The main threats for a VoIP-enabled business VoIP-SIP Security

The main threats for a VoIP-enabled business are:
    1- DoS (Denial of Service): Attacks that causes a service or a system to be unavailable to legitimate  users.
    2- Eavesdropping: These attacks allow a hacker to listen to the signalling and data traffic
      (conversations) on the network without the traffic being modified.
    3- Redirection : Attacks that redirect traffic through an exterior or compromised computer. A
      call may be redirected to an attacker, or allow the attacker to join a conversation (without the users being aware of him).
   4-Identity: Attacks that manipulate the identity feature of VoIP call (to usurp an identity,
      for instance).
   5- Theft of service: These attacks target paying services and allow the hacker to use them for  free (but often the business that hosts the service still gets billed).
   6- Unwanted contact:There are several cases in which communication can be considered as a form  of attack. SPAM (or SPIT as it’s called in VoIP communication) is an example  of unwanted communication.
Read More:
Read rest of entry

Signalisation Stream Encryption SIPS Best Practices VoIP-SIP Security

The encryption of signalisation messages will guaranty the confidentiality and integrity of the transmitted data. Attacks that monitor or tamper with these messages are therefore prevented. With SIP, signalisation encryption is accomplished with SIPS (SIP over TLS).
It is however important to note that encrypting the messages will add an overhead that can become quite large if the number of simultaneous calls is important enough.
It is therefore important to test the capacity of a VoIP network to support encryption in order to know it’s limits and to know whether changes must be made to the VoIP infrastructure to be able to support the encryption (typically, servers must be added in order to balance the load).
Signalisation stream encryption should not be used in parallel with S.14 IPSEC (redundant).
About SIPS:
SIPS is based on TLS. The integrity of the data is guarantied through the MACs
(Message Authentication Code), which is based on a MD5 hash (16 bytes) or a SHA-1
hash (20 bytes). The authentication can be configured for:

      -Simple authentication (server authenticates itself to the IP phones)
     -  Mutual authentication
The authentication procedure is based on the X.509 protocol, and is done in the handshake phase of TLS. It’s also during this phase that the used algorithms (cipher and MAC) are negotiated and that the symmetric key for the data encryption is generated.

Read More:
Read rest of entry

Mutual Authentication Best Practices VoIP-SIP Security

Mutual authentication allows the server to authenticate the client and the client to authenticate the server. Attacks based on identity usurpation are therefore prevented. With SIP, mutual authentication is accomplished with SIPS (SIP over TLS).
The method used for mutual authentication should be configured on all SIP equipment.
Read More:
Read rest of entry

Authentication HTTP Digest of SIP Messages Best Practices VoIP-SIP Security

HTTP Digest Authentication allows a server to authenticate signalling messages sent by an IP phone. Attacks based on the usurpation of identification become impossible as long as the password policy is strong enough. HTTP Digest must be configured on:
      -All SIP servers
      - The IP phones
    -   Defining the authentication domain
    -   Defining the password (shared secret between the servers and the IP phones)
As this authentication method is vulnerable to offline brute force attacks, it’s recommended to define a policy imposing a suitably long and complex password.
Read More:
Read rest of entry

Secure the switch’s ports Best Practices VoIP-SIP Security

The separation established with solutions S.03 and S.04 may be compromised if an
attacker can connect a machine to a switch port. To avoid this, you should apply the
following solutions (all if possible):
     -   Deactivate or place in an unused VLAN the ports that are unused
     -   A ACL should be set to authorise only known MAC addresses (per port if 
     -   802.1x authentication should be used if the switch and the IP phones support it
Read More:
Read rest of entry

Deactivation or protection (802.1q) of unused ports (hardphone) Best Practices VoIP-SIP Security

   Some hardphones possess additional network ports to allow connectivity to a computer or other network equipment. The hardphone acting as a hub in these cases, both the attached computer and the hardphone find themselves on the same network or VLAN,
The solution is to deactivate the extra ports or to activate the 801.q protocol on the
hardphone so that the separation between the data and VoIP VLANs is maintained.
Read More:
Read rest of entry

802.1Q Network Card Best Practices VoIP-SIP Security

The main problem of a softphone is installed on a computer is that it necessarily links the data network to the VoIP network, There is,however a solution to maintain the separation of the VLANs. It involves installing and configuring an 802.1q network card. These cards can separate communications sending them to their respective VLANs. However, the OS and softphone must also be able to use 802.1q
Read More:
Read rest of entry

Inter-VLAN Filtering Best Practices VoIP-SIP Security

Communication between the VLANS set up in S.04 must be filtered in order to allow only the necessary transmissions. The filtering must be of the “white-list” type, with only pre-defined communication allowed. The filtering can be done:

      -  Through defining ACLs on the switches/routers connecting the VLANs
      - Through placing a firewall between the VLANs
The filter rules can be based on IP addresses, port numbers and protocols, and TCP/IP flags in order to be as strict as possible and authorise only necessary communications. IP phones, for example, don’t need to send a media feed (i.e. RTP) to VoIP servers. So only signalisation traffic (i.e. SIP) should be authorized.

Read More:
Read rest of entry

Separation of DATA and VoIP equipment Best Practices VoIP-SIP Security

The IP separation consists of attributing different addressing domains to the data network and the VoIP network, for example 192.168.1.x addresses for data network elements (the various servers and user PCs) and 192.168.2.x for the VoIP elements (with a subnet mask). Once the separation is in place, it’s possible to set ACLs (Access Control List) on the Layer 3 equipments (L3 switches, routers and firewalls) to authorize communication only between authorised IP addresses.
If the VoIP network needs services such as DNS, DHCH or NTP, is it recommended
that it possess its own servers.
Read More:
Read rest of entry

Configuration lockdown (hardphone/softphone) Best Practices VoIP-SIP Security

Once the softphone/hardphone is configured, it’s important that the configuration be locked (password, permissions...) so that a user cannot modify it (deactivate the authentication for example). If possible, viewing the configuration should also locked.

Management measures should also be taken to avoid accidental modification of the
configuration of the VoIP equipment.
 Read More:
Read rest of entry

Wiki Voip And Fax Tutorials Copyright © 2010 Labloub