it disrupting influences of new models and 
paradigms. In telephony the disruption is just starting, but the 
changes are going to be more staggering than we can imagine.

Since IP is the underlying protocol used for the transmission of voice 
data, a VoIP network will be susceptible to the same security problems 
inherent in any IP-based network. Additionally, there is an added 
level of complexity in VoIP networks because of the challenges that 
must be met by VoIP technology in order to achieve useful levels of 
service for transmitting speech in an efficient and effective way.

The most important threats in a converged world of ubiquitous VoIP 
are:

* Eavesdropping from anywhere in the world (Privacy). 
* Social engineering (Authenticity/Integrity). 
* Disruption of voice communications/Denial of service (Availability). 
* Resource Theft (free calls for all). 

VIRTUAL WIRETAPS

Eavesdropping on a traditional telephony network requires either 
physical access to the wiring, or access to the digital backbones of 
the telephone 
companies. In a converged network, all the eavesdropper need do is 
compromise the security of the data network (or the endpoints) and he 
or she can access the voice streams. Such a 'virtual wiretap' is much 
more insidious than a physical wiretap, because it is almost 
impossible to detect. The copying of bits does not impact the original 
stream in any way. Therefore, unless one can control the access to the 
data network, the voice data is vulnerable. In many ways, we have 
grown used to an 'expectation of privacy' on telephone networks. This 
will no longer hold true unless we take steps to ensure our privacy 
with sophisticated security measures. Furthermore, the 'virtual 
wiretap' can be effected from, and the sound transmitted to, anywhere 
in the world. In fact I could hire someone to tap into your network 
and send me the audio, from anywhere in the world: Outsourcing meets 
wiretaps. For me to be able to listen in to your conversation, I would 
have to be able to decode the audio stream. With most current 
protocols, this is trivial. Encryption, however, would put an 
insurmountable obstacle in my path.

Encryption is a well-developed technology, which has been applied to 
many different communications solutions. In the cellular phone market 
the term 'digital' has become synonymous with 'private' as the 
encryption has been sold as a product feature. There are two barriers 
to the application of encryption in VoIP. The first, as ever, has to 
do with standardization of the protocols. In order for encryption to 
be effective it must be very simple to use; in effect it must be 
transparent to the user. This requires standardization of the VoIP 
protocols (still in the early stages) and the encryption mechanisms. 
Because of the necessity to allow for upgrading of the encryption 
standards as they become obsolete or easy to 'crack,' it is important 
to have an open architecture that allows for 'negotiation' of suitable 
encryption algorithms between the end-points at runtime. This can be 
implemented in a similar way to the current support for multiple voice 
codecs with runtime negotiation.
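
The negotiation described above can be sketched as one offer/answer round, 
in the style of codec negotiation. This is an added example, not code from 
the article or from any VoIP standard; the algorithm labels, endpoint names 
and the "retired" policy are constructed for illustration.

```python
# Added illustration: algorithm labels and policy below are constructed.

class NoCommonCipher(Exception):
    """Raised when the endpoints share no acceptable encryption algorithm."""


class Endpoint:
    def __init__(self, name, preference, retired=()):
        self.name = name
        self.preference = list(preference)   # strongest first
        self.retired = set(retired)          # obsolete or crackable: never use

    def offer(self):
        """Caller side: advertise supported algorithms, minus retired ones."""
        return [c for c in self.preference if c not in self.retired]

    def answer(self, offered):
        """Callee side: pick our most preferred algorithm that the caller
        offered. Retired algorithms are refused even when they are the only
        overlap, so an altered or outdated offer cannot force a downgrade."""
        offered = set(offered)
        for cipher in self.preference:
            if cipher in offered and cipher not in self.retired:
                return cipher
        raise NoCommonCipher(f"{self.name}: nothing acceptable in {sorted(offered)}")


def negotiate(caller, callee):
    """One offer/answer round; the caller re-checks the answer against
    what it actually offered before accepting it."""
    offered = caller.offer()
    chosen = callee.answer(offered)
    if chosen not in offered:
        raise NoCommonCipher(f"{caller.name}: peer chose unoffered {chosen!r}")
    return chosen


# Constructed endpoints: the new phone has retired "des"; the old one has not.
NEW_PHONE = Endpoint("new-phone", ["aes128", "3des", "des"], retired={"des"})
OLD_PHONE = Endpoint("old-phone", ["3des", "des"])
LEGACY_ONLY = Endpoint("legacy", ["des", "none"])
```

Upgrading then means adding a label to the front of the preference list and 
moving a weakened one into the retired set; calls to endpoints that support 
only retired algorithms fail rather than silently falling back.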

Encryption has become hugely popular as a means to leverage the 
Internet for corporate communications. Virtual Private Networks (VPNs) 
allow companies to transfer data between offices securely. An 
alternative to 'native' support of encryption within the VoIP 
protocols is the use of VPN tunnels in order to 'wrap' the voice 
stream. Unfortunately, this is quite difficult in practice. VPN 
devices and software are not currently designed to accommodate 
real-time traffic. As a result, they tend to add unacceptable levels 
of jitter and latency to the VoIP communications. Although just about 
bearable in small installations (1-2 voice streams), they become 
unwieldy in larger applications (VoIP between branches of a company, 
over VPNs for example).

SOCIAL ENGINEERING

Another important threat for VoIP networks is the ability to 'enhance' 
social engineering attacks. Social Engineering is the practice of 
using social skills and deception to exploit human vulnerabilities 
rather than system vulnerabilities. A common example is persuading 
someone in a company to give you their password by pretending to be an 
administrator in their IT department.

Imagine how much easier it would be to persuade someone that you work 
for the company, if you can make their VoIP phone display the 
origination of the call as 'IT Helpdesk.' Or imagine how simple it 
would be if you could disguise your voice electronically to be 
identical to that of their boss. Software that allows digital 
impersonation has already been demonstrated; albeit crude, it is only 
a matter of time before it is sophisticated enough to be 
indistinguishable from the real person. The saving grace is that with 
current technology, it is unlikely this can be done in real time 
without significant expenditure. Nevertheless, pre-recorded messages 
that sound like someone else are within the capabilities of desktop 
systems. And don't forget, your grace period diminishes by half every 
18 months according to Moore's law.

In order to protect against this kind of digital impersonation, there 
can be a number of solutions. The most secure approach would be 
widespread application of digital signatures and PKI for the 
authentication of end-users. This approach is not only very difficult 
to apply globally, it also has some disturbing privacy implications 
(anonymity after all is a feature most of us are used to when making 
calls, Caller-ID notwithstanding). An alternative is to apply generic 
controls at an organization's perimeter such as firewalls and 
Intrusion Detection Systems, which would protect against an outsider 
gaining access in this manner.

Technology notwithstanding, the most effective solution is the same as 
with social engineering in other circumstances: Don't believe what the 
phone displays, don't assume you know who you're talking to and be 
smart about what kind of information you give to people on the 
telephone. These are all basic security awareness issues and should be 
handled as such with appropriate training and drills. Security is not 
just about technology; it is about people applying technology with a 
bit of common sense.

BUSY TONE

Although most consumers will berate their telecommunications providers 
and complain bitterly about the service, in truth we have been 
accustomed to a high level of reliability when using the phone. How 
many times in your life have you picked up the phone and not heard a 
dial tone? Achieving the kind of reliability that makes phones 'just 
work' 99.999 percent of the time would be enviable in the world of IT. 
So as we converge and shift voice onto a dynamic ad-hoc network such 
as the Internet we are bound to (at least at first) lose some 
reliability.

From a security perspective however, there is a much-increased 
opportunity for mischief. This comes mainly in the form of Denial of 
Service (DoS), which is already one of the most common types of 
attacks on the Internet. Denial of Service involves attacks whose main 
aim is to affect the availability of a system by disrupting services, 
applications or networks. In the telephony world, DoS would make you 
always get a busy signal. How would DoS affect a converged network?

It is Wednesday afternoon, and the Federal Reserve is about to 
announce whether it will change interest rates. At the city's largest 
bond trader, all the IP phones stop working at exactly the moment the 
announcement is made. The traders are unable to trade and as a result 
the company loses millions of dollars in the 15 minutes it takes to 
restore service.

Clearly there is a much greater danger of disruption for converged 
networks. Furthermore, as data and voice travel over the same network, 
disruption of one affects the other. The VoIP failure may simply be a 
side effect of a wider DoS attack against the company's network.

Unfortunately, there is no foolproof way to protect against DoS. A DoS 
attack will target and attempt to exhaust resources that you 
voluntarily make available. For example, if you allow incoming VoIP 
sessions from outside your organization, these can be used 
indiscriminately by anyone. If someone decides to abuse these 
resources, there is not much you can do. They may have disguised their 
source address, or may keep changing source addresses, making it 
difficult or impossible to block an attack. Denial of Service can't be 
stopped because it is based on tying up publicly available resources 
by brute force. If everyone in NY called your phone, you would not be 
able to use it and would have to disconnect it. Even the phone company 
could not help you stop people from calling you without a specific 
number to block.

FREE CALLS FOR ALL

PBX owners have already had to deal with theft of service. Phreakers 
will compromise PBX security and use the system to make free calls or 
organize 'party lines' to communicate with their friends. The 
Communications Fraud Control Association (http://cfca.org/) says “it 
is estimated that annual fraud losses are in excess of $12 billion 
worldwide.”

Convergence will only increase this threat of theft. As the networks 
converge there will be a need for gateways connecting VoIP systems to 
POTS (plain old telephone service). These gateways allow normal phones 
to call VoIP phones and vice-versa. Whether these gateways are part of 
a PBX or part of a VoIP system, they represent the border between 
telecommunications networks and data networks. This means that they 
will make telecommunications networks more accessible from the data 
network side. Hackers will almost certainly find ways to “spoof” 
(pretend to be some known system), gaining access to the gateway as a 
legitimate user and making phone calls at the expense of the company. 
The security designed into such gateways at present is at best 
trivial. Even a rather unskilled attacker can quite easily spoof the 
SIP sessions and UDP packets that compose the voice stream. The 
authentication systems that have been added on to SIP and H.323 in 
order to restrict access are not very well designed and mostly send 
the authentication details in the clear (not encrypted) so that 
someone with access to the network can compromise them quite easily.

The solution to theft of service is a combination of technology, 
monitoring, and awareness. From the technology perspective it is 
imperative that at least simple controls such as firewalls and 
password access be added to the telephony gateways to protect against 
unauthorized access. Monitoring of use and user training and awareness 
can complement the technical solutions in order to improve the 
security. After all, you don’t want to find out about service theft 
when you get your bill and discover it is $250,000 more than expected. 
Continuous monitoring and auditing will at least give you an early 
warning of problems.
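
One way to get that early warning is to evaluate gateway call records as 
they arrive instead of waiting for the bill. This is an added example, not 
part of the original article; the record format, account names, dialed 
numbers and thresholds are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed call detail records for a VoIP-to-POTS gateway (not real data).
# Columns: start time, authenticated account, dialed number, seconds, cost (USD)
SAMPLE_CDRS = """\
2002-08-12T09:15:00,ext-101,+12125550100,180,0.30
2002-08-12T14:02:00,ext-102,+12145550111,600,1.00
2002-08-13T02:10:00,ext-117,+99955501234,3400,95.00
2002-08-13T02:11:00,ext-117,+99955501235,3500,98.00
2002-08-13T02:12:00,ext-117,+99955501236,3300,92.00
2002-08-13T10:30:00,ext-101,+12125550100,240,0.40
"""

DAILY_COST_LIMIT = 50.00        # assumed per-account budget, USD per day
BUSINESS_HOURS = range(7, 20)   # assumed working hours, 07:00 to 19:59
OFF_HOURS_CALL_LIMIT = 2        # off-hours calls per account per day


def monitor(cdr_text):
    """Process records in arrival (chronological) order and return alerts as
    (record time, account, rule) tuples. Each rule fires once per account
    per day, at the first record that crosses its threshold."""
    cost = defaultdict(float)
    off_hours = defaultdict(int)
    fired = set()
    alerts = []
    for row in csv.reader(io.StringIO(cdr_text)):
        if not row:
            continue  # tolerate blank lines in the feed
        start, account, _dialed, _seconds, usd = row
        when = datetime.fromisoformat(start)
        key = (account, when.date())
        cost[key] += float(usd)
        if when.hour not in BUSINESS_HOURS:
            off_hours[key] += 1
        checks = [("cost", cost[key] > DAILY_COST_LIMIT),
                  ("off-hours", off_hours[key] > OFF_HOURS_CALL_LIMIT)]
        for rule, tripped in checks:
            if tripped and (key, rule) not in fired:
                fired.add((key, rule))
                alerts.append((start, account, rule))
    return alerts
```

On the constructed sample, the cost rule fires on the first overnight call 
from ext-117, within minutes of the abuse starting.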

CONCLUSION

A global converged network will change the telephony landscape 
completely. New services, applications, and paradigms are already 
emerging. In the rush to migrate telephony to the more flexible 
infrastructure of the Internet, security has almost been an 
afterthought. Soon it will become obvious that a flexible and open 
network creates security problems that were not issues in the closed 
proprietary past of telephony. These issues will need to be addressed 
in order for Internet telephony to flourish. There will certainly be 
challenges at first, but most of the technical difficulties can be 
overcome if security is made part of the design requirements of new IP 
telephony applications from the beginning. As organizations migrate 
their internal phone systems to IP, they will be able to protect them 
by applying security best practices at the perimeter of the 
organization.

Many of the security solutions are not VoIP specific; rather the 
solutions involve the same combination of people, processes, and 
technology that are applied to protect data networks. Security within 
corporate networks can be improved by protecting the perimeter and 
applying encryption. The real challenge will appear when IP telephony 
transcends the boundaries of a single organization. When companies 
start connecting to each other or accepting incoming VoIP connections 
from the public, the security problems will become much more serious. 
Solutions will depend on designing security into the protocols and 
user agents. Unfortunately, security is often “bolted” on as an 
afterthought.

Perhaps the most pertinent lesson is that it is estimated that 
security measures cost 10 times less if they are included in the 
design and not added on after the implementation. Internet telephony 
pioneers can reap significant savings by considering security at the 
earliest stages in the development of applications or systems. If they 
do not, they will soon discover that the honeymoon is over.


Andreas M. Antonopoulos is security practice leader at Greenwich 
Technology Partners. Joseph D. Knape is an independent security 
consultant in Dallas, Texas.

Greenwich Technology Partners is a leading network infrastructure 
consulting and engineering company that designs, builds, and manages 
the complex networks that utilize advanced Internet protocol, 
electro/optical, and other sophisticated technologies. Additional 
information about Greenwich Technology Partners can be found online at 
www.greenwichtech.com.



