VoIPSecurity_WP

Shared by: saiful azom
posted:
6/10/2009
White Paper

Creating a Secure Voice over IP Infrastructure
Using VPN-1 solutions to enable secure VoIP communications

Check Point protects every part of your network—perimeter, internal, Web—to keep your information resources safe, accessible, and easy to manage.

Contents

Executive summary
Enabling complex, diverse VoIP protocols
Protecting the converged network
Delivering high voice quality
Solving the NAT problem
Summary

Executive summary

Voice over Internet Protocol (VoIP) adoption is growing at a rapid rate as corporations move voice traffic from dedicated phone networks to converged networks where voice, video, and data coexist. According to the Deloitte and Touche report, Getting Off the Ground: Why the Move to VoIP Is a Decision for All CxOs (2004), 66 percent of the Global 2000 businesses will be using VoIP at employee desktops during 2006. Why? VoIP technologies give organizations increased voice services such as delivering voice mail to traveling employees over email and lower operational costs for long distance and other phone services.

Yet the benefits come with security risks. Placing voice traffic on the data network exposes it to the same attacks—worms, buffer overflows, and more—that plague the existing network infrastructure. And the complexity and diversity of VoIP protocols make it nearly impossible for traditional security solutions to cope with voice on the data network. What is needed is a perimeter security solution that is not only VoIP aware, but also can make intelligent security decisions to protect the VoIP network from attack.

The VPN-1® product line delivers the advanced technologies needed for organizations to deploy VoIP without sacrificing security.
With intelligent security based on Stateful Inspection and Application Intelligence™, VPN-1 can solve the four most common problems associated with integrating VoIP into a perimeter security strategy.

1. Enabling complex, diverse VoIP protocols: Companies can choose from among a host of VoIP protocols, all of which function completely differently and interact with security in ways that traditional firewalls cannot handle. VPN-1 delivers the most intelligent security for the widest variety of VoIP protocols available in a perimeter security solution. The intelligent security of VPN-1 delivers two benefits that other perimeter solutions do not. First, it enables complete inspection of both the network layer and the payload—where additional VoIP data is placed. Second, because VPN-1 was developed to be aware of how VoIP sessions should work, it can detect and stop malicious VoIP activity without administrator interaction.

2. Protecting the converged network: Placing voice traffic on the data network exposes it to traditional data attacks. VPN-1 goes beyond simple support for VoIP protocols to an awareness of how VoIP works, providing preemptive protection for both the VoIP network and the underlying infrastructure.

3. Delivering high voice quality: A major concern for VoIP deployments is maintaining the high level of voice quality people are used to from traditional phone services. VPN-1 integrates Quality of Service (QoS) mechanisms to ensure that the quality of voice traffic is not reduced while still maintaining a high level of security.

4. Solving the NAT problem: Network address translation (NAT) is a common security function that is often incompatible with VoIP deployment. VPN-1 provides the greatest range of deployment options for VoIP in a NAT environment without the use of third-party products.
This paper explains why traditional security measures cannot solve these four issues and how VPN-1 can solve them by delivering intelligent, flexible security for corporations looking to deploy VoIP today.

Enabling complex, diverse VoIP protocols

Voice over IP is not a monolithic technology with a set number of standards. Rather, there are multiple protocols that provide voice over the Internet. The most popular VoIP protocols in use today are H.323 and SIP. MGCP is seen more in large networks such as those used by service providers to coordinate between different VoIP deployments. SCCP, or Skinny, is a Cisco proprietary protocol that is often seen in legacy VoIP deployments.

Commonly deployed VoIP protocols

Signaling protocols
• H.323
• Session Initiation Protocol (SIP)
• SCCP
• Media Gateway Control Protocol (MGCP)

Media protocols
• Real-time Transport Protocol (RTP)
• Real Time Control Protocol

Even within a given protocol or standard, firewalls must deal with multiple protocols for a single VoIP phone call. A signaling protocol is used to find the two parties involved and set up the call. The actual conversation is carried by RTP and RTCP, the media protocols. For H.323, setting up a call involves standards such as H.225 and H.245.

Making it even more confusing is the number of variants for each protocol. For example, versions 2, 3, and 4 of H.323 are commonly seen in VoIP deployments. Likewise, SIP can come in many formats such as SIP over UDP or SIP over TCP that firewalls must understand and secure. Many organizations have many VoIP variations in use because of mergers and purchasing policies that give divisions or locations control over IT decisions, or simply because multiple applications have been deployed over time.

The complexity of VoIP goes beyond the variety of protocols and extends to how they interact with security.
H.323 is a prime example of why VoIP is difficult to secure. A traditional firewall secures the perimeter by defining specific ports through which traffic may enter. For example, Web traffic travels across Port 80 so perimeter firewalls allow traffic to enter on Port 80. However, H.323 uses both static ports, such as Port 1720 for call setup, and random dynamic ports. For a traditional perimeter firewall to allow H.323 to cross the firewall, thousands of dynamic and static ports must be left open for voice traffic—creating large holes for attackers to exploit.

Because H.323 traffic is encoded in a binary format based on ASN.1, even advanced firewalls have a difficult time analyzing and making proper security decisions about VoIP traffic entering the network. Each instance of the VoIP application will place important information—such as delivery address data—in a slightly different location within a packet. As a result, traditional firewalls do not have the intelligence to parse the message and find the proper information to make security decisions.

Solving VoIP security complexity involves moving beyond the traditional firewall to a security solution that is highly aware of VoIP protocols and how these protocols work.

The Check Point answer

The VPN-1® product line uses Application Intelligence™ and the patented Stateful Inspection technologies to move beyond simple protocol support to a deeper awareness of how VoIP operates. This awareness extends to the most popular protocols and variants in use today, providing the broadest VoIP support available in a perimeter firewall. Unlike specialized VoIP gateways that support a single VoIP protocol and include unproven security features, VPN-1 combines the reliable security needed by today’s businesses with broad protocol support.
For SIP, H.323, MGCP, and SCCP/Skinny, VPN-1 is able to dynamically open ports based on the state and context of the conversation. This goes beyond the typical stateful packet inspection done by most firewalls to a comprehension of the actual VoIP conversation. For example, an H.323 session dynamically changes information and port numbers as the session progresses, with the new port information being located in the previous portion of the conversation. VPN-1 disassembles the ASN.1-like format used by H.323 to inspect and make security decisions based on the context. Additionally, VPN-1 can recognize and enforce context on traffic that supports voice features such as call forwarding, hold, and call transfer.

Supported VoIP protocols

SIP
• RFC 3261 - Latest SIP RFC
• RFC 3372 - SIP-T
• RFC 3311 - UPDATE message
• RFC 2976 - INFO message
• RFC 3515 - REFER message
• RFC 3265 - SIP Events
• RFC 3266 - IPv6 in SDP
• RFC 3262 - Reliability of Provisional responses
• RFC 3428 - MESSAGE message
• MSN messenger over SIP
• SIP over TCP
• SIP over UDP
• SIP early media

H.323
• H.323 V.2, V.3, V.4
• H.225 V.2, V.3, V.4
• H.245 V.3, V.5, V.7

SCCP

MGCP
• RFC 3435 - MGCP v1
• J.171 - TGCP

Protecting the converged network

The 2004 VoIP State of the Market Report from Distributed Networking Associates stated that 25 percent of respondents felt that voice communications were “much less secure” when placed on the data network. When combined with respondents who felt that it was “less secure,” the percentage who perceive VoIP networks as reducing security reaches 60 percent.

The Slammer worm of late 2002 illustrates the security risk in converging voice and data networks. The Gartner Group report, VoIP Security Behind the Firewall (2003), discusses how worms such as Slammer can damage converged networks.
For one Gartner client who had successfully deployed VoIP for call center applications, the worm attacked the IP-PBXes that were responsible for linking the VoIP phone network to the traditional external phone system, resulting in a complete loss of call center communications and in a loss of call center data. The VoIP systems were vulnerable because of the underlying operating system that could be attacked via the network.

To successfully integrate voice traffic onto the data network, an organization must first ensure a solid security foundation for the network. Failing to do this presents the following risks:

Attacks against VoIP components

As the Gartner client discovered, VoIP components such as IP-PBXes or IP phones can be compromised by packet-based attacks. These phones and signal routing devices have two potential weaknesses. First, all the components rely on an underlying operating system that may have vulnerabilities that can be exploited. Second, the components themselves may have vulnerabilities that can be exploited. Because the protocols used for VoIP traffic are relatively new and are continuously changing, there is a distinct possibility of an undiscovered exploit that could give attackers system access, crash devices, or allow improper phone usage.

For example, VoIP calls consist of two communications channels being open at the same time: the call control channel and the actual media or data channel. One potential abuse of the VoIP system involves a person terminating the call control channel, signaling to the signal routing device that the call is over, but keeping the media channel open. The result is theft of phone services through underbilling.

Denial of voice services

Similar to denying service to a Web server by creating legitimate Web page requests, attackers can prevent a VoIP system from being used by flooding it with properly formatted call requests.
This simple attack will prevent legitimate call requests from being established.

The danger of soft phones

Organizations can use VoIP soft phones to connect remote employees without the need for expensive cellular phone bills or long distance. The soft phone—a virtual VoIP phone application that can be placed on laptop computers without the need for an actual telephone handset—gives traveling employees a means to make calls as if they were inside the network. However, these remote computers can become an access point for attackers if they are not properly secured. An unsecured computer can be easily compromised and used to collect data or access the corporate network. Additionally, most VoIP traffic is not encrypted by default as it travels over the Internet. VoIP deployment to remote users requires additional encryption techniques to protect the confidentiality of conversations.

The Check Point answer

VPN-1 uses Application Intelligence to provide true awareness of application-layer threats and integrated intrusion prevention for VoIP deployments. Application Intelligence provides VPN-1 a deep understanding of how H.323, SIP, or other VoIP protocols are supposed to operate. If traffic deviates from the norm—such as happens when an attacker tries to exploit a vulnerability—VPN-1 detects the shift and preempts the attack.

For VoIP, Application Intelligence enforces strict conformance to the supported protocols and standards as well as their expected usage. For example, if a company is using SIP over UDP in its deployment, VPN-1 ensures that the traffic conforms to RFC 3261.
To achieve this, Application Intelligence checks for the following:

• Illegal binary or illegal characters in packets
• Strict RFC enforcement for header characters
• Header field length restrictions
• Removal of unknown media types
• Removal of characters that should not be used for addresses

VPN-1 is also able to validate that VoIP sessions conform to an expected pattern of behavior. One critical way it does this is the enforcement of call control and media traffic. At the end of a call, a terminate signal is sent to a VoIP signal routing device to stop any associated auditing and billing. However, it is possible to keep the call going even after its termination has been reported—evading proper billing and auditing. VPN-1 checks to ensure the presence of both signaling and call information and can terminate the call if necessary.

To prevent Denial of Service attacks, VPN-1 checks for the expected behavior in call setup and termination. If a caller establishes a call session and then immediately terminates it, this is a behavior consistent with a Denial of Service attack and future call setup requests will be denied. Additionally, administrators can configure the number of call attempts from an individual IP address within a given amount of time.

Through the use of VoIP handover domains, VPN-1 reduces the ability for outside parties to access VoIP conversations for theft of service or call hijacking. Administrators can define the IP addresses for endpoints that a specific signal routing device is responsible for. As a call between two IP phones is established by a signal routing device, VPN-1 checks the IP addresses against the VoIP domain and only allows calls between parties in the domain. As spam moves from instant messaging and email to VoIP, strict enforcement of handover domains will become increasingly important to maintain the value of a VoIP deployment.

Check Point VoIP security, however, goes beyond the perimeter.
As stated earlier, VoIP deployments will also incorporate soft phones that are deployed on mobile laptop computers. Integrity SecureClient™ provides organizations a means to both lock down those remote PCs against malicious code as well as encrypt conversations. Integrity SecureClient is a centrally managed personal firewall with an integrated VPN client that enables administrators to provide VoIP services to remote users without compromising the network’s security. Because administrators define what applications may or may not access the Internet on a computer, malicious code such as spyware or worms cannot use the remote computer to further infect the network. Additionally, administrators can use application access control to limit which users can access soft phones at all.

By using Integrity SecureClient Office Mode to obtain virtual IP addresses for remote computers, administrators can make remote soft phones appear as if they are located on the corporate network. Instead of having a randomly assigned IP address from a wireless hotspot or hotel broadband service, the remote computer has a predictable IP address that can be defined as part of the VoIP domain.

Auditing and logging for VoIP services

Security without proper auditing and logging functions is ineffective and that is true for VoIP security as well. To ensure that an organization’s VoIP security policy is properly functioning, VPN-1 provides detailed logs of phone calls, including the IP source and destination or, in the case of SIP, the “from” and “to” URLs and phone numbers.
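The SIP checks described earlier in this section (header conformance, closing media when signaling ends, and a per-address call-attempt limit) can be modelled in a few dozen lines. This is an added example, not Check Point code: the limits, class and function names are assumptions, the sample messages are constructed, and only the SDP offer carried in an INVITE is tracked.

```python
import re
from collections import defaultdict, deque

# Assumed policy values for illustration; the paper gives no numbers.
MAX_HEADER_LEN = 256              # header field length restriction
KNOWN_MEDIA = {"audio", "video"}  # SDP media types the policy allows
MAX_INVITES, WINDOW = 3, 10.0     # call attempts allowed per source IP per window (s)


def parse_sip(raw: bytes):
    """Split a SIP message into (start line, {header: value}, SDP body lines)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1").splitlines()


def violations(raw: bytes):
    """Return the conformance checks a message fails; an empty list means it passes."""
    _, headers, sdp = parse_sip(raw)
    found = []
    # Simplification: any byte outside printable ASCII, tab, CR and LF counts as illegal.
    if re.search(rb"[^\x20-\x7e\t\r\n]", raw.partition(b"\r\n\r\n")[0]):
        found.append("illegal binary in headers")
    found += [f"header too long: {n}" for n, v in headers.items() if len(v) > MAX_HEADER_LEN]
    for line in sdp:
        m = re.match(r"m=(\S+)", line)
        if m and m.group(1) not in KNOWN_MEDIA:
            found.append(f"unknown media type: {m.group(1)}")
    return found


class SipGate:
    """Toy stateful gate: media is allowed only while its signaling dialog exists."""

    def __init__(self):
        self.pinholes = {}                  # Call-ID -> (ip, port) of the media stream
        self.attempts = defaultdict(deque)  # source IP -> times of recent INVITEs

    def on_signaling(self, src_ip: str, raw: bytes, now: float) -> str:
        if violations(raw):
            return "drop"
        start, headers, sdp = parse_sip(raw)
        method, call_id = start.split(" ")[0], headers.get("call-id")
        if method == "INVITE":
            recent = self.attempts[src_ip]
            while recent and now - recent[0] > WINDOW:
                recent.popleft()
            if len(recent) >= MAX_INVITES:
                return "drop"               # too many call attempts from this address
            recent.append(now)
            conn = next((l.split()[-1] for l in sdp if l.startswith("c=")), None)
            media = next((re.match(r"m=\S+ (\d+)", l) for l in sdp if l.startswith("m=")), None)
            if call_id and conn and media:
                self.pinholes[call_id] = (conn, int(media.group(1)))
        elif method == "BYE":
            self.pinholes.pop(call_id, None)  # signaling ended: close the media pinhole
        return "pass"

    def allow_media(self, dst_ip: str, dst_port: int) -> bool:
        return (dst_ip, dst_port) in self.pinholes.values()


def sample(method: str, call_id: str, media: str = "audio", subject: str = "call") -> bytes:
    """Build a constructed SIP message (not captured traffic) for the demo."""
    body = f"v=0\r\nc=IN IP4 192.0.2.10\r\nm={media} 49170 RTP/AVP 0\r\n" if method == "INVITE" else ""
    return (f"{method} sip:bob@example.test SIP/2.0\r\nCall-ID: {call_id}\r\n"
            f"Subject: {subject}\r\n\r\n{body}").encode("latin-1")


if __name__ == "__main__":
    gate = SipGate()
    print(gate.on_signaling("198.51.100.7", sample("INVITE", "a1"), 0.0))
    print(gate.allow_media("192.0.2.10", 49170))
    gate.on_signaling("198.51.100.7", sample("BYE", "a1"), 5.0)
    print(gate.allow_media("192.0.2.10", 49170))
    print(violations(sample("INVITE", "a2", media="application")))
```

Media arriving for the address and port after the BYE is refused, which is the billing-evasion case the paper describes.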
Security methods for SIP and H.323

SIP security

Stateful Inspection of SIP messages
• Open RTP/RTCP connection dynamically
• Close RTP/RTCP connection if there is no signaling connection
• Continuous enforcement of control-data connection relationship

Use of streaming mechanism in SIP over TCP
• All messages are fully inspected even if divided in several packets

Restricting the following fields
• RFC enforcement
• Protocol state machine
• Usernames
• Call-ID
• SDP headers

Special syntax control of the following SIP messages
• Registration (REGISTER, ACK)
• Admission control (INVITE)
• Capability exchange (SDP, OPTION)

Handover domain
• Provide security enforcement of VoIP redirection and handover

H.323 advanced security

Stateful Inspection of H.323 messages
• Open RTP/RTCP connection dynamically
• Close RTP/RTCP connection if there is no signaling connection
• Open T.120 connection dynamically
• Close T.120 connection if there is no signaling connection
• Continuous enforcement of the control-data connection relationship

Use of streaming mechanism for H.225 and H.245
• All messages are fully inspected even if divided in several packets

Special treatment for the following H.323 messages
• H.225 RAS messages
• Q.931 messages
• H.245
• Support for fast start—encapsulate H.245 in H.225 messages
• Support of H.245 tunneling—encapsulate H.245 in H.225 messages

Restricting the following fields
• RFC enforcement
• Phone numbers
• Presence of IP addresses in specific messages
• Presence of phone numbers in specific messages
• Protocol flow logic

Handover domain
• Provide security enforcement of VoIP redirection and handover

Delivering high voice quality

In the AT&T/Economist Business Unit survey, Voice over IP Comes of Age (2004), 64 percent of respondents listed Quality of Service (QoS) as their primary concern for VoIP.
People are accustomed to a very high telephone communications service level. Despite all the benefits of VoIP, if it cannot deliver the same level of availability and voice quality as traditional phone service, customers will not adopt it.

There are two main factors that degrade the quality of VoIP service. The first is latency, the time it takes a VoIP packet to travel from one phone to the other. The National Institute of Science and Technology report, Security Considerations for Voice over IP Systems (2005), suggests that the maximum one-way latency for voice communications should be no longer than 150 ms. There are a number of factors that can affect latency, including how well routers process the packets. From a security perspective, the largest factor is how long it takes the security gateway to inspect and encrypt the VoIP traffic.

The second factor for quality of service is jitter. Jitter occurs when the delay in receiving VoIP packets is irregular—causing packets to arrive out of order or not arrive at all. Rearranging the voice traffic as it arrives is processor-intensive and results in either delays in hearing the conversation or lost pieces of conversation. Although these gaps are usually quite small, the effects render it quite difficult to listen to a VoIP conversation. Encryption—done at the endpoint or at the security gateway—is a prime contributor to jitter.

The Check Point answer

With VPN-1, enterprises gain integrated Quality of Service to minimize jitter and latency caused by applying the security needed. Within VPN-1, there are a number of different strategies that companies can take to ensure high-quality voice communications. By using these methods in combination, organizations can assign VoIP traffic to a high-priority class both within a local network and across a public network. For example, an administrator can reduce the effect of security inspection on latency by using Low Latency Queuing (LLQ).
With LLQ, latency sensitive applications, such as VoIP, are given priority over less sensitive applications. Likewise, organizations may use weighted priorities to ensure that VoIP traffic is allocated a larger amount of bandwidth than discretionary traffic.

In addition to QoS controls, it is important to consider the security platform. Platform performance will affect the speed of encrypting and inspecting traffic—directly affecting jitter, latency, and the effectiveness of the VoIP deployment. With both open servers and secured by Check Point appliances available, organizations can design their security deployment to meet the most rigid performance requirements. Hardware acceleration is available to enhance encryption performance, reducing jitter caused by cryptographic processes.

Check Point QoS methods

Local access link control
• Low Latency Queuing (LLQ): LLQ enables highly sensitive traffic such as VoIP to be given the highest priority for security processing, including setting a maximum delay.
• Guaranteed bandwidth: A portion of bandwidth can be set aside specifically for VoIP transmissions, guaranteeing that other less important traffic will not choke out voice communications.
• Weighted priorities: Based on business goals, different types of traffic can be assigned different priorities. For example, VoIP traffic may be given a weight of 50 compared to a weight of 5 for file sharing. During congested network conditions, the ratio between VoIP and file sharing traffic will be 10:1.

End-to-end controls
• Differentiated Service (DiffServ): Integrated DiffServ support allows service providers to identify and prioritize VoIP traffic as it travels across the corporate wide area network (WAN).

Solving the NAT problem

Network Address Translation (NAT)—one of the most prevalent security measures in use today—poses a special problem for VoIP.
Commonly used in perimeter firewalls to conserve IP addresses and disguise the internal network structure, NAT maps internal IP addresses that are unroutable over the Internet to the external IP addresses used to locate resources across the Internet. In the process, the NAT-enabled firewall modifies the address at the network layer (layer 3) of a packet to reflect the mapping. For most applications, this does not present a problem.

However, VoIP protocols embed the IP addresses at the application level as well as the network level. When a VoIP endpoint or device encounters signaling or media traffic from an endpoint behind a NAT gateway, it reads the internal unroutable IP address as the correct IP address and attempts vainly to return traffic to that location. For incoming calls, the problem is exacerbated even further because the externally routable IP address can be shared between hundreds or thousands of endpoints.

The Check Point answer

VPN-1 provides companies a solution that enables their existing network architecture to coexist with VoIP without the need to stop using Network Address Translation and privately routable IP addresses. VPN-1 maintains a VoIP user database that is synchronized with the information found on a signal routing device. An IP phone must register itself with a signaling device before placing calls. When it does so, VPN-1 recognizes the registration request and records the necessary information in its internal database. Registration makes it possible to initiate calls from outside the VPN-1 protected network to phones whose addresses are translated using hide NAT (many-to-one NAT). VPN-1 is the only perimeter security solution that provides this capability for both the H.323 and SIP protocols.
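The NAT problem and the registration-database approach described above can be seen in a small model. This is an added example and a simplification, not VPN-1's implementation: the class, method names, port numbers and sample messages are constructed for illustration, and media port translation is left out.

```python
import ipaddress
import re

EXTERNAL_IP = "203.0.113.1"   # assumed public address of the gateway (documentation range)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample messages (not captured traffic).
REGISTER_ALICE = ("REGISTER sip:pbx.example.test SIP/2.0\r\n"
                  "To: <sip:alice@example.test>\r\n"
                  "Contact: <sip:alice@10.0.0.5:5060>\r\n\r\n")
INVITE_OUT = ("INVITE sip:carol@example.net SIP/2.0\r\n"
              "Call-ID: c1\r\n\r\n"
              "v=0\r\nc=IN IP4 10.0.0.5\r\nm=audio 49170 RTP/AVP 0\r\n")


def embedded_private_addresses(raw: str):
    """Return the RFC 1918 addresses still present in SDP c= lines.

    Layer-3 NAT rewrites the packet header only, so these survive it.
    """
    found = re.findall(r"^c=IN IP4 ([\d.]+)", raw, re.M)
    return [a for a in found if any(ipaddress.ip_address(a) in n for n in RFC1918)]


class HideNatSipGateway:
    """Toy hide-NAT gateway that records SIP registrations as they pass."""

    def __init__(self, external_ip: str, first_port: int = 20000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.registrations = {}   # SIP user -> (internal ip, internal port, external port)

    def outbound_register(self, raw: str) -> str:
        """Record the phone's internal contact and rewrite it to the external address."""
        m = re.search(r"^Contact: <sip:([^@>]+)@([\d.]+):(\d+)>", raw, re.M)
        if not m:
            return raw
        user, ip, port = m.group(1), m.group(2), int(m.group(3))
        if user not in self.registrations:
            self.registrations[user] = (ip, port, self.next_port)
            self.next_port += 1   # one external port per registered phone
        ext_port = self.registrations[user][2]
        return raw.replace(m.group(0), f"Contact: <sip:{user}@{self.external_ip}:{ext_port}>")

    def outbound_sdp(self, raw: str) -> str:
        """Rewrite the embedded media address so the far end replies to a routable one."""
        return re.sub(r"^(c=IN IP4 )[\d.]+", rf"\g<1>{self.external_ip}", raw, flags=re.M)

    def inbound_invite(self, raw: str):
        """Map an incoming INVITE to the registered internal endpoint, or None."""
        m = re.match(r"INVITE sip:([^@\s]+)@", raw)
        entry = self.registrations.get(m.group(1)) if m else None
        return (entry[0], entry[1]) if entry else None


if __name__ == "__main__":
    gw = HideNatSipGateway(EXTERNAL_IP)
    print(embedded_private_addresses(INVITE_OUT))            # address the far end cannot reach
    print(gw.outbound_register(REGISTER_ALICE))
    print(embedded_private_addresses(gw.outbound_sdp(INVITE_OUT)))
    print(gw.inbound_invite("INVITE sip:alice@203.0.113.1 SIP/2.0\r\n\r\n"))
```

An incoming INVITE for a user with no registration entry maps to nothing, so the shared external address alone never selects an internal phone.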
NAT support within VPN-1

NAT support for SIP networks
• Endpoints can be installed with static NAT or hide NAT in the internal network, external network, or DMZ
• Incoming calls to hide endpoints that are behind a gateway using hide NAT are supported
• SIP-PSTN gateways with hide NAT can be installed in the internal network, external network, or DMZ
• SIP-PSTN gateways with static NAT can be installed in the internal network, external network, or DMZ

NAT support for H.323 networks
• Gatekeepers can be installed in the external network, internal network, or DMZ using static NAT
• Gateways/PBXes can be installed in the external network, internal network, or DMZ using static NAT
• Endpoints can be installed everywhere using static NAT
• Endpoints can be installed everywhere using hide NAT
• Incoming calls to hide NAT are supported
• H.323-PSTN gateways can be installed everywhere with static NAT
• H.323-PSTN gateways can be installed everywhere with hide NAT

Summary

When VoIP is introduced into the network, an organization’s perimeter security solution will play a critical role in either enabling or limiting the scope of the deployment and, as a result, the benefits realized from a converged voice and data network. VPN-1 provides organizations the platform for integrating VoIP into a comprehensive security policy without needing to sacrifice their deployment goals. With Stateful Inspection and Application Intelligence, VPN-1 is able to deliver the most intelligent perimeter security solution available for VoIP.

About Check Point Software Technologies

Check Point Software Technologies Ltd. (www.checkpoint.com) is the worldwide leader in securing the Internet. It is the market leader in the worldwide enterprise firewall, personal firewall, and VPN markets.
Through its NGX platform, the company delivers a unified security architecture for a broad range of perimeter, internal, and Web security solutions that protect business communications and resources for corporate networks and applications, remote employees, branch offices, and partner extranets. The company’s ZoneAlarm product line is one of the most trusted brands in Internet security, creating award-winning endpoint security solutions that protect millions of PCs from hackers, spyware, and data theft. Extending the power of the Check Point solution is its Open Platform for Security (OPSEC), the industry’s framework and alliance for integration and interoperability with “best-of-breed” solutions from more than 350 leading companies. Check Point solutions are sold, integrated, and serviced by a network of more than 2,200 Check Point partners in 88 countries.

CHECK POINT OFFICES

Worldwide Headquarters
3A Jabotinsky Street, 24th Floor
Ramat Gan 52520, Israel
Tel: 972-3-753 4555
Fax: 972-3-575 9256
email: info@checkpoint.com

U.S. Headquarters
800 Bridge Parkway
Redwood City, CA 94065
Tel: 800-429-4391; 650-628-2000
Fax: 650-654-4233
URL: http://www.checkpoint.com

©2006 Check Point Software Technologies Ltd. All rights reserved.
Check Point, Application Intelligence, Check Point Express, the Check Point logo, AlertAdvisor, ClusterXL, Cooperative Enforcement, ConnectControl, Connectra, CoSa, Cooperative Security Alliance, Eventia, Eventia Analyzer, Eventia Reporter, FireWall-1, FireWall-1 GX, FireWall-1 SecureServer, FloodGate1, Hacker ID, IMsecure, INSPECT, INSPECT XL, Integrity, InterSpect, IQ Engine, Open Security Extension, OPSEC, Policy Lifecycle Management, Provider-1, Safe@Home, Safe@Office, SecureClient, SecureKnowledge, SecurePlatform, SecuRemote, SecureXL Turbocard, SecureServer, SecureUpdate, SecureXL, SiteManager-1, SmartCenter, SmartCenter Power, SmartCenter Pro, SmartCenter UTM, Smarter Security, SmartDashboard, SmartDefense, SmartLSM, SmartMap, SmartUpdate, SmartView, SmartView Monitor, SmartView Reporter, SmartView Status, SmartViewTracker, SofaWare, SSL Network Extender, Stateful Clustering, TrueVector, Turbocard, UAM, User-to-Address Mapping, UserAuthority, VPN-1, VPN-1 Accelerator Card, VPN-1 Edge, VPN-1 Power, VPN-1 Pro, VPN-1 SecureClient, VPN-1 SecuRemote, VPN-1 SecureServer, VPN-1 UTM, VPN-1 UTM Edge, VPN-1 VSX, VPN-1 XL, Web Intelligence, ZoneAlarm, ZoneAlarm Pro, Zone Labs, and the Zone Labs logo are trademarks or registered trademarks of Check Point Software Technologies Ltd. or its affiliates. All other product names mentioned herein are trademarks or registered trademarks of their respective owners. The products described in this document are protected by U.S. Patent No. 5,606,668, 5,835,726, 6,496,935, 6,873,988 and 6,850,943 and may be protected by other U.S. Patents, foreign patents, or pending applications. May 18, 2006 P/N 502158
