Tag Archives: Hackers

Securing VoIP Enterprise Networks

VoIP-over-VPN technology protects the privacy of corporate voice communications in industrial networks, while delivering the cost-saving and technology benefits of Voice-over-IP.

By reducing or eliminating phone charges, consolidating infrastructure, and streamlining network operations and maintenance, Voice over Internet Protocol (VoIP) offers tremendous cost-savings for oil and gas companies and other industrial sectors. As with any new technology, however, there can be a down-side.

Most VoIP gateways compromise communication security by transporting VoIP and data traffic without encryption, making the information susceptible to interception by snoopers, hackers, and so forth. Because of such security concerns, many enterprises that handle highly-sensitive information have been reluctant to cash in on the benefits of deploying VoIP technology in their networks.

Standards for voice encryption, such as SRTP and SIP TLS, are emerging. These techniques encrypt the voice as the analog signal is converted to digital form in the coder-decoder (CODEC). But the standards are still under development and are not yet ready for the commercial market. VoIP-over-VPN, in contrast, offers a secure solution for converged digital voice and data communications today.

VoIP gateways with VoIP-over-VPN offer companies that handle sensitive information a way to move forward and implement secure, converged VoIP and data networks.

VoIP-over-VPN Technology for Secure Encrypted Voice

A VoIP VPN combines Voice-over-IP and Virtual-Private-Network technologies to offer a method for delivering secure voice. Because VoIP transmits digitized voice as a stream of data packets, the VoIP VPN solution accomplishes voice encryption simply and elegantly. The technique applies existing standard data-encryption mechanisms inherently available in the collection of protocols used to implement a VPN.

The VoIP gateway-router first converts the analog voice signal to digital form, encapsulates the digitized voice within IP packets, then encrypts the digitized voice using IPSec, and finally routes the encrypted voice packets securely through a VPN tunnel. At the remote site, another VoIP router decodes the voice and converts the digital voice to an analog signal for delivery to the phone.

Other advantages

Security is not the only reason to pass Voice-over-IP through a Virtual Private Network, however. Session Initiation Protocol, the preferred VoIP protocol, is notoriously difficult to pass through a firewall because it uses dynamically chosen port numbers to establish connections. A VPN avoids this firewall issue when configuring remote VoIP clients, because it virtually moves users inside the same local network as the VoIP server.

Author: Antoine Abi Antoun
Source

Remove Vulnerability From VoIP Networks

Using the OSI network layer model as a basis, here’s how to derive a simplified three-layer model for SIP-based VoIP and corresponding threats and defenses. The resurgence of interest in VoIP to provide telephone services worldwide is often credited to the use of session initiation protocol (SIP) for signaling. Both residential and enterprise VoIP services are widely deployed. IP telephony may be used either to replace the primary telephone service or to provide additional telephone lines.

IP telephony offers some dramatic benefits over traditional or plain old telephone service (POTS), such as reduced operating costs, portability and accessibility. IP telephony has its share of problems, however. To date, most of the focus has been on such challenges as voice quality, latency and interoperability. Security of the VoIP network is only now being recognized as an important issue to be addressed.

Multiple security threat models exist in current implementations of SIP-based VoIP networks. These threats are further aggravated because in order to allow similar access as the public switched telephone network (PSTN), VoIP networks are often implemented over the public Internet, which is a potentially hostile environment.

The very same reasons that make SIP so popular, e.g., its similarity to Hypertext Transfer Protocol (HTTP), are also the reasons for its vulnerability. This can lead to similar problems such as identity theft, impersonation, denial of service (DoS), hijacking and theft of services, and violation of privacy and confidentiality. The good news is that many of the security mechanisms for SIP-based VoIP can be the same as those used for HTTP. The challenge is simply to make these mechanisms SIP- and VoIP-friendly. In addition, SIP and its extensions provide for a number of intrinsic security features that can be used to harden implementations.

VoIP Overview

In addition to transmitting voice, a basic telephone system transmits many signals such as off-hook, on-hook and dual tone multi-frequency (DTMF) tones for dialed digits, etc. It also needs to maintain the state of the call, and generate a dial tone, ring-back and other tones. It can be said that there are two distinct streams of information on the wire: the signaling and the voice.

In PSTNs, some of the signaling travels in-band along with the voice up to the central office, where it is sent over the Signaling System 7 (SS7) network. The SS7 network is not accessible to the public; therefore, the PSTN is relatively secure. In VoIP telephony, voice is carried by the Real-time Transport Protocol (RTP) and the signaling by one of the many signaling protocols such as H.323, MGCP or SIP. Both of these transport streams are sent over the public Internet or on networks connected to the public Internet. This leaves the VoIP telephone network vulnerable.

Due to the nature of the IP network, in order to use it for telephony, additional requirements must be met by a VoIP device such as:

  • User authentication: The phone is no longer physically connected to the PSTN and needs to be authenticated
  • Address translation: Translating phone numbers into IP addresses and vice-versa
  • Routing: Locating and routing to the correct service gateway for the destination phone
  • Feature translation: Transparently translating advanced phone features such as call waiting, call hold, call forwarding, etc.
  • Caller ID: Generation, decoding and transmission of caller ID over IP
  • Call detail records: Generation and transmission of billing information for PSTN and VoIP services
  • Legal: Access to emergency services and provision for intercept by law-enforcement agencies

In addition to just providing a transparent translation of telephone services, any VoIP device (since it is connected to the Internet) should provide for mechanisms to protect from toll fraud, eavesdropping and call hijacking among other things, and maintain message integrity. This is in addition to standard network security to protect against DoS and DDoS attacks.

Figure 1. How SIP fits into the VoIP protocol soup

SIP was not designed to provide for all of these requirements, and it is not the only protocol that the communicating devices will need. The purpose of SIP is just to make communication possible. The communication itself must be achieved by another means (and possibly another protocol). Since SIP is an IETF specification, it is designed to use other existing IETF protocols to fill in the gaps.

VoIP threat assessment model

Starting from the basic OSI Reference Model and the Department of Defense (DoD) or TCP/IP reference model, the SIP-based VoIP network can be analyzed by a layered approach. Threats, and therefore countermeasures, can also be mapped to the layers of the network reference models. With this layered analysis strategy, it becomes immediately apparent that each layer has different security threats.

Figure 2. The layered approach to threat assessment.

A defense strategy can also follow this layered approach. This eases deployment and leads to the three-layer security model as follows:

  • Infrastructure security layer: Protect and secure the network infrastructure
  • Network services security layer: Protect and secure end-users, access and service enablers
  • Application security layer: Protect and secure SIP-based VoIP and other network applications

Based on general network security precepts, each security layer then needs to be evaluated on the basis of the following parameters:

  • Authentication: Confirm the identity of communicating entities, whether individuals, devices, services or applications. Authentication guards against impersonation or replay of previous communications.
  • Authorization: Cross-checks identity for role and access. This prevents unauthorized access to services, access to stored information, toll fraud, etc.
  • Accountability/Audit: Keeps track of usage and security services. This helps in early detection and recovery from threats and attacks.
  • Availability/Reliability: Redundancy, perimeter protection and hardening ensure that authorized users continue to have access to network devices, services and stored information despite an ongoing attack such as a DoS attack.
  • Confidentiality: Encryption of communication streams prevents unauthorized intercepts and eavesdropping. In addition, encryption can be coupled with access control to protect stored information.
  • Integrity: Prevents unauthorized modification, deletion, creation or replication of data. Typical mechanisms are based on hash functions such as MD5 and SHA-1, usually in an HMAC construction. This also helps in early detection of unauthorized activity.
  • Non-repudiation: Proof that communications actually happened. Required for forensic evidence purposes.
  • Privacy/Anonymity: Privacy tackles issues like phone number harvesting, call pattern tracking, etc. that violate the privacy of the user. Anonymity, on the other hand, allows a user to communicate without revealing their identity and is usually contrary to most security policies.

Security mechanisms at the infrastructure layer are normally provided by the broadband access provider. For example, cable networks may authenticate subscribers by MAC address, or DSL networks may use PPPoE, which incorporates a password mechanism for authentication.

At the network services layer, the access and service enablers are typically protected by the broadband service providers and by the backbone network providers. End-users, however, are typically not protected and are left to their own devices. Most industry security schemes consider end-points as untrusted.

Broadband access routers are increasingly prevalent at the customer premises end. These routers incorporate network address translators (NATs) that, besides helping to conserve IP address space, are sometimes used along with packet filtering to provide basic firewall functionality. The security provided depends entirely on the correct configuration of these devices. Service providers that supply customer premises equipment (CPE) customized and locked to their networks address this issue to some extent, as they can manage the customer equipment and impose some modicum of security. This trend is seen in a large percentage of broadband access networks.

The CPE for the SIP-based VoIP service is usually a terminal adapter (TA) that connects downstream from the broadband access modem or router and provides an analog phone interface to a regular phone instrument. This VoIP device, in most cases, is not a part of the managed broadband access network. In the case of VoIP, there are two distinct transport streams that need to traverse the firewall and NAT, namely the core signaling transport and the media transport paths. Simple firewalls will not let VoIP traffic through, since they do not know which ports to open for the voice traffic and at what time. In the interest of security, it is not practical to always leave open a large range of ports.
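As an added illustration of the firewall problem described above (not code from the original article), the following Python helper does what a SIP-aware firewall has to do: read the SDP body carried in an INVITE or 200 OK, open only the media ports that call negotiated, and close them again on BYE. The SIP messages and addresses are constructed samples.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Pinhole:
    host: str       # media address from the SDP c= line
    port: int       # RTP port from the m= line
    rtcp_port: int  # port + 1 unless an a=rtcp: attribute says otherwise
    call_id: str    # SIP Call-ID, so the pinhole can be closed on BYE


def split_sip_message(raw: str):
    """Return (start line, headers dict with lower-cased names, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def sdp_pinholes(sip_msg: str) -> list[Pinhole]:
    """Derive the UDP pinholes a firewall must open for the media described in
    the SDP body of an INVITE or 200 OK. Streams offered with port 0 (disabled)
    and non-RTP streams are ignored."""
    _, headers, body = split_sip_message(sip_msg)
    if "application/sdp" not in headers.get("content-type", "").lower():
        return []
    call_id = headers.get("call-id", "")
    session_host, streams, cur = None, [], None
    for line in (l.strip() for l in body.split("\n")):
        if line.startswith("c="):                  # c=IN IP4 192.0.2.10
            host = line.split()[-1]
            if cur is None:
                session_host = host                # session-level address
            else:
                cur["host"] = host                 # media-level override
        elif line.startswith("m="):                # m=audio 49170 RTP/AVP 0 8
            _media, port, proto = line[2:].split()[:3]
            cur = {"port": int(port), "proto": proto,
                   "host": session_host, "rtcp": int(port) + 1}
            streams.append(cur)
        elif line.startswith("a=rtcp:") and cur:   # a=rtcp:49172 (explicit RTCP port)
            cur["rtcp"] = int(line[7:].split()[0])
    return [Pinhole(s["host"], s["port"], s["rtcp"], call_id)
            for s in streams if s["port"] and s["proto"].startswith("RTP/")]


class PinholeTable:
    """Firewall state keyed by Call-ID: open on INVITE/200 OK with SDP, close on BYE."""

    def __init__(self):
        self._by_call = {}

    def on_sip(self, sip_msg: str) -> list[Pinhole]:
        """Feed one SIP message; returns the pinholes opened (or closed, for BYE)."""
        start, headers, _ = split_sip_message(sip_msg)
        call_id = headers.get("call-id", "")
        if start.split()[0] == "BYE":
            return self._by_call.pop(call_id, [])
        opened = sdp_pinholes(sip_msg)
        if opened:
            self._by_call.setdefault(call_id, []).extend(opened)
        return opened

    def open_ports(self) -> list[tuple[str, int]]:
        return sorted((h.host, h.port) for hs in self._by_call.values() for h in hs)


# Constructed sample messages using RFC 5737 documentation addresses.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 0 RTP/AVP 31\r\n"          # port 0: video stream disabled, no pinhole
)
SAMPLE_BYE = (
    "BYE sip:bob@example.com SIP/2.0\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "\r\n"
)
```

A real deployment would also handle re-INVITEs that move the media and time out pinholes for calls whose BYE never arrives.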

At the application layer, the threat and countermeasures become quite complex. This layer is the most vulnerable layer and different types of threats are becoming increasingly common. There is still a lot of work to be done before standard interoperable mechanisms are put in place to harden an application such as SIP-based VoIP. A collaborative, industry-wide effort is required.

The first step in that direction was taken in October 2005. The Voice over IP Security Alliance (VOIPSA), an industry consortium of VoIP and information security vendors, providers and thought leaders, released the first draft of their VoIP Security Threat Taxonomy, which attempts to identify and qualify the various threats in preparation for standardizing the mechanisms used as countermeasures.

Hardening the VoIP network

A VoIP network relies on the basic IP infrastructure for multiple services such as domain name service (DNS), trivial file transfer protocol (TFTP), file transfer protocol (FTP), etc. SIP-based VoIP networks rely on the DNS mechanism for many types of services related to telephony such as electronic numbering (ENUM). In addition, the use of the service record (DNS SRV) in the DNS server to identify SIP services enables server load balancing and redundancy. This achieves better network reliability during peak traffic and also provides resilience against DoS attacks.
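The SRV-based load balancing and redundancy mentioned above, worked through as an added example that is not part of the original article: the RFC 2782 selection rules applied to a constructed set of _sip._udp records for example.com. No DNS lookup is performed; a real client would query the SRV name and feed the answers in.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int   # lower is tried first
    weight: int     # relative share of load within the same priority
    port: int
    target: str


# Constructed answer set for _sip._udp.example.com. (not real DNS data):
# two primaries sharing load 3:1, and a backup used only when both are down.
SAMPLE_SRV = [
    SRV(10, 60, 5060, "sip1.example.com."),
    SRV(10, 20, 5060, "sip2.example.com."),
    SRV(20, 0, 5060, "sip-backup.example.com."),
]


def order_targets(records, rng=None):
    """Order SRV records as a client should try them (RFC 2782 usage rules):
    ascending priority; within one priority a weighted random order, where
    weight-0 records are chosen only when the random number lands on 0."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 records go first in the running-sum list, as the RFC requires
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)        # uniform in [0, total]
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:             # first record whose running sum reaches pick
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def select_with_failover(records, reachable, rng=None):
    """Walk the ordered list and return the first target that answers.
    `reachable` is a stand-in for a SIP OPTIONS ping or a transport connect."""
    for r in order_targets(records, rng):
        if reachable(r.target):
            return r
    return None


def first_choice_share(records, target, trials=4000, seed=7):
    """Fraction of orderings in which `target` is tried first: a quick check that
    the weights really spread load (expected 61/81 for sip1 with the sample set)."""
    rng = random.Random(seed)
    hits = sum(order_targets(records, rng)[0].target == target for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print([r.target for r in order_targets(SAMPLE_SRV)])
    print("sip1 tried first:", first_choice_share(SAMPLE_SRV, "sip1.example.com."))
```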

However, DNS has itself been identified as one of the vulnerable systems in the TCP/IP infrastructure. It is vulnerable to many types of transaction attacks including cache poisoning, domain hijacking and man-in-the-middle redirection. Open recursive DNS servers are actively being used as DDoS reflectors, providing a huge amplification factor for such attacks. DNS security extensions (DNSSEC), designed to alleviate some of these shortcomings, are still not widely deployed.

Hence, many SIP-based VoIP implementations are designed to use private DNS. Private DNS breaks the hierarchical tree structure of the DNS and does not allow recursive queries. Instead, private DNS uses a standalone server or servers to provide exclusively VoIP-related DNS services for SIP clients within the managed network. All other DNS requests continue to be serviced by the standard DNS network of servers.

VoIP telephones could be mis-configured by the end-user, either while attempting firmware updates or when adjusting parameters of operation, leading to vulnerabilities or loss of service. Early SIP-based VoIP devices commonly used TFTP to update firmware or configuration files. TFTP is not a very sophisticated or secure mechanism for file transfer, and using it for updating critical files could lead to compromising either the fundamental operating firmware or the configuration of the SIP device.

Modern SIP-based VoIP devices use the more secure FTP or secure HTTP (HTTPS) for firmware updates, and XML over HTTPS for remote configuration by the service provider. In addition, the ability to modify firmware or SIP parameters is usually blocked by the service provider, thus leading to greater reliability of the firmware updates and SIP configurations.

Such a mechanism for configuration and updating also provides service providers with the ability to provision devices based on rate structures such as local or long-distance plans, etc. In addition, it also allows the service provider to hide SIP configuration and dial plans, information that could potentially be used by hackers to steal services.

Author: Vinay R. Rao
Source

The Cloud for Small Business

Apple Inc yesterday announced the coming of its cloud based platform, aptly dubbed iCloud. According to news reports, the web service will synchronise and coordinate shared content across all devices – a key element being its ability to stream music; in other words an all-new iTunes.

Following its hotly anticipated autumn launch, iCloud has the potential to revolutionise how music is acquired and distributed, offering a service to rival that of Google, Amazon, and Spotify in the UK. Given the huge success of its predecessor, it’s easy to imagine iCloud dominating the industry and becoming the go-to music source.

While MDs, FDs and other senior management will no doubt sign up to the iCloud service to download their music in a heartbeat (after all, if you don’t have an iPhone, well…), it begs the question why owner-managers are so seemingly reticent to use similar services within a working environment, especially as most people have probably long been using ‘cloud’-based applications for business and leisure without even knowing it or giving it a second thought.

Not farfetched

If you have a Hotmail, Gmail, Yahoo or other hosted email account and use downloaded resources such as Google Docs, you’re already on the cloud. When you think of it that way, becoming a fully fledged cloud convert by entrusting your work email and desktop to the ether suddenly doesn’t seem so farfetched. Especially when you consider that, up until the early 90s, the mainframe technology that most offices relied on was akin to what’s now being billed as ‘The Cloud’.

No applications were hosted on the user’s machine but accessed via a server in the corner of the room. The cloud works on the same principle – instead of sending your device into processing overdrive by running multiple programmes, your assets are held in secure data centres.

The greater peace of mind this delivers from a business continuity perspective is perhaps the strongest argument for making the switch (because your data is stored in at least two locations the chances of complete shutdown are almost negligible) but considerations such as running and environmental costs (cloud services are estimated to save at least £1 per day in electricity charges); more flexible working (the ability to access your documents from anywhere with an internet connection); and the option to determine individual user rights (restrict employee downloads, including social media activity and the extraction of confidential company documents) also make a compelling case for the cloud.

For start-ups too, the upfront savings on physical hardware and deployment make the cloud’s pay-as-you-go model a more viable IT infrastructure solution.

Security scare

What’s holding businesses back then? Recent high profile scares at Sony, Amazon and Google have raised concerns in the media about security on the cloud. But the reality is that cyber criminals are unconcerned where the data is hosted – many companies that have stored their data on-site rather than ‘in the cloud’ have suffered a similar fate. Hackers can only break through if the firewall software fails to prevent unauthorised users gaining access.

And seeing as very few small businesses can afford the high-end security systems that protect specialist data sites, for SMEs the cloud is certainly a safer place to store data.

The benefits of cloud computing far outweigh any outside chance of a security scare (and let’s face it, unless you’re in the same league as Sony you probably don’t feature too highly on the average hacker’s hit list).

Indeed, the fact that 70% of CIOs in public and private sector companies in the US, Europe and Asia, said that they were either using or planning to use cloud computing services for hosting their data and applications is testament enough to widespread business belief in the cloud and, closer to home, around 90% of our North West client base at Flexsys is considering moving their email – and at least 70% all their networking, data and applications – over to hosted services.

So, if you can’t beat them, should you join them? Perhaps when you’re downloading your holiday playlist, consider what a move to the cloud could mean for you and your business. Because, to paraphrase our friends at Apple, if you’re not on the cloud, well, you’re not on the cloud…

Source

5 Overlooked Threats to Cloud Computing

A lack of understanding about security risks is one of the key factors holding back cloud computing.

Report after report after report harps on security as the main speed bump slowing the pace of cloud adoption. But what tends to be overlooked, even by cloud advocates, is that overall security threats are changing as organizations move from physical environments to virtual ones and on to cloud-based ones.

Viruses, malware and phishing are still concerns, but issues like virtual-machine-launched attacks, multi-tenancy risks and hypervisor vulnerabilities will challenge even the most up-to-date security administrator. Here are 5 overlooked threats that could put your cloud computing efforts at risk.

1. DIY Security.

The days of security through obscurity are over. In the past, if you were an anonymous SMB, the threats you worried about were the typical consumer ones: viruses, phishing and, say, Nigerian 419 scams. Hackers didn’t have enough to gain to focus their energy on penetrating your network, and you didn’t have to worry about things like DDoS attacks – those were a service provider problem.

Remember the old New Yorker cartoon: “on the Internet no one knows you’re a dog”? Well, in the cloud, no one knows you’re an SMB.

“Being a small site no longer protects you,” said Marisa S. Viveros, VP of IBM Security Services. “Threats come from everywhere. Being in the U.S. doesn’t mean you’ll only be exposed to U.S.-based attacks. You – and everyone – are threatened from attackers from everywhere, China, Russia, Somalia.”

To a degree, that’s been the case for a while, but even targeted attacks are global now, and if you share an infrastructure with a higher-profile organization, you may also be seen as the beachhead that attackers can use to go after your bigger neighbors.

In other words, the next time China or Russia hacks a major cloud provider, you may end up as collateral damage. What this all adds up to is that in the cloud, DIY security no longer cuts it. Also, having an overworked general IT person coordinating your security efforts is a terrible idea.

As more and more companies move to cloud-based infrastructure, only the biggest companies with the deepest pockets will be able to handle security on their own. Everyone else will need to start thinking of security as a service, and, perhaps, eventually even a utility.

2. Private clouds that aren’t.

One way that security-wary companies get their feet wet in the cloud is by adopting private clouds. It’s not uncommon for enterprises to deploy private clouds to try to have it both ways. They get the cost and efficiency benefits of the cloud but avoid the perceived security risks of public cloud projects.

Plenty of private clouds, though, aren’t all that private. “Many ‘private’ cloud infrastructures are actually hosted by third parties, which still leaves them open to concerns of privileged insider access from the provider and a lack of transparency to security practices and risks,” said Geoff Webb, Director of Product Marketing for CREDANT Technologies, a data protection vendor.

Much of what you read about cloud security still treats it in outdated ways. At the recent RSA conference, I can’t tell you how many times people told me that the key to cloud security was to nail down solid SLAs that cover security in detail. If you delineate responsibilities and hold service providers accountable, you’re good to go.

There is some truth to that, but simply trusting a vendor to live up to SLAs is a sucker’s game. You – not the service provider – will be the one who gets blamed by your board or your customers when sensitive IP is stolen or customer records are exposed.

A service provider touting its security standards may not have paid very close attention to security. This is high-tech, after all, where security is almost always an afterthought.

3. Multi-tenancy risks in private and hybrid clouds.

Many companies, when building out their private or hybrid clouds, are hitting walls. The easy stuff has been virtualized, things like test development and file printing.

“A lot of companies have about 30 percent of their infrastructure virtualized. They’d like to get to 60-70 percent, but the low-hanging fruit has all been picked. They’re trying to hit mission-critical and compliance workloads, but that’s where security becomes a serious roadblock,” said Eric Chiu, President of virtualization and cloud security company HyTrust.

Multi-tenancy isn’t strictly a public cloud issue. Different business units – often with different security practices – may occupy the same infrastructure in private and hybrid clouds.

“The risk to systems owned by one business unit with good security practices may be undermined by the poor security practices of a sister business unit. Such things are extremely difficult to measure and account for, especially in large, multinational organizations,” Webb said.

Another issue is application tiers. In poorly designed private clouds, non-mission critical-apps often share the same resources as mission-critical ones. “How do most companies separate those?” asked Chiu.

“They air-gap it, so the biggest threat for most virtualization and private cloud environments is misconfiguration,” he said. “Eighty percent of downtime is caused by inappropriate administrative changes.”

4. Poorly secured hypervisors and overstressed IPS.

Every new technology brings with it new vulnerabilities, and a gaping cloud/virtualization vulnerability is the hypervisor.

“Many people are doing nothing at all to secure virtualized infrastructures. The hypervisor is essentially a network. You have a whole network running inside these machines, yet most people have no idea what sort of traffic is in there,” Anthony said.

Buffer overflow attacks have been successful against hypervisors, and hypervisors are popping up in all sorts of devices that people wouldn’t think of as having them, including Xbox 360s.

Even when organizations believe that they have a handle on the traffic within their cloud environments, they may be fooling themselves, especially if they are relying on legacy security tools. Everyone knows that they need an IPS solution to protect their cloud deployments, but they have no idea what the actual scale of the problem is.

Moreover, many of these appliances have packet inspection settings that by default fail open. In other words, if the device is overwhelmed with, say, video traffic, the majority of traffic passes through as safe and only small samples are inspected for threats.

The IPS will typically trigger a low-level alarm or record this spike in a log, but how many IT units have time to look at logs unless they know they have a problem? Organizations are also slow to realize that they need an array of different protection in virtualized cloud environments than they had in traditional on-premise settings. Or they do realize this and are choosing to ignore it due to budget and time constraints.

The IBM security executives I talked to at RSA ticked off a number of security solutions they would recommend to better protect cloud environments, including IPS solutions with 20 Gbps capabilities, DLP and application security. Much of their advice boiled down to (see item #1 again) the point that security is becoming too big a problem for most organizations to tackle on their own.

5. Insider threats.

Are insider threats keeping you up at night now? Unfortunately, virtualization and the cloud ramp up the risk of insider threats – at least for the time being.

“A smaller number of administrators are now likely to have access to a greater amount of hosted data and systems than ever before, as the cloud systems are managed by a cloud infrastructure management team. This can leave sensitive data open to access by individuals who previously did not have access to it, eroding separation of duties and practices and raising the risk of insider attacks,” Webb said. The ability to walk off with key assets is also simply much easier to do, rights or not, in a virtualized environment than a physical one.

“When the banking restrictions came out, people were worried about someone walking into the physical data center and grabbing a rack of tapes and walking off with it,” Chiu said. Those fears spurred much more frequent encryption of data at rest.

How do you steal those same assets in a virtual environment, where data encryption is often still an oversight?

“If you have administrative credentials, you pick the virtual machine you want, right click and copy it,” Chiu said. It’s not that hard to spot someone walking out of the building with a box of tapes. A virtual machine on a USB drive isn’t going to raise a single eyebrow.

Source