Protecting your voice gateway is extremely important for preventing toll fraud and other criminal activities that can be conducted through your VoIP system. This post covers five key areas that can help reduce risks to your voice gateway.
The other day I was looking through my firewall logs and noticed numerous connection attempts on UDP and TCP port 5060. Since I don't utilize SIP for my home phone service, I wasn't too concerned with these connection attempts, but I was curious to see who was knocking on my digital door. When I checked the IP address range that the scans were coming from, I saw that a large cable Internet service provider owned it. More than likely these packets were from some knucklehead running a VoIP scanning tool against my network range. While I was not going to lose sleep over someone scanning my network for SIP services I was not running, it did highlight for me the fact that there are many VoIP gateways out on the Internet that are not being protected properly, and plenty of ethically challenged individuals who are more than happy to take advantage of them.
While my experience with VoIP abuse was harmless, in April of this year we saw an example of the dark side of cloud computing through a SIP brute-force password attack that originated from Amazon's EC2 cloud service. Someone grabbed their credit card (I'm SURE it was their own personal credit card) and spun up a few virtual machines on Amazon to find and exploit unsecured SIP services on the Internet. While this may have seemed like a good idea, the attackers didn't realize that they had just unleashed the digital equivalent of Godzilla on an unsuspecting Tokyo, resulting in a serious cloud computing smackdown. Amazon promptly shut down the VMs after it received reports of numerous sites being taken down through a denial of service because of the amount of traffic the VMs were slamming their poor phone systems and Internet pipes with. One site claimed it was getting hit with over 6 GB of traffic a day. This traffic was being generated by an application scanning for SIP services on VoIP gateways and then trying to guess the password. Since Amazon's cloud service can auto-scale computing power and bandwidth based on how much an application uses, the scanner ended up flooding these sites with traffic. For more info from an actual victim of these attacks and their experience trying to get Amazon to turn off the digital firehose, click here.
These attacks against voice gateways are not a one-time thing based on a specific vulnerability, but a continuous search for exploitable systems. Criminals already realize the economic viability of stealing voice services through the Internet: they can resell VoIP services, make expensive calls, and conduct voice phishing attacks against a business's customers. With the proliferation of SIP voice services offering businesses and end users a less expensive alternative to the traditional landline, this threat will only get worse. The Internet Storm Center, run by the SANS Institute, shows that reports of scans and attacks on SIP port 5060 have increased significantly since June of this year, validating that this attack trend is on the upswing.
[Figure: TCP port 5060 scans on the rise. Source: SANS Internet Storm Center]
The good news is that the impact of many of these threats can be mitigated through five basic security precautions.
- Harden your voice gateway: Your voice gateway should present the smallest attack surface possible. If your gateway is a router, disable unneeded services and use its firewall features to block access to any ports you don't use; SIP signaling (UDP/TCP 5060, and TLS on TCP 5061) should only be reachable from the addresses that legitimately need it, such as your SIP trunk provider. An intrusion prevention system and a firewall are strongly encouraged if you intend to expose your VoIP gateway to the Internet. If you are deploying a SIP trunk, make sure you enable Session Border Controller (SBC) functionality to firewall your voice network and hide it (from a SIP perspective) from the outside world. Cisco's SBC implementation, Cisco Unified Border Element (CUBE), runs on its gateways and provides many of these protective mechanisms in software.
- Segment your voice VLANs: Your voice network should be separated from your data network through firewalling and VLANs. This prevents direct access from the data side of your network and minimizes the exposure of the voice gateway and call control functions. Preventing a potential attacker from communicating with the voice network at all is one of the best defenses against VoIP attacks. If software phones are used on PCs, they should only be allowed access with encryption, and preferably through a VPN.
- Use authentication and encryption: Voice protocols come in two flavors: TLS encrypted, and please hack me now. If you want to ensure that only authorized users are connecting to your voice services, you need authentication to validate that they are who they say they are and encryption to maintain the confidentiality of the session. Any end-user passwords should follow good security practices and not be easy to guess or found in a dictionary; SIP digest authentication is only as strong as the password behind it, and an attacker who captures an unencrypted challenge/response can test guesses offline at whatever speed their hardware allows. SIP services should be offered over TLS on TCP port 5061, which in conjunction with strong authentication adds a much higher degree of security to SIP voice trunks. Keep in mind that TLS protects the SIP signaling only; the audio stream (RTP) needs SRTP if the calls themselves are to stay confidential.
- Monitor voice network security and review call logs: Voice gateway call logs (call detail records) are a record of every call made to and from the voice gateway. They are very useful for identifying malicious behavior, such as a burst of international or premium-rate calls at 3 a.m. from a single extension, and can help you spot an attack or compromise before you get the huge bill. Repeated SIP registration failures from one source address in your gateway and firewall logs are the signature of a password-guessing scan; a firewall or IPS can block such attempts in real time, and its logs tell you who is probing.
- Audit the security of your voice network: The voice network is like any other critical application on the network and should be audited against configuration and security good practices. An audit will find holes that attackers can exploit and give you the opportunity to fix them before you have to do the walk of shame into your boss's office.
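To make the "not in a dictionary" point in the authentication item concrete, here is an added example (not code from the original post) of what a scanner does with a SIP digest exchange it has captured from an unencrypted port 5060 session. The realm, nonce, usernames, passwords and the wordlist are all constructed for illustration; the digest computation follows the SIP Digest scheme (RFC 3261 section 22, MD5 without qop) in its minimal form.

```python
import hashlib
import re
import secrets
import string

# Constructed values for the example; nothing here comes from a real capture.
REALM = "voip.example.com"
METHOD = "REGISTER"           # taken from the request line, not the header
URI = "sip:voip.example.com"
NONCE = "4c1d7b2e9f0a3d5c"    # constructed server challenge value


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def sip_digest_response(username, password, realm, method, uri, nonce):
    """Compute the Digest 'response' value the client sends back (no qop)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization_header(username, password):
    """The Authorization line a phone puts in its re-sent REGISTER after a 401."""
    resp = sip_digest_response(username, password, REALM, METHOD, URI, NONCE)
    return (f'Authorization: Digest username="{username}", realm="{REALM}", '
            f'nonce="{NONCE}", uri="{URI}", response="{resp}", algorithm=MD5')


def parse_authorization_header(header):
    """Pull the quoted parameters out of an Authorization header."""
    return dict(re.findall(r'(\w+)="([^"]*)"', header))


def crack_digest(header, wordlist):
    """Offline dictionary attack on a captured challenge/response.
    Returns the password if it is in the wordlist, otherwise None."""
    p = parse_authorization_header(header)
    for candidate in wordlist:
        guess = sip_digest_response(p["username"], candidate, p["realm"],
                                    METHOD, p["uri"], p["nonce"])
        if guess == p["response"]:
            return candidate
    return None


def strong_sip_password(length=24):
    """Random credential that no wordlist will contain."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


# A few entries of the kind a scanner carries: extension numbers,
# vendor defaults and the usual suspects (constructed list).
WORDLIST = ["1234", "password", "1001", "admin", "voip123", "welcome1"]


def demo():
    """Crack a weak credential (password equals the extension) and fail on a strong one."""
    weak = build_authorization_header("1001", "1001")
    strong = build_authorization_header("1001", strong_sip_password())
    return crack_digest(weak, WORDLIST), crack_digest(strong, WORDLIST)


if __name__ == "__main__":
    print(demo())  # ('1001', None)
```

The weak credential falls to a six-word list in microseconds; a real scanner carries millions of entries and also tries the extension number itself, which is exactly the pattern in the first case. Moving SIP to TLS on 5061 hides the exchange from an on-path observer, but the gateway still answers online guesses, so strong credentials and a lockout or rate limit on failed registrations are needed either way.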
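The monitoring item above says call logs and firewall logs will show an attack before the bill arrives; the following is an added example (not code from the original post) of the two checks a practitioner would actually run over them: a sliding-window count of SIP registration failures per source address, and a scan of call detail records for high-cost calls placed outside business hours. The log lines, the CDR rows and their formats are constructed for this example; real gateways log differently, so the regex and the CDR columns are assumptions to adapt to your own equipment.

```python
import csv
import io
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed gateway syslog excerpt: one scanner hammering REGISTER, one
# legitimate user who mistyped a password once and then succeeded.
AUTH_LOG = """\
2011-09-14T02:11:03Z gw1 sip: REGISTER auth failed user=1001 src=198.51.100.23
2011-09-14T02:11:04Z gw1 sip: REGISTER auth failed user=1001 src=198.51.100.23
2011-09-14T02:11:05Z gw1 sip: REGISTER auth failed user=1001 src=198.51.100.23
2011-09-14T02:11:07Z gw1 sip: REGISTER auth failed user=1002 src=198.51.100.23
2011-09-14T02:11:09Z gw1 sip: REGISTER auth failed user=1002 src=198.51.100.23
2011-09-14T02:11:12Z gw1 sip: REGISTER auth failed user=1003 src=198.51.100.23
2011-09-14T02:11:15Z gw1 sip: REGISTER auth failed user=1003 src=198.51.100.23
2011-09-14T02:11:20Z gw1 sip: REGISTER auth failed user=admin src=198.51.100.23
2011-09-14T09:42:11Z gw1 sip: REGISTER auth failed user=1005 src=203.0.113.7
2011-09-14T09:42:30Z gw1 sip: REGISTER auth ok user=1005 src=203.0.113.7
"""

# Constructed call detail records: extension 1001 placing international and
# premium-rate calls in the middle of the night is the toll-fraud pattern.
CDR = """\
start,ext,dialed,duration_s
2011-09-14T14:05:00Z,1001,2125551212,180
2011-09-14T15:30:00Z,1002,0114420712345678,300
2011-09-14T02:30:00Z,1001,0114420712345678,1200
2011-09-14T02:35:00Z,1001,0119221234567,900
2011-09-14T02:40:00Z,1001,9005551234,600
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sip: REGISTER auth failed user=(?P<user>\S+) src=(?P<src>\S+)$")

# Assumed North American dialing plan: 011 = international, 900 = premium rate.
HIGH_COST_PREFIXES = ("011", "900", "+")
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59; timestamps treated as local


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Source IPs with at least `threshold` REGISTER failures inside any `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            failures[m["src"]].append(parse_ts(m["ts"]))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def suspicious_calls(cdr_text):
    """High-cost calls outside business hours, plus high-cost minutes per extension."""
    findings = []
    minutes = Counter()
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if not row["dialed"].startswith(HIGH_COST_PREFIXES):
            continue
        minutes[row["ext"]] += int(row["duration_s"]) / 60
        if parse_ts(row["start"]).hour not in BUSINESS_HOURS:
            findings.append((row["ext"], row["dialed"], row["start"]))
    return findings, minutes


if __name__ == "__main__":
    print(brute_force_sources(AUTH_LOG))  # {'198.51.100.23': 8}
    print(suspicious_calls(CDR))
```

Feed the first function from your syslog collector and push every flagged address into the firewall's deny list; feed the second from the gateway's exported CDRs on a schedule of hours, not days, since a compromised extension can run up thousands of minutes overnight. The 45 high-cost minutes attributed to extension 1001 here would be the number to compare against that extension's normal daily usage.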
In my next post I will go over some great tools that you can use for testing and auditing VoIP security. Until then, feel free to share your thoughts in the comments below.