Trilight Zone Forum Index Trilight Zone
Privacy & Anonymity is our specialty !
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

VoIP Security Best Practices

 
Post new topic   Reply to topic    Trilight Zone Forum Index -> Security
Author Message
tricore
Guest
PostPosted: Thu Feb 01, 2007 2:45 am    Post subject: VoIP Security Best Practices Reply with quote
What are the security needs for a Voice Over IP (VoIP) installation? VoIP is so new and growing so quickly that security rules have often been developing on-the-fly, rather than through deliberation and careful design.

But now, the Voice over IP Security Alliance (VOIPSA) has begun an effort to define the "best common practices" to confront the threats to VoIP users and providers.

What are these threats? A separate VoIP Security Threat Taxonomy project took on the goal of identifying the threats so that they could be confronted systematically. That taxonomy document has been out for over a year.

The project will use a broad brush for defining requirements, extending out to supporting technologies like firewalls, network design issues (such as the roll of NAT and VPN), and network management. These issues matter to VoIP as much as to any network application.

Even within the VoIP parts of the overall network diagram, there are many elements that need to be secured. First, there are gateway elements that could be attacked from the outside. There also are attacks at the protocol-level, probably SIP or H.323. Then there are call controllers in the network that dispatch calls to endpoints, such as PCs and phones. And within the endpoints themselves, there are applications that could be attacked.

Those are just the network-oriented considerations for attack. VoIP is a system for telephony, so it's potentially vulnerable to attacks that the plain old telephone system (POTS) is vulnerable to, including social engineering attacks.

VOIPSA's three models

To help define the issues, VOIPSA adopted three models to follow:

1. A basic model for multi-party freedom applicable to any public communications system
2. A basic model defining privacy and relating it to security
3. A social responsibility model based on widely accepted principles in the civil and common law.

These models provide guidelines in determining when a system should allow or deny a specific behavior.

The multi-party freedom model defines the rules when multiple parties are involved on a conversation, an implicit feature of VoIP. Participants often move between roles during such a conversation, among them initiating contact, accepting contact, and terminating communications.

The privacy model sets the privileges for users and rules for systems to follow in order to protect communications and privileged data.

The social responsibility model defines rules by looking at the person's intentions and the impact of their actions for determining when actions can be harmful to others. For instance, a denial of service attack could make systems unavailable to third parties.

Different rules could serve different goals in the models defined above, or perhaps goals of multiple models.

Misrepresentation a major concern

Misrepresentation is another major concern addressed in the taxonomy. Users who impersonate others, authorities, or who present false information are clearly a threat to be addressed. This could take a technological form, such as presenting a false Caller ID number, or a more old-fashioned one, such as calling and claiming to be from "network administration" asking for the user's password.

Speaking of old-fashioned attacks, many old concepts have counterparts in the VoIP world that need to be addressed by security best practices. Consider Spam over Internet Telephony, or SPIT.

Taxonomy also addresses attacks performed through traffic monitoring: such attacks could include number harvesting, call pattern tracking, even traffic capture. A different class of attacks modifies the data mid-stream; these are all known more generally as "man-in-the-middle attacks." Encryption is the usual method for addressing such threats.

It turns out that there are many ways to perform a denial of service attack, and the taxonomy addresses them. Here are a few examples:

* Request Flooding
* User Call Flooding
* Endpoint Request Flooding
* Request Looping
* Disabling Endpoints with Invalid Requests
* Injecting Invalid Media into Call Processor

You can join in the effort by joining the project's mailing list and participating. All experience levels are welcome. And click here to learn more about getting involved with VOIPSA.
Back to top
Display posts from previous:   
Post new topic   Reply to topic    Trilight Zone Forum Index -> Security All times are GMT
Page 1 of 1

 


Powered by phpBB © 2001, 2005 phpBB Group