October 13, 2007

Are we improving security for VoIP while reducing security for the rest of the network?

On episode 66 of the BlueBox Podcast, a listener, Rhodri Davies, provided feedback about the "PSTN being more secure" (minute 44:43) where he played devil's advocate and pointed out the following facts about VoIP security (please, listen to the audio for the original comments):
  • Does the improved security just apply to telephony itself rather than to the IP network as a whole?
  • It seems VoIP protocols were designed to be hardly secured ;): Complex signaling, dynamically negotiated ports, point to point communications, etc. It is hard for conventional firewalls to deal with these protocols.
  • Protecting the whole IP network is made more complicated by the presence of VoIP.
  • Are we trying to improve security for the telephony while reducing security for everything else in the network?
He wanted to now Dan and Jonathan opinions, and Dan asked for other listeners comments, so I decided to jump in ;)
I agree with the comment that the design of VoIP protocols like SIP and RTP was not gracefully aligned with security. Fortunately, we've found security solutions to this (see below), and this is changing with the introduction of new VoIP protocols like IAX2. The fact the signaling and media traffic travels through a single port makes IAX2 more firewall friendly. At least it seems we are learning from the past, something that it is not always true in infosec.

It is true also that complexity and security are not very good friends, and that complex VoIP protocols are difficult to secure. However, we already have (and are in the process of getting standards for) the technologies required to do so, such as stronger signaling authentication and identity, signaling encryption through SIPS (TLS-based SIP) or SIP over DTLS, or media encryption using SRTP (Secure RTP) and key exchange mechanisms, like ZRTP or DTLS-SRTP.

In relation to the firewalls analysis, I agree that conventional firewalls were not designed to, and cannot, deal with VoIP protocols easily. Similarly to Web applications protection today, where we need specific Web-based firewalls to inspect all HTTP, Web 2.0 and Web services traffic, for VoIP we require special security devices like Session Border Controllers (SBC's) or Application-layer Gateways (ALG's) to inspect and filter VoIP traffic. These can be independent devices or get integrated as a module into traditional firewalls. Similarly to Web encrypted traffic (HTTPS), we also need solutions to deal with the inspection of VoIP encrypted communications. Apart from the obvious recommendation of segregating data and voice traffic in different networks or VLANs, I suggest to use different and separate devices/firewalls for the standard IP data traffic and for VoIP.

In the same way we do not consider Web and secure Web applications, and its inherent complexity, a motivating factor involved in reducing the overall network security (or we do? ;) ), I don't think VoIP does. Of course VoIP introduces new attack vectors, threats and risks, and we have the opportunity and the tools to enjoy dealing with them ;)

Honestly, I think VoIP is helping a lot to increase the overall security of network architectures. The introduction of VoIP brings network segregation awareness, and new and more secure network designs. A good design and architecture, based on defense in depth and layered security principles, directly helps to increase the overall network security.

As a security consultant, about seven years ago I started promoting the usage of network authentication and access through 802.1x (it even appeared on my first GIAC paper). I could never understand why we all agreed to the need of strong authentication and authorization mechanisms for systems and applications, but this was "never" the feeling for the network itself. With the help of penetration testing exercises, I've been educating organizations through the years about the internal threat risk and the need of layer-2 controls in data networks. The introduction of wireless technologies, with no physical barriers, incredibly helped to promote the usage of 802.1x/EAP. In some environments, 802.1x has been extended to the wired network too, and I think VoIP is going to tremendously help even more to extend 802.1x/EAP to any network based device (data or voice, wired or wireless). This will lead to more advanced network access/admission control (NAC) or protection (NAP) environments, even to specific ones focused on VoIP endpoints.

As the main author of the new hands-on SANS VoIP Security course (Security 540), I reflect in the author statement the need to overcome the "VoIP cannot be secure" misconception, and briefly answer the common question: "What is (or could be) more secure, VoIP or the existing PSTN?"

To sum up, to secure a VoIP network, and the data network as a consequence, besides architecting the network from a security perspective, you must implement multiple security controls:
  • At layer-4 and above, over TCP or UDP, you need to use secure VoIP protocols (there are other options, but these are the most promising ones today):
    • Signaling: SIPS (TCP) or SIP over DTLS (UDP)
    • Media: SRTP
    • Key-exchange: ZRTP or DTLS-SRTP
  • At layer-3 there are firewall-related VoIP solutions like ALG's and SBC's.
  • At layer-2 there are multiple network related solutions, such as 802.1x/EAP, VLAN's, Private VLAN's (PVLAN's), switch port security, Port-based ACL's (PACL's), VLAN ACL's (VACL's), MAC and ARP monitoring, etc. We just must get used to implement all them in any IP-based network, data or voice-based!!
BTW, if your current or planned VoIP deployment includes DTLS, you must be aware of a recent critical flaw in OpenSSL's DTLS implementation (CVE-2007-4995) that could permit remote code execution. Please, check with your vendor if their VoIP products are based on the OpenSSL implementation and ask for fixes.

Labels:

4 Comments:

Anonymous Anonymous said...

Raul,
Couldn't one argue that the PSTN was more secure due to the effort required by the government to wiretap a conversation? In the PSTN, a physical tap needed to be inserted into the line. However, with switched digital architectures, the government simply orders the telecom providers to mirror all the traffic they want to government systems for collection and recording. Bruce Schneier had a good blog a while back regarding the FBI wiretapping network. http://www.schneier.com/blog/archives/2007/08/technical_detai.html

- Regards, Andrew

4:13 AM  
Anonymous Anonymous said...

Raul, As the person who started this thread with my Devil's Advocate comment on Blue Box I wanted to say thanks for the resposne, this was the kind of thing I was trying to elicit, and I agree with what you say.

I think one of your comments is telling though - "...to secure a VoIP network, and the data network as a consequence, besides architecting the network from a security perspective, you must implement multiple security controls".

If you do that that things will be secure, however, security professionals know from experience that this is not a perfect world and people will tend to throw in new systems without adjusting their security. If you do the extra work things will be fine, if you do the minimum to get VoIP working you are reisking problems down the line.

Nothing new there of course! We've heard that story with every other new technology that has come along. It is not an argument for doing nothing it is just the age old argument for doing it right.

Anyway thanks again for following up on my original message to Blue Box. One of the things I like most about Blue Box is the community around it.

10:09 AM  
Blogger Raul Siles said...

Andrew,
The way I see it is that the main differentiator is physical security. The PSTN completely relies on a single protection mechanism, and once the attacker gets physical access to the target line, game over! At least, we can apply defense-in-depth principles to VoIP.

From an overall wiretapping perspective, obviously it is easier for law enforcement (LE) to use the new technologies to monitor communications remotely (and even from a centralized location), without requiring direct physical access to the lines. The same applies to mobile networks (GSM, GPRS, UMTS, etc), where the operator can monitor and decrypt cell conversations selectively.

However, one of the current research areas in VoIP is how to enable legal wiretapping for LE when voice encryption is used (e.g. as required by CALEA). We're pretty much in the same scenario as with HTTPS: It protects the Web communications but increases the complexity of monitoring the traffic.

NOTE: Schneier's site is currently down. I'll check the article and come back with comments if appropriate.

10:44 AM  
Blogger Raul Siles said...

Rhodri,
Thanks for following up! I completely agree with your comments. From a security perspective, VoIP is pretty similar to all the other technologies we are used to. People need to always thing about security for new deployments, and apply best practices.

You're right, and as security professionals, we need to be very exhaustive and meticulous. As defenders, we need to protect each and every security whole; the attacker only needs to find one to break in. We are in a clear disadvantage, so we need to do it, and do it well :)

10:55 AM  

Post a Comment

<< Home