[VOIPSEC] An issue of trust?

[Shawn Merdinger]

Date: Fri, 16 Jun 2006 14:29:41 -0300 (BRST)
Hello all,

>From: "Andre Fucs de Miranda" <afucs-listas at mandicmail.com>
>Subject: Re: [VOIPSEC] An issue of trust?
>To: voipsec at voipsa.org
>
>Gentlemen,
>
>Security is not related to traffic, it's related to USER (pvt or business)
>and regulation requirements; nothing more. The reality is that skype it's not
>"secure" simply because you have no control over the encryption. Period. I'm
>sorry; it could be using the best martian military grade encryption. Still I
>have no reason to choose Skype or any other comercial or foreign company as a
>trusted party.

I've found this thread and Andre's last sentence quite interesting,
and several smart folks expressing their varied views of what
constitutes "trust" and "security," the impact of CALEA, etc.  Fwiw, I
don't think anyone has gotten it right, and I'm not even sure there is
"right" answer...but through dialog we all may gain better
perspectives of the issues.

Andre's paragraph I quoted above is what spurned me to add my own
thoughts to this thread.  Specifically I'd like to address that in
implementing these solutions we are, at a basic level, using networked
boxes running a hodgepodge of software with a multitude of security
problems, especially with implementation of features, services and
protocols...to name just a few.

Stated plainly:  Software security bugs exist in products.  Some get
fixed, some don't.   Features add into products to improve security
may actually well expose the product and network to increased risk of
compromise.  This is something that I'm sure we can all agree on.

To that end, let's take a critical look at some aspects of CALEA
capable devices.  I use Cisco gear (mostly) in these examples not to
pick on Cisco, but rather because they have great document ion and are
IMHO one of the few vendors willing to disclose details of product
problems.

Cisco uBR10012
============

The Release Notes for Cisco uBR10012 - Cisco IOS Release 12.3
BC<http://cco.cisco.com/univercd/cc/td/doc/product/cable/ubr10k/ub10krns/123bcu10.htm>
indicate several CALEA related bugs of interest:

"CSCek35970:  The IP ToS/DSCP byte is not overwritten for PacketCable
CALEA replicated packets with the value received by GATE-SET COPS
messages.  There are no known workarounds."

"CSCej68481:  Traceback and randam [SIC] PRE reloads occur during LC
switchover with PacketCable call having CALEA wiretap turned on.
Workaround: Turn off CALEA wiretap."

"CSCsb28546:  Voice RTP/UDP packets are not forwarded to CALEA DF
(Server) after Line Card or PRE switch-over is performed.  There are
no known workarounds."

While these Cisco bugs are tied to a particular device and is arguably
"one off" scenario, I suggest a look at the defined "li user" in
Cisco's Lawful Intercept enabled IOS devices with Role-Based CLI
Access.

One may think that admin (level 15) access on a LI enabled IOS box has
all privileges this document seems to indicate otherwise:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part30/hclivws.htm

.....snip.....

Commands available in lawful intercept view belong to one of the
following categories:

•Lawful intercept commands that should not be made available to any
other view or privilege level
•CLI views that are useful for lawful intercept users but do not have
to be excluded from other views or privilege levels

Troubleshooting Tips

To display information for all users who have access to a lawful
intercept view, issue the show users lawful-intercept command. (This
command is available only to authorized lawful intercept view users.)

........./snip........

When we talk about "security" -- I also suggest raising critical
technical questions of how CALEA operations are conducted when we're
dealing with multiple vendor's gear.  Take for example the methods of
accessing applications that runs on the SS8 Mediation Device:

http://www.cisco.com/technologies/SII/SII.pdf

.....snip (pg. 24).....

The three methods of accessing the SS8 Networks Xcipio mediation
device are through a CLI, a direct GUI, and a JAVA web interface.
Except for surveillance information, all configurations must be done
using Man-Machine Language (MML) commands. Surveillance information
can be configured using the GUI or by the user calea_gui. Some
configuration information (such as call agents) can be viewed using
the GUI or user calea_gui but cannot be modified through the GUI or
user calea_gui.

Calea_gui is an X Window application that must be run on the SS8
mediation device and displayed either locally or by being sent to a
remote X Window server. The SS8 mediation device also supports a web
interface that can be used to provision targets through any web
browser or UNIX or LINUX workstation.

....../snip.....

Finally, if we look a little closer at this PDF
<http://www.cisco.com/technologies/SII/SII.pdf>, there "appear" to be
multiple hardcoded usernames across different devices required for
configuration of the LI environment.

>From pg. 25

"Collection Function Configuration
The add-cf command adds the collection function and must be executed
by user calea_adm."

>From pg. 26

"Surveillance Record Configuration
The add-surveillance command is used to add a record for each subject
that is to be monitored for call data or call data and call content.
It must be executed by user calea_opr."

>From pg. 33

"Verifying the Cisco BTS 10200 Softswitch Call Agent Configuration
The following commands can be used to verify the LI configuration on
the Cisco BTS 10200 softswitch call agent. Each of these EXEC commands
can be issued only by the user calea."

Just something to think about as we all move towards a better
understanding of "security"

Thanks!
--scm