9 deadly security gaps (continued)
Based on work in production VoIP and UC environments, nine common security gaps stand out that toll fraudsters can easily exploit when only SBCs or MGs are relied on for security:
Weak Policies/Configuration Errors
- 1. Typical MGs and SBCs in many configurations can be easily tricked into accepting calls from unauthorized sources and routing them for free. These devices usually perform only very basic validation of source IP addresses, if any, when accepting calls from a service provider or from an IP-PBX.
- 2. SBCs act as full back-to-back user agents for SIP signaling. In common SBC configurations without application-layer security, the SBC can be manipulated into transferring, routing or forwarding a call out to the PSTN without proper re-authorization, because the usual policy in such configurations authorizes only call origination.
- 3. Typical SBCs and MGs are configured in production with weak management passwords. In many cases, management interfaces are exposed beyond the secure management network: on occasion to the rest of the enterprise or service provider network, sometimes even to customers, and in some extreme cases even over the Internet. As a result, without additional access controls and policy enforcement, such devices can easily be reconfigured by an attacker to route calls.
Functional Limitations
- 4. Internet-facing line-side SBCs typically do not support strong authentication mechanisms such as two-factor authentication, so they can be easily compromised with dictionary attacks into accepting unauthorized users and routing calls for them.
- 5. Internet-facing line-side SBCs typically do not support encrypted configuration protocols for Internet phones. This means that configuration details can be sniffed in transit and used to gain unauthorized access to make toll calls.
- 6. SBCs typically return differentiated error messages that give a fraudster very useful reconnaissance information, such as whether a username or directory number is configured for registration or does not exist in the network. This information can later be used to better target attacks, such as gaining unauthorized access.
- 7. Widely deployed SBCs and MGs are unable to detect atypical call patterns, such as an unusual number of long-distance transfers or forwards from a single caller ID, which are usually indicators of malicious activity including toll fraud. With every hour a toll fraud attack goes undetected, the dollar losses increase.
Vulnerabilities
- 8. Typical SBCs have no mechanism for zero-day attack protection, such as the signature updates commonly used in security devices. A typical SBC is a complex system with hundreds of thousands, if not millions, of lines of code. Penetration testing in live production environments has shown these systems to be vulnerable to attacks such as media anomalies or fuzzing that cause buffer overflows and related issues. Once the SBC is compromised, an attacker can run shell scripts and control the system at will, which could include routing calls for free to the PSTN.
- 9. SBCs and MGs can also be vulnerable to application-layer protocol manipulation attacks, in which fraudsters manipulate packet headers and exploit peculiarities of signaling and media to spoof identities and make unauthorized calls.
Of course, not every MG or SBC deployment will present these issues or risks, and the level of vulnerability to toll fraud depends heavily on other factors in the enterprise and service provider technical environment. Further, these issues do not imply that SIP trunking itself is inherently insecure or less secure than other forms of connectivity. A primary lesson learned over the past several years of VoIP and UC deployment is that attackers have learned to exploit vulnerabilities in the applications that ride over the infrastructure, regardless of the technologies that make up that connectivity. As a consequence, most network demarcation devices will miss these threats and should therefore be complemented by solid endpoint security and application-layer security.
Lastly, a widespread best practice is to conduct periodic security architecture assessments that consider the nine deadly security gaps and any other security issues that pose a threat to privacy or smooth operations. These assessments can pinpoint areas of security weakness and where better application-layer security functions could improve the overall posture.
Application-layer security, which involves the in-depth analysis of both signaling and media by proxy-capable devices, is an increasingly accepted approach to resolving the common security gaps. At the most basic level, application-layer security functions are oriented around:
- 1. Ensuring privacy via encryption of all VoIP/UC traffic, including signaling, media, configuration and services
- 2. Enforcing security policies related to specific users, applications, resources and other parameters
- 3. Controlling access at the DMZ and ensuring authentication of users seeking to utilize network resources or enterprise systems
- 4. Monitoring signaling and media for in-bound threats or attacks
These four basic functions will effectively thwart a toll fraudster because the enterprise gains much greater visibility into, and control over, the traffic that traverses its VoIP systems or uses its PSTN links.
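The fourth function above, monitoring for the atypical call pattern that gap 7 says SBCs and MGs miss (a burst of long-distance transfers or forwards from one caller ID), as an added example that is not part of the original article or any Sipera product: a small sliding-window detector run over constructed CDR lines. The CDR format, the field names and the thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample CDR lines (not from the article):
# timestamp_seconds,caller_id,called_number,action
SAMPLE_CDRS = """\
1000,2015551001,12125550100,call
1020,2015551001,2015551002,call
1100,2015551001,011442079460000,transfer
1130,2015551001,011442079460001,forward
1160,2015551001,011442079460002,transfer
1190,2015551001,011442079460003,transfer
1500,2015551003,011442079460000,transfer
2000,2015551003,011442079460001,forward
2400,2015551003,011442079460002,transfer
"""

# Assumed international dialing prefixes: NANP 011, or 00 / + elsewhere.
LONG_DISTANCE = re.compile(r"^(011|00|\+)\d+$")


def parse_cdrs(text):
    """Parse the constructed CSV CDR format into (ts, caller, callee, action) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, caller, callee, action = line.split(",")
        records.append((int(ts), caller, callee, action))
    return records


def is_long_distance(number):
    return bool(LONG_DISTANCE.match(number))


def detect_transfer_bursts(records, window=300, threshold=3):
    """Return {caller_id: first_alert_ts} for caller IDs that transfer or
    forward at least `threshold` long-distance calls within `window` seconds."""
    recent = defaultdict(deque)  # caller -> timestamps of recent LD transfers/forwards
    alerts = {}
    for ts, caller, callee, action in sorted(records):
        if action not in ("transfer", "forward") or not is_long_distance(callee):
            continue
        q = recent[caller]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and caller not in alerts:
            alerts[caller] = ts
    return alerts


if __name__ == "__main__":
    for caller, ts in detect_transfer_bursts(parse_cdrs(SAMPLE_CDRS)).items():
        print(f"ALERT t={ts}: caller {caller} exceeded long-distance transfer/forward threshold")
```

Caller 2015551001 trips the threshold at t=1160 (three long-distance transfers/forwards inside 300 seconds); caller 2015551003 makes the same number of such calls but spread over 900 seconds and is not flagged.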
Taken together, application-layer security and periodic assessments can help an enterprise to avoid being the next high-profile VoIP toll fraud victim.
Satyam Tyagi is Director of Technical Marketing for Sipera Systems, a supplier of VoIP and Unified Communications systems.