
VoIP Threats and Countermeasures
Interop NY – Sept 19, 2006
Gregory M. Lebovitz
gregory@juniper.net

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1


VoIP Security Threats

Security Threat                                  | Ramifications
DoS attack on PBX, IP phone or gateway           | All voice communications fail
Unauthorized access to PBX or voice mail system  | Hacker listens to voice mails, accesses call logs, company directories, etc.
Toll fraud                                       | Hacker utilizes PBX for long-distance calling, increasing costs
Eavesdropping or man-in-the-middle attack        | Voice conversations unknowingly intercepted and altered
Worms/trojans/viruses on IP phones, PBX          | Infected PBX and/or phones rendered useless, spread problems throughout network
IP phone spam                                    | Lost productivity and annoyance

[Chart: Top Security Concerns. Bar chart of the share of respondents rating each item a major concern (y-axis 0% to 70%); categories: IP PBX DoS attacks, IP PBX hacking, Back door to corporate network, Voice intercept on WAN, All LAN segments have voice access.]



Voice Quality and Service Issues

VoIP Service Issue                              | Ramifications
Failure to connect/get service/make calls       | Unable to communicate with others; less productivity
Poor quality voice – clicks, echo, noise        | Customer dissatisfaction
Calls get dropped intermittently                | Customer dissatisfaction
Calls not completed during high traffic times   | Unable to communicate with others

Underlying network causes called out on the slide: latency, jitter, packet loss.



Interoperability Issues

Interoperability Issue                                  | Ramifications
New and evolving protocols                              | Need for constant attention, upgrades and service disruption
Multi-vendor equipment to get best in class solution    | Service disruption due to configuration, testing and ongoing maintenance of systems
Proprietary implementations of protocols by vendors     | Interoperability issues among vendors, resulting in poor quality; dropped calls, or inability to set up call

Side callouts on the slide:
• Best in class multi-vendor components
• Evolving protocols
• Service Provider interoperability



Security through Firewall ALGs
• VoIP Security Challenge
  - Traditional firewall solutions open a range of ports for VoIP support
  - This exposes the network to security risk, since the open ports can be exploited
• SIP, H.323, and MGCP ALGs minimize network security risk
  - ALGs dynamically open/close media ports for the call duration, based on the negotiations observed in signaling
  - NAT, route, or transparent deployment

[Diagram: two deployments side by side. "Port range" (no ALG): Call Processing Server, signaling, EndPoint, with media passing through a wide range of open ports (undue exposure). "VoIP aware - ALG": the same Call Processing Server, signaling and EndPoint, with media passing only through dynamic pinholes.]



Address Translation
The Unintelligent Way, Application Blind

Some NAT/Firewalls NAT the IP header but not SIP & SDP. The phone's private address and media port survive inside the payload, so the provider's equipment learns a media destination it cannot reach.

[Diagram: Voice over Broadband (Cable, DSL) site: SIP/Phone 10.10.10.117 behind a Data FW/NAT router (194.90.133.115) and a Cable/DSL modem; an MGCP IAD (10.0.0.1) with a POTS phone. VoIP Service Provider side across the IP Network: Softswitch, Application Server, Media Server (198.134.45.2), Media Gateway.]

Packet as seen by the VoIP Service Provider:

Internet Protocol
  Source: 194.90.133.115
  Destination: 194.90.133.116
User Datagram Protocol
  Source port: 61455
  Destination port: 5060
Session Initiation Protocol
  Request-Line: INVITE sip:1060@194.90.133.116 SIP/2.0
  Via: SIP/2.0/UDP 10.10.10.117:5060
  From: sip:kagoor63@194.90.133.116
  To: sip:1060@194.90.133.116
  Contact: <sip:kagoor63@10.10.10.117:5060>
Session Description Protocol
  Version (v): 0
  Owner Address: 10.10.10.117
  Connection Address: 10.10.10.117
  Media Port: 20304
  Media Proto: RTP/AVP



Address Translation
Application Aware NAT

Need to perform application-level NAT: the VF-4000 session border controller rewrites the SIP headers and the SDP body, not only the IP/UDP header.

[Diagram: the same Voice over Broadband site (SIP/Phone 10.10.10.117 behind the Data FW/NAT router, 194.90.133.115); on the VoIP Service Provider side the VF-4000 session border controller (194.90.81.144) sits in front of the Softswitch, Application Server, Media Server and Media Gateway.]

Packet as received at the SBC -> as forwarded into the provider network:

Internet Protocol
  Source: 194.90.133.115 -> 194.90.81.144
  Destination: 194.90.133.116
User Datagram Protocol
  Source port: 61455 -> 54101
  Destination port: 5060
Session Initiation Protocol
  Request-Line: INVITE sip:1060@194.90.133.116 SIP/2.0
  Via: SIP/2.0/UDP 10.10.10.117:5060 -> SIP/2.0/UDP 194.90.81.144:54101
  From: sip:kagoor63@194.90.133.116
  To: sip:1060@194.90.133.116
  Contact: <sip:kagoor63@10.10.10.117:5060> -> <sip:kagoor63@194.90.81.144:54101>
Session Description Protocol
  Version (v): 0
  Owner Address: 10.10.10.117 -> 194.90.81.144
  Connection Address: 10.10.10.117 -> 194.90.81.144
  Media Port: 20304 -> 62101
  Media Proto: RTP/AVP
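The two Address Translation slides and the ALG slide describe the same mechanism from two angles: an application-blind NAT leaves the private address inside SIP/SDP, while an application-aware NAT/ALG rewrites Via, Contact and the SDP o=/c=/m= lines and opens media pinholes only for the negotiated ports. The following Python is an added example written for this page, not Juniper code or the VF-4000's behaviour; the `SipAlg` class, `blind_nat` helper and the constructed INVITE are this example's own, and the addresses and ports are the ones printed on the slides.

```python
import re

# Addresses and ports are the ones shown on the two Address Translation slides.
PRIVATE_IP = "10.10.10.117"   # SIP phone behind the broadband NAT
SBC_IP = "194.90.81.144"      # public address the session border controller presents
SIG_PORT = 54101              # translated signaling port
MEDIA_PORT = 62101            # translated media (RTP) port

# Constructed SDP body using the slide's owner/connection address and media port.
SDP_BODY = (
    "v=0\r\n"
    "o=kagoor63 1 1 IN IP4 10.10.10.117\r\n"
    "s=-\r\n"
    "c=IN IP4 10.10.10.117\r\n"
    "t=0 0\r\n"
    "m=audio 20304 RTP/AVP 0\r\n"
)


def build_invite(body=SDP_BODY):
    """Constructed INVITE as the phone sends it (headers taken from the slide)."""
    headers = (
        "INVITE sip:1060@194.90.133.116 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 10.10.10.117:5060\r\n"
        "From: <sip:kagoor63@194.90.133.116>;tag=1\r\n"
        "To: <sip:1060@194.90.133.116>\r\n"
        "Call-ID: 1@example-phone\r\n"
        "CSeq: 1 INVITE\r\n"
        "Contact: <sip:kagoor63@10.10.10.117:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body.encode())}\r\n\r\n"
    )
    return headers + body


def private_addresses_left(message):
    """10/8 private addresses still present inside the SIP/SDP payload."""
    return sorted(set(re.findall(r"\b10\.\d+\.\d+\.\d+\b", message)))


def content_length_consistent(message):
    """True when the declared Content-Length matches the actual body size."""
    head, _, body = message.partition("\r\n\r\n")
    declared = int(re.search(r"Content-Length: (\d+)", head).group(1))
    return declared == len(body.encode())


def blind_nat(packet):
    """Application-blind NAT: only the IP/UDP header is rewritten; the
    private address and port inside SIP/SDP leak through unchanged."""
    return dict(packet, src_ip=SBC_IP, src_port=SIG_PORT)


class SipAlg:
    """Application-aware NAT/ALG (this example's own class, not a vendor API):
    rewrites SIP headers and SDP and opens media pinholes only for the ports
    the SDP negotiates, for the duration of the call."""

    def __init__(self):
        self.pinholes = {}  # public media port -> (private ip, private port)

    def translate(self, packet):
        head, _, body = packet["payload"].partition("\r\n\r\n")
        # Via and Contact must name the public side so responses and later
        # requests route back through the ALG.
        head = head.replace(f"{PRIVATE_IP}:5060", f"{SBC_IP}:{SIG_PORT}")
        # o= and c= lines tell the far end where to send media.
        body = body.replace(f"IN IP4 {PRIVATE_IP}", f"IN IP4 {SBC_IP}")
        # m= line: translate the media port and open RTP and RTCP pinholes.
        private_port = int(re.search(r"^m=audio (\d+) ", body, re.M).group(1))
        body = body.replace(f"m=audio {private_port} ", f"m=audio {MEDIA_PORT} ")
        self.pinholes[MEDIA_PORT] = (PRIVATE_IP, private_port)
        self.pinholes[MEDIA_PORT + 1] = (PRIVATE_IP, private_port + 1)
        head = re.sub(r"Content-Length: \d+",
                      f"Content-Length: {len(body.encode())}", head)
        return dict(packet, src_ip=SBC_IP, src_port=SIG_PORT,
                    payload=head + "\r\n\r\n" + body)

    def inbound_media(self, dst_port):
        """Inside destination for an inbound UDP packet, or None when no
        pinhole is open for that port (the packet is dropped)."""
        return self.pinholes.get(dst_port)

    def call_ended(self):
        """On BYE the pinholes are closed; they exist only for the call."""
        self.pinholes.clear()


if __name__ == "__main__":
    pkt = {"src_ip": "194.90.133.115", "src_port": 61455, "payload": build_invite()}
    print("blind NAT leaves:", private_addresses_left(blind_nat(pkt)["payload"]))
    alg = SipAlg()
    print(alg.translate(pkt)["payload"])
    print("pinholes:", alg.pinholes)
```

Running the script shows the blind NAT still carrying 10.10.10.117 in Via, Contact, o=, c= while the ALG output names 194.90.81.144 everywhere and has exactly two pinholes open (RTP and RTCP) until `call_ended()` is called.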



Network Isolation
Secure and Assured Infrastructure

[Diagram: large central site with a Call Processing Subnet, PSTN connection, router, Internal Data Network, DMZ, PoE switch and Internal VoIP End-Point Network, with the provider MPLS network beyond.]

Callouts on the diagram:
• Redundant security devices for failover and high availability
• QoS policy and scheduling
• Scalable VPN supporting thousands of connections
• ALG technology to extend corporate VoIP
• MPLS TE passed to provider MPLS network
• Zone architecture for intra/inter zones with policy enforcement



Voice Eavesdropping Prevention
• VoIP Security Challenge
  - Protecting VoIP calls from eavesdropping
  - Ensuring privacy of VoIP conversations
• Encrypted VoIP Solution
  - Encrypt VoIP connections with site-to-site VPN (AES) to prevent eavesdropping
  - Hide signaling

[Diagram: Branch Office IP PBX connected over a VPN tunnel to the Corporate Network IP PBX.]



Unauthorized Use Prevention
• VoIP Security Challenge
  - Toll fraud and unauthorized use
  - "Man in the middle" or SIP based DoS attacks
  - Intercepting signaling in transit to "sniff" calls
• Secure VoIP Solution
  - Block or throttle illegitimate calls at the source, to ensure legitimate signaling and media can pass
  - Policy-based access control for SIP, H.323, and MGCP
  - Ensures appropriate access controls are applied to the signaling and media

[Diagram: a User Repository mapping users (User: John Doe, User: Jane Jones) to IP addresses (User: IP Address xxx.x.x.xxx), used as the basis for the access policy.]



IPS for VoIP
• Stateful signature and protocol anomaly detection for the SIP protocol
• Protocol anomaly detection for H.323
• IPS decode for the SIP VoIP protocol
  - Anomaly definitions library that flags potential attacks and allows the traffic to be blocked or an alert to be sent
  - Blocking if deployed "inline", alerting if deployed "passively"
• Market Significance
  - Addresses VoIP attacks at layers 4 through 7, including application layer vulnerabilities as they are discovered
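Protocol anomaly detection, as the slide uses the term, means checking a decoded SIP message against what the protocol specification allows rather than against a list of known attack signatures, and then blocking (inline) or alerting (passive). The Python below is an added example written for this page, not Juniper IDP code: it checks a SIP request for a malformed request line, missing mandatory request headers (RFC 3261 section 8.1.1), an unknown method, an oversized header value, a CSeq method that disagrees with the request line, and a Content-Length that does not match the body. The 1024-byte header threshold, the function names and both sample messages are this example's own assumptions.

```python
# Mandatory headers for a SIP request (RFC 3261 section 8.1.1).
MANDATORY_REQUEST_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS",
                 "SUBSCRIBE", "NOTIFY", "REFER", "INFO", "PRACK", "UPDATE",
                 "MESSAGE", "PUBLISH"}
MAX_HEADER_VALUE_LEN = 1024  # assumed threshold for this example, not a vendor value


def parse_sip(raw):
    """Split a SIP request into (start line, headers, body). Header names are
    lower-cased and map to a list of values; compact forms are not expanded."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def sip_anomalies(raw):
    """Return the list of protocol anomalies found in one SIP request."""
    findings = []
    start, headers, body = parse_sip(raw)
    parts = start.split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return ["malformed-request-line"]      # nothing else can be trusted
    method = parts[0]
    if method not in KNOWN_METHODS:
        findings.append(f"unknown-method:{method}")
    for name in MANDATORY_REQUEST_HEADERS:
        if name.lower() not in headers:
            findings.append(f"missing-header:{name}")
    for name, values in headers.items():
        if any(len(v) > MAX_HEADER_VALUE_LEN for v in values):
            findings.append(f"oversized-header:{name}")
    cseq = headers.get("cseq", [""])[0].split()
    if len(cseq) == 2 and cseq[1] != method:
        findings.append("cseq-method-mismatch")
    declared = headers.get("content-length", [None])[0]
    if declared is not None and (not declared.isdigit()
                                 or int(declared) != len(body.encode())):
        findings.append("content-length-mismatch")
    return findings


def disposition(findings, inline):
    """An inline sensor blocks anomalous traffic; a passive sensor only alerts."""
    if not findings:
        return "allow"
    return "block" if inline else "alert"


# Constructed well-formed INVITE (addresses from the slides).
GOOD_INVITE = (
    "INVITE sip:1060@194.90.133.116 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.10.117:5060;branch=z9hG4bK776\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:kagoor63@194.90.133.116>;tag=1\r\n"
    "To: <sip:1060@194.90.133.116>\r\n"
    "Call-ID: 1@example-phone\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Constructed anomalous INVITE: no Max-Forwards, a 2000-byte Via branch,
# a CSeq naming the wrong method, and a Content-Length with no body.
LONG_BRANCH = "A" * 2000
BAD_INVITE = (
    "INVITE sip:1060@194.90.133.116 SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP 10.10.10.117:5060;branch={LONG_BRANCH}\r\n"
    "From: <sip:kagoor63@194.90.133.116>;tag=1\r\n"
    "To: <sip:1060@194.90.133.116>\r\n"
    "Call-ID: 2@example-phone\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 500\r\n\r\n"
)

if __name__ == "__main__":
    for msg in (GOOD_INVITE, BAD_INVITE):
        found = sip_anomalies(msg)
        print(found, "->", disposition(found, inline=True))
```

The detector deliberately returns every finding rather than the first one, so an analyst reading the alert sees the whole shape of the malformed message; only a broken request line short-circuits, because the header checks are meaningless without it.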



Session Border Controllers (SBC)
• Carriers and service providers are increasingly providing VoIP as a new and enhanced service
  - Worldwide VoIP carrier equipment = $1.7B in 2004 (+36% over 2003)
  - $5.9B by 2008
• SBCs are primarily deployed at the network edge to facilitate the secure & reliable flow of real-time IP traffic across network boundaries.
  - Number of service providers purchasing SBCs went from 31% in '03 to 81% in '04 (Infonetics)
• SBCs enable VoIP and real time IP services for:
  - Carrier-to-carrier peering
  - Carrier-to-enterprise service
  - Carrier-to-consumer service
• SBCs address the issues of:
  - Address translation
  - Service assurance (QoS)
  - Regulatory compliance (E-911, CALEA)



Primary VoIP Border Issues

Security
  - DoS attacks
  - Service theft
  - Fraud
  - Topology hiding
Address Translation
  - Conversion of private/public IP addresses
  - Firewalls: VoIP challenged by small signaling/media packets; VoIP protocols not understood by firewall
Regulatory Compliance
  - E-911
  - Lawful intercept
  - CALEA support
Service Assurance
  - Quality of service
  - Admission enforcement
  - Lack of reporting
Enterprise, SME and SOHO/Residential edge
  - Firewall/NAT issues
  - VPN/VLAN mappings

[Diagram: Carrier network (SS7 IN Network, Softswitch, Media Gateway, Application Server, Media Server, OSS, Class 5 Switch, Router, POTS, IP Network) connected to Other Carrier / Internet or IP NW for Carrier to Carrier wholesale VoIP peering; Carrier to Enterprise (Hosted IP Centrex, IP PBX Services: IP PBX, Router, Data FW/NAT, MGCP IAD, SIP/H.323 Phones and endpoints); Carrier to SOHO/Residential (Voice Over Broadband via Cable/DSL Modem with POTS Phone and IP Phone; Wireless/Mobile via Base Station with Mobile Phone).]



VF-Series Four Key SBC Applications

• Network Protection
• Carrier Peering
• Hosted VPN/VLAN
• Hosted NAT Traversal

[Diagram: the same VoIP Service Provider topology as the previous slide (SS7 IN Network, Softswitch, Media Gateway, Application Server, Media Server, OSS, Class 5 Switch, Router, Other Carrier, Internet or IP NW, POTS, IP Network), with the four applications placed at the borders: Network Protection and Carrier Peering at the carrier edge, Hosted VPN/VLAN toward Enterprise (Hosted IP Centrex, IP PBX Services) and SME, Hosted NAT Traversal toward SOHO/Residential (Voice Over Broadband, Wireless/Mobile).]



DoS Protection – Signalling & Media

[Diagram: malfunctioning endpoints or a malicious attack from desktops at HQ, behind a Data FW/NAT router; a SIP/Phone 10.0.0.1 registers phone number 1234 as alice@juniper.net across the IP Network; the SBC sits in front of the HQ VoIP Infrastructure (Media Gateway, PBX A, PBX B, DNS).]

• Network at risk due to signaling DoS attacks
• At the SBC: excess signaling discarded
• At the SBC: media rate limited to codec bandwidth
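The slide states the two policing rules an SBC applies (discard excess signaling; limit media to the codec's bandwidth) without showing how they are enforced. The Python below is an added example for this page, not Juniper SBC code: a token bucket per signaling source and a token bucket per media stream sized from the negotiated codec. The G.711 budget (160 payload bytes plus 12 RTP, 8 UDP and 20 IP header bytes, 50 packets per second at 20 ms packetization), the 10% jitter headroom, the 10 requests/s signaling rate and the class and function names are this example's assumptions; the phone address and media port are those printed on the slides.

```python
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now, cost=1):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


# Assumed per-codec budget: G.711 (PCMU) at 20 ms packetization is 160 bytes of
# payload plus 12 RTP + 8 UDP + 20 IP header bytes = 200 bytes, 50 packets/s.
CODEC_PROFILES = {"PCMU": {"pps": 50, "bytes": 200}}


class SbcDosGuard:
    """Example SBC policer (this example's own design, not a vendor API):
    per-source signaling rate limit and per-stream media rate limited to the
    codec bandwidth; everything over the limit is discarded and counted."""

    def __init__(self, sig_rate=10, sig_burst=20):
        self.signaling = defaultdict(lambda: TokenBucket(sig_rate, sig_burst))
        self.media = {}                  # stream key -> TokenBucket
        self.dropped = defaultdict(int)  # counters a SOC would graph

    def admit_signaling(self, src_ip, now):
        ok = self.signaling[src_ip].allow(now)
        if not ok:
            self.dropped["signaling"] += 1
        return ok

    def open_media(self, stream, codec):
        """Called when signaling negotiates a stream; bucket sized from the codec."""
        p = CODEC_PROFILES[codec]
        # 10% headroom for jitter and five packets of burst (assumed values).
        self.media[stream] = TokenBucket(p["pps"] * p["bytes"] * 1.1, p["bytes"] * 5)

    def admit_media(self, stream, size, now):
        bucket = self.media.get(stream)
        if bucket is None:               # media with no negotiated session
            self.dropped["media-no-session"] += 1
            return False
        ok = bucket.allow(now, size)
        if not ok:
            self.dropped["media"] += 1
        return ok


def simulate_register_flood(count=100):
    """One source sends `count` REGISTERs at the same instant; returns (allowed, dropped)."""
    guard = SbcDosGuard()
    allowed = sum(guard.admit_signaling("10.0.0.1", 0.0) for _ in range(count))
    return allowed, count - allowed


def simulate_media(packets):
    """`packets` is a list of (time, size) for one PCMU stream; returns (allowed, dropped)."""
    guard = SbcDosGuard()
    stream = ("10.0.0.1", 20304)
    guard.open_media(stream, "PCMU")
    allowed = sum(guard.admit_media(stream, size, t) for t, size in packets)
    return allowed, len(packets) - allowed


# Constructed traffic: one second of legitimate G.711 versus a burst of 500 packets.
LEGIT_CALL = [(i * 0.02, 200) for i in range(50)]
MEDIA_FLOOD = [(0.0, 200) for _ in range(500)]

if __name__ == "__main__":
    print("REGISTER flood (allowed, dropped):", simulate_register_flood(100))
    print("legitimate call:", simulate_media(LEGIT_CALL))
    print("media flood:", simulate_media(MEDIA_FLOOD))
```

A legitimate call never touches the limit because its packet rate is exactly the codec rate, while a burst from the same stream is cut to the bucket depth; signaling from a single source is capped independently, so a REGISTER or INVITE storm from one host cannot consume the PBX's capacity.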



Defense Against VoIP Security Threats

VoIP Security Threat                             | Ramifications                                                                 | Defense Technology
DoS attack on PBX, IP phone or gateway           | All voice communications fail                                                 | FW with SIP attack protection; IDP with SIP sigs/protocol anomaly; SBC with rate limiting
Unauthorized access to PBX or voice mail system  | Hacker listens to voice mails, accesses call logs, company directories, etc.  | Zones, ALGs, policy-based access control
Toll fraud                                       | Hacker utilizes PBX for long-distance calling, increasing costs               | VPNs, encryption (IPSec or other)
Eavesdropping or man-in-the-middle attack        | Voice conversations unknowingly intercepted and altered                       | VPNs, encryption (IPSec or other)
Worms/trojans/viruses on IP phones, PBX          | Infected PBX and/or phones rendered useless, spread problems throughout network | IDP with SIP protocol anomaly and stateful signatures
IP phone spam                                    | Lost productivity and annoyance                                               | ALGs, SIP attack prevention, SIP source IP limitations, UDP Flood Protection



Improving Quality of Voice Service

VoIP Service Issue                              | Ramifications                                          | Technology
Failure to connect/get service/make calls       | Unable to communicate with others; less productivity   | Bandwidth optimization, traffic engineering using MPLS
Poor quality voice – clicks, echo, noise        | Customer dissatisfaction                               | QoS on the entire network; high performance network devices
Calls get dropped intermittently                | Customer dissatisfaction                               | QoS on the entire network; traffic engineering using MPLS; high availability/failover
Calls not completed during high traffic times   | Unable to communicate with others                      | Improve bandwidth utilization, compression, WAN optimization, MPLS traffic engineering



Addressing Interoperability Issues

Interoperability Issue                                    | Ramifications                                                                        | Solution
New and evolving protocols                                | Need for constant attention, upgrades and service disruption                         | Strong alliances between vendors to test new solutions; active participation in industry forums
Multi-vendor equipment to get best in class solution      | Service disruption due to configuration, testing and ongoing maintenance of system   | Strong certification program for new products and single software train
Changes in Service Provider network impacts voice service | Customer dissatisfaction because of service disruption                               | Leadership in Service Provider products and alliances to ensure smooth operation

