Penetration Testing mailing list archives

Re: VOIP: RTP vs SRTP

From: "thefifth" <thefifth () ameritech net>
Date: Thu, 16 Mar 2006 00:25:16 -0500

From my experience using IPSec VPN (and now SSL-VPN) for securing VoIP has

been pretty strait forward, for remote soft-clients and site-2-site calls.It secures both the signaling and media traffic. This is assuming that theIPSec environment/concentrators can support QoS - i.e. DiffServ toprioritize and expedite VoIP traffic over HTTP or FTP for example.

On the LAN it gets a little more complicated in that you don't want a bunchof potential bottlenecks (firewalls) creating jitter, latency and delaywhich can impair overall voice quality. In the LAN VLAN segmentation canhelp as part of a layered defense, but its not fool proof, i.e. dsnifftools. Therefore the LAN infrastructure needs to be able to detect ArpSpoofing, DHCP server spoofing, etc. while enforcing L2-4 firewall policy atthe individual switch port. In this type of LAN infrastructure VLANsegmentatation and policy enforcement can help preserve VoIP quality in thecase of broadcast storm or massive traffic flloods via DDoS.

802.1x helps at least authenticate the VoIP hard sets and other devices onthe network. It can also help to dynamically assign the device and/or userto the appropriate VLAN. Look for IP Phones that support 802.1x forauthentication. It helps.

With SIP in particular there are many different sessions and call statesactive simultaneously. Also there may be more than just voice in a SIP"call" i.e. video, IM, presence, etc. In a multimedia/VoIP call many portsare opened dynamically which makes firewall rule/policy creation andimplementation very difficult. Imagine a VoIP conference call for a simplecase.

Finally, NAT - if not done correctly (i.e. SIP-NAT ALG's) will break mostconversations.

On the IDS/IPS front remember that VoIP media traffic is relatively smallpackets which require real-time performance. Inspection of a lot of smallpackets at a high rate can be very costly on the throughput/performance ofthe IDS/IPS if they can even identify the traffic at all.

What's getting popular right now are Application Layer Gateways/Firewallsfor multimedia. They've been available in the VoIP/ISP space for a littlewhile now and are now coming to the enterprise space. Most will provideencryption, NAT capability, and "Pin-Hole" firewall capabilities based onthe session and call state. I've seen them from Sipera (www.sipera.com) andNortel (www.nortel.com).

At the end of the day a layered defense is your best bet, but don't forgetabout the QoS requirements.

----- Original Message -----From: "Ken Kousky" <kkousky () ip3inc com>To: "'Chris Serafin'" <chris () chrisserafin com>; <defragz () hotmail com>;<pen-test () securityfocus com>

Cc: "Mike Brown" <MBrown () ip3inc com>
Sent: Sunday, March 12, 2006 12:14 PM
Subject: RE: VOIP: RTP vs SRTP

There's no question that VoIP Security is a BIG issue. Most management

surveys say that it's the first or second reason given for why companiesare

delaying on VoIP.

VoIPSA is certainly a resource, as NIST. They publish a free report (it's

really a 100 page book) on Securing VoIP and it's probably the best guideinthe industry. It's also a great VoIP primer and best of all, you'vealready

paid for it in your tax dollars so you can download it at no cost. (The
administration has not reclassified it as top secret yet)

It's at:
http://www.csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf

The most important lessons here are the recommendations to avoid softphonesand to segment VoIP on a VLAN will prevent many of the desired voipbenefits

so the security frameworks don't map to reality.

If you'd like to present your work in this field or just learn a moreabout

VoIP security join us at the Second Annual Voip Security Conference hosted
by IP3 and Illinois Institute of Technology:

Call for Speakers and Sponsors
The 2nd Annual
Managing VoIP Security Conference
(MVSC 2006)
May 17-18, 2006

IIT- Illinois Institute of Technology
Herman Union Building- Conference Center
Chicago, Illinois, USA
www.voip-wifi.net
or visit:
www.ip3seminars.com/conf.htm






-----Original Message-----
From: Chris Serafin [mailto:chris () chrisserafin com]
Sent: Friday, March 10, 2006 11:55 AM
To: defragz () hotmail com; pen-test () securityfocus com
Subject: RE: VOIP: RTP vs SRTP

I have been thinking of writing a paper about a VoIP security also.  I my

experience [solely Cisco voip] there is absolutely no security in placefor

any VoIP.

Chris Serafin
IT Security / VoIP Engineer
chris () chrisserafin com

-----Original Message-----
From: defragz () hotmail com [mailto:defragz () hotmail com]
Sent: Friday, March 10, 2006 2:23 AM
To: pen-test () securityfocus com
Subject: VOIP: RTP vs SRTP

Hello list,

Planning some internal presentations on VoIP, I was wondering if SRTP

(Secure Real Time Protocol) is now really in use, as a secure replacementof

RTP.

More generally, from your experience, and from what you have seen in "real
life", do you thing that VoIP security is getting better? Do people use
crypto to protect both data and signalling?
I will love to hear your feedbacks...
-Franck


----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to
proactively
protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed

service (Cenzic ClickToSecure) or an enterprise software (CenzicHailstorm).


Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com
----------------------------------------------------------------------------
--




----------------------------------------------------------------------------
--
This List Sponsored by: Cenzic

Concerned about Web Application Security?
As attacks through web applications continue to rise, you need to
proactively
protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed

service (Cenzic ClickToSecure) or an enterprise software (CenzicHailstorm).


Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com
----------------------------------------------------------------------------
--


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?

As attacks through web applications continue to rise, you need toproactively

protect your applications from hackers. Cenzic has the most comprehensive
solutions to meet your application security penetration testing and
vulnerability management needs. You have an option to go with a managed

service (Cenzic ClickToSecure) or an enterprise software (CenzicHailstorm).

Download FREE whitepaper on how a managed service can help you:
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com
------------------------------------------------------------------------------




------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?As attacks through web applications continue to rise, you need to proactivelyprotect your applications from hackers. Cenzic has the most comprehensivesolutions to meet your application security penetration testing andvulnerability management needs. You have an option to go with a managedservice (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm).Download FREE whitepaper on how a managed service can help you:http://www.cenzic.com/forms/ec.php?pubid=10025And, now for a limited time we can do a FREE audit for you to confirm yourresults from other product. Contact us at request () cenzic com

------------------------------------------------------------------------------

Current thread:

VOIP: RTP vs SRTP defragz (Mar 10)
- Re: VOIP: RTP vs SRTP Sebastien Tricaud (Mar 10)
- RE: VOIP: RTP vs SRTP Chris Serafin (Mar 10)
  - RE: VOIP: RTP vs SRTP Robb Stacy (Mar 10)
  - RE: VOIP: RTP vs SRTP Ken Kousky (Mar 12)
    - Re: VOIP: RTP vs SRTP thefifth (Mar 16)
- <Possible follow-ups>
- RE: VOIP: RTP vs SRTP Noble, Kevin (Com US) (Mar 10)
- RE: VOIP: RTP vs SRTP Bob Bell (rtbell) (Mar 10)