Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions

This section follows along with the networking-based attacks we outlined in Chapters 4, 5, and 6.

Attack Infrastructure Flooding Attacks

Popularity:

8

Simplicity:

6

Impact:

7

Risk Rating:

7

All of the flooding denial of service attacks that we outlined in Chapter 4 can have just as damaging an impact in a Cisco VoIP deployment. As a reminder, these included UDP flooding, TCP SYN flooding, ICMP flooding, and established connection flooding attacks.

Countermeasurs Flooding Attacks CountermeasuresAutoQoS

The defenses to most of these flooding attacks involves many of the general countermeasures we covered in Chapter 4, including VLANs, anti-DDoS solutions, hardening the network perimeter, and finally quality of service enforcement by configuring the network infrastructure itself to detect and prioritize VoIP traffic properly.

Perhaps the most important Cisco-specific countermeasure for mitigating flooding attacks is to ensure that quality of service settings are properly configured across your infrastructure. Cisco's IOS Quality of Service Solutions Guide provides a step-by-step list for enabling and tuning QoS parameters for your entire enterprise on IOS-supported devices; go to http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_book09186a0080435d50.html.

The last section of this guide introduces a fairly new feature in IOS, available since release 12.2(15)T. Called AutoQoS, this feature " simplifies QoS implementation and speeds up the provisioning of QoS technology over a Cisco network. It reduces human error and lowers training costs. With the AutoQoS VoIP feature, one command (the auto qos command) enables QoS for VoIP traffic across every Cisco router and switch" (http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455a3d.html).

For a mid- size to large enterprise, the IOS AutoQoS features are compelling because setting up effective QoS for applications can be challenging and time consuming for an IT admin.

Additionally, some Cisco switches also have the ability to apply a feature called scavenger class quality of service. Scavenger class QoS allows the administrator to rate shape certain types of traffic so low that prioritized applications within the network will be unaffected. This is typically a common mitigation technique to some DDoS attacks when bursty worm traffic is detected in the network. More information on scavenger class QoS features is available in Cisco's Enterprise Solution Reference Network Design Guide (http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a008049b062.pdf or http://tinyurl.com/kh5bq).

Attack Denial of Service (Crash) and OS Exploitation

Popularity:

9

Simplicity:

8

Impact:

10

Risk Rating:

9

The majority of problems that CallManager has faced over the years has had more to do with its underlying operating system than the VoIP application itself. Most of the worms and viruses that have affected CallManager 4. x have done so because of a vulnerable Windows component. Consider the following security advisories:

The free Metasploit framework (http://www.metasploit.com) is a fairly easy-to-use exploit tool that comes preinstalled with Microsoft exploits that have at one time or another affected most CallManager 4. x installations (see Figure 7-11).

Figure 7-11: Metasploit Framework with the infamous LSASS vulnerability

Additionally, as with any software product, the CallManager application itself has been prone to various security issues as exhibited by the quote at the beginning of the chapter taken from one such advisory. All of the specific security issues that have affected CallManager 4. x and 5. x are available at "Cisco Unified CallManager Security Advisories, Responses, and Notices," http://www.cisco.com/en/US/products/sw/voicesw/ps556/prod_security_advisories_list.html.

Countermeasurs Denial of Service (Crash) and OS Exploitation Countermeasures

The following are general strategies for mitigating new and existing vulnerabilities in the underlying operating system of CallManager.

Patch Management

Patch updating is the most important task in staying ahead of the shrinking window of time for worm and exploit releases after a new vulnerability is discovered . One of the inherent problems in relying on Cisco for updates is the slight delay incurred in packaging up the latest Microsoft bulletin patches into MCS OS upgrades (http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/osbios.htm). The three main categories for updates to CallManager include the underlying Windows OS, Microsoft SQL Server, and the BIOS updates to the MCS, which are all available from the previous link. The Cisco Voice Technology Group Subscription Tool (http://www.cisco.com/cgi-bin/Software/Newsbuilder/Builder/VOICE.cgi) is a nice notification system that will update you when a patch or software upgrade is available for your particular deployment flavor (see Figure 7-12).

Figure 7-12: Cisco Voice Technology Group Subscription Tool

Additionally, the rest of the Cisco infrastructure (routers, switches, phones, and so on) requires constant updating. These alerts can be set using the Product Alert Tool found on Cisco's website at http://tools.cisco.com/Support/PAT/do/ViewMyProfiles.do and shown in Figure 7-13. A login is required to access this tool.

Figure 7-13: Cisco Product Alert Tool

Install Cisco Security Agent and Anti-Virus on CallManager 4. x

Cisco acquired the host-based intrusion prevention system (HIPS) company Okena in January 2003. Okena's HIPS software product was eventually renamed to Cisco Security Agent (http://www.cisco.com/en/US/products/sw/secursw/ps5057/index.html). Cisco Security Agent (CSA) is able to prevent proactively certain types of security flaws from being exploited on a Windows host, regardless of whether or not that host has been fully patched. CSA is included free with most CallManager 4. x installations these days and is a useful defense- in-depth tool.

While CSA is meant for preventing exploitation of vulnerabilities, it is not a panacea for all malware. You should also install your favorite anti-virus software on the CallManager server to prevent malware (worms, viruses, bots, and so on) from creeping in through a variety of other ways besides vulnerability exploitation (network shares, default passwords).

On Cisco CallManager 5. x , CSA is installed by default with the OS image.

Network-Based Intrusion Prevention

As discussed in Chapter 4, network-based intrusion prevention systems (NIPS) are inline network devices that detect and block attacks at wire speed. A NIPS can be deployed in a network in much the same way as a switch or a router, and it is one of the most effective ways to provide a "virtual patch" while you're waiting to apply a software update.

Disable IIS in CallManager 4. x

The Microsoft IIS web server that comes installed on Cisco CallManager 4. x is also connected to the FTP, web, and email services. IIS has historically been associated with numerous security issues in the past, and is best left disabled when not performing an upgrade.

Attack Eavesdropping and Interception Attacks

Popularity:

5

Simplicity:

7

Impact:

7

Risk Rating:

6

As you hopefully remember from Chapters 5 and 6, we demonstrated a variety of attacks that took advantage of weaknesses in network design and architecture in order to eavesdrop and alter VoIP signaling and conversations. To summarize, the preliminary attacks to first gain access to sniffing the network traffic are

Once an attacker has the ability to sniff or alter the network traffic, then there are a variety of VoIP application-level attacks possible including but not limited to

Countermeasurs Eavesdropping and Interception Countermeasures

The following countermeasures cover these two classes of attacks by first walking through how to harden the networking fabric. Next , we'll delve into enabling encryption features across CallManager phones and servers (enabling SRTP and SCCP/TLS) to address the application layer attacks.

Cisco Switch Hardening Recommendations

Many of these recommendations are gleaned from various Cisco best practices documents. Of course, however, they all assume that you have Cisco gear to begin with.

Enabling Port Security on Cisco Switches to Help Mitigate ARP Spoofing   Port security is a mechanism that allows you to allocate legitimate MAC addresses of known servers and devices ahead of time specific to each port on the switch. Thus, you can block access to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address detected is not on the preassigned list. This will help prevent ARP spoofing attacks. Some of the advantages and disadvantages to enabling port security are covered in Cisco's SRND best practices document on voice security (http://tinyurl.com/ngz330). In general, there are two types of port security, the static entry flavor and the "dynamic" learning flavor. With the dynamic type, the port can be configured to learn the correct amount of MAC addresses that are allowed on that port so that an administrator does not need to type in the exact MAC address.

Dynamically Restrict Ethernet Port Access with 802.1 x Port Authentication   Enabling 802.1x port authentication protects against physical attacks whereby someone walking around inside your organization plugs a laptop into an empty network jack in order to sniff traffic. Enabling 802.1x authentication on your switch ports obviously requires that most of your network clients support itone of the main challenges with implementing this feature widely today.

Enable DHCP Snooping to Prevent DHCP Spoofing   As you learned in Chapter 6, DHCP spoofing is a type of man-in-the-middle attack that occurs when an attacker masquerades as a valid DHCP server in order to reroute traffic to his machine. This is typically done by advertising a malicious DNS server with a valid IP address assignment. DHCP snooping is a feature that blocks DHCP responses from ports that don't have DHCP servers associated with them. You can also put static entries in the DHCP-snooping binding table to be used with Dynamic ARP Inspection and IP Source Guard (see next sections) that do not use DHCP. More information on the DHCP snooping feature is available on Cisco's site at http://tinyurl.com/oz4hw.

Configure IP Source Guard on Catalyst Switches   The IP source guard (IPSG) feature uses DCHP snooping to prevent IP spoofing on the network by closely watching all DHCP IP allocations . The switch then allows only the valid IP addresses that have been allocated by the DHCP server on that particular port. This feature mitigates the ability of an attacker trying to spoof an IP address on the local segment. More information on enabling this feature is available on Cisco's site at http://tinyurl.com/oz4hw.

Enable Dynamic ARP Inspection to Also Thwart ARP Spoofing   Dynamic ARP inspection (DAI) is a switch feature that intercepts all ARP requests and replies that traverse untrusted ports. The purpose of this feature is to block inconsistent ARP and GARP replies that do not have the correct MAC to IP address mapping. In turn , this prevents a man-in-the-middle attack. Some of the advantages and disadvantages to enabling DAI are covered in Cisco's SRND best practices document on voice security (http://tinyurl.com/ngz330).

Note 

You must have DHCP snooping enabled to turn on Dynamic ARP inspection (DAI) and IP source guard (IPSG). If you turn DAI or IPSG on without DHCP snooping, you will end up causing a denial of service for all hosts connected on the switch. Without a DHCP snooping binding table entry, hosts will not be able to ARP for the default gateway, and therefore, traffic won't get routed.

Configure VTP Transparent Mode   The VLAN Trunking Protocol (VTP) is a Cisco protocol that enables the addition, deletion, and renaming of VLANs in your network. By default, all Catalyst switches are configured to be VTP servers and any updates will be propagated to all ports configured to receive VLAN updates. If an attacker were able to corrupt the configuration of a switch with the highest configuration version, any VLAN configuration changes would be applied to all other switches in the domain. Put simply, if an attacker compromised your switch with the central configuration on it, she could delete all VLANS across that domain. To alleviate this threat, you can configure switches not to receive VTP updates by setting the ports to VTP transparent mode (see http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_1_20/config/vtp.htm#wp1020711).

Change the Default Native VLAN Value to Thwart VLAN Hopping   Most switches come installed with a default native VLAN ID of VLAN 1. Because attackers can sometimes perform VLAN hopping attacks if they know the VLAN IDs ahead of time, it is usually a good idea to never use VLAN 1 for any traffic. Also, change the default native VLAN ID for all traffic going through the switch, from VLAN 1 to something hard to guess (see http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm).

Disable Dynamic Trunk Protocol and Limit VLANs on Trunk Ports to Thwart VLAN Hopping   If a Cisco switch is set for autotrunking, an attacker can perform a VLAN hopping attack by sending a fake Cisco Dynamic Trunking Protocol (DTP) packet. In doing so, the victim switch port might become a trunk port and start passing traffic destined for any VLAN. The attacker would then able to bypass any VLAN segmentation applied to that port. To mitigate against this attack, DTP should be turned off on all switches that do not need to trunk (see http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml).

Phone Hardening Recommendations

The following is a simple procedure for removing some of the services that are enabled by default on the IP phone, as illustrated in Figure 7-14:

  1. In Cisco Unified CallManager Administration, select Device Phone.

  2. Specify the criteria to find the phone and click Find, or click Find to display a list of all the phones.

  3. To access the Phone Configuration window for the device, click the device name .

  4. Locate and disable the following product-specific parameters:

    • PC port

    • Settings access

    • Gratuitous ARP

    • PC Voice VLAN access

Figure 7-14: Disabling features on a Cisco hard phone

Note 

Disabling GARP only helps protect the phone from man-in-the-middle attacks; obviously the router and other network elements can be prone to attack as well.

Activating Authentication and Encryption

Cisco provides a detailed checklist in order to activate authentication and encryption on your CallManager and phones to ensure that the Skinny signaling sessions require authentication and that they pass over an encrypted TLS tunnel. This also activates SRTP, (RFC 3711) which enables encryption of the actual phone conversations.

  1. Activate the Cisco CTL Provider service in Cisco CallManager Serviceability on each server in the cluster ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuauth.htm#wp1054915 or http://tinyurl.com/y4ecgh).

  2. Activate the Cisco Certificate Authority Proxy service in Cisco CallManager Serviceability to install, upgrade, troubleshoot, or delete locally significant certificates on the publisher database server ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secucapf.htm#wp1082177 or http://tinyurl.com/yyprse).

  3. Configure ports for the TLS connection if you do not want to use the default settings ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuauth.htm#wp1028905 or http://tinyurl.com/y8dmf5).

  4. Obtain at least two security tokens and the passwords, hostnames/IP addresses, and port numbers for the servers that you will configure for the Cisco CTL client ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuauth.htm#wp1029015 or http://tinyurl.com/sfvbb).

  5. Install the Cisco CTL client ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuview.htm#wp1028867 or http://tinyurl.com/y7ds78, http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuview.htm#wp1029357 or http://tinyurl.com/w7vj7, and http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuauth.htm#wp1028944 or http://tinyurl.com/vbpn6).

  6. Configure the Cisco CTL client ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuauth.htm#wp1029015 or http://tinyurl.com/sfvbb).

  7. Configure CAPF to issue certificates ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuview.htm#wp1028867 or http://tinyurl.com/y7ds78, http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secucapf.htm#wp1082192 or http://tinyurl.com/yle4rt, and http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secucapf.htm#wp1067959 or http://tinyurl.com/ycjcyj).

  8. Verify that the locally significant certificates are installed on supported Cisco IP phones ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuview.htm#wp1028867 or http://tinyurl.com/y7ds78, http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secucapf.htm#wp1044293 or http://tinyurl.com/yzem45, and http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secutrbl.htm#wp1058630 or http://tinyurl.com/ylwcl9).

  9. Configure supported phones for authentication or encryption ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuphne.htm#wp1033627 or http://tinyurl.com/yy6mw2).

  10. Perform phone-hardening tasks ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuphne.htm#wp1028813 or http://tinyurl.com/y7cv49).

  11. Configure voicemail ports for security ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuvmp.htm or http://tinyurl.com/yxwd8a).

  12. Configure security settings for SRST references ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secusrst.htm or http://tinyurl.com/y75ldh).

  13. Configure IPSec in the network infrastructure, and configure Cisco IOS MGCP gateways for security ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secumgcp.htm or http://tinyurl.com/y5rt2w and http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secumgcp.htm#wp1060100 or http://tinyurl.com/y5rt2w).

  14. Reset all phones in the cluster ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuview.htm#wp1032075 or http://tinyurl.com/yes4e3).

  15. Reboot all servers in the cluster ( see http://www.cisco.com/univercd/cc/td/doc/product/voice/c_callmg/4_1/sec_vir/ae/sec413/secuview.htm#wp1032075 or http://tinyurl.com/yes4e3).

For more details on any of these specific steps, we recommend reading Cisco CallManager Best Practices by Salvatore Collora (Cisco Press, 2004).

Категории