Outlines
Supporting Protocols
Why VoIP security differs from data network security
Need for new security technologies beyond those used on data networks
Intruders have many potentially vulnerable points to attack
VoIP networks add specialized software, such as call managers, to place and route calls
Many network parameters are established dynamically, for example whenever a network component is restarted or a VoIP telephone is restarted or added to the network
QoS issues
Delay and loss
One-way delay must be less than 150 ms
1% packet loss makes a call unintelligible; 5% loss is catastrophic, no matter how good the codec
DoS attack
RTP does not guarantee packet delivery, so an attack that induces loss or delay degrades calls directly
Deliver VoIP traffic at high speed, with preference over less urgent traffic
Use routers that forward packets based on the ToS bits (DSCP)
Priority-based CAC (call admission control)
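The loss and delay figures above are what an RTCP receiver report measures from the RTP stream itself. The following is an added example, not code from the slides: it builds a constructed G.711 stream of 1000 RTP packets, drops every 50th one, parses the RFC 3550 fixed header, and keeps the expected/received and interarrival-jitter bookkeeping a receiver uses. The 150 ms budget and the 1% / 5% loss thresholds are the slides' figures; the SSRC, drop pattern, jitter pattern and the `dscp_to_tos` helper are assumptions made for the demo.

```python
"""Receiver-side RTP loss and jitter accounting (RFC 3550).

Added example. The stream, drop pattern and jitter pattern are constructed.
"""
import socket   # only needed by the setsockopt call shown in dscp_to_tos's docstring
import struct

RTP_VERSION = 2
PT_PCMU = 0                # G.711 mu-law, 8000 Hz RTP clock
SAMPLES_PER_FRAME = 160    # 20 ms frame at 8 kHz


def dscp_to_tos(dscp):
    """ToS byte with the DSCP in its top six bits (EF = 46 -> 0xB8), the value a
    QoS-aware router keys on. Apply with
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, dscp_to_tos(46))."""
    return (dscp & 0x3F) << 2


def build_rtp(seq, timestamp, ssrc, payload, pt=PT_PCMU, marker=0):
    """Fixed 12-byte header: V=2, P=0, X=0, CC=0, M, PT, seq, timestamp, SSRC."""
    first = RTP_VERSION << 6
    second = (marker << 7) | (pt & 0x7F)
    return struct.pack("!BBHII", first, second, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(packet):
    """Parse the fixed header, skip CSRCs and any header extension, strip padding."""
    if len(packet) < 12:
        raise ValueError("truncated RTP header")
    first, second, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if first >> 6 != RTP_VERSION:
        raise ValueError("not RTP version 2")
    hdr_len = 12 + 4 * (first & 0x0F)              # CSRC list
    if first & 0x10:                               # extension bit set
        if len(packet) < hdr_len + 4:
            raise ValueError("truncated extension header")
        ext_words = struct.unpack("!H", packet[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    if len(packet) < hdr_len:
        raise ValueError("header longer than packet")
    payload = packet[hdr_len:]
    if first & 0x20:                               # padding: last byte is pad length
        if not payload or payload[-1] == 0 or payload[-1] > len(payload):
            raise ValueError("bad padding")
        payload = payload[:-payload[-1]]
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": second & 0x7F,
            "marker": bool(second & 0x80), "payload": payload}


class ReceiverStats:
    """Expected/received counting (RFC 3550 A.3, simplified wrap handling) and
    interarrival jitter (A.8); both kept in RTP timestamp units."""

    def __init__(self, clock_rate):
        self.clock_rate = clock_rate
        self.base_seq = self.max_seq = None
        self.cycles = 0
        self.received = 0
        self.jitter = 0.0
        self._transit = None

    def packet(self, seq, rtp_ts, arrival_ts):
        if self.base_seq is None:
            self.base_seq = self.max_seq = seq
        elif seq < self.max_seq and self.max_seq - seq > 0x8000:   # 16-bit wrap
            self.cycles += 0x10000
            self.max_seq = seq
        elif seq > self.max_seq:
            self.max_seq = seq
        self.received += 1
        transit = arrival_ts - rtp_ts
        if self._transit is not None:
            d = abs(transit - self._transit)
            self.jitter += (d - self.jitter) / 16.0   # RFC 3550 A.8 estimator
        self._transit = transit

    def expected(self):
        return self.cycles + self.max_seq - self.base_seq + 1

    def loss_fraction(self):
        exp = self.expected()
        return 0.0 if exp == 0 else (exp - self.received) / exp

    def jitter_ms(self):
        return 1000.0 * self.jitter / self.clock_rate


def call_quality(loss_fraction):
    """The slides' rule of thumb: 1% loss unintelligible, 5% catastrophic."""
    if loss_fraction >= 0.05:
        return "catastrophic"
    if loss_fraction >= 0.01:
        return "unintelligible"
    return "acceptable"


def simulate(n_packets=1000, drop_offset=25, drop_period=50, jitter_units=80):
    """Constructed stream: 20 ms frames, one packet in every drop_period lost,
    odd-numbered packets arriving jitter_units (10 ms) late."""
    stats = ReceiverStats(clock_rate=8000)
    ssrc = 0x1234ABCD                              # assumed sender SSRC
    for seq in range(1, n_packets + 1):
        if seq % drop_period == drop_offset:
            continue                               # lost in the network
        pkt = build_rtp(seq, seq * SAMPLES_PER_FRAME, ssrc, bytes(SAMPLES_PER_FRAME))
        hdr = parse_rtp(pkt)
        arrival = hdr["ts"] + (jitter_units if seq % 2 else 0)
        stats.packet(hdr["seq"], hdr["ts"], arrival)
    return stats
```

With the defaults, `simulate()` reports 1000 expected, 980 received (2% loss, "unintelligible" by the slides' rule) and roughly 10 ms of jitter. The jitter estimator is the one RTCP reports carry, so a sender that sees it climb, or the loss fraction cross 1%, has a direct signal of a congested link or a flooding attack on the voice VLAN.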
Infrastructure issues
Eavesdropping
VoIP differs from conventional telephone service
Opportunities for eavesdropping are multiplied
Protocols and codecs are open standards
Tools to monitor and control packet networks are widely available
Sniffer
Security tradeoffs
Convenience versus security
VoIP components are integrated with a web server for configuration
Features and ease of use bring privacy and DoS vulnerabilities
NAT
Adds some security, since only the NAT router is directly reachable from outside
Makes calls into the network very complex
Incompatible with IPsec, which protects address fields that NAT rewrites
Traversal mechanisms: STUN (Simple Traversal of UDP through NATs), TURN (Traversal Using Relays around NAT)
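How STUN lets a phone behind NAT learn the public address and port that incoming RTP must target, as an added example that is not part of the slides. Both sides of the RFC 5389 Binding exchange are built and parsed here offline: the client's request, the server's success response carrying XOR-MAPPED-ADDRESS, and the client-side check that the transaction ID matches. The public addresses are assumed values; one attribute value is checked against the RFC 5769 test vector.

```python
"""STUN Binding request/response (RFC 5389) for NAT traversal of VoIP media.

Added example. The NAT's public mapping used below is a constructed value.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def stun_header(msg_type, body_len, txid):
    """20-byte header: type, body length, magic cookie, 96-bit transaction ID."""
    return struct.pack("!HHI12s", msg_type, body_len, MAGIC_COOKIE, txid)


def binding_request(txid=None):
    """Client side: an empty Binding request with a fresh random transaction ID."""
    txid = txid or os.urandom(12)
    return stun_header(BINDING_REQUEST, 0, txid), txid


def xor_mapped_address(ip, port):
    """XOR-MAPPED-ADDRESS attribute: port XOR top 16 bits of the cookie,
    IPv4 address XOR the whole cookie (so ALGs do not rewrite it in transit)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)
    return struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value


def binding_response(txid, reflexive_ip, reflexive_port):
    """Server side: echo the transaction ID and report the source address seen."""
    attrs = xor_mapped_address(reflexive_ip, reflexive_port)
    return stun_header(BINDING_SUCCESS, len(attrs), txid) + attrs


def parse_response(data, expected_txid):
    """Client side: validate the response and recover (public_ip, public_port)."""
    if len(data) < 20:
        raise ValueError("truncated STUN header")
    msg_type, body_len, cookie, txid = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE:
        raise ValueError("not an RFC 5389 STUN message")
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: stale or spoofed response")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected message type 0x%04x" % msg_type)
    if len(data) != 20 + body_len:
        raise ValueError("length field does not match packet")
    body, off = data[20:], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        off += 4 + ((alen + 3) & ~3)              # attributes are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != FAMILY_IPV4:
                continue                           # IPv6 form not handled here
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def discover(nat_public_ip, nat_public_port):
    """Simulated round trip: the NAT rewrites the request's source to the given
    public mapping, the server reports it back, the client parses it."""
    request, txid = binding_request()
    assert len(request) == 20
    response = binding_response(txid, nat_public_ip, nat_public_port)
    return parse_response(response, txid)
```

The address the phone learns this way only works if the NAT reuses the same mapping for every peer; a symmetric NAT assigns a new one per destination, which is why STUN alone does not suffice and TURN relays exist. This snippet also omits MESSAGE-INTEGRITY, so the transaction-ID check is its only guard against a forged response.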
VPN
Tunneling VoIP over a VPN has become popular recently
Guidelines
Put voice and data on logically separate networks
Strong authentication and access control on the voice gateway system
Choose a mechanism to allow VoIP traffic through firewalls
Use IPsec or SSH for all remote management and auditing access
Use IPsec tunnel mode instead of transport mode, because tunnel mode masks the original source and destination IP addresses
If performance is a problem, perform the encryption at the router or other gateway rather than at the endpoints, to allow IPsec tunneling
Guidelines
Look for IP phones that can load digitally signed images, to guarantee the integrity of the software
Avoid softphone systems
Consider methods to harden VoIP platforms
H.323
http://www.openh323.org/
RTP
WinRTP (http://www.vovida.org/)
simRTP (NCTU or csie@NTU)
G.729
http://www.vovida.org/
Other issues
SRTP
SIP with authentication
IPv6
Discussion
VoIP security
VoIP network security
VoIP data encryption
Dynamic encryption change
RTCP QoS report
Manpower
Outline
Introduction
The Overall Model of Tracking Anonymous Peer-to-Peer VoIP Calls
Active Timing Based Tracking of VoIP Flows
Transparent Watermarking of VoIP Flows
Experiments
Related Works
Conclusions
Introduction
Anonymous VoIP
No phone number
End-to-end encryption
Routed through low-latency anonymizing networks: Onion Routing, Tor, Freedom, Tarzan
Introduction
Tracking Skype Calls
Free and widely used
End-to-end encryption with 256-bit AES
Traverses most firewalls and NATs
Intelligently and dynamically routes the encrypted call through different peers to achieve low latency
Uses a proprietary peer-to-peer signaling protocol to set up VoIP calls