Wednesday, February 20, 2008

SIP Security - IPS/IDS role

VOIP uses TCP/IP-based communication, just like data services. Because of this, the threats that apply to data networks also apply to VOIP-based systems: VOIP phones, VOIP infrastructure appliances and so on. Most of these threats and their possible solutions are well discussed in many forums. Here I try to give the gist of the different types of threats that are possible on VOIP systems.
  • Service disruption (Denial of Service): Service disruption can happen in many ways.
    • Attacker exploiting SIP vulnerabilities and bringing down the service.
    • Attacker exploiting vulnerabilities in software other than SIP and bringing down the service and the device (phone, appliance or server).
    • Attacker sending a large number of SIP requests towards a phone or SIP appliance and making it unusable.
    • Attacker sending a large number of packets to degrade the voice quality.
  • Taking control of a SIP device:
    • Attacker exploiting vulnerabilities in the OS and application software and injecting his/her own code to get shell access.
    • Attacker exploiting poorly configured devices.
      • Taking advantage of default user names and passwords on devices: Many administrators and users forget to change the factory default credentials. Attackers take advantage of this to get control of the device.
      • Taking advantage of weak passwords using brute force attacks.
      • Taking advantage of devices that are on a public network with remote access enabled.
  • Service theft: Once attackers break into a SIP phone, they use it to make many outbound phone calls.
  • Eavesdropping: Hackers can eavesdrop on media streams and steal sensitive information. This is possible by
    • Attackers breaking into the system as explained above in 'Taking control of a SIP device' and snooping on the media streams.
    • Attackers spoofing MAC addresses (ARP poisoning) to become a man-in-the-middle and snoop on media streams and any other content.
  • SPIT (SPam over Internet Telephony): Similar to email spam. Unsolicited marketing calls and commercial calls fall in this category. Unlike traditional telephony, the cost of making calls using VOIP is far lower; a spammer only requires a high-bandwidth data connection, which is very cheap.
  • VOIP phishing (vishing): Email-style phishing fraud can be extended to VOIP by fraudsters. They leave a message saying that it is very important to call back, give a callback number, and spoof the 'From' address (Caller ID) so that the call appears to come from a legitimate entity (such as a bank). An innocent user might call this number and provide identity information to the illegitimate party.

Protecting from these attacks:

No single solution can solve all of the above problems. I believe an Intrusion Prevention System (IPS) has a role in preventing some of the above attacks on VOIP phones and other infrastructure. An IPS device can be placed in line with the SIP/voice traffic to recognize attacks and prevent them from passing through. I will try to describe the IPS role for each of the above threat types.

  • Service disruption -> SIP vulnerabilities and vulnerabilities in other software running on the devices: IPS devices are designed precisely to detect exploits targeting known vulnerabilities. They keep up to date with new exploits and vulnerabilities through automatic signature download mechanisms, and they also let administrators create their own signatures if need be. One should look for the following capabilities when selecting an IPS device to protect SIP infrastructure.
    • SIP protocol intelligence: Look for an IPS device with SIP protocol intelligence. Without it there would be too many false positives, and in some cases it would not be possible to develop a signature that covers a vulnerability at all.
    • HTTP protocol intelligence: Almost all SIP infrastructure devices are configured via HTTP. A vulnerability in the HTTP server can bring down the device and may also give 'root' access to it. Hence, one should look for IPS devices that have HTTP protocol intelligence.
    • Other protocol intelligence: Make a list of the services running in your VOIP infrastructure and look for IPS devices that have intelligence for those protocols.
  • Service disruption -> flood attacks: IPS devices are ideal for detecting and preventing flood attacks. They typically have traffic anomaly detection, and when the anomaly checks are combined with application intelligence, flood attacks are detected without false positives. Look for IPS devices that can detect traffic anomalies on a specific SIP method or on the content of SIP header lines in requests or responses. IPS devices can detect DDoS attacks that saturate the bandwidth, but may not be able to prevent them in real time; what the detection does provide is the information administrators need to take out-of-band action.
  • Taking control of a SIP device -> vulnerabilities: As stated above, IPS devices are ideal for detecting traffic that exploits vulnerabilities.
  • Taking control of a SIP device -> configuration errors: IPS devices may not be able to detect these effectively. Using the IPS rule editor, administrators can create signatures that look for specific strings in the traffic.
  • Taking control of a SIP device -> brute force attacks: IPS devices can detect these if the SIP device returns a protocol-level error upon bad authentication credentials; IPS traffic-anomaly signatures can then detect the repeated failures.
  • Service theft: IPS devices may not be able to prevent service theft completely, but IPS logs can be used to detect it. IPS devices typically log each transaction. Look for an IPS device that supports SIP-based log analysis (inspection). In my view, at a minimum, an IPS device should have the following functionality:
    • Log inspection and report generation based on multiple filtering criteria such as SIP URI, date and time range, IP addresses and so on. The report output should at a minimum contain information about each local SIP phone (SIP URI): the number of calls received, calls originated, average call duration, time of call and so on, in addition to detailed entries where each entry gives the time of the call, the called party ID, the duration of the call and other SIP-related information needed to identify the pattern.
  • Eavesdropping: IPS devices can detect, using signatures, whether voice traffic is being sent in the clear.
  • SPIT: IPS devices with SIP application intelligence can detect SPIT from SIP header line content. For example, an IPS device can detect spammers based on 'From' addresses. This kind of detection is not sufficient when the spammer keeps changing, i.e. spoofing, the 'From' address. IPS devices cannot perform a Turing test, where callers are given a random challenge to play back; this facility helps reject automated spamming systems (no human on the line). SIP proxy firewalls are better suited for this functionality.
  • Vishing: The vishing problem can only be solved by educating end users. IPS devices cannot detect or prevent users making calls to an illegitimate party. They may help to some extent if known 'black' lists exist. I am not sure that even SIP proxy firewalls can solve this problem completely.
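
Three of the IPS checks described in the list above work purely on SIP content: traffic anomaly on a specific SIP method (flood attacks), counting the 401/407 challenges a SIP device returns on bad credentials (brute force attacks), and matching the 'From' header against a block list (SPIT). The following is an added example that writes those checks out in Python; it is not code from the original post or from any IPS product. The thresholds, the block list, the IP addresses and the SIP messages are all constructed for the demo.

```python
from collections import defaultdict, deque

# Thresholds and the SPIT block list are assumed values for this demo.
FLOOD_LIMIT = 5          # requests of one method per window per source
FLOOD_WINDOW = 1.0       # seconds
AUTH_FAIL_LIMIT = 3      # 401/407 challenges per window per client
AUTH_WINDOW = 10.0       # seconds
SPIT_FROM_BLOCKLIST = {"sip:promo@spamcaller.example"}   # constructed


def parse_sip(raw):
    """Split a SIP message into its start line and a dict of headers
    (lower-cased name -> first value). Only what the checks below need."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0].strip(), headers


def request_method(start_line):
    """'INVITE sip:bob@pbx.example SIP/2.0' -> 'INVITE'; None for responses."""
    return None if start_line.startswith("SIP/2.0") else start_line.split()[0]


def response_code(start_line):
    """'SIP/2.0 401 Unauthorized' -> 401; None for requests."""
    return int(start_line.split()[1]) if start_line.startswith("SIP/2.0") else None


def from_uri(value):
    """'"Alice" <sip:alice@pbx.example>;tag=17' -> 'sip:alice@pbx.example'."""
    if "<" in value and ">" in value:
        value = value[value.index("<") + 1:value.index(">")]
    return value.split(";")[0].strip()


class SipInspector:
    """Stateful per-source counters, as an in-line IPS would keep them."""

    def __init__(self):
        self.method_hits = defaultdict(deque)   # (src, method) -> timestamps
        self.auth_fails = defaultdict(deque)    # client -> timestamps

    @staticmethod
    def _over_limit(table, key, ts, limit, span):
        q = table[key]
        q.append(ts)
        while q and ts - q[0] > span:           # drop events outside the window
            q.popleft()
        return len(q) > limit

    def inspect(self, ts, src, dst, raw):
        """Return the alerts raised by one SIP message seen at time ts."""
        alerts = []
        start, hdr = parse_sip(raw)
        method = request_method(start)
        if method:
            # traffic anomaly on a specific SIP method from one source
            if self._over_limit(self.method_hits, (src, method), ts, FLOOD_LIMIT, FLOOD_WINDOW):
                alerts.append(f"flood:{method}:{src}")
            # SPIT screening on the From header of call attempts
            caller = from_uri(hdr.get("from", ""))
            if method == "INVITE" and caller in SPIT_FROM_BLOCKLIST:
                alerts.append(f"spit:{caller}:{src}")
        elif response_code(start) in (401, 407):
            # repeated challenges returned to one client: credential guessing
            if self._over_limit(self.auth_fails, dst, ts, AUTH_FAIL_LIMIT, AUTH_WINDOW):
                alerts.append(f"bruteforce:{dst}")
        return alerts


# Constructed sample traffic
INVITE = (
    "INVITE sip:bob@pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    'From: "Alice" <sip:alice@pbx.example>;tag=1928301774\r\n'
    "To: <sip:bob@pbx.example>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
SPIT_INVITE = INVITE.replace('"Alice" <sip:alice@pbx.example>',
                             '"Promo" <sip:promo@spamcaller.example>')
CHALLENGE = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 10.0.0.7:5060;branch=z9hG4bK123\r\n"
    'WWW-Authenticate: Digest realm="pbx.example", nonce="dcd98b7102dd2f0e"\r\n'
    "Content-Length: 0\r\n\r\n"
)


def run_demo():
    ips = SipInspector()
    alerts = []
    alerts += ips.inspect(0.0, "10.0.0.5", "10.0.0.1", INVITE)        # one normal call
    for i in range(7):                                                 # 7 INVITEs in 0.3 s
        alerts += ips.inspect(1.0 + i * 0.05, "10.0.0.9", "10.0.0.1", INVITE)
    for i in range(4):                                                 # 4 challenges in 1.5 s
        alerts += ips.inspect(5.0 + i * 0.5, "10.0.0.1", "10.0.0.7", CHALLENGE)
    alerts += ips.inspect(9.0, "10.0.0.12", "10.0.0.1", SPIT_INVITE)  # blocked From
    return alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two design points worth noting. The brute-force counter is keyed on the client that receives the challenges rather than on the server that sends them, since the server address is the same for every login attempt; and the flood counter is keyed on source IP, which is exactly why the post's remark about spoofed 'From' addresses (and, for UDP, spoofed source addresses) matters: an anomaly keyed on one field alone is easy to spread across many values, so a real deployment watches several.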

IPS devices play a very important role in detecting some of the critical VOIP threats and preventing them. I strongly advise enterprises deploying VOIP infrastructure to look for IPS devices with SIP intelligence.
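
The log inspection and report functionality asked for under 'Service theft' above (per-phone counts of calls originated and received, average duration, filtering by SIP URI and date range, and detailed entries to identify a pattern) is shown in the following added example. It is not code from the original post or from any IPS product; the call record layout, the local domain, the office hours and the records themselves are assumptions constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime

LOCAL_DOMAIN = "pbx.example"     # assumed: URIs in this domain are local phones
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed call records: (start time, caller URI, called party URI, seconds)
CALL_LOG = [
    ("2008-02-19 09:02:11", "sip:alice@pbx.example", "sip:bob@pbx.example", 120),
    ("2008-02-19 09:30:00", "sip:ext1@carrier.example", "sip:alice@pbx.example", 300),
    ("2008-02-19 23:58:40", "sip:bob@pbx.example", "sip:intl1@carrier.example", 1800),
    ("2008-02-20 00:03:10", "sip:bob@pbx.example", "sip:intl2@carrier.example", 1800),
    ("2008-02-20 00:40:05", "sip:bob@pbx.example", "sip:intl3@carrier.example", 1800),
    ("2008-02-20 08:15:00", "sip:alice@pbx.example", "sip:carol@pbx.example", 60),
]


def is_local(uri):
    return uri.endswith("@" + LOCAL_DOMAIN)


def call_report(records, start=None, end=None, uri=None):
    """Per-local-phone summary plus detailed entries.

    start/end: optional inclusive bounds on call start time, as TS_FORMAT strings
    uri: optional single local SIP URI to restrict the report to
    """
    lo = datetime.strptime(start, TS_FORMAT) if start else None
    hi = datetime.strptime(end, TS_FORMAT) if end else None
    report = defaultdict(lambda: {"originated": 0, "received": 0,
                                  "total_seconds": 0, "calls": []})
    for ts_str, caller, callee, seconds in records:
        ts = datetime.strptime(ts_str, TS_FORMAT)
        if (lo and ts < lo) or (hi and ts > hi):
            continue
        # one record can count for two local phones (internal calls)
        for local, party, direction in ((caller, callee, "originated"),
                                        (callee, caller, "received")):
            if not is_local(local) or (uri and local != uri):
                continue
            entry = report[local]
            entry[direction] += 1
            entry["total_seconds"] += seconds
            entry["calls"].append({"time": ts_str, "direction": direction,
                                   "party": party, "seconds": seconds})
    for entry in report.values():
        n = entry["originated"] + entry["received"]
        entry["average_seconds"] = entry["total_seconds"] / n if n else 0.0
    return dict(report)


def after_hours_external_calls(report, day_start=8, day_end=18):
    """Local phones that originated calls to non-local parties outside the
    assumed office hours: one simple service-theft pattern the report exposes."""
    flagged = {}
    for local, entry in report.items():
        n = sum(1 for c in entry["calls"]
                if c["direction"] == "originated" and not is_local(c["party"])
                and not day_start <= int(c["time"][11:13]) < day_end)
        if n:
            flagged[local] = n
    return flagged


if __name__ == "__main__":
    rep = call_report(CALL_LOG)
    for phone, e in rep.items():
        print(f"{phone}: originated={e['originated']} received={e['received']} "
              f"avg={e['average_seconds']:.0f}s")
    print("after-hours external callers:", after_hours_external_calls(rep))
```

The after-hours check is deliberately simple; in practice the pattern that gives away a compromised phone is usually a combination of time of day, destination (international or premium numbers) and call volume, which is why the post asks for the detailed per-call entries and not only the totals.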
