Title:
Understanding Voice over IP security
Publication Information:
Boston, MA : Artech House, 2006
ISBN:
9781596930506
Available:
Item Barcode | Call Number | Material Type | Item Category 1 |
---|---|---|---|
30000010106357 | TK5105.8865 J63 2006 | Open Access Book | Book |
30000010183376 | TK5105.8865 J63 2006 | Open Access Book | Book |
30000010128469 | TK5105.8865 J63 2006 | Open Access Book | Book |
Summary
The authors introduce the basics of security as they apply to Internet communication in general, and VoIP specifically, considering VoIP security from architectural, design and high-level deployment points of view. This book should enable an engineer or manager to appreciate the issues associated with VoIP.
Author Notes
Alan B. Johnston holds a B.E.(Hons) in electrical and electronic engineering from the University of Melbourne, Australia and a Ph.D. in electrical engineering from Lehigh University.
Johnston is an advisory engineer at WorldCom and an adjunct at Washington University.
Table of Contents
Foreword | p. xiii |
Acknowledgments | p. xvii |
1 Introduction | p. 1 |
1.1 VoIP: A Green Field for Attackers | p. 2 |
1.2 Why VoIP Security Is Important | p. 3 |
1.3 The Audience for This Book | p. 4 |
1.4 Organization | p. 4 |
2 Basic Security Concepts: Cryptography | p. 7 |
2.1 Introduction | p. 7 |
2.2 Cryptography Fundamentals | p. 7 |
2.2.1 Secret Key (Symmetric) Cryptography | p. 10 |
2.2.2 Asymmetric (Public Key) Cryptography | p. 12 |
2.2.3 Integrity Protection | p. 13 |
2.2.4 Authenticated and Secure Key Exchange | p. 17 |
2.3 Digital Certificates and Public Key Infrastructures | p. 20 |
2.3.1 Certificate Assertions | p. 22 |
2.3.2 Certificate Authorities | p. 24 |
References | p. 27 |
3 VoIP Systems | p. 29 |
3.1 Introduction | p. 29 |
3.1.2 VoIP Architectures | p. 29 |
3.2 Components | p. 31 |
3.3 Protocols | p. 32 |
3.3.1 Session Initiation Protocol | p. 32 |
3.3.2 Session Description Protocol | p. 39 |
3.3.3 H.323 | p. 42 |
3.3.4 Media Gateway Control Protocols | p. 44 |
3.3.5 Real Time Transport Protocol | p. 46 |
3.3.6 Proprietary Protocols | p. 46 |
3.4 Security Analysis of SIP | p. 48 |
References | p. 49 |
4 Internet Threats and Attacks | p. 51 |
4.1 Introduction | p. 51 |
4.2 Attack Types | p. 51 |
4.2.1 Denial of Service (DoS) | p. 51 |
4.2.2 Man-in-the-Middle | p. 56 |
4.2.3 Replay and Cut-and-Paste Attacks | p. 57 |
4.2.4 Theft of Service | p. 58 |
4.2.5 Eavesdropping | p. 59 |
4.2.6 Impersonation | p. 60 |
4.2.7 Poisoning Attacks (DNS and ARP) | p. 60 |
4.2.8 Credential and Identity Theft | p. 61 |
4.2.9 Redirection/Hijacking | p. 62 |
4.2.10 Session Disruption | p. 63 |
4.3 Attack Methods | p. 64 |
4.3.1 Port Scans | p. 64 |
4.3.2 Malicious Code | p. 65 |
4.3.3 Buffer Overflow | p. 67 |
4.3.5 Password Theft/Guessing | p. 69 |
4.3.6 Tunneling | p. 69 |
4.3.7 Bid Down | p. 69 |
4.4 Summary | p. 70 |
References | p. 70 |
5 Internet Security Architectures | p. 73 |
5.1 Introduction | p. 73 |
5.1.1 Origins of Internet Security Terminology | p. 73 |
5.1.2 Castle Building in the Virtual World | p. 74 |
5.2 Security Policy | p. 75 |
5.3 Risk, Threat, and Vulnerability Assessment | p. 77 |
5.4 Implementing Security | p. 79 |
5.5 Authentication | p. 80 |
5.6 Authorization (Access Control) | p. 82 |
5.7 Auditing | p. 82 |
5.8 Monitoring and Logging | p. 84 |
5.9 Policy Enforcement: Perimeter Security | p. 85 |
5.9.1 Firewalls | p. 86 |
5.9.2 Session Border Controller | p. 90 |
5.9.3 Firewalls and VoIP | p. 92 |
5.10 Network Address Translation | p. 93 |
5.11 Intrusion Detection and Prevention | p. 95 |
5.12 Honeypots and Honeynets | p. 97 |
5.13 Conclusions | p. 97 |
References | p. 98 |
6 Security Protocols | p. 101 |
6.1 Introduction | p. 101 |
6.2 IP Security (IPSec) | p. 103 |
6.2.1 Internet Key Exchange | p. 105 |
6.3 Transport Layer Security (TLS) | p. 107 |
6.4 Datagram Transport Layer Security (DTLS) | p. 111 |
6.5 Secure Shell (SecSH, SSH) | p. 112 |
6.6 Pretty Good Privacy (PGP) | p. 115 |
6.7 DNS Security (DNSSEC) | p. 116 |
References | p. 119 |
7 General Client and Server Security Principles | p. 121 |
7.1 Introduction | p. 121 |
7.2 Physical Security | p. 122 |
7.3 System Security | p. 122 |
7.3.1 Server Security | p. 122 |
7.3.2 Client OS Security | p. 124 |
7.4 LAN Security | p. 126 |
7.4.1 Policy-Based Network Admission | p. 127 |
7.4.2 Endpoint Control | p. 128 |
7.4.3 LAN Segmentation Strategies | p. 129 |
7.4.4 LAN Segmentation and Defense in Depth | p. 130 |
7.5 Secure Administration | p. 131 |
7.6 Real-Time Monitoring of VoIP Activity | p. 132 |
7.7 Federation Security | p. 132 |
7.8 Summary | p. 132 |
References | p. 133 |
8 Authentication | p. 135 |
8.1 Introduction | p. 135 |
8.2 Port-Based Network Access Control (IEEE 802.1x) | p. 137 |
8.3 Remote Authentication Dial-In User Service | p. 140 |
8.4 Conclusions | p. 143 |
References | p. 143 |
9 Signaling Security | p. 145 |
9.1 Introduction | p. 145 |
9.2 SIP Signaling Security | p. 146 |
9.2.1 Basic Authentication | p. 146 |
9.2.2 Digest Authentication | p. 147 |
9.2.3 Pretty Good Privacy | p. 152 |
9.2.4 S/MIME | p. 153 |
9.2.5 Transport Layer Security | p. 155 |
9.2.6 Secure SIP | p. 159 |
9.3 H.323 Signaling Security with H.235 | p. 160 |
References | p. 161 |
10 Media Security | p. 163 |
10.1 Introduction | p. 163 |
10.2 Secure RTP | p. 164 |
10.3 Media Encryption Keying | p. 168 |
10.3.1 Preshared Keys | p. 168 |
10.3.2 Public Key Encryption | p. 169 |
10.3.3 Authenticated Key Management and Exchange | p. 170 |
10.4 Security Descriptions in SDP | p. 172 |
10.5 Multimedia Internet Keying (MIKEY) | p. 173 |
10.5.1 Generation of MIKEY Message by Initiator | p. 177 |
10.5.2 Responder Processing of a MIKEY Message | p. 183 |
10.6 Failure and Fallback Scenarios | p. 186 |
10.7 Alternative Key Management Protocol-ZRTP | p. 188 |
10.8 Future Work | p. 190 |
References | p. 190 |
11 Identity | p. 193 |
11.1 Introduction | p. 193 |
11.2 Names, Addresses, Numbers, and Communication | p. 193 |
11.2.1 E.164 Telephone Numbers | p. 194 |
11.2.2 Internet Names | p. 195 |
11.3 Namespace Management in SIP | p. 196 |
11.3.1 URI Authentication | p. 196 |
11.4 Trust Domains for Asserted Identity | p. 199 |
11.5 Interdomain SIP Identity | p. 202 |
11.5.1 SIP Authenticated Identity Body (AIB) | p. 203 |
11.5.2 Enhanced SIP Identity | p. 204 |
11.6 SIP Certificates Service | p. 209 |
11.7 Other Asserted Identity Methods | p. 217 |
11.7.1 Secure Assertion Markup Language | p. 217 |
11.7.2 Open Settlements Protocol and VoIP | p. 219 |
11.7.3 H.323 Identity | p. 219 |
11.7.4 Third Party Identity and Referred-By | p. 219 |
11.8 Privacy | p. 220 |
References | p. 223 |
12 PSTN Gateway Security | p. 225 |
12.1 Introduction | p. 225 |
12.2 PSTN Security Model | p. 225 |
12.3 Gateway Security | p. 227 |
12.3.1 Gateway Security Architecture | p. 228 |
12.3.2 Gateway Types | p. 229 |
12.3.3 Gateways and Caller ID | p. 230 |
12.3.4 Caller ID and Privacy | p. 231 |
12.3.5 Gateway Decomposition | p. 231 |
12.3.6 SIP/ISUP Interworking | p. 232 |
12.4 Telephone Number Mapping in the DNS | p. 233 |
References | p. 236 |
13 Spam and Spit | p. 237 |
13.1 Introduction | p. 237 |
13.2 Is VoIP Spam Inevitable? | p. 238 |
13.3 Technical Approaches to Combat E-Mail Spam | p. 240 |
13.3.1 Filtering Spam Using Identity Information | p. 240 |
13.3.2 Grey Listing | p. 241 |
13.3.3 Challenge/Response (Sender Verification) | p. 242 |
13.3.4 Distributed Checksum Filtering (DCF) | p. 242 |
13.3.5 Content Filtering | p. 243 |
13.3.6 Summary of Antispam Approaches | p. 243 |
13.4 VoIP and Spit | p. 243 |
13.5 Summary | p. 245 |
References | p. 246 |
14 Conclusions | p. 247 |
14.1 Summary | p. 247 |
14.2 VoIP Is Still New | p. 248 |
14.3 VoIP Endpoints Are New | p. 248 |
14.4 VoIP Standards Are Not Complete | p. 249 |
14.5 Base VoIP Security on Best Current Security Practices for Data | p. 249 |
14.6 VoIP Is a QoS-Sensitive Data Application | p. 250 |
14.7 Merging Public and Private VoIP Services Will Be Problematic | p. 250 |
14.8 Concluding Remarks | p. 251 |
Index | p. 255 |