larger cover

Add To My Wish List

Register your product to gain access to bonus material or receive a coupon.

Voice over IP Security

Book

  • Sorry, this book is no longer in print.
Not for Sale
  • Description
  • Sample Content
  • Updates
  • Copyright 2009
  • Edition: 1st
  • Book
  • ISBN-10: 1-58705-469-8
  • ISBN-13: 978-1-58705-469-3

Voice over IP Security

Security best practices derived from deep analysis of the latest VoIP network threats

Patrick Park

VoIP security issues are becoming increasingly serious because voice networks and services cannot be protected from recent intelligent attacks and fraud by traditional systems such as firewalls and NAT alone. After analyzing threats and recent patterns of attacks and fraud, consideration needs to be given to the redesign of secure VoIP architectures with advanced protocols and intelligent products, such as Session Border Controller (SBC). Another type of security issue is how to implement lawful interception within complicated service architectures according to government requirements.

Voice over IP Security focuses on the analysis of current and future threats, the evaluation of security products, the methodologies of protection, and best practices for architecture design and service deployment. This book not only covers technology concepts and issues, but also provides detailed design solutions featuring current products and protocols so that you can deploy a secure VoIP service in the real world with confidence.

Voice over IP Security gives you everything you need to understand the latest security threats and design solutions to protect your VoIP network from fraud and security incidents.

Patrick Park has been working on product design, network architecture design, testing, and consulting for more than 10 years. Currently Patrick works for Cisco® as a VoIP test engineer focusing on security and interoperability testing of rich media collaboration gateways. Before Patrick joined Cisco, he worked for Covad Communications as a VoIP security engineer focusing on the design and deployment of secure network architectures and lawful interception (CALEA). Patrick graduated from the Pusan National University in South Korea, where he majored in computer engineering.

Understand the current and emerging threats to VoIP networks

Learn about the security profiles of VoIP protocols, including SIP, H.323, and MGCP

Evaluate well-known cryptographic algorithms such as DES, 3DES, AES, RAS, digital signature (DSA), and hash function (MD5, SHA, HMAC)

Analyze and simulate threats with negative testing tools

Secure VoIP services with SIP and other supplementary protocols

Eliminate security issues on the VoIP network border by deploying an SBC

Configure enterprise devices, including firewalls, Cisco Unified Communications Manager, Cisco Unified Communications Manager Express, IP phones, and multilayer switches to secure VoIP network traffic

Implement lawful interception into VoIP service environments

This IP communications book is part of the Cisco Press® Networking Technology Series. IP communications titles from Cisco Press help networking professionals understand voice and IP telephony technologies, plan and design converged

networks, and implement network

solutions for increased productivity.

Category: Networking—IP Communication

Covers: VoIP Security

Online Sample Chapter

VoIP Threat Taxonomy

Sample Pages

Download the sample pages

Table of Contents

Introduction

Part I: VoIP Security Fundamentals 3

Chapter 1: Working with VoIP 5

    VoIP Benefits 6

    VoIP Disadvantages 8

    Sources of Vulnerability 10

        IP-Based Network Infrastructure 10

        Open or Public Networks 11

        Open VoIP Protocol 11

        Exposed Interface 11

        Real-Time Communications 11

        Mobility 11

        Lack of Security Features and Devices 11

        Voice and Data Integration 12

    Vulnerable Components 12

    Myths Versus Reality 14

        Legacy Versus VoIP Systems 14

        Protecting Networks Using Strict Authentication and Encryption 14

        Protecting Networks Using a Data Security Infrastructure 15

    Summary 15

    End Notes 16

    References 16

Chapter 2: VoIP Threat Taxonomy 19

    Threats Against Availability 20

        Call Flooding 20

        Malformed Messages (Protocol Fuzzing) 22

        Spoofed Messages 24

            Call Teardown 25

            Toll Fraud 26

        Call Hijacking 26

            Registration Hijacking 27

            Media Session Hijacking 27

            Server Impersonating 28

        QoS Abuse 29

    Threats Against Confidentiality 30

        Eavesdropping Media 30

        Call Pattern Tracking 32

        Data Mining 33

        Reconstruction 34

    Threats Against Integrity 34

        Message Alteration 35

            Call Rerouting 35

            Call Black Holing 36

        Media Alteration 37

            Media Injection 37

            Media Degrading 38

    Threats Against Social Context 38

        Misrepresentation 39

        Call Spam (SPIT) 39

        IM Spam (SPIM) 40

        Presence Spam (SPPP) 41

        Phishing 42

    Summary 43

    End Notes 44

    References 44

Chapter 3: Security Profiles in VoIP Protocols 47

    H.323 48

        Overview 48

            Components 49

            Basic Call Flow 50

    Security Profiles 52

            H.235 Annex D (Baseline Security) 54

            H.235 Annex E (Signature Security) 55

            H.235 Annex F (Hybrid Security) 56

    SIP 57

        Overview 58

            Components 58

            Basic Call Flow 60

            Session Setup Example 61

        Security Profiles 67

            Digest Authentication 68

            Identity Authentication 69

            Secure/Multipurpose Internet Mail Extensions (S/MIME) 70

            Secure RTP 71

            TLS 71

            IPSec 73

    MGCP 74

        Overview 74

            Basic Call Flow 75

        Security Profiles 75

    Summary 78

    End Notes 79

    References 80

Chapter 4: Cryptography 83

    Symmetric (Private) Key Cryptography 84

        DES 85

        3DES 87

        AES 89

            SubBytes 89

            ShiftRows 90

            MixColumns 91

            AddRoundKey 92

    Asymmetric (Public) Key Cryptography 92

        RSA 93

        Digital Signature 95

    Hashing 96

        Hash Function (MD5) 97

        SHA 98

        Message Authentication Code 99

            MAC Versus Digital Signature 100

    Key Management 100

        Key Distribution 101

    Summary 103

    End Notes 104

    References 104

Chapter 5: VoIP Network Elements 107

    Security Devices 108

        VoIP-Aware Firewall 108

        NAT 109

        Session Border Controller 113

        Lawful Interception Server 114

    Service Devices 116

        Customer Premise Equipment 116

        Call Processing Servers 117

            PAP Versus CHAP 119

            RADIUS Versus TACACS+ 120

    Summary 120

    End Notes 121

    References 122

Part II: VoIP Security Best Practices 125

Chapter 6: Analysis and Simulation of Current Threats 127

    Denial of Service 128

        Intentional Flooding 129

            Simulation 129

            Analysis 135

            Mitigation 137

        Unintentional Flooding 138

            Analysis 139

            Mitigation 141

    Malformed Messages 143

        Simulation 144

        Analysis 150

        Mitigation 154

    Sniffing/Eavesdropping 154

        Simulation 154

        Analysis 158

        Mitigation 161

    Spoofing/Identity Theft 162

        Simulation 162

            Prespoofing Scan 162

            Identity Theft 163

        Analysis 164

        Mitigation 165

    VoIP Spam 165

        Voice Spam 165

        IM Spam 167

        Presence Spam 167

        Mitigation 168

            Content Filtering 168

            Turing Test 168

            Reputation System 169

            Address Obfuscation 170

            Limited-Use Address 171

            Consent-Based Black/White List 171

    Summary 172

    End Notes 173

    References 173

Chapter 7: Protection with VoIP Protocol 175

    Authentication 175

        User-to-Proxy Authentication 176

        User-to-User Authentication 179

    Encryption 182

        Message Encryption (S/MIME) 183

            S/MIME Certificates 184

            S/MIME Key Exchange 185

            Formatting S/MIME Bodies 186

        Media Encryption 188

            Key Derivation 188

            SRTP Packet Processing 190

            SRTP Test 191

    Transport and Network Layer Security 193

        Transport Layer Security 194

        IPSec (Tunneling) 195

    Threat Model and Prevention 195

        Registration Hijacking 195

        Impersonating a Server 196

        Tearing Down Sessions 196

        Denial-of-Service and Amplification 197

    Limitations 198

        Digest Authentication Limitations 198

        S/MIME Limitations 198

        TLS Limitations 199

        SIPS URI Limitations 199

    Summary 200

    End Notes 200

    References 201

Chapter 8: Protection with Session Border Controller 203

    Border Issues 204

        Between Access and Core Networks 206

        Between Core and Peer Networks 207

    Access and Peer SBCs 208

    SBC Functionality 208

        Network Topology Hiding 208

        Example of Topology Hiding 209

        DoS Protection 213

            Policy-Driven Access Control 213

            Hardware Architecture 215

        Overload Prevention 216

            Registration Timer Control 217

            Ping Control 220

            Load Balancing 220

        NAT Traversal 222

        Lawful Interception 224

        Other Functions 226

            Protocol Conversion 226

            Transcoding 226

            Number Translation 227

            QoS Marking 228

    Service Architecture Design 228

        High Availability 229

            Active-Standby 230

            Active-Active 231

        Network Connectivity 232

        Service Policy Analysis 234

        Virtualization 237

        Optimization of Traffic Flow 239

            Deployment Location 239

            Media Control 240

    Summary 245

    End Notes 246

    References 246

Chapter 9: Protection with Enterprise Network Devices 249

    Firewall 249

        ASA and PIX Firewalls 251

            Routed Mode 251

            Transparent Mode 252

            TLS Proxy Feature 253

            Configuration Example 254

        FWSM Firewall 256

            Routed Mode 256

            Transparent Mode 256

            Configuration Example 257

        Limitations 258

    Unified Communications Manager Express 259

        Access Control 259

        Phone Registration Control 261

        Secure GUI Management 263

        Class of Restriction 264

        After-Hours Call Blocking 266

    Unified Communications Manager 267

        Security Features and Certificates 267

        Integrity and Authentication 269

            Image Authentication 270

            Device Authentication 270

            File Authentication 270

            Signaling Authentication 271

            Digest Authentication 271

            Authorization 272

        Encryption 273

            Signaling Encryption 273

            Media Encryption 274

            Configuration File Encryption 275

        Configuration Guideline 275

    Access Devices 277

        IP Phone 278

        Switch 278

            Mitigate MAC CAM Flooding 278

            Prevent Port Access 279

            Prevent Network Extensions 280

            Prevent Fraudulent DHCP Server 280

            Mitigate DHCP DoS Attacks 281

            Limit ARP Responses 282

            VLAN ACL 282

            Deployment Example 284

    Summary 286

    End Notes 287

    References 287

Part III: Lawful Interception (CALEA) 289

Chapter 10: Lawful Interception Fundamentals 291

    Definition and Background 292

    Requirements from Law Enforcement Agents 293

    Reference Model from an Architectural Perspective 294

        AF (Access Function) 295

        DF (Delivery Function) 295

        CF (Collection Function) 296

        SPAF (Service Provider Administration Function) 297

        LEAF (Law Enforcement Administration Function) 297

    Request and Response Interfaces 297

    Operational Considerations 300

        Detection by the Target Subscriber 300

        Address Information for Call Content Interception 301

        Content Encryption 302

        Unauthorized Creation and Detection 303

        Call Forwarding or Transfer 303

        Capacity 304

    Summary 304

    End Notes 305

Chapter 11: Lawful Interception Implementation 307

    Intercept Request Interface 308

        SIP P-DCS Header 309

            Intercept Process Flow for Outbound Call 310

            Intercept Process Flow for Inbound Call 311

        Cisco SII 313

            Device Interfaces 314

            Intercept Process Flow for Standard Call 316

            Intercept Process Flow for Forwarding Call 319

            Intercept Process Flow for Conference Call 322

            Predesign Considerations 325

            Security Considerations 326

            Configuration Example 327

    Call Data and Content Connection Interfaces 329

        Call Content Connection Interface 330

        Call Data Connection Interface 333

            CDC Messages 333

    Interface Between MD and LEA 339

    Summary 341

    End Notes 342

    References 342

Index 345

Cisco Press Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Cisco Press and its family of brands. I can unsubscribe at any time.

Overview

Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Cisco Press products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@ciscopress.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security

Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children

This site is not directed to children under the age of 13.

Marketing

Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out

Users can always make an informed choice as to whether they should proceed with certain services offered by Cisco Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.ciscopress.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links

This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020