Securing VoIP Networks: Threats, Vulnerabilities and Countermeasures

Peter Thermos reads from his book Listen to author Peter Thermos, as he reads from Chapter 3: Threats and Attacks.

Securing VoIP Networks: Threats, Vulnerabilities and Countermeasures Authors: Peter Thermos and Ari Takanen  345 pages; $44.99 Addison Wesley official book page

SRTP The Secure Real Time Protocol (SRTP) is a profile for the Real Time Protocol (RTP, IETF RFC 3550) to provide confidentiality, integrity, and authentication to media streams and is defined in the IETF RFC 3711. Although there are several signaling protocols (for example, SIP, H.323, Skinny) and several key-exchange mechanisms (for example, MIKEY, SDESCRIPTIONS, ZRTP), SRTP is considered one of the standard mechanism for protecting real-time media (voice and video) in multimedia applications. In addition to protecting the RTP packets, it provides protection for the RTCP (Real-time Transport Control Protocol) messages. RTCP is used primarily to provide QoS feedback (for example, round-trip delay, jitter, bytes and packets sent) to the participating end points of a session. The RTCP messages are transmitted separately from the RTP messages, and separate ports are used for each of the protocols. Therefore, both RTP and RTCP need to be protected during a multimedia session. If RTCP is left unprotected, an attacker can manipulate the RTCP messages between participants and cause service disruption or perform traffic analysis.

The designers of SRTP focused on developing a protocol that can provide adequate protection for media streams but also maintain key properties to support wired and wireless networks in which bandwidth or underlying transport limitations may exist. Some of the highlighted properties are as follows:

• The ability to incorporate new cryptographic transforms.
• Maintain low bandwidth and computational cost.
• Conservative in the size of implementation code. This is useful for devices with limited memory (for example, cell phones).
• Underlying transport independence, including network and physical layers that may be used, and perhaps prone to reordering and packet loss.

For more on VoIP security VoIP security is as bad today as it was two years ago, Black Hat 2007 attendees said recently. Network security expert Mike Chapple explains the security risks of deploying VoIP on an 802.1x network.

These properties make the implementation of SRTP feasible even for mobile devices that have limited memory and processing capabilities. Similar design properties are found in MIKEY (Multimedia Internet KEYing). Therefore, the use of MIKEY for key exchange and SRTP for media protection is one combination of mechanisms to provide adequate security for Internet multimedia applications, including VoIP, video, and conferencing.

The application that implements SRTP has to convert RTP packets to SRTP packets before sending them across the network. The same process is used in reverse to decrypt SRTP packets and convert them to RTP packets.

To see how the conversion process works and to learn more about key management defense measures, download the rest of Chapter 6: Media Protection Mechanisms (.pdf).

¹ H. Schulzrinne, et al. "RTP: A Transport Protocol for Real-Time Applications," IETF RFC 3550, July 2003.
² P. Thermos, T. Bowen, J. Haluska, and Steve Ungar. Using IPSec and Intrusion Detection to protect SIP implanted IP telephony. IEEE GlobeCom, 2004.
³ M. Baugher, D. McGrew, M. Naslund, E. Carrara, and K. Norrman. "The Secure Real-time Transport Protocol (SRTP)," IETF RFC 3711, March 2004.
⁴ F. Andreasen, M. Baugher, and D. Wing. Session Description Protocol Security Descriptions for Media Streams, IETF draft draft-ietf-mmusic-sdescriptions-12.txt, 2005.

Reproduced from the book Securing VoIP Networks: Threats, Vulnerabilities and Countermeasures Copyright [2007], Addison Wesley Professional. Reproduced by permission of Pearson Education, Inc., 800 East 96th Street, Indianapolis, IN 46240. Written permission from Pearson Education, Inc. is required for all other users.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT VoIP Security VoIP tools, attacks could increase threat Cisco warns of security appliance flaws Will VoIP attacks result in more than just spam? Has FFIEC made any VoIP-specific mandates? Enterprise security in 2008: Addressing emerging threats like VoIP and virtualization Why does Skype connect to so many servers? Cisco issues CallManager security update Skype outage highlights VoIP issues Will deploying VoIP on an 802.1x network create security problems? Black Hat 2007: VoIP security reaches tipping point VoIP Security Research PKI and Digital Certificates PKI and digital certificates: Security, authentication and implementation What is the best way to administer exams to students via computer? Should computer exams be transmitted as PDF files or Word files? Should PKI systems be used for laptop encryption? Email authentication showdown: IP-based vs. signature-based VeriSign to shed businesses, return to security roots How do anonymous credentials and selective disclosure certificates affect enterprise IAM? Choosing from the top PKI products and vendors Can the symmetric encryption algorithm for S/MIME messages be changed? Creating a personal digital certificate PKI and Digital Certificates Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary 5 terms you need to know before you employ VoIP  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary