
Archive for the ‘telecom’ Category

[Repost] A good article on VoIP security (2007-01-30 16:53:55)

February 17, 2009
VoIP Security Challenges: 25 Ways to Secure your VoIP Network

VoIP technology has the tech geeks buzzing. It has been touted as:

– the killer of telecoms
– a solution for the third world’s communication gap
– a revolutionizing factor in international business

But despite all the buzz, and the predictions that everyone will be using it by 2009, why does it seem that every time you make a phone call with Skype the quality sucks…or that your Vonage calls constantly get dropped…or worse, that teenage hackers are stealing your personal information and bringing down the whole network?

A VoIP network is susceptible to the usual attacks that plague all data networks:

…viruses, spam, phishing, hacking attempts, intrusions, mismanaged identities, Denial of Service (DoS) attacks, lost and stolen data, voice injections, data sniffing, hijacked calls, toll fraud, eavesdropping, and on and on and on.

The only difference is, with other technologies people take basic steps to protect themselves. With VoIP, nobody is doing so.  As a result, all we hear about in the mainstream media is how vulnerable and unreliable VoIP is.  And let’s face it…until people start taking the steps to safeguard their networks, this technology isn’t going to go places.

So for those of you geeks who want to see the technology get broadly adopted (and maybe fulfill some of the lofty aspirations mentioned above), start by first protecting your own VoIP network, and then help protect those of your friends and neighbors. Pretty soon, we can dump the “vulnerable” label and start gaining some non-techie fans.

So without further ado, here are 25 ways to help you get started.

1. Restrict all VoIP traffic to its own Virtual Local Area Network (VLAN): Cisco recommends separate VLANs for voice and data; this lets you prioritize voice over data and keeps the voice segment hidden from hosts on the data network. VLANs also help against toll fraud, DoS attacks, and eavesdroppers listening in on or taking over conversations. Keep in mind that a VLAN is a broadcast-domain boundary, not a security boundary on its own: its protective value comes from the filtering you apply where traffic crosses between VLANs, and from keeping general-purpose PCs, the usual platform for launching attacks, off the voice segment. Even if an attack does happen, confining it to one VLAN keeps the disruption to a minimum.
2. Monitor and track traffic patterns on your VoIP network: Monitoring tools and intrusion detection systems can help identify attempts to break into your VoIP network. Scrutinizing your VoIP logs can bring to light irregularities such as international calls made at odd hours or to countries your organization has no ties with (toll fraud), multiple log-on attempts like in a brute-force attempt to crack a password, or a surge in voice traffic during off-peak hours (voice spam).
3. Lock down your VoIP servers: Servers should be secured physically, and against internal and external intruders who can intercept data with sniffing techniques, whether within the LAN or at the ISP when data travels over the Internet. Because VoIP phones have fixed IP and MAC addresses, they are easy for attackers to enumerate and impersonate. That is why Gary Miliefsky, founder and CTO of NetClarity, recommends restricting the IP and MAC addresses that may reach the administrative interfaces of VoIP systems, and putting another firewall in front of the SIP gateway. This limits incoming access to IT administrators and keeps hackers out.
4. Use multiple layers of encryption: It is not enough to encrypt the media packets that are sent out; you have to encrypt the call signaling too. Encrypting voice packets prevents voice injection, where an interceptor inserts their own words into the conversation, giving it a whole new meaning. Steve Mank, CEO of Qovia, cites two common mechanisms: the Secure Real-time Transport Protocol (SRTP), which encrypts and authenticates the media stream between endpoints, and Transport Layer Security (TLS), which protects the SIP signaling between a phone and its proxy (hop by hop, so every proxy on the call path has to use it). Encryption of voice traffic should be supported by strong protection at gateways, networks and hosts.
5. Build redundancy into VoIP networks: Be prepared for the day DoS attacks or viruses  threaten to bring your network crashing down – create a network that tolerates failures by setting up multiple nodes, gateways, servers, power sources, and call routers, and hooking up with more than one provider. Don’t stop with just putting the infrastructure in place; run frequent trials to ensure that they are working well and are ready to take over when the primary network fails.
6. Put your equipment behind firewalls: Create separate firewalls so that traffic crossing VLAN boundaries is restricted to the applicable protocols only. This will prevent the spread of viruses and Trojans to servers in case clients are infected. Maintaining security policies also becomes simpler when each firewall is considered separately. Choose networking and security vendors who support both the Session Initiation Protocol (SIP) and the International Telecommunication Union’s H.323 protocol. Because SIP negotiates the RTP media ports per call, the firewall has to be SIP-aware so that it opens the right ports when a call is set up and closes them when the call ends.
7. Update patches regularly: The security of a VoIP network depends on both the underlying operating system and the applications that run on it. Maintaining patch currency for both the OS and VoIP applications is imperative in protecting against threats from malware. A study from Forrester Research urges companies to make sure they provide “added security measures for IP telephony, without assuming that vendors will respond to each and every risk that appears with patches for installed products.”
8. Keep your network away from the Internet:
The University of Houston is a pioneer in this security approach – the institution has put its call manager and network out of direct access from the Internet; its IP PBXs are in a domain separate from its other servers and access is restricted.
9. Minimize the use of softphones: VoIP softphones are prone to hacker attacks, even when they are behind corporate firewalls, because they run on an ordinary PC with VoIP software and a headset. Softphones also do not separate voice from data, and are vulnerable to the viruses and worms that normally infect a PC.
10. Perform security audits on a regular basis: Running checks on administrative and user sessions and service activities can help bring irregularities to light. Phishing attempts can be thwarted, spam can be filtered out so it doesn’t clog the network, and intruder attacks can be stopped.
11. Evaluate physical security:
Make sure that only authenticated, pre-approved devices and users get onto your network by limiting access to the Ethernet ports. Administrators are often fooled into accepting softphone devices that are not permitted on the network, because an attacker who can plug into an RJ45 port can easily imitate a phone’s IP and MAC addresses.
12. Use vendors who provide digital security certificates: When IP phone vendors provide digital certificates to authenticate devices, users can ensure that the conversation is secure and is not being broadcast to other devices. The phones load digitally signed images to ensure that the software loaded is authentic. Verisign has been a pioneer in providing authentication certificates for wireless IP phones, in an effort to prevent “tapping” (illegal eavesdropping) and “spoofing” (illegal tampering) of conversations.
13. Secure your gateways: Configure gateways so that only those who are allowed access can make and receive VoIP calls. Lists of authenticated and approved users ensure that others are prevented from using the lines to make free calls. Protect gateways and the LANs behind them with a combination of a stateful packet inspection (SPI) firewall, application layer gateways (ALG), network address translation (NAT), and SIP support for VoIP soft clients.
14. Manage servers separately: VoIP call servers are often the targets for attackers because they are the heart of any VoIP network. Critical weaknesses inherent in the server include its operating system, and the services and applications it supports. To minimize the chance that hackers get at your VoIP servers, manage traffic to them separately from VoIP signaling and call traffic.
15. Inspect SIP traffic: Looking through your SIP traffic for abnormal packets and traffic patterns that differ from the usual lets you tear down sessions that are not genuine. Anomalies in the syntax and semantics of SIP messages, and events that are irregular or out of sequence, indicate that an attack is taking place or about to.
16. Examine call setup requests at the application layer: VoIP calls are susceptible to hijacking by outsiders who gain access to the network. Set up appropriate security policies so that only those call setup requests that conform to them are accepted.
17. Isolate voice traffic: For external communications, rely on a Virtual Private Network (VPN). Separate your voice and data traffic to prevent unwanted ears from listening in on your conversation. According to Kevin Flynn, senior manager of unified communications for Cisco, the biggest problem for organizations is “bad stuff from the data network getting on to the voice network.” He recommends blocking PC port access to the voice VLAN.
18. Use proxy servers: Protect your network even beyond firewalls by using proxy servers to process data that comes in and goes out. Authentication and integrity of the signaling messages that travel between user agents and SIP proxies are ensured by running SIP over TLS between them.
19. Run only the applications necessary to provide and maintain VoIP services: Every extra service on a VoIP host is another way in. Bear in mind that the encryption VoIP applications use cuts both ways: encrypted traffic cannot be inspected in transit, so an attacker with a foothold can hide behind that cloak of encryption to keep their activity, such as launching a DoS attack, from being monitored. The fewer applications a host runs, the harder that foothold is to obtain.
20. Configure applications against misuse: Prevent your network from being used to perpetrate toll fraud, phishing scams, and illegal calls by preparing a list of permitted caller destinations.
21. Add endpoint security layers: Use network admission techniques and IEEE 802.1X port-based network access controls to keep out devices that are not authorized on your LAN or WLAN. Network Access Control (NAC) applications are available from Cisco – Network Admission Control (NAC), Microsoft – Network Access Protection (NAP), and TCG – Trusted Network Connect (TNC).
22. Restrict access according to certain criteria: VoIP network administrators can set up strict admission criteria that deny access to devices that are potentially unsafe: infected with viruses or worms, missing the latest patches, or lacking the right firewall. Such devices can be redirected to a separate remediation network that brings them into compliance before letting them onto the main network.
23. Avoid remote management: If possible, it is better to stay away from remote management and audits; but when necessary, use Secure Shell (SSH) or IPsec (IP Security) for the purpose. Access your IP PBX from a system that’s physically secure.
24. Use IPsec tunnel mode rather than transport mode: Tunnel and transport are the two IPsec modes for protecting packets at the IP layer. Transport mode encrypts only the payload and leaves the original IP header in the clear, so anyone on the path still sees which phone or server is talking to which. Tunnel mode encapsulates the entire original packet, header included, inside a new IP header addressed to the security gateways; an eavesdropper between sites then sees only gateway-to-gateway traffic and cannot tell who initiated a call. Use tunnel mode between sites and toward remote offices; your own administrators still see the inner addresses at the gateways once the packets are decrypted.
25. Secure your VoIP platform: VoIP platforms that support the clients are built on operating systems that should be “hardened” to protect the integrity of the networks that run on it and keep out cyber attacks. Disable services that are not absolutely necessary and use host-based methods to detect intrusion.
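
A worked version of the log review in item 2, combined with the destination allow list of item 20. The script below is an added example and not part of the original article; both log line formats, the extensions, the source addresses and the set of approved country codes are constructed for the demonstration. It flags calls to countries the organisation has no ties with, calls placed outside business hours, and bursts of failed registrations from one source address.

```python
"""Audit constructed VoIP logs for the toll-fraud and brute-force indicators of item 2.

Added example; the log line formats are assumptions, not any vendor's real format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call-detail records: start time, calling extension, dialed E.164 number, seconds.
CDR_LINES = [
    "2009-02-17 10:15:02 ext=201 dst=+12125551234 dur=310",
    "2009-02-17 11:40:11 ext=202 dst=+442071234567 dur=120",
    "2009-02-17 03:05:44 ext=210 dst=+25299123456 dur=1790",
    "2009-02-17 03:06:30 ext=210 dst=+25299123457 dur=1810",
    "2009-02-17 03:08:02 ext=210 dst=+25299123458 dur=1750",
    "2009-02-17 14:22:09 ext=203 dst=+12125559876 dur=45",
]

# Constructed registrar log. status=403 here means credentials were presented and rejected;
# on a real registrar a single 401 per REGISTER is just the normal digest challenge.
REGISTER_LINES = [
    "2009-02-17 02:10:01 REGISTER user=210 src=198.51.100.7 status=403",
    "2009-02-17 02:10:04 REGISTER user=210 src=198.51.100.7 status=403",
    "2009-02-17 02:10:07 REGISTER user=211 src=198.51.100.7 status=403",
    "2009-02-17 02:10:09 REGISTER user=212 src=198.51.100.7 status=403",
    "2009-02-17 02:10:12 REGISTER user=213 src=198.51.100.7 status=403",
    "2009-02-17 02:10:15 REGISTER user=214 src=198.51.100.7 status=403",
    "2009-02-17 08:00:00 REGISTER user=201 src=203.0.113.5 status=403",
    "2009-02-17 08:00:20 REGISTER user=201 src=203.0.113.5 status=200",
]

CDR_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ext=(?P<ext>\d+) "
                    r"dst=(?P<dst>\+\d+) dur=(?P<dur>\d+)$")
REG_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) REGISTER user=(?P<user>\S+) "
                    r"src=(?P<src>\S+) status=(?P<status>\d+)$")

# Assumed policy: a small constructed table of country codes (longest-prefix match) and the
# subset the organisation actually does business with.
KNOWN_COUNTRY_CODES = {"1", "7", "44", "49", "252"}
ALLOWED_COUNTRY_CODES = {"1", "44"}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def country_code(e164):
    """Longest-prefix match of the dialed number against the known country codes."""
    digits = e164.lstrip("+")
    for n in (3, 2, 1):
        if digits[:n] in KNOWN_COUNTRY_CODES:
            return digits[:n]
    return None


def audit_cdrs(lines):
    """Return (reason, extension, destination) findings for toll-fraud indicators."""
    findings = []
    for line in lines:
        m = CDR_RE.match(line)
        if not m:
            findings.append(("unparseable", None, line))
            continue
        if country_code(m["dst"]) not in ALLOWED_COUNTRY_CODES:
            findings.append(("unapproved-destination", m["ext"], m["dst"]))
        if parse_ts(m["ts"]).hour not in BUSINESS_HOURS:
            findings.append(("off-hours", m["ext"], m["dst"]))
    return findings


def register_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Map source address -> failure count for sources with `threshold` rejected
    REGISTERs inside any `window`-long interval (password guessing)."""
    failures = defaultdict(list)
    for line in lines:
        m = REG_RE.match(line)
        if m and m["status"] in ("401", "403", "407"):
            failures[m["src"]].append(parse_ts(m["ts"]))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[src] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for finding in audit_cdrs(CDR_LINES):
        print("CDR:", finding)
    for src, count in register_bruteforce(REGISTER_LINES).items():
        print(f"REGISTER brute force from {src}: {count} failures")
```

Extension 210 shows up in every CDR finding: three calls to an unapproved country, all in the small hours, which is the classic signature of a compromised extension being resold for international calls; the same pattern should be correlated with the registration failures that precede it.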
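
An added example for item 4, not taken from the original article, showing why signaling encryption matters even when the media is encrypted. With SDES key exchange (RFC 4568) the SRTP master key and salt are carried, base64-encoded, in the a=crypto line of the SDP body of the INVITE, so anyone who can read the INVITE can decrypt the call. The INVITE, the addresses and the key bytes below are constructed; the check looks only at the transport named in the top Via header, which covers just the last hop, because TLS protects SIP hop by hop.

```python
"""Recover an SRTP master key from an SDES offer carried in cleartext SIP.

Added example with a constructed INVITE; addresses and key bytes are made up.
"""
import base64
import re

SDES_KEY_MATERIAL = bytes(range(1, 31))  # constructed: 16-byte master key || 14-byte master salt
CRYPTO_LINE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")


def build_invite(transport):
    """Constructed INVITE carrying an SRTP (RTP/SAVP) offer over 'UDP' or 'TLS'."""
    sdp = "\r\n".join([
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
        "s=-",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        "m=audio 49170 RTP/SAVP 0 8",
        "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:"
        + base64.b64encode(SDES_KEY_MATERIAL).decode(),
    ]) + "\r\n"
    headers = "\r\n".join([
        "INVITE sip:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:5060;branch=z9hG4bK74bf9",
        "Max-Forwards: 70",
        "From: <sip:alice@example.com>;tag=9fxced76sl",
        "To: <sip:bob@example.com>",
        "Call-ID: 3848276298220188511@192.0.2.10",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",
    ])
    return headers + "\r\n\r\n" + sdp


def split_message(raw):
    """Return (start line, [(header name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def top_via_transport(headers):
    """Transport of the last hop only; every proxy on the path must also use TLS."""
    for name, value in headers:
        if name in ("via", "v"):
            m = re.match(r"SIP/2\.0/([A-Za-z]+)", value)
            return m.group(1).upper() if m else None
    return None


def sdes_keys(body):
    """Pull SRTP master keys out of a=crypto lines, exactly as a sniffer would."""
    keys = []
    for line in body.split("\r\n"):
        m = CRYPTO_LINE.match(line)
        if not m:
            continue
        tag, suite, b64 = m.groups()
        material = base64.b64decode(b64)
        # For the AES_CM_128_* suites the blob is the 16-byte master key followed
        # by the 14-byte master salt (RFC 4568).
        keys.append({"tag": int(tag), "suite": suite,
                     "key": material[:16], "salt": material[16:30]})
    return keys


def assess_media_key_exposure(raw):
    _, headers, body = split_message(raw)
    keys = sdes_keys(body)
    if not keys:
        return "no-srtp-offer"
    if top_via_transport(headers) != "TLS":
        return "srtp-key-exposed"  # cleartext SIP: anyone on the path can decrypt the media
    return "srtp-key-protected"


if __name__ == "__main__":
    for transport in ("UDP", "TLS"):
        msg = build_invite(transport)
        print(transport, assess_media_key_exposure(msg), sdes_keys(split_message(msg)[2])[0]["key"].hex())
```

The same a=crypto line is present in both messages; the only thing that decides whether the key is secret is the transport the signaling rode on, which is the point of encrypting both layers.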
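
An added example for items 15 and 16, not from the original article: a small gate that rejects SIP requests with a malformed request line, missing mandatory headers, oversized lines or a CSeq that goes backwards within a dialog, and then applies a call-setup policy that only lets known callers send INVITEs. The request builder, the caller allow list and the 1024-byte line limit are constructed for the demonstration, and the per-direction CSeq tracking is a simplification of the RFC 3261 rules (ACK and CANCEL legitimately reuse the CSeq number of the INVITE they belong to, so equality is allowed for them).

```python
"""Syntax, sequencing and policy gate for SIP requests (items 15 and 16).

Added example; the allow list and the request builder are constructed.
"""
import re
from collections import defaultdict

METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER", "PRACK",
           "SUBSCRIBE", "NOTIFY", "REFER", "INFO", "MESSAGE", "UPDATE"}
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")  # RFC 3261 section 8.1.1
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact", "l": "content-length"}
MAX_LINE = 1024  # assumed limit: real phones never send header lines this long, fuzzers do
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
CSEQ = re.compile(r"^(\d+) ([A-Z]+)$")
SIP_USER = re.compile(r"sip:([^@>]+)@([^;>\s]+)")


class SipGate:
    def __init__(self, known_callers):
        self.known_callers = known_callers  # {(user, domain)} permitted to place calls
        self.last_cseq = {}  # (Call-ID, From) -> highest CSeq accepted in that direction

    def check(self, raw):
        """Return the reasons to drop the request; an empty list means accept."""
        problems = []
        lines = raw.partition("\r\n\r\n")[0].split("\r\n")
        if any(len(line) > MAX_LINE for line in lines):
            problems.append("oversized-line")
        m = REQUEST_LINE.match(lines[0])
        if not m:
            return problems + ["bad-request-line"]
        method = m.group(1)
        if method not in METHODS:
            problems.append("unknown-method")
        hdrs = defaultdict(list)
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if not sep:
                problems.append("malformed-header")
                continue
            name = name.strip().lower()
            hdrs[COMPACT.get(name, name)].append(value.strip())
        problems += [f"missing-{h}" for h in REQUIRED if h not in hdrs]
        if len(hdrs["call-id"]) > 1:
            problems.append("duplicate-call-id")
        dialog_key = cseq_num = None
        if hdrs["cseq"] and hdrs["call-id"]:
            cm = CSEQ.match(hdrs["cseq"][0])
            if not cm or cm.group(2) != method or int(cm.group(1)) >= 2 ** 31:
                problems.append("bad-cseq")
            else:
                cseq_num = int(cm.group(1))
                dialog_key = (hdrs["call-id"][0], hdrs["from"][0] if hdrs["from"] else "")
                last = self.last_cseq.get(dialog_key, -1)
                # ACK and CANCEL carry the CSeq number of their INVITE; anything else must increase.
                if cseq_num < last or (cseq_num == last and method not in ("ACK", "CANCEL")):
                    problems.append("cseq-not-increasing")  # replay or out-of-order injection
        if method == "INVITE" and not problems:
            um = SIP_USER.search(hdrs["from"][0])
            if not um or (um.group(1), um.group(2)) not in self.known_callers:
                problems.append("policy-unknown-caller")
        if not problems and dialog_key is not None:
            self.last_cseq[dialog_key] = cseq_num
        return problems


def make_request(method, call_id, cseq, from_uri="sip:alice@example.com",
                 via_host="192.0.2.10", max_forwards=True):
    """Constructed request for the demonstration."""
    lines = [
        f"{method} sip:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/UDP {via_host};branch=z9hG4bK776asdhds",
        f"From: <{from_uri}>;tag=1928301774",
        "To: <sip:bob@example.com>",
        f"Call-ID: {call_id}",
        f"CSeq: {cseq} {method}",
        "Content-Length: 0",
    ]
    if max_forwards:
        lines.insert(1, "Max-Forwards: 70")
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    gate = SipGate({("alice", "example.com")})
    print(gate.check(make_request("INVITE", "c1", 1)))   # []
    print(gate.check(make_request("INVITE", "c1", 1)))   # replay of the same INVITE
    print(gate.check(make_request("INVITE", "c2", 1, from_uri="sip:mallory@evil.example")))
    print(gate.check(make_request("INVITE", "c3", 1, via_host="a" * 2000)))
```

Syntax checks run first and the policy check runs only on requests that are otherwise clean, so a malformed INVITE is reported for what it is rather than being evaluated against the allow list.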

Securing a VoIP network is an uphill task, especially when you consider the lack of standards and procedures in place. How secure a network is depends on the right choice of both hardware and software. Without a doubt, VoIP communications can be made more secure and reliable than regular PSTN interactions if the appropriate security measures are in place. So get out there and make the changes to your own networks…

Source: http://www.voiplowdown.com/2006/12/voip_security_c.html


Some thoughts on carrier-specific security solutions (2006-11-29 15:12:52)

November 29, 2006

A couple of days ago I attended the 2nd 2006 Telecom Industry Network and Information Security Management Summit. During the discussion someone raised the question of whether an information security solution specific to carriers could be offered, feeling that the material presented at the summit basically applied to non-carriers just as well and was not a carrier-specific information security solution. I did not speak up in the room, partly because I wanted to hear what others had to say and partly because my own thinking was not yet mature. I still want to write down my current thoughts for those interested to consider.

I think carrier-specific security solutions exist in the following three areas (or from three angles):

1. Security of the switching networks that only traditional carriers operate.

2. Security of the externally operated data network.

3. Security of the internal support and bearer network.

1. Security of the switching networks that only traditional carriers operate.

For a carrier, the feature that sets it apart from other industries is that it operates a telephone network (fixed or mobile); these networks are the carrier's core and a key thing that distinguishes it from other enterprises. The security of the telephone network has been a headache for carriers ever since the early "phone phreaks". But as stored-program control (SPC) switching developed, the thin-terminal model made security problems on the traditional telephone network relatively easy to keep under control; the technical skill required is very high, and fewer and fewer people research it. Of course, this is not to say there are no security problems, only that they are relatively easy to control. From another angle, because the control plane of today's SPC switches is handled by control and network-management terminals, the security of the network-management terminals is in fact the bigger weak point. However, with the introduction of new technologies such as 3G, the bearer of the SPC network is trending toward IP, and the development of NGN networks is accelerating this process, so the security problems of the switching network are fundamentally coming down more and more to the security problems of IP networks.

2. Security of the externally operated data network

Actually, as part of the Internet, a telecom carrier's network is not fundamentally different from other networks. The so-called security problems currently getting attention on the broadband network, such as P2P, IM and bandwidth consumption, do not in fact cause any real security damage or threat to the broadband network; they only affect the carrier's business. So I agree more with what one friend said at the summit: "doing business in the name of security." The only consequence of user traffic on the data network is the bandwidth it occupies; from the user's point of view it is normal traffic, but it consumes a great deal of the broadband network's own bandwidth, as well as a great deal of egress bandwidth and concurrent connections. Now that carriers want to offer services of their own, such as IPTV, the presence of this P2P traffic may mean the carrier's own services cannot show any advantage; that is the real reason carriers want to try to block or redirect P2P traffic. In addition, the DDoS attack problem on the data network does not in substance affect the data network itself; it affects the carrier's own services at the edge of the data network, or the services of edge users, which in turn keeps the carrier from adequately guaranteeing the quality of the services the data network delivers. Setting these issues aside, the real security problems of the data network come down to the security of the data network's bearer equipment itself, and under current technical conditions those problems can only be handled by the security measures the equipment itself provides. At least so far, I have not seen a truly usable product in the form of a security device or measure that can be inserted in-line on a data network of such high bandwidth; even where one exists, it is an out-of-band recording and analysis tool rather than real-time protection.

3. Security of the internal support and bearer network.

A carrier's internal support and bearer network generally means the various internal carrier systems carried on the DCN: BSS, CSS, OSS, OA/MIS and so on. These systems are not fundamentally different from the business systems of a large enterprise, and the security problems they face are basically the same as those faced by other large enterprises. If there is a carrier-specific solution here, it is tied to the carrier's own network structure and management model. For example, a carrier's terminal problem is much more complex than that of other enterprises: there are business terminals, maintenance terminals, customer-service terminals, office terminals and partner terminals, further divided into mobile terminals and remote terminals; these terminals are spread across different business regions and ownerships, their using departments, purposes and access rights all differ, and their number is enormous. Management, maintenance and security considerations are all more complex than in other enterprises, and any security solution must take these characteristics into account. From that angle, it is not an overstatement to call this a carrier-specific security solution.

I hope these few thoughts on the subject can serve to spark discussion, and I welcome criticism from those in the know!