Voice over IP security PDF

383 Pages·2009·3.654 MB·English
by Patrick Park
Preview Voice over IP security

Voice over IP Security
Patrick Park

Cisco Press
800 East 96th Street
Indianapolis, Indiana 46240 USA

Voice over IP Security
Patrick Park
Copyright © 2009 Cisco Systems, Inc.

Published by:
Cisco Press
800 East 96th Street
Indianapolis, IN 46240 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.

Printed in the United States of America
First Printing September 2008

Library of Congress Cataloging-in-Publication data
Park, Patrick, 1971-
Voice over IP security / Patrick Park.
p. cm.
ISBN 978-1-58705-469-3 (pbk.)
1. Internet telephony--Security measures. I. Title. II. Title: VoIP security.
TK5105.8865.P37 2008
004.69'5--dc22
2008036070
ISBN-13: 978-1-58705-469-3
ISBN-10: 1-58705-469-8

Warning and Disclaimer

This book is designed to provide information about Voice over IP security. Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc. shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Trademark Acknowledgments

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

Corporate and Government Sales

The publisher offers excellent discounts on this book when ordered in quantity for bulk purchases or special sales, which may include electronic versions and/or custom covers and content particular to your business, training goals, marketing focus, and branding interests. For more information, please contact: U.S. Corporate and Government Sales 1-800-382-3419 [email protected]

For sales outside the United States please contact: International Sales [email protected]

Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at [email protected]. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Publisher: Paul Boger
Associate Publisher: Dave Dusthimer
Cisco Press Program Manager: Jeff Brady
Executive Editor: Brett Bartow
Managing Editor: Patrick Kanouse
Development Editor: Dan Young
Project Editor: Seth Kerney
Copy Editor: Margaret Berson
Technical Editors: Bob Bell, Dan Wing
Editorial Assistant: Vanessa Evans
Designer: Louisa Adair
Composition: Octal Publishing, Inc.
Indexer: WordWise Publishing Services LLC
Proofreader: Water Crest Publishing, Inc.

About the Author

Patrick Park has been working on product design, network architecture design, testing, and consulting for more than 10 years. Currently, Patrick works for Cisco as a VoIP test engineer focusing on the security and interoperability testing of rich media collaboration gateways.
Before Patrick joined Cisco, he worked for Covad Communications (a VoIP service provider) as a VoIP security engineer focusing on the design and deployment of secure network architecture and lawful interception (under the Communications Assistance for Law Enforcement Act [CALEA]) with various tools and solutions. Patrick graduated from Pusan National University in South Korea, where he majored in computer engineering. While attending graduate school, he wrote the book Web Server Programming with PHP. Patrick lives with his wife and children in Los Gatos, California.

Dedication

This book is dedicated to our God who lifted me up for this opportunity, my wonderful wife, Sun, and my children, Janice and Jayden. Thank you all for making me complete.

Acknowledgments

I’d like to give special recognition to Dan Young and Andrew Cupp for providing their expert technical knowledge in editing the book and working hard to keep the book on time. A big “thank you” goes out to Dan Wing and Bob Bell for giving great comments during the review process and helping me complete this book. Thanks to Allan Konar, Yoon Son, and Mo Kang for contributing their technical expertise, which helped me find the right direction in the initial writing of this book. Last but not least, I’d like to thank my current manager, Shamim Pirzada, who mentors me and encourages me to spend extra time for personal development. Also, thanks to my colleagues, the Photon team, who gave great inspiration and technical information.

Contents at a Glance

Introduction
Part I VoIP Security Fundamentals
Chapter 1 Working with VoIP
Chapter 2 VoIP Threat Taxonomy
Chapter 3 Security Profiles in VoIP Protocols
Chapter 4 Cryptography
Chapter 5 VoIP Network Elements
Part II VoIP Security Best Practices
Chapter 6 Analysis and Simulation of Current Threats
Chapter 7 Protection with VoIP Protocol
Chapter 8 Protection with Session Border Controller
Chapter 9 Protection with Enterprise Network Devices
Part III Lawful Interception (CALEA)
Chapter 10 Lawful Interception Fundamentals
Chapter 11 Lawful Interception Implementation
Index

Contents

Introduction
Part I VoIP Security Fundamentals
Chapter 1 Working with VoIP
  VoIP Benefits
  VoIP Disadvantages
  Sources of Vulnerability
  IP-Based Network Infrastructure
  Open or Public Networks
  Open VoIP Protocol
  Exposed Interface
  Real-Time Communications
  Mobility
  Lack of Security Features and Devices
  Voice and Data Integration
  Vulnerable Components
  Myths Versus Reality
  Legacy Versus VoIP Systems
  Protecting Networks Using Strict Authentication and Encryption
  Protecting Networks Using a Data Security Infrastructure
  Summary
  End Notes
  References
Chapter 2 VoIP Threat Taxonomy
  Threats Against Availability
  Call Flooding
  Malformed Messages (Protocol Fuzzing)
  Spoofed Messages
  Call Teardown
  Toll Fraud
  Call Hijacking
  Registration Hijacking
  Media Session Hijacking
  Server Impersonating
  QoS Abuse
  Threats Against Confidentiality
  Eavesdropping Media
  Call Pattern Tracking
  Data Mining
  Reconstruction
  Threats Against Integrity
  Message Alteration
  Call Rerouting
  Call Black Holing
  Media Alteration
  Media Injection
  Media Degrading
  Threats Against Social Context
  Misrepresentation
  Call Spam (SPIT)
  IM Spam (SPIM)
  Presence Spam (SPPP)
  Phishing
  Summary
  End Notes
  References
Chapter 3 Security Profiles in VoIP Protocols
  H.323
  Overview
  Components
  Basic Call Flow
  Security Profiles
  H.235 Annex D (Baseline Security)
  H.235 Annex E (Signature Security)
  H.235 Annex F (Hybrid Security)
  SIP
  Overview
  Components
  Basic Call Flow
  Session Setup Example
  Security Profiles
  Digest Authentication
  Identity Authentication
  Secure/Multipurpose Internet Mail Extensions (S/MIME)
  Secure RTP
  TLS
  IPSec
  MGCP
  Overview
  Basic Call Flow
  Security Profiles
  Summary
  End Notes
  References
Chapter 4 Cryptography
  Symmetric (Private) Key Cryptography
  DES
  3DES
  AES
  SubBytes
  ShiftRows
  MixColumns
  AddRoundKey
  Asymmetric (Public) Key Cryptography
  RSA
  Digital Signature
  Hashing
  Hash Function (MD5)
  SHA
  Message Authentication Code
  MAC Versus Digital Signature
  Key Management
  Key Distribution
  Summary
  End Notes
  References