Securing Voice Over Network Assets

Question 1

Threats to PBXs

Answer 1

Theft of service – I.e., toll fraud, probably the most common of motives for attackers.
Disclosure of information – data disclosed without authorization, either by deliberate action or by accident. Examples include both eavesdropping on conversations or unauthorized access to routing and address data.
Data modification – data altered in some meaningful way by reordering, deleting or modifying it. For example, an intruder may change billing information, or modify system tables to gain additional services.
Unauthorized access – actions that permit an unauthorized user to gain access to system resources or privileges
Denial of service – actions that prevent the system from functioning in accordance with its intended purpose. A piece of equipment may be rendered inoperable or forced to operate in a degraded state.
Traffic analysis – a form of passive attack in which an intruder observes information about calls and makes inferences from things such as the source and destination numbers, or the length or frequency of the calls.

Question 2

PBX security vs OS Security

Answer 2

External access/control – Like larger telephone switches, PBXs typically require remote maintenance by the vendor. Instead of relying on local administrators to make operating system updates and patches, organizations normally have updates installed remotely by the switch manufacturer. This of course requires remote maintenance ports.
Feature richness – The wide variety of features available on PBXs, particularly administrative features and conference functions, provide the possibility of unexpected attacks. A feature may be used by an attacker in a manner that was not intended by its designers. Features may also interact in unpredictable ways causing security problems. Even though the features may be fairly standard, the implementation between vendors is different, thus the reason instruments can often not be interchanged between PBXs.

Question 3

PBX susceptibility to tapping

Three General methods

Answer 3

Analog Voice with separate Control Signals
Analog Voice with inclusive Control Signals
Digital Voice with Inclusive Control Signals

Question 4

PBX Signaling information

Answer 4

is typically commands to the instrument (turn on indicators, microphones, speakers, etc.) and status from the instrument (hook status, keys pressed, etc.).

Question 5

Analog Voice with separate Control Signals

Answer 5

Analog voice is passed between the PBX and the instrument on either a single pair of wires or two pairs (one for transmit and one for receive). If there is any additional signaling communication (other than the hook switch) between the PBX and the instrument, it is done on wires that are separate from the voice pair(s). The voice line can be easily tapped by connecting an amplifier to the pair of voice wires. The amplified voice signal can then be heard directly with a speaker or headphones or be recorded.

Question 6

Analog Voice with inclusive Control Signals

Answer 6

Analog voice and control signaling is passed between the PBX and the instrument on either a single pair of wires or two pairs. This can be done if the signal path is of high enough bandwidth to pass voice information (less than 4KHz) plus additional data information. For example, voice information can be combined with data information modulated onto a carrier tone that is centered outside of the voice band.
Vulnerable to tapping by connecting an amplifier to the pair and passing signal through filters to separate the voice and data information. Data information can be recovered by demodulating the carrier tone.

Question 7

Digital Voice with Inclusive Control Signals

Answer 7

Voice and control signaling data are passed across the same pair of wires. There may be two pairs of wires, one for each direction, or both directions could be combined onto one pair of wires using echo cancellation. Conventional tapping techniques won’t work against most types of digital lines.

If separate pairs are used for transmit and receive, each pair could be tapped to provide access to the bit streams but the format needs to be determined.

Question 8

Echo Cancellation

Answer 8

If both transmit and receive are combined on one pair using echo cancellation, the digital voice with inclusive control signals tapping methods would not work.

Each transmit end of the link can only determine what is being received by subtracting out what it is transmitting from the total signal. An attack would depend on a known original condition on an end.

Question 9

Maintenance Feature Vulnerability - Maintenance-out-of-service (MOS)

Answer 9

this feature allows maintenance personnel to place a line out of service for maintenance. If a line is placed MOS while it is in operation, the PBX may terminate its signaling communication with the instrument and leave the instrument’s voice channel connection active even after the instrument is placed on-hook.

Question 10

Maintenance Feature Vulnerability - Line Testing Capabilities

Answer 10

the ability to connect two lines together in order to transmit data from one line to the other and verify whether or not the second line receives the data properly. This feature would allow someone with maintenance access to connect a user’s instrument to an instrument at another location in order to eavesdrop on the area surrounding the user’s instrument without the user’s knowledge.

Question 11

Benefits usually cited for implementing VoIP

Answer 11

Long-Distance toll savings
Increased number of calls with less bandwidth
Additional and enhanced services
Most efficient use of IP assets
Combined network/telecom infrastructure

Question 12

IP Telephony - H.323 Components

Answer 12

Terminal
Gateway
Gatekeeper
MCSU

Question 13

IP Telephony H.323 Components - Terminal

Answer 13

a terminal, or a client, is an endpoint where H.323 data streams and signaling originate and terminate. It may be a multimedia PC with a H.323 compliant stack or a standalone device such as a USB (universal serial bus) IP telephone. A terminal must support audio communication; video and data communication support is optional.

Question 14

IP Telephony H.323 Components - Gateway

Answer 14

Gateway – a gateway is an optional component in a H.323-enabled network. When communication is required between different networks a gateway is needed at the interface. It provides data format translation, control signaling translation, audio and video codec translation, and call setup and termination functionality on both sides of the network.

Question 15

IP Telephony H.323 Components - Gatekeeper

Answer 15

a gatekeeper is a very useful, but optional, component of an H.323-enabled network. Gatekeepers are needed to ensure reliable, commercially feasible communications. When a gatekeeper exists all endpoints (terminals, gateways, and MCUs) must be registered with it.

Question 16

IP Telephony H.323 Components - Gatekeeper Services

Answer 16

Address translation
Admission and access control of endpoints
Bandwidth management
Routing capability

Question 17

IP Telephony H.323 Components - MCU

Answer 17

A multipoint control unit (MCU) enables conferencing between three or more endpoints. Although the MCU is a separate logical unit it may be combined into a terminal, gateway, or gatekeeper. The MCU is an optional component of an H.323-enabled network.

The MCU provides a centralized location for multipoint call setup. Call and control signaling are routed through the MC so that endpoints capabilities can be determined and communication parameters negotiated.

Question 18

IP Telephony H.225 and H.245

Answer 18

H.225 performs the signaling for call control. H.225 uses H.245 to establish and terminate individual logical channels for communication

Question 19

Five phases of signaling process

Answer 19

Call setup
Initial communications and capability exchange
Establishment of audiovisual communication
Call services
Call termination

Question 20

Which protocols does signaling use?

Answer 20

TCP (H.225 and H.245), UDP(everything else), and IP(everything)

Question 21

If an organization uses a networking vendor, do they use a PBX?

Answer 21

No. A data switch.

Question 22

If an organization uses PBX vendor, do they use a PBX?

Answer 22

Yes.

Question 23

If an organization uses a telecom firewall, do they use a PBX?

Answer 23

Yes. See picture.

Question 24

Benefits of Telecom Firewall Strategy

Answer 24

Least cost Routing
Security – PSTN & Internet
Leverage Existing Infrastructure

Question 25

QOS Issues w/ IP Telephony

Answer 25

Bandwidth (minimum)
Latency (maximum)
Jitter (delay variation)
Packet loss (network congestion or errors)
Availability (individual)
Reliability (network)

Question 26

Special VoIP Security Considerations

Answer 26

Availability requirements for VoIP are extremely critical, higher than normal network operations.
VoIP applications are badly behaved IP applications.
-Tend to use dynamically negotiated ports.
Makes security job harder since we don’t know in advance which port numbers represent legitimate communication.
VoIP applications are more sensitive to delays and other performance issues
-IP designed to work over slow, noisy networks.
Current IP security devices designed to meet the needs of a data-oriented network.

Question 27

Benefits of Security in IP Telephony

Answer 27

CIA and AN

Question 28

Basic Threats to IP Telephony

Answer 28

Data network access through VoIP ports (tunneling)
Free long distance calls over PSTN (spoofing)
Eavesdrop on conversations (packet sniffing)
Record conversations without authorization
Modify, delete, or replace fax/voice packets
Forward incoming phone calls to somewhere else
Denial-of-Service attack on business phone system
Denial-of-Service attack on business data network
Expose private conversations on Internet
Hijack conversations
Block calls of targeted individuals
Log all calls through an organization

Question 29

VOMIT Application

Answer 29

Converts Cisco IP phone convo into a wave file. Can be player from tcpdump output file.

Question 30

IP Telephony Security Restraints (The reason security is practically non-existent)

Answer 30

adds latency to the voice packet
increases computational load of network devices
doesn’t work well with data-centric VPNs
doesn’t work well with data-centric firewalls
increases bandwidth requirements
public-key infrastructure not globally available
doesn’t work well with NAT-enabled routers/firewalls

Question 31

VOIP Gateway w/ IP Firewall port issue

Answer 31

Some firewall ports are left open to allow VoIP packets. Opened ports can be attacked.

Question 32

A VoIP Capable Firewall should

Answer 32

Allow a host to send packets to another through dynamically

assigned ports, Allow signaling devices to “control” the firewall.

Question 33

Traditional Responses to IP Telephony Security Threats

Answer 33

IP Firewalls
-must prioritize to not delay critical packets such as VoIP
-must handle multiple dynamic UDP port assignments
-must be able to handle or else not use NAT
VPNs
-must prioritize VoIP packets
-must handle numerous smaller packets
-must not add too much latency
Encryption
-needs to be FAST
-PKI issues need to be addressed