Voice Security for the CCNA Security Candidate
For someone new to network security, it is oftentimes enough just to worry about and plan for the traditional attacks, so when you consider that the CCNA Training Security exam also introduces the idea of securing voice traffic, this might be a little much to take in. After all, even most CCNPs don’t have much experience with voice traffic. As a CCVP, as well as a CCSP, Voice is a passion of mine, so I thought I would spend a little time discussing the types of voice attacks in this posting and then follow it up in my next posting by going over what you can do to make voice traffic more secure in your network (and for the exam).
Let’s begin by discussing some of the things that can go wrong, in other words, the common voice vulnerabilities and attacks. These fall broadly into the following areas:
• Attacks Against Endpoints
• VoIP Spam
• Vishing and Toll Fraud
• SIP Attacks
There are several different attacks focused on endpoints. For instance, some attackers simply want to access your VoIP resources without providing appropriate credentials. In these situations, the attacker may try to modify various VoIP device settings or even intercept an actual voice stream. Another form of endpoint attack targets unsecured VoIP resources. Since the VoIP network relies on rather well-known protocols, attackers can leverage their knowledge of these protocols to gather information about the VoIP resources.
Attackers might also target endpoints as a way of launching a denial-of-service (DoS) attack. You are likely familiar with these from the data network, but you might not know that variations of the DoS attack also exist in the VoIP world. For example, an attacker might attempt to consume too much bandwidth on a VoIP link. The result of this attack is failed calls or calls of exceedingly poor quality. Attackers could also focus their DoS efforts on a VoIP server like the Cisco Unified Communications Manager. When they do this, they try to consume all of the server’s resources, thereby impacting the ability of the VoIP environment to function effectively.
Finally, just like in the traditional telephony world, an attacker might be focused on capturing voice conversations. Of course with VoIP, this twist on “wiretapping” is a little different. In this case, the attacker captures voice packets (RTP packets) and then converts these into an audio file. Once they have done this conversion, they can listen to the entire captured conversation.
SPIT (no, not that kind!)
The next type of attack to be aware of is something we have all grown used to combating in email: spam! Yep, it seems that it is not just for your inbox any more. Attackers have found a way to bring this to your VoIP network, and it’s up to you to protect against it.
So what’s with the name SPIT? It stands for Spam over IP telephony (SPIT). Nice, eh? With this form of attack, the perpetrator could make unsolicited messages periodically appear on a phone’s LCD screen or, even more annoyingly, make the phone periodically ring. And you thought all of those emails enticing you to become a millionaire were bad!
The worst part of this is that all of the methods we have developed to defend against spam in our inboxes are ineffective when it comes to handling SPIT. Don’t fear though, there is a way to defend against this. Modern Cisco IP Phones can be configured for authentication using Transport Layer Security (TLS). With this in place, the Cisco IP Phone must authorize any device attempting to communicate directly with the phone. That means all that SPIT (i.e. the unauthorized device sending these messages) can be stopped by not allowing them to authenticate and thereby communicate with the Cisco IP Phone.
Making Calls on the Company’s Dime
Toll fraud is nothing new to the world of telephony. Heck, if you ever caught Matthew Broderick in War Games, you practically got a tutorial in this. Of course the method he used (on a traditional phone) is no longer viable with today’s technology. Still, in the world of VoIP there are those who would like to make a call for free, and without the proper safeguards your network might just let them.
Let’s say that you have a corporate telephony policy that states that long distance personal calls are not allowed from the corporate network. An attacker might try to leverage weaknesses in the system to get around this. For instance, they could have their office phone forward to a foreign number and then give out their office line for someone to call while they are out of the country. The call comes in to the office phone and then is forwarded to the international number, making for a “free” international long distance call. The good news is the Cisco Unified Communications Manager has a number of features to help you combat toll fraud. For instance, it allows you to create partitions and calling search spaces that identify which phone numbers may be called from specific Cisco IP Phones. It also offers Forced Authentication Code (FAC), which requires that a user enter a code for calling a particular destination.
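The forwarding scenario above can be traced through a small model of partitions and calling search spaces. This is an added example, not Cisco code or a Unified Communications Manager API: the partition names, the simplified pattern syntax and the digits are constructed, and it assumes the forwarding destination is checked against a calling search space of its own.

```python
import re

# Constructed dial plan. Pattern syntax is a simplified model of route patterns:
# X matches one digit, ! matches one or more digits.
PARTITIONS = {
    "Internal_PT": ["4XXX"],
    "National_PT": ["91XXXXXXXXXX"],
    "International_PT": ["9011!"],
}
CALLING_SEARCH_SPACES = {
    "Unrestricted_CSS": ["Internal_PT", "National_PT", "International_PT"],
    "InternalOnly_CSS": ["Internal_PT"],
}

def pattern_matches(pattern, dialed):
    """Translate the simplified pattern to a regex and test the dialed digits."""
    regex = pattern.replace("X", r"\d").replace("!", r"\d+")
    return re.fullmatch(regex, dialed) is not None

def matching_partition(css, dialed):
    """Return a partition in this calling search space that can route the digits, or None."""
    for partition in CALLING_SEARCH_SPACES[css]:
        if any(pattern_matches(p, dialed) for p in PARTITIONS[partition]):
            return partition
    return None

def route_inbound(line):
    """Decide what happens to a call arriving at a line (hypothetical line record)."""
    target = line.get("forward_all")
    if target is None:
        return ("ring", line["dn"])
    # The forwarded leg is only placed if the forwarding CSS can reach the target.
    if matching_partition(line["forward_css"], target):
        return ("forwarded", target)
    return ("blocked", target)

# The scenario from the text: an office line forwarded abroad (constructed digits).
ABROAD = "9011442079460000"
WEAK_LINE = {"dn": "4001", "forward_all": ABROAD, "forward_css": "Unrestricted_CSS"}
HARDENED_LINE = {"dn": "4001", "forward_all": ABROAD, "forward_css": "InternalOnly_CSS"}

if __name__ == "__main__":
    print("weak:    ", route_inbound(WEAK_LINE))
    print("hardened:", route_inbound(HARDENED_LINE))
```

With the unrestricted search space the inbound call is forwarded out on the company's trunk; with the internal-only one the same forward setting is refused while extension-to-extension forwarding still works.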
Of course, toll fraud is not the only thing to be leery of; there is also the notion of vishing. Yep, that’s not a typo. Vishing is a “phishing” attack that is perpetrated over the phone lines, in this case the IP phone lines. The basic concept here is the same as with a traditional phishing attack. The bad guy wants to gain personal information (social security number, credit card number, etc.) from the would-be victim and has created a realistic scenario for gaining this information. In phishing attacks, these are often carefully crafted emails that urge the victim to click on a bogus web site and provide their bank account number or the like. With vishing, the “con” is still the same, but it is made by phone, and it is often successful because many people trust that human interaction more than they do when asked to provide information over the web. When it comes to combating these attacks, user education is key.
If you have a mixed vendor environment for your VoIP solution, chances are you are working with SIP or the Session Initiation Protocol. While SIP offers the ability to work with existing protocols, we also have to be aware that SIP messages are sent in plain text and just like other forms of data sent in plain text, this can create security issues.
Unfortunately, this strength of SIP is also something that can be used by attackers to compromise the security of a SIP network. One example of this would be a man-in-the-middle attack where the attacker convinces a router or phone or SIP server to send SIP and/or RTP packets to the attacker’s PC. With this newly directed packet flow, the attacker could perform registration hacking, which will allow them to intercept incoming calls and ultimately determine how they are routed.
Oh, and there is that plain text thing as well that I mentioned. Since SIP messages are sent in plain text by default, an attacker can manipulate these messages. For example, they might wish to change the SIP addresses in the message (i.e. a message tampering attack). Another issue to consider with SIP is that it uses SIP servers (SIP registrar, location, proxy, and redirect) and these may be vulnerable to DoS attacks.
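Because the messages are plain text, a monitoring point can also read them, which gives defenders a way to spot the registration changes described above. The following is an added example, not from the original post or from any Cisco product: it parses constructed REGISTER requests and reports when an address-of-record is re-bound to a different Contact host. The function names, the example.com domain and the documentation-range addresses are all assumptions.

```python
import re

COMPACT = {"m": "contact", "t": "to", "v": "via"}  # RFC 3261 compact header names

def parse_register(raw):
    """Return AOR, Contact host and transport of a REGISTER request, else None."""
    lines = raw.split("\r\n")
    if not re.match(r"REGISTER\s+\S+\s+SIP/2\.0$", lines[0]):
        return None
    hdr = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header section
            break
        name, _, value = line.partition(":")
        name = name.strip().lower()
        hdr.setdefault(COMPACT.get(name, name), value.strip())
    aor = re.search(r"<(sips?:[^>;]+)", hdr.get("to", ""))
    contact = re.search(r"<sips?:(?:[^@>]+@)?([^:;>]+)", hdr.get("contact", ""))
    via = re.match(r"SIP/2\.0/(\w+)", hdr.get("via", ""))
    if not (aor and contact and via):     # e.g. "Contact: *" is skipped here
        return None
    return {"aor": aor.group(1).lower(), "contact": contact.group(1).lower(),
            "transport": via.group(1).upper()}

def binding_changes(messages):
    """Flag REGISTERs that move an address-of-record to a different Contact host."""
    bindings, findings = {}, []
    for src_ip, raw in messages:
        reg = parse_register(raw)
        if reg is None:
            continue
        old = bindings.get(reg["aor"])
        if old is not None and old != reg["contact"]:
            findings.append((reg["aor"], old, reg["contact"], src_ip, reg["transport"]))
        bindings[reg["aor"]] = reg["contact"]
    return findings

def sample_register(user, host, transport="UDP"):
    """Build a constructed REGISTER for the demo (documentation addresses only)."""
    return (f"REGISTER sip:example.com SIP/2.0\r\nVia: SIP/2.0/{transport} {host}:5060\r\n"
            f"To: <sip:{user}@example.com>\r\nContact: <sip:{user}@{host}:5060>\r\n\r\n")

SAMPLE = [  # (source IP seen by the sensor, raw message), all constructed
    ("192.0.2.10", sample_register("alice", "192.0.2.10")),
    ("192.0.2.11", sample_register("bob", "192.0.2.11")),
    ("192.0.2.10", sample_register("alice", "192.0.2.10")),      # refresh, same binding
    ("198.51.100.7", sample_register("alice", "198.51.100.7")),  # binding moves
]

if __name__ == "__main__":
    for finding in binding_changes(SAMPLE):
        print("review:", finding)
```

A changed binding is not proof of tampering, since phones move and re-address legitimately; the finding records the source IP and transport so an analyst can tell a known handset on TLS from an unknown host on UDP.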
The good news is that Cisco has several solutions to help with these issues. We might use something like a secure tunnel, employing IPSec, to encrypt our SIP messages so they are not sent in plain text. We might also want our Unified Communications Manager to act as a peer in an IPSec tunnel. Proper use of firewalls or IPS sensors might also help to detect and mitigate common DoS attacks that threaten SIP servers. We could also defend against man-in-the-middle attacks by employing Dynamic ARP Inspection (DAI) on Cisco Catalyst switches.
Now that we have a good understanding of some of the common threats and vulnerabilities to our voice traffic, next time we will discuss the steps we can take to secure our voice traffic and be better prepared if we see questions on Voice security on the CCNA Certification Security exam.