Pro And Cons Of Security Measure Information Technology Essay

Pro And Cons Of Security Measure Information Technology Essay This work requires the student execute a limited research based assignment in Network security. This work should be a conference style paper. Suggested Topics are given below. However, the work should reflect real thought and effort. The grade will be based on the following factors: novelty, depth, correctness, clarity of presentation, and effort. Students can select any other topics relevant to network security other than listed below with the approval of the module leader. In this paper student should explain the Security issues relevant to their topics and should analyze any two of the security tools/measures widely used to overcome those issues. More emphasize is given to the analysis of pros and cons of the security measures followed where a thorough knowledge/understanding of the problem and its countermeasures are gained. Introduction Voice over Internet Protocol also known as Voice over IP, IP Telephony or VoIP and it started by a small company called Vocaltec, Inc in February 1995 from Israel. [Joe Hallock, A Brief History of VoIP] By that time, it will be the first internet phone software. Vocaltec aims are to provide user to makes phone call from one computer to another computer using sound card, microphone and speaker. This VoIP software created by Vocaltec only works when both caller and the receiver have the same setup software installed. VoIP is design for deliver the voice communication and multimedia session over the Internet Protocol and it is also categorized as one of the internet technology, communication protocol and transmission technology. In simpler terms, VoIP converts the voice signal from your telephone into a digital signal that travels over the Internet. There are three types of VoIP tools that are commonly used; IP Phones, Software VoIP and Mobile and Integrated VoIP. The IP Phones are the most institutionally established but still the least obvious of the VoIP tools. Of all the software VoIP tools that exist, Skype is probably the most easily identifiable. The use of software VoIP has increased during the global recession as many persons, looking for ways to cut costs have turned to these tools for free or inexpensive calling or video conferencing applications. Software VoIP can be further broken down into three classes or subcategories; Web Calling, Voice and Video Instant Messaging and Web Conferencing. Mobile and Integrated VoIP is just another example of the adaptability of VoIP. VoIP is available on many smartphones and internet devices so even the users of portable devices that are not phones can still make calls or send SMS text messages over 3G or WIFI.[2] One of the most significant advantages of VoIP (over a traditional public switched telephone network (PSTN also known as a legacy networks) is that one can make a long distance phone call and bypass the toll charge. This integrated voice/data solution allows large organizations (with the funding to make the transfer from a legacy network to a VoIP network) to carry voice applications over their existing data networks. VoIP telephone systems are susceptible to attacks as are any internet-connected devices. This means that hackers who know about these vulnerabilities (such as insecure passwords) can institute denial-of-service attacks, harvest customer data, record conversations and break into voice mailboxes.[26] Another challenge is routing VoIP traffic through firewalls and network address translators. Private Session Border Controllers are used along with firewalls to enable VoIP calls to and from protected networks. For example, Skype uses a proprietary protocol to route calls through other Skype peers on the network, allowing it to traverse symmetric NATs and firewalls. Other methods to traverse NATs involve using protocols such as STUN or ICE. Many consumer VoIP solutions do not support encryption, although having a secure phone is much easier to implement with VoIP than traditional phone lines. As a result, it is relatively easy to eavesdrop on VoIP calls and even change their content.[27] An attacker with a packet sniffer could intercept your VoIP calls if you are not on a secure VLAN. However, physical security of the switches within an enterprise and the facility security provided by ISPs make packet capture less of a problem than originally foreseen. Further research has shown that tapping into a fiber optic network without detection is difficult if not impossible. This means that once a voice packet is within the internet backbone it is relatively safe from interception. There are open source solutions, such as Wireshark, that facilitate sniffing of VoIP conversations. A modicum of security is afforded by patented audio codecs in proprietary implementations that are not easily available for open source applications[citation needed]; however, such security through obscurity has not proven effective in other fields.[citation needed] Some vendors also use compression, which may make eavesdropping more difficult.[citation needed] However, real security requires encryption and cryptographic authentication which are not widely supported at a consumer level. The existing security standard Secure Real-time Transport Protocol (SRTP) and the new ZRTP protocol are available on Analog Telephone Adapters (ATAs) as well as various softphones. It is possible to use IPsec to secure P2P VoIP by using opportunistic encryption. Skype does not use SRTP, but uses encryption which is transparent to the Skype provider[citation needed]. In 2005, Skype invited a researcher, Dr Tom Berson, to assess the security of the Skype software, and his conclusions are available in a published report.[28] The Voice VPN solution provides secure voice for enterprise VoIP networks by applying IPSec encryption to the digitized voice stream. The IAX2 protocol also supports end-to-end AES-256 encryption natively. Traditional enterprise telecommunications networks used to be viewed as relatively secure because you practically needed to be within physical reach to gain access to them. Sure, things like toll fraud and war dialing were problematic, but those were easily remedied by longer or more complicated passwords and other access controls. The age of converged networks has changed that with voice now traveling over IP networks (VoIP). These converged networks inherit all the security weaknesses of the IP protocol (spoofing, sniffing, denial of service, integrity attacks, and so on). In addition, voice quality and confidentiality are potentially affected by common data network problems such as worms and viruses. Converged networks also offer an array of new vectors for traditional exploits and malware, as each IP endpoint becomes a potential point of network entry. Internet telephony refers to communications services-voice, fax, SMS, and/or voice-messaging applications-that are transported via the Internet, rather than the public switched telephone network (PSTN). The steps involved in originating a VoIP telephone call are signaling and media channel setup, digitization of the analog voice signal, encoding, packetization, and transmission as Internet Protocol (IP) packets over a packet-switched network. On the receiving side, similar steps (usually in the reverse order) such as reception of the IP packets, decoding of the packets and digital-to-analog conversion reproduce the original voice stream.[1] VoIP systems employ session control protocols to control the set-up and tear-down of calls as well as audio codecs which encode speech allowing transmission over an IP network as digital audio via an audio stream. The codec used is varied between different implementations of VoIP (and often a range of codecs are used); some implementations rely on narrowband and compressed speech, while others support high fidelity stereo codecs. Technical review In term of security issues, VoIP encounter numerous of issues reported and some of it can lead into big loss to a company. Below are some of the security issues that discuss in this research. Service Theft The most basic thing a hacker can do with your VoIP service is to steal it. In doing so, the perpetrator can make free calls and possibly start off a new VoIP telephony business of his/her own at amazingly cheap ratesjust like the first criminal who was charged with hacking VoIP 1. Service theft is relatively easy with VoIP because the Session Initiation Protocol (SIP) that is used for authentication in VoIP calls does not use encryption by default. Identity Theft Close on the heels of service theft is the risk of identity theft. If someone can steal a service, they have everything else they need to steal the identity of the person(s) using the service. Accounts as basic as utilities and as critical as financial loans are often tied to a specific phone number. If all else fails, the hacker can, at a minimum, gather sig-nificant information about the target individual(s) to be able to take the next step towards stealing the persons identity. Eavesdropping One might remember when tapping a phone required some serious instruments that needed to be installed at the right places while at the same time the person bugging the phone would have to make sure that nobody watches him/her in action. This procedure is a lot easier with VoIP. The instrument might still look like a phone and work like a phone, but tapping this phone is not at all difficult for someone with the right knowhow and tools and the wrong intentions. Hackers today can take control over several VoIP features such as voicemail, call forwarding, caller ID, call forward-ing, calling plan selection, and billing details. Stealing the VoIP service to enable free calls is actually much less prof-itable and desirable for hackers. Instead, with businesses increasingly using VoIP, sensitive corporate information is now the target. VoIP packets flow over networks like packets of data that can be sniffed just like regular data pack-ets. These packets can then be merged together to play the voice conversation in a normal media player software. Mix VoIP hacking with corporate espionage and you end up with a very lucky and enabled hacker. Vishing Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. What if you were to receive a call from your bank or your credit card company that had an automated voice at the other end asking you to enter your debit/credit card number, PIN, and other details? Chances are you might comply with the request. Better still, if you were the person making the call to your phone banking number then these chances are actually quite high considering the fact that you were the person making the call. In both these cases, a Vishing attack could have been launched using VoIP that could lead you to believe that youre calling an entity that you trust. Specifically in the second case, redirecting your call to a Visher would actually be much easier if you use a VoIP based phone. Denial of Service One VoIP hacking method that can cause significant frustration and losses to businesses is the Denial of Service. As the name suggests, the main aim of the hacker is to ensure that your organization is denied the usage of your VoIP telephony service. Voice calls made by an organization can be manipulated, tampered, and even dropped. Hackers can even flood the target VoIP infrastructure with several call-signaling SIP messages. Many times, these DoS attacks are actually a smokescreen for hackers to plant malware or even take control of systems in the background. Spyware and Malware VoIP infrastructure rests on the same architecture as a normal computer system. Essentially, the issues that a normal computer system can face are quite applicable to VoIP infrastructures as well. Top of the list is spyware and malware. Consider the example of a software application that is used to enable VoIP telephony. A user would have to run this software over a computer, a PDA, an iPhone, or such. This introduces the vulnerabil-ity of falling prey to viruses, spyware, malware, worms, and just about all forms of malicious code. SPAM Spam exists with VoIP, although it is known as SPIT or Spam over Internet Telephony. While more typically just an annoyance, SPIT does at times carry viruses and malware, just like spam. While the occurrence of SPIT is not very common today, trends definitely dictate that SPIT is heading in the direction of SPAM. VoIP telephone systems are susceptible to attacks as are any internet-connected devices. This means that hackers who know about these vulnerabilities (such as insecure passwords) can institute denial-of-service attacks, harvest customer data, record conversations and break into voice mailboxes.[26] Another challenge is routing VoIP traffic through firewalls and network address translators. Private Session Border Controllers are used along with firewalls to enable VoIP calls to and from protected networks. For example, Skype uses a proprietary protocol to route calls through other Skype peers on the network, allowing it to traverse symmetric NATs and firewalls. Other methods to traverse NATs involve using protocols such as STUN or ICE. Many consumer VoIP solutions do not support encryption, although having a secure phone is much easier to implement with VoIP than traditional phone lines. As a result, it is relatively easy to eavesdrop on VoIP calls and even change their content.[27] An attacker with a packet sniffer could intercept your VoIP calls if you are not on a secure VLAN. However, physical security of the switches within an enterprise and the facility security provided by ISPs make packet capture less of a problem than originally foreseen. Further research has shown that tapping into a fiber optic network without detection is difficult if not impossible. This means that once a voice packet is within the internet backbone it is relatively safe from interception. There are open source solutions, such as Wireshark, that facilitate sniffing of VoIP conversations. A modicum of security is afforded by patented audio codecs in proprietary implementations that are not easily available for open source applications[citation needed]; however, such security through obscurity has not proven effective in other fields.[citation needed] Some vendors also use compression, which may make eavesdropping more difficult.[citation needed] However, real security requires encryption and cryptographic authentication which are not widely supported at a consumer level. The existing security standard Secure Real-time Transport Protocol (SRTP) and the new ZRTP protocol are available on Analog Telephone Adapters (ATAs) as well as various softphones. It is possible to use IPsec to secure P2P VoIP by using opportunistic encryption. Skype does not use SRTP, but uses encryption which is transparent to the Skype provider[citation needed]. In 2005, Skype invited a researcher, Dr Tom Berson, to assess the security of the Skype software, and his conclusions are available in a published report.[28] The Voice VPN solution provides secure voice for enterprise VoIP networks by applying IPSec encryption to the digitized voice stream. The IAX2 protocol also supports end-to-end AES-256 encryption natively. Securing VoIP To prevent the above security concerns government and military organizations are using Voice over Secure IP (VoSIP), Secure Voice over IP (SVoIP), and Secure Voice over Secure IP (SVoSIP) to protect confidential and classified VoIP communications.[29] Secure Voice over IP is accomplished by encrypting VoIP with Type 1 encryption. Secure Voice over Secure IP is accomplished by using Type 1 encryption on a classified network, like SIPRNet.[30][31][32][33][34] Public Secure VoIP is also available with free GNU programs.[35] [edit]Caller ID Caller ID support among VoIP providers varies, although the majority of VoIP providers now offer full Caller ID with name on outgoing calls. In a few cases, VoIP providers may allow a caller to spoof the Caller ID information, potentially making calls appear as though they are from a number that does not belong to the caller[36] Business grade VoIP equipment and software often makes it easy to modify caller ID information. Although this can provide many businesses great flexibility, it is also open to abuse. The Truth in Caller ID Act has been in preparation in the US Congress since 2006, but as of January 2009 still has not been enacted. This bill proposes to make it a crime in the United States to knowingly transmit misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value [37] [edit]Compatibility with traditional analog telephone sets Some analog telephone adapters do not decode pulse dialing from older phones. They may only work with push-button telephones using the touch-tone system. The VoIP user may use a pulse-to-tone converter, if needed.[38] [edit]Fax handling Support for sending faxes over VoIP implementations is still limited. The existing voice codecs are not designed for fax transmission; they are designed to digitize an analog representation of a human voice efficiently. However, the inefficiency of digitizing an analog representation (modem signal) of a digital representation (a document image) of analog data (an original document) more than negates any bandwidth advantage of VoIP. In other words, the fax sounds simply do not fit in the VoIP channel. An alternative IP-based solution for delivering fax-over-IP called T.38 is available. The T.38 protocol is designed to compensate for the differences between traditional packet-less communications over analog lines and packet based transmissions which are the basis for IP communications. The fax machine could be a traditional fax machine connected to the PSTN, or an ATA box (or similar). It could be a fax machine with an RJ-45 connector plugged straight into an IP network, or it could be a computer pretending to be a fax machine.[39] Originally, T.38 was designed to use UDP and TCP transmission methods across an IP network. TCP is better suited for use between two IP devices. However, older fax machines, connected to an analog system, benefit from UDP near real-time characteristics due to the no recovery rule when a UDP packet is lost or an error occurs during transmission.[40] UDP transmissions are preferred as they do not require testing for dropped packets and as such since each T.38 packet transmission includes a majority of the data sent in the prior packet, a T. 38 termination point has a higher degree of success in re-assembling the fax transmission back into its original form for interpretation by the end device. This in an attempt to overcome the obstacles of simulating real time transmissions using packet based protocol.[41] There have been updated versions of T.30 to resolve the fax over IP issues, which is the core fax protocol. Some newer high end fax machines have T.38 built-in capabilities which allow the user to plug right into the network and transmit/receive faxes in native T.38 like the Ricoh 4410NF Fax Machine.[42] A unique feature of T.38 is that each packet contains a portion of the main data sent in the previous packet. With T.38, two successive lost packets are needed to actually lose any data. The data you lose will only be a small piece, but with the right settings and error correction mode, there is an increased likelihood that you will receive enough of the transmission to satisfy the requirements of the fax machine for output of the sent document. [edit]Support for other telephony devices Another challenge for VoIP implementations is the proper handling of outgoing calls from other telephony devices such as Digital Video RecordersDVR boxes, satellite television receivers, alarm systems, conventional modems and other similar devices that depend on access to a PSTN telephone line for some or all of their functionality. These types of calls sometimes complete without any problems, but in other cases they fail. If VoIP and cellular substitution becomes very popular, some ancillary equipment makers may be forced to redesign equipment, because it would no longer be possible to assume a conventional PSTN telephone line would be available in consumers homes. Improving Your VoIP The key to securing a VoIP infrastructure is to remember that it involves sending voice over the Internet Protocol (IP). So, the way to secure it is quite similar to the way you deal with an IP data network. Here are the key aspects to keep in mind when securing a VoIP infrastructure Encryption VoIP packets, by default, are transmitted in clear-text and so encryption is vital to ensure confidentiality. VoIP in-frastructures based on Secure Real-time Transport Protocol (SRTP) take a step ahead of the unencrypted SIP and en-sure that VoIP traffic privacy and confidentiality is maintained. Alternatively, encryption in the form of Transport Layer Security (TLS) or Internet Protocol Security (IPSec) can also make a great difference. Network Design A basic rule of thumb to remember is to logically separate voice and data networks. The best case scenario would be to let the VoIP infrastructure have its own isolated network with only the minimum necessary interactions with other sub-networks via secure firewalls. Having dedicated VoIP servers with audited and hardened operating systems and all unnecessary services disabled is the next step to fortifying your VoIP infrastructure. Soft Phones Soft phones add to an administrators misery by offering another end point that needs to be secured. The ideal solu-tion is to avoid using Soft phones altogether. If they must be used, ensure that they are fully hardened and patched at all times. While it adds an additional bur-den, it is absolutely paramount to the security of the VoIP infrastructure. Hard Phones Hard phones offer a great alternative to soft phones, especially when coupled with private branch exchange (PBX) systems running on a hardened and, preferably, dedicated server. Periodic checks and updates are essential to ensure that the IP-PBX and IP Phone firmware is fully patched. Physical Security This is an often understated aspect of VoIP security. While an organization can spend countless hours and resources securing the medium of transmission, it is critical to also ensure the physical security of the enabling infrastructure components like the hard phones, the VoIP servers, and any other device that directly or indirectly supports the VoIP infrastructure. Physical security can become the Achilles heel of your VoIP infrastructure if it is not respected. Defaults and Passwords More often than not, default passwords and settings are not secure. These defaults are created with a generic scenario in mind and will most likely not fit the requirements and customization that your organization demands. It is impor-tant to replace all default passwords with strong passwords that are at least eight characters long, and employ a com-bination of uppercase letters, lowercase letters, numbers, and special characters. This should be further bolstered by good password policies and robust identity management. Voice Messaging Systems and Storage One typical area that is easy to miss is the security of calls that are stored on voice messaging systems. Ensure that the voice message boxes of all users require that the password be changed each time the service is used. It might cause a bit of inconvenience, but it will also offer a mile of improved security. It is also important to secure the storage of voice messages by performing periodic checks and audits to look for exploitable holes. Vulnerability Assessments Last, but most important, a periodic vulnerability assessment of the VoIP infrastructure can ensure that no holes have emerged due to the ever-changing nature of business requirements and the networks that support them. Inde-pendent audits can often provide useful insights into the state of the VoIP infrastructure and serve as an additional piece of evidence of due diligence in the regulatory compliance armory. Make VoIP Work For You VoIP has truly been a genuine money saver for businesses all over the world and the world is a smaller place, in part thanks to VoIP technology. The security issues around VoIP are serious and very real. However, taking the right steps and countermeasures can truly help your organization make the most of VoIP. The Internet is like alcohol in some sense. It accentuates what you would do anyway. If you want to be a loner, you can be more alone. If you want to connect, it makes it easier to connect. Research Methodology Secondary resources such as journal, white paper and thesis are being use in this research to analyze and further study in order to produce this research. Evaluation VoIP Sniffing Tools VoIP Scanning and Enumeration Tools VoIP Fuzzing Tools VoIP Sniffing Tools AuthTool Tool that attempts to determine the password of a user by analyzing SIP traffic. Cain Abel Multi-purpose tool with the capability to reconstruct RTP media calls. CommView VoIP Analyzer VoIP analysis module for CommView that is suited for real-time capturing and analyzing Internet telephony (VoIP) events, such as call flow, signaling sessions, registrations, media streams, errors, etc. Etherpeek general purpose VoIP and general ethernet sniffer. ILTY (Im Listening To You) Open-source, multi-channel SKINNY sniffer. NetDude A framework for inspection, analysis and manipulation of tcpdump trace files. Oreka Oreka is a modular and cross-platform system for recording and retrieval of audio streams. PSIPDump psipdump is a tool for dumping SIP sessions (+RTP traffic, if available) from pcap to disk in a fashion similar to tcpdump -w. rtpBreak rtpBreak detects, reconstructs and analyzes any RTP session through heuristics over the UDP network traffic. It works well with SIP, H.323, SCCP and any other signaling protocol. In particular, it doesnt require the presence of RTCP packets. SIPomatic SIP listener thats part of LinPhone SIPv6 Analyzer An Analyzer for SIP and IPv6. UCSniff UCSniff is an assessment tool that allows users to rapidly test for the threat of unauthorized VoIP eavesdropping. UCSniff supports SIP and Skinny signaling, G.711-ulaw and G.722 codecs, and a MITM ARP Poisoning mode. VoiPong VoIPong is a utility which detects all Voice Over IP calls on a pipeline, and for those which are G711 encoded, dumps actual conversation to separate wave files. It supports SIP, H323, Ciscos Skinny Client Protocol, RTP and RTCP. VoIPong ISO Bootable Bootable Live-CD disc version of VoIPong. VOMIT The vomit utility converts a Cisco IP phone conversation into a wave file that can be played with ordinary sound players. Wireshark Formerly Ethereal, the premier multi-platform network traffic analyzer. WIST Web Interface for SIP Trace a PHP Web Interface that permits you to connect on a remote host/port and capture/filter a SIP dialog. VoIP Scanning and Enumeration Tools EnableSecurity VoIPPack for CANVAS VoIPPack is a set of tools that are designed to work with Immunity CANVAS. The tools perform scans, enumeration, and password attacks. enumIAX An IAX2 (Asterisk) login enumerator using REGREQ messages. iaxscan iaxscan is a Python based scanner for detecting live IAX/2 hosts and then enumerating (by bruteforce) users on those hosts. iWar IAX2 protocol Wardialer Nessus The premier free network vulnerability scanner. nmap the premier open source network port scanner. Passive Vulnerability Scanner The Tenable Passive Vulnerability Scanner (PVS) can find out what is happening on your network without actively scanning it. PVS detects the actual protocol, various administrative interfaces, and VoIP scanner(s). Currently includes over 40 VoIP checks. SCTPScan This tool enumerates open SCTP ports without establishing a full SCTP association with the remote host. You can also scan whole networks to find SCTP-speaking machines. SIP Forum Test Framework (SFTF) The SIP Forum Test Framework (SFTF) was created to allow SIP device vendors to test their devices for common errors. SIP-Scan A fast SIP network scanner SIPcrack SIPcrack is a SIP protocol login cracker. It contains 2 programs, SIPdump to sniff SIP logins over the network and SIPcrack to bruteforce the passwords of the sniffed login. Sipflanker Sipflanker will help you find SIP devices with potentially vulnerable Web GUIs in your network. SIPSCAN SIPSCAN is a SIP username enumerator that uses INVITE, REGISTER, and OPTIONS methods. SIPVicious Tool Suite svmap, svwar, svcrack svmap is a sip scanner. It lists SIP devices found on an IP range. svwar identifies active extensions on a PBX. svcrack is an online password cracker for SIP PBX SiVuS A SIP Vulnerability Scanner. SMAP SIP Stack Fingerprinting Scanner VLANping VLANPing is a network pinging utility that can work with a VLAN tag. VoIPAudit VoIP specific scanning and vulnerability scanner. VoIP Fuzzing Tools Asteroid this is a set of malformed SIP methods (INVITE, CANCEL, BYE, etc.) that can be crafted to send to any phone or proxy. Codenomicon VoIP Fuzzers Commercial versions of the free PROTOS toolset Fuzzy Packet Fuzzy packet is a tool to manipulate messages through the injection, capturing, receiving or sending of packets generated over a network. Can fuzz RTP and includes built-in ARP poisoner. Interstate Fuzzer VoIP Fuzzer Mu Dynamics VoIP, IPTV, IMS Fuzzing Platform Fuzzing appliance for SIP, Diameter, H.323 and MGCP protocols. ohrwurm ohrwurm is a small and simple RTP fuzzer. PROTOS H.323 Fuzzer a java tool that sends a set of malformed H.323 messages designed by the University of OULU in Finland. PROTOS SIP Fuzzer a java tool that sends a set of malformed SIP messages designed by the University of OULU in Finland. SIP Forum Test Framework (SFTF) SFTF was created to allow SIP device vendors to test their devices for common errors. And as a result of these tests improve the interoperability of the devices on the market in general. Sip-Proxy Acts as a proxy between a VoIP UserAgent and a VoIP PBX. Exchanged SIP messages pass through the application and can be recorded, manipulated, or fuzzed. Spirent ThreatEx a commercial protocol fuzzer and ribustness tester. VoIPER VoIPER is a security toolkit that aims to allow developers and security researchers to easily, extensively and automatically test VoIP devices for security vulnerabilties. Differences in how security countermeasures are applied Discussion The Advantages and Disadvantages of VoIP VoIP has many advantages over a regular phone service. However, like any emerging technology, there are still a few kinks in the system. However, as standards are developed it becomes more reliab