Using the OSI network layer model as a basis, here’s how to derive a simplified three-layer model for SIP-based VoIP and corresponding threats and defenses. The resurgence of interest in VoIP to provide telephone services worldwide is often credited to the use of session initiation protocol (SIP) for signaling. Both residential and enterprise VoIP services are widely deployed. IP telephony may be used either to replace the primary telephone service or to provide additional telephone lines.
IP telephony offers some dramatic benefits over traditional or plain old telephone service (POTS), such as reduced operating costs, portability and accessibility. IP telephony has its share of problems. To date, most of the focus has been on such challenges as voice quality, latency and interoperability. Security of the VoIP network is only now being recognized as an important issue to be addressed.
Multiple security threat models exist in current implementations of SIP-based VoIP networks. These threats are further aggravated because in order to allow similar access as the public switched telephone network (PSTN), VoIP networks are often implemented over the public Internet, which is a potentially hostile environment.
The very same reasons that make SIP so popular, e.g., its similarity to hypertext transfer protocol (HTTP), are also the reasons for its vulnerability. This can lead to similar problems such as identity theft, impersonation, denial of service (DoS), hijacking and theft of services, and violation of privacy and confidentiality. The good news is that many of the security mechanisms for SIP-based VoIP can be the same as those used for HTTP. The challenge is simply to make these mechanisms SIP- and VoIP-friendly. In addition, SIP and its extensions provide for a number of intrinsic security features that can be used to harden implementations.
In addition to transmitting voice, a basic telephone system transmits many signals such as off-hook, on-hook and dual tone multi-frequency (DTMF) tones for dialed digits, etc. It also needs to maintain the state of the call, and generate a dial tone, ring-back and other tones. It can be said that there are two distinct streams of information on the wire: the signaling and the voice.
In PSTNs, some of the signaling travels in-band along with the voice up to the central office, where it is sent over the Signaling System 7 (SS7) network. The SS7 network is not accessible to the public. Therefore, the PSTN is relatively secure. In VoIP telephony, voice is carried by the Real-time Transport Protocol (RTP) and the signaling by one of the many signaling protocols such as H.323, MGCP or SIP. Both of these transport streams are sent over the public Internet or on networks connected to the public Internet. This leaves the VoIP telephone network vulnerable.
Because of the nature of the IP network, a VoIP device must meet additional requirements in order to use that network for telephony, such as:
- User authentication: The phone is no longer physically connected to the PSTN and needs to be authenticated
- Address translation: Translating phone numbers into IP addresses and vice-versa
- Routing: Locating and routing to the correct service gateway for the destination phone
- Feature translation: Transparently translating advanced phone features such as call waiting, call hold, call forwarding, etc.
- Caller ID: Generation, decoding and transmission of caller ID over IP
- Call detail records: Generation and transmission of billing information for PSTN and VoIP services
- Legal: Access to emergency services and provision for intercept by law-enforcement agencies
In addition to just providing a transparent translation of telephone services, any VoIP device (since it is connected to the Internet) should provide for mechanisms to protect from toll fraud, eavesdropping and call hijacking among other things, and maintain message integrity. This is in addition to standard network security to protect against DoS and DDoS attacks.
SIP was not designed to provide for all of these requirements, and it is not the only protocol that the communicating devices will need. The purpose of SIP is just to make communication possible. The communication itself must be achieved by another means (and possibly another protocol). Since SIP is an IETF specification, it is designed to use other existing IETF protocols to fill in the gaps.
VoIP threat assessment model
Starting from the basic OSI Reference Model and the Department of Defense (DoD) or TCP/IP reference model, the SIP-based VoIP network can be analyzed by a layered approach. Threats and therefore countermeasures can also be mapped to the layers of the network reference models. With this layered analysis strategy, it becomes immediately apparent that each layer has different security threats.
A defense strategy can also follow this layered approach. This eases deployment and leads to the three-layer security model as follows:
- Infrastructure security layer: Protect and secure the network infrastructure
- Network services security layer: Protect and secure end-users, access and service enablers
- Application security layer: Protect and secure SIP-based VoIP and other network applications
Based on general network security precepts, each security layer then needs to be evaluated on the basis of the following parameters:
- Authentication: Confirm the identity of communicating entities, whether individuals, devices, services or applications. Authentication guards against impersonation or replay of previous communications.
- Authorization: Cross-checks identity for role and access. This prevents unauthorized access to services, access to stored information, toll fraud, etc.
- Accountability/Audit: Keeps track of usage and security services. This helps in early detection and recovery from threats and attacks.
- Availability/Reliability: Redundancy, perimeter protection and hardening ensure that authorized users continue to have access to network devices, services and stored information despite an ongoing attack such as a DoS attack.
- Confidentiality: Encryption of communication streams prevents unauthorized intercepts and eavesdropping. In addition, encryption can be coupled with access control to protect stored information.
- Integrity: Prevents unauthorized modifications, deletion, creation or replication of data. Typical mechanisms are based on hash functions such as MD5 and SHA-1 and on keyed constructions built from them such as HMAC. This also helps in early detection of unauthorized activity.
- Non-repudiation: Proof that communications actually happened. Required for forensic evidence purposes.
- Privacy/Anonymity: Privacy tackles issues like phone number harvesting, call pattern tracking, etc. that violate the privacy of the user. Anonymity, on the other hand, allows a user to communicate without revealing their identity and is usually contrary to most security policies.
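The authentication and integrity parameters above are abstract; as an added example (not code from the original article), here is the server side of the challenge-response scheme SIP borrows from HTTP, the Digest scheme of RFC 2617 as adopted by RFC 3261, in its basic form without the qop/cnonce extension. It shows the two properties the authentication bullet asks for: the password never crosses the wire, and a nonce is accepted only once and only within a time window, which defeats replay of a captured REGISTER. The realm, user name, password and nonce lifetime are constructed values for this example.

```python
import hashlib
import secrets
import time

# Added example: server-side verification of SIP Digest authentication
# (RFC 3261 reuses the HTTP Digest scheme of RFC 2617; basic form, no qop).
# Realm, credentials and nonce lifetime below are constructed for illustration.


def _md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """What the client sends back; the server recomputes the same value."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")   # never sent on the wire
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestVerifier:
    """Issues nonces for WWW-Authenticate challenges and checks Authorization."""

    def __init__(self, realm, credentials, nonce_ttl=60.0, now=time.monotonic):
        self.realm = realm
        self.credentials = credentials      # username -> password (constructed store)
        self.nonce_ttl = nonce_ttl          # seconds a challenge stays valid
        self.now = now                      # injectable clock for testing
        self._issued = {}                   # nonce -> time it was handed out

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)       # unpredictable, one per challenge
        self._issued[nonce] = self.now()
        return nonce

    def verify(self, username, method, uri, nonce, response) -> bool:
        # Single use: a nonce is removed the first time it is presented,
        # so a captured Authorization header cannot be replayed.
        issued = self._issued.pop(nonce, None)
        if issued is None or self.now() - issued > self.nonce_ttl:
            return False
        password = self.credentials.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password, method, uri, nonce)
        return secrets.compare_digest(expected, response)  # constant-time compare


if __name__ == "__main__":
    server = DigestVerifier("example.invalid", {"alice": "correct horse"})
    nonce = server.challenge()
    resp = digest_response("alice", "example.invalid", "correct horse",
                           "REGISTER", "sip:example.invalid", nonce)
    print("first use:", server.verify("alice", "REGISTER", "sip:example.invalid", nonce, resp))
    print("replay:", server.verify("alice", "REGISTER", "sip:example.invalid", nonce, resp))
```

The one-time nonce table is the part that turns HTTP-style authentication into something replay-resistant for a registrar; a real deployment would also bound the table's size and prefer the qop=auth variant, which adds a client nonce and a request counter.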
Security mechanisms at the infrastructure layer are normally provided by the broadband access provider. For example, cable networks may authenticate subscribers by MAC address, or DSL networks may use PPPoE, which incorporates a password mechanism for authentication.
At the network services layer, the access and service enablers are typically protected by the broadband service providers and by the backbone network providers. End-users, however, are typically not protected and are left to their own devices. Most industry security schemes consider end-points as untrusted.
Broadband access routers are increasingly prevalent at the customer premises end. These routers incorporate network address translators (NATs) that, besides helping to conserve IP address space, are sometimes used along with packet filtering to provide basic firewall functionality. The security provided depends entirely on the correct configuration of these devices. Service providers that supply customer premises equipment (CPE) that is customized and locked to their networks address this issue to some extent, as they can manage the customer equipment and impose some modicum of security. This trend is seen in a large percentage of broadband access networks.
The CPE for the SIP-based VoIP service is usually a terminal adapter (TA) that connects downstream from the broadband access modem or router and provides an analog phone interface to a regular phone instrument. This VoIP device, in most cases, is not a part of the managed broadband access network. In the case of VoIP, there are two distinct transport streams that need to traverse the firewall and NAT, namely the core signaling transport and the media transport paths. Simple firewalls will not let VoIP traffic through, since they do not know which ports to open for the voice traffic and at what time. In the interest of security, it is not practical to always leave open a large range of ports.
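The reason a simple firewall cannot handle VoIP is that the media ports are negotiated inside the signaling, so a firewall that wants to open only what is needed, only for as long as it is needed, has to read the SDP body of the SIP messages it forwards. As an added example (not code from the original article), the following sketches that logic: it extracts the `c=` and `m=` lines from an INVITE's SDP to derive the RTP/RTCP pinholes for that Call-ID, refuses media ports outside an assumed policy range, and closes the pinholes when the BYE goes through. The SIP messages, addresses and the port range are constructed for this example.

```python
from dataclasses import dataclass

# Added example (not from the original article): a minimal SIP-aware
# firewall helper that reads the SDP carried in signalling to learn which
# UDP media ports must be opened, and closes them again on BYE.
# Messages, addresses and the port policy are constructed for illustration.

RTP_PORT_RANGE = (10000, 20000)   # assumed policy: media ports a phone may use


@dataclass(frozen=True)
class Pinhole:
    addr: str
    rtp_port: int

    @property
    def rtcp_port(self) -> int:
        return self.rtp_port + 1      # RTCP conventionally uses the next port up


def split_sip(raw: str):
    """Split a SIP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_pinholes(sdp: str, port_range=RTP_PORT_RANGE):
    """Return the (address, port) pairs the SDP asks to receive media on."""
    sections = [[]]                   # sections[0] holds session-level lines
    for line in sdp.splitlines():
        if line.startswith("m="):
            sections.append([line])   # each m= starts a media section
        else:
            sections[-1].append(line)
    session_c = next((l for l in sections[0] if l.startswith("c=")), None)
    pinholes = []
    for media in sections[1:]:
        _, port, *_ = media[0].split()          # m=audio 16384 RTP/AVP 0 8
        port = int(port)
        if port == 0:
            continue                            # port 0: stream disabled/rejected
        c_line = next((l for l in media if l.startswith("c=")), session_c)
        if c_line is None:
            raise ValueError("media line without a connection address")
        addr = c_line.split()[2]                # c=IN IP4 192.0.2.10
        lo, hi = port_range
        if not lo <= port <= hi:
            raise ValueError(f"media port {port} outside permitted range")
        pinholes.append(Pinhole(addr, port))
    return pinholes


class SipFirewall:
    """Tracks open media pinholes per Call-ID as signalling passes through."""

    def __init__(self):
        self.open = {}                # call-id -> set of Pinhole

    def on_message(self, raw: str):
        start, headers, body = split_sip(raw)
        call_id = headers.get("call-id")
        if call_id is None:
            raise ValueError("SIP message without Call-ID")
        if start.startswith("BYE "):
            self.open.pop(call_id, None)        # call ended: close its pinholes
        elif headers.get("content-type", "").lower() == "application/sdp":
            self.open.setdefault(call_id, set()).update(media_pinholes(body))
        return self.open.get(call_id, set())


# Constructed sample messages (offer with one audio stream, video disabled)
INVITE = (
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Call-ID: c1@alice.example.invalid\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
    "m=video 0 RTP/AVP 96\r\n"
)
BYE = (
    "BYE sip:bob@example.invalid SIP/2.0\r\n"
    "Call-ID: c1@alice.example.invalid\r\n\r\n"
)

if __name__ == "__main__":
    fw = SipFirewall()
    print("after INVITE:", fw.on_message(INVITE))
    print("after BYE:", fw.on_message(BYE))
```

A production application-layer gateway would additionally check that the advertised address belongs to the host that sent the INVITE, handle the answer SDP in the 200 OK for the other direction, and expire pinholes for calls whose BYE never arrives; the range check is the simplest form of the policy that stops the signaling from opening arbitrary ports.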
At the application layer, the threat and countermeasures become quite complex. This layer is the most vulnerable layer and different types of threats are becoming increasingly common. There is still a lot of work to be done before standard interoperable mechanisms are put in place to harden an application such as SIP-based VoIP. A collaborative, industry-wide effort is required.
The first step in that direction was taken in October 2005. The Voice over IP Security Alliance (VOIPSA), an industry consortium of VoIP and information security vendors, providers and thought leaders, released the first draft of their VoIP Security Threat Taxonomy, which attempts to identify and qualify the various threats in preparation for standardizing the mechanisms used as countermeasures.
Hardening the VoIP network
A VoIP network relies on the basic IP infrastructure for multiple services such as the domain name system (DNS), trivial file transfer protocol (TFTP), file transfer protocol (FTP), etc. SIP-based VoIP networks rely on the DNS mechanism for many types of services related to telephony such as electronic numbering (ENUM). In addition, the use of the service record (DNS SRV) in the DNS server to identify SIP services enables server load balancing and redundancy. This achieves better network reliability during peak traffic and also provides resilience against DoS attacks.
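The load balancing and redundancy that SRV records give a SIP client come from the selection rules in RFC 2782: records are tried lowest priority first, and within one priority a weighted random choice spreads load. As an added example (not code from the original article), here is that ordering implemented over a constructed `_sip._udp` record set, together with a failover loop that walks the resulting list, which is what lets a client ride out one proxy being down or flooded. The hostnames, priorities and weights are constructed, and the random source is injectable so the ordering can be checked deterministically.

```python
import random

# Added example (not from the original article): client-side ordering of SIP
# SRV records per RFC 2782, plus failover over the ordered list.
# The record set and hostnames are constructed under a reserved domain.

SRV_RECORDS = [
    # (priority, weight, port, target), as answered for _sip._udp.example.invalid
    (10, 60, 5060, "proxy-a.example.invalid."),
    (10, 40, 5060, "proxy-b.example.invalid."),
    (20,  0, 5060, "proxy-backup.example.invalid."),   # used only if both 10s fail
]


def srv_order(records, rng=random.random):
    """Order SRV records: lowest priority first, weighted random within a priority."""
    if len(records) == 1 and records[0][3] == ".":
        return []                     # RFC 2782: lone target "." = service not offered
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        group.sort(key=lambda r: r[1] != 0)   # weight-0 entries first (RFC 2782)
        while group:
            total = sum(r[1] for r in group)
            pick = int(rng() * (total + 1))   # uniform integer in 0..total
            running = 0
            for i, rec in enumerate(group):
                running += rec[1]
                if running >= pick:           # first record whose running sum reaches pick
                    ordered.append(group.pop(i))
                    break
    return [(target, port) for _, _, port, target in ordered]


def connect_with_failover(targets, reachable):
    """Try each (target, port) in order; return the first that answers, else None."""
    for target, port in targets:
        if reachable(target, port):
            return target, port
    return None


if __name__ == "__main__":
    order = srv_order(SRV_RECORDS)
    print("try order:", order)
    # Constructed reachability: pretend proxy-a is down
    print("connected to:", connect_with_failover(order, lambda t, p: not t.startswith("proxy-a")))
```

Because the priority-20 backup only appears after every priority-10 server, a client never sends traffic to the standby unless both primaries are unreachable, while the 60/40 weights split normal load between the primaries.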
However, DNS has itself been identified as one of the vulnerable systems in the TCP/IP infrastructure. It is vulnerable to many types of transaction attacks including cache poisoning, domain hijacking and man-in-the-middle redirection. Open recursive DNS servers are actively being used as DDoS reflectors, providing a huge amplification factor for such attacks. The DNS security extensions (DNSSEC), designed to alleviate some of these shortcomings, are still not widely deployed.
Hence, many SIP-based VoIP implementations are designed to use private DNS. Private DNS breaks the hierarchical tree structure of the DNS and does not allow recursive queries. Instead, private DNS uses a standalone server or servers to provide exclusively VoIP-related DNS services for SIP clients within the managed network. All other DNS requests continue to be serviced by the standard DNS network of servers.
VoIP telephones could be mis-configured by the end-user, either while attempting firmware updates or when adjusting parameters of operation, leading to vulnerabilities or loss of service. Early SIP-based VoIP devices commonly used TFTP to update firmware or configuration files. TFTP is not a very sophisticated or secure mechanism for file transfer, and using it for updating critical files could lead to compromising either the fundamental operating firmware or the configuration of the SIP device.
Modern SIP-based VoIP devices use the more secure FTP or secure HTTP (HTTPS) for firmware updates, and XML over HTTPS for remote configuration by the service provider. In addition, the ability to modify firmware or SIP parameters is usually blocked by the service provider, thus leading to greater reliability of the firmware updates and SIP configurations.
Such a mechanism for configuration and updating also provides service providers with the ability to provision devices based on rate structures such as local or long-distance plans, etc. In addition, it also allows the service provider to hide SIP configuration and dial plans, information that could potentially be used by hackers to steal services.
Author: Vinay R. Rao