Re: VOIP: RTP vs SRTP

From: thefifth (thefifth@ameritech.net)
Date: Thu Mar 16 2006 - 00:25:16 EST


From my experience using IPSec VPN (and now SSL-VPN) for securing VoIP has
been pretty straightforward, for remote soft-clients and site-2-site calls.
It secures both the signaling and media traffic. This is assuming that the
IPSec environment/concentrators can support QoS - i.e. DiffServ to
prioritize and expedite VoIP traffic over HTTP or FTP for example.

On the LAN it gets a little more complicated in that you don't want a bunch
of potential bottlenecks (firewalls) creating jitter, latency and delay
which can impair overall voice quality. In the LAN VLAN segmentation can
help as part of a layered defense, but it's not foolproof, i.e. dsniff
tools. Therefore the LAN infrastructure needs to be able to detect ARP
spoofing, DHCP server spoofing, etc. while enforcing L2-4 firewall policy at
the individual switch port. In this type of LAN infrastructure VLAN
segmentation and policy enforcement can help preserve VoIP quality in the
case of broadcast storm or massive traffic floods via DDoS.

802.1x helps at least authenticate the VoIP hard sets and other devices on
the network. It can also help to dynamically assign the device and/or user
to the appropriate VLAN. Look for IP Phones that support 802.1x for
authentication. It helps.

With SIP in particular there are many different sessions and call states
active simultaneously. Also there may be more than just voice in a SIP
"call" i.e. video, IM, presence, etc. In a multimedia/VoIP call many ports
are opened dynamically which makes firewall rule/policy creation and
implementation very difficult. Imagine a VoIP conference call for a simple
case.

Finally, NAT - if not done correctly (i.e. SIP-NAT ALGs) will break most
conversations.

On the IDS/IPS front remember that VoIP media traffic is relatively small
packets which require real-time performance. Inspection of a lot of small
packets at a high rate can be very costly on the throughput/performance of
the IDS/IPS if they can even identify the traffic at all.

What's getting popular right now are Application Layer Gateways/Firewalls
for multimedia. They've been available in the VoIP/ISP space for a little
while now and are now coming to the enterprise space. Most will provide
encryption, NAT capability, and "Pin-Hole" firewall capabilities based on
the session and call state. I've seen them from Sipera (www.sipera.com) and
Nortel (www.nortel.com).

At the end of the day a layered defense is your best bet, but don't forget
about the QoS requirements.
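The points above about SIP opening many media ports dynamically, firewalls needing "pin-hole" rules tied to call state, and NAT breaking calls unless a SIP-aware ALG rewrites the SDP can be made concrete with a small model. The code below is an added example, not part of the original post and not code from Sipera, Nortel or any other product mentioned in the thread. It parses the SDP body of a SIP INVITE, lists the RTP/RTCP UDP pinholes a call-state-aware firewall would open for exactly that call, and performs the address/port rewrite a SIP-NAT ALG does while recording the NAT bindings. The SDP body, the addresses and the port range are constructed sample values; the `SipNatAlg` class and its allocation policy are hypothetical and deliberately minimal (it does not track the SIP dialog, tear down bindings on BYE, or rewrite the `o=` line).

```python
"""Model of what a SIP-NAT ALG / session-aware firewall does with the SDP
inside an INVITE: find the dynamically negotiated RTP/RTCP ports, open only
those pinholes, and rewrite private addresses/ports for NAT.
Added example; hypothetical code, not from any product named in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample SDP body (not captured from a real call).
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 10.0.0.6\r\n"          # media-level c= overrides the session-level one
    "a=rtcp:51375\r\n"               # RFC 3605: RTCP not on port+1
    "m=application 0 RTP/AVP 100\r\n"  # port 0 = stream rejected, no pinhole
)


@dataclass
class MediaStream:
    kind: str        # audio, video, ...
    addr: str        # where the far end must send media (session or media-level c=)
    port: int        # RTP port from the m= line
    proto: str       # RTP/AVP = plain RTP, RTP/SAVP = SRTP; ports are negotiated the same way
    rtcp_port: int   # port+1 unless an a=rtcp: attribute says otherwise


def parse_sdp_media(body: str) -> List[MediaStream]:
    """Return the media streams the offer actually sets up (port 0 = rejected)."""
    streams: List[MediaStream] = []
    session_addr = ""
    current: Optional[MediaStream] = None
    for line in body.split("\r\n"):
        key, _, value = line.partition("=")
        if key == "c":                       # c=<nettype> <addrtype> <address>[/ttl]
            addr = value.split()[2].split("/")[0]
            if current is None:
                session_addr = addr
            else:
                current.addr = addr          # media-level c= overrides the session one
        elif key == "m":                     # m=<media> <port> <proto> <fmt>...
            kind, port, proto = value.split()[:3]
            current = MediaStream(kind, session_addr, int(port), proto, int(port) + 1)
            streams.append(current)
        elif key == "a" and current is not None and value.startswith("rtcp:"):
            current.rtcp_port = int(value[5:].split()[0])
    return [s for s in streams if s.port != 0]


def pinholes(streams: List[MediaStream]) -> List[Tuple[str, int, str]]:
    """UDP (address, port, label) tuples a call-state-aware firewall opens for this call."""
    holes: List[Tuple[str, int, str]] = []
    for s in streams:
        holes.append((s.addr, s.port, f"{s.kind}-rtp"))
        holes.append((s.addr, s.rtcp_port, f"{s.kind}-rtcp"))
    return holes


class SipNatAlg:
    """Hypothetical minimal SIP-NAT ALG: rewrites private addresses/ports in the
    SDP and records the NAT bindings the media path will need."""

    def __init__(self, public_ip: str, private_net: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.next_port = first_port
        # (public ip, public port) -> (private ip, private port)
        self.bindings: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _is_private(self, addr: str) -> bool:
        return ipaddress.ip_address(addr) in self.private_net

    def _bind_pair(self, s: MediaStream) -> int:
        """Allocate an even/odd public pair so RTCP = RTP+1 still holds outside."""
        pub = self.next_port
        self.next_port += 2
        self.bindings[(self.public_ip, pub)] = (s.addr, s.port)
        self.bindings[(self.public_ip, pub + 1)] = (s.addr, s.rtcp_port)
        return pub

    def rewrite(self, body: str) -> str:
        pending = parse_sdp_media(body)      # same order as the non-zero m= lines
        out: List[str] = []
        pub_port: Optional[int] = None       # public RTP port of the current m= section
        for line in body.split("\r\n"):
            key, _, value = line.partition("=")
            if key == "c":
                parts = value.split()
                if self._is_private(parts[2].split("/")[0]):
                    parts[2] = self.public_ip
                    line = "c=" + " ".join(parts)
            elif key == "m":
                parts = value.split()
                pub_port = None
                if parts[1] != "0":
                    s = pending.pop(0)
                    if self._is_private(s.addr):
                        pub_port = self._bind_pair(s)
                        parts[1] = str(pub_port)
                        line = "m=" + " ".join(parts)
            elif key == "a" and value.startswith("rtcp:") and pub_port is not None:
                line = f"a=rtcp:{pub_port + 1}"   # assumes the port-only a=rtcp form
            out.append(line)
        return "\r\n".join(out)


if __name__ == "__main__":
    inside = parse_sdp_media(SAMPLE_SDP)
    print("internal pinholes:", pinholes(inside))
    alg = SipNatAlg("203.0.113.10", "10.0.0.0/8")
    rewritten = alg.rewrite(SAMPLE_SDP)
    print("external pinholes:", pinholes(parse_sdp_media(rewritten)))
    print("NAT bindings:", alg.bindings)
```

Two things the model makes visible: the firewall cannot know the media ports from a static rule set, because they only exist once the SDP has been parsed (and they change per call and per stream), and a NAT that forwards the packet without this rewrite leaves the remote side sending RTP to a 10.x address it cannot reach, which is the "NAT breaks most conversations" failure. Whether the `m=` line says `RTP/AVP` or `RTP/SAVP` (SRTP) makes no difference to the port handling, so SRTP does not remove the need for the ALG or the pinholes; it only protects the media payload once they are in place. A production ALG would additionally update `Content-Length`, rewrite `Via`/`Contact` for the signalling path, and release the bindings when the dialog ends.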

----- Original Message -----
From: "Ken Kousky" <kkousky@ip3inc.com>
To: "'Chris Serafin'" <chris@chrisserafin.com>; <defragz@hotmail.com>;
<pen-test@securityfocus.com>
Cc: "Mike Brown" <MBrown@ip3inc.com>
Sent: Sunday, March 12, 2006 12:14 PM
Subject: RE: VOIP: RTP vs SRTP

> There's no question that VoIP Security is a BIG issue. Most management
> surveys say that it's the first or second reason given for why companies
> are delaying on VoIP.
>
> VoIPSA is certainly a resource, as is NIST. They publish a free report (it's
> really a 100 page book) on Securing VoIP and it's probably the best guide
> in the industry. It's also a great VoIP primer and best of all, you've
> already paid for it in your tax dollars so you can download it at no cost.
> (The administration has not reclassified it as top secret yet)
>
> It's at:
> http://www.csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
>
> The most important lessons here are the recommendations to avoid soft
> phones and to segment VoIP on a VLAN will prevent many of the desired voip
> benefits so the security frameworks don't map to reality.
>
> If you'd like to present your work in this field or just learn more about
> VoIP security join us at the Second Annual VoIP Security Conference hosted
> by IP3 and Illinois Institute of Technology:
>
> Call for Speakers and Sponsors
> The 2nd Annual
> Managing VoIP Security Conference
> (MVSC 2006)
> May 17-18, 2006
>
> IIT- Illinois Institute of Technology
> Herman Union Building- Conference Center
> Chicago, Illinois, USA
> www.voip-wifi.net
> or visit:
> www.ip3seminars.com/conf.htm
>
> -----Original Message-----
> From: Chris Serafin [mailto:chris@chrisserafin.com]
> Sent: Friday, March 10, 2006 11:55 AM
> To: defragz@hotmail.com; pen-test@securityfocus.com
> Subject: RE: VOIP: RTP vs SRTP
>
> I have been thinking of writing a paper about VoIP security also. In my
> experience [solely Cisco voip] there is absolutely no security in place
> for any VoIP.
>
> Chris Serafin
> IT Security / VoIP Engineer
> chris@chrisserafin.com
>
> -----Original Message-----
> From: defragz@hotmail.com [mailto:defragz@hotmail.com]
> Sent: Friday, March 10, 2006 2:23 AM
> To: pen-test@securityfocus.com
> Subject: VOIP: RTP vs SRTP
>
> Hello list,
>
> Planning some internal presentations on VoIP, I was wondering if SRTP
> (Secure Real Time Protocol) is now really in use, as a secure replacement
> of RTP.
>
> More generally, from your experience, and from what you have seen in "real
> life", do you think that VoIP security is getting better? Do people use
> crypto to protect both data and signalling?
> I would love to hear your feedback...
> -Franck
>
>
> ----------------------------------------------------------------------------
> --
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> As attacks through web applications continue to rise, you need to
> proactively
> protect your applications from hackers. Cenzic has the most comprehensive
> solutions to meet your application security penetration testing and
> vulnerability management needs. You have an option to go with a managed
> service (Cenzic ClickToSecure) or an enterprise software (Cenzic
> Hailstorm).
>
> Download FREE whitepaper on how a managed service can help you:
> http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request@cenzic.com
> ----------------------------------------------------------------------------
> --


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:41 EDT