Howto:Security works with innovaphone

From innovaphone wiki
Revision as of 11:23, 20 December 2007 by Tsr (talk | contribs) (New page: ==Applies To== * all innovaphone devices ==More Information== Security issues in VoIP installations become more and more important to customers. While innovaphone very early has imp...)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Applies To

  • all innovaphone devices


More Information

Security issues in VoIP installations become more and more important to customers.

While innovaphone very early has implemented a security framework based on the H.235 standard for H.323 supporting authentication and message integrity, the need for encryption to enforce privacy

more and more emerges as a requirement.

This paper discusses the existing mechanisms in the version 6 release of innovaphone firmware as well as the proposed scope of security enhancements to be released with the upcoming “version 7"

Risks

Voice over IP applications are like all other data applications exposed to a number of security threats.

These threats can be categorized as follows

• Availability

• Privacy

• Integrity

• Authenticity

• Accountability

Availability

As all devices attached to a network, VoIP devices may be subject to attacks against the availability of their offered services.

Such so-called Denial of Service Attacks may be attempted using various strategies, including amongst others exploiting weaknesses of the implementation or legal but excessive use of offered

resources.

Privacy

As with all communication systems, VoIP devices may be misused to disclose confidential information.

With telephone systems, this obviously involves unauthorized access to voice conversations.

Moreover, access to configuration data (such as registration accounts, passwords, and extension numbers) can be of interest to attackers as well as call data (such as time and source/destination of

calls).

Integrity

The integrity of call signalling data as well as of the voice communication itself can be of utmost importance.

Spoofing of calling party ids for example may be used to obtain unaccounted access to particular resources (such as long distance calls or special services).

But also more subtle and non-obvious tampering with call signalling data like faking cause codes (signalling busy when the party in fact does not respond) etc. or silently changing a call

destination may cause severe harm.

Security Features implemented in Version 6

innovaphone products today feature a number of security features.

This article provides a rundown of the essential features and how they are enabled.

Securing Configuration Data

All configurations for innovaphone devices are stored in local flash memory.

While access to the data through normal interfaces is password protected, the content can potentially be examined if an attacker has physical access to the device (this would require disassembly of

the device and examination of the flash EPROM).

Whenever you pass a configured device to someone else (e.g. when selling it), you should keep this in mind.

If this is a concern, erase the data before (see related articles below).

Configuration data can be dumped to text format using the “Config show” command.

From version 5 on, the resulting text file does not contain any clear-text passwords.

Still, remaining configuration information may be considered sensitive.

So be careful when providing this information to 3rd parties.

Because passwords are encrypted in the config file, you will need to remember the admin password of the device being dumped in order to load it to another device later on.


Securing Access to Configuration Data

innovaphone devices are configured through a web based interface using HTTP or HTTPS access.

HTTP

For HTTP authentication, both basic authentication (which is not encrypted) as well as digest authentication is available.

You should make sure the browser you are using supports digest authentication which allows for reasonable security against password snooping and man-in-the-middle attacks.

There is an option to enforce digest authentication in the “General Settings” (in other words, to disable basic authentication).

However, since the PBX’s SOAP interface is based on HTTP too, all SOAP clients not supporting digest authentication (and the TAPI driver currently is such a client) would be disabled using this

option.

innovaphone devices feature non-protected access to the devices home page.

This is convenient; however, it may reveal some critical information to random port scanners targeting a device from the Internet.

You may thus choose to password protect even the home page using an option in the “General Settings” area.

By default, all HTTP clients can gain access to the device configuration provided they have the right password.

However, there is an option to restrict HTTP access generally to a particular host or network.

This option allows you to restrict all HTTP access (and thus administrative access too) e.g. to hosts from within your own LAN.

If remote configuration access is required though (which would be disabled by this setting), you may consider to setup an administrative PPTP (or PPP over ISDN) dial-in access to the device.

Many innovaphone devices do support such kind of dial-in out of the box.

You would then use the “assign remote IP address” option and assign a local ip address to the dial-in client.

This way, remote configuration is still possible and additionally secured by the PPTP encryption layer.

Due to the computational overhead of HTTPS, HTTP payload traffic is not encrypted in innovaphone devices.

If payload encryption is critical to you for administration access, make sure you configure an encrypted PPTP dial-in access for configuration as described above.

There is a legacy, telnet based access to the configuration layer.

Telnet is inherently unsafe since it transfers unencrypted passwords.

It is not recommended to use this.

From build 04-5807 on, telnet access is disabled by default.

Previous builds can disable telnet access by specifying “/port 0” on the TELNET0 config file line.

HTTPS

HTTPS is supported in the upcoming Version 6 Service Release 2 (V6 SR2)

RFC 2818 defines use of TLS (Transport Level Security, RFC 2246) to secure the HTTP protocol.

Managing Accounts

All administrative functions are secured by account names and passwords.

It is strongly recommended neither to keep the default account nor the default password setting.

Access to VoIP resources

Access to VoIP resources (such as gatekeeper registrations and access to trunk lines) can be secured by account and password.

If securing VoIP resources is an issue, make sure that all gatekeeper accounts are secured by a password.

You may even want to consider disallowing any registration without password, even from within the local area network.

This can be done in the “general settings” area of the PBX.

To protect your trunk lines from unintended access, make sure to configure all gateways (GWxx entries) properly.

For gatekeeper type entries, make sure there is a password, for gateway type entries, make sure the configured netmask suits your needs.

Double check all routing entries to avoid unintended access e.g. to trunk lines.

PPP and PPTP

When using built-in dial-in (PPP, PPTP) interfaces, PAP, CHAP and MS-CHAPv1 are supported.

PAP by design does not allow for password encryption and is thus not recommended.

The CHAP variations do support password encryption using MD4 and DES and are therefore reasonably secure.

There is no payload encryption available for PPP (that is, PPP over ISDN) and PPPoE (i.e. xDSL).

However, using ISDN dialup, payload encryption is not really an issue.

PPTP however features powerful payload encryption in addition to password encryption.

It is using SHA-1 for session key encryption and RC4 up to 128bit for payload encryption.

If payload encryption is an issue to you, you should check the “enable encryption” flag in the PPTP configuration.

Keep in mind that payload encryption incurs computational overhead and the number of concurrent PPTP session the device can handle is reduced.

Using PPTP is an option if fully payload encrypted configuration access is a requirement (see above).

RAS Registrations

H323 user account passwords are obviously sensitive information.

innovaphone devices feature RAS RegistrationRequest (RRQ) password encryption based on the H.235 standard (H.235v2 Annex D – Baseline Security Profile).

By requiring knowledge of a shared secret on both ends, mutual authentication is provided by this mechanism.

H.225 Signalling

Based on the H.235 authentication (see above), H.225 signalling messages carry a signature which ensure message integrity in both directions.

While message content may still be looked at and thus possibly sensitive information may be disclosed, this mechanism effectively disallows corruption of call, authentication and accounting data and

renders man-in-the-middle attacks ineffective.

RTP

RTP (i.e. media stream) traffic is not encrypted with Version 6.

However, media stream endpoints are negotiated securely (see above), so that content spoofing is made difficult.

SIP message security

The current SIP implementation features mutual digest authentication and a reasonable protection against spoofed identities, there is currently no message digest signature available in SIP messages.

The integrity of SIP messages thus is not ensured as is the integrity of H.225 and RAS messages (see above).

SOAP Client account

SOAP clients (such as the TAPI driver or the Operator) require an account/password for authentication at the HTTP layer.

Although the devices admin account can be used for that, it is better practice to use the PBX user password for this.

For the HTTP credentials, you can use the PBX users “Name” as account and it’s “Password” as the password. You will use the “Long Name” as SOAP access user name.

When configuring the TAPI driver e.g., you would create a user with Long Name _TAPI_, Name tapi and a password.

You would then use tapi/password as Gateway Platform Access/Account/Password and _TAPI_ as PBX Access/Username.

SNMP

SNMP is only for monitoring and does not allow any configuration changes.

You may want to restrict the list of “accepted hosts” using the gateway applets SNMP area.

You may want to change the “community” to a non-standard value.

ISDN data calls

ISDN data calls are accepted by innovaphone devices as voice calls are and they are routed similarly.

Although innovaphone devices may be configured to terminate a data call and thus access the local network via dial-in, this option must be explicitly enabled.

Denial of Service attacks

Like any other network device, innovaphone devices may be a target for a denial of service attack.

It is therefore recommended, to protect against malicious access using standard firewall techniques.

However, innovaphone devices feature a built-in DoS filter which will discard unreasonable inbound traffic.

Also, it is based on a dedicated and proprietary operating system which is usually not a target for viruses and other malicious code.

Arp Spoofing

Tools performing VoIP privacy attacks have been made publicly available in order to tap in to VoIP conversations in a local area network.

These attacks are based on spoofing layer 2 networks addresses to create a man-in-the-middle scenario where a conversation can be recorded without service interruption to the original participants.

Basically, the attack is based on the fact that the mapping between IP addresses and Layer2 (MAC) addresses is usually built on-the-fly using a protocol (ARP) that has no security built in.

Attackers can change this association without notice and thus redirect any traffic to themselves.

These kind of attacks have been addressed in V6.

innovaphone ARP stacks will reject unexpected changes to the address mapping, and furthermore cease any traffic to the poisened mac address for 5 seconds.

This way, an Arp spoofing attempt will be seen as service interruption by the end users, giving the network administrator a chance to investigate.

Availability

innovaphone devices have proved to be very robust and reliable.

However, if availability is of utmost importance, redundancy options are available which allow for outstanding protection against loss of service.

Also, all innovaphone devices may be powered via power over Ethernet (PoE) which when combined with an uninterrupted power supply (UPS) ensure seamless operation even in the case of a local power

failure.

PoE may be used concurrently with a local power supply.

Additional Security Features planned for Version 7

Although at present there are a number of security features implemented in innovaphone VoIP devices, there is still a lack of protection for the privacy of communications.

This reflects the fact that previously, the source of attacks usually was expected to be outside of the own organization.

Such risks have been defended using sophisticated firewalls and VPN appliances on the own network border which provide for encryption and thus privacy protection.

However, today’s security risks are more and more expected to emerge from within the organization.

The inability of contemporary local area network equipment to provide for encryption and thus privacy of communications puts the burden on the application.

VoIP application as well as other data applications must provide for end-to-end encryption.

The V7 will introduce a number of features which will help to defend against the risks of security attacks.


SRTP

Secure SIP is a security mechanism defined by SIP RFC 3261 for sending SIP messages over a Transport Layer Security-encrypted channel.

Originally used for securing HTTP sessions, TLS can be repurposed to protect SIP session communications from eavesdropping or tampering.

innovaphone will support with Version 7

AES-128

AES-192

AES-256

all with 32 or 80 bit SHA1 hashed message authentication codes (HMAC).

TLS

The TLS protocol allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery.

TLS provides endpoint authentication and communications privacy over the Internet using cryptography.

Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a

Web browser) can be sure with whom they are communicating.

The next level of security—in which both ends of the "conversation" are sure with whom they are communicating—is known as mutual authentication. Mutual authentication requires public key

infrastructure(PKI) deployment to clients unless TLS-PSK or TLS-SRP are used, which provide strong mutual authentication without needing to deploy a PKI.

TLS is needed fore secure SIP (SIPS)

With Version 7 innovaphone will support TLS with the following methods:

RSA with 3DES

RSA with AES-128

RSA with AES-256

all with SHA1 hashes.


H.235

We currently use H.235v2 Annex D – Baseline Security Profile.

It relies on symmetric techniques and provides authentication and/or message integrity based on shared secrets.

H.235v3 Annex G – SRTP & MIKEY usage discusses a key management scheme suitable for use of SRTP (FRC 3711).

As SRTP does not specify a key management scheme by itself, the MSEC working group within the IETF discusses key management solutions and currently favours MIKEY.

MIKEY defines AES as mandatory transport encryption enforces the use of X.509v3 certificates for public key encryption and digital signatures.

innovaphone will implement H.235 key Exchange for SRTP in Version 7.

SIPS

SIPS is SIP over TLS, which is mandated for proxies, redirect servers and registrars by RFC 3261.

However, use of TLS requires a secure transport protocol, i.e. TCP.

Due to the enhanced performance of AES over 3DES, RFC 3853 updates the original 3DES encryption requirement found in RFC 3261 to require AES for S/MIME.

As RFC 3261 does not support the negotiation of security mechanisms to be used between parties, RFC 3329 defines a number of extra header fields to facilitate the negotiation of security mechanism

between a SIP UA and its next hop server.

The mechanisms supported are: TLS, HTTP Digest, IPsec with IKE, manually keyed IPsec without IKE, S/MIME.

SIPS will be supported with Version 7

Telnet

The secure shell protocol as per RFC 4251 can be used to apply content encryption to telnet sessions.

We will not implement secure shell as we do not recommended to use Telnet at all, and telnet access is disabled by default.

LDAP

LDAP uses the SASL security as per RFC 2222.

Unfortunately, this does not account for content encryption.

LDAP v3 thus has defined extension for use of TLS with LDAP (in RFC 2830).

With Version 7 innovaphone will support LDAP via TLS

SNMP

SNMP versions 1 and 2 have been considered “insecure”.

SNMP Version 3 includes considerably enhanced security mechanisms (as per RFC 3414).

Unfortunately, this puts some difficult burden on SNMP implementations resulting in a rather little deployment compared to SNMP V2.

There will be no SNMP security implementation on innovaphone side, as it is read only on the devices.

802.1X port security

Port security secures physical ports by enforcing a user authentication before allowing data transfer through a given Ethernet switch port.

The endpoint needs to perform this authentication in order to be able to communicate.

As VoIP telephones usually work as an Ethernet switch (featuring a second “PC port”) they would need to enforce port security on this second port too in order not to compromise the security setup.

The switch implementation must support multiple authentications on one port.

innovaphone will support with Version 7 the 802.1x feature on the phones.

Certificate

Handling of certificate

Still in research - the definitively solution is not fixed now.

The certificate gives the public key an identity

We will use the X.509 certificate

There will be a possibility that the customer can use a own certificate.


Conclusion

Given the fact that today’s IT managers consider threats originating from inside the organisation as (at least) as critical as those originating externally, the only viable solution is a combination

of media stream and signalling encryption performed directly by the endpoints.

Fortunately, both relevant signalling protocols in the PBX environment (H.323 and SIP) seem to converge as far as the media stream encryption (SRTP) and the key management (MIKEY) are concerned.

This should ensure end-to-end compatibility between SIP and H.323 endpoints.

The necessary definitions for use of SRTP with H.323 are part of H.235-Annex G, for SIP it is SIPS - SIP via TCP and TLS.

innovaphone will thus implement SRTP and MIKEY according to H.235 Annex G as well as according to the SIP/SDP key management.

While MIKEY as one mode of operation allows the use of pre-shared keys, the TLS used for HTTP requires an X.509 public key/certificate infrastructure in place.

As the security of data transfer used for configuration is considered crucial, HTTPS is a mandatory requirement.

This implies the existence of an X.509 certificate on each device.

innovaphone devices entertain various http-based client connections to foreign http servers (e.g. for voice announcements, configuration provisioning).

Since these connections are (at least) as critical as configuration sessions where the device acts as an http server, both proper http digest authentication and optionally TLS content encryption

(https) needs to be implemented.

The use of telnet to access innovaphone devices is deprecated and thus there is no need to address possible security issues related to the telnet access.

As a “best practice” rule it is recommended to disable telnet access anyway (which in fact is the default configuration anyway).

While innovaphone devices do support SNMP, they do not allow any modification or retrieval of sensitive data using this mechanism.

It is merely meant to facilitate maintaining devices health status.

SNMP should be guarded against risk originating externally anyway (e.g. using firewall techniques).

Risks originating from inside the organisation are considered less important.

innovaphone will thus stay with the current SNMP v1 implementation.

innovaphone systems make extensive use of LDAP queries to synchronize distributed PBX systems.

These communications obviously carry sensitive data (although from the very beginning there were no passwords conveyed in clear).

innovaphone will thus implement TLS for LDAP for inter-PBX communication.

Securing LDAP access by clients (i.e. phones) to organisational directory services is considered less important as the conveyed data usually is not as critical.

Also, existing directory servers may not support TLS for LDAP.

While 802.1X port security adds some extra barrier against certain types of internal risks, it also creates a number of open issues.

Telephones usually are considered to work even if they are currently not authenticated by user.

This may be mandatory for emergency calls for example.

Use of port security would then mandate the storage of a fixed password within the non-volatile memory of an IP phone.

Furthermore, the authentication of the second (PC) port needs to be performed with 802.1.x multiple authentications.