Voice over IP and IP telephony Network convergence Telephone and IT PoE (Power over Ethernet) Mobility and Roaming

ming Telco Switched -> Packet (IP) Closed world -> Open world Security and privacy IPhreakers VoIP vs 3G

 Signaling User location Session Setup Negotiation Modification Closing Transport Encoding, transport, etc.

 SIP IETF - 5060/5061 (TLS) - HTTP-like, all in one Proprietary extensions Protocol becoming an architecture End-to-end (between IP PBX) Inter-AS MPLS VPNs Transitive trust IM extensions (SIMPLE) H.323 Protocol family H.235 (security), Q.931+H.245 (management), RTP, CODECs, etc. ASN.1

 RTP (Real Time Protocol) 5004/udp RTCP No QoS/bandwidth management Packet reordering CODECs old: G.711 (PSTN/POTS - 64Kb/s) current: G.729 (8Kb/s)

 Systems SIP Proxy Call Manager/IP PBX User management and reporting (HTTP, etc) H.323: GK (GateKeeper) Authentication server (Radius) Billing servers (CDR/billing) DNS, TFTP, DHCP servers

 Voice Gateway (IP-PSTN) Gateway Control Protocols Signaling: SS7 interface Media Gateway Controller Controls the MG (Megaco/H.248) SIP interface Signaling Gateway Interface between MGC and SS7 SCTP - ISUP, Q.931 Transport Media Gateway: audio conversion

 Firewall Non-stateful filtering Stateful filtering Application layer filtering (ALGs) NAT / firewall piercing (H.323 : 2xTCP, 4x dynamic UDP - 1719,1720) (SIP : 5060/udp) Encrypted VPN SSL/TLS IPsec Where to encrypt (LAN-LAN, phone-phone, etc)?

Denial of Service ICMP Flood IP Spoofing Port Scans Land Attack IP Source Route Evasdropping or recording In VOIP eavesdropping is a type of an attack, if an attacker able to eavesdropp a communication. Then he can launch different type of an attack like Man in the Middle attack etc. Call Hijacking and Spoofing Call Redirection Voice SPAM (Vishing, Mailbox Stuffing, Unsolicited Calling) Voicemail Hacking

 Signaling Layer Attacks SIP Registration Hijacking Impersonating a Server SIP Message Modification SIP Cancel / SIP BYE attack SIP DOS attack Media Layer Attacks Eavesdropping RTP insertion attack SSRC collision attacks

SIP Registration attack Attacker impersonates a valid UA to a registrar himself as a valid user agent. So attacker can recieve calls for a legitmate user. Impersonating a Server When an attacker impersonates a remote server and user agent request are served by the attacker machine. SIP Message Modification If an attacker launches a man in the middle attack and modify a message. Then attacker could lead the caller to connect to malicious system. SIP CANCEL / SIP BYE SIP Denial of Service In SIP attacker creates a bogus request that contained a fake IP address and Via field in the SIP header contains the identity of the target host.

Eavesdropping SSRC collision If an attacker eavesdropp the conversation and uses one s peer SSRC to send RTP packet to other peer, it causes to terminate a session.

 Two types of security solutions End-to-End security In SIP end points can ensure end-to-end security to those messages which proxy does not read, like SDP messages could be protectedusing S/MIME. Media is transferred directly, so end-to-end security is achieved by SRTP. Hop-by-hop security TLS, IPSec TLS provide transport layer security over TCP. Normally SIP URI is in the form of sip:abc@example.com, but if we are using TLS then SIP URI will be sips:abc@example.com and signaling must be send encrypted.

 Authentication means to identify a person. If we take SIP as signaling protocol in VOIP, it defines two mechanisms for authentication HTTP digest authentication S/MIME HTTP Digest Authentication HTTP digests mechanisms used between users to proxies, users to users but not between proxies to proxies. S/MIME S/MIME uses X.509 certificates to authenticate end users in the same way that web browsers use them.

 In VOIP media is send directly between users using RTP. Encryption of media is achieved by IPSec Secure RTP (SRTP)
It provides a framework for encryption and message authentication of RTP and RTCP. Cipher Algorithum: AES Authenitcation is an optional feature. SRTP uses Security Description for Media Streams (SDES) algorithum to negotiate session keys in SDP.

MIKKEY
Mikkey provides its own authentication and integrity mechanisim. Mikkey messages carried in a SDP with a=key-mgmt attritbute.

SIPScan - enumerate SIP interfaces TFTPBrute - TFTP directory attacking UDP and RTP Flooder - DoS tools hping2 TCP session flooding Registration Hijacker - tool to take over H.323 session SIVUS - SIP authentication and registration auditor Vomit - RTP Playback VOIP HOPPER IP Phone mimicing tool Dsniff - various utilitarian tools (macof and arpspoof) Wireshark (Ethereal) / tcpdump - packet capture and protocol analysis