
Research On The Technologies Of VOIP Security Monitoring And Management Based On Network Application Identification

Posted on: 2011-05-30
Degree: Master
Type: Thesis
Country: China
Candidate: W P Xiao
GTID: 2178360308950216
Subject: Electronics and Communications Engineering
Abstract/Summary:
Voice over IP (VoIP) has finally come of age and is being rapidly embraced across most markets as an alternative to the traditional public-switched telephone network (PSTN). VoIP is a broad term, describing many different types of applications (hard phones, softphones, proxy servers, Instant Messaging clients, peer-to-peer clients, and so on), installed on a wide variety of platforms (Linux, Windows, VxWorks, mobile devices, PCs, and so on), and using a wide variety of both proprietary and open protocols (SIP, RTP, H.323, MGCP, SCCP, Unistim, SRTP, ZRTP, and so on) that depend heavily on your preexisting data network's infrastructure and services (routers, switches, DNS, TFTP, DHCP, VPNs, VLANs, and so on). Correspondingly, VoIP security is just as broad a subject, thanks to the heterogeneous nature of these environments found in the consumer, enterprise, carrier, and small/medium-sized business markets.

All kinds of network application identification methods are covered, such as host-behavior identification and traffic-behavior identification, along with how they are used for VoIP network monitoring and management. The packet-level behavior identification method is emphasized. Stateful packet inspection (SPI) and deep packet inspection (DPI) are described as well.

Various types of malicious VoIP DoS attacks can be performed that target your supporting infrastructure, such as DNS poisoning, DHCP exhaustion, and ARP table manipulation, to name a few. With the appropriate level of network access, an attacker can also completely subvert and control the VoIP session, including eavesdropping on, diverting, or squashing the conversations taking place. The countermeasures are not just VoIP specific, but are also critical to preventing MITM attacks against all other critical applications flowing through your network. Also, SIP-based systems, including SIP proxies, SIP phones, and media gateways, are very vulnerable to various types of flood-based attacks as well as various types of signaling and RTP stream manipulation attacks. Countermeasures are available, but must be applied across the entire system to be truly effective.

Finally, the design and implementation of a SIP-aware firewall with dynamic layer 7 filtering is described. To protect SIP communication networks from attacks, especially flooding attacks like Denial-of-Service or message spam, firewalls are deployed at the ingress point of the network to filter potentially malicious traffic. But traditional firewalls cannot meet the requirements of SIP communication networks, because they do not support SIP stateful packet inspection (SPI), SIP deep packet inspection (DPI), or dynamic configuration of RTP/RTCP media streaming pinholes. In this paper we give an in-depth analysis of the dynamic signaling process of the SIP/RTP stack, propose a method to implement SIP SPI, SIP DPI, and dynamic configuration of RTP/RTCP media streaming pinholes, and give a detailed description of its design and implementation based on the Linux Netfilter framework. Finally, we show the performance evaluation results of this kind of SIP-aware firewall with dynamic layer 7 filtering. This firewall offers a dynamic media stream "pin-hole" feature, which can effectively prevent attacks on the SIP proxy or phone that target media-stream-related vulnerabilities.
Keywords/Search Tags: SIP, RTP, Firewall, SPI, DPI, Pinhole