Security In Voice Over IP Converged Networks 113
dotslash writes: "This article at Internet Telephony Magazine has a very interesting analysis of security issues created by converging data and telephony networks with VoIP: "When the phenomenon of "convergence" between telephony and Internet started, it also brought closer the world of the phreaker and the hacker. VoIP brings all this to the next level. Unfortunately, the security inherent in VoIP solutions is equivalent to that of the early Internet: Non-existent.""
Simple Answer (Score:2)
Re:Simple Answer (Score:3, Insightful)
I'm not saying it's a good idea to just forget about security, but people should remember there's nothing sacred about privacy electronic communications. If it's really important to keep something secret, don't say it on an insecure line.
Re:Simple Answer (Score:2)
Re:Simple Answer - Simpler solution (Score:1)
As if analog was better? (Score:4, Interesting)
"Virtually no security" is an improvement over "_no_ security."
Re:As if analog was better? (Score:1)
Re:As if analog was better? (Score:1)
Yeah, but a voice T1 hardly qualifies as an analog phone line.
Not true (Score:2)
I my self am a good neighbor. I'm a good neighbor with 5 years worth of experience. Feel free to contact me if you wish to hire me.
Re:As if analog was better? (Score:2)
Re:As if analog was better? (Score:1)
Re:As if analog was better? (Score:2)
Another mention of the problem from last year (Score:1)
Security inherited from IP network? (Score:4, Insightful)
That said, I really don't see VoIP on a large scale taking off for a while. Two things need to occur before that happens;
- Suitably fast data service has to be ubiquitous. Spotty DSL/Cable coverage won't do it.
- Said data service has to be less expensive than conventional phone service. This one's a no brainer.
- Wireless data on a large scale would help as well.
So far, I don't see these criteria being met in all but niche markets, and that's exactly where VoIP has found itself... for now.
Re:Security inherited from IP network? (Score:3, Informative)
Now security is a bit of a concern, but since most people who would want to intercept my calls would likely try either the analog line first or else try to intercept the cordless phone signal, I'm not worried too much. If they can get in, they can listen to me get pestered by friends for solutions, or hear about how my nephew across the country is doing well in school. If I had something really pressing, I'd look for another solution, but for now I'm content to wait for the service to provide support through a firmware update, and if they don't and I need it then I'll look for something else.
Re:Security inherited from IP network? (Score:3, Informative)
Then you are crazy. The amount of money that can be saved by rerouting interoffice calls over the corporate wan is staggering. Because business class SLA's on PRI's for voice are so expensive many businesses are still paying rates close to what consumers were 10 years ago, not the great low rates we are used to today. In the case of our large (180 person) satelite office nearly 80% of our long distance traffic (measured in minutes) was back to one of the companies two major north american campuses or to our manufacturer in taiwan, when we decided to move to VoIP it was determined that the equipment would pay for itself in about 9 months, not a bad ROI at all!
Re:Security inherited from IP network? (Score:2)
Sometimes I think that gets overlooked in doing pricing comparisions. Bandwidth isn't free. PRI SLAs aren't cheap, but Frame circuits, PVCs, and CIR aren't cheap either.
Re:Security inherited from IP network? (Score:2)
Re:Security inherited from IP network? (Score:2, Insightful)
You are failing to consider large-scale campus and satellite office type situations. Two terrific examples being Enormous State University and Maximegalon Consolidated, Inc.. Each of them is just dying to get VOIP going, just to save on long-distance charges between the disparate campuses where they do business. Flat rates is always preferable to toll-based rates. Especially business rates.
What amazes me is that most post here that I've read are considering freedom from evesdropping as the only inmportant aspect of security. Far more important in this situation is theft-of-service.
Some folks have brought up the obvious aspect of this by pointing out that live, unsupervised network jacks are not exactly uncommon on large university campuses, often also in many corporations. Throw unsecured wireless nets in and the networks become very porous indeed. While those ARE potential disabling factors in VOIP security, they aren't the true achilles heel. Those are the issues that are already known from the regular computing-over-IP security regimen. There are well known security regimens to handle tham. Those may or may not exist at any given location, depending on the diligence of the security professionals.
What few people are considering is something that is built right into VOIP, as an aspect of adapting private-network telephony to the public-network internet: VOIP call signaling is IN-BAND. I'll say it again: Voice-Over-IP signalling is IN-BAND.
You can encrypt the content of the call all you want, but the information necessary to get the calls through on VOIP has to be accessible to the devices that route the call. Encryption (at current tech) of the signalling will slow down the call enough to impact quality of service.
If you can eavesdrop on signalling info, you can pretty easily spoof it. Spoof it, and you get a free net-dail-tone. Spammers like open mail relays; hacking/phreaking college students will LOVE open out-bound lines to ANYWHERE.
SSL (Score:1)
Re:SSL (Score:2, Interesting)
Just think of the amount of packets you have to crypt/decrypt per second.
If we assume 44khz, 16-bit (depends on the ADC/DAC I guess) data, well that's a lot of packets.
No one wants to have a 1-2 second delay in their phone conversation.
Re:SSL (Score:2, Interesting)
I agree that lag may potentially become a problem as number of VoIP sessions grows, but, hey, that's what you need a hardware crypto gadgets.
Some Numbers about Voice over IP (Score:2, Informative)
Regular phone networks encode data at 64 kbps (that's bits per second, not bytes) - 8000 samples/seconds, 8 bits per sample.
Cell phones use more extreme compression, and can transmit at less than 16 kbps. Ever noticed how they sound worse, though?
Any stream has a built in delay - you have to buffer up enough sound in a packet before you send it off. So a 1 ms delay means 1000 packets a seconds, which is inefficient for voice. Buffering in voice calls is usually tens of milliseconds.
Delays of under 100 ms are usually not noticable. Delays of 500 ms will bug the crap out of you.
And, of course, there is the speed of light limitation, (5 milliseconds for 1000 miles - once you route that through a fiber optic cable, it can be a few times that, depending on the dielectric constant of the fiber.).
Re:Some Numbers about Voice over IP (Score:3, Informative)
As an example, look at ppp: your ping time over a 56k modem to your ppp server is going to be around 100ms but it takes about 250ms for a 1500 byte packet to get transfered which is why modem users often see around 200-300ms ping times when playing online games (depending on the size of the packets). Even with that 100ms delay, you will still get about 4 packets per second even though 350*4=1400 (or 325*4=1300 if you're going to split the ping).
Re:Some Numbers about Voice over IP (Score:1)
I always measured voice delay from the microphone at the input to the speaker at the output. Your definition is also reasonable.
But if I'm using one of these things, it's the end to end delay that matters to me.
Re:SSL (Score:1)
SSH does TLS negotation or something very similar (it uses OpenSSL, either way) and is *more* than capable of transfering files at 100+KBps even on an old 486 at 66Mhz.
--Knots;
Re:SSL (Score:2)
Telephone signals -- the current ones -- are 8 bit, 8 KHz and compressed out the wazoo.
You aren't playing a concert thru the phone, just talking!
SSL wont cut for many reasons (Score:3, Informative)
* it's transport layer protocol, not an IP one. By default it runs on top of TCP, while majority of VOIP protocols do not require TCP's reliability. Needless to say that this is voids no good by any means.
* it requires reliable carrier for key establishment/renegotiation. Hence dropped and out-of-order packets will effectively break session. This means that you cant just stick SSL between V and IP layers.
You still can run SSL over unreliable layer (such as UDP or IP itself), but this will require certain protocol 'fixup' effort, which might end up be no less effort than building VoIP security from the scratch.
The simpliest solution along the lines of your suggestion would be to use IPsec and classical VPNs. Throw in IKE and you get yourself PKI-based system. It'd be somewhat pain in the arse to configure, but as a quick and dirty solution is will suffice.
Security (Score:2)
Well, there is a flaw in the laws regarding IP networks.
Again, I'd say this is a flaw in the law.
The article points out that older analog telephone lines are covered by laws that prevent people from tapping the lines unless it is someone with the authority and authorization to do so. The article makes it look like the laws regarding VoIP are less advanced, and desperately need updated.
Legal things aside, I would have thought that by now, in this day and age, people would consider security when providing a new service that runs over a computer network. I'm dissapointed in the comapnies who have disregarded security here.
Is there no easy way to make it all tunnel through SSH?
Re:Security (Score:1)
Not the media. The media streams (presently) are mostly UDP streams. This will change once the end-to-end encryption has been implemented by the proxy and UA manufacturers.
It's worth pointing out whether it is tasteful or not is one thing, but the fact is that legislation make is the obligation of the service provider to tap and provide access to a subscriber's calls when the appropriate procedures [epic.org] are followed by law enforcement officials.
The CALEA hurddle, as it is starting to be known in the VoIP world, has solutions [google.ca], some of them good. Typically the place where you are interested in maintaining your internal network VoIP security or gating control is a good place to implement a CALEA solution too.
Little known fact (Score:5, Funny)
Re:Hmmmmmm (Score:1)
Re:Little known fact (Score:1, Troll)
Its all a matter of design... (Score:1)
But encryption is definitely feasible. They already use encryption on satellite phones and whatnot, so what is preventing them from adapting that technology to VoIP?
The VPN idea that was mentioned was quite interesting. That would indeed work if the software can keep up with real time.
But really VoIP has the same concerns as normal phones and wireless phones. You can intercept calls in both of the other systems (gaining access to phone lines, intercepting cell transmissions, or stealing phone IDs).
So I don't think that security concerns should stand in the way of using VoIP. I wouldn't use it for your most secure of conversations, but soon enough the technology will get better, since now people realize there is a need for this kind of thing.
Do old school phreaks still work (Score:1)
Re:Do old school phreaks still work (Score:1)
Whenever you dropped coins into a pay phone the phone would emit 5 certain frequency tones. People figured out the frequency and amplitude of these tones and played them into the handset, and voila! free phone calls.
They have since upgraded pay phones so that these tones aren't used anymore.
Re:Do old school phreaks still work (Score:2)
Re:Do old school phreaks still work (Score:2)
There's still things that will work though. Not much stopping someone from climbing a pole with a butt phone and tapping another line, etc..
Re:Do old school phreaks still work (Score:1)
Just be sure you take the time to note the difference between a phone cable and a power cable. That's one thing you don't want to learn the hard way.
Who really gives a shit! (Score:3, Insightful)
If you're actually reading this thread - you're wasting your time.
do you really care if someone can easily tap your phone conversations?.
More importantly:
is the value of your conversation worth the energy required for someone to crack your phone call?
In a security course (both in college, and later in a Cisco class) we heard that the risk is equal to the value divided by the effort required to get at that value.
Now: I don't believe this quote exactly, but it's point is clear.
Nobody I know would spend the effort required to tap my personal line just to hear something I might not tell them directly.
Further: Companies with secrets can use:
I. Standard Non-Secure Phone Lines
II. Secure VoIP solutions
III.Standard VoIP solutions over a VPN
Re:Who really gives a shit! (Score:1)
Cisco plays down security issues (Score:2)
"No don't worry yourselves on security just BUY MORE"
Then agian dont worry that standards are still emerging and this stuff will be out of date within two years.
Don't worry that interoperability with many PABX is only partial.
Don't worry that you may loose many of the smart features of your current PABX.
Dont Worry, BUY MORE
Re:Who really gives a shit! (Score:1)
Re:Who really gives a shit! (Score:2)
Maybe you should find better instructors. If the value of the cracking a system exceeds its costs then there are a different set of people that will be tring to crack the system. Most web site cracks have no value (money wise) to the cracker.
bring bring (Score:3, Funny)
what? is this ~l33t_hax0r? i'm sorry, there's no such user.
no, no, this is 129.168.0.1, you must have meant to connect to 192.168.0.1.
j00're welcome.
*click*
goddamnit, i gotta install a firewall.
SIP and security. (Score:4, Informative)
Sure, the protocol itself may have exposure issues, and problems with NAT/PAT devices, but there are companies on the market that are addressing these issues as they arise.
Re:SIP and security. (Score:2, Insightful)
1) No key exchange
2) What is the trust infrastructure ? Here we
are on Amazon,demanding server authenticity for
our 10 dollar book. Yet the SIP call agents
don't have a trust infrastructure definition
and they are supposed to route thousands of
phone calls.
3) Partial payload encryption. SIP has fields
which are hop mutable(changeable). "shudder"
Stating "we use SSL or IPSec" ain't gonna
cut it.
4) SIP is the signalling, xGCP is the control
and RTP is the data. MGCP is a text protocol
and their is no standard for encryption this
bad boy protocol AFAIK.
What the SIP working group really needs is new WG chairs who will stop letting every 2 bit company get a RFC so that their little POS will work. And then they need to define how the heck
all the protocols work together. SIP is the signalling ? How does it exchange RTP keys ? Ask a SIP WG member that question... duh.
I think we should disband the IETF WG since it is fundamentally flawed. It has defined a protocol(and perversed beyond reason), and didn't bother to think how it's gonna work with others securely. No trust models, nothing...at least CableLabs specifications define a security model.
coward76 AT yahoo DOT com
Re:SIP and security. (Score:2, Interesting)
Also, most SIP proxy servers support TLS for secure connections at least between proxies.
The security problems are real, but it doesn't help anybody (except consultants, maybe) to spread myths.
Encryption and Authorization are not the only way (Score:2)
Also, in some environments VOIP on top of IPsec may be reasonable. The article is NOT entirely on target (IMHO it's a cheap hit piece). Consider the Cisco IP Phone in a work station. Since a person plugs his or her PC into the phone for network connectivity, you merely need to have some way to trust that the phone is authorized to use QoS, and you can thus encrypt voice traffic AND have the phone do classification.
And that trust can be gotten on the small with simple approaches such as MAC address lockdowns on your switches.
Re:Encryption and Authorization are not the only w (Score:2)
MAC address lock down can be broken on many switches. The common trick is overfill the MAC tables with fake addresses until it dumps the locked down one.
Re:Encryption and Authorization are not the only w (Score:2)
Most ethernet chipsets will accept new MAC addresses from the ISA/PCI bus. MAC addresses and IP addresses are both trivial to fake. A single box dropped between the switch for the R&D dept and the next highest-up switch will net you all of the phone calls to and from R&D. Cryptographic methods are the only robust ways to get confidentiality and/or authentication. Public key systems (like SSL) are usually easier to set up than symetric key systems (like Kerberos).
I agree with many people that it's retarded to come up with a new protocol and say "run this on top of a secure layer if you want". The truth is that 99% of the population won't. It's like saying "yeah, there is this exploding gas tank problem, so weld a tank full of fire fighting foam to the back of your Pinto if you want." It's trivial to say in the standard "this must be run on top of SSL/TLS". In this case, SSL setup times are most likely faster than POTS circuit setup times, so the user going from an analog phone to an SSL/TLS IP phone won't notice any dfference.
Re:Encryption and Authorization are not the only w (Score:1)
DOS (Score:1)
Another consideration ... (Score:1)
Re:Another consideration ... (Score:2)
Remember GSM handsets do encryption/decryption in real-time (not very strong, but it could be better without overloading the CPU).
Oxymoron? (Score:2, Funny)
VoIP and webcasting CARP: on a collision course? (Score:2)
If not, hello loophole!
Re:VoIP and webcasting CARP: on a collision course (Score:1)
Just like a normal radio station, businesses do have to license the music from or otherwise come to an agreement with the copyright holder. That's why all hold music is utter crap. No businesses are willing to pay for big-name artists.
Re:VoIP and webcasting CARP: on a collision course (Score:1)
Been there, but most other haven't... (Score:5, Insightful)
I have met quite a few people, extremely skilled with PBXs, who view data networks as a black box and have almost no knowledge or methodology to work with products that use them, much less secure them.
When these people grasp the realities of the new, converged, technology, we can expect to see quite a few changes both on VoIP systems' built-in security and fail-safe operation.
It has to be said... (Score:2)
Re:It has to be said... (Score:2)
No Sorry your wrong.. All your voice is belong to Echelon..
move along please have a nice day
VPN (Score:1)
At work, we run all our voip traffic over an IPSec VPN. We use Nortel Internet Telephony Gateways for Line Sets, and i2004 phones at the remote offices.
Scary thing is.. when the phone guys were planning it.. they just wanted to expose the ITG Card to the internet to make the phones work!!! Good thing The Data Guy (me) stepped in and demanded all traffic run over VPN's to prevent getting hacked.
When I explained it to them, they had a lightbulb moment. So, companies, beware of the telecom folks you have install your networks.. a lot of the sector isn't ready for convergence. And only a handful of us have a data *AND* voice team.
My School's IP Phone Fiasco (Score:5, Interesting)
My university just recently overhauled the on-campus phone system. They replaced the old (working) system with IP phones. They did the whole job in a matter of months, despite very vocal opposition by the CS department faculty. These Cisco IP phones cost $700 a pop.
They hooked the central hub of the phone system up to generators in the event of a power failure. Unfortunately, all our phones depend on switches and routers scattered throughout campus, and the phones themselves have DC power adapters. In the event of a power outage, the central hub will stays on-line, but all the phones throughout campus go out!
When asked what students and faculty should do in the event of an emergency during a power outage, our IT services department responded, "Try to find someone with a cell phone!"
Worse yet, switches have a mean time to failure of 100,000 hours. With 2,000 switches throughout campus, sections of the phone system go out once every 50 hours. The current average time for IT services to replace a down switch is 2 weeks.
These phone have web servers, and a few other goodies. I'm just waiting until an IP phone worm takes out our entire campus's network and telecommunications infrastructure.
Re:My School's IP Phone Fiasco (Score:1, Insightful)
Cisco does also recommend that the IP phones be placed in a seperate VLAN, both for easy administration and QoS treatment and security reasons. This is very easy to accomplish; you can even keep a workstation attached to the phone in the workstation VLAN - the phone will tag its own frames as belonging to the phone VLAN with 802.1q. One can place ACLs/firewalls at centralized layer 3 boundaries between the networks and place intrusion detection devices inside.
Jason Young, CCIE #8607, MCSE
jyoung@wantec.com
http://www.wantec.com
Re:My School's IP Phone Fiasco (Score:1)
Re:My School's IP Phone Fiasco (Score:2)
Re:My School's IP Phone Fiasco (Score:3, Interesting)
How does the cable powered device request power before it's got any?
Re:My School's IP Phone Fiasco (Score:1)
Re:My School's IP Phone Fiasco (Score:1)
Re:My School's IP Phone Fiasco (Score:2, Insightful)
I work for a VoIP company, doing it with a pure Cisco solution and T1 data lines. The traffic is split at the end router on the customer's site (which has a UPS for itself and the T1 equipment). Their lan plugs into one jack, their phone system (POTS or digital PBX) block into another. The voice traffic goes over the same T1 and DS3's as the data, but on a different "private" network using IPs in the "unroutable" range, until it gets the the voice switch, where it is merged with the national POTS network. The data goes through the same channels, but on publicly accessable IP ranges. All the routers have standard Cisco access security, limiting access via another private network to only machines authed to do so. Also with traffic split in that way, DOS attacks only clog the data line, as the bandwidth for the voice portion is partially reserved.
As for down-time, the most common cause is the data line itself going down. And being provided by the same company as standard phone service (baby bells), gives the same down-time, or better.
Also worthy of mention is that standard POTS lines are not the same old analog lines back to the telco as most people believe. They too get digitized along the way and are sent out on T1/DS1 T3/DS3 lines(DS3=28*DS1's, DS1=24*DS0 lines = 672POTS lines/DS3 using TDM/PCM).
Tm
Re:My School's IP Phone Fiasco (Score:2)
Ever look at how much power these phones take? Cisco uses 48V (which means you need an over priced regulator circut to drop it to 3.3v inside the phone) and 3Com use 24V which means they can use a lower cost regulator but the current is higer. You end up with serveral watts of lost in each wire. Real phones don't seem to have either of these problems.
A bit alarmist... (Score:1)
And this thing about DOS attacks is BS. What corporation in their right minds would carry they VOIP traffic directly over the Internet... C'mon!
Re:A bit alarmist... (Score:1)
802.11b VOIP (Score:1)
What security??? (Score:2)
Protects our privacy?? Oh, you mean like when I use e-mail, IMs or even those less expensive wireless phones?
I guess that head in sand == privacy.
Some good points, some dumb ones... (Score:5, Informative)
The fact of the matter is that most of the large emerging packet telephony networks are not being deployed in enterprises, but in the carrier networks -- telephone companies around the world are replacing their old circuit-switched back-haul networks for packet-switched networks, either ATM or IP. These are private networks which are not open to the general public, and so do not have the same risks as, say running VoIP on the internet would. Sure, the telcos still need to watch out for attackers... it's just that you've raised the bar far enough that 'script kiddies' would have a tough time.
The article also has an over-simplified view of the effort needed to tap an IP phone call. Even if the user were able to mirror any port on the network onto his computer, he still has the extremely hard task of figuring out which port(s) he needs to monitor -- they typically change on a per-call basis, and the user would actually have to mirror two ports (one for each direction of speech) in order to get the entire call. Now, it can be done, but it's difficult. And, it's made even harder because the signalling path (the communication link that handles setting up calls) is usually encrypted, so it becomes impossible to distinguish among calls.
SIP security (Score:1)
Bogus.
The guy hasn't heard of SIP over TLS or S-MIME payloads in SIP signaling.
Think about ISP's providing these services (Score:1)
some considerations (Score:2, Informative)
1. almost all VoIP installations are run on switched networks and phone calls are inherently unicast so only source, destination, and possibly a router can see the traffic. Yes, conference calls can be multicast - but most aren't and switches prune non-multicast group member from the broadcast domain anyway
2. Almost all VoIP installations place voice traffic on a separate VLAN. This VLAN is ususally well protected through routers and the like. Also it's easy to enhance security for the VLAN with basic switch/LAN security techniques (tying MAC addresses to specific ports, traffic filters, even 802.1x)
3. Securing the call setup servers, gateways and other devices is relatively easy - any decent VoIP installation would protect these and distribute them so there's no single point of failure.
4. VoIP can be run of VPN's the main issue is the added latency of the encryption/decryption process.
5. VoIP over the wide area is no less secure than standard long distance.
Theft of service? Huh? Why? (Score:2)
Re:Theft of service? Huh? Why? (Score:1)
VOMIT! ew .... (Score:2, Interesting)
and don't believe the hype about the supposed safety of switched nets -- VoIP phones are so very compliant, they just love redirects.
nobody
If I was smart and wanted to make a network secure (Score:1)