SOME NEW METHODS FOR VOIP SECURITY EDUCATION
JAROSLAV DOCKAL
This paper describes two approaches to security education – one at a civilian university and the other at a military university. It gives the reasons for including a part based on VoIP security in a security course. The paper also presents plans for further improving these lectures with regard to laboratory research.

The article compares two approaches to teaching information security: that of civilian universities and that of military universities. The comparison highlights the reasons why it is worth paying particular attention to teaching VoIP-based information security. The article also presents future plans for developing these lectures and laboratory exercises.
BIZTONSÁGTECHNIKA

Two approaches to security education

The starting point of my paper is a comparison of security education at a civilian and at a military university. This comparison helps to explain why we chose VoIP security and why we consider this education so important. For the comparison I chose Masaryk University (MU), the second largest university in the Czech Republic. MU has nine faculties, one of them being the Faculty of Informatics (FI). FI has 10 bachelor study programs; the program „Computer Systems and Data Processing” allows students to choose from three specializations, including „Security of Information Technologies”. „Security of Information Technologies” is also one of the 14 FI master study programs. This master program covers 11 courses: „Coding, Cryptography and Cryptographic Protocols”, „Cryptography” (offered at the Faculty of Science), „Information Technology Security”, „Seminar on Information Technology Security”, „Applied Cryptography”, „Data Protection and Information Privacy”, „Information policy and SIS of Czech Republic”, „Information Law, Authentication and Access Control”, „Postgraduate seminar on IT Security and Cryptography” and „Security Laboratory”.

The University of Defence (UoD) consists of three faculties; our Faculty of Military Technology (FMT) has only two study programs, both called Military Technology: a bachelor program and the consecutive master program. One component of this program is its security part. In the bachelor study this part is covered by the course „Security CIS (Communication and Information Systems)”, which spans two semesters. In the master program the security part is covered by four courses: „Security Analysis and Audit”, „Techniques of Cryptography”, „Cisco Network Security and Management” and „CIS Security”.

MU and UoD cooperate in a wide range of areas: in research, in the preparation of syllabuses and study texts, in common exam boards for PhD study, etc. We also organize special security seminars and cooperate within the Czech & Slovak peer-reviewed magazine Data Security Management (www.dsm.tate.cz). Together we also organize the scientific conference „Security and Protection of Information” (www.unob.cz/spi), which is part of the accompanying program of the military exhibition IDET (International Fair of Defense and Security Technology and Special Information Systems).

Notwithstanding our similarities and cooperation, important differences are visible at first sight: MU prefers mathematics-based security education, while UoD prefers practical forms of education; while the range of assumed future positions of MU students is very wide, UoD knows the future positions of its students (in the ICT area they serve as system administrators, network administrators, database administrators, application administrators, web administrators and security officers); for UoD it is impossible to cover all disciplines in ICT, and the same is true for the security area. Our alumni should therefore be more specialized in the latest disciplines.
One of these special disciplines is VoIP security. This discipline was not requested by the CIS (Communication and Information Systems) department of our General Staff, but we predict that this request will become urgent within several years.
VoIP security education

These lectures presuppose knowledge of IP telephony methods. We use an IP telephony bundle together with practical knowledge of SIP technology. Our education is based on free products and, at the same time, on practical knowledge of Cisco IP telephony products. For this part of the training we bought the Cisco IP Telephony bundle and use a lab portfolio [1]; however, of its 46 labs only one is devoted to security. Its particular tasks cover verifying phones, restricting phone registration, configuring IP phone activity and preventing toll fraud. In our opinion this is not enough, and that is why we added our own tasks:

– Defence of the IP telephony infrastructure by separating the voice and data VLANs (a defence e.g. against the VOMIT attack), with an ACL (Access Control List) configured for each of the two VLANs:

interface FastEthernet0/3
 ! data VLAN 10 carries the PC traffic, voice VLAN 15 the phone traffic
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 15

– Defence of every port by IP Source Guard, which protects against IP and MAC spoofing.

– Transformation of P2P traffic (KaZaa, Morpheus, Grokster, Napster, iMesh etc.) and games (Doom, Quake, Unreal Tournament etc.) into scavenger-class traffic (mapping to DSCP CS1, which has lower priority than the Best Effort class).

– Defence against unauthorized DHCP answers (DHCP Snooping), which could be used as part of a man-in-the-middle attack.

We also plan to test the Metreos VoIP firewall, which runs on the Fedora operating system. After authentication this firewall opens, for a specific IP address, only those ports that are used at the time of the call. It is an ideal firewall for small, segregated military units using IP telephony. For monitoring we use the popular network protocol analyzer Wireshark 0.99.1pre1.

Cisco IP phones are able to use the SRTP protocol for voice transport, with HMAC-SHA-1 for authentication and AES-128-CM for encryption. For registration requests the TLS protocol is used (SRTS not yet), with RSA for signing, HMAC-SHA-1 for authentication and AES-128-CBC for encryption. Students can observe the differences between a secure and a non-secure connection. We usually carry out our labs on Cisco equipment in our Regional Cisco Academy laboratory or on PCs with free software. Our security training based on free software was inspired by the SNOCER project [2], and this education is prepared in co-operation with one of the authors of that project.
Example of training

We installed several X-ten Lite soft-phones on our student network. Figure 1 shows two of them, with IP addresses 160.216.1.109 and 160.216.1.104. The figure also shows two SIP proxies (we chose the SIP Express Router software), which we installed on PCs with IP addresses 160.216.1.102 and 160.216.1.103. One group of students wrote scripts for attack generation and installed them on the PC with address 160.216.1.102. The other group prepared a set of attack detection rules for the Snort intrusion detection system and installed them on the PC with IP address 160.216.1.103.
Figure 1 IP telephony configuration
Students are asked to prepare the attack and the defence for the following set of attacks:

– portscan detection (for this purpose the Snort IDS provides several types of preprocessors: Portscan Detector, sfPortscan and FlowPortscan);
– TCP SYN flood attack (based on exhausting the possible number of open TCP connections on the SIP proxy);
– Smurf attack (an attacker uses a spoofed source IP address in ICMP echo requests and an auxiliary broadcast network for amplifying the attack stream);
– DoS and DDoS attacks (DDoS shaft synflood, Jolt DoS attack, DoS Land attack, DoS Teardrop attack, DoS UDP echo+chargen bomb, DoS NAPTHA, NETBIOS DoS RFPoison, DoS Winnuke attack, DoS Cisco attempt, DoS ISAKMP invalid identification payload attempt);
– intrusions directed against the DNS server (DNS named query attempt, DNS spoof query response PTR with TTL of 1 min. and no authority, DNS SPOOF query response with TTL of 1 min. and no authority, DNS zone transfer TCP, DNS named authors attempt, DNS named version attempt, DNS EXPLOIT named 8.2->8.2.1, DNS EXPLOIT named overflow ADM, DNS EXPLOIT named overflow ADMROCKS, DNS zone transfer UDP, DNS UDP inverse query, DNS TCP inverse query, DNS TCP inverse query overflow, DNS UDP inverse query overflow);
– attacks on STUN servers and RTP proxies;
– attacks on SIP proxies;
– INVITE flooding;
– REGISTER flooding;
– unauthorized messages;
– SQL injection attacks.

As an example we choose the last mentioned, the SQL injection attack. SQL injection attacks are known mainly from the web environment, where they are used to inject malicious SQL code into the input fields of HTTP forms. These attacks can also be used in VoIP/SIP networks. SQL injection attacks can be carried out only if the attacker has good knowledge of the SIP proxy implementation; this can be arranged quite easily, especially in the case of open-source SIP proxies. In the SIP environment SQL injection can be used in INVITE and REGISTER messages, mainly in their authentication parts. Thus malicious SQL code can be included, for example, in the Username or Realm fields of the Authorization header to achieve some malicious activity. This is possible because the SIP proxy executes SQL code to obtain the password from the database for the given Username and Realm. The SQL code which does this can look as follows:

Select password from subscriber where username='myname' and realm='147.32.121.11'
Now, if we insert into the Username field malicious SQL code such as

myname'; DROP table Subscriber --

we can force the proxy to execute the malicious SQL code, which drops the Subscriber table and thus achieves a DoS. The complete SQL code invoked by the proxy then looks like this:

Select password from subscriber where username='myname'; DROP table Subscriber -- ' and realm='160.218.1.102'

The SIP proxy can be forced to invoke the execution of a number of various SQL codes. The structure of the malicious SIP messages can be written as:

METHOD SIP-URI | SIPS-URI
MESSAGE HEADER+
MESSAGE HEADER = Via | Max-Forwards | From | To | Contact | User-agent | Call-Id | CSeq | Authorization | Event | Content-Length
Authorization  = Digest username=".+(';SQL-STATM COMMENT)" realm="Ipaddress"
               | Digest realm="Ipaddress (';SQL-STATM COMMENT)" username=".+"
               | Digest username=".+(';SQL-STATM COMMENT)" realm="Ipaddress (';SQL-STATM COMMENT)"
SQL-STATM = UPDATE | INSERT
COMMENT   = "--" | "#"
UPDATE    = see SQL 92 syntax
INSERT    = see SQL 92 syntax

The generated attack is then detected by the Snort rules.
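As an added example (not code from the paper, from SIP Express Router or from the SNOCER project), the following Python script shows both sides of this exercise: a Snort-style check that applies the Authorization-header grammar above to constructed REGISTER messages, and, beside the string-built lookup query the text describes the vulnerable proxy as running, a parameterized lookup against a constructed in-memory subscriber table that is not affected by the injected username. The message contents, the addresses, the table layout and the function names are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample SIP REGISTER messages for the lab scenario. The first carries a
# normal Digest Authorization header; the second carries the injected username from
# the text. Addresses follow the paper's figure.
BENIGN_REGISTER = (
    "REGISTER sip:160.216.1.103 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 160.216.1.109:5060\r\n"
    "From: <sip:myname@160.216.1.103>\r\n"
    "To: <sip:myname@160.216.1.103>\r\n"
    "Call-ID: a1b2c3@160.216.1.109\r\n"
    "CSeq: 1 REGISTER\r\n"
    'Authorization: Digest username="myname", realm="160.216.1.103", '
    'nonce="abc", uri="sip:160.216.1.103", response="00"\r\n'
    "Content-Length: 0\r\n\r\n"
)
INJECTED_REGISTER = BENIGN_REGISTER.replace(
    'username="myname"', "username=\"myname'; DROP table Subscriber --\""
)

# Pattern following the grammar on the page: a closing quote, a statement separator,
# an SQL keyword, then an SQL comment (-- or #) that swallows the rest of the query.
SQL_INJECTION = re.compile(r"'\s*;\s*(DROP|UPDATE|INSERT|DELETE)\b.*(--|#)", re.I)


def parse_authorization(message):
    """Return the Digest parameters of the Authorization header as a dict."""
    params = {}
    for line in message.split("\r\n"):
        if line.lower().startswith("authorization:"):
            body = line.split(":", 1)[1].strip()
            if body.lower().startswith("digest"):
                body = body[len("Digest"):]
            for m in re.finditer(r'(\w+)="([^"]*)"', body):
                params[m.group(1).lower()] = m.group(2)
    return params


def detect_injection(message):
    """Snort-style check: names of the username/realm fields matching the pattern."""
    params = parse_authorization(message)
    return [k for k in ("username", "realm")
            if k in params and SQL_INJECTION.search(params[k])]


def build_query_unsafe(username, realm):
    """The vulnerable construction: the proxy's lookup assembled by string concatenation.
    Returned only as text here, to show what the database would be asked to run."""
    return ("Select password from subscriber where username='%s' and realm='%s'"
            % (username, realm))


def make_subscriber_db():
    """Constructed in-memory stand-in for the proxy's subscriber table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, realm TEXT, password TEXT)")
    conn.execute("INSERT INTO subscriber VALUES ('myname', '160.216.1.103', 'secret')")
    return conn


def lookup_password_safe(conn, username, realm):
    """Hardened lookup: bound parameters, so quotes in the input never reach the SQL parser."""
    row = conn.execute("SELECT password FROM subscriber WHERE username=? AND realm=?",
                       (username, realm)).fetchone()
    return row[0] if row else None


def table_exists(conn, name):
    return conn.execute("SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
                        (name,)).fetchone()[0] == 1


if __name__ == "__main__":
    for msg in (BENIGN_REGISTER, INJECTED_REGISTER):
        p = parse_authorization(msg)
        conn = make_subscriber_db()
        print("injected fields:", detect_injection(msg))
        print("unsafe query   :", build_query_unsafe(p["username"], p["realm"]))
        print("safe lookup    :", lookup_password_safe(conn, p["username"], p["realm"]))
        print("table intact   :", table_exists(conn, "subscriber"))
```

Run as-is, the script flags only the second message, prints the concatenated query so that students can see the injected statement where the password lookup should be, and shows that the parameterized lookup simply finds no such subscriber while the table stays in place.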
Better than using PCs is to use a notebook with VMware Workstation and to emulate all network stations on it. The requirements for these notebooks are more demanding (e.g. 2 GB RAM) but nothing unrealistic.
Further plans

Further plans for IP telephony education consist in using special test devices for traffic generation and threat assessment. In our laboratory we plan to generate different types of traffic to determine the total bandwidth supported by VoIP firewalls. For this purpose we chose Avalanche from SPIRENT. This product has a graduated load-generation mechanism that allows Avalanche to ramp the traffic up automatically to the desired level. Other load testing products often lack this facility, which makes load testing very difficult. Avalanche is a very expensive product and we will borrow it from one of the Czech companies in Brno.

A complementary solution to Avalanche is ThreatEx. This device provides visibility into essential areas of network security. It is able to emulate and analyze the effects of corrupt traffic and other impairments. We will identify vulnerabilities by using ThreatEx to conduct realistic attacks on individual devices or entire networks. The ability to run sequences of controlled attacks significantly accelerates the task of closing system vulnerabilities. ThreatEx uses the latest threat signatures, delivering zero-day testing capabilities. We plan to carry out tests on our Cisco 2600 router. One example is a test for a known HTTP bug: if „ip http server” is in our running configuration and we then request

http:///%%

the router could crash.
Conclusion

Security of VoIP (especially IP telephony) addresses future problems not only in the military area but also in other governmental services. In our opinion it is better to anticipate problems than to solve them when it is too late; to deal with the requirements of military practice earlier than the Army itself feels their necessity is the right way to increase the significance and importance of the military university.
References

[1] SCHMIDT, Cheryl; FRIEND, Ernie. IP Telephony Using Call Manager Express Lab Portfolio. Cisco Systems, 2007.
[2] SNOCER project team. General Reliability and Security Framework for VoIP Infrastructures. http://www.snocer.org/Paper/snocer_D2_2.pdf