Secured IP Telephony
Secured IP Telephony. © 2008 Aastra Communications, Ltd.

Agenda
» ToIP: risks?
» Security analysis
» Best practices
» Security in the Aastra 5K solution
» Engineering

Slide 2: ToIP risks, TDM versus ToIP
» TDM = dedicated solution without any link to the IS/IT infrastructure
  – Generally not covered by the company's security policy
  – Few applications
  – High availability level (> 99.99%)
» ToIP
  – Shared "transport" network: the IP network
  – Deep interaction with the IS/IT solution: ToIP is part of the company's processes, and ToIP projects are managed by IS/IT managers
>> ToIP is part of the security policy of every company

Slide 4: Which risks?
» Call listening-in
  – With a TDM solution, physical access to the wiring closet or to the PSTN access (with a sensor) is needed
  – With ToIP, no physical access is needed
» Service degradation: DoS (Denial of Service) or DDoS (Distributed DoS) attacks
  – Potential vulnerability to viruses or worms
  – New threats from the network world (e.g. SPIT = SPAM over unified messaging)
  – TDM solution availability = 99.998%!
» Fraudulent use of resources
  – Same risks as legacy telephony: bypassing of rights / abusive calls

Slide 5: Phreaking, examples of attacks on legacy telephony
» Attacks on access equipment
  – Phreaking: scanning of numbers, toll-free numbers
  – Voice messaging equipment
  – Free telephony
» Inappropriate use of facilities
  – Call forwarding for listening-in and extra billing, resale of telephony/IT resources on the black market, advertising messages, damage to the enterprise image…
» Denial of service
  – Busy lines, call forwarding to voicemail, …
>> ToIP is also concerned by such attacks
Slide 6: Hacking, examples of attacks on IP protocols
» Signaling protocols are subject to packet injection and listening (UDP = spoofing)
» Network sniffing: classic network analysis to obtain information
» DoS on the signaling flow: bad programming and saturation
» Playing with protocol requests: SIP CANCEL, SIP BYE
» Eavesdropping by capturing the RTP flow (e.g. with Ethereal)
» TFTP and DHCP attacks: bad configuration used to gain access…
>> ToIP is also concerned by such attacks

Slide 7: Phreaking and hacking in real life
» Attack on a VoIP provider to steal minutes
» ~1 M$ of damage
» The attack could have been prevented if "best practices" had been respected.

Slide 8: Security approach, objectives = CIA + P
» Confidentiality
  – No illegal listening / illegal access to the directory
» Integrity
  – A service cannot be created, changed or deleted without authorization
» Availability
  – Protection mechanisms guarantee the availability of the service
» Proof (audit)
  – Log of actions / CDR

Slide 10: Equipment
» Confidentiality, Integrity, Availability and Proof (audit) apply to every element
(Diagram labels: call server; gateways (IP, ISDN); applications; LAN switches; routers (level 2 & 3); WAN; management (Windows, Unix... systems); terminals dedicated to ToIP; management remote access interfaces; network servers; common servers)

Slide 11: End to end security (1/2), global approach
(Diagram labels: remote working, mobility; remote management; IP phone; CTI; SOHO; Internet; WiFi & DECToIP LAN; call server; WAN; signaling; LAN; RTC/RNIS gateway; servers & applications; SIP trunk; legacy phones; RTC/RNIS)

Slide 12: End to end security (2/2)
» Same level of protection
  – On all equipment
  – On all software layers
  – End to end
(Diagram: protocol stack to protect at every layer: application layer; operating system; transport (RTP, UDP, TCP); network (IP); data link (ATM, Ethernet); physical layer)
Slide 13: Best practices, ToIP security elements have to be reliable
» Correct end-to-end integration has an impact on security devices:
  – Risks: security level adapted to the security policy
  – Architecture: easy integration in the existing infrastructure, evolution of existing security devices, integration with the existing data infrastructure
  – Performance: quality of voice is a key factor and should not depend on network load
  – Rules: flow control should be easy to implement (firewall, proxy, SBC, ...)
>> Security has to be transparent for telephony services

Slide 16: Converged network & security, respect of best practices
» Electrical protection adapted to ToIP security prerequisites
  – UPS and battery
  – Emergency generator
» LAN/WAN design adapted to ToIP security prerequisites in terms of availability
  – Core network redundancy (power supply, CPU)
  – L2 redundancy: STP, Rapid STP, Multiple STP, 802.3ad + proprietary
  – VRRP, routing
  – Critical provider accesses

Slide 17: Converged network & security, respect of best practices
» Voice flow isolation
  – VLAN creation: broadcast limitation and voice flow isolation
  – Definition of rules for inter-VLAN filtering: on a router or L3 switch (ACL, VLAN ACL), or on a firewall
» Some network services become critical:
  – e.g. switches, DHCP server(s), TFTP/FTP server(s)
» Limit and control access to resources
  – Call server
  – Applications
  – Deactivation of unused services
Slide 18: Converged network & security, example: VLAN ACL
» Objective:
  – Prevent ICMP and TCP flooding DoS attacks (attack: ICMP flooding in the voice VLAN)
» The current generation of switches allows an ACL (Access Control List) to be defined inside a VLAN (VLAN ACL)
» IP phones talk to each other only with UDP
» Example of ACL implementation in the ToIP phone VLAN:
  – LAN ACL in the ToIP VLAN: only UDP is permitted between phones
  – Block TCP and ICMP between IP phones

Slide 19: Converged network & security, example: limitation of the number of MAC addresses per port
» Objective:
  – Prevent the attack that saturates the switch CAM table by flooding ARP requests with different MAC addresses (CAM overflow attack; attack: ARP flooding with different MAC addresses using a frame creation tool)
» The current generation of switches allows the number of MAC addresses per port to be limited
» Example: limit to 2 MAC addresses per port
  – MAC address of the phone
  – MAC address of the PC
(Diagram: switch port that allows only 2 MAC addresses)

Slide 20: Converged network & security, example: limitation of rogue DHCP servers
» Objective:
  – Prevent a rogue DHCP server on the network (attack: rogue DHCP server on the LAN)
» The current generation of switches allows some ports to be forbidden from delivering DHCP Offers
» Example
  – Forbid sending DHCP Offers on phone ports
(Diagram: voice DHCP server and data DHCP server behind ports that allow DHCP Offers; phone ports block DHCP Offers)
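The three switch-level controls on slides 18 to 20 can be checked as one per-frame decision pipeline. The following is an added example, not code from the Aastra deck or a vendor configuration: a toy switch model with constructed port names, VLAN ids and frames that applies port security (2 MAC addresses per port), DHCP Offer blocking on untrusted ports and a voice-VLAN ACL that permits only UDP between phones, in that order, and reports why a frame is dropped.

```python
"""Toy model of the three LAN hardening controls on slides 18 to 20: a VLAN ACL
that only permits UDP between phones, port security capping MAC addresses per
access port at 2, and DHCP Offer blocking on phone ports. Added example with
constructed port names, VLAN ids and frames; not an Aastra or switch-vendor
configuration."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

VOICE_VLAN = 10          # constructed VLAN ids
DATA_VLAN = 20
MAX_MACS_PER_PORT = 2    # slide 19: one phone plus the PC behind it
DHCP_SERVER_PORT = 67    # UDP source port of a DHCP Offer


@dataclass
class Frame:
    in_port: str
    src_mac: str
    vlan: int
    proto: str           # "udp", "tcp" or "icmp"
    src_port: int = 0    # L4 source port, 0 for icmp
    dst_port: int = 0


@dataclass
class Switch:
    trusted_dhcp_ports: Set[str]                                 # ports allowed to send DHCP Offers
    learned: Dict[str, Set[str]] = field(default_factory=dict)   # per-port MAC table

    def port_security(self, f: Frame) -> Optional[str]:
        """Slide 19: refuse a third MAC on a port instead of filling the CAM."""
        macs = self.learned.setdefault(f.in_port, set())
        if f.src_mac not in macs and len(macs) >= MAX_MACS_PER_PORT:
            return "port-security: MAC limit reached on " + f.in_port
        macs.add(f.src_mac)
        return None

    def dhcp_guard(self, f: Frame) -> Optional[str]:
        """Slide 20: a DHCP Offer may only enter from a trusted (server) port."""
        if f.proto == "udp" and f.src_port == DHCP_SERVER_PORT \
                and f.in_port not in self.trusted_dhcp_ports:
            return "dhcp-guard: DHCP Offer from untrusted port " + f.in_port
        return None

    def vlan_acl(self, f: Frame) -> Optional[str]:
        """Slide 18: phones only need UDP (SIP/RTP); TCP and ICMP are dropped
        inside the voice VLAN to blunt flooding DoS."""
        if f.vlan == VOICE_VLAN and f.proto != "udp":
            return f"vlan-acl: {f.proto} not permitted between phones"
        return None

    def forward(self, f: Frame) -> Tuple[bool, str]:
        for check in (self.port_security, self.dhcp_guard, self.vlan_acl):
            reason = check(f)
            if reason:
                return False, reason
        return True, "permit"


def run_scenario() -> List[Tuple[bool, str]]:
    """Constructed traffic: a phone with a PC behind it on Gi0/1, a rogue DHCP
    server on Gi0/2, the real voice DHCP server on uplink Gi0/24."""
    sw = Switch(trusted_dhcp_ports={"Gi0/24"})
    frames = [
        Frame("Gi0/1", "00:aa:00:00:00:01", VOICE_VLAN, "udp", 5060, 5060),  # phone SIP
        Frame("Gi0/1", "00:bb:00:00:00:02", DATA_VLAN, "tcp", 40000, 443),   # PC HTTPS
        Frame("Gi0/1", "00:cc:00:00:00:03", DATA_VLAN, "udp", 53, 53),       # third MAC on the port
        Frame("Gi0/1", "00:aa:00:00:00:01", VOICE_VLAN, "icmp"),             # ICMP inside voice VLAN
        Frame("Gi0/2", "00:dd:00:00:00:04", DATA_VLAN, "udp", 67, 68),       # rogue DHCP Offer
        Frame("Gi0/24", "00:ee:00:00:00:05", VOICE_VLAN, "udp", 67, 68),     # real DHCP Offer
    ]
    return [sw.forward(f) for f in frames]


if __name__ == "__main__":
    for ok, why in run_scenario():
        print("PERMIT" if ok else "DROP  ", why)
```

The order of the checks matters: port security runs first because a port that has already exceeded its MAC budget should not get to exercise the later rules at all, and the DHCP check precedes the ACL because a rogue Offer is a UDP frame the voice-VLAN ACL would otherwise let through.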
Slide 21: Converged network & security, LAN design, authentication & ciphering
» Filtering by protocol/ports and/or IP addresses
  – Inter-VLAN routing rules on an L3 device
  – ACL on the switch
  – Stateful firewall
» Number of MAC addresses limited per port
» All traffic except RTP is forbidden between phones
» DHCP protection
» Authentication and encryption: SSL, SRTP, TLS
» IDS / IPS (Intrusion Detection / Prevention System)
(Diagram: L2 switches with MAC address filtering and limiting and no DHCP Offer; a logical function (layer 3 switches, routers and/or firewalls) with an IDPS and a firewall filtering communication between the VLANs: phone VLANs, telephony applications VLANs, PC and data endpoint VLANs, admin VLANs, data application VLANs, call server & gateways VLANs)

Slide 22: Converged network & security, high level architecture
(Diagram labels: remote worker, mobility; remote management; remote worker; secure CTI; IP phone; SOHO; CTI; Internet; firewall; VPN; WAN; VLANs; LAN; call server; hardened servers; WiFi & DECToIP LAN; VLANs; secure mobility; signaling; RTC/RNIS gateway; firewall; servers & applications; VLANs; LAN; SIP trunk; RTC/RNIS; legacy phones; encryption)

Slide 23: Converged network & security, WAN design
» Protect ToIP resources:
  – Voice applications & call server in a DeMilitarized Zone (DMZ)
  – Filtering rules
» Virtual Private Network (VPN) managed by the enterprise or the provider
  – Encryption
  – Authentication
  – Proof
» QoS
(Diagram labels: voice applications; telephony DMZ; ToIP; FW; VPN; remote sites; QoS; ToIP + data common LAN (VLAN))
Slide 24: Converged network & security, remote workers
» Secure access to enterprise resources (firewall, VPN concentrator, UTM)
» Virtual Private Network (VPN) managed by the enterprise or the provider
  – Encryption
  – Authentication
  – Proof
» QoS should be a main concern (especially with ADSL access)
(Diagram labels: voice applications; telephony DMZ; IPsec site to site + IP phone; IPsec client to site + softphone; ToIP; FW; VPN; remote sites; QoS; ToIP + data common LAN (VLAN))

Slide 25: Converged network & security, remote management
» Secure access to enterprise resources (firewall, VPN concentrator, UTM)
» Virtual Private Network (VPN) managed by the enterprise or the provider
  – Encryption
  – Authentication
  – Proof
» Use secure protocols (e.g. HTTPS)
(Diagram labels: voice applications; telephony DMZ; ToIP; FW; VPN; remote sites; QoS; IPsec client to site; ToIP + data common LAN (VLAN))

Slide 26: Security in the Aastra solution, security management everywhere
(Diagram labels, built on the best practices above: HA; encryption; protected application; SSO (Active Directory, Windows session with NTLM and Kerberos); RADIUS (AAA); 802.1x (EAP-MD5); IDS/IPS; firewall; OS hardening; areas: applications, server, LAN, endpoints, management (Aastra 5000))

Slide 28: Aastra 5000 security, high availability
» Aastra 5000 CS: service without any interruption
  – Secured Stratus® hardware
  – Spatial redundancy with communications not cut (primary and secondary A5000CS)
» Aastra IPBX/MGW
  – Specific and secured hardware
  – Power supply safety using a battery
  – CPU and power supply redundancy
» "Local survivability" on the Aastra IPBX/MGW (services kept)
  – Short or external numbering
  – Voice guides, announcements
  – Transfers, callbacks, alternate, multi-lines, monitoring of extensions
  – User profile
(Diagram labels: primary A5000CS; secondary A5000CS; A5KCC; switch; signaling; WAN; IPBX/MGW; IP/SIP phone)
Slide 30: Availability of the ToIP service, local call handling on the gateway (e.g. WAN failure): Dual Homing (R5.1B)
(Diagram, main site with the A5000 server, remote site with an X Series gateway, WAN provider, max 500 IP phones per gateway:
  1. Nominal mode: managed by the main call servers
  2. WAN failure
  3. Subscription to the local gateway
  4. Dual Homing mode: call server function on the gateway, IP phones secured by the gateway)

Slide 31: Availability of the ToIP service, local call handling on the gateway: Dual Homing (R5.1B)
» Same level of services (except access to centralized resources):
  – Short or external numbering
  – Voice guide, music
  – Call forward, callback, alternate, multi-line, supervision
  – User profile
» No break of communications during failover (except if the call transits through the WAN)
» No restart of the gateway in case of remote disconnection
» Integrated CDR buffer to save the CDRs (tickets) and send them to the CDR server
» Configuration synchronization from the A5K towards the gateway:
  – Periodic download of the configuration each day for each set

Slide 32: Availability of the ToIP service, local call handling on the gateway
» L2 tagging (802.1p/q) and L3 tagging (ToS field, Diffserv) available on all phones
» Call Admission Control embedded in the Aastra software on the whole call server & gateway/iPBX range
  – QoS does not prevent IP link overloading
  – Aastra CAC prevents overloading on WAN links with limited bandwidth: codec negotiation according to the load of the links; in case of overload, fallback mechanism, for instance rerouting by the voice carrier (RTC/RNIS)
Slide 33: Secured IP phones, embedded features (1/2)
» Authentication to the A5K software: phone number & PIN code for log-in / log-out
» Authentication to network access: 802.1X (R5.1B) or MAC address
» Integrated switch
  – Voice flow tagged in the voice VLAN
  – Data flow tagged in the data VLAN
» Optional communication (voice) encryption on SIP 675xi & 53xxIP or i7xx (R5.2)

Slide 34: Secured IP phones, embedded features (2/2)
» Self-administration on 67xxi & 53xxIP:
  – Password
  – Automatic log-out after idle state
» The user profile is on the AM7450
» The firmware OS is specific: no known virus
» Secure firmware update

Slide 35: Secured IP phones, focus 802.1x
» Objective:
  – Secured access to the LAN via IP phone authentication (EAP-MD5)
  – Relay of 802.1x requests from the PC connected to the integrated switch (transparent relay + EAP-Logoff)
(Diagram, sequence: 1. authentication request, EAP-MD5 (802.1x); 2. authentication server (RADIUS) checks login + password; 3. LDAP; 4. rights; 5. authorization; 6. OK = authenticated connection (DHCP, RTP…))

Slide 36: Secured communications, ToIP encryption (A5000)
» VoIP encryption
  – Encryption based on AES 128 bits
  – From the A5K server, encrypted distribution (for each beginning of call) to: IP phones i7xx, IP phones 53xxIP, gateways
  – Key defined by the administrator on the A5K server (R5.2)
  – Systematic encryption, codec negotiation based on CAC & support of encryption on the devices
  – Indication of the encrypted state of the communication on the terminal
(Diagram: encryption between IP phones, between IP phone & gateway, between gateways)
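The EAP-MD5 exchange sketched on slide 35 is the CHAP construction of RFC 1994 carried over EAP (RFC 3748, section 5.4). The following is an added example, not Aastra code: both sides of the exchange with a constructed identity, secret and credential store standing in for the RADIUS/LDAP back end. The server issues a random challenge, the phone answers with MD5(Identifier || password || challenge), and the server recomputes the digest and compares it in constant time.

```python
"""EAP-MD5 challenge/response (RFC 3748 section 5.4, the CHAP construction of
RFC 1994) as used for the IP phone's 802.1X authentication on slide 35.
Added example, not Aastra code; the identity, secret and credential store are
constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed credential store standing in for the RADIUS/LDAP back end.
PHONE_CREDENTIALS: Dict[str, bytes] = {"phone-5656": b"constructed-phone-secret"}


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response Value = MD5(Identifier | Secret | Challenge); Identifier is one byte."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def authenticator_challenge() -> bytes:
    """Server side: a fresh random challenge for each EAP-Request/MD5-Challenge."""
    return os.urandom(16)


def supplicant_respond(identifier: int, challenge: bytes, secret: bytes) -> bytes:
    """Phone side: the password never leaves the phone, only the digest does."""
    return md5_challenge_response(identifier, secret, challenge)


def authenticator_verify(identity: str, identifier: int, challenge: bytes,
                         response: bytes) -> bool:
    """Server side: EAP-Success only if the digest matches the stored secret."""
    secret: Optional[bytes] = PHONE_CREDENTIALS.get(identity)
    if secret is None:
        return False            # unknown identity: EAP-Failure, port stays unauthorized
    expected = md5_challenge_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(identity: str, secret: bytes, identifier: int = 1) -> bool:
    """One full Request/Response round between a phone and the server."""
    challenge = authenticator_challenge()
    response = supplicant_respond(identifier, challenge, secret)
    return authenticator_verify(identity, identifier, challenge, response)


def replayed_response_is_rejected(identity: str, secret: bytes) -> bool:
    """A response captured for one challenge is useless against the next one."""
    old_challenge = authenticator_challenge()
    old_response = supplicant_respond(1, old_challenge, secret)
    new_challenge = authenticator_challenge()
    return not authenticator_verify(identity, 1, new_challenge, old_response)


if __name__ == "__main__":
    print("phone authenticated:", run_exchange("phone-5656", b"constructed-phone-secret"))
    print("wrong secret rejected:", not run_exchange("phone-5656", b"wrong"))
```

Two properties of the method are worth keeping in mind when reading the slide: EAP-MD5 authenticates only the supplicant (the phone never verifies the server) and derives no session keys, so it controls admission to the switch port and nothing more; the confidentiality of the voice traffic comes from the separate encryption described on slide 36.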
Slide 37: Secured management
» Integrated Web Manager = Aastra Management Portal
  – Secured access by login/password
  – Different rights: rights for iPBX configuration, rights for directory management (web based), rights to manage user phones
  – Log of accesses
» Aastra Management 7450 (AM7450):
  – Rights management per administrator
  – Management flows are encrypted (HTTPS, TLS)
  – Gateway and server are authenticated

Slide 38: Secured management
» Configuration management:
  – Backup / restore of user profiles on the AM7450
  – Automated backup/restore of CS and GTX configurations
  – Automated backup of CS and GTX logs & inventory of active elements
  – Configuration audit: numbering plan
  – Inventory of IP phones, directory numbers (M7450 R2.1)

Slide 39: Aastra 5000 OS
» Linux community
» Customised and ruggedized Linux OS (OS hardening), no direct access to it
» Unused services are not available: only a few accessible (open) ports

Slide 41: A5K software
» User profile:
  – Class of service, e.g. discreet listening rights, call forwards, ...
  – Access discrimination
  – Multi-tenant with filtering between companies (multicompany)
  – User password
» Call logging:
  – Via CDR & CDR application server: performance analysis
  – Cut-off of communications after a certain time (parameter)
  – Business code

Slide 42: Aastra Communication Portal, secured access
» Secured access to the whole Aastra Communication Portal application via SSO (Single Sign-On)
» User authentication via Windows Active Directory login/password
» Unified user and password management through Windows Server
» Native security and mobility
  – Windows login/password
  – Virtual desking or free seating (login/logout) from Aastra IP phones
Slide 43: Aastra Communication Portal, secured access
(Diagram, numbered steps 1 to 7 between the user, the Windows server, the ACP and the Aastra 5000: Windows login/password authentication against the Windows server; Windows session is open; ACP is launched; NTLM authentication; login/password authentication against the A5000 (check login + password); search of user: Bob & applications/rights; access OK; VTI request for number 5656 (Login: Bob, Tel: 5656). 1*: 802.1x (optional); *requests not detailed on the schemes)

Slide 44: Aastra applications, antivirus support
» Antivirus support on Aastra applications: highly advised
  – Respect the prerequisites (cf. LCI)
» ACP
  – Scans and updates authorized during idle state (night)
  – Scanning of logs not permitted
» UCP
  – Directory D:/ not scanned
  – Updates during idle state

Slide 45: SIP and security
» MD5 authentication of Aastra SIP phones
» Digest Access Authentication (RFC 2617) via MD5 on the SIP trunk:
  – Crossed authentication VoIP provider <-> Aastra 5K
» Embedded Session Border Controller (SBC) for support of NATed environments
(Diagram: Aastra Com Server, Session Border Controller, FW, WAN, voice ISP; MD5 authentication on both sides)

Slide 46: Security and wireless solutions
» Aastra DECToIP
  – DECT radio technology natively secured (authentication, encryption)
  – QoS integrated in the RFP: L2 (802.1p/q) & L3 (Diffserv)
» WiFi terminal Aastra 312i
  – WPA2 support with PSK (Pre-Shared Key) authentication for better performance
  – QoS has to be implemented on the network infrastructure (e.g. mapping SSID / VLAN)
  – Light AP solution needed

Slide 47: Checkphone partnership
» Check of the integrity of communications:
  – Detection of illegal use of telephony resources
  – Differential analysis between configurations, e.g. gain of privileges
» Analysis and filtering: IDPS probe on TDM & IP/SIP trunks
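Slide 45 relies on Digest Access Authentication (RFC 2617) with MD5, both for the phones and, in both directions, on the SIP trunk. The following is an added example, not Aastra code: the challenge, the client's Authorization header and the server's verification, with constructed realms, users, secrets and URIs. The same two functions serve the phone registering to the call server and the crossed trunk authentication, where the provider and the A5K each challenge the other's INVITE; each nonce is accepted once, so a replayed header is refused.

```python
"""SIP Digest Access Authentication (RFC 2617, MD5) on both sides of the
exchange, as used for Aastra SIP phone registration and for the crossed
authentication on the SIP trunk (slide 45). Added example, not Aastra code:
realm, users, nonces and credentials are constructed."""
import hashlib
import hmac
import os
import re
from typing import Dict, Optional


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None, nc: str = "",
                    cnonce: str = "") -> str:
    """RFC 2617 3.2.2: response = MD5(HA1:nonce[:nc:cnonce:qop]:HA2)."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_params(header: str) -> Dict[str, str]:
    """Split 'Digest k="v", k2=v2' into a dict; values may be quoted or bare."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', header)}


class DigestServer:
    """The challenging side: the registrar for phones, or either end of the trunk."""

    def __init__(self, realm: str, users: Dict[str, str]):
        self.realm = realm
        self.users = users          # username -> password (constructed)
        self.live_nonces = set()    # each nonce is honoured once, then discarded

    def challenge(self) -> str:
        nonce = os.urandom(16).hex()
        self.live_nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5, qop="auth"'

    def verify(self, method: str, authorization: str) -> bool:
        p = parse_params(authorization)
        needed = ("username", "realm", "nonce", "uri", "response", "nc", "cnonce")
        if any(k not in p for k in needed) or p["realm"] != self.realm:
            return False
        if p["nonce"] not in self.live_nonces:
            return False                    # unknown or already used nonce: replay
        self.live_nonces.discard(p["nonce"])
        password = self.users.get(p["username"])
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password, method,
                                   p["uri"], p["nonce"], "auth", p["nc"], p["cnonce"])
        return hmac.compare_digest(expected, p["response"])


def client_authorization(username: str, password: str, method: str, uri: str,
                         www_authenticate: str) -> str:
    """The authenticating side: build the Authorization header answering a 401/407."""
    p = parse_params(www_authenticate)
    nc, cnonce = "00000001", os.urandom(8).hex()
    resp = digest_response(username, p["realm"], password, method, uri, p["nonce"],
                           "auth", nc, cnonce)
    return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5, qop=auth, nc={nc}, cnonce="{cnonce}"')


def run_register(password_used: str) -> bool:
    """Phone registers to the call server: 401 challenge, then authenticated REGISTER."""
    registrar = DigestServer("a5k.example", {"5656": "constructed-pin"})
    chal = registrar.challenge()
    auth = client_authorization("5656", password_used, "REGISTER", "sip:a5k.example", chal)
    return registrar.verify("REGISTER", auth)


def run_crossed_trunk_auth() -> bool:
    """Trunk: the provider challenges the A5K's INVITE and the A5K challenges the
    provider's INVITE; both directions must succeed."""
    provider = DigestServer("voice-isp.example", {"a5k-trunk": "constructed-trunk-secret"})
    a5k = DigestServer("a5k.example", {"isp-trunk": "constructed-isp-secret"})
    out_ok = provider.verify("INVITE", client_authorization(
        "a5k-trunk", "constructed-trunk-secret", "INVITE",
        "sip:+33123456789@voice-isp.example", provider.challenge()))
    in_ok = a5k.verify("INVITE", client_authorization(
        "isp-trunk", "constructed-isp-secret", "INVITE",
        "sip:5656@a5k.example", a5k.challenge()))
    return out_ok and in_ok
```

The digest never carries the password, but HA1 is a plain MD5 of username, realm and password, so the server-side store and the quality of the trunk secret remain the weak points to manage; the one-shot nonce set is what turns a captured Authorization header into a useless one.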
Slide 48: Engineering rules, QoS
» QoS on the LAN: its implementation depends on network load
  – 802.1p/q tagging
  – Guaranteed bandwidth for the voice flow
  – Use of the different queues of the switches: voice flow forwarded with priority
» QoS on the WAN: recommended
  – L3 tagging according to the Diffserv model & ToS (Type of Service) field of the IP header
  – L2 & L3 QoS have to be coherent
  – L2 & L3 QoS mapping & MPLS class of service (e.g. mapping VLAN <-> class of service)
» Aastra Call Admission Control:
  – Load limited "a priori" on the links, fallback mechanism in case of congestion
  – Embedded on all Aastra equipment

Slide 50: SNEC tool
» SNEC (Succession Network Engineering Configuration)
» Complete engineering tool used during the presales phase
  – Traffic modelling
  – Quality of voice
  – Bandwidth and network planning
  – End-to-end validation
» Version 2 integrates new features:
  – VPN: IPsec, L2TP, PPTP
  – xDSL links

Slide 51: Encrypted VoIP, performance
» No impact on voice communication (delay…)
» Some constraints linked to the processing

Slide 52: Tools
» Ports (TCP/UDP) used in Aastra solutions: http://support.nexspan.net/mkg/mcdfr/
» SNEC tool (bandwidth, jitter, delay, …): http://support.nexspan.net/mkg/mcdfr/
» Technical information (supported antivirus, configuration): http://support.nexspan.net/support/lci/lci.php?l=fr
» Patch management: http://support.nexspan.net/extra/Support/patch/index.php?lang=fr&target
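Slides 32 and 48 describe Call Admission Control as a load limit applied a priori on a link, with the codec negotiated according to the link's load and a fallback to rerouting by the voice carrier once the link is full. The following is an added example, not Aastra's algorithm: the per-call bandwidth arithmetic for G.711 and G.729 at 20 ms packetization (IP, UDP and RTP headers included) and a small admission controller over a constructed link whose voice reservation comes from the QoS policy.

```python
"""Call Admission Control arithmetic for a WAN link, in the spirit of the Aastra
CAC on slides 32 and 48: load limited a priori on the link, codec negotiated
according to the link load, fallback to the voice carrier (RTC/RNIS) on
overload. Added example; the codec table, link sizes and policy are
constructed, not Aastra's algorithm."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IP_UDP_RTP_OVERHEAD = 40   # bytes per packet: 20 IP + 8 UDP + 12 RTP

# Constructed codec table: (payload bit rate in bit/s, default packetization in ms).
CODECS = {"G.711": (64000, 20), "G.729": (8000, 20)}


def codec_bandwidth_bps(codec: str, ptime_ms: Optional[int] = None, l2_overhead: int = 0) -> int:
    """Layer-3 bandwidth of one call direction, optionally with L2 framing added."""
    bitrate, default_ptime = CODECS[codec]
    ptime = ptime_ms or default_ptime
    payload = bitrate * ptime // 8000           # bytes of audio per packet
    packet = payload + IP_UDP_RTP_OVERHEAD + l2_overhead
    return packet * 8 * (1000 // ptime)         # packets per second times bits per packet


@dataclass
class Link:
    name: str
    voice_bps: int              # bandwidth the QoS policy guarantees to voice
    used_bps: int = 0
    calls: Dict[str, str] = field(default_factory=dict)   # call id -> codec in use


class CallAdmissionControl:
    """Admit a call with the best codec the link can still carry, else fall back."""
    FALLBACK = "PSTN-fallback"

    def __init__(self, links: List[Link], preferred: Tuple[str, ...] = ("G.711", "G.729")):
        self.links = {link.name: link for link in links}
        self.preferred = preferred     # best quality first, cheapest last

    def admit(self, link_name: str, call_id: str) -> str:
        """Return the codec admitted for the call, or the fallback marker."""
        link = self.links[link_name]
        for codec in self.preferred:
            need = codec_bandwidth_bps(codec)
            if link.used_bps + need <= link.voice_bps:
                link.used_bps += need
                link.calls[call_id] = codec
                return codec
        return self.FALLBACK           # slide 32: reroute via the voice carrier

    def release(self, link_name: str, call_id: str) -> None:
        """Give the call's bandwidth back when it ends."""
        link = self.links[link_name]
        codec = link.calls.pop(call_id, None)
        if codec:
            link.used_bps -= codec_bandwidth_bps(codec)


def run_scenario() -> List[str]:
    """Four calls on a constructed 200 kbit/s voice reservation: two in G.711,
    a third squeezed into G.729, the fourth rerouted."""
    cac = CallAdmissionControl([Link("branch-wan", voice_bps=200_000)])
    return [cac.admit("branch-wan", f"call-{i}") for i in range(1, 5)]


if __name__ == "__main__":
    for codec in ("G.711", "G.729"):
        print(codec, codec_bandwidth_bps(codec), "bit/s per direction")
    print(run_scenario())
```

The numbers illustrate the slide's remark that QoS alone does not prevent overloading: a queue can give voice priority, but nothing short of counting admitted calls against the reservation stops the fifth G.711 call from degrading the first four.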