REDSHIFT NETWORKS
UCTM vs. NEXTGEN FIREWALL
COMMUNICATIONS AND COLLABORATIONS
Voice solution vendors are making tremendous progress in tightly tying the operation of
enterprise data applications to IP-telephony features in order to improve overall employee
connectivity and business productivity. The combination of these two previously separate
worlds is called “Unified Communications” (UC) when the integration happens at the end
user's desktop PC, or “Communication-Enabled Business Processes” (CEBP) when the
integration is within an enterprise application running on dedicated servers. As a result,
richer services are now possible, ranging from click-2-call applications and connection
anywhere/anytime/on any device to UC services such as Presence and Collaboration across
any IP-based device.
Enterprises must understand that while IP Voice, Video and UC&C networks and applications
present great promise, they also present unique security requirements that differ from those
of conventional data applications. Because of the real-time nature of communications,
combined with disparate open networks, the overall network complexity and the exposure to
threat vectors are alarming.
This white paper focuses narrowly on the numerous threat vectors that plague these
applications, ranging from Voice Denial-of-Service (VDOS) attacks, SPAM over Internet
Telephony (SPIT) attacks, eavesdropping, spoofing, number harvesting, protocol anomaly or
fuzzing attacks, and signaling and media manipulation attacks to toll fraud. The paper
presents the shortcomings of existing security solutions and sets out the requirements for
comprehensively securing Unified Communications & Collaborations, IP Voice and Video
networks, systems and applications.
RedShift Networks - 2603 Camino Ramon, Suite 2000 - San Ramon, California 94583
Tel: +1 925 242 2530 - Email: info@redshiftnetworks.com
Introduction
The emergence of Unified Communications, Collaborations, IP Voice and Video technology is
causing a fundamental shift in the telecommunications industry. Traditional communication
systems and applications running on legacy TDM networks are being replaced by their IP
counterparts, providing numerous benefits to businesses. These benefits range from low cost
of operation and the ability to quickly provision enriched, software-enabled communication
services, to ease of manageability, usability and adaptability to business fluctuations, and
finally to leveraging open standards and their ecosystem.
Voice and UC solution vendors are making tremendous progress in tightly tying the operation of
data applications (and UC services) to IP-telephony features. This helps improve overall
employee connectivity and business productivity. The combination of these two previously
separate worlds is called “Unified Communications” (UC) when the integration happens at the
end user's desktop PC, or “Communication-Enabled Business Processes” (CEBP) when the
integration is within an enterprise application running on dedicated servers. As a result,
richer services are now possible, ranging from click-2-call applications and connection
anywhere/anytime/on any device to UC communication cloud services such as Presence and
Collaboration offered across any IP-based device.
The stakeholders must understand that while IP Voice, Video and UC&C networks and applications
present great promise, they also present unique security requirements that differ from those of
conventional data applications. Because of the real-time nature of communications, combined with
the complex interconnect involving many entities, the overall network complexity and the exposure
to threat vectors are alarming.
This white paper focuses narrowly on the numerous threat vectors that plague UC&C networks and
applications, ranging from Voice/UC Denial-of-Service (VDOS/UC-DOS) attacks, SPAM over Internet
Telephony (SPIT) attacks, Eavesdropping, Spoofing, Number Harvesting, Protocol anomaly or
Fuzzing attacks, Signaling or Media threats and Toll Fraud to a myriad of UC Infrastructure and
Application layer threats. The paper describes the internal architecture and technology used by
the RSG Unified Communications Threat Management (UCTM) platform of products. The UCTM gateway
solutions provide comprehensive Visibility, Control and Protection of Unified Communications &
Collaborations, IP Voice and Video networks, systems and applications.
technologies are not well suited to counter them. The real-time reliability requirements also
need to be close to perfect. A typical response to a security attack in the data world requires
human intervention, which incurs significant time delays before the scope of the threat can be
reduced and appropriate mitigations applied. While this may be satisfactory in the data world,
VOIP/UC systems require a real-time response to security threats.
VOIP/UC is also highly sensitive to QOS parameters. If the security solution causes a noticeable
loss in voice quality or delays in the UC service experience, it becomes an unacceptable solution.
Any interruption in the flow of packets, in reassembly, or any added jitter will impact the quality
of the voice conversation or the integrity of a UC service. In the data world, these issues are
addressed by retransmitting the lost data, causing additional delays for the end user. While this
may be acceptable in the data world, a retransmission in the VOIP/UC realm would mean that the
caller has to repeat the lost speech, or invoke the service again. This is an unacceptable
solution.
Latency is another factor. Modern data security solutions employ encryption and/or deep-packet
inspection to improve security. Both methods introduce additional delay and jitter to VOIP/UC
packet streams, thus degrading the overall QOS.
Lastly, UC networks based on open standards will continue to interact with legacy PSTN networks
using proprietary VOIP and UC protocols. This poses a new set of challenges and attack vectors,
with a large number of new infrastructure and security threats. With such a myriad of deployment
solutions and architectures spanning multiple protocols, endpoints, systems and networks, the
complexity of threat detection and mitigation grows exponentially.
A typical unified service (e.g. a web conferencing session that requires registration validation)
requires communication flows that can span multiple server farms, as indicated by the arrows in
the figure. The red arrows indicate the communication flows currently protected by various
best-of-breed vendors. The green dotted arrows indicate the communication flows that would
otherwise travel unprotected without the RSG placed inline. The bold green lines indicate the
communication flows protected with the RSG placed inline.
- Several buffer overflow exploits publicly available against the Cisco IOS operating system [1]
- Denial-of-Service (DOS) exploits triggered by fragmented UDP packets for Alcatel and Avaya
  phones [2]
- A known Cisco SIP-based phone telnet service vulnerability that allows the telnet service to be
  exploited by an attacker due to weak password permissions set on the VOIP device [3]
- The SNMP services offered by the devices may be vulnerable to reconnaissance attacks. For
  example, valuable information was gathered from an Avaya IP phone by using SNMP queries with
  the “public” community name [4]
- Several publicly available tools that generate TCP and/or UDP flooding attacks
- Malformed TCP packet generators that can result in undesirable crashes
Someone who hacked into a company's router could listen in on a board of directors' meeting and
use the information illegitimately to buy more stock, or sell the information to another
institution. The range of possible threats is very large.
Toll fraud happens when a hacker gains illegitimate access to a VoIP network and allows
unauthorized users to make calls to premium-rate numbers, e.g. repeated long-distance calls to
international toll numbers. VoIP systems are particularly vulnerable to toll fraud because they
form an integral part of an enterprise's IP network, unlike PBX systems, which are closely
monitored and managed by separate groups. VoIP toll fraud attacks can lead to serious financial
damage and loss of reputation in a remarkably short period of time.
There are several hundred such tools available on the web today that anyone can download and
run against a VOIP/UC network. Examples of open-source tools include PROTOS [5] and SiVUS [6].
Commercial tools include Spirent ThreatEX [7] and Codenomicon [8]. A malicious user can run
these tools against any VOIP/UC network in a matter of minutes, resulting in varied threat
risks ranging from application crashes and information leaks to a denial of service.
Voice/UC DOS/DDOS attacks are of one of two kinds: (1) resource starvation or (2) resource
unavailability. Resource starvation usually results from flooding attacks originating either
from a single source or from multiple sources. Even a naive attacker can flood the destination
server with a large number of control packets, consuming so much CPU that the victim server
hosting the VOIP or UC service becomes totally unusable. A DDOS attack is a variant of DOS in
which the attacker uses multiple sources to collectively generate and send an excessive number
of flood packets to the victim server, often with fake and randomized source addresses, so that
the victim server cannot easily identify the flooding sources.
The second attack type (more of a stealth DOS) uses a carefully crafted mechanism to exploit a
specific vulnerability (e.g. a buffer overflow, shell code, a forged BYE request, malformed or
fuzzed inputs, etc.) in one of the network-facing processes resident on the victim server or
VOIP/UC endpoint, thereby making it unusable, often leading to a crash or a compromise of the
VOIP/UC service's integrity.
UC-DOS attacks come in several forms, ranging from Presence state flooding, Message Waiting
Indication (MWI) flood attacks and sudden upsurges in Music-on-Hold messages to Unified
Messaging (UM) flooding attacks with a sudden upsurge in emails announcing spurious new voice
messages.
Signaling Threats
Signaling protocols that are not properly authenticated and encrypted, and that lack proper
authorization controls, can give rise to several threats, ranging from:
Media Threats
Employing video communications over IP networks greatly enhances an organization's
collaboration points. Ensuring that the IP network is ready for video is critical to realizing
the full business benefits of Unified Communications. However, the media infrastructure suffers
from several threat vectors, which range from:
Examples include
The figure above shows an example where a telemarketer floods corporate VOIP phones with Viagra
SPAM messages. There is a general perception that Voice SPAM will suffer the same fate as email
SPAM. Most VOIP deployments today are confined to restricted zones with limited internet access;
once they become reachable from open networks and by spammers, the problem will worsen
exponentially.
Data Voice Threats
The beauty of converged networks is that voice over IP is 'just' another application running on
the data network. Unfortunately, from a security viewpoint this means that it is also affected by
all the attacks that affect data networks, even those not deliberately targeting voice over IP.
The most significant specific threat to VoIP is denial of service (DOS), because it can bring a
data network to its knees and shut down every application running on it, including VoIP. Affected
users could be without phone service until the network is back up. Specific threats include
buffer overflow exploits, malicious SQL or command injection [11] and cross-site scripting
attacks [10].
The security bugs that plague data applications will also affect VOIP/UC users, because VOIP/UC
is just another internet-facing application, and thus leaves the network vulnerable to malicious
users.
Voice Phishing
Voice phishing works very much like email phishing. It is a new form of identity theft that
tricks one into revealing personal information when the scammer replaces a website with a
telephone number, or is able to redirect traffic destined for a genuine bank's PBX to a fake PBX
[as shown in the example below]. In the former case, the message is marked urgent and asks one
to respond quickly. Once the naive user starts keying in personal information, e.g. social
security number, driver's license, credit card numbers or bank ATM number, the digits are
retrieved from the payloads using advanced tools.
Addressing the complex security and deployment challenges posed by VOIP networks and UC
applications is a formidable task. Existing solutions are deficient in a number of ways:
- Deep packet inspection capabilities from Layer 3 up to Layer 7 for VOIP and UC traffic
- Advanced correlation of protocol state and security events across the different layers and
  security modules
- Heterogeneous architecture comprising both proactive and reactive solution elements
- One VOIP security solution, not a patchwork of several piecemeal solutions
- Tight integration with the IP-PBX and other communication infrastructure elements, making it
  easy to deploy and manage
- Low latency using advanced software, hardware and system acceleration techniques
- Near-zero false positives and false negatives
- Comprehensive coverage of VOIP, UC and CEBP application security threats
- Easy integration with third-party vendor solutions providing UC and SOA services (e.g.
  Microsoft, SAP, BEA, IBM)
- Visibility into all VOIP and UC traffic
- Control over all UC services, applications and assets
Conclusions
Current VOIP security solutions fall into two broad categories: (1) Session Border Controllers
(SBCs) and (2) data security products. SBCs sitting at the edge of the voice network provide
basic VOIP protection capabilities such as authentication, encryption and port/ACL filtering.
SBCs do not have the horsepower or the intelligence to perform deep packet inspection of
higher-layer VOIP and UC protocol traffic, an essential requirement for protection against VOIP
and UC layer threats.
Data security products do limited deep packet inspection and provide basic DOS/DDOS and protocol
anomaly protection, but are simply not geared to address the real-time challenges and increased
complexity of VOIP networks. The QoS requirement for real-time communications (2 ms for signaling
and 100 µs for media) is also a hard deployment challenge to satisfy.
References
[1] Cisco Call Manager Windows 2000 Workstation Service Buffer Overflow,
    http://www.cisco.com/warp/public/707/cisco-sa-20040129-ms03-049.shtml
http://www.ee.oulu.fi/research/ouspg/protos/
http://www.blackhat.com/presentations/bh-usa-04/bh-us-04-mookhey/old/bh-us-04-mookhey_whitepaper.pdf
[11] SIP Message Tampering: The SQL Injection Code Attack, Dimitris et al.,
    http://www.snocer.org/Paper/camera-ready_soft_com.pdf
Author
Srinivas Mantripragada, CTO & VP, Products, RedShift Networks