[VOIPSEC] How to test VoIP security

Erik.Hofmann at infineon.com Erik.Hofmann at infineon.com
Tue Nov 15 07:57:45 CST 2005 

Maybe a risk assessment point of view and a bit more structured approach
can be helpful.

1) 
consider a certain starting szenario (end user using VoIP over Internet,
organisation / enterprise deploying VoIP inhouse, provider - ISP -
offering VoIP services commercially etc)

Ask for targets of protection, threat szenarios and business impact in
case of security incidents, worst-case-szenarios. 
Example: management board needs confidentiallity, carrier needs
integrity and authentication regarding his billing of his VoIP services,
location of enterprise needs availability in telephony service etc.

2)
Assess potential business impact and identify most important threats.
(may be not necessary for you)

3) 
Assess how certain threats may become incidents and what risk is coming
up for a particular business impact / damage.
How could confidentiality be breached?
How can availability be threatened?
How could integrity be breached, authentication be compromised?

To answer all questions consider that there is a complete VoIP design
with:
* VoIP components
* protocols (SIP, RTP on top of TCP/UDP IP running on Ethernet etc)
* systems with software and operating systems (UAs, signalling servers,
gateways, registrars etc)
* Network environments (ethernet, WAN, network components (routers,
switches), firewalls etc)
* processes and administration
* physical protection

Example:
You need confidentiallity of phone calls within a closed VoIP V-LAN,
protection against unauthorized wire tapping against someone which may
have physical access to that net.
How may this happen?
Man in the midle attacks? How could that technically be done? sniffing
tools, ARP spoofing access to network in between? etc
Registration hijacking? Is this really a confidentiality problem for the
voice data? How could that be happen?
Impersonation of server: Is this a threat which may lead to
confidentiality problem? Yes may become a man in the middle problem...

What counter measures can I implemented to reduce this risk? Router
configurations, hardening SIP server, configuring UAs? etc
etc etc...

If you than additionally need a proof of concept, you can deploy testing
tools to compromise the VoIP environment.


hope this thoughts help you a little bit ...

Erik 
 

>-----Original Message-----
>From: Voipsec-bounces at voipsa.org 
>[mailto:Voipsec-bounces at voipsa.org] On Behalf Of Floris Jan Schepel
>Sent: Tuesday, November 15, 2005 11:47 AM
>To: voipsec at voipsa.org
>Subject: [VOIPSEC] How to test VoIP security
>
>Dear experts,
>
>I am a IT student at TI Mon3aan, in the Netherlands, whit a 
>work placement at Heerema.
>My study here is to find out, how to secure VoIP.
>Heerema will work whit a Cisco Avaya solution. A Cisco 
>network, whit Catalyst 4506, 3560, and 2950 switches.
>The VoIP environment will be Avaya, like the 8700 media 
>servers, G650 Media gateways direct to ISDN, and Avaya IPphones.(H.323)
>
>On a lot of sites, there are explanations how to secure a VoIP 
>environment, but none of this sites, tell me how to test a 
>VoIP environment. I am looking for a tool or a appliance, with 
>I can test and log the security of this VoIP network. I like 
>to use this tool or appliance on a test network.
>
>I'ts not the purpose to knock (DoS) or Hack the VoIP network 
>down. I have Google'd a lot and, checked the email list, but I 
>have failed to find something usefull. I also have read a lot 
>of VoIP books, like: "Switching to VoIP", and Carrier grade 
>Voice over IP" but none of them gives me information of what I 
>am looking for.
>
>I hope, that you can help me, testing this VoIP environment 
>without harming it.
>
>
>Thanks for you help,
>Floris
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>

More information about the Voipsec mailing list