August 2002
Security In Converged Networks
BY ANDREAS M. ANTONOPOULOS & JOSEPH D. KNAPE
With all new technologies there is a security "honeymoon" during
which the technology is below the hacker's radar because of lack of
widespread use. As a technology becomes more prevalent, and critical to
organizations, its security will be probed and cracks will be found very
soon. Internet telephony has now reached the critical mass of adoption and
maturity that makes it not only a viable target but also a valuable one, as
it becomes part of business critical applications. Whether the intent is to
disrupt or profit, it will not be long before the first victims appear.
Beyond the monetary risks, there is also a very serious privacy threat as we
have become accustomed to government regulation that at least protects our
privacy from everyone outside government.
Legacy telephony has long enjoyed a level of protection through law,
boundaries of physical security, and plain old obscurity that relegates it
to a separate category of hacking. Apart from a few exceptions, telephony
hackers, or "Phreakers" as they are dubbed, were a breed of their own
with very specialized tools and techniques. Very few hackers were adept both
in the world of computers and in the world of telephony.
The telephony landscape and its relation to society is rapidly changing.
When the phenomenon of "convergence" between telephony and Internet
started, it also brought closer the world of the phreaker and the hacker.
VoIP brings all this to the next level. Unfortunately, the security inherent
in VoIP solutions is equivalent to that of the early Internet: Non-existent.
CONVERGING NETWORKS, CONVERGING THREATS
With the convergence between voice and data, the critical barrier to
would-be attackers quickly crumbles. The physical separation of the two
networks and the relative security of voice networks were primarily enforced
by federal laws and proprietary infrastructures, which are less effective as
the networks converge. From a legislative perspective the transformation of
the telephony landscape is of great concern: The current laws do not protect
security or privacy; nor do they allow law enforcement access for wiretaps.
Where the Internet spreads, it brings with it disrupting influences of new
models and paradigms. In telephony the disruption is just starting, but the
changes are going to be more staggering than we can imagine.
Since IP is the underlying protocol used for the transmission of voice
data, a VoIP network will be susceptible to the same security problems
inherent in any IP-based network. Additionally, there is an added level of
complexity in VoIP networks because of the challenges that must be met by
VoIP technology in order to achieve useful levels of service for
transmitting speech in an efficient and effective way.
The most important threats in a converged world of ubiquitous VoIP are:
- Eavesdropping from anywhere in the world (Privacy).
- Social engineering (Authenticity/Integrity).
- Disruption of voice communications/Denial of service (Availability).
- Resource Theft (free calls for all).
VIRTUAL WIRETAPS
Eavesdropping on a telephony network requires either physical access to the
wiring, or access to the digital backbones of the telephone companies. In a
converged network, all the eavesdropper need do is compromise the security
of the data network (or the endpoints) and he or she can access the voice
streams. Such a "virtual wiretap" is much more insidious than a physical
wiretap, because it is almost impossible to detect. The copying of bits does
not impact the original stream in any way. Therefore, unless one can control
the access to the data network, the voice data is vulnerable. In many ways,
we have grown used to an "expectation of privacy" on telephone networks.
This will no longer hold true unless we take steps to ensure our privacy
with sophisticated security measures. Furthermore, the "virtual wiretap"
can be effected from, and the sound transmitted to, anywhere in the world.
In fact I could hire someone to tap into your network and send me the audio,
from anywhere in the world: Outsourcing meets wiretaps. For me to be able to
listen in to your conversation, I would have to be able to decode the audio
stream. With most current protocols, this is trivial. Encryption, however,
would put an insurmountable obstacle in my path.
Encryption is a well-developed technology, which has been applied to many
different communications solutions. In the cellular phone market the term
"digital" has become synonymous with "private" as the encryption has
been sold as a product feature. There are two barriers to the application of
encryption in VoIP. The first, as ever, has to do with standardization of
the protocols. In order for encryption to be effective it must be very
simple to use; in effect it must be transparent to the user. This requires
standardization of the VoIP protocols (still in the early stages) and the
encryption mechanisms. Because of the necessity to allow for upgrading of
the encryption standards as they become obsolete or easy to "crack," it
is important to have an open architecture that allows for "negotiation"
of suitable encryption algorithms between the end-points at runtime. This
can be implemented in a similar way to the current support for multiple
voice codecs with runtime negotiation.
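The runtime negotiation described above, sketched as an added example that is not part of the original article: an offer/answer exchange modeled on codec negotiation, where retired algorithms are never offered or chosen and a failed negotiation ends the call instead of falling back to cleartext. The class names and suite labels are illustrative assumptions, not identifiers from any VoIP standard.

```python
# Added example: suite labels and class names are illustrative assumptions,
# not identifiers from SIP, H.323 or any other VoIP standard.
from dataclasses import dataclass, field


class NegotiationError(Exception):
    """No acceptable suite; the call must fail rather than run in cleartext."""


@dataclass
class Endpoint:
    name: str
    preferred: list                              # supported suites, strongest first
    retired: set = field(default_factory=set)    # suites local policy has withdrawn

    def offer(self):
        # Advertise only suites that local policy still permits.
        return [s for s in self.preferred if s not in self.retired]

    def answer(self, offered):
        # Choose this endpoint's strongest permitted suite that was also offered.
        for suite in self.preferred:
            if suite in offered and suite not in self.retired:
                return suite
        raise NegotiationError(f"{self.name}: no common permitted suite")

    def accept(self, offered, chosen):
        # Reject an answer naming a suite that was never offered (e.g. "NULL").
        if chosen not in offered:
            raise NegotiationError(f"{self.name}: {chosen!r} was not offered")
        return chosen


def negotiate(caller, callee):
    """Run one offer/answer exchange and return the agreed suite."""
    offered = caller.offer()
    return caller.accept(offered, callee.answer(offered))


if __name__ == "__main__":
    caller = Endpoint("caller", ["AES-128", "3DES", "DES"], retired={"DES"})
    print(negotiate(caller, Endpoint("callee", ["3DES", "DES"])))        # 3DES
    print(negotiate(caller, Endpoint("upgraded", ["AES-128", "3DES"])))  # AES-128
```

The check in `accept` only catches an answer that names something outside the offer; if the offer itself can be rewritten in transit, the negotiation messages also need to be authenticated.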
Encryption has become hugely popular as a means to leverage the Internet
for corporate communications. Virtual Private Networks (VPNs) allow
companies to transfer data between offices securely. An alternative to "native"
support of encryption within the VoIP protocols is the use of VPN tunnels in
order to "wrap" the voice stream. Unfortunately, this is quite difficult
in practice. VPN devices and software are not currently designed to
accommodate real-time traffic. As a result, they tend to add unacceptable
levels of jitter and latency to the VoIP communications. Although just about
bearable in small installations (1-2 voice streams), they become unwieldy in
larger applications (VoIP between branches of a company, over VPNs for
example).
SOCIAL ENGINEERING
Another important threat for VoIP networks is the ability to "enhance"
social engineering attacks. Social Engineering is the practice of using
social skills and deception to exploit human vulnerabilities rather than
system vulnerabilities. A common example is persuading someone in a company
to give you their password by pretending to be an administrator in their IT
department.
Imagine how much easier it would be to persuade someone that you work for
the company, if you can make their VoIP phone display the origination of the
call as "IT Helpdesk." Or imagine how simple it would be if you could
disguise your voice electronically to be identical to that of their boss.
Software that allows digital impersonation has already been demonstrated;
albeit crude, it is only a matter of time before it is sophisticated enough
to be indistinguishable from the real person. The saving grace is that with
current technology, it is unlikely this can be done in real time without
significant expenditure. Nevertheless, pre-recorded messages that sound like
someone else are within the capabilities of desktop systems. And don't
forget, your grace period diminishes by half every 18 months according to
Moore's law.
In order to protect against this kind of digital impersonation, there can
be a number of solutions. The most secure approach would be widespread
application of digital signatures and PKI for the authentication of
end-users. This approach is not only very difficult to apply globally, it
also has some disturbing privacy implications (anonymity after all is a
feature most of us are used to when making calls, Caller-ID
notwithstanding). An alternative is to apply generic controls at an
organization's perimeter such as firewalls and Intrusion Detection
Systems, which would protect against an outsider gaining access in this
manner.
Technology notwithstanding, the most effective solution is the same as
with social engineering in other circumstances: Don't believe what the
phone displays, don't assume you know who you're talking to and be smart
about what kind of information you give to people on the telephone. These
are all basic security awareness issues and should be handled as such with
appropriate training and drills. Security is not just about technology; it
is about people applying technology with a bit of common sense.
BUSY TONE
Although most consumers will berate their telecommunications providers and
complain bitterly about the service, in truth we have been accustomed to a
high level of reliability when using the phone. How many times in your life
have you picked up the phone and not heard a dial tone? Achieving the kind
of reliability that makes phones "just work" 99.999 percent of the time
would be enviable in the world of IT. So as we converge and shift voice onto
a dynamic ad-hoc network such as the Internet we are bound to (at least at
first) lose some reliability.
From a security perspective however, there is a much-increased
opportunity for mischief. This comes mainly in the form of Denial of Service
(DoS), which is already one of the most common types of attacks on the
Internet. Denial of Service involves attacks whose main aim is to affect the
availability of a system by disrupting services, applications or networks.
In the telephony world, DoS would make you always get a busy signal. How
would DoS affect a converged network?
It is Wednesday afternoon, and the Federal Reserve is about to announce
whether it will change interest rates. At the city's largest bond trader,
all the IP phones stop working at exactly the moment the announcement is
made. The traders are unable to trade and as a result the company loses
millions of dollars in the 15 minutes it takes to restore service.
Clearly there is a much greater danger of disruption for converged
networks. Furthermore, as data and voice travel over the same network,
disruption of one affects the other. The VoIP failure may simply be a side
effect of a wider DoS attack against the company's network.
Unfortunately, there is no foolproof way to protect against DoS. A DoS
attack will target and attempt to exhaust resources that you voluntarily
make available. For example, if you allow incoming VoIP sessions from
outside your organization, these can be used indiscriminately by anyone. If
someone decides to abuse these resources, there is not much you can do. They
may have disguised their source address, or may keep changing source
addresses, making it difficult or impossible to block an attack. Denial of
Service can't be stopped because it is based on tying up publicly
available resources by brute force. If everyone in NY called your phone, you
would not be able to use it and would have to disconnect it. Even the phone
company could not help you stop people from calling you without a specific
number to block.
FREE CALLS FOR ALL
PBX owners have already had to deal with theft of service. Phreakers will
compromise PBX security and use the system to make free calls or organize
"party lines" to communicate with their friends. The Communications
Fraud Control Association (http://cfca.org/) says "it is estimated that
annual fraud losses are in excess of $12 billion worldwide."
Convergence will only increase this threat of theft. As the networks
converge there will be a need for gateways connecting VoIP systems to POTS
(plain old telephone service). These gateways allow normal phones to call
VoIP phones and vice-versa. Whether these gateways are part of a PBX or part
of a VoIP system, they represent the border between telecommunications
networks and data networks. This means that they will make
telecommunications networks more accessible from the data network side.
Hackers will almost certainly find ways to "spoof" (pretend to be some
known system), gaining access to the gateway as a legitimate user and making
phone calls at the expense of the company. The security designed into such
gateways at present is at best trivial. Even a rather unskilled attacker can
quite easily spoof the SIP sessions and UDP packets that compose the voice
stream. The authentication systems that have been added on to SIP and H.323
in order to restrict access are not very well designed and mostly send the
authentication details in the clear (not encrypted) so that someone with
access to the network can compromise them quite easily.
The solution to theft of service is a combination of technology,
monitoring, and awareness. From the technology perspective it is imperative
that at least simple controls such as firewalls and password access be added
to the telephony gateways to protect against unauthorized access. Monitoring
of use and user training and awareness can complement the technical
solutions in order to improve the security. After all, you don't want to
find out about service theft when you get your bill and discover it is
$250,000 more than expected. Continuous monitoring and auditing will at
least give you an early warning of problems.
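One way to get that early warning, as an added example that is not part of the original article: a small audit over gateway call detail records (CDRs) that flags international calls placed while the office is closed and extensions whose daily spend crosses a limit. The CSV layout, the sample records, the costs and the thresholds are all constructed assumptions.

```python
# Added example: the CDR layout, numbers, costs and thresholds are constructed
# for illustration and do not come from any PBX or gateway product.
import csv
import io
from collections import defaultdict
from datetime import datetime

CDR_SAMPLE = """start,extension,dialed,minutes,cost_usd
2002-08-05T10:12:00,2101,12125550143,6,0.30
2002-08-05T14:40:00,2101,0119995550100,12,9.60
2002-08-06T02:14:00,2207,0119995550101,55,44.00
2002-08-06T03:20:00,2207,0119995550102,40,32.00
2002-08-06T04:05:00,2207,0119995550101,30,24.00
"""

BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time, Monday to Friday
INTL_PREFIX = "011"             # international dialing prefix in North America
DAILY_COST_LIMIT = 50.0         # per-extension spend that triggers an alert


def audit_cdrs(text):
    """Return (rule, extension, start) alerts for a CSV of call detail records."""
    alerts, alerted = [], set()
    daily_cost = defaultdict(float)
    for row in csv.DictReader(io.StringIO(text)):
        start = datetime.fromisoformat(row["start"])
        ext = row["extension"]
        off_hours = start.weekday() >= 5 or start.hour not in BUSINESS_HOURS
        # Rule 1: international calls placed while the office is closed.
        if off_hours and row["dialed"].startswith(INTL_PREFIX):
            alerts.append(("after-hours-international", ext, row["start"]))
        # Rule 2: running spend per extension per day; alert once on crossing.
        key = (ext, start.date())
        daily_cost[key] += float(row["cost_usd"])
        if daily_cost[key] > DAILY_COST_LIMIT and key not in alerted:
            alerted.add(key)
            alerts.append(("daily-cost-exceeded", ext, row["start"]))
    return alerts


if __name__ == "__main__":
    for alert in audit_cdrs(CDR_SAMPLE):
        print(alert)
```

Run against records as they are written, the spend rule fires at the call that crosses the limit instead of at the end of the billing cycle.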
CONCLUSION
A global converged network will change the telephony landscape completely.
New services, applications, and paradigms are already emerging. In the rush
to migrate telephony to the more flexible infrastructure of the Internet,
security has almost been an afterthought. Soon it will become obvious that a
flexible and open network creates security problems that were not issues in
the closed proprietary past of telephony. These issues will need to be
addressed in order for Internet telephony to flourish. There will certainly
be challenges at first, but most of the technical difficulties can be
overcome if security is made part of the design requirements of new IP
telephony applications from the beginning. As organizations migrate their
internal phone systems to IP, they will be able to protect them by applying
security best practices at the perimeter of the organization.
Many of the security solutions are not VoIP specific; rather the
solutions involve the same combination of people, processes, and technology
that are applied to protect data networks. Security within corporate
networks can be improved by protecting the perimeter and applying
encryption. The real challenge will appear when IP telephony transcends the
boundaries of a single organization. When companies start connecting to each
other or accepting incoming VoIP connections from the public, the security
problems will become much more serious. Solutions will depend on designing
security into the protocols and user agents. Unfortunately, security is
often "bolted" on as an afterthought.
Perhaps the most pertinent lesson is that it is estimated that security
measures cost 10 times less if they are included in the design and not added
on after the implementation. Internet telephony pioneers can reap
significant savings by considering security at the earliest stages in the
development of applications or systems. If they do not, they will soon
discover that the honeymoon is over.
Andreas M. Antonopoulos is security practice leader at Greenwich
Technology Partners. Joseph D. Knape is an independent security consultant
in Dallas, Texas.
Greenwich Technology Partners is a leading network infrastructure
consulting and engineering company that designs, builds, and manages the
complex networks that utilize advanced Internet protocol, electro/optical,
and other sophisticated technologies. Additional information about Greenwich
Technology Partners can be found online at www.greenwichtech.com.