VoIP Network Security and Forensic Models using Patterns


VOIP NETWORK SECURITY AND FORENSIC MODELS USING PATTERNS

by

Juan C. Pelaez

A Doctoral Dissertation Submitted to the Faculty of the

College of Computer Science and Engineering

In Partial Fulfillment of the Requirements for the Degree of

Doctor of Philosophy

Florida Atlantic University

Boca Raton, Florida

August 2007

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

VOIP NETWORK SECURITY AND FORENSIC MODELS USING PATTERNS

by Juan C. Pelaez

This doctoral dissertation was prepared under the direction of the candidate's dissertation advisor, Dr. Eduardo B. Fernandez, Department of Computer Science and Engineering, and has been approved by the members of his supervisory committee. It was submitted to the faculty of The College of Computer Science and Engineering and was accepted in partial fulfillment of the requirements for the degree of Doctor of Philosophy.

Chairperson, Department of Computer Science and Engineering

Dean, College of Computer Science and Engineering

Dissertation Advisor

Dean, Graduate Studies and Programs

Date


Acknowledgements

First, I would like to thank God for giving me strength, hope, and perseverance in my studies. Without Him none of this would be possible or worthwhile.

I would also like to thank my dissertation advisor, Dr. Eduardo B. Fernandez, for his guidance and helpful criticism throughout this research. To my Committee Members and my good friend Ruby Grant, thank you for taking the time to read and revise my written and oral presentation of this dissertation. I also thank my employer, the United States Army Research Laboratory, for their financial and technical support during this research.

Last but not least, I would like to thank my lovely wife, Pitty Pelaez, and my devoted mother, Martha Henao, for their unconditional loving support throughout my educational endeavors. I am very grateful for having a family that has encouraged me at each and every step of my life.


Abstract

Author: Juan C. Pelaez

Title: VoIP Network Security and Forensic Models using Patterns

Institution: Florida Atlantic University

Thesis Advisor: Dr. Eduardo B. Fernandez

Degree: Doctor of Philosophy

Year: 2007

Voice over Internet Protocol (VoIP) networks are becoming the most popular telephony system in the world. However, studies of the security of VoIP networks are still in their infancy. VoIP devices and networks are commonly attacked, and it is therefore necessary to analyze the threats against the converged network and the techniques that exist today to stop or mitigate these attacks. We also need to understand what evidence can be obtained from the VoIP system after an attack has occurred.

Many of these attacks occur in similar ways in different contexts or environments. Generic solutions to these issues can be expressed as patterns. A pattern can be used to guide the design or simulation of VoIP systems as an abstract solution to a problem in this environment. Patterns have shown their value in developing good quality software and we expect that their application to VoIP will also prove valuable to build secure systems.

This dissertation presents a variety of patterns (architectural, attack, forensic and security patterns). These patterns will help forensic analysts as well as secure systems developers because they provide a systematic approach to structure the required information and help understand system weaknesses. The patterns will also allow us to specify, analyze and implement network security investigations for different architectures. The pattern system uses object-oriented modeling (Unified Modeling Language) as a way to formalize the information and dynamics of attacks and systems.


Table of Contents

LIST OF FIGURES ........ viii
LIST OF TABLES ........ xi

CHAPTER

1 INTRODUCTION ........ 1

2 BACKGROUND ........ 6
2.1 Introduction ........ 6
2.2 Internet Protocol Networks ........ 6
2.3 IP Telephony ........ 7
2.3.1 Signaling and Media Protocols ........ 9
2.3.2 VoIP Building Blocks ........ 11
2.3.3 VoIP Network Operation ........ 13
2.3.4 Wireless VoIP ........ 15
2.4 Network Forensics ........ 16
2.4.1 Reference Forensic Model ........ 17
2.4.2 Network Forensic Tools and Techniques ........ 19
2.4.3 Post-mortems vs. Real-time Analysis ........ 28
2.4.4 What is Network Evidence? ........ 29
2.5 Summary ........ 30

3 VoIP ARCHITECTURES ........ 32
3.1 Introduction ........ 32
3.2 Patterns for VoIP Signaling Protocol Architectures ........ 33
3.2.1 H.323 Signaling Protocol Architectures ........ 34
3.2.2 Hybrid VoIP Signaling Protocol Architectures ........ 40
3.3 VoIP Wireless Architectures ........ 51
3.3.1 VoIP in WLANs ........ 51
3.3.2 VoIP in Cellular Networks ........ 52
3.3.3 VoIP in GPRS ........ 55
3.3.4 VoIP in UMTS ........ 56
3.3.5 Mobile Internet Telephony ........ 56
3.3.6 VoIP in Satellite Networks ........ 57
3.4 VoIP in Tactical Internet ........ 57
3.4.1 Tactical Internet ........ 59
3.4.2 Joint Network Node ........ 61
3.5 Summary ........ 64

4 ATTACKS AND SECURITY PATTERNS FOR VoIP NETWORKS ........ 66
4.1 Introduction ........ 66
4.2 Roles in a basic VoIP model ........ 67
4.2.1 Internal roles ........ 67
4.2.2 External roles ........ 68
4.3 Attacks against the VoIP network ........ 70
4.3.1 Attacks when making/receiving a voice call ........ 71
4.3.2 Registration attacks ........ 73
4.3.3 Attacks against Audit ........ 74
4.4 VoIP security patterns ........ 75
4.4.1 Network segmentation ........ 75
4.4.2 VoIP tunneling ........ 78
4.4.3 Signed authenticated call ........ 81
4.4.4 Secure VoIP call ........ 85
4.5 Summary ........ 88

5 ATTACK PATTERNS ........ 89
5.1 Introduction ........ 89
5.2 A template for attack patterns ........ 90
5.3 Attack pattern: Denial-of-Service (DoS) in VoIP ........ 92
5.4 Attack pattern: Call interception in VoIP ........ 104
5.5 Attack pattern: Theft of service in VoIP ........ 116
5.6 Attack pattern: Call hijacking in VoIP ........ 123
5.7 Attack pattern: IP spoofing in VoIP ........ 133
5.8 Summary and discussion ........ 139

6 VoIP NETWORK FORENSIC PATTERNS ........ 143
6.1 Introduction ........ 143
6.2 VoIP evidence collector ........ 144
6.3 VoIP evidence analyzer ........ 155
6.4 Summary ........ 163

7 CONCLUSION AND FUTURE WORK ........ 164

REFERENCES ........ 169

ACRONYMS ........ 180


List of Figures

Figure 2.1 Class diagram for a VoIP deployment ........ 10
Figure 2.2 Sequence diagram for a telephone-to-telephone connection ........ 14
Figure 3.1 Relationships between VoIP architectural and security patterns ........ 34
Figure 3.2 Class diagram for a H.323 architecture ........ 37
Figure 3.3 Sequence diagram for call connection in H.323 ........ 38
Figure 3.4 Hybrid VoIP signaling protocol architecture ........ 44
Figure 3.5 Sequence diagram for a call connection in hybrid configurations ........ 45
Figure 3.6 Class diagram for a VoIPoW application using WLANs ........ 52
Figure 3.7 Class diagram for a VoIPoW application using GSM ........ 54
Figure 3.8 Class diagram for Verisign network routing directory ........ 55
Figure 3.9 Class diagram for a simplified Tactical Internet architecture ........ 59
Figure 3.10 Class diagram for a Joint Network Node architecture ........ 63
Figure 4.1 Use Case diagram for a VoIP system ........ 69
Figure 4.2 Relationships between VoIP security patterns ........ 76
Figure 4.3 VoIP Segmentation ........ 78
Figure 4.4 Authenticated Call sequence diagram ........ 83
Figure 4.5 Class diagram for a VoIP Secure Channel ........ 87
Figure 5.1 Class diagram for an H.323 architecture ........ 96
Figure 5.2 Class diagram for DoS attacks in H.323 ........ 97
Figure 5.3 Sequence diagram for a DoS attack in H.323 ........ 98
Figure 5.4 Class diagram for a MGCP environment ........ 99
Figure 5.5 Sequence diagram for a call interception ........ 108
Figure 5.6 Class diagram for CALEA model ........ 114
Figure 5.7 Sequence diagram for a Theft of Service attack ........ 119
Figure 5.8 Class diagram for a SIP architecture ........ 126
Figure 5.9 Class diagram for a VoIP Call Hijacking attack ........ 128
Figure 5.10 Sequence diagram for Call Hijacking attack in SIP ........ 128
Figure 6.1 Relationships between VoIP patterns ........ 144
Figure 6.2 Evidence Collector class diagram ........ 148
Figure 6.3 Sequence Diagram for evidence collection in VoIP ........ 152
Figure 6.4 Class diagram for a VoIP network forensic system ........ 158
Figure 6.5 Sequence diagram for evidence analysis in VoIP ........ 160
Figure 7.1 VoIP pattern system ........ 167


List of Tables

Table 2.1 DFRWS digital investigative framework


To Lissie and Sophie the most precious gifts God has given me


Chapter 1

Introduction

VoIP is defined as the transport of voice over Internet Protocol based networks. Any data network that uses IP can be used to establish this service. VoIP uses IP to transmit voice as packets over an IP network. Therefore, VoIP can be achieved on any data network that uses IP, such as the Internet, intranets and Local Area Networks (LAN), where digitized voice packets are transmitted over the IP network.

VoIP has had a strong effect on global communications by allowing human voice and video to travel over existing packet data networks along with traditional data packets. Consequently, the overwhelming majority of Public Switched Telephone Networks (PSTN) in service today will be replaced by the VoIP infrastructure within the next decade.

In carrier networks, VoIP has been mainly deployed in enterprise networks or as a trunking technology to reduce transport costs in voice backbone networks [Dre03]. To alleviate the increment in network capacity needs, one unified trunk network is created based on the concept of converged networks. Here, the IP network is used as a backbone between two voice switches/gateways. VoIP over Wireless (VoIPoW), which is considered a typical application in IP telephony, is becoming the most popular system for mobile communication in the world. However, studies of the security of wireless VoIP networks are still in their infancy. Wireless devices are commonly used by terrorists, and it is therefore necessary for network investigators to understand which evidence can be obtained from the VoIP system after an attack has occurred.

Many forums have discussed the benefits of VoIP, but only a few of them have openly discussed its security risks. Current VoIP products are still weak and there is a need to improve their security [Wie06]. Security patterns are useful to guide the design of security systems by providing generic solutions that can stop a variety of attacks. In this research we will present some security patterns that describe mechanisms that can control many of the possible attacks and which could be used to design secure systems.

In order to avoid attacks and discover security vulnerabilities, it is necessary to be aware of typical risks and to have a good understanding of how vulnerabilities can be exploited. Without this understanding we may produce a VoIP system that is more expensive than necessary and that has a large performance overhead.

We show here an approach to list all potential attacks by using use case diagrams, considering each action in each use case and analyzing how it can be attacked by an internal or external attacker. From the list of threats we can deduce what security patterns are necessary to prevent or mitigate the threats.

Many of these attacks occur in similar ways in different contexts or environments. Generic solutions to these issues can be expressed as patterns. A pattern is an encapsulated solution to a problem in a given context and can be used to guide the design or evaluation of systems [Gam94]. Patterns have shown their value in developing good quality software and we expect that their application to VoIP will also prove valuable to build secure systems. VoIP patterns were introduced in [Pel04] and only one other paper has shown this type of pattern [Anw06]; its authors also describe our Secure VoIP Call pattern as well as three other patterns.

The purpose of this dissertation is to generate a comprehensive pattern system including a collection of architectural, attack, forensic and security patterns, providing best practices for IP telephony systems. Our goal is to analyze the attacks against a VoIP network and the techniques that exist today to mitigate these attacks, and then to understand network forensic investigations in a VoIP converged environment, using the existing methods for this basis. The proposed pattern system will help network designers to improve the level of security not only in voice but also in data, video, and fax over IP networks. The pattern system will also allow us to specify, analyze and implement network security investigations for different architectures. We will make use of UML (Unified Modeling Language) [Boo98] to describe these patterns. This dissertation will address some of the most important existing VoIP network security and forensic issues, and will give a detailed presentation of problems which exist or are likely to exist in the future. However, this research does not guarantee to provide a generalized framework for every network forensic technique in VoIP.

In VoIP network forensics a systematic approach is needed to detect vulnerabilities and the resulting attacks. We will introduce attack patterns as a helpful investigative method which should be integrated in the VoIP network forensic process. This pattern describes, from the point of view of the attacker, how a type of attack is performed (what system units it uses and how), proposes ways of stopping the attack by enumerating possible security patterns that can be applied for this purpose, and helps analyze the attack once it has happened by indicating where we can find forensic data as well as what type of data. Attack patterns enable us to discover vulnerable parts of the VoIP network and allow us to be better able to secure them. There are various threats to a VoIP deployment from external domains and internal sources. The goal is to prevent those attacks that have the potential to affect a VoIP environment.

To address the needs of forensic investigations in VoIP, we will also propose a new type of pattern, the forensic pattern. Forensic patterns provide an abstract view of forensic information to network investigators. Forensic patterns would also be useful for training apprentice forensics technicians about common investigative techniques and tools. Developing forensic patterns will result in a better and faster response and investigation of network attacks [Moh03].

To effectively analyze security and network forensic issues in VoIP networks, we start by giving an overview of VoIP and its applications including its internetworking with Wireless Networks. Then we will continue modeling the actual IP telephony infrastructure to develop object oriented patterns; characteristics of the most important VoIP architectures are reviewed, including a VoIP network infrastructure deployment in a Tactical Internet environment. To develop security patterns, we analyze the attacks against the VoIP infrastructure from the H.323 and Session Initiation Protocol (SIP) standards, and from a hybrid architecture perspective, which will give a clear set of use cases to which we can relate these attacks.

We will analyze network forensics in a converged environment and the most popular network forensic tools available today for investigators. Further, we will introduce the concept of attack patterns and provide some examples. Finally we will introduce the forensic patterns in order to complete the VoIP pattern system which constitutes the core of this research report. The use of automated mechanisms for evidence collection in real time is fundamental when conducting network forensics investigations in a VoIP environment.

Likewise, in today’s mobile communications world network investigators are in need of network models that allow not only the detection of complex attacks, but also that support forensic evidence collection, storage and analysis. The analysis of different types of records in VoIP devices and the use of these records to reconstruct any attack related event are not automated. These manual forensic methods make the analysis almost impossible due to the large volume of data in IP networks.

This dissertation is organized as follows: in Section 2, an overview of VoIP technology is provided together with the necessary background for this dissertation. In Section 3, characteristics of the most important VoIP architectures are briefly reviewed. In Section 4, a set of security patterns are presented. In Section 5, the concept of attack patterns is introduced. Finally in Section 6, network forensic patterns are presented. This dissertation ends with Section 7, where conclusions are presented and future work is proposed.


Chapter 2

Background

2.1 Introduction

This chapter provides the reader with the background and an overview of IP telephony, followed by an analysis of PSTN versus voice over IP telephone systems. Likewise, an introduction to network forensics and the forensic process is presented in order to outline the functionalities of forensic patterns that will be introduced later in this dissertation. This forensic process also outlines the sequence of events during forensic investigations. This chapter concludes with the analysis of some relevant network forensic methods and tools.

2.2 Internet Protocol Networks

Internet Protocol (IP) networks are those that use IP to provide the functionality for interconnecting end systems across multiple networks [Sta02]. VoIP technology uses IP-based networks to establish and manage communication sessions between terminal devices. IP is the network level protocol that encapsulates the higher layer PDU (protocol data unit) into IP datagrams. One of the most important features of IPv4 is its 32-bit IP (128-bit for IPv6) address: a virtual address given to each host and router in the network. The Address Resolution Protocol (ARP) is used to obtain the actual physical address of the device. IP networks are “best-effort” delivery networks, i.e. the network will attempt to deliver the traffic, but if problems occur or the destination host cannot be found, the traffic is discarded [Bla02]. It is necessary for higher layers, such as the Transmission Control Protocol (TCP), to compensate for this. This is a major disadvantage for real-time traffic over IP networks that require a certain QoS in order to produce acceptable service. Therefore, in order to transfer voice over IP networks with an acceptable quality, it is necessary to develop and implement separate protocols.

2.3 IP Telephony

VoIP (a.k.a. IP Telephony) is defined as the transport of voice over IP-based networks. Any data network that uses IP can be used to establish this service. VoIP uses IP to transmit voice as packets over an IP network rather than the traditional circuit-switched networks of today’s telecoms. Therefore, VoIP can be achieved on any data network that uses IP, such as the Internet, intranets, and Local Area Networks (LAN), where digitized voice packets are transmitted over the IP network. VoIP can be considered as one more transport technique within the IP layer.

Existing network infrastructures can be used to carry both data and voice traffic, a combination which is very attractive to new users. Savings come from eliminating the need to purchase new Private Branch Exchange (PBX) equipment, and from reducing staff and maintenance costs, as only one network needs to be supported [Wei01]. The possible savings on the present cost of transmitting long distance messages by voice and fax traffic via existing carriers provide extra incentives for moving to VoIP.

In the mid-90’s when VoIP was first introduced, its implementations consisted of using the Internet for low-cost PC-to-PC voice communication. Today this technology has improved due to adoption of standards, interoperability among networking equipment, and improvements in Quality of Service (QoS). In addition, signaling protocols are used to set up and end calls and to carry information required to locate users and negotiate capabilities. Major communication companies like Siemens and Cisco have developed numerous VoIP products and security solutions that are already available on the market.

In carrier networks, VoIP has been mainly deployed in enterprise networks or as a trunking technology to reduce transport costs in voice backbone networks [Dre03]. The transmission of VoIP networks enables a wide variety of applications, and VoIP can be applied to almost any voice communications requirement. VoIP over wireless (VoIPoW) is considered a typical application within the VoIP technology.

In VoIP, in addition to delivering voice, the IP protocol performs some of the related functions of the voice network that are necessary to convert the whole network into a full system. Some of these functions include special features, collect calling, gateways into the public voice network, and associated actions [Gor00].

When using the IP protocol, there are three different types of connections for setting up the call. In all of the cases of VoIP, the IP Protocol is used: (1) PC-to-PC, in which individuals online talk through their PCs, (2) PC-to-telephone, in which individuals make and receive voice calls and messages while on the Internet, and (3) telephone-to-telephone, in which calls are made and received using regular phones connected to PSTN or IP-telephones connected to a data net (an example of this type of connection will be given in section 2.3.3).

Figure 2.1 shows a class diagram describing how an IP telephony system integrates with the PSTN. This model shows how it becomes possible to place a call from a regular telephone number to a PC running an H.323 client. The PBX that supports the standard phone (caller) formats Caller and Callee numbers and forwards them to the VoIP gateway via the PSTN network. The gateway takes the voice call from the circuit-switched PSTN and places it on the IP network. The gateway then queries the gatekeeper via the IP network with the Caller/Callee numbers (note that the voice packets do not go through the gatekeeper, only the call signaling) and the gatekeeper translates them into a routing number based upon service logic. Finally, the gateway routes the call to the called party (i.e., Callee).
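The PSTN-to-IP call flow just described (the PBX formats the numbers, the gateway queries the gatekeeper, only signaling passes through the gatekeeper while voice goes from the gateway to the endpoint) can be made concrete with a small Python model. This is an added example, not code from the dissertation; the class names, the routing table entry, the phone numbers and the H.323 endpoint name are constructed for illustration, and the method calls stand in for the H.225 RAS and Q.931 messages real equipment exchanges. Keeping separate signaling and media logs on each component shows where an investigator can expect to find each kind of evidence after a call.

```python
"""Model of the PSTN-to-IP call flow of Figure 2.1 (added example).

Constructed for illustration: class names, the routing entry, the phone
numbers and the endpoint address are made up, and Python method calls
stand in for the H.225 RAS / Q.931 messages real equipment exchanges.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Gatekeeper:
    """Translates Caller/Callee numbers into a routing address.

    The gatekeeper sees call signaling only; voice packets never reach it,
    so its log is evidence of who called whom, not of what was said.
    """
    routes: Dict[str, str] = field(default_factory=dict)   # E.164 -> endpoint
    admission_log: List[Tuple[str, str, str]] = field(default_factory=list)

    def resolve(self, caller: str, callee: str) -> Optional[str]:
        self.admission_log.append(("ARQ", caller, callee))
        return self.routes.get(callee)


@dataclass
class Gateway:
    """Takes the call from the circuit-switched PSTN onto the IP network."""
    gatekeeper: Gatekeeper
    signaling_log: List[Tuple[str, str, str]] = field(default_factory=list)
    media_log: List[Tuple[str, bytes]] = field(default_factory=list)

    def setup_call(self, caller: str, callee: str) -> Optional[str]:
        self.signaling_log.append(("SETUP", caller, callee))
        target = self.gatekeeper.resolve(caller, callee)
        if target is None:
            # Unknown callee: tear the call down, no media is ever sent
            self.signaling_log.append(("RELEASE", caller, callee))
            return None
        self.signaling_log.append(("CONNECT", caller, target))
        return target

    def relay_voice(self, target: str, packet: bytes) -> None:
        # Media path: gateway -> IP network -> endpoint, bypassing the gatekeeper
        self.media_log.append((target, packet))


@dataclass
class PBX:
    """Formats Caller and Callee numbers and forwards them to the gateway."""
    gateway: Gateway

    def place_call(self, caller: str, callee: str, voice: List[bytes]) -> Optional[str]:
        # Strip dialing punctuation so the gateway receives plain digit strings
        caller = "".join(ch for ch in caller if ch.isdigit())
        callee = "".join(ch for ch in callee if ch.isdigit())
        target = self.gateway.setup_call(caller, callee)
        if target is not None:
            for pkt in voice:
                self.gateway.relay_voice(target, pkt)
        return target


def run_demo() -> Tuple[Gatekeeper, Gateway, Optional[str]]:
    """Places one call from an analog phone to a PC-based H.323 client."""
    gk = Gatekeeper(routes={"5615550100": "h323:pc-alice.example.net"})  # constructed
    gw = Gateway(gatekeeper=gk)
    pbx = PBX(gateway=gw)
    target = pbx.place_call("(561) 555-0199", "561-555-0100", [b"rtp-0", b"rtp-1"])
    return gk, gw, target


if __name__ == "__main__":
    gk, gw, target = run_demo()
    print("routed to:", target)
    print("gatekeeper saw:", gk.admission_log)        # signaling only
    print("gateway relayed:", len(gw.media_log), "voice packets")
```

Running the module shows the gatekeeper's log holding one admission request with the normalized numbers while every voice packet appears only in the gateway's media log, which is the evidence-location point the paragraph makes about the gatekeeper seeing signaling but not voice.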

The call quality of VoIP has improved to such a high level that it is difficult for a subscriber to differentiate between packetized voice and a digital circuit. This makes it possible for VoIP to compete successfully with the traditional telephone system (i.e., PSTN).

2.3.1 Signaling and Media VoIP Protocols

Two types of protocols are used in VoIP: signaling protocols and media transport protocols. Signaling allows call information to be carried across network boundaries providing session setup, control and teardown. VoIP signaling protocols generally can be divided into two main groups, client-server and user-to-user. In the latter group, SIP and H.323 are the two most popular. Media exchange (client-server type) protocols are out of the scope of this dissertation; however in chapter 6, the Megaco/H.248 control protocol architecture is used to analyze Denial of Service attacks.

Figure 2.1. Class diagram for a VoIP deployment (classes shown: AnalogPhone, PC, Router, Gateway, PBX, Gatekeeper; association: transmit packets)

H.323 defines a family of protocols specified by the ITU research group [ITU06]. The standard provides a foundation for signaling in order to exchange voice, video, and data communications in an IP-based network. H.323 supports Secure Real-Time Protocol (SRTP) for media confidentiality and Multimedia Internet Keying (MIKEY) for key exchange. It is important to emphasize that the signaling is only protected up to the gateway.


SIP is a more recent standard for multimedia conferencing over IP. The standard was defined by the Internet Engineering Task Force (IETF) [Ros02] and is conceptually simpler than H.323. SIP is used for creating, modifying and terminating sessions between endpoints. SIP supports the Secure Real Time Protocol (SRTP) for securing media traffic and Transport Level Security (TLS) and Secure / Multipurpose Internet Mail Extensions (S/MIME) for signaling protection. Although most VoIP implementations today use the H.323 protocol for IP services, SIP is gaining more acceptance in the network telephony market due partly to its flexibility and lower implementation costs. It is possible to use each protocol alone or both protocols within the same network in order to provide universal connectivity.

2.3.2 VoIP Building Blocks

A typical VoIP deployment consists of the following physical elements: terminal devices, gateways, call servers, and optional elements.

Terminal Devices

Terminal device refers to any device used by an end-user that supports placing and receiving calls in a VoIP network. IP phones connected to LANs (a.k.a. hardphones) are included, as well as PC-based IP phones (a.k.a. softphones). Softphones are applications installed on user systems (e.g., desktops) with speakers and microphones; they reside in the data segment (implemented by VLANs). On the other hand, hardphones are located in VLANs that support only IP telephony services. This segmentation technique will be further explained in Section 4. IP phones offer services such as user directory lookups, Web browsing, instant messaging, and multimedia conferencing; these IP services are accessed via a proxy server.

Gateways

Gateways are devices that provide voice services, including such features as PSTN access, IP packet routing, and backup call-processing. This is the device that provides access to legacy voice systems for local calls, toll bypass, and WAN backup in case of failure. Gateways convert data packets from the IP network into voice before sending them over a carrier network such as the Integrated Services Digital Network (ISDN) or PSTN. On the other hand, when VoIP is used internally, the gateway basically routes packetized voice data between the source and the destination.

Call Servers

The IP-PBX is a server that provides call control and configuration management for IP telephony devices. This device provides the core functionality to bootstrap IP telephony devices, provide call setup, and route calls throughout the network to other voice devices, including voice gateways and voice-mail systems [Mar01]. This basically moves the standard functions of a Private Branch Exchange (PBX) to a dedicated server.

Optional Elements

Optional elements in a VoIP environment are Multipoint Control Units (MCU), used for conferencing, and back-end services (BES), which provide such services as data tracking of call endpoints and authentication servers.

2.3.3 VoIP Network Operation

Initially, the terminal devices access a Dynamic Host Configuration Protocol (DHCP) server to obtain an IP address; all IP telephony devices are then required to complete a registration with the call server before placing a call. After completing the registration process, the IP telephony devices are configured with access to voice-mail, data services, time-of-day, speed-dials, any other custom configurations, and an extension. Then the devices will be ready to make and receive a call. In order to support directory services, the call server will add the registered device to the DNS.

The caller will pick up the IP-phone and dial the extension of the remote user with whom [s]he wants to speak. The extension number is sent to the IP-PBX, which in turn notifies the destination device that a call is incoming. The IP-PBX will be able to complete the call because the destination device went through the registration process. Once the remote user takes the device off the hook, the remote device notifies the IP-PBX that it is willing to accept the call. The IP-PBX will then notify both devices that a channel is available to start the conversation.

In a telephone-to-telephone connection type, if the call is made using regular phones that are connected to a PSTN, the network-based call would proceed as follows:

1. The caller picks up a standard telephone, which is supported by a PBX. The PBX is physically connected to the gateway over one of the access cards.

2. The caller then dials an access code (e.g., 7) that tells the PBX to route this call over the PBX trunk connected to the gateway. Next, the caller types in the branch or extension number (e.g., 123-4567).

3. The gateway routes call setup messages over the enterprise network to the remote gateway. The gateway sets up the call via the PBX, and if the called party is available, voice bits will be encapsulated within the IP payload [Min02].

Figure 2.2 shows a sequence diagram for a telephone-to-telephone connection type. In this case, the model presented in Figure 2.1 could easily be altered to have analog telephones, rather than PCs, as endpoints.

Figure 2.2. Sequence diagram for a telephone-to-telephone connection (participants: aCaller «actor», :PBX, :VoIPGateway, :RemoteGateway, :RemotePBX, aCallee «actor»; messages: dial access code, processes, dial number, route call, route call, route call, setup call, setup call, establishes call)

2.3.4 Wireless VoIP

VoIP has not only been gaining ground on landline networks but is also attracting considerable interest in wireless networks. The main advantage of VoIP over Wireless (VoIPoW) is service flexibility. With this technology, users will be able to use a variety of wireless devices, including cellular phones, two-way radios, PDAs, laptop computers, and similar devices. The low cost of transport and switching is another benefit of this technology.

VoIPoW is targeted at data (e.g. mobile laptop) users, allowing mobile workers to make and receive telephone calls on a shared wireless infrastructure. VoIPoW is becoming available for both wireless LAN and wireless WAN applications.

This technology has two major disadvantages: security and header compression. The security issues of wireless devices are as serious as any attack on the corporate database and may have damaging effects on the privacy of individuals and the protection of the resources of an enterprise. The increase in functions in cellular devices creates new possibilities for attacks; these attacks will be discussed later in this dissertation.

On the other hand, the large headers of the protocols (IP/UDP/RTP) used when voice data is sent over the Internet consume too much bandwidth and make inefficient use of valuable radio spectrum [Eri00]. The data size is only 15-30 octets, whereas the headers amount to 40 (IPv4) to 60 (IPv6) octets. Header compression protocols like ROCCO (Robust Checksum-based header Compression) and CRTP (Compressed Real Time Protocol) can solve this inefficient use of the spectrum. There exist many different forms of implementing VoIP in wireless communications and networking, which will be discussed in Chapter 3.

2.4 Network Forensics

Network forensics is the act of capturing, recording, and analyzing information collected on active networks from various intrusion detection, auditing, and monitoring points in order to discover the source of security breaches or other information assurance problems [Case06, Fer05, Ran06]. Network forensics technology is useful not only to law enforcement, but also to the military and the private sector. Examples of these network analysis procedures are the examination of router and firewall logs, or of eavesdropped data from a network. Network forensics adds another dimension of protection to the VoIP system in addition to the well-known security mechanisms discussed in the previous chapter.

Computer and network forensics have been developed to ensure thorough investigations in a converged environment. Network forensics supports VoIP investigations by providing information about the location and the way that attackers perform their crimes. The collection of this evidence is crucial in the prosecution of criminals. Thus, network forensics not only helps to find criminals but also indirectly helps to stop network crimes and reduce their incidence. Network forensic models allow not only the detection of complex attacks, but also the understanding of what happened after a system is breached.

By providing information about the location and the way that attackers perform their crimes, network forensics supports investigations in VoIP. These methods can illuminate issues such as bandwidth use in terms of machines, protocols, users, or content. Issues like unauthorized services, cleartext-password protocols, or implementations that violate protocol standards can also be summarized using these methods [Cor02].

The collection of data in real time and the use of automatic mechanisms are vital when conducting network forensics investigations in a VoIP environment. This will result in a better and faster response to network attacks.

Most network forensic systems are based on the inspection of traces in order to detect predefined attack patterns and deviations from normal behavior. Their function is therefore to assist network forensic specialists in the investigation of crimes perpetrated through the use of computers and networks.

The major features of network forensics analysis can be summarized into two fundamental goals [Wan05]: (1) attack scenario reconstruction, which is the process of understanding the actions taken by the attacker to complete her job, and (2) attack group identification, which is the process of discovering the group of hosts involved in the attack and determining the role of each host in the group.

2.4.1 Reference Forensic Model

Several models are used for investigation in forensic science. We chose the framework from the Digital Forensics Research Workshop (DFRWS) because it is a comprehensive approach and is more oriented to this dissertation's goals. The DFRWS model shows the sequential steps for digital forensic analysis [DFRWS01]. These steps are shown in Table 2.1.

IDENTIFICATION: Event/Crime Detection; Resolve Signature; Profile Detection; Anomalous Detection; Complaints; System Monitoring; Audit Analysis

PRESERVATION: Case Management; Imaging Technologies; Chain of Custody; Time Synch.

COLLECTION: Preservation; Approved Methods; Approved Software; Approved Hardware; Legal Authority; Lossless Compression; Sampling; Data Reduction; Recovery Techniques

EXAMINATION: Preservation; Traceability; Validation Techniques; Filtering Techniques; Pattern Matching; Hidden Data Discovery; Hidden Data Extraction

ANALYSIS: Preservation; Traceability; Statistical; Protocols; Data Mining; Timeline; Link; Spatial

PRESENTATION: Documentation; Expert Testimony; Clarification; Mission Impact Statement; Recommended Countermeasure; Statistical Interpretation

Table 2.1 - DFRWS Digital Investigative Framework [DFRWS01] (phases with the techniques listed under each)

The initial phase, the Identification of potential digital evidence (i.e., where the evidence might be found), is covered by Intrusion Detection Systems (IDS) and, in some sense, by the attack patterns. The Preservation phase involves acquiring, isolating, securing, and preserving the state of the digital evidence; making forensic images of the evidence; and establishing the chain of custody. A chain of custody refers to documenting the seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence [Wik07]; this process is carried out from the instant voice packets are collected, through and beyond their final presentation in a court of law.

The Collection phase involves the process of identifying, labeling, recording, and acquiring forensic data from the possible sources of evidence, according to standard procedures in forensics. The Examination phase consists of processing large amounts of collected voice packets. This is achieved by combining automated and manual methods to assess and extract interesting data while preserving the integrity of the data. The Analysis phase involves the analysis of the results from the examination phase, using legally justifiable (automated) methods to determine significance, reconstruct fragments of data, and derive conclusions based on the collected evidence.

We will concentrate on the middle phases of the forensic process (i.e., the collection, examination, and analysis of the evidence), which will be revisited and presented as patterns in Chapter 7. This process provides network investigators with a structured method to collect more and better evidence and to reduce the analysis time in VoIP networks.

The Presentation phase involves the legal aspects of the forensic investigation: presenting the findings in court and to corporate investigative units by applying laws and policies to the expert testimony and securing the admissibility of the evidence and analysis. This phase is outside of the scope of this research, but it must be considered in order to create a comprehensive model.

2.4.2 Network Forensics Tools and Techniques

Network forensic investigators need various types of tools to identify and collect network evidence and to confront the unique forensic challenges presented by a converged network environment. Because voice travels in packets over the data network, various tools and techniques can be used for network forensic purposes, such as Network Forensic Analysis Tools (NFAT) or IP traceback and packet marking across VoIP systems, just to mention a few. They can assist network investigators in the collection, examination, and analysis of forensic data in order to identify, store and play back voice communications traversing the network.

This section will address some of the most important existing forensic tools and techniques and will discuss some of the problems which exist or are likely to exist in the future. However, this research does not guarantee the creation of a generalized framework for every forensic method in VoIP.

Previous Work

Several papers have been written about network forensic models by different network security specialists and organizations, but in general none of these authors has done the systematic work of identifying formal security patterns for attacks against the VoIP network infrastructure. One of the earliest discussions about this topic is a paper by Stephenson [Ste03] describing an approach to post-incident root cause analysis of digital incidents (a.k.a. digital post mortems) that has structure and rigor, and whose results can be modeled formally using Colored Petri Nets. He focuses upon the investigative approach in forensic digital analysis and the modeling of the outcome.

Shanmugasundaram et al. [Sha03] created ForNet, a distributed network logging mechanism to aid digital forensics over wide area networks. This network forensics system was designed to integrate forensic capabilities into network infrastructures. The system incorporates the use of synopses for tracing payloads, detecting network attacks and collecting forensic data.

Tang [Tan05] developed a network forensics framework based on distributed techniques which provides an integrated model for automatic forensic evidence collection and data storage, supporting the integration of known attribution methods, and an attack attribution graph generation mechanism to illustrate hacking procedures. Likewise, Wang and Daniels [Wan05] propose an evidence graph model to facilitate the presentation and manipulation of intrusion evidence. For automated evidence analysis, they developed a hierarchical reasoning framework that includes local reasoning and global reasoning.

Ren and Jin [Ren05] developed a model based on distributed adaptive network forensics and active real-time network investigation. The Ren/Jin model seems to be a more complete and more realistic approach with respect to other existing network forensic models.

On the other hand, Bogen [Bog05] proposes a core set of modeling views for a unified computer forensics modeling methodology: the investigative process view, the case domain view, and the evidence view. Bogen doesn't specify network forensic patterns; he focuses on computer forensics, evaluating the utility of case domain modeling for the problem of deriving keyword search terms for cases.

When analyzing the existing network forensic work, we concluded that the use of UML models in VoIP forensic analysis has not been common. None of these authors have discussed object-oriented models or attack patterns for VoIP networks.

Packet Sniffers and Protocol Analyzers

Packet sniffers are also referred to as network monitors or packet analyzers. They are software applications that capture and decode network traffic. Packet sniffers use a network adapter card in promiscuous mode to capture voice packets traveling the IP network. In order to monitor VoIP traffic, an examiner can place packet sniffers on any backbone device or network aggregation point. Packet sniffers are good tools for network investigators who want to monitor the information that enters and leaves the system.

Protocol analyzers usually are able to process not only live network traffic but also packets that have been recorded previously in capture files by packet sniffers. Protocol analyzers are useful in displaying network traffic data in an understandable format [Ken06]. With these tools, investigators are able to capture the packets and decode the voice packet payload in order to analyze VoIP calls, for example. Unfortunately, however, this software is also available to hackers. One of the currently most popular packet-collection tools is tcpdump; this software can be downloaded freely on the Internet and is available on most Unix and Windows platforms.

Intrusion Detection Systems

Intrusion Detection Systems (IDS) are another important evidence tool for network forensics analysis. An IDS identifies suspicious patterns that may indicate a network attack by inspecting all inbound and outbound network activity. IDS data is often the starting point for examining suspicious activity. In addition to identifying malicious network traffic at all TCP/IP layers, an IDS also logs many data fields that can be useful in validating events and correlating them with other data sources [Ken06].

IDS can be classified into two categories: anomaly detection and misuse (knowledge-based) detection. Anomaly detection systems require the building of profiles for each user group on the system. This profile defines an established baseline for the activities that a normal user routinely does to perform his/her job [Cor02]. However, these systems have several drawbacks: their alerts are not well adapted for forensics investigation, they are complicated and impractical, and they have a high false negative rate.

In contrast, misuse detection methods, also known as signature-based detection, look for intrusive activity that matches specific signatures. These signatures are based on a set of rules that match typical patterns and exploits used by attackers to gain access to a network [Fer05]. The disadvantage of misuse detection methods is that they cannot detect new attacks, because these don't have a known signature.

The best solution is to combine signature-based systems and anomaly detection systems that can decrease false alarm rates using a lightweight IDS, e.g. Snort [Casw06]. Snort can be used as a straight packet sniffer, a packet logger, and a full-blown network intrusion detection system.

The problem is that Snort is still a misuse detection system, and therefore it only catches known attacks or unusual behavior. In general, much redundancy exists in IDS technology, as well as high false alarm rates, while relevant information may be missing or incomplete.

Likewise, an IDS records information that may indicate a suspicious event. In this way, IDS software records the same basic event characteristics that firewalls and routers record (e.g., date and time, source and destination IP addresses, protocol, basic protocol characteristics), in addition to application-specific information (e.g., username, filename, command, status code) [Gra05].

Network Forensic Analysis Tools

Network Forensic Analysis Tools (NFAT) are defined as a set of network tools used to analyze traffic from a forensic point of view. NFATs typically provide the same functionality as packet sniffers and protocol analyzers, as they focus on collecting and analyzing network traffic [Nis05].

Some of the most popular NFATs available today are Sandstorm NetIntercept, Niksun NetVCR and eTrust Network Forensics. This software is designed to allow investigators to discover useful details about the analyzed traffic. In order to analyze the attack behavior by replaying the attacking procedure, NFATs are used to reorganize the packets into individual transport-layer connections between terminal devices.

This reconstructive traffic analysis is often limited to data collection and packet-level inspection; however, an NFAT can provide a richer view of the data collected, allowing investigators to inspect the traffic from further up the protocol stack [Cor02]. By using these tools, investigators can also observe the voice packet streams and the associations between terminal devices. Some NFAT tools can even tie IP addresses, domain names, or other data to physical locations and produce a geographic map of the activity [Gra05].

IP Traceback and Packet Marking

IP traceback and packet marking are important network forensic analysis techniques used for attack attribution. IP traceback is defined as any method for reliably determining the origin of a packet on the Internet [Wik07]. Existing approaches to the problem of finding the source of a VoIP packet are based on probabilistic packet marking, which overloads existing header fields in order to encode the path traversed by a packet in a way that will have minimal impact on existing users. In a denial of service attack, the victim will receive enough traceback packets to be able to reconstruct the entire attack path [Sha03]. To perform IP traceback, Alex C. Snoeren [Sno02] developed what he called a "Source Path Isolation Engine (SPIE)", using a Bloom filter as the data storage mechanism.
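As an added illustration of the SPIE approach just described (example code written for this edit, not Snoeren's implementation or the dissertation's), the following Python models per-router Bloom-filter digest tables: the digest covers only the hop-invariant header fields plus a payload prefix, so the victim's copy of a packet can be looked up at every router, and a negative answer is definitive while a positive one may be a Bloom-filter false positive. The topology, packets and filter sizes are constructed for the demonstration.

```python
"""
SPIE-style packet digesting with a Bloom filter (added example; not code from
the dissertation or from Snoeren's SPIE).

Each router keeps, per time window, a Bloom filter of digests of the packets it
forwarded. A digest covers only the header fields that stay constant hop to hop
plus the first bytes of payload, so the same packet yields the same digest at
every router. During an investigation the victim's packet is hashed the same way
and each router is asked "did you forward this?": a 'no' is always correct, a
'yes' may be a false positive, which is why SPIE walks the topology hop by hop.
"""
import hashlib
from dataclasses import dataclass

# Bloom filter parameters are constructed for the demonstration.
FILTER_BITS = 1 << 16   # 65,536 bits per router per time window
NUM_HASHES = 4


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int      # 17 = UDP, the carrier of RTP voice
    ident: int      # IPv4 identification field
    payload: bytes  # RTP header + voice samples


def packet_digest(pkt: Packet) -> bytes:
    """Hash the hop-invariant part of the packet. TTL and header checksum
    change at every hop and are deliberately left out; the payload prefix
    keeps two packets with identical headers apart."""
    invariant = f"{pkt.src}|{pkt.dst}|{pkt.proto}|{pkt.ident}|".encode()
    return hashlib.sha256(invariant + pkt.payload[:8]).digest()


def _bit_positions(digest: bytes):
    # Derive NUM_HASHES independent bit positions from one digest.
    for i in range(NUM_HASHES):
        h = hashlib.sha256(bytes([i]) + digest).digest()
        yield int.from_bytes(h[:4], "big") % FILTER_BITS


class RouterDigestTable:
    """One Bloom filter per (router, time window); bits are only ever set."""

    def __init__(self, name: str):
        self.name = name
        self.bits = bytearray(FILTER_BITS // 8)

    def forward(self, pkt: Packet) -> None:
        for pos in _bit_positions(packet_digest(pkt)):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def may_have_forwarded(self, pkt: Packet) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8))
                   for p in _bit_positions(packet_digest(pkt)))


def trace_path(routers, pkt: Packet):
    """Names of routers whose tables answer 'yes' for pkt. Because of
    Bloom-filter false positives this is a candidate set, not proof; a router
    whose table answers 'no' definitely did not forward the packet."""
    return [r.name for r in routers if r.may_have_forwarded(pkt)]


def demo():
    # Constructed topology: R1 -> R2 -> R3 carried the victim's packet,
    # R4 sits on an unrelated path and saw only background traffic.
    r1, r2, r3, r4 = (RouterDigestTable(n) for n in ("R1", "R2", "R3", "R4"))
    victim_pkt = Packet("10.0.0.5", "10.0.9.9", 17, 0x1A2B,
                        bytes.fromhex("80e0000100001234") + b"voice")
    for hop in (r1, r2, r3):
        hop.forward(victim_pkt)
    for i in range(200):
        r4.forward(Packet("10.0.1.1", "10.0.2.2", 17, i, bytes([i % 256]) * 12))
    return trace_path([r1, r2, r3, r4], victim_pkt)


if __name__ == "__main__":
    print(demo())
```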

The increase in cellular and wireless handheld devices provides a unique challenge for network investigators. While an attack on a wired network is investigated by tracing it back to a physical location, no physical access is required when a wireless medium is attacked. In this case it is harder to extract evidence.

One form of documented wireless misuse is when wireless networks that allow anonymous connectivity are used as an anonymous launch pad to commit further crime. In the event that this crime is discovered, the origin of the attack can only be traced back as far as the wireless connection [Sla06]. Likewise, IP telephony allows attackers to spoof source IP information, which can result in investigative dead-ends. For instance, even if an IP address has not been spoofed, if the attack has been launched from a public access machine, this will limit investigative options.

In summary, locating attackers with IP traceback technology is a potential security mechanism to counter DoS and many other types of attacks. IP traceback works even when criminals conceal their geographic locations by spoofing source addresses.

Logging

The collection of evidence before, during, and after an attack occurs is another important forensic technique. The best available IP telephony system evidence is generally provided by logging. Basically, logging is the tracking of all the information going across a network. With the proper amount of logging information, investigators will be able to trace a hacker.

Log files provide useful audit trails of system activity; they can provide investigators detailed event information about occurrences within a specific scope. On the other hand, most applications allow for minimal logging to avoid performance impact [Sol05].

Ideally, a network administrator would like to keep track of every packet that goes across the VoIP network. This unfortunately is not an achievable goal, because the storing of network data for forensic analysis in converged networks is complicated. Current issues about this technique, such as the required data storage (in real-time networks), and the proposed solution will be studied in the network forensic patterns section in Chapter 7.

Reverse engineering

Reverse engineering can be considered another forensic method in the Object-Oriented Design domain. When using this method, the UML tool loads all the files of the application and the system, identifies dependencies among the different classes, and essentially reconstructs the entire application structure along with all the associations between the classes [Chi03]. This reconstructive traffic analysis is often limited to data collection and packet-level inspection. However, in combination with a network forensics analysis tool (NFAT) it can provide a better view of the data collected.

2.4.3 Post-mortem vs. Real-time Analysis

In network forensics, the forensic examination of logs can be generally classified into two categories: post-mortem and real-time analysis. Post-mortem examination refers to the analysis of network evidence about a crime or other event that has already occurred and about which nothing can now be done. On the other hand, real-time analysis is an ongoing process that yields results at a rate that enables the VoIP system to respond to attacks.

To be effective, real-time analysis requires an automated collection of forensic data in order to provide data reduction and correlation. In a real-time application like VoIP, post-mortem data may not be useful. Post-mortem analysis can be used to conduct a more detailed examination of attacks against the converged network.

Attacks on VoIP applications such as VoIP in the Tactical Internet require real-time evaluation and analysis, in contrast to the traditional method (i.e., post-mortem) used in law enforcement, in which the victim's device is taken off-line after an attack has occurred. Therefore, VoIP in the Tactical Internet requires the on-line analysis of its own compromised systems, whether on-site or at some geographically distant locale. Tools will need to address the impact of data integrity and transport issues when collecting information across the network [Gio02]. Although this research focuses on real-time analysis, post-mortem analysis is also of interest because there are several ideas that investigators can borrow from it.

2.4.4 What Is Network Evidence?

The main purpose of network forensics is the identification and collection of network evidence. This collected evidence can correspond to plain data or voice conversations (as in the case of VoIP) that remain behind after someone has misused a network. For example, the existence of log files can provide evidence of incidents. The characteristics and differences of network evidence are similar to those of regular evidence. It is necessary for forensic examiners to understand the specifics of VoIP network evidence so that they can properly collect it and use it for live analysis.

According to [Kei06], investigators can collect four types of network-based evidence:

• Full content data, consisting of the actual voice packets, typically including headers and application information, seen on the wire (for Ethernet) or in the airwaves (for wireless).

• Session data, consisting of the summaries (e.g. ISP records) of each call made by the wiretapped party. This data is used to identify the time of the call, the parties involved, and the duration of the call.

• Alert data, which is created (using IDS) by analyzing network-based evidence for predefined items of interest.

• Statistical data, which can provide a look at the big picture. For example, in law enforcement, statistical data might report the average duration of suspect phone calls, how often criminals communicate, and the most popular time of the day to speak.
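The following Python, added here as an example and not taken from the dissertation or from [Kei06], derives the four evidence types above from a constructed set of call-signaling records; its alert stage applies one misuse (signature) rule and one anomaly (baseline) rule, the two IDS classes described in Section 2.4.2, so the output also shows why the text recommends combining them. The events, extension numbers and the per-caller baseline are constructed for the demonstration.

```python
"""
Deriving the four kinds of network evidence from constructed call-signaling
records (added example; not code from the dissertation).

Full content -> the raw signaling events (constructed here, not captured).
Session data -> one record per call: start time, parties, duration.
Alert data   -> output of two detectors modelled on the IDS classes of 2.4.2:
                a misuse (signature) rule and an anomaly (baseline) rule.
Statistical  -> averages and distributions over the session data.
"""
from collections import Counter
from datetime import datetime

# Constructed full-content evidence: (timestamp, method, from, to).
# Real full-content data would be the packets themselves; these fields are
# what a protocol analyzer would decode from SIP-style signaling headers.
FULL_CONTENT = [
    ("2007-03-01T09:00:00", "REGISTER", "1001", "pbx"),
    ("2007-03-01T09:00:01", "REGISTER", "1002", "pbx"),
    ("2007-03-01T09:05:00", "INVITE",   "1001", "1002"),
    ("2007-03-01T09:08:30", "BYE",      "1001", "1002"),
    ("2007-03-01T10:15:00", "INVITE",   "1002", "1001"),
    ("2007-03-01T10:16:00", "BYE",      "1002", "1001"),
    ("2007-03-01T10:20:00", "INVITE",   "1001", "1002"),
    ("2007-03-01T10:20:30", "BYE",      "1001", "1002"),
    ("2007-03-01T10:30:00", "INVITE",   "1001", "1002"),
    ("2007-03-01T10:30:30", "BYE",      "1001", "1002"),
    ("2007-03-01T10:40:00", "INVITE",   "1001", "1002"),
    ("2007-03-01T10:40:30", "BYE",      "1001", "1002"),
    # Extension 1003 never registered yet places a call: the text says all
    # devices must register with the call server before calling.
    ("2007-03-01T11:00:00", "INVITE",   "1003", "1002"),
    ("2007-03-01T11:00:20", "BYE",      "1003", "1002"),
]

# Constructed anomaly-detection profile: expected calls per caller per hour.
BASELINE_CALLS_PER_HOUR = {"1001": 1, "1002": 1}


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def session_data(events):
    """Pair each INVITE with the next BYE between the same parties and emit
    (start, caller, callee, duration_seconds). Unterminated calls are dropped."""
    open_calls, sessions = {}, []
    for ts, method, src, dst in events:
        if method == "INVITE":
            open_calls[(src, dst)] = parse_ts(ts)
        elif method == "BYE" and (src, dst) in open_calls:
            start = open_calls.pop((src, dst))
            duration = int((parse_ts(ts) - start).total_seconds())
            sessions.append((start, src, dst, duration))
    return sessions


def misuse_alerts(events):
    """Signature rule: an INVITE from an extension with no prior REGISTER.
    Catches exactly the pattern it encodes and nothing else."""
    registered, alerts = set(), []
    for ts, method, src, dst in events:
        if method == "REGISTER":
            registered.add(src)
        elif method == "INVITE" and src not in registered:
            alerts.append((ts, "unregistered-caller", src))
    return alerts


def anomaly_alerts(sessions, baseline_calls_per_hour, factor=2.0):
    """Anomaly rule: flag a caller whose calls in any hour exceed factor times
    that caller's baseline. A caller with no profile is never flagged here,
    which is the blind spot the text attributes to profile-based detection."""
    per_hour = Counter((s[1], s[0].replace(minute=0, second=0)) for s in sessions)
    alerts = []
    for (caller, hour), n in sorted(per_hour.items()):
        baseline = baseline_calls_per_hour.get(caller)
        if baseline is not None and n > factor * baseline:
            alerts.append((hour.isoformat(), "call-rate-anomaly", caller, n))
    return alerts


def statistical_data(sessions):
    """Big-picture figures of the kind the text lists: call count, average
    duration and the busiest hour of the day."""
    durations = [s[3] for s in sessions]
    busiest_hour = Counter(s[0].hour for s in sessions).most_common(1)[0][0]
    return {"calls": len(sessions),
            "avg_duration_s": sum(durations) / len(durations),
            "busiest_hour": busiest_hour}


def collect_evidence(events, baseline):
    """Run the whole derivation and return the four evidence kinds together."""
    sessions = session_data(events)
    return {"full_content": events, "session": sessions,
            "alert": misuse_alerts(events) + anomaly_alerts(sessions, baseline),
            "statistical": statistical_data(sessions)}


if __name__ == "__main__":
    for kind, value in collect_evidence(FULL_CONTENT, BASELINE_CALLS_PER_HOUR).items():
        print(kind, value)
```

In the constructed data the signature rule catches the unregistered extension 1003 and misses the call burst from 1001, while the baseline rule does the reverse, which is the complementarity the IDS discussion in 2.4.2 argues for.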

Evidence for network forensics investigations can also be classified as primary and secondary evidence. The former refers to information that directly indicates attacks or security policy violations. The latter refers to information that does not directly represent attacks but could provide complementary information for the investigation. In general, primary evidence is the starting point of a forensic investigation and provides the basis for searches for secondary evidence [Wan05]. In cases in which primary sources of forensic data don't contain enough evidence, investigators need to look for secondary sources in order to determine additional alleged events and to corroborate the primary sources of evidence. In our current forensic model, we use network IDS alerts and NFATs as the primary sources of evidence. The most obvious and common secondary sources of data are terminal devices (including wireless devices), servers, and network storage devices. In a converged environment, the infrastructure and its connective elements are also considered secondary sources of evidence in case of attack.

In order to properly investigate an attack and possibly take action against the perpetrator, investigators require evidence providing proof of the identity and actions of an attacker. The first activity in the process of evidence collection is identifying the hardware, software, and data that investigators can use. This process will be described in the next chapter as a pattern.

2.5 Summary

In this chapter we provided an overview of the VoIP technology and presented various ways in which VoIP system designers can more effectively streamline the use of IP telephony. We also presented a brief overview of network forensics and a sample network forensic investigation methodology. The forensic process highlighted the data collection, examination, and analysis steps within a typical forensic investigation. In conclusion, this chapter provided a comprehensive list of the most important network forensic tools and techniques now available. The opinion conveyed is that network forensics is still at an early stage of development. However, the use of this science together with the appropriate network forensic tools is one of the best ways to protect VoIP networks against criminals. With the information provided on network forensic tools and techniques, the reader is now able to understand the following two chapters, which provide a more detailed analysis of the network forensic issues mentioned before as well as the proposed abstract solutions for them.


Chapter 3

VoIP Architectures

3.1 Introduction

VoIP uses the Real-Time Protocol (RTP) for transport, the Real-Time Transport Protocol (RTCP) for Quality of Service (QoS) and H.323, SIP, MGCP (Media Gateway Control Protocol/Megaco) for signaling. These protocols operate in the application layer; that is, on top of the IP protocol. Most current VoIP implementations use the H.323 protocol, the same protocol used for IP video. Until now, users have preferred H.323 over SIP, but this may be primarily due to the earlier release of H.323 (in the 90’s) [Wei01]. This situation may change in the near future.

In this chapter, we present UML models for some aspects of the VoIP infrastructure. We will develop an architectural-pattern-based methodology where patterns are used for high-level specification of the VoIP system. These patterns can also be used to guide the design of VoIP systems and products as well as to simulate these systems.


3.2 Patterns for VoIP Signaling Protocol Architectures

Protocol standards imply an abstract architecture that can be used to guide the implementation of systems or products. We can describe such abstract architectures by using patterns. The abstraction power of patterns is useful to understand complex standards, to compare standards, and to analyze if a given product complies with the standard [Fer06b]. An architectural pattern is also useful for simulation. We introduce here two patterns for call control and signaling in VoIP: the H.323 Signaling Protocol Architecture and the Hybrid SIP/H.323 VoIP Signaling Protocol Architecture. The latter addresses the interoperability and coexistence of H.323 and SIP in VoIP networks.

Figure 3.1 shows a pattern diagram which relates the H.323 and Hybrid signaling architectural patterns to other existing patterns in VoIP. The patterns described in this chapter are indicated with a double contour. Since the Hybrid pattern subsumes the SIP pattern, we do not discuss the latter separately. The patterns for Secure VoIP Calls, which performs encryption of calls in a VoIP environment, and Signed Authenticated Calls, which performs both device and user authentication, will be discussed in chapter 4. Patterns for cryptography, which hide the meaning of messages, can be found in [Bra98].

Figure 3.1 Relationships between VoIP architectural and security patterns (pattern diagram; patterns shown: HybridSignalingProtocol, H.323SignalingProtocol, SIPSignalingProtocol, SignedAuthenticatedCall, Secure VoIP Call, Secure Channel, Symmetric Cryptography and PKI, linked by “uses” and “authentication” relations; diagram not reproduced in this transcript)

3.2.1 H.323 Signaling Protocol Architecture

This pattern describes an abstract generic architecture to support the H.323 VoIP

signaling protocol. This protocol is used to set up and terminate voice calls, and to

support the transport of voice, video and data packets over IP-based networks.

Context

In VoIP networks, voice and signaling are multiplexed and travel as normal data

inside LANs, WANs or the Internet. Signaling protocols are required in packet

networks for transport and control. The VoIP infrastructure is designed to initially

support simultaneous users and is capable of scaling. This pattern assumes the

availability of multiple Internet Service Provider (ISP) partners to provide edge

termination for diverse users.


Problem

The H.323 protocol is rather complex and requires a combination of components to perform its functions. How can we structure the components and procedures required for delivering multimedia communication services (i.e. voice, video and data) across packet-based networks (e.g. the Internet, intranets and Local Area Networks (LANs))?

The solution to this problem is affected by the following forces:

• We need to define an abstract architecture that can be used to guide the design

of products and systems.

• There is a need to maintain a stable and reliable transmission throughout VoIP

conversations.

• Incompatible VoIP products are the result of the absence of industry standards

within this technology. Standards need precise and clear expressions but the

standards documents are textual and long descriptions that are hard to follow

[ITU06].

• Interoperability with other multimedia service networks and terminals is vital

in VoIP. Terminal devices in disparate networks (e.g. softphone

communicating with an analog phone) communicate frequently.

• In order to transport real-time data over VoIP, call signaling is needed to set

up the connections between terminal devices.


Solution

Define an abstract architecture using terminals (to make/receive calls), gateways (to

connect different networks), gatekeepers (for control and setup) and multi-point

control units (MCU) (for conferencing).

H.323-based networks have the ability to manage available resources for call routing via H.323 gatekeepers. Gatekeepers are used for address resolution, terminal device admission control (based on bandwidth availability, concurrent call limitations, or registration privileges), bandwidth management, and zone management (the routing of calls originating or terminating in the gatekeeper zone, including multiple path reroute). Gateways coordinate calls by communicating with gatekeepers using the Registration, Admission, and Status (RAS) protocol [Cis02]. Gatekeepers are the central part of an H.323 network.

Structure

Figure 3.2 shows the UML class diagram of the H.323 architecture. The components inside the dotted lines indicate the specific units of the standard while the external units are the network components that participate in the whole system. The Layer 2 Switch provides connectivity between H.323 components and the rest of the system. The Gateway takes a voice call from a circuit-switched Public Switched Telephone Network (PSTN) and places it on the IP network. The PSTN uses PBX switches and Analog Phones. The Internet (IP network) contains Routers that connect to each other and Firewalls to filter traffic to the Terminal Devices (i.e. where users interact with the system). The gateway also queries the Gatekeeper via the Internet with caller/callee numbers and the gatekeeper translates them into routing numbers based upon service logic. Gatekeepers act like central managers, providing call setup and routing the calls throughout the network to other voice devices. The MCU (Multipoint Control Unit) is used for conferencing. Softphones are applications installed in Terminal Devices (e.g. PCs or wireless devices) used to send/receive calls.

Figure 3.2 Class Diagram for an H.323 architecture (classes shown: Gateway, Gatekeeper, MCU, TerminalDevice, Layer 2 Switch, Firewall, Router, Internet, PSTN, PBX, AnalogPhone; associations labelled filters, PSTN-to-PSTN and IP-to-IP; diagram not reproduced in this transcript)

Dynamics

The sequence diagram in Figure 3.3 shows the necessary steps for call connection between terminal devices in H.323. When terminal devices (i.e. Caller and Callee) are communicating with each other in disparate networks, more than one gatekeeper may be necessary, as shown in the figure.

Figure 3.3 Sequence diagram for call connection in H.323 (participants aCaller, Gatekeeper1, Gatekeeper2, aCallee; messages dial/setup, connect(setup), callproceed, alerting, connect, notify(CallEstablished), each relayed through the gatekeepers; diagram not reproduced in this transcript)
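The call-connection sequence above, together with the gatekeeper admission control described in the Solution, as an added Python model (example code, not part of the dissertation): a Gatekeeper registers terminals and admits calls on registration status, concurrent-call and bandwidth limits before the Setup/CallProceeding/Alerting/Connect exchange is relayed across two zones. The class names, zone names and the bandwidth and call-limit values are assumptions of this example.

```python
"""Added example (not from the dissertation): a minimal model of the H.323
signaling pattern. A Gatekeeper registers terminals (RAS RRQ -> RCF/RRJ),
performs admission control on bandwidth, concurrent-call limits and
registration status (RAS ARQ -> ACF/ARJ) and relays the H.225 call setup
sequence (Setup, CallProceeding, Alerting, Connect) between two zones,
as in Figure 3.3. Zone names and numeric limits are constructed values."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Terminal:
    alias: str            # H.323 alias (e.g. a phone number)
    ip: str               # transport address of the terminal
    registered: bool = False


@dataclass
class Gatekeeper:
    """One gatekeeper manages one zone: address resolution, admission and
    bandwidth control for the terminals registered in it."""
    zone: str
    bandwidth_kbps: int                 # total bandwidth the zone may use
    max_calls: int                      # concurrent-call limit for the zone
    terminals: Dict[str, Terminal] = field(default_factory=dict)
    active_calls: int = 0
    bandwidth_in_use: int = 0
    peers: List["Gatekeeper"] = field(default_factory=list)

    # RAS registration: RRQ -> RCF (confirm) or RRJ (reject)
    def register(self, t: Terminal) -> str:
        if t.alias in self.terminals:
            return "RRJ"                 # duplicate alias is rejected
        t.registered = True
        self.terminals[t.alias] = t
        return "RCF"

    # Address resolution: own zone first, then neighbouring gatekeepers
    def resolve(self, alias: str) -> Optional[Tuple["Gatekeeper", Terminal]]:
        if alias in self.terminals:
            return self, self.terminals[alias]
        for gk in self.peers:
            if alias in gk.terminals:
                return gk, gk.terminals[alias]
        return None

    # RAS admission: ARQ -> ACF (confirm) or ARJ (reject with a reason)
    def admit(self, caller: Terminal, bw_kbps: int) -> str:
        if not caller.registered or caller.alias not in self.terminals:
            return "ARJ:notRegistered"
        if self.active_calls >= self.max_calls:
            return "ARJ:callLimit"
        if self.bandwidth_in_use + bw_kbps > self.bandwidth_kbps:
            return "ARJ:insufficientBandwidth"
        self.active_calls += 1
        self.bandwidth_in_use += bw_kbps
        return "ACF"


def place_call(gk: Gatekeeper, caller: Terminal, callee_alias: str,
               bw_kbps: int = 64) -> List[str]:
    """Return the ordered signaling events of one call attempt.
    Gatekeeper-routed signaling: every H.225 message is relayed by each
    gatekeeper on the path, as the sequence diagram shows."""
    trace: List[str] = []
    verdict = gk.admit(caller, bw_kbps)
    trace.append(f"{gk.zone}:{verdict}")
    if verdict != "ACF":
        return trace                    # rejected before any Setup is sent
    target = gk.resolve(callee_alias)
    if target is None:
        trace.append(f"{gk.zone}:ReleaseComplete(unreachable)")
        return trace
    callee_gk, callee = target
    path = [gk] if callee_gk is gk else [gk, callee_gk]
    forward = "->".join(g.zone for g in path)   # caller side to callee side
    backward = "<-".join(g.zone for g in path)  # responses travel back
    trace.append(f"Setup({caller.alias}->{callee.alias}) via {forward}")
    for msg in ("CallProceeding", "Alerting", "Connect"):
        trace.append(f"{msg} via {backward}")
    trace.append("notify(CallEstablished)")
    return trace


def demo() -> List[str]:
    """Constructed scenario: two zones, the callee is registered in zone B."""
    gk_a = Gatekeeper("zoneA", bandwidth_kbps=128, max_calls=1)
    gk_b = Gatekeeper("zoneB", bandwidth_kbps=1024, max_calls=10)
    gk_a.peers.append(gk_b)
    alice = Terminal("1001", "10.0.0.11")
    bob = Terminal("2001", "10.0.1.21")
    gk_a.register(alice)
    gk_b.register(bob)
    return place_call(gk_a, alice, "2001")
```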

Implementation

Most existing VoIP implementations use the H.323 protocol, and the same protocol is used for IP video (although SIP is more popular for new systems). H.323 references many other ITU telecommunication standardization sector (ITU-T) [ITU06] protocols, such as:

• H.225.0, which describes call signaling, the media (audio and video) stream packetization, media stream synchronization and control message formats.

• H.245, the control protocol for multimedia communication, which describes the messages and procedures used for opening and closing logical channels for audio, video and data, capability exchange, control and indications.

• H.450, which describes the Supplementary Services.

• H.235, which describes security in H.323.

• H.239, which describes dual stream use in videoconferencing, usually one stream for live video and the other for a presentation.

• H.460.17-19, which describe firewall traversal in H.323.

• H.261, H.263 and H.264, which describe video encoding.

Consequences

This pattern has the following advantages:

• It is possible to establish a phone conversation between different domains and to use all types of telephony devices throughout IP networks.

• It contains components that can maintain a stable and reliable transmission between two or more VoIP users.

• The reference architecture lets vendors produce compatible products.

• The components in the H.323 architecture enable network interoperability (e.g. packet switch-to-circuit switch).

This pattern has the following disadvantages:

• H.323 is a rather complex protocol and even its abstract architecture is rather complex.

• H.323 defines several associated protocols and many services require interactions between those sub-protocols, which increases complexity and decreases scalability [Dal99].

• Security features are more easily implemented in SIP when compared to H.323 because of the SIP client-server operation mode.

• H.323 protocols frequently use ASN.1 encoding rules. The H.323 ASN.1 parser has proved vulnerable to implementation-level attacks [OUS04].

Known uses

Cisco [Cis02], and others.

Related patterns

This pattern is related to the Hybrid VoIP Signaling Protocol pattern described next and to the security patterns indicated in Figure 3.1. The model of Figure 3.2 is based on an early model in [Pel04]. An E/R model for H.323 is given in [OUS04].

3.2.2 Hybrid VoIP Signaling Protocol Architecture

The Hybrid Protocol Architecture pattern describes an abstract architecture to combine the H.323 and SIP architectures using a shared infrastructure of interworking functions between both protocols. This architecture allows coexistence and transparent translation of signaling between both architectures.

Context

In VoIP networks, voice and signaling are multiplexed and travel as normal data

inside LANs, WANs or the Internet. Signaling protocols are required in packet

networks for transport and control. The VoIP infrastructure is designed to initially

support simultaneous users and is capable of scaling. This pattern assumes the

availability of multiple Internet Service Provider (ISP) partners to provide edge

termination for diverse users.

Problem

Some environments have a large variety of users and require the use of multiple

signaling protocols. How do we design an architecture that provides support for both

SIP and H.323 calls, is capable of scaling, and can be made secure?

The solution to this problem is affected by the following forces:

• VoIP must be able to accommodate multiple existing and potential signaling protocols.

• Provision must be made for the necessary security mechanisms in order to protect the VoIP network and its users. As VoIP operates on a converged network, voice and video packets are subject to the same threats as those associated with data networks [Pel04]. In contrast to the PSTN, signaling in VoIP is sent through the public Internet. This leads to easy access to the voice packets (i.e. call interception) by attackers and its consequent security problems [Wie06].

• Because the interworking function combines both SIP and H.323 functionality, security considerations for both of these protocols apply [Sch04].

• Because all data elements in SIP or H.323 have to terminate at the interworking function, the resulting security cannot be expected to be end-to-end. Thus, the interworking function terminates not only the signaling protocols but also the security in each domain [Sch04].

• VoIP networks must be based on industry standards so as to provide functionality between disparate networks and product compatibility.

• Interoperability and coexistence between SIP and H.323 is essential in order to support new deployments that might use SIP as a substitute VoIP signaling protocol.

• In deployments where both protocols are used, it is important that there are no performance limitations related to the call mix between SIP and H.323 calls, and that there is no significant deviation in calls-per-second measurements compared to a homogeneous SIP or H.323 network [Cis02].

Solution

The key component of this architecture is defined as the interworking function (IWF), which provides this SIP-H.323 translation. The main functionality of this interworking function includes user registration, address translation, establishment of call connect, and service provision. This functionality can be implemented as part of a VoIP network server such as an H.323 Gatekeeper, a SIP Proxy, or a Softswitch, which might include a gatekeeper and SIP Proxy. Or, the functionality can be implemented via an external SIP-H.323 signaling gateway [Rad01].

Structure

The class diagram in Figure 3.4 shows a hybrid configuration where a SIP architecture (within dotted lines) is combined with an H.323 network. The gateway on the H.323 side takes the voice call from the PSTN network and routes it to the called party. In a similar way, the SIP protocol uses redirect or proxy servers for call routing. The proxy server provides security mechanisms for terminal devices such as access control, authentication and authorization. A hybrid signaling setting may involve two types of Endpoints: H.323 Terminal devices and SIP User Agents. User Agents (UAs) are combinations of User Agent Clients (UAC) and User Agent Servers (UAS). The UA is the phone on the SIP side, and the Register server receives registrations and requests updates of the Location server, which keeps track of the UAs. A UAC is responsible for initiating a call by sending a URL-addressed INVITE to the intended recipient. A UAS receives requests and sends back responses. The Proxy server is connected to a VoIP gateway (to make possible a call from a regular telephone to an IP phone) and to other proxy servers. The registrar and location server may be integrated in the proxy server. Once the call has been established, the RTP media packets flow between endpoints.

Figure 3.4 Hybrid VoIP Signaling Protocol Architecture (classes shown: SIP server with Proxy server, Redirect, Register and Location server; UserAgent, Terminal Device, IWF, Directory Gatekeeper, Gatekeeper, PBX, AnalogPhone, PSTN, Internet, Layer 2 switch, Router, Firewall; associations labelled signaling, filter, IP-to-IP and PSTN-to-PSTN; diagram not reproduced in this transcript)

Dynamics

The sequence diagram in Figure 3.5 shows the necessary steps for calling from a SIP phone to an H.323 terminal device using call signaling between a SIP Proxy Server and an H.323 gatekeeper. As mentioned earlier, these servers provide registration and address resolution services. For all phases of the voice call, the interworking function component provides signaling translation.

Figure 3.5 Sequence diagram for call connection in Hybrid configurations (participants SIP-UA, ProxyServer, IWF, Gatekeeper, H.323-EP; messages dial(SIP invite), RAS, setup, ringing, OK, followed by RTP/RTCP media between the endpoints; diagram not reproduced in this transcript)

Implementation

The implementation of VoIP services (e.g. Call waiting) must be uniform, consistent,

and must effectively work with other signaling protocols. Existing H.323-based

systems must update their existing signaling gateways in order to support additional

SIP-based services.

The capability for H.323 gatekeepers and SIP proxies to interwork in VoIP, sharing routing capabilities, is crucial. While the SIP Proxy Server could supply routing information to SIP gateways, this scheme allows a packet voice carrier to not only use its existing routing structure on its H.323 gatekeepers, but to also take advantage of the H.323 Resource Availability Indicator (RAI) functionality for a more efficient network. The SIP Proxy Server actually acts like another gatekeeper to the H.323 network [Cis02]. Likewise, the SIP proxy server provides registration, address resolution, and session initiation services. It is important to note that this type of message exchange between SIP and H.323-based components is only for signaling purposes. VoIP uses another standard, the Real-Time Protocol (RTP), for transport of media packets between terminal devices.

In addition to what is shown in Figure 3.5, the interworking function may provide and update the H.323 gatekeeper with the addresses of SIP UAs. Similarly, the interworking function can provide information about H.323 endpoints to a SIP registrar. This allows the SIP proxy using this SIP registrar to direct calls to the H.323 endpoints via the interworking function [Sch04] and vice versa. Provisions for communication between the SIP Proxy Server and H.323 gatekeepers, along with other features that allow SIP and H.323 to coexist on a common network, give users the ability to build out hybrid networks that include both SIP and H.323 traffic.

Interworking can be achieved via multi-protocol endpoints (such as IP Phones that support both SIP and H.323) or via network bridging entities (such as Softswitches or Signaling Gateways) [Rad01]. When signaling messages are sent from an H.323 gatekeeper, the interworking function translates them into the corresponding SIP messages and routes them to the equivalent SIP component. By providing translation of signaling messages from SIP to H.323 and vice versa, the hybrid connects calls between VoIP devices using disparate signaling protocols. In this setting, address resolution and registration functions for both H.323 and SIP protocols are supported by the interworking component.

An interworking function contains functions [Sch04] from the following list, inter alia:

• Mapping of the call setup and teardown sequences;

• Registering H.323 and SIP endpoints with SIP registrars and H.323 gatekeepers;

• Resolving H.323 and SIP addresses;

• Maintaining the H.323 and SIP state machines;

• Negotiating terminal capabilities;

• Opening and closing media channels;

• Mapping media-coding algorithms for H.323 and SIP networks;

• Reserving and releasing call-related resources;

• Processing of mid-call signaling messages;

• Handling of services and features.
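The interworking function’s mapping of setup and teardown sequences and its per-protocol state machines (the first and fourth items above, and the Figure 3.5 dynamics), as an added Python example that is not the dissertation’s or any vendor’s code: SIP INVITE/100/180/200/BYE are translated to H.225 Setup/CallProceeding/Alerting/Connect/ReleaseComplete and back, each leg keeps its own state, and each leg carries the label of the security mechanism that terminates at the IWF, since protection is not end-to-end across the IWF. The simplified mapping table, the transition set and the TLS/H.235 labels are assumptions of this example.

```python
"""Added example (not the dissertation's own code): a minimal interworking
function (IWF) that maps call setup and teardown between a SIP leg and an
H.323 leg while keeping a separate state machine per leg. Message names are
the real SIP methods/responses and H.225 call-signaling messages; the
mapping table and transition set are a simplified, assumed version of
SIP-H.323 interworking. The per-leg security labels are an assumption used
to show that security terminates at the IWF rather than end to end."""
from dataclasses import dataclass, field
from typing import Dict, List

# Simplified mapping of SIP setup/teardown messages onto H.225 messages.
SIP_TO_H323 = {
    "INVITE": "Setup",
    "100 Trying": "CallProceeding",
    "180 Ringing": "Alerting",
    "200 OK": "Connect",
    "BYE": "ReleaseComplete",
    "CANCEL": "ReleaseComplete",
}
H323_TO_SIP = {
    "Setup": "INVITE",
    "CallProceeding": "100 Trying",
    "Alerting": "180 Ringing",
    "Connect": "200 OK",
    "ReleaseComplete": "BYE",
}

# Legal (state, message) -> next state transitions of the per-leg machine.
TRANSITIONS = {
    ("idle", "INVITE"): "inviting",
    ("idle", "Setup"): "setup",
    ("inviting", "100 Trying"): "proceeding",
    ("setup", "CallProceeding"): "proceeding",
    ("inviting", "180 Ringing"): "ringing",
    ("proceeding", "180 Ringing"): "ringing",
    ("proceeding", "Alerting"): "ringing",
    ("ringing", "200 OK"): "connected",
    ("ringing", "Connect"): "connected",
    ("ringing", "CANCEL"): "idle",
    ("ringing", "ReleaseComplete"): "idle",
    ("connected", "BYE"): "idle",
    ("connected", "ReleaseComplete"): "idle",
}


@dataclass
class Leg:
    protocol: str            # "SIP" or "H.323"
    security: str            # mechanism protecting this leg (assumed label)
    state: str = "idle"

    def apply(self, msg: str) -> None:
        """Advance the leg's state machine; reject out-of-order messages."""
        nxt = TRANSITIONS.get((self.state, msg))
        if nxt is None:
            raise ValueError(f"{self.protocol}: {msg} not allowed in {self.state}")
        self.state = nxt


@dataclass
class Call:
    call_id: str
    sip: Leg
    h323: Leg
    log: List[str] = field(default_factory=list)


class IWF:
    """Terminates both signaling protocols and both security domains."""

    def __init__(self) -> None:
        self.calls: Dict[str, Call] = {}

    def new_call(self, call_id: str, sip_sec: str, h323_sec: str) -> Call:
        call = Call(call_id, Leg("SIP", sip_sec), Leg("H.323", h323_sec))
        self.calls[call_id] = call
        return call

    def from_sip(self, call_id: str, msg: str) -> str:
        """Consume a SIP message, emit the H.323 message for the other leg."""
        call = self.calls[call_id]
        call.sip.apply(msg)
        out = SIP_TO_H323[msg]
        call.h323.apply(out)
        call.log.append(f"SIP[{call.sip.security}] {msg} -> "
                        f"H.323[{call.h323.security}] {out}")
        return out

    def from_h323(self, call_id: str, msg: str) -> str:
        """Consume an H.323 message, emit the SIP message for the other leg."""
        call = self.calls[call_id]
        call.h323.apply(msg)
        out = H323_TO_SIP[msg]
        call.sip.apply(out)
        call.log.append(f"H.323[{call.h323.security}] {msg} -> "
                        f"SIP[{call.sip.security}] {out}")
        return out


def demo() -> Call:
    """Constructed SIP-to-H.323 call as in Figure 3.5: INVITE from the UA,
    the H.323 side answers CallProceeding/Alerting/Connect, the UA hangs up."""
    iwf = IWF()
    call = iwf.new_call("c1", sip_sec="TLS", h323_sec="H.235")
    iwf.from_sip("c1", "INVITE")
    for m in ("CallProceeding", "Alerting", "Connect"):
        iwf.from_h323("c1", m)
    iwf.from_sip("c1", "BYE")
    return call
```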

In order to transfer voice traffic over a packet switched network, some vendors offer a hybrid or IP-enabled design using an existing telephone switch (TDM type), while others are based on a pure IP or IP-centric architecture and only trunk into the local telephone switch. There are two basic architecture types: IP-enabled and IP-centric [Gha02]. The two are differentiated by:

• Where the PSTN to IP conversion takes place.

• Where supporting call center functions, such as queuing, queue slots, prompting, music-on-hold, and announcements, take place.


IP Centric

This type of VoIP architecture is designed around an IP based core-switching system.

These solutions have distributed IP devices that function together to perform the

functions of a PSTN.

The TDM switching infrastructure is replaced with the VoIP infrastructure and call control. In a multi-site deployment, a centralized call control server controls VoIP streams, whether they arrive at the main facility or the remote sites. In this deployment, the call control server at headquarters controls all inbound communications independent of location [Tip04].

IP enabled

IP-enabled architectures allow traditional Time Division Multiplexing (TDM) switches to deliver voice over an IP network. This approach is an extension of the traditional TDM environment. In this approach the TDM switch is IP-enabled through the addition of IP trunk and/or line cards. This solution is usually considered by companies in order to extend the investment life of installed TDM switches [Tip04].

The implementation of the hybrid pattern is feasible using the IP-centric solution. However, it is far more difficult in an IP-enabled infrastructure, which requires several PSTN-to-IP gateways. In either case, it requires compatibility between the applications at endpoints. A key deciding factor in determining when and how to move to VoIP is the migration strategy. IP-enabled approaches will appeal to the more conservative and heavily invested call center environment, while IP-centric methods will be the choice of smaller, newer, and more aggressive centers who can bear some reliability risk to move faster to a more advanced platform [Gha02].

Consequences

The advantages of this pattern include:

• The hybrid pattern provides call connection between VoIP devices using disparate signaling protocols.

• The hybrid architectural pattern provides protocol flexibility for users to incorporate SIP networks on established converged infrastructures, while keeping H.323 functionality within their networks and interoperability with traditional PSTN networks.

• By using this pattern H.323-based carriers are able to incorporate new VoIP services into the existing infrastructure by allowing the SIP Server to register and acquire the address resolution with the H.323 gatekeeper using the RAS protocol.

• It is possible for a SIP Proxy Server to obtain updated routing information from VoIP gateways deployed in the hybrid network by enabling the server to communicate with an H.323 gatekeeper using the RAS protocol.

• This solution provides origination and termination of VoIP calls and more flexible billing and usage options for several other service providers.

• This solution supports additional SIP-based services for H.323-based users that want to use their existing signaling gateway infrastructure.

• This optimized routing structure provides shorter post-dial delay and more efficient usage of gateway resources.

Possible disadvantages include:

• The combined architecture is complex.

• The deployment of hybrid protocol networks may be affected by QoS and

bandwidth issues.

Known Uses

Vendor solutions that fall into the IP-enabled category include Aspect, Avaya, Nortel,

and other switch providers. Cisco uses IP-centric solutions.

Related Patterns

The Hybrid VoIP Signaling Protocol pattern includes as a subpattern the H.323 pattern which was previously introduced. The model of Figure 3.4 is based on an early model in [Pel04]. The pattern is also related to the concept of Attack patterns [Fer07a] and to the following security patterns [Fer07b]:

• The Secure VoIP Call pattern.

• The Authenticated Call and other similar authentication patterns used to establish trust relationships between the VPN endpoints.

• The VoIP Tunneling pattern.

• The Network Segmentation pattern.

3.3 VoIP Wireless Architectures

There exist many different forms of implementing VoIP in wireless communications

and networking. Some popular forms of wireless VoIP include:

3.3.1 VoIP in WLANs

VoIPoW using the 802.11 standard for wireless local area networks (WLANs) is an

important technology used for converged voice and data on mobile computers.

Most VoIP programs will automatically connect via an accessible internet connection, and are linked with a particular handset or user account. This would provide an 802.11 equivalent of two-way radio or video broadcasting within a mesh network without the need for reliance on permanent infrastructure, such as is required for mobile phone usage. Another advantage of wireless communications via 802.11 wireless networks is that, being packet-based, they can be afforded the cryptographic protection available to all wireless networks. This is a great advantage over Citizen’s Band (CB) or other analogue communications, which are unable to offer protection from eavesdropping [Sla06].

Using the installed 802.11 wireless infrastructure for both voice and data is an ideal approach to solving most communication requirements for mobile users; but this also increases many existing VoIP security concerns.

Figure 3.6 shows a class diagram for a VoIPoW application using the WLAN

approach. Packet networks are used to transmit the compressed voice packets. The

fixed IP terminals (i.e. hardphones and softphones) exchange voice samples with

wireless IP terminals using the RTP protocol.

Figure 3.6 Class diagram for a VoIPoW application using WLANs (classes shown: Wireless Access Point, WirelessDevice, Router, IP-PBX, PBX, AnalogPhone, PSTN; association labelled transmit packets; diagram not reproduced in this transcript)

3.3.2 VoIP in Cellular Networks

In the Global System for Mobile communication (GSM) approach, packet networks are used to transmit the compressed voice packets, offering bandwidth savings. The base station controller (BSC) or base transceiver station (BTS) provides wireless access to the IP network. Connectivity between the Base Stations (BTSs), Base Station Controllers (BSCs), and the Mobile Switching Center (MSC) is also achieved using IP networks. The fixed IP terminals (i.e. IP phones/Softphones) exchange voice samples with cellular IP terminals using RTP. GSM provides mobility to users, allowing them to use either GSM devices or H.323 terminals (IP phones or PCs) to access telecommunication services using VoIP. Thus, a user can move from a GSM network into an IP network and can use his/her H.323 terminal to receive calls and other VoIP services. The hardware for a VoIP system is less expensive than that of a GSM or cellular service.

At the present time, some wireless communication companies are offering “dual-mode” wireless phone solutions for enabling seamless roaming between wide-area cellular networks and Wi-Fi networks (e.g. DSL). These mobile devices are capable of automatically detecting Wi-Fi access points in order to connect to the IP network.

Figure 3.7 shows a class diagram (adapted from a figure in [Pel04]) for the GSM approach where packet networks are used to transmit the compressed voice packets, offering bandwidth savings. Connectivity between the Base Stations (BTSs), Base Station Controllers (BSCs), and the Mobile Switching Center (MSC) is achieved using IP networks. The fixed IP terminals (i.e. IPP/PCIPP) exchange voice samples with cellular IP terminals using RTP.

The main functions in a cellular network that enable mobility are the home location register (HLR) and the visitor location register (VLR). Through an overlay of these functions on the landline network, in the form of a third-generation partnership project (3GPP)-compliant IMS network environment, operators are able to offer subscribers possessing a Wi-Fi-enabled cell phone access to less expensive fixed-line services from virtually any location served by a broadband wireless network [Ver05].

Figure 3.7 Class diagram for a VoIPoW application using GSM (classes shown: MSC, BSC, BTS, WirelessDevice, Gateway, Router, PC, IP-PBX, PBX, AnalogPhone; association labelled transmit packets; diagram not reproduced in this transcript)

The security element of this service is a routing directory which keeps the subscriber-

registry functions that perform device authentication and periodically update the

current location of the mobile phone within the IP and GSM networks. Figure 3.8

shows a class diagram for the Verisign Network Routing Directory [Ver05] which

supports VoIP (SIP and electronic numbering) as well as cellular-based (ANSI-41

and GSM-MAP) location-discovery services, providing authentication and routing

information that may be used to establish connectivity across various wireline and

wireless network technologies.

Figure 3.8 Class Diagram for the Verisign Network Routing Directory (classes shown: Session Control, Interconnect Services, Media Server, Application Server, Gateway Controller, Database, Router, PBX, GSM, PSTN; associations labelled PSTN-to-PSTN and IP-to-IP; diagram not reproduced in this transcript)

3.3.3 VoIP in GPRS

A challenging task is allowing VoIP applications over packet switched mobile networks such as GPRS. GPRS (general packet radio service) is a new non-voice service that is being added to existing IS-136 TDMA (time division multiple access) networks in the United States and GSM (Global System for Mobile Communications) networks in the United States and Europe. It provides for the transmission of IP packets over existing cellular networks, bringing the Internet to the mobile phone [Sch00]. Anything the Internet offers, from Web browsing to chat and e-mail, is available from GSM and TDMA service providers via GPRS-enabled devices.


3.3.4 VoIP in UMTS

The Third Generation Partnership Project (3GPP) defines 3G mobile systems that allow universal roaming, and for this reason these systems are referred to as the Universal Mobile Telecommunications System (UMTS).

Using VoIP, which results in end-to-end IP sessions at the higher bandwidths available in UMTS, opens a whole new set of multimedia services for mobile end users, and delivering these services is one of the main drivers for UMTS. Using the same IP technology in both fixed and mobile networks also facilitates interworking between them and lets new services be developed in a consistent way. One big challenge for real-time VoIP service is provisioning enough QoS, especially in the context of mobile networking: controlling the delays introduced by handover, managing scarce radio resources, and performing admission control.

3GPP has decided to use SIP as the call control protocol between terminals and the mobile network [Bos01]. A dedicated server in the network provides interworking with H.323 terminals.

UMTS uses GPRS for data traffic; for packet-switched mobile terminals, voice is carried using the GPRS Tunneling Protocol (GTP) on top of IP. The mobility problems are solved by the GPRS protocols.

3.3.5 Mobile Internet Telephony

A Mobile Internet Telephony (MVoIP) system that integrates VoIP and mobile computing can be built from handsets with multiple network adapters; each adapter has a different coverage range, and they are meant to be used in a complementary way [Che00]. The system integrates the Internet, the cellular network (broad coverage area but small bandwidth), the wireless local area network (high bandwidth but small coverage), and the PSTN. Hence the handsets should have Ethernet, wireless LAN, and cellular network adapters.

3.3.6 VoIP in Satellite Networks

Satellite systems are part of the communications infrastructure and have global coverage, which lets them reach remote areas. Satellite networks use an increasing portion of their capacity to carry data packets and are well positioned to enable the growth of VoIP services. New satellite systems provide high-speed Internet access to business, home, and military users, and these systems offer VoIP service as well. COMSAT, a global satellite communications provider, has a VoIP test bed using a commercial VoIP solution [Ngu01]. Satellite links also provide a reliable medium for VoIP transport, and satellite propagation delay does not affect the normal operation of VoIP gatekeepers and gateways, although the round-trip delay of a geostationary link (on the order of half a second) remains perceptible to the parties in a conversation.

3.4 VoIP in a Tactical Internet

The war theatre has changed in modern times: the US Army today needs smaller, individual units to combat terrorist cells in urban environments. This new environment also requires new strategies and tools: rapid decision making, a clear understanding of tactical assets and their locations, and reliable, secure, near-real-time communications.


The US Army is converging on a standard IP backbone in all of its tactical systems, whether they are sensor, intelligence/surveillance/reconnaissance, or unmanned aerial vehicle systems. All Army systems are converging on IP [Bou06].

Today the US Army uses VoIP in high-level units (i.e., battalion, brigade, and division). According to the Army's Research and Development Communications center in New Jersey, this technology is expected to be fully implemented all the way from combat units up to division level by 2016.

In addition to combining voice, video, and data on the same network, VoIP has the inherent benefit that it can traverse different types of radio networks. This capability would provide an advantage in a tactical network; however, routing, bandwidth, and QoS issues may limit this advantage [Dur03].

VoIP includes support for these tactical radios. For example, VoIP data could be sent over an IP network until it reached a Single Channel Ground and Airborne Radio System (SINCGARS) radio net. At the SINCGARS radio, the system would convert the VoIP packets into an analog voice stream and transmit the former VoIP data stream over the tactical SINCGARS network [Dur03]. With IP on the backbone, all the analog systems can coexist with most of the digital systems. In addition, VoIP may generate certain inherent benefits over an analog or a proprietary digital approach: with appropriate encryption, the IP network can carry a secure voice channel for sensitive communications.


3.4.1 Tactical Internet

The Tactical Internet is the glue that ties the Force XXI Battle Command Brigade and Below (FBCB2) digital communications systems together. It is formed by the integration of tactical digital radios, combat net radios, and commercial Internet technology. Its primary components are the SINCGARS radio used in data mode, the Enhanced Position Location Reporting System (EPLRS), and the Near Term Digital Radio (NTDR) [Cam00]. Figure 3.9 shows a class diagram of the Tactical Internet in which the radio networks integrate with the IP network.

[Figure 3.9: class diagram. Classes shown: Terminal Device (Softphone, Hardphone, AnalogPhone), PSTN-to-PSTN, IP-to-IP, PSTN, Router, PBX, Gatekeeper, Internet, Gateway, RadioNetwork (SINCGARS, NTDR, EPLRS); association labelled "transmit packets".]

Figure 3.9 Class Diagram for a simplified Tactical Internet architecture

The Tactical Internet is extended beyond the horizon with the Movement Tracking System (MTS). This global system uses a secure network of commercial geostationary satellites to provide packet data for long-range tracking and messaging that reaches over the horizon to vehicles on the move and in combat. The Movement Tracking System has two configurations, the Control Station and the V2 Mobile Unit.

The function and connectivity features of the command/control station allow it to be operated from a fixed location or from a mobile headquarters. The station can operate independently of phone lines or an Internet connection. Likewise, the V2 mobile unit offers quick installation on a vehicle and provides text messaging and maps that display MTS-equipped vehicles.

Because Command and Control Centers receive an accurate, continuously updated digital picture of the battlefield, commanders can exchange critical data such as position and status with their troops in near real time. In the Tactical Internet today, VoIP is considered the interface between the tactical radio network and the tactical access hub [She04].

In the Tactical Internet, for example, VoIP is provided through software running on a laptop computer that communicates with the TOC (Tactical Operations Center) Media Control Server Unit (MCSU).

The MTS provides near-real-time communications through harsh environmental conditions such as dust storms, blizzards, and blistering heat. For this reason, it has become the backbone for the dissemination of battlefield situational awareness to US and coalition war fighters in both Operation Iraqi Freedom and Operation Enduring Freedom. During these operations, the Blue Force Tracker (BFT) and comparable systems that provided position location information and basic text capabilities were extremely valuable in the conduct of a rapidly paced war.


The inclusion of VoIPoW in a Tactical Internet environment is important because of the interest of the tactical and command post communities in wireless configurations that let mobile combat units roam around the command post. The goal is to improve the ability of the soldier to perform his/her mission in the battlespace.

On the battlefield, VoIPoW may provide benefits to mobile combat units. The most significant benefit is that VoIP allows voice and data packets to travel over the same network, so that all traffic (voice, data, and video) is carried over the IP-based network. However, the savings on the cost of long-distance calls are not obvious in a Tactical Internet environment, because long-distance or over-the-horizon satellite connectivity is already provided at the Department of Defense's expense.

3.4.2 Joint Network Node - Network

Today the US Army uses VoIP as a tactical battlefield communications system with Joint Network Node (JNN) terminals. The JNN architecture is an off-the-shelf solution for voice, data, and video teleconferencing (VTC) over IP.

This IP-centric architecture has been deployed to support units from division down to battalion level. VoIP phones in the JNN terminals enable commanders to make calls on the Defense Department's Secret IP Router Network (SIPRNET) and the Non-secure IP Router Network (NIPRNET). A typical node also gives battalion commanders broadband data access to the Defense Information Systems Network. The Joint Network Node uses satellite links for beyond-line-of-sight (BLOS) communications [Bre06].

The JNN architecture is composed of three primary systems that support user requirements and provide intra-JNN network connectivity and inter-theater connectivity: a Unit Hub Node (UHN), which provides satellite connection management for all elements of a unit's network and acts as a base-band or tactical technical node facility; a Ku/Ka satellite communications Time Division Multiple Access (TDMA) network for intra-JNN connectivity; and a Frequency Division Multiple Access (FDMA) satellite network for long-range BLOS connectivity to the U.S. Department of Defense Information Systems Network (DISN) Global Information Grid (GIG) architecture [Edw05]. In this architecture, VoIP phones are connected to commercial routers, which are in turn supported by Ku/Ka satellite technology.

Figure 3.10 shows the components of a JNN architecture. Network connectivity is provided through a 2.4-meter Ku/Ka satellite terminal that supports both TDMA and FDMA transmissions. The JNN is deployed with an AN/TRC-190(V3) High-Capacity Line-of-Sight (HCLOS) terrestrial radio system to provide redundant connectivity between JNNs. In parallel with its connectivity to the UHN, the JNN can establish direct connectivity to the GIG and/or a DISN Strategic Tactical Entry Point and/or another tactical network through current military satellite systems such as the AN/TSC-85 or AN/TSC-93, the Secure Mobile Anti-jam Reliable Tactical Terminal (SMART-T), or the Phoenix terminal, and through terrestrial radio systems [Edw05].


[Figure 3.10: class diagram. Classes shown: JNN, UHN, Ku/Ka Satellite, Tactical Hub, DISN, Firewall, filter, LOS TRC-190, SMART-T, TSC 85/93, Other Military Satellite Systems; a note "Connected to other nodes"; the rest of the tactical architecture is drawn as a UML package referring to Figure 3.2.]

Figure 3.10 Class Diagram for a Joint Network Node architecture

The VoIP system is connected to the Tactical Internet through a VoIP gateway, which makes possible a call from a radio or a regular telephone to an IP phone. In order to support brigade and battalion units, the JNN also includes commercial routers and switches. The rest of the tactical architecture is similar to Figure 3.2 and is represented in Figure 3.10 by a UML package.

The UHN base-band unit performs two key functions: intra-JNN network routing and GIG/DISN connectivity. At the brigade level, the JNN node provides an operational Command Post (CP) with services such as Nonclassified/Secret Internet Protocol Router (NIPR/SIPR) access, VTC, and tactical and strategic voice. At the battalion level, network services are limited to SIPR and secure voice over IP.

Today, 80 percent of the Army and many National Guard and Reserve units have been converted or are converting. To date, seven US Army divisions, nine US Army National Guard units, and one US Army Stryker Brigade have been funded to field and deploy with JNN-N [Woo06]. For example, in Iraq and Afghanistan the 10th Mountain Division, 4th Infantry Division, and 101st Airborne all have IP-based C2 systems.

The JNN Network (JNN-N) also includes a Coalition Wide Area Network, Defense Red Switch Network access, e-mail through the Defense Message System, special circuit requirements, and a battlefield video teleconferencing capability. JNN also provides connectivity to the Global Information Grid as well as to all the Army Battle Command Systems [Woo06].

In today's Tactical Internet, the JNN is still a work in progress. The US Army currently uses VoIP in high-level units; however, according to the Army's Research and Development Communications center in New Jersey, this technology is expected to be fully implemented all the way from combat units to division level by 2016.

3.5 Summary

We have presented two patterns that describe the architectures implied by the two main VoIP protocols. The H.323 Signaling Protocol Architecture pattern offers a way to complement and support the transport of data, voice, and video packets in VoIP systems. The Hybrid Signaling Protocol pattern allows architectural and protocol flexibility by supporting both H.323 and SIP. These patterns complement our work in VoIP security patterns [Fer07b] and provide a model of the environment in which specific VoIP security patterns can be implemented, thus adding security to the structure. Patterns describing generic architectures can guide systems development, be used to evaluate existing designs, serve as a basis for simulation, and serve as a pedagogical tool. We have also discussed existing wireless VoIP implementations and provided UML models of their architectures. In particular, VoIP in a Tactical Internet is an important wireless application that is still considered a work in progress.


Chapter 4

Attack and Security patterns for VoIP Networks

4.1 Introduction

In the previous chapter we discussed existing VoIP architectures. In VoIP, the convergence of voice and data on the same network brings both benefits and constraints to users. Among the several issues that need to be addressed when deploying this technology, security is one of the most critical. In this chapter, we consider possible security attacks and relate them to the ways the system is used. This is a convenient and systematic way of finding most attacks. We also present some security patterns that describe mechanisms that can control many of the possible attacks and that could be used to design secure systems. Patterns have shown their value in developing good-quality software, and we expect that their application to VoIP will also prove valuable for building secure systems. We present here four security patterns: Network Segmentation, VoIP Tunneling, Signed Authenticated Call, and Secure VoIP Call. Current VoIP products are still weak and there is a need to improve their security [Wie06].


4.2 Roles in a basic VoIP Model

A VoIP infrastructure is basically composed of network devices and human components. From the security point of view, the roles and rights of the latter are studied in this section with the aid of use cases.

Because VoIP networks are vulnerable to attacks from external domains and internal sources, the human component of this system can be classified as follows:

4.2.1 Internal Roles

• Internal subscriber is a VoIP user, such as an employee. Internal subscribers are allowed to make and receive voice calls using either standard or IP phones (hardphones and softphones). They also have access to data services through terminal devices (e.g., PCs).

• Administrator. This role is responsible for maintaining the VoIP network perimeter and auditing the VoIP system in order to monitor user activities. The network security administrator is also responsible for properly configuring security mechanisms and reacting in the presence of attacks.

• Auditor. This role is responsible for reviewing audit logs to verify the integrity of the VoIP system. Auditing is especially useful for identifying potential security breaches or break-in attempts.

• Operator is responsible for protecting the system from being compromised, so that each voice call can be accounted to the appropriate user. [S]he is also responsible for booting and shutting down the system, performing routine maintenance of servers, performing system performance metering and on-line tests, and in general responding to various relevant user requests.

4.2.2 External Roles

• Remote subscribers are users such as employees who occasionally work from home. They are given access to voice and data services only from their homes.

• Forensic Examiner refers to an investigator who has access (if legally authorized) to corporate servers in order to inspect data and voice packets. Forensic investigators need a wide range of technical skills, including those necessary for collecting evidence from VoIP networks and components. They also need a sound understanding of the legal procedures and requirements related to their investigations. A forensic investigator will be actively involved in using the VoIP forensic model introduced later in this dissertation.

Figure 4.1 shows a use case diagram for a simplified VoIP system with typical use cases and internal and external roles. For example, the subscriber role can be classified as internal or remote, and also according to the type of device used. In addition to these roles, the use case diagram can be used to systematically analyze the different types of attacks against the VoIP network, following the approach in [Fer06].

[Figure 4.1: use case diagram. Actors: Subscriber (specialized as Remote and Internal, and by device as Hardphone and Softphone), Administrator, Operator, Auditor, Forensic Examiner. Use cases: Register/unregister subscriber, Set up network configuration, Make VoIP call, Run network, Make conference call, Use voice-mail, Audit, Inspect calls.]

Figure 4.1 Use case diagram for a VoIP system

This set of use cases defines the necessary interactions of a user with the VoIP system. It provides a method of listing all potential attacks by considering every action in a use case and analyzing the ways in which it can be attacked by an internal or external attacker. From the list of attacks we can decide what security patterns are required to prevent them.


4.3 Attacks against the VoIP Network

As VoIP operates on a converged (voice, data, and video) network, voice and video packets are subject to the same threats as those associated with data networks. In this type of environment it is not only difficult to block network attackers but, in many cases, examiners are also unable to identify them. Likewise, all the vulnerabilities that exist in a wired VoIP network apply to VoIPoW technologies, plus the new risks introduced by weaknesses in wireless protocols.

Based on the use case diagram of Figure 4.1, we can identify potential internal and external attackers. An internal attacker could be a subscriber with malicious behavior. This use case diagram therefore helps us determine the possible attacks against the VoIP infrastructure.

Most of the possible attacks against the VoIP infrastructure are listed systematically below. Although completeness cannot be assured, we are confident that at least all important attacks have been considered; this research does not claim to provide a complete list of every possible threat in VoIP. The threats we assume are based on knowledge of the VoIP application and on the study of similar systems.

It should be noted that only attacks against the VoIP system itself are considered. Attacks on systems that collaborate with this system (e.g., attacks against radio networks) are beyond our control. Additional security issues relevant to telecom, physical networks, and switches are beyond the scope of this dissertation.


Based on the use case diagram of Figure 4.1, we can determine the possible attacks against the VoIP infrastructure and classify them as registration attacks, attacks when making/receiving a voice call, and attacks against audit.

4.3.1 Attacks when making/receiving a VoIP Call

Many of the already well-known security vulnerabilities in data networks can have an adverse impact on voice communications and need to be protected against [Pog03]. The attacks when making/receiving a voice call can be classified as follows:

Theft of service is the ability of a malicious user to place fraudulent calls. In this case the attacker simply wants to use a service without paying for it, so this attack is against the service provider. A more detailed analysis of this attack is provided in the attack pattern section (Chapter 6) of this dissertation.

Masquerading occurs when a hacker is able to trick a remote user into believing [s]he is talking to the intended recipient when in fact [s]he is talking to the hacker. Such an attack typically occurs with the hacker assuming the identity of someone who is not well known to the target. A masquerade attack usually includes one of the other forms of active attack [Sta02].

IP Spoofing occurs when a hacker inside or outside a network impersonates a trusted computer. A more detailed analysis of this attack is provided in the attack pattern section (Chapter 6) of this dissertation.


Call Interception is the unauthorized monitoring of voice packets or RTCP transmissions. Hackers could capture the packets and decode their voice payload as they traverse a large network. This kind of attack is the equivalent of wiretapping in a circuit-switched telephone system. A more detailed analysis of this attack is provided in the attack pattern section (Chapter 5) of this dissertation.

Repudiation attacks can take place when two parties talk over the phone and later one party denies that the conversation occurred.

Call Hijacking or Redirect attacks could replace a voice mail address with a hacker-specified IP address, opening a channel to the hacker [Gre04]. In this way, all calls placed over the VoIP network will fail to reach the end user. A more detailed analysis of this attack is provided in the attack pattern section (Chapter 6) of this dissertation.

Denial-of-service (DoS) attacks prevent legitimate users of a network from accessing the features and services provided by the network. A more detailed analysis of this attack is provided in the attack pattern section (Chapter 6) of this dissertation.

Signal protocol tampering occurs when a malicious user can monitor and capture the packets that set up the call. By doing so, that user could manipulate fields in the data stream and make VoIP calls without using a VoIP phone [Pog03]. The malicious user could also make an expensive call and mislead the IP-PBX into believing that it originated from another user.

Attacks against Softphones occur because, as they reside in the data VLAN, softphones require open access to the voice VLAN in order to reach call control, place calls to IP phones, and leave voice messages. Therefore, the deployment of softphones provides a path for attacks against the voice VLAN. VoIP systems are capable of handling large volumes of calls using both IP phones and softphones. Unlike traditional phones, which must be hardwired to a specific PBX port, IP phones can be plugged into any Ethernet jack and assigned an IP address. These features are not only advantages; they may also make IP phones targets of security attacks.

Note that all these attacks also apply to conference calls, and some may apply to the use of voice mail.
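The Call Interception attack described above is easy to underestimate until one sees how little work an eavesdropper has to do. The following Python program is an added example, not code from the dissertation: it decodes the RTP fixed header (RFC 3550) of captured packets, groups them by SSRC, repairs their order across the 16-bit sequence-number wrap and counts losses, which is exactly what a wiretapping tool does before feeding the G.711 payload to a codec. The "captured" packets are constructed in the script (the SSRC, sequence numbers and payload bytes are made up), and no real network traffic is involved.

```python
import struct

# Static payload types from RFC 3551; other values are dynamic (negotiated in SDP).
PAYLOAD_NAMES = {0: "PCMU/8000", 8: "PCMA/8000", 9: "G722/8000", 18: "G729/8000"}


def parse_rtp(packet: bytes) -> dict:
    """Decode the RTP fixed header (RFC 3550, section 5.1) and return its fields
    plus the payload exactly as an eavesdropper on the path sees them."""
    if len(packet) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError(f"unsupported RTP version {b0 >> 6}")
    padding, extension, cc = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    marker, payload_type = bool(b1 & 0x80), b1 & 0x7F
    offset = 12 + 4 * cc
    if len(packet) < offset:
        raise ValueError("truncated CSRC list")
    csrcs = list(struct.unpack(f"!{cc}I", packet[12:offset])) if cc else []
    if extension:  # RFC 3550 section 5.3.1: 16-bit profile id, 16-bit length in words
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        ext_len = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_len
    payload = packet[offset:]
    if padding:  # last octet holds the number of padding octets, itself included
        pad = payload[-1] if payload else 0
        if pad == 0 or pad > len(payload):
            raise ValueError("invalid padding length")
        payload = payload[:-pad]
    return {"seq": seq, "timestamp": ts, "ssrc": ssrc, "marker": marker,
            "payload_type": payload_type, "csrcs": csrcs, "payload": payload}


def build_rtp(seq, ts, ssrc, payload, payload_type=0, marker=False) -> bytes:
    """Build a minimal RTP packet (V=2, no padding, extension or CSRCs)."""
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack("!BBHII", 0x80, b1, seq, ts, ssrc) + payload


def reassemble(packets) -> dict:
    """Group captured packets by SSRC, order them by sequence number (aware of
    the 16-bit wrap), concatenate the payloads and count lost packets.
    Returns {ssrc: (audio_bytes, lost_packets)}."""
    streams = {}
    for pkt in packets:
        h = parse_rtp(pkt)
        streams.setdefault(h["ssrc"], []).append((h["seq"], h["payload"]))
    result = {}
    for ssrc, items in streams.items():
        seqs = [s for s, _ in items]
        # The earliest packet is the one from which every other sequence number is
        # a short forward distance (valid for captures shorter than 2**15 packets).
        base = min(seqs, key=lambda s: max((o - s) & 0xFFFF for o in seqs))
        ordered = sorted(items, key=lambda it: (it[0] - base) & 0xFFFF)
        audio, lost, expected = bytearray(), 0, base
        for seq, payload in ordered:
            lost += (seq - expected) & 0xFFFF      # gap before this packet
            audio += payload
            expected = (seq + 1) & 0xFFFF
        result[ssrc] = (bytes(audio), lost)
    return result


# Constructed capture: four G.711 mu-law frames (20 ms, 160 samples each) of one
# stream, one packet lost (seq 1) and the sequence number wrapping past 65535.
SSRC = 0xDEADBEEF
_in_order = [build_rtp(seq, (i * 160) & 0xFFFFFFFF, SSRC, bytes([0x10 + i]) * 160, marker=(i == 0))
             for i, seq in enumerate([65534, 65535, 0, 2])]
CAPTURE = [_in_order[2], _in_order[0], _in_order[3], _in_order[1]]   # arrival order is shuffled


def summarize(packets) -> list:
    """One line per captured packet, as a sniffer would print it."""
    lines = []
    for pkt in packets:
        h = parse_rtp(pkt)
        lines.append(f"ssrc={h['ssrc']:08x} seq={h['seq']:5d} pt={h['payload_type']} "
                     f"({PAYLOAD_NAMES.get(h['payload_type'], 'dynamic')}) "
                     f"{len(h['payload'])} payload bytes, first={h['payload'][:1].hex()}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(CAPTURE)))
    audio, lost = reassemble(CAPTURE)[SSRC]
    print(f"reassembled {len(audio)} bytes of PCMU audio, {lost} packet(s) lost")
```

Nothing in the packet hides the payload: with payload type 0 the reassembled bytes are the mu-law samples themselves, which is why the patterns later in this chapter (tunneling, secure call) put encryption around the media stream.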

4.3.2 Registration attacks

Brute Force attacks are simply an attempt to try all possible values when attempting to authenticate with a system or to crack the cryptographic key used to create ciphertext [Bre99].

Reflection attacks are specifically aimed at SIP systems. They may happen when HTTP digest authentication (i.e., challenge-response with a shared secret) is used for both request and response. If the same shared secret is used in both directions, an attacker can obtain credentials by reflecting a challenge received in a response back in a request, so that the victim computes the very digest the attacker needs. This attack can be eliminated by using different shared secrets in each direction. This kind of attack is not a problem when PGP is used for authentication [Mar01].

The IP Spoofing attacks described earlier can also be classified as registration attacks.
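The reflection attack and its countermeasure are short enough to run. The following Python program is an added example, not code from the dissertation: it computes the digest as RFC 3261 allows it (the RFC 2617 form without qop), models a SIP party that both issues and answers challenges, and plays the reflection once with a single shared secret and once with a secret per direction. User names, realm, secrets and the REGISTER target are constructed for the example.

```python
import hashlib
import secrets


def md5hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri) -> str:
    """RFC 2617 digest without qop, as RFC 3261 permits:
    MD5(MD5(user:realm:password) ":" nonce ":" MD5(method:uri))."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


class Endpoint:
    """A SIP party that answers challenges (as a client) and issues them (as a
    verifier). `answer_secret` is the password it uses when it proves itself;
    `verify_secret` is the password it expects the peer to prove knowledge of."""

    def __init__(self, user, realm, answer_secret, verify_secret):
        self.user, self.realm = user, realm
        self.answer_secret, self.verify_secret = answer_secret, verify_secret
        self.pending = set()          # nonces we issued and have not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def answer(self, nonce, method, uri) -> str:
        return digest_response(self.user, self.realm, self.answer_secret, nonce, method, uri)

    def verify(self, nonce, method, uri, response) -> bool:
        if nonce not in self.pending:  # unknown or already used nonce
            return False
        self.pending.discard(nonce)
        expected = digest_response(self.user, self.realm, self.verify_secret, nonce, method, uri)
        return secrets.compare_digest(expected, response)


METHOD, URI = "REGISTER", "sip:registrar.example.net"


def reflection_attack(alice: Endpoint) -> bool:
    """Mallory, who knows no secret, tries to pass Alice's check of the 'server'."""
    nonce = alice.challenge()          # Alice demands proof from the party posing as server
    # Mallory cannot compute the digest. She sends Alice a *request* that carries the
    # same nonce as a challenge, and Alice, now acting as a client, answers it.
    reflected = alice.answer(nonce, METHOD, URI)
    # Mallory hands that digest back to Alice as the server's proof.
    return alice.verify(nonce, METHOD, URI, reflected)


def legitimate_exchange(alice: Endpoint, server: Endpoint) -> bool:
    """The honest server answers Alice's challenge with its own secret."""
    nonce = alice.challenge()
    return alice.verify(nonce, METHOD, URI, server.answer(nonce, METHOD, URI))


# Same shared secret in both directions: the reflected digest is exactly the one
# Alice expects, so the attack succeeds.
shared_alice = Endpoint("alice", "example.net", "s3cret", "s3cret")
# Distinct secret per direction: Alice answers with her client secret but expects
# the server secret, so the reflected value no longer verifies.
split_alice = Endpoint("alice", "example.net", "client-s3cret", "server-s3cret")
split_server = Endpoint("alice", "example.net", "server-s3cret", "client-s3cret")

if __name__ == "__main__":
    print("same secret, reflection succeeds:", reflection_attack(shared_alice))
    print("split secrets, reflection succeeds:", reflection_attack(split_alice))
    print("split secrets, honest server verifies:", legitimate_exchange(split_alice, split_server))
```

The nonce bookkeeping in `verify` (single use, issued by us) is deliberately not enough on its own: the reflected digest arrives with the correct nonce, so only the separation of secrets breaks the attack.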

4.3.3 Attacks against Audit (IP-PBX and Operating Systems)

Due to their critical role in providing voice service and the complexity of the software

running on them, IP PBXs are the primary target for attackers. Some of their

vulnerabilities include [Col04]:

Operating system attack exploits a vulnerability in an operating system.

Support software attack exploits a vulnerability in a key supporting software

system, such as a database or web server.

Protocol attack exploits a vulnerability in a protocol implementation, such as SIP or

H.323.

Application attack exploits a vulnerability in the underlying voice application,

which is not filtered by the protocol implementation.

Application manipulation exploits a weakness in security, such as weak

authentication or poor configuration, to allow abuse of the voice service.

Unauthorized access occurs when an attacker obtains administrative access to the IP

PBX.


The Denial of Service attack described earlier can also be classified as an attack

against audit.

4.4 VoIP Security Patterns

We can now determine what security patterns are needed to stop these attacks. A security pattern describes a recurring security problem that arises in a specific context and presents a well-proven generic scheme for its solution. We present four security patterns that provide a collection of good security practices in VoIP. They should help system designers identify and understand the mechanisms needed to protect this type of system. They will also enable the rapid development and documentation of new methods for preventing future attacks against VoIP networks. Figure 4.2 shows the relationships between these security patterns and related (more general) cryptographic patterns. The patterns presented here are indicated with a double line.

4.4.1 Network Segmentation

The Network Segmentation pattern separates the voice and data services to counter possible attacks against the voice VLAN by an attacker in the data VLAN. With network segmentation, an attack aimed at the data network does not impact critical voice traffic, and vice versa.


[Figure 4.2: pattern diagram. Nodes: Network Segmentation, VoIP Tunneling, Signed Authenticated Call, Secure VoIP Call, Secure Channel, Symmetric Cryptography, PKI. Edges labelled "uses" and "authentication" connect the VoIP patterns to each other and to the cryptographic patterns; the four VoIP patterns are drawn with a double line.]

Figure 4.2 Relationships between VoIP security patterns

Context

Two or more VoIP remote users on different private networks need to establish a

voice call.

Problem

How to prevent data network attacks from affecting voice traffic in a VoIP

environment?

The solution to this problem is affected by the following forces:

• Data and voice have different characteristics and can be attacked in different ways.

• If an attacker takes control of the data segment, she can easily compromise the voice section of the system.

• Softphones by their nature reside in the data section and are vulnerable to a variety of attacks, e.g., O/S attacks, application attacks, service attacks, etc.

Solution

Technologies such as virtual LANs (VLANs) and access control provide the Layer 2 segmentation necessary to keep the voice and data segments separate at the access layer. In a VoIP network, terminal devices (i.e., IP phones) must be located in VLANs that support only IP telephony services, not existing data services. Likewise, VoIP servers must be placed on a separate segment protected by a VoIP-aware firewall. Alternatively, packet filtering can be configured on the existing router or routing switch connecting the voice and data VLANs. The solution can be strengthened by adding a stateful firewall to protect the VoIP VLANs from the data VLANs. Figure 4.3 shows a segmentation technique in VoIP that is achieved by sending voice and data on separate VLANs. A stateful firewall is used in the data VLAN in order to prevent attacks against the voice VLAN when PC-based IP phones (PCIPPs, i.e., softphones) are used. The voice VLAN, in turn, uses a proxy firewall (an application-level gateway) to solve the firewall/NAT traversal issue.
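What "VoIP-aware" and "stateful" mean for the firewall between the two VLANs is best seen in a policy that can be exercised. The following Python model is an added example, not code from the dissertation: it denies everything between the data VLAN and the voice VLAN by default, permits SIP only between data-VLAN hosts and the call server, reads the SDP carried by the INVITE and the 200 OK to open a media pinhole for exactly that softphone/hardphone port pair (plus RTCP on the next port), and closes it on BYE. The VLAN prefixes, addresses, ports and SIP messages are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

DATA_VLAN = ipaddress.ip_network("10.10.0.0/16")     # PCs and softphones (constructed)
VOICE_VLAN = ipaddress.ip_network("10.20.0.0/16")    # IP phones and VoIP servers (constructed)
CALL_SERVER = ipaddress.ip_address("10.20.0.5")      # IP-PBX / SIP proxy (constructed)
SIP_PORT = 5060


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"
    payload: str = ""


class VoipFirewall:
    """Default-deny filter between the data and voice VLANs that permits SIP only
    towards the call server and opens media pinholes from the SDP it inspects."""

    def __init__(self):
        self.offers = {}     # Call-ID -> (ip, port) offered by the softphone
        self.pinholes = {}   # (src_ip, sport, dst_ip, dport) -> Call-ID

    @staticmethod
    def _sdp_media(payload):
        c = re.search(r"^c=IN IP4 (\S+)", payload, re.M)
        m = re.search(r"^m=audio (\d+) RTP/AVP", payload, re.M)
        return (c.group(1), int(m.group(1))) if c and m else None

    def _track(self, pkt):
        """Learn media endpoints from INVITE offers and 200 OK answers; tear down on BYE."""
        cid = re.search(r"^Call-ID: (\S+)", pkt.payload, re.M)
        if not cid:
            return
        cid, first_line = cid.group(1), pkt.payload.split("\r\n", 1)[0]
        media = self._sdp_media(pkt.payload)
        if first_line.startswith("INVITE") and media:
            self.offers[cid] = media
        elif first_line.startswith("SIP/2.0 200") and media and cid in self.offers:
            (oip, oport), (aip, aport) = self.offers.pop(cid), media
            for d in (0, 1):     # RTP, and RTCP on the next port
                self.pinholes[(oip, oport + d, aip, aport + d)] = cid
        elif first_line.startswith("BYE"):
            self.pinholes = {h: c for h, c in self.pinholes.items() if c != cid}

    def allow(self, pkt: Packet) -> bool:
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        d2v = src in DATA_VLAN and dst in VOICE_VLAN
        v2d = src in VOICE_VLAN and dst in DATA_VLAN
        if not (d2v or v2d):
            return True    # not crossing the segment boundary: not this filter's job
        # Rule 1: signalling, only between data hosts and the call server's SIP port.
        if (d2v and dst == CALL_SERVER and pkt.dport == SIP_PORT) or \
           (v2d and src == CALL_SERVER and pkt.sport == SIP_PORT):
            self._track(pkt)
            return True
        # Rule 2: UDP media only through a pinhole that signalling opened (either direction).
        if pkt.proto == "udp":
            fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if fwd in self.pinholes or rev in self.pinholes:
                return True
        return False       # everything else between the VLANs is dropped


def sip(first_line, call_id, sdp_ip=None, sdp_port=None) -> str:
    """Build a minimal SIP message (constructed for the example)."""
    msg = f"{first_line}\r\nCall-ID: {call_id}\r\n"
    if sdp_ip:
        msg += (f"Content-Type: application/sdp\r\n\r\nv=0\r\n"
                f"c=IN IP4 {sdp_ip}\r\nm=audio {sdp_port} RTP/AVP 0\r\n")
    return msg


SOFTPHONE, HARDPHONE, CID = "10.10.1.50", "10.20.1.7", "a84b4c76e66710@10.10.1.50"
INVITE = Packet(SOFTPHONE, 5060, "10.20.0.5", 5060, "udp",
                sip("INVITE sip:7001@example.net SIP/2.0", CID, SOFTPHONE, 40000))
OK_200 = Packet("10.20.0.5", 5060, SOFTPHONE, 5060, "udp", sip("SIP/2.0 200 OK", CID, HARDPHONE, 30000))
BYE = Packet(SOFTPHONE, 5060, "10.20.0.5", 5060, "udp", sip("BYE sip:7001@example.net SIP/2.0", CID))
RTP_OUT = Packet(SOFTPHONE, 40000, HARDPHONE, 30000)
RTP_IN = Packet(HARDPHONE, 30000, SOFTPHONE, 40000)
RTCP_OUT = Packet(SOFTPHONE, 40001, HARDPHONE, 30001)
SSH_TO_PHONE = Packet(SOFTPHONE, 51000, HARDPHONE, 22, "tcp")
ROGUE_RTP = Packet("10.10.1.99", 40000, HARDPHONE, 30000)   # another data-VLAN host


def run_scenario() -> dict:
    """Drive one call through the filter and record each decision."""
    fw, out = VoipFirewall(), {}
    out["ssh to phone"] = fw.allow(SSH_TO_PHONE)
    out["rtp before call setup"] = fw.allow(RTP_OUT)
    out["invite to call server"] = fw.allow(INVITE)
    out["rtp before answer"] = fw.allow(RTP_OUT)
    out["200 ok from call server"] = fw.allow(OK_200)
    out["rtp after answer"] = fw.allow(RTP_OUT)
    out["rtp return path"] = fw.allow(RTP_IN)
    out["rtcp after answer"] = fw.allow(RTCP_OUT)
    out["rtp from rogue host"] = fw.allow(ROGUE_RTP)
    out["bye"] = fw.allow(BYE)
    out["rtp after bye"] = fw.allow(RTP_OUT)
    return out


if __name__ == "__main__":
    for event, decision in run_scenario().items():
        print(f"{'ALLOW' if decision else 'DROP ':5} {event}")
```

A plain stateless ACL would have to leave the whole RTP port range open from the data VLAN, which is the path the softphone-based attacks above use; tying the pinhole to the signalling is what removes it.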

Consequences

The advantages of this pattern include:

• Critical voice traffic will remain unaffected if an attack occurs on the data network, and vice versa.

• Segmentation will minimize disruption in the event of an attack.

• The addition of another IP segment to host VoIP is a simple task, which requires only slight reconfiguration of existing network elements.

[Figure 4.3: VoIP segmentation. Elements shown: Internet, soft-phone, hard-phone, router, QoS-enabled switch, stateful firewall, application-level gateway, voice segment, data segment; flows labelled "send data", "send voice" and "send data/voice".]

Figure 4.3 VoIP Segmentation

Related patterns

VoIP Tunneling can be used for segmentation.

4.4.2 VoIP Tunneling

The VoIP Tunneling pattern provides a way of protecting the confidentiality and integrity of calls in IP telephony by encapsulating (and encrypting) the data of one protocol inside the protocol stream of another.


Context

Two or more VoIP remote users on different private networks need to establish a

voice call.

Problem

Voice traffic will be exposed to hackers when traversing a public network such as the

Internet. How to counter Call Interception and other related attacks against VoIP

services when voice packets traverse an external network?

The solution will be affected by the following forces:

• A VoIP network has potential problems when sending IP voice through a firewall (i.e., the firewall/NAT traversal problem).

• VoIP users need to establish secure communication over public networks (i.e.

the Internet).

• Both endpoints must be authenticated before a voice call is established.

• Softphones need to establish a secured channel for communication with

terminal devices.

Solution

The simplest method to counter Call Interception and other related attacks is to route the voice traffic over a private network using either point-to-point connections or carrier-based IP VPNs. Tunnels are virtual connections between a network ingress

point and a network egress point. At the ingress point, data is encapsulated using


encryption, while at the egress point, data is returned to the original source format.

VPNs create private end-to-end pipes or “tunnels” out of the public bandwidth of the

Internet providing secure links between distinct locations on the public network. In

order to establish such a secure channel one endpoint of the tunnel initiates the

connection. The combined use of IP Security (IPSec) tunneling and data encryption, to protect information from intruders, is also a good alternative to the use of firewalls.

Implementation

These tunnels use encryption and other security mechanisms to ensure confidentiality

and data integrity in VoIP networks. Due to performance requirements a symmetric

encryption algorithm should be preferred for the data transport. For this encryption

algorithm, a single key is necessary. This key has to be distributed to the involved

terminal devices. Tunneling uses an Authentication Protocol to establish a trust

relationship between network terminal devices prior to establishing a connection.

Consequences

The advantages of this pattern include:

• Tunnels allow secure transport of the VoIP traffic over the external network.

• It eliminates the risk of exposing a network to intruders when opening ports

on a firewall to allow VoIP to flow through.

• VPNs are cost-effective solutions because users can connect to the Internet

locally and tunnel back to connect to institution resources.

• VPNs improve flexibility and scalability.


The disadvantage of this approach is that end-to-end encryption in VPNs will

introduce latency.

Related Patterns

The VoIP Tunneling pattern has direct relationships (see Figure 4.2) to the following

security patterns:

• The Secure VoIP Call which will be presented next.

• The Authenticated Call which will be presented later and other similar

authentication protocols used to establish trust relationships between the VPN

endpoints.

• The Network Segmentation pattern which was previously introduced.

4.4.3 Signed Authenticated Call

The Authenticated Call pattern performs both device and user authentication before

deciding access to VoIP services.

Context

A VoIP subscriber establishes a voice call over a VoIP channel. The subscriber

needs to distinguish whether she is talking with the intended recipient or with an

impostor.


Problem

How can an attacker be prevented from masquerading as a VoIP terminal device,

either IP or standard, when network subscribers want to establish a voice call? How

to guarantee that the caller cannot repudiate a call that the callee believes was made

by her?

The following forces affect the solution:

• It is very important to associate a voice call with its legitimate caller.

• Attackers are interested in passing for legitimate users to gain access to

the system.

• Users may deny having made specific calls.

• Users may need to make calls through different administrative domains.

Solution

Digital signatures are an authentication method with which subscribers can tie the identity of a caller to a voice call made by him. In this way, the sender of a signed voice call is authenticated and cannot deny having sent it.

Implementation

Participants in a VoIP call agree on the use of a mathematical method to prove

identities such as the public key digital signature protocol. Public key cryptography is

typically used for mutual authentication and key agreement. The call can be

established after it is first encrypted, using the caller’s private key and the public key


of the remote user (callee). The caller sends the signed voice call to the callee, who also has the caller's public key, and the callee deciphers the signed voice call with the caller's public key in order to verify it. If the call, once deciphered, makes sense to the callee, then only the caller's private key could have been used to produce it, so both parties can trust each other and are successfully authenticated.

Public key cryptography-based authentication is the only means of authentication that scales up to arbitrarily large networks, by making it possible to distribute keys securely and relatively easily through unsecured networks [Mar01].

Figure 4.4 shows a sequence diagram (refer to the class diagram of Figure 3.2) illustrating an authenticated call. This solution uses PKI for user authentication, combined with a hash, between two phones, either IP or standard.

[Figure 4.4 Authenticated Call sequence diagram. Participants: aCaller, :IP-PBX, :Layer2/3Switch, aCallee. Messages: dial number, connect call, process call, establish call; compute hash, encrypt/private key, send voice packets; decrypt/public key, compute hash, verify integrity.]


Consequences

The advantages of this pattern include:

• Digital signatures provide a convenient way for authentication of messages in

VoIP, because verifying the authorship of a message is based solely on the

secrecy of the author's private key.

• Authentication is also the best countermeasure for theft of service attacks, where stolen user identification details may be used to charge calls to someone else's account.

• VoIP systems with a global PKI are able to manage trust relationships across

multiple administrative domains.

The disadvantage of this approach is that PKI requires a significant amount of infrastructure.

Known Uses

IPSec-based connection and TLS are authentication mechanisms that can be specified as those to be used with SIP. IPSec uses either the Authentication Header (AH) or the Encapsulating Security Protocol (ESP) for providing cryptographic authentication to IP (v4 and v6) datagrams. The authentication data is computed by using any of the standard message digest algorithms such as HMAC-MD5 and HMAC-SHA [Ran01].


Related Patterns

The Authenticated Call pattern is related to other cryptographic authentication

patterns such as the Sender Authentication [Bra98] and The Authenticator [Bro99].

4.4.4 Secure VoIP call

The Secure VoIP call pattern hides the meaning of messages by performing

encryption of calls in a VoIP environment.

Context

Two or more subscribers are participating in a voice call over a VoIP channel. In

public IP networks such as the Internet, it is easy to capture the packets meant for

another user.

Problem

When making or receiving a call, the transported voice packets between the VoIP

network nodes are exposed to interception. How to prevent attackers from listening to

a voice call conversation when voice packets are intercepted on public IP networks?

The solution will be affected by the following forces:

• Packets sent in a public network are easy to intercept and read or change. We

need a way to hide their contents.

• The protection method must be transparent to the users and easy to apply.


• The protection method should not significantly affect the quality of the

call.

Solution

To achieve confidentiality, we use encryption and decryption of VoIP calls.

Implementation

In cases where performance is an important issue, symmetric algorithms are

preferred. Such algorithms require the same cryptographic key (a shared secret key)

on both sides of the channel.

If the IPSec standard is used, it is necessary for the participants in a call (i.e. Caller and Callee) to agree beforehand on a data encryption algorithm (e.g. DES, 3DES, AES) and on a shared secret key. The Internet Key Exchange (IKE) protocol is used for setting up the IPSec connections between terminal devices. The caller encrypts the voice call with the secret key and sends it to the remote user. The callee decrypts the voice call and recovers the original voice packets.

Additionally, the Secure Real Time Protocol (SRTP) can be used for encrypting

media traffic and the Multimedia Internet KEYing (MIKEY) for exchanging keying

materials in VoIP.

If public key cryptography is used, the callee must obtain the caller's public key

before establishing a connection. The caller encrypts the voice call with the callee’s

public key and sends it to her. The callee decrypts the voice call and recovers the

original voice packets.
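As an added example of the symmetric, per-packet protection described in this Implementation section (written for this page; it is not code from the dissertation or from any SRTP implementation), the Python below keeps the 12-byte RTP header in the clear so that switches and QoS devices can still read it, encrypts only the payload with a keystream derived from the shared session key, the SSRC and the sequence number, and appends an 80-bit authentication tag over header and ciphertext that the callee checks before decrypting. The keystream is a constructed HMAC-in-counter-mode illustration rather than the AES-CTR transform SRTP actually specifies, the rollover counter is omitted, and the keys and voice frame are constructed.

```python
import hashlib
import hmac
import struct
from typing import Optional, Tuple

RTP_HEADER_LEN = 12   # fixed RTP header, no CSRC list or extension assumed
AUTH_TAG_LEN = 10     # 80-bit tag (the SRTP default tag length)


def make_rtp(seq: int, ts: int, ssrc: int, payload: bytes, pt: int = 0) -> bytes:
    """Build a plain RTP packet: V=2, P=0, X=0, CC=0, M=0, payload type pt."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload


def parse_rtp_header(pkt: bytes) -> Tuple[int, int, int]:
    """Return (sequence number, timestamp, SSRC) from the fixed RTP header."""
    vpxcc, _m_pt, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:RTP_HEADER_LEN])
    if vpxcc >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    return seq, ts, ssrc


def keystream(session_key: bytes, ssrc: int, index: int, length: int) -> bytes:
    """Per-packet keystream from (key, SSRC, packet index).

    Constructed PRF-in-counter-mode illustration: each 32-byte block is
    HMAC-SHA256(key, SSRC || index || block counter). Real SRTP uses AES-CTR
    with a 48-bit index (ROC || SEQ); here the index is the 16-bit SEQ only."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(session_key, struct.pack("!IQI", ssrc, index, block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(session_key: bytes, auth_key: bytes, rtp_packet: bytes) -> bytes:
    """Caller side: encrypt the payload, leave the header readable, append the tag."""
    seq, _ts, ssrc = parse_rtp_header(rtp_packet)
    header, payload = rtp_packet[:RTP_HEADER_LEN], rtp_packet[RTP_HEADER_LEN:]
    ks = keystream(session_key, ssrc, seq, len(payload))
    ciphertext = bytes(p ^ k for p, k in zip(payload, ks))
    tag = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:AUTH_TAG_LEN]
    return header + ciphertext + tag


def unprotect(session_key: bytes, auth_key: bytes, srtp_packet: bytes) -> Optional[bytes]:
    """Callee side: verify the tag first; return the original RTP packet or None."""
    header = srtp_packet[:RTP_HEADER_LEN]
    ciphertext, tag = srtp_packet[RTP_HEADER_LEN:-AUTH_TAG_LEN], srtp_packet[-AUTH_TAG_LEN:]
    expected = hmac.new(auth_key, header + ciphertext, hashlib.sha256).digest()[:AUTH_TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                      # reject: never decrypt unauthenticated media
    seq, _ts, ssrc = parse_rtp_header(header)
    ks = keystream(session_key, ssrc, seq, len(ciphertext))
    return header + bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo() -> Tuple[bool, bool, bool, bool]:
    """(header still readable, payload hidden, callee recovers packet, tampered packet rejected)."""
    session_key = hashlib.sha256(b"constructed-session-key").digest()   # constructed keys
    auth_key = hashlib.sha256(b"constructed-auth-key").digest()
    frame = bytes(range(160))                                            # 160-byte PCMU frame stand-in
    pkt = make_rtp(seq=1000, ts=160000, ssrc=0xDEADBEEF, payload=frame)
    protected = protect(session_key, auth_key, pkt)
    header_in_clear = protected[:RTP_HEADER_LEN] == pkt[:RTP_HEADER_LEN]
    payload_hidden = protected[RTP_HEADER_LEN:-AUTH_TAG_LEN] != frame
    recovered = unprotect(session_key, auth_key, protected) == pkt
    tampered = bytearray(protected)
    tampered[20] ^= 0x01                                                 # flip one ciphertext bit
    rejected = unprotect(session_key, auth_key, bytes(tampered)) is None
    return header_in_clear, payload_hidden, recovered, rejected
```

Binding the keystream to the sequence number is what keeps two packets carrying the same audio from producing the same ciphertext, and checking the tag before decrypting is what keeps the garbage-packet injection described in Chapter 5 from reaching the jitter buffer.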


The class diagram of Figure 4.5 shows a secure-channel communication in VoIP (adapted from the Cryptographic Metapattern in [Bra98]). This model uses the Strategy pattern to indicate the choice of encryption algorithms. Both the Caller and Callee roles use the same set of algorithms, although they are shown only on the caller side.

[Figure 4.5 Class Diagram for a VoIP Secure Channel. Classes: Principal (role), Caller (make_call) communicates with Callee (answer_call); AlgorithmEncrypter with concrete strategies DES, 3DES, AES, SRTP, IPSec; Decrypter.]

Consequences

The advantages of this pattern include:

• Symmetric encryption approaches provide good confidentiality.

• Encryption is performed transparently to the user’s activities.

• The need to provide separate VLANs for VoIP security could possibly be

removed.


• It may no longer be necessary to use IPSec tunneling that was previously

required in the MAN/WAN.

Possible disadvantages include:

• The quality of the call can be affected if encryption is not performed very

carefully [Wal05].

• It is hard to scale because of the need for shared keys.

Related Patterns

This Secure VoIP pattern is related to the Cryptographic Metapattern [Bra98] and other similar encryption protocol patterns.

4.5 Summary and Discussion

This security patterns chapter focused on the security mechanisms and standards that stop attacks against the VoIP system. We presented the attacks in an unstructured form; a systematic study can be done using the approach proposed in [Fer06]. From the list of threats we can deduce which security patterns are necessary to prevent or mitigate them. Further, this section provided security patterns based on these well-known countermeasures.


Chapter 5

Attack Patterns

5.1 Introduction

In this chapter we introduce a new type of pattern, the attack pattern. This pattern describes, from the point of view of the attacker, how a type of attack is performed (what system units it uses and how), proposes ways of stopping the attack by enumerating possible security patterns that can be applied for this purpose, and helps analyze the attack once it has happened by indicating where forensic data can be found and identifying the type of data. Attack patterns enable us to focus on the vulnerable parts of a specific VoIP network and allow us to secure them better. There are various threats to a VoIP deployment from external domains and internal sources. The goal is to prevent those attacks that have the potential to affect a VoIP environment. We illustrate this type of pattern by presenting specific attack patterns for Denial of Service (DoS), VoIP Call Interception, Theft of Service, Call Hijacking, and IP Spoofing attacks in VoIP.


5.2 A Template for Attack Patterns

An attack pattern describes, from the point of view of an attacker, a generic way of performing an attack that takes advantage of the specific vulnerabilities of some environment. It also presents a way to counteract its development in the form of security patterns, as well as a way to analyze the information collected at each stage of the attack. We describe this type of pattern using a template based on the one used in [Bus96], which is commonly used for architectural patterns as well as security patterns [Sch06]. We have reinterpreted its sections to fit the new viewpoint of attack instead of defense. The sections of the template are described below.

Name -The name of the pattern should correspond to the generic name given to the specific type of attack in standard attack repositories such as CERT [CERT07] or Symantec [Sym06].

Intent or thumbnail description -A short description of the intended purpose of the

pattern (what problem it solves for an attacker).

Context -This section describes the general environment, including the conditions

under which the attack may occur. These may include minimal defenses usually

present in the system as well as typical vulnerabilities of the system.

Problem -Defines the goal of the attack pattern. From a hacker's perspective, the problem is how to find a way to attack the system. An additional problem occurs whenever a system is protected by some defense mechanisms, and there may be indications of how to overcome them. The forces indicate what factors may be required in order to accomplish the attack and in what way, for example, which vulnerabilities can be exploited. They also indicate which factors may obstruct or delay accomplishing the attack.

Solution -This section describes the solution of the hacker’s problem, i.e., how the

attack can be performed in order for it to reach its objectives and the expected results

of the attack. UML class diagrams show the system before and during the attack.

Sequence diagrams show the exchange of messages needed to accomplish the attack.

State or activity diagrams may add further detail.

Known uses -Specific incidents where this attack occurred. Details of past attacks are

useful to decide where to look for evidence and how to stop the attack.

Consequences -Discusses the benefits and drawbacks of an attack pattern from the

attacker’s viewpoint. Is the effort and cost of the attack commensurate with the results

obtained? Which are the possible sources of failure?

Countermeasures and forensics -This is a new section compared to the template for

standard security patterns. It describes the security measures necessary in order to

stop, mitigate, or trace this type of attack. This implies an enumeration of which

security patterns are effective against this attack. From a forensic viewpoint, it

describes what information can be obtained at each stage tracing back the attack and

what can be deduced from this data in order to identify this specific attack. Finally, it

may indicate what additional information should be collected at the involved units to

improve forensic analysis.

Where to look for forensic evidence -This section may include a diagram with only

the selected classes and associations relevant to the forensic examination. The attack


pattern should not be a comprehensive representation of all classes (that represent

network components) and associations involved in an attack. The pattern should

represent those UML classes that are relevant to the forensic examination. In fact,

UML class diagrams are useful for this purpose because of their abstraction

properties. In cases where primary sources of forensic data (i.e. firewalls, IDS and

NFATs) don’t contain enough evidence, investigators need to look for secondary

sources. The most obvious and common secondary sources of data are terminal

devices (including wireless devices), servers, and network storage devices.

Related Patterns -Discusses other attack patterns with different objectives but

performed in a similar way, or with similar objectives but performed in a different

way.

5.3 Attack pattern: Denial-of-Service (DoS) in VoIP

Intent

The VoIP DoS attack is intended to overwhelm client and/or server resources and disrupt VoIP operations through a flood of messages or by degrading the quality of messages, thus preventing subscribers from effectively using the service.


Context

We must take into account two different scenarios when studying DoS attacks:

those where end systems are targets and those that target gateways. In the former,

subscribers try to establish a voice call conversation over a VoIP channel. VoIP

services should be available to subscribers when requested. In the latter, some VoIP

systems use control protocols (e.g. MGCP and Megaco/H.248) and security

mechanisms, in order to manage the Media gateways deployed across the

infrastructure. In general, the VoIP system should have adequate capability (i.e.

routing, bandwidth, and QoS) to meet the peak communication load. The system may

have a minimum set of defenses, e.g. a firewall. More secure VoIP implementations may have an intrusion detection system (IDS) or a firewall on the phone itself to check the media packet flow, or may perform authentication.

Problem

IP telephony subscribers need to be blocked from using VoIP services. The attack can

be carried out taking advantage of the following vulnerabilities:

• VoIP security is in an incipient phase at the moment; there is a lack of expertise and of security standards. Users might inadvertently expose the system. While there exist some basic countermeasures such as IDS and firewalls, administrators may not configure them appropriately.

• Until now VoIP has been developed and deployed focusing on functionality, with less thought for security [Wie06]. That means that not very advanced defenses are in place. For example, strong authentication is not common in VoIP.

• VoIP is vulnerable to DoS attacks which have not previously been a security

issue with the circuit-switched telephony system because of its analog nature.

• With the rush to implement new VoIP systems, features and standards,

implementation flaws are common. IP PBXs include many layers of software

that may contain vulnerabilities. Programming mistakes, such as not properly

checking the size of the parameters of a protocol request, when exploited, can

result in the following issues [Col04]:

o Remote access. An attacker obtaining remote (often administrator

level) access.

o Malformed request DoS. A carefully crafted protocol request (a

packet) exploiting a vulnerability which results in a partial or complete

loss of function.

o Load-based DoS. A “flood” of legitimate requests overwhelming a

system.

• As with any network-based service, enterprise VoIP must communicate with

other components on a LAN and possibly over an untrusted network such as

the Internet, where packets are easy to intercept.

• Because RTP carries media, which must be delivered in real time to be usable for an acceptable conversation, VoIP is vulnerable to DoS attacks that impact the delivery quality of audio, such as those that affect jitter and delay.


• VoIP tools can offer very good cover traffic for DoS attacks because VoIP

runs continuous media over IP packets [CRN06].

Solution

Two basic standards are used for VoIP systems: H.323 and SIP. We consider here an

attack in an H.323 environment (see [Anw06] for details of a SIP attack). The SIP

attack can be considered a variant of this pattern or a separate pattern. Likewise,

specific DoS attacks against gateways will be analyzed from the supporting

Megaco/H.248 protocol viewpoint.

Figure 5.1 shows the class diagram of the structure of an H.323 system. The Layer 2

Switch provides connectivity between H.323 components. The Gateway takes a

voice call from a circuit-switched Public Switched Telephone Network (PSTN) and

places it on the IP network. The PSTN uses PBX switches and Analog Phones. The

Internet (IP network) contains Routers and Firewalls to filter traffic to the Terminal

Devices. The gateway also queries the Gatekeeper via the Internet with caller/callee

numbers and the gatekeeper translates them into routing numbers based upon service

logic. The IP-PBX Server acts like a call-processing manager providing call setup

and routing the calls throughout the network to other voice devices. Softphones are

applications installed in Terminal Devices (e.g. PCs or wireless devices).

One method to launch a DoS attack is to flood a server with repeated requests for

legal service in an attempt to overload it. This may cause severe degradation or

complete unavailability of the voice service.


[Figure 5.1 Class Diagram for an H.323 architecture. Classes: TerminalDevice, Layer 2 Switch, Gatekeeper (manages), IP-PBX, Internet, Firewall, Router, Gateway (PSTN-to-PSTN connect), PSTN, AnalogPhone; associations "connect" and "conference".]

A flooding attack can also be launched against IP phones and Gateways (e.g. a flood of "register" or "invite" events). With this form of DoS attack, the target system is so busy processing packets from the attack that it will be unable to process legitimate packets, which will either be ignored or processed so slowly that the VoIP service is unusable. Attackers can also use the TCP SYN Flood attack (also known as a resource starvation attack) to obtain similar results. This attack floods the port with synchronization packets, normally used to start a connection. In a Distributed DoS, multiple systems are used to generate a massive flood of packets. To launch a massive DDoS attack the hacker previously installs malicious software on compromised terminal devices (infected with a Trojan Horse) that can be triggered at a later time (a.k.a. "zombies") to send fake traffic to targeted VoIP components. Targeted DoS attacks are also possible, where the attacker disrupts specific connections.


The class diagram of Figure 5.2 shows the structure for a DDoS attack in an H.323

architecture where any VoIP component can be a target for DoS. Classes Attack

Control Mechanism and Zombie describe the software introduced by the attacker.

Note that the zombie is just a terminal device in a different role.

[Figure 5.2 Class Diagram for DoS attacks in H.323. The H.323 classes of Figure 5.1 (Terminal Device, Layer 2 Switch, Gatekeeper (manages), Internet, IP-PBX, Firewall, Gateway (PSTN-to-PSTN connect), AnalogPhone) plus the attacker's classes Zombie and Attack Control Mechanism.]

The sequence diagram of Figure 5.3 shows the sequence of steps necessary to perform an instance of a DoS attack of the first type mentioned above. An attacker (internal or remote), with knowledge of a valid user name on a VoIP system, could generate enough call requests to overwhelm the IP-PBX server. An attacker may disrupt a subscriber's call attempt by sending specially crafted messages to his/her ISP server or IP PBX component, causing it to over-allocate resources such that the Caller receives a "service not available" (busy tone) message. This is an example of a targeted attack.

[Figure 5.3 Sequence diagram for a DoS attack in H.323. Participants: aCaller, :IP-PBX, :Layer2/3switch, aCallee. Messages: dial(Callee.setup()), message(attackMessage()) (twice), notify(busyTone), notify(cannotProcessCall).]

Similarly, out-of-sequence voice packets (such as receiving media packets before a session is accepted) or a very large phone number could open the way to Application Layer attacks (a.k.a. Attacks against Network Services). Buffer Overflow attacks might paralyze a VoIP number using repeated calling. For example, an attacker intermittently sends garbage (i.e. both the header and the payload are filled with random bytes, corrupting the voice packets in the Callee's jitter buffer) to the Callee's phone in between the Caller's voice packets. The Callee's phone is then so busy trying to process the increased packet flow that the jitter (delay variation) makes any conversation incomprehensible [Anw06].

Figure 5.4 shows the class diagram of the structure of a Megaco/H.248 environment. Megaco/H.248 is the media gateway control protocol; it is a master-slave, transaction-oriented protocol in which Media Gateway Controllers (MGC) control the operation of Media Gateways (MG) [Ell03]. VoIP media gateways are vulnerable to DoS because they accept signaling messages.

[Figure 5.4 Class Diagram for an MGCP environment. Classes: MGC (signaling / connect) controlling Media Gateway, with subclasses PSTN Media Gateway and ISDN Media Gateway; Analog phone and Terminal device.]

In this setting, a DoS attack would occur at an MGC when the attacker sends a large amount of UDP packets to the protocol's default port 2944 or 2945, which keeps the MGC busy handling illegal messages and finally blocks the normal service. An attacker can keep sending Service change or Audit capabilities commands to an MG and thereby bring down the MG [Vuo04]. Therefore, VoIP Gateways will not be able to initiate calls or maintain a voice call during a DoS attack. The audio quality will be affected as well. An alternative way to launch a DoS attack is for an attacker to redirect media sessions to a media gateway. The attack will overwhelm this voice component and prevent it from processing legitimate requests.

Signaling DoS attacks on media gateways can consume all available Time Division Multiplexing (TDM) bandwidth, preventing other outbound and inbound calls and affecting other sites that use TDM. On the other hand, because VoIP media sessions are very sensitive to latency and jitter, DoS on media is a serious problem. VoIP media, which is normally carried with RTP, is vulnerable to any attack that congests the network or slows the ability of an end device (phone or gateway) to process the packets in real time. An attacker with access to the portion of the network where media is present simply needs to inject large numbers of either RTP packets or high-QoS packets, which will contend with the legitimate RTP packets [Col04].

Consequences

The success of this attack implies:

• DoS can be especially damaging if key voice resources are targeted (e.g.,

media gateways).

• Flooding of the firewall can prevent it from properly managing ports for

legitimate calls.

• VoIP QoS can be degraded by jitter and delay and may become totally

unusable.


• The zombies in the targeted network can also be used as DoS launching points

from which to attack another network.

Possible sources of failure include:

• Threats and attacks can be defined but are difficult to carry out in practice,

mainly due to the lack of knowledge and testing opportunities for attackers.

Countermeasures and Forensics

The attack can be stopped or mitigated by the following countermeasures:

• DoS is mitigated by disabling and removing unnecessary network services, hardening the operating system, and using host-based intrusion detection systems (IDS pattern in [Fer05]). This makes it harder to introduce Trojan horses that may turn the terminal device into a zombie.

• IDS and firewalls ensure that packets with very large sequence numbers and

garbage packets are discarded. Again the IDS pattern is relevant as well as the

Firewalls patterns [Sch06].

• Use of Stateful-Inspection Firewalls (See [Sch06] for a pattern) with Deep

Packet Inspection technology in order to look inside the voice packet, and

analyze the contents of the packet as well as the headers to decide if the

information is safe or not (Proxy Firewall pattern [Sch06]).


• Use the Authenticated Call pattern [Fer07b] which performs both device and

user authentication before deciding access to VoIP services. Although this

takes longer it can protect from targeted attacks.

Likewise, the following network forensics mechanisms are possible:

• Logs in the terminal devices not only provide call details (e.g. start/end times

and dates of each call) but they can also reveal the presence of Trojan Horses.

As we indicated, some attacks come from compromised devices that become

zombies.

• Selective use of events sent to the ISP or IP PBX was shown to produce

another range of attacks. Those could be traced through logs on these devices.

• Network forensic analysis techniques such as IP Traceback and Packet

Marking are useful for attack attribution. During a denial of service attack the

victim will receive sufficient traceback packets to reconstruct the attack path

[Sha03]. Locating attackers with the IP traceback technology is also a

potential security mechanism to counter DoS attacks. The deployment of a

traceback mechanism on a single router would provide minimal benefit. This

process requires the cooperation of all network operators along the attack path

in order to trace it back to the source. IP traceback works even when criminals

conceal their geographic locations by spoofing source addresses.

• Comparing traffic patterns against predefined thresholds (as done by some IDS) is an effective method of detecting DDoS attacks. Such a method can produce an alert, helping network examiners to detect malicious traffic (e.g. by observing congestion in a router's buffer) entering or leaving their networks.

• Event logging allows network administrators to collect important information

(e.g. date, time and result of each action) during the setup and execution of the

attack. For example, logs may identify the type of DDoS attack used against a

targeted system.

• The use of Honeypots placed on selected VoIP components (see Figure 2) and

other network forensics tools can help in the event of a successful attack.

• Network monitoring software is helpful in identifying significant deviations

from normal traffic flows. Network monitoring software can document the

impact of DDoS attacks on network bandwidth and availability, as well as

providing information about the apparent targets [Ken06].
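The IP traceback item above says the victim of a DoS flood receives enough marked packets to reconstruct the attack path. The simulation below is an added example, not from the dissertation, of the edge-sampling form of probabilistic packet marking: routers write edge fragments into a header field, and the victim chains them by distance. The router addresses, the marking probability and the forged address are constructed; the forged case shows why a spoofed mark can only appear beyond the last real router.

```python
"""Edge-sampling probabilistic packet marking: routers mark, the victim reconstructs."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed attack path, listed from the attacker side toward the victim.
PATH = ["192.0.2.5", "192.0.2.4", "192.0.2.3", "192.0.2.2", "192.0.2.1"]
# Address an attacker pre-loads into the marking fields to mislead the victim (constructed).
FORGED = "198.51.100.9"

Mark = Tuple[Optional[str], Optional[str], int]   # (start, end, distance)


@dataclass
class Packet:
    start: Optional[str] = None   # router that began the recorded edge
    end: Optional[str] = None     # next router on that edge (None = the victim itself)
    distance: int = 0             # routers traversed since `start` wrote itself


def forward(pkt: Packet, path: List[str], p: float, rng: random.Random) -> Packet:
    """Apply edge-sampling marking at every router on `path`.

    With probability p a router starts a new edge (start = itself, distance = 0).
    Otherwise it completes an edge begun by its upstream neighbour (distance == 0)
    and increments distance, so distance == hops from `start` to the victim minus one.
    """
    for router in path:
        if rng.random() < p:
            pkt.start, pkt.end, pkt.distance = router, None, 0
        else:
            if pkt.distance == 0:
                pkt.end = router
            pkt.distance += 1
    return pkt


def reconstruct(marks: List[Mark]) -> List[str]:
    """Victim-side reconstruction: chain the collected edges outward by distance.

    The distance-0 edge names the router adjacent to the victim; the distance-d
    edge whose `end` equals the router found at distance d-1 names the next hop.
    Routers are returned from the victim toward the attacker.
    """
    edges: Dict[Tuple[int, Optional[str]], str] = {}
    for start, end, dist in marks:
        if start is not None:             # a packet no router marked carries no usable edge
            edges[(dist, end)] = start
    path: List[str] = []
    hop: Optional[str] = None             # `end` we expect on the next edge; None = victim
    dist = 0
    while (dist, hop) in edges:
        hop = edges[(dist, hop)]
        path.append(hop)
        dist += 1
    return path


def simulate(path: List[str], n_packets: int = 500, p: float = 0.2,
             forge: bool = False, seed: int = 7) -> List[str]:
    """Send n_packets of attack traffic along `path` and reconstruct it at the victim.

    With forge=True every packet leaves the attacker with start=FORGED already set.
    Such a mark survives only when no router marks, and every router still increments
    distance, so the forged hop can only show up beyond the last real router.
    """
    rng = random.Random(seed)
    marks: List[Mark] = []
    for _ in range(n_packets):
        pkt = forward(Packet(start=FORGED if forge else None), path, p, rng)
        marks.append((pkt.start, pkt.end, pkt.distance))
    return reconstruct(marks)


if __name__ == "__main__":
    print("reconstructed path (victim outward):", simulate(PATH))
    print("with forged marks:", simulate(PATH, forge=True))
```

The reconstruction only works because every router on the path participates, which is the cooperation requirement the text notes.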

Where to look for evidence

Based on Figure 5.2, the following may be considered secondary sources of forensic

information in a VoIP environment: Terminal devices (i.e. softphones, hardphones

and wireless VoIP phones), gatekeepers, gateways, and IP-PBXs.

Known Uses

DoS attacks are performed on different systems in the Internet every day. Some of

those attacks affect VoIP systems.


Related Patterns

Several security patterns for defending against these (and related) attacks are listed in

[Anw06], [Pel04], and [Fer07b]. Some general security patterns such as firewalls

[Sch06], IDS [Fer05], and authentication [Sch06] can be used to control these attacks

as discussed earlier. An attack pattern can be developed to describe similar attacks on

SIP networks.

5.4 Attack pattern: Call Interception in VoIP

Intent

The VoIP Call Interception pattern provides a way of monitoring voice packets or

RTCP transmissions. This kind of attack is the equivalent of wiretapping in a circuit-

switched telephone system.

Context

Two or more subscribers are participating in a voice call conversation over a VoIP

channel. In public IP networks such as the Internet, anyone can capture the packets

meant for another user. In order to achieve confidentiality, enterprises may use

encryption and decryption techniques when making or receiving VoIP calls. Since

cryptographic algorithms are typically implemented in hardware, they are difficult to

implement in VoIP, which is software-based. In VoIP networks, transport-protocol-


based threats rely upon a non-encrypted RTP stream [Mih06]. On the other hand,

enterprises may route voice traffic over a private network using either point-to-point

connections or a carrier-based IP VPN service. Two basic standards are used for

VoIP systems: H.323 and SIP. We consider here an attack in an H.323 environment.

The SIP attack can be considered a variant of this pattern or a separate pattern.

Problem

A call traversing a converged network needs to be intercepted. The attack can

be carried out taking advantage of the following vulnerabilities:

• The Real Time Protocol (RTP) is not a complete protocol but rather a

framework where vendors are provided implementation freedom according to

their specific application profiles [Mih06]. This means that specific

implementations may have diverse degrees of security.

• In RTP, information on the used codec is available in the header of every RTP

packet, via the PT header field [Mih06].

• PC-based IP Phones (a.k.a. Softphones) are applications installed on user

systems (e.g. desktops) with speakers and microphones that reside in the data

segment. It is possible for worms, viruses and other malicious software

common on PCs to infect the voice segment in VoIP.

• In wireless VoIP (i.e. VoIPoW), publicly available software can be used to

crack Wired Equivalent Privacy (WEP) products.


• As VoIP in a wireless environment operates on a converged (voice, data, and

video) network, voice and video packets are subject to the same threats as

those associated with data networks. Likewise, all the vulnerabilities that

exist in a VoIP wired network apply to VoIPoW technologies plus the new

risks introduced by weaknesses in wireless protocols.

• The tools used for call interception purposes can be downloaded freely on the

internet, greatly increasing the potential of this type of attack.

• VoIP security is in an incipient phase at the moment; there is a lack of expertise and security standards. Users might inadvertently expose the system. While

there exist some basic countermeasures such as IDS and firewalls,

administrators may not configure them appropriately.

• Until now VoIP has been developed and deployed focusing on functionality

with less thought for security [Wie06]. That means that not very advanced

defenses are in place. For example, strong authentication is not common in

VoIP.

• Because of the many nodes in a packet network, call interception can be

applied in many places.

• The transport of voice data over public networks (i.e. the Internet), facilitates

the possibility of attacks on this technology.

• It is much easier to hack VoIP network hubs than traditional phone switches.

Although hackers cannot intercept voice calls, they can have access to packets

traversing the converged network.


• Anyone can record, duplicate and distribute to unintended parties voice calls

over IP.

• IP Phones have become available for software developers. The increase in

features and complexity comes however with a security cost: more

applications equal more avenues of attack [Nic07].

• VoIP is vulnerable to call interception attacks which have not previously been

a security issue with circuit-switched networks where tapping requires

physical access to the system. Therefore tapping is a serious concern in IP

telephony when compared with the traditional telephony environment.

Solution

VoIP Call Interception gives attackers the ability to listen and record private phone

conversations by intercepting both the signaling and the media stream. The attacker is

also able to modify the content of the packets being intercepted acting as a man in the

middle. In principle this threat affects both the signaling and the data depending on

the ability of the attacker to intercept both [Nic07].

Due to the fact that voice travels in packets over the data network, hackers can use

data-sniffing and other hacking tools to identify, modify, store and play back

unprotected voice communications traversing the network, thus violating

confidentiality. A packet sniffer is a software application that uses a network adapter

card in promiscuous mode (a mode in which the network adapter card sends all

packets received on the physical network wire to an application for processing) to


capture all network packets that are sent across a particular collision domain. This

packet sniffer application can reside in a general-purpose computer attached, for

example, in a local area network [Fer05]. For example, the tool "voice over

misconfigured Internet telephones" (a.k.a. “vomit”), takes an IP phone conversation

trace captured by the UNIX tool tcpdump, and reassembles it into a wave file which

makes listening easy [Pog03, Sco04], using MP3 or alternative audio files. The

reassembled files can be collected later, emailed or otherwise sent on to the

eavesdropper. Figure 5.5 shows the sequence of the steps necessary to monitor a

VoIP conversation.

[Figure 5.5 image not reproduced; recoverable labels: actors aCaller and aCallee; messages: dial number, connect call, process call, establishes call, identify IP/MAC addresses, ARP spoof, impersonate callee, create default gateway, capture VoIP packets, playback packets]

Figure 5.5 Sequence diagram for a call interception

With tcpdump, hackers can identify the IP and MAC addresses of the phone to be

attacked. By using an Address Resolution Protocol (ARP) spoofing tool, the attacker

could impersonate the local gateway and the IP phone on the network, creating a


default gateway [Pog03]. This allows RTP streams to and from the target IP phone to

be monitored by the attacker.

The communication between the Gateway and Gatekeeper is equally vulnerable to

call interception using the same techniques described for terminals devices. The RTP

streams can be intercepted between the IP end-stations or between the Gateway and

Gatekeeper (IP Trunk) [Kle03].

Likewise, the FragRouter tool would have to be enabled on the attacking machine so

the data packets would reach their ultimate destination. If the hacker has access to the

local switched segment, she may be able to intercept a call by inserting a phone into

the voice segment with a spoofed Media Access Control (MAC) address, and

assuming the target phone's identity.
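The ARP spoofing step of Figure 5.5 (the attacker answering for the gateway and the phone) leaves a trace that a monitor on the voice segment can catch. The detector below is an added example, not from the dissertation; it runs over constructed tcpdump-style ARP replies, and the addresses, MACs and gateway list are assumptions.

```python
import re
from typing import Dict, FrozenSet, List, NamedTuple, Set

# Constructed sample in the style of `tcpdump -n arp` output (not a real capture).
# 10.10.1.1 is the voice-VLAN default gateway, 10.10.1.42 an IP phone; at 09:00:07
# a third host starts claiming both addresses.
ARP_LOG = """\
09:00:00.100 ARP, Reply 10.10.1.1 is-at 00:1a:2b:3c:4d:01, length 28
09:00:00.250 ARP, Reply 10.10.1.42 is-at 00:1a:2b:3c:4d:42, length 28
09:00:05.000 ARP, Reply 10.10.1.1 is-at 00:1a:2b:3c:4d:01, length 28
09:00:07.300 ARP, Reply 10.10.1.1 is-at 00:0c:29:aa:bb:cc, length 28
09:00:07.301 ARP, Reply 10.10.1.42 is-at 00:0c:29:aa:bb:cc, length 28
09:00:09.000 ARP, Request who-has 10.10.1.7 tell 10.10.1.42, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})"
)


class Alert(NamedTuple):
    ts: str
    ip: str
    old_mac: str
    new_mac: str
    reason: str


def detect_arp_spoofing(log: str,
                        gateways: FrozenSet[str] = frozenset({"10.10.1.1"})) -> List[Alert]:
    """Flag ARP replies that re-map an IP already bound to another MAC.

    The first reply seen for an IP is taken as the trusted baseline (in production
    this table would come from DHCP leases or a static inventory). A gateway being
    re-mapped, and one MAC answering for several IPs, are the signs of the
    impersonation step in Figure 5.5.
    """
    bindings: Dict[str, str] = {}        # ip -> baseline MAC
    claims: Dict[str, Set[str]] = {}     # mac -> IPs it has answered for
    alerts: List[Alert] = []
    for line in log.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue                      # requests carry no binding claim
        ts, ip, mac = m["ts"], m["ip"], m["mac"]
        baseline = bindings.setdefault(ip, mac)
        others = claims.setdefault(mac, set()) - {ip}
        claims[mac].add(ip)
        if baseline == mac:
            continue
        reason = "gateway rebinding" if ip in gateways else "host rebinding"
        if others:
            reason += "; MAC also claims " + ", ".join(sorted(others))
        alerts.append(Alert(ts, ip, baseline, mac, reason))
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(ARP_LOG):
        print(f"{a.ts} {a.ip}: {a.old_mac} -> {a.new_mac} ({a.reason})")
```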

Consequences

The success of this attack implies:

• It is possible to listen in on a conversation by intercepting the unencrypted

media stream between the two terminal devices.

• Attackers may use telephone systems for divulging crucial information such

as Social Security numbers, Credit Card numbers or any other confidential

information. Inside a company, eavesdropping could allow access to

confidential business information.

• Hackers could capture the packets and decode their voice packet payload

between two or more VoIP terminal devices.


• Due to the fact that voice travels in packets over the data network, hackers can

use data-sniffing and other hacking tools to identify, modify, store and play

back unprotected voice communications traversing the network, thus violating

confidentiality.

• A hacker breaking into a VoIP data stream has access to many more calls than

she would with traditional telephone tapping. Consequently, she has a much

greater opportunity of obtaining useful information from tapping a VoIP data

stream than from monitoring traditional phone systems.

• Call interception attacks result in the attacker being able to use the intercepted

data for other malicious intents, such as: call pattern tracking, number

harvesting, and conversation reconstruction [Nic07].

• The interception and modification threat results in the attacker being able to

modify the packets for malicious actions, examples are [Nic07]:

o Call blackholing - the attacker intentionally drops essential packets

(e.g. INVITE) of the VoIP protocol, causing the call initiation to fail;

o Call rerouting - the attacker redirects the packets on a different path in

order to include unauthorized nodes in the path or to exclude

authorized ones from it;

o Conversation alteration - the attacker alters the packets in order to

modify the conversation between two users;


o Conversation degrading - the attacker intentionally drops a selection of

packets or modifies their content with the objective of degrading

the overall quality of the conversation.

Possible sources of failure include:

• Call Interception is somewhat limited because it would require physical access

to the local network or remote access to a compromised host on the local

network.

• Intercepting voice traffic as it crosses the Internet is more difficult because

once the packetized voice hits the carrier, it becomes much harder to single

out among other traffic.

• It is more difficult to intercept calls on VoIP networks than capturing and

reading text messages on public networks.

Countermeasures and Forensics

The attack can be stopped or mitigated by the following countermeasures:

• Call interception is mitigated by encrypting the sensitive data being

transferred using an encryption technique such as secure sockets layer (SSL),

IPSec, or secure shell (SSH).


• In order to improve performance, it is better to use encryption at routers or

other gateways instead of at terminal devices.

• Use the Secure Real-time Protocol, a profile of the Real-time Transport

Protocol (RTP) which offers confidentiality, message authentication, and

replay protection for the RTP and RTCP traffic [Mih06]. This end-to-end

encryption is performed at the media level.

• Use the Secure VoIP Channel pattern [Fer07b] which hides the meaning of

messages by performing encryption of calls in a VoIP environment.

• Use the Network Segmentation pattern [Fer07b] which performs separation of

the voice and data services to counter possible attacks against the voice

VLAN by an attacker in the data VLAN. Using network segmentation, an

attack aimed at the data network (i.e. against softphones) won’t impact critical

voice traffic and vice versa.

• Use the VoIP Tunneling pattern [Fer07b] which provides a way of

guaranteeing the confidentiality and integrity of calls in IP telephony by the

encapsulation of data from one protocol into the protocol stream of another.

Likewise, the following network forensics mechanisms are possible:

• Use packet sniffers (also referred to as network monitors or packet analyzers).

A packet sniffer may be installed on any VoIP component or inter-network

link to monitor VoIP traffic. Packet sniffers are good tools for network


investigators who want to monitor the information that enters and leaves the

system.

• Use Network Forensic Analysis Tools (NFAT), which typically provide the

same functionality as packet sniffers and protocol analyzers. NFAT software

is primarily focused on collecting and analyzing network traffic [Nis05].

• The collection of data in real time and the use of automatic mechanisms is

also useful when conducting network forensics investigations in a VoIP

environment.

• With the appropriate tools, investigators could capture the packets and decode

their voice packet payloads in order to analyze VoIP calls.
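What decoding the captured voice packets involves, as an added example that is not part of the dissertation: the Python below parses the RTP fixed header, reads the codec from the PT field noted under Problem, and counts sequence-number gaps per SSRC, which is how an examiner would notice the packet dropping used to degrade a conversation. The two RTP streams are constructed inside the block.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

# Static payload types of the RTP/AVP profile (RFC 3551). The PT field is sent in
# the clear in plain RTP, so a capture reveals the codec immediately.
STATIC_PT = {0: "PCMU", 3: "GSM", 4: "G723", 8: "PCMA", 9: "G722", 18: "G729"}


def parse_rtp(datagram: bytes) -> Dict[str, int]:
    """Decode the 12-byte fixed RTP header (RFC 3550).

    Extension headers are not parsed, so payload_len is exact only for packets
    without one (true for the constructed sample).
    """
    if len(datagram) < 12:
        raise ValueError("datagram shorter than the RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", datagram[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"not an RTP packet (version {version})")
    cc = b0 & 0x0F
    return {
        "version": version, "padding": (b0 >> 5) & 1, "extension": (b0 >> 4) & 1,
        "csrc_count": cc, "marker": b1 >> 7, "payload_type": b1 & 0x7F,
        "seq": seq, "timestamp": ts, "ssrc": ssrc,
        "payload_len": len(datagram) - (12 + 4 * cc),
    }


@dataclass
class Stream:
    codec: str
    packets: int = 0
    bytes: int = 0
    lost: int = 0
    last_seq: Optional[int] = None


def summarize_streams(datagrams: List[bytes]) -> Dict[int, Stream]:
    """Group packets by SSRC, name the codec from PT and count sequence-number gaps.

    Reordered packets are not handled here and would show up as spurious gaps.
    """
    streams: Dict[int, Stream] = {}
    for dg in datagrams:
        h = parse_rtp(dg)
        pt = h["payload_type"]
        s = streams.setdefault(h["ssrc"], Stream(STATIC_PT.get(pt, f"dynamic-{pt}")))
        if s.last_seq is not None:
            s.lost += (h["seq"] - s.last_seq - 1) & 0xFFFF   # tolerates 16-bit wraparound
        s.last_seq = h["seq"]
        s.packets += 1
        s.bytes += h["payload_len"]
    return streams


def build_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes, marker: int = 0) -> bytes:
    """Assemble a minimal RTP packet; used only to construct the sample capture below."""
    return struct.pack("!BBHII", 0x80, (marker << 7) | pt, seq, ts, ssrc) + payload


# Constructed capture: a PCMU stream missing seq 4 and 5, and a PCMA stream whose
# sequence numbers wrap from 65535 to 0 without loss (20 ms frames, 160 samples each).
SAMPLE_CAPTURE = (
    [build_rtp(0, seq, 160 * seq, 0xDEADBEEF, b"\xff" * 160, marker=int(seq == 1))
     for seq in (1, 2, 3, 6, 7)]
    + [build_rtp(8, seq, 160 * seq, 0x12345678, b"\xd5" * 160) for seq in (65534, 65535, 0)]
)

if __name__ == "__main__":
    for ssrc, s in summarize_streams(SAMPLE_CAPTURE).items():
        print(f"SSRC {ssrc:#010x}: {s.codec}, {s.packets} packets, "
              f"{s.bytes} payload bytes, {s.lost} lost")
```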

Where to look for evidence

Based on Figure 5.4, the following may be considered secondary sources of forensic

information in a VoIP environment: Terminal devices (i.e. softphones, hardphones

and wireless VoIP phones), gatekeepers, and gateways.

Known Uses

Government Surveillance is a special case of call interception. Communications

Assistance for Law Enforcement Act (CALEA) is another term for this electronic

surveillance. It means that the legal enforcement agent taps into a communication

channel to intercept, but not alter, the information [Sco04]. The wiretap facility is

based on the MAC address of the cable modem so it can be used for either data or


digitized voice connections. This feature is controlled by the interface command,

cable intercept, which requires a MAC address, an IP address, and a UDP port

number as its parameters. When activated, the router examines each packet for the

desired MAC address; when a matching MAC address is found (for either the

origination or destination endpoint), a copy of the packet is encapsulated into a UDP

packet which is then sent to the server at the specified IP address and port.

Figure 5.6 shows how the CALEA model components (i.e. Delivery Function (DF),

Collection Function (CF) and Law Enforcement Agency (LEA)) integrate with a

VoIP system providing a transparent lawful interception. Calls are routed via an

access gateway that hides any intercepts in place.

[Figure 5.6 image not reproduced; recoverable labels: classes Gatekeeper, Gateway, PBX, Router, PC, Analog Phone, PSTN, DF, CF, LEA; associations: intercept call, transmit packets, deliver, collect]

Figure 5.6 Class Diagram for CALEA Model

Wiretaps fall into two categories:


Call detail is a tap in which the details of the calls made and received by a subscriber

are passed to LEA. Call records generated from signaling messages can be very

valuable in criminal investigations. Signaling messages provide data about phone

calls - not the content of phone conversations. Therefore, collecting and analyzing

signaling messages may not be subject to the same legal restrictions as recording

voice conversations [Moo05]. In the second kind of tap, Call content, the actual

contents of a call are passed to LEA. The suspect must not detect the tap, so the tap

must occur within the network and not at the subscriber gateway. Also, the tap may

not be detectable by any change in timing, feature availability or operation. In order

for LEA to tap the content of calls without the subscriber noticing any change, all

calls must be routed via a device competent in duplicating the content and passing it

to that agency.

Lawful interception requirements in many countries could prevent a public carrier

from allowing direct connection between IP phones [Dre03]. With regard to fighting

terrorism, support for CALEA over IP is a matter of special concern because many

terrorist activities have taken place by using the Internet. VoIP services that cannot be

monitored and lawfully intercepted may be used to perform criminal or terrorist

activity. Thus, lawful interception in VoIP is vital for national security but because it

threatens users’ privacy, it must be performed only in authorized cases.


Related Patterns

Several patterns for defending against these (and related) attacks are listed in

[Anw06], [Fer07b]. A pattern can be developed to describe similar attacks on SIP

networks.

5.5 Attack pattern: Theft of Service in VoIP

Intent

The Theft of Service pattern provides an opportunity for hackers to gain access to

the VoIP network by imitating subscribers or seizing control of terminal devices and

performing free calls.

Context

The VoIP system should have adequate capability (i.e. routing, bandwidth, and QoS)

to meet the peak communication load. The system may have a minimum set of

defenses, e.g. a firewall. Some VoIP systems use control protocols (e.g. MGCP and

Megaco/H.248) and security mechanisms, in order to manage the Media gateways

deployed across the infrastructure as well as to make it difficult for an attacker to

overcome system resources. In a converged network both the signaling and media

traffic must be monitored. Similarly, secure VoIP implementations have an intrusion

detection system (IDS) or firewall on the phone itself to check the media packet flow.


A theft of service attack (a.k.a. IP telephony fraud) is directed against service providers.

Problem

An unauthorized user wants to make expensive phone calls without paying for them.

The attack can be carried out taking advantage of the following vulnerabilities:

• Theft of service attacks may be caused by inadequate security mechanisms in

VoIP, the insertion of malicious software that modifies the normal behavior of

terminal devices, and the unauthorized connection of devices to the network.

• It is possible to charge calls to another user’s account by using stolen user

identification details.

• Phone usage and billing systems can be manipulated by fraudulent telephone

users in order to make profit.

• The benefits of portability and accessibility introduced by IP Telephony have

a downside of an increased risk of service theft [Kle03].

• When using “Hoteling,” the primary protection against theft of service in the

traditional telephony environment, the physical security of the handset, is no

longer enough [Kle03].

• Unattended IP telephone.

• Rogue telephones can be installed.

• MAC addresses are easy to spoof.


Solution

This attack could be accomplished using several techniques. An attacker may just

simply want to place calls using an unattended IP phone or assuming the identity of

the legitimate user of a terminal device. The attacker uses the identity of the owner

(i.e. identity theft) without the owner’s consent. She then charges the call to the

owner’s account. A more complex method is when the attacker places a rogue IP

phone on the network or uses a breached VoIP gateway to make fraudulent calls.

In a service volume fraud, the attacker injects in the network more traffic than

what was declared in the session request in order to avoid paying for the used

resources [Nic07]. Theft of service can also be perpetrated using falsified

authentication credentials. A number of IP Telephony vendors authenticate their end

points via Ethernet media access control addresses (MACs). MAC addresses are

notoriously easy to spoof [Kle03]. An attacker might impersonate an IP Telephony

signaling server and “request” an end-device to perform authentication before dealing

with its call request. Using the end-point’s IP Telephony network credentials the

malicious party will be able to authenticate to any IP Telephony based server as well

as to place free of charge phone calls.

Figure 5.7 shows the sequence of the steps necessary to commit theft of service in

VoIP (Figure 1 shows the units involved). First, the attacker uses a brute force attack

to find the special prefixes that Internet phone companies use to identify authorized

calls to be routed over their networks. The attacker then looks for vulnerable ports

and routers in private companies and gets their IP addresses. On finding vulnerable


ports, she hacks into the network to get administrator names and passwords. The

attacker then reprograms the routers to allow them to handle VoIP calls, and to

masquerade the true source of the traffic. The attacker then routes her calls to the

targeted network via the routers she has hacked, and then sends the calls from the

targeted network to Internet phone service providers. She may also attach the access

codes to the calls, so that the Internet phone providers believe they are legitimate

calls. Finally, unauthorized calls will go through successfully and will be completed

over the Internet phone provider networks.

[Figure 5.7 image not reproduced; recoverable labels: actors anAttacker and aCallee; objects :ISP, :VoIPRouter, RemotePBX:, IP-PBX:; messages: Send test call, Get proper prefix, Scan ports, Get PW, route call, setup call, establishes call]

Figure 5.7 Sequence diagram for a Theft of Service attack

Another method of attack is by receiving an application in a spam email, or

accidentally downloaded from the Internet. This application can direct the phone to

call premium rate numbers by installing itself on a softphone (i.e. applications

installed on user systems with speakers and microphones). Finally, the reduction in

costs for Moves, Adds, and Changes (MAC) in an IP Telephony environment has led


to the addition of daemons/services on many vendors IP Telephones. Some of the

more popular services include HTTP, SNMP, and Telnet [Kle03]. Attackers may

take advantage of the benefits of portability and accessibility introduced by VoIP to

perform theft of service. “Hoteling” is one of the most popular features of VoIP; it consists of moving all the features, including address book, access abilities and

personalized speed dial from one phone to another [Kle03]. When using hoteling, the

physical security of the IP phone is no longer enough.

Consequences

The success of this attack implies:

• In order to make expensive calls to premium rate numbers, rogue devices

could be attached to an organization’s network without the user’s knowledge.

• Weaknesses in wireless security policies could also be exploited by rogue

devices.

• Unauthorized phone calls will seem to originate from subscribers inside the

attacked VoIP network.

• Attackers could also steal minutes from VoIP service providers and resell

them on the black market.

• Attackers will be able to register for unauthorized services taking advantage

of the virtual communication paths in IP networks.

• In IP telephony, premium rate numbers will be dialed automatically.


Possible sources of failure include:

• Threats and attacks can be defined and theorized but are difficult to carry out

in practice, mainly due to the lack of knowledge and testing opportunities for

attackers.

Countermeasures and Forensics

The attack can be stopped or mitigated by the following countermeasures:

• Authentication of terminal devices and users to the VoIP system. Use of the

Authenticated Call pattern [Fer07b] coupled with device identification

measures will help prevent unauthorized access.

• The IP-PBX will prevent unknown terminal devices from being configured

protecting the VoIP system from theft of service

• Limited administrative access to IP-PBXs and VoIP gateways

• VoIP call servers should be configured to reduce the opportunity for dial-

through fraud.

• Guard log-on details and install anti-virus solutions to stop malware infecting

IP phones.

• When signaling messages are used to generate billing information, good

user authentication is necessary in order to provide non-repudiation

mechanisms for service providers.


• Repudiation attacks can take place when two parties talk over the phone and later on one party denies that the conversation occurred. This type of attack is not common, and it can be easily mitigated with challenge-response based client authentication. This cryptographic process, which proves the identity of a user logging onto the network, can also ensure that only authorized personnel are able to use the phone system.

Likewise, the following network forensics mechanisms are possible:

• Comparing traffic patterns against predefined thresholds (Threshold-based

analysis) is a method used to compare how much data is sent to the user and

how much [s]he actually pays for it [IEC04]. Such information can be

obtained from primary evidence sources like routers or IDS systems.

• In order to reconstruct and analyze the inappropriate VoIP network usage,

examiners can use data from network traffic collectors.

• Use NFAT tools to monitor call patterns and events to ensure that

vulnerabilities in VoIP are not being exploited and to identify those that are.
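The threshold-based analysis above, comparing what was sent with what was paid for, as an added example that is not part of the dissertation: the Python below joins constructed IP-PBX billing records with constructed collector flow records on the media endpoint, models the expected volume from the declared codec and charged duration, and flags both the service volume fraud described under Solution and media flows that were never billed. Codec rates, packetization time and header overhead are assumptions stated in the code.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple

# Payload bit rates of common codecs; 20 ms packetization gives 50 packets/s, and each
# packet is assumed to carry 40 bytes of IPv4/UDP/RTP headers.
CODEC_BPS = {"PCMU": 64000, "PCMA": 64000, "G722": 64000, "G729": 8000}
PTIME_MS = 20
HEADER_OVERHEAD = 40

Endpoint = Tuple[str, int]   # (media IP, RTP port)


class CDR(NamedTuple):       # constructed billing record from the IP-PBX
    call_id: str
    media: Endpoint          # subscriber's media endpoint declared for the session
    codec: str
    seconds: int             # duration actually charged


class Flow(NamedTuple):      # constructed flow record from a traffic collector
    src: Endpoint
    packets: int
    bytes: int


class Finding(NamedTuple):
    src: Endpoint
    reason: str
    ratio: Optional[float]   # observed/expected bytes, where applicable


def expected_bytes(codec: str, seconds: int) -> int:
    """Bytes on the wire that a call of this codec and charged duration should produce."""
    pps = 1000 / PTIME_MS
    payload_per_packet = CODEC_BPS[codec] / 8 / pps
    return int(seconds * pps * (payload_per_packet + HEADER_OVERHEAD))


def audit(cdrs: List[CDR], flows: List[Flow], tolerance: float = 0.25) -> List[Finding]:
    """Compare what was sent (flows) with what was paid for (CDRs), joined on the endpoint.

    A flow well above its declared codec's volume is the service volume fraud of the
    Solution section; a media flow with no CDR at all points to a rogue or
    unregistered device placing calls outside the billing system.
    """
    billed: Dict[Endpoint, CDR] = {c.media: c for c in cdrs}
    findings: List[Finding] = []
    for f in flows:
        cdr = billed.get(f.src)
        if cdr is None:
            findings.append(Finding(f.src, "unbilled media flow", None))
            continue
        ratio = f.bytes / expected_bytes(cdr.codec, cdr.seconds)
        if ratio > 1 + tolerance:
            findings.append(Finding(f.src, "volume exceeds declared codec", round(ratio, 2)))
    return findings


# Constructed data: c2 declared G.729 but pushed roughly PCMU-sized traffic, and
# 10.10.1.99 sent media without ever appearing in billing.
CDRS = [
    CDR("c1", ("10.10.1.42", 16384), "G729", 120),
    CDR("c2", ("10.10.1.42", 16386), "G729", 60),
    CDR("c3", ("10.10.1.43", 16384), "PCMU", 30),
]
FLOWS = [
    Flow(("10.10.1.42", 16384), 6010, 362_000),
    Flow(("10.10.1.42", 16386), 3050, 1_450_000),
    Flow(("10.10.1.43", 16384), 1495, 299_000),
    Flow(("10.10.1.99", 20000), 2500, 500_000),
]

if __name__ == "__main__":
    for finding in audit(CDRS, FLOWS):
        print(finding)
```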

Known uses

Edwin Andres Pena of Miami, FL, USA hacked into the networks of Internet

telephone providers and fraudulently sold more than 10 million minutes of VoIP calls


in June 2006 [Sea06]. Likewise, a Panamanian telecom lost $110,000 due to

phreakers (i.e. those who use a computer or other device to trick a phone system)

[Sut07].

Related patterns

The Theft of Service in VoIP pattern has direct relationships to the following attack

patterns:

• The Call Hijacking in VoIP pattern which will be presented next.

• The IP Spoofing in VoIP pattern which will be presented in section 5.7.

• The Call Interception pattern which was previously introduced.

5.6 Attack pattern: Call Hijacking in VoIP

Intent

The Call Hijacking attack pattern is intended to direct a participant or participants of a

VoIP call to a terminal device other than the intended recipient. The hacker is able to

trick a remote user into believing [s]he is talking to his/her intended recipient when in

fact [s]he is really talking to the hacker.


Context

Two or more call participants exchanging information (signaling information and the

packetized voice) between them. This call-related information is exposed to a number

of possible attacks when traversing public IP networks such as the Internet.

Problem

A call traversing a converged network needs to be redirected to an unintended

recipient. The attack can be carried out taking advantage of the following

vulnerabilities:

• SIP messages have no built-in means to ensure integrity. SIP does offer

limited built-in security.

• SIP is a technology still in development; it doesn’t provide built-in security

capabilities. This protocol does not support integrity of the message contents.

• Sniffing tools are more effective when using SIP, which is a text-based

protocol.

• Registration in SIP is normally performed using UDP, which makes it easier

to spoof requests. Authentication is often not required and if present, it’s

usually weak [Col05].

• When authentication in SIP is used, it is not strong.

• Failed registrations are not always logged. SIP proxies will not normally

detect directory scanning and registration hijacking attempts [Col05].


• Since the data packets do not flow over a dedicated connection for the

duration of a session, an adversary could manipulate the routing of packets

and cause delay in certain paths forcing the packets to take a path chosen by

the adversary. [DISA04]

• The signaling messages are sent in the clear, which allows an attacker to

collect, modify and replay them as they wish.

• Attackers who successfully perform Call Interception attacks can compromise

wireless networks with improperly configured access points.

Solution

Although VoIP is implemented using various signaling protocols, we consider here an

attack in an SIP environment. The H.323 attack can be considered a variant of this

pattern or a separate pattern. In a SIP environment, a proxy server is used to initiate

calls on behalf of endpoints and control call routing. The proxy server also performs

security functions such as authentication, authorization and network access control.

Figure 5.8 shows the components for a SIP-based network. User Agents (UAs), are

combinations of User Agent Clients (UAC) and User Agent Servers (UAS). The UA

is the phone, and the register server receives registrations and requests updates of the location server, which keeps track of the UAs. A UAC is responsible for initiating a

call by sending a URL-addressed INVITE to the intended recipient. A UAS receives

requests and sends back responses. The UAC and UAS are identified by SIP

addresses. The proxy server is connected to a VoIP gateway (to make possible a call


from a regular telephone to an IP phone) and to other proxy servers. The registrar and

location server may be integrated in the proxy server. The rest of the VoIP

architecture is similar to Figure 5.1 and represented by a UML package. Once the call

has been established, the RTP media streams flow between the end stations directly.

[Figure 5.8 image not reproduced; recoverable labels: Layer 2 switch, SIP server (signaling), Proxy, Gateway, Location server, Redirect, Register server, User Agent, Rest of Fig. 5.1; association: connect *]

Figure 5.8 Class diagram for a SIP architecture

Call Hijacking in VoIP requires breaking into a converged network and intercepting

packets being sent between two or more subscribers participating in a voice call

conversation (please refer to Call Interception attack pattern). After the IP address or

phone number of either party is discovered, malicious users can use this information

to hijack the call.

This attack is achieved by impersonating a legitimate UA to a SIP registrar, substituting a legitimate IP address with an attacker IP address. The attacker then manipulates the registration associated with the victim's SIP URI [Mih06]. In this way, by manipulating outgoing call requests, the attacker is able to substitute a legitimate IP address (of either party) in the header (e.g. the "From" header of a SIP request) of the intercepted packet with her own address.

The hijacking attack can also be done by performing a DoS attack against the user's device, de-registering the user, and generating a registration race condition in which the attacker repeatedly sends REGISTER requests in a shorter timeframe (such as every 15 seconds) in order to override the legitimate user's registration request [The04].

The class diagram of Figure 5.9 shows the structure for a VoIP Call Hijacking attack in a SIP architecture. The sequence diagram of Figure 5.10 shows the sequence of steps necessary to perform this type of attack. The hijack begins with the attacker sending a specially crafted REGISTER request to the target proxy/registrar, to unbind all existing registrations. If the server requires authentication, it replies to the REGISTER requests with a challenge. Once all legitimate contacts have been deleted, the attacker sends a second REGISTER message containing a new Contact header line with the attacker's address [Col05].

Registration hijacking can also be performed by intercepting and editing REGISTER requests sent between a valid UA and registrar. This attack is possible, but is less of a concern than the attack described above [Col05]. Likewise, the attacker can spoof a SIP response, indicating to the caller that the called party has moved to a rogue SIP address, and hijack the call.

Figure 5.9 Class diagram for a VoIP Call Hijacking attack (figure not reproduced; classes shown: Layer 2 switch, SIP server (signaling), Proxy, Gateway to PSTN, Redirect server, Register server, Location server, User Agent and Attacker, with the attacker's attack/interact associations and a package for the rest of Fig. 5.1).

Figure 5.10 Sequence diagram for Call Hijacking attack in SIP (figure not reproduced; participants: SIP-UA1, ProxyServer1, Attacker, ProxyServer2 and SIP-UA2, exchanging the INVITE, OK and ACK messages of the hijacked call).

Consequences

The success of this attack implies:

• This attack causes all the victim’s calls to be received by the attacker or other

unauthorized parties. Call hijacking can result in violation of confidentiality to

the legitimate endpoint.

• By performing call hijack in VoIP, an attacker has complete control (i.e.

manipulating, blocking, conferencing, recording) of the call and has access to

all SIP messages.

• The attacker’s station can also capture authentication or other call related

information. Likewise it can masquerade as a voice mail system opening a

channel to the attacker.

• By hijacking the call, the attacker can also perform a Man-In-The-Middle

(MITM) attack, where it transparently sits between the calling and called

UAs, able to collect and modify both the signaling and media. Another type of

MITM attack involves redirection of an inbound call to a media gateway, generating toll fraud [Col05].

• This attack can be successful even if the remote SIP proxy server requires

authentication of user registration, because the SIP messages are transmitted

in the clear and can be captured, modified and replayed.

• Through call hijacking, the attacker can perform various attacks including

theft of service in VoIP or message tampering. It will also enhance the DoS

vulnerability which will make the user’s device useless.

• When this attack is applied to a VoIP network, the Quality of Service (QoS) may be diminished to a noticeable level [DISA04].

Possible sources of failure include:

• Successful attacks require that the fake responses coming from the attacker station contain the right header content to be accepted as legitimate. Some fields are especially hard to estimate or intercept and thus mirror [Mih06].

Countermeasures and Forensics

The attack can be stopped or mitigated by the following countermeasures:

• Strong authentication mechanisms for the registration process in SIP reduce the opportunities for call hijacking.

• Use the encryption pattern.

• The implementation of Transport Layer Security (TLS) in the Session Initiation Protocol (SIP), known as SIPS [Gur06], allows SIP messages to be sent over an encrypted TLS channel. SIPS also provides strong authentication between your SIP components.

• Use implementations that support TCP/IP for signaling to prevent spoofing related attacks.

• The VoIP system can be secured by using implementations that support TCP/IP for signaling, making it more difficult for an attacker to spoof SIP messages [Col05].

• Use of Authenticated Call pattern [Fer07b] coupled with device identification

measures will help prevent unauthorized access.

• Use the VoIP Tunneling pattern [Fer07b] which provides a way of

guaranteeing the confidentiality and integrity of calls in IP telephony by the

encapsulation of data from one protocol into the protocol stream of another.

• Use strong authentication for softphones in order to prevent a rogue

application from attacking the voice network.

Likewise, the following network forensics mechanisms are possible:

• Logs in the terminal devices not only provide call details (e.g. start/end times

and dates of each call) but they can also log all SIP request messages.

• Likewise the examination of SIP server logs will detect and alert upon any

failed authentication attempts; specifically upon any attempts to use

dictionaries to guess passwords.

• Comparing traffic patterns against predefined thresholds (as done by some

IDS) is an effective method of detecting call hijacking attacks. Such a method

can produce an alert upon any unusual pattern of SIP requests.
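As an added example that is not part of the dissertation, the following Python script applies the threshold idea above to constructed registrar log lines, flagging the three patterns described in the Solution section: a wildcard de-registration sent from a host other than the bound one, a Contact binding that moves to a new host, and the 15-second REGISTER race. The log format, the window of four REGISTERs in 60 seconds and the alert names are assumptions.

```python
"""Detector for SIP registration-hijacking patterns in registrar log lines.

Added example, not from the dissertation. The one-REGISTER-per-line
key=value log format, the 60-second race window and the alert names are
assumptions; a real registrar (Kamailio, Asterisk, ...) logs differently.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice's binding is wiped by a wildcard de-registration
# from a foreign host and rebound there; bob is hit by a REGISTER sent every
# 15 seconds from another host; carol re-registers normally.
SAMPLE_LOG = """\
2007-08-01T10:00:00 REGISTER aor=sip:alice@example.com contact=sip:alice@192.0.2.10 src=192.0.2.10 expires=3600
2007-08-01T10:05:00 REGISTER aor=sip:alice@example.com contact=* src=198.51.100.7 expires=0
2007-08-01T10:05:01 REGISTER aor=sip:alice@example.com contact=sip:alice@198.51.100.7 src=198.51.100.7 expires=3600
2007-08-01T10:10:00 REGISTER aor=sip:bob@example.com contact=sip:bob@192.0.2.11 src=192.0.2.11 expires=3600
2007-08-01T10:10:15 REGISTER aor=sip:bob@example.com contact=sip:bob@198.51.100.7 src=198.51.100.7 expires=3600
2007-08-01T10:10:30 REGISTER aor=sip:bob@example.com contact=sip:bob@198.51.100.7 src=198.51.100.7 expires=3600
2007-08-01T10:10:45 REGISTER aor=sip:bob@example.com contact=sip:bob@198.51.100.7 src=198.51.100.7 expires=3600
2007-08-01T10:11:00 REGISTER aor=sip:bob@example.com contact=sip:bob@198.51.100.7 src=198.51.100.7 expires=3600
2007-08-01T11:00:00 REGISTER aor=sip:carol@example.com contact=sip:carol@192.0.2.12 src=192.0.2.12 expires=3600
2007-08-01T11:30:00 REGISTER aor=sip:carol@example.com contact=sip:carol@192.0.2.12 src=192.0.2.12 expires=3600
"""


def parse_line(line):
    """Turn '<iso-time> <method> k=v k=v ...' into a dict."""
    ts, method, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "method": method}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["expires"] = int(rec.get("expires", "3600"))
    return rec


def host_of(uri):
    """Host part of a SIP URI such as sip:alice@192.0.2.10."""
    return uri.rsplit("@", 1)[-1]


def detect(log_text, race_count=4, race_window=timedelta(seconds=60)):
    """Return (alert, aor, detail) tuples in the order they fire."""
    alerts = []
    bound = {}      # aor -> host of the current Contact binding
    last_host = {}  # aor -> host of the most recent binding, kept after unbind
    recent = defaultdict(deque)  # aor -> REGISTER timestamps inside the window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["method"] != "REGISTER":
            continue
        aor, src, ts = rec["aor"], rec["src"], rec["ts"]
        if rec["expires"] == 0:
            # De-registration (Contact: * unbinds every contact). Legitimate
            # phones de-register from the host they are bound to.
            if aor in bound and src != bound[aor]:
                alerts.append(("UNBIND_FROM_FOREIGN_HOST", aor, src))
            bound.pop(aor, None)
        else:
            new_host = host_of(rec["contact"])
            if aor in bound and new_host != bound[aor]:
                alerts.append(("CONTACT_MOVED", aor, f"{bound[aor]}->{new_host}"))
            elif aor not in bound and aor in last_host and new_host != last_host[aor]:
                alerts.append(("REBIND_TO_NEW_HOST", aor, f"{last_host[aor]}->{new_host}"))
            bound[aor] = new_host
            last_host[aor] = new_host
        # Registration race: too many REGISTERs for one AOR in a short window
        window = recent[aor]
        window.append(ts)
        while ts - window[0] > race_window:
            window.popleft()
        if len(window) == race_count:
            alerts.append(("REGISTER_RACE", aor, src))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```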

Where to look for evidence

Based on Figure 5.8, the following may be considered secondary sources of forensic

information in a VoIP environment: endpoint devices (i.e. softphones, hardphones

and wireless VoIP phones), proxies and register servers.

Related Patterns

Several security patterns for defending against these (and related) attacks are listed in [Anw06] and [Fer07b]. Some general security patterns such as firewalls [Schu06], IDS [Fer05], and authentication [Schu06] can be used to control these attacks as discussed earlier. An attack pattern can be developed to describe similar attacks on H.323 networks.

Known uses

A VoIP Call hijacking attack was perpetrated against a U.S. company called Sunbelt Software. An attacker gained access to their VoIP application system through its remote access features. In consequence, the company found itself facing an expensive phone bill showing long-distance calls to all over the Middle East [Hen03].

5.7 Attack pattern: IP Spoofing in VoIP

Intent

The VoIP Spoofing pattern is intended to allow hackers (internal or external) to masquerade as a legitimate terminal device.

Context

Two or more subscribers are participating in a voice call conversation over a VoIP

channel that may be intercepted. In public IP networks such as the Internet, anyone

can capture the packets meant for another user.

Problem

An attacker needs to trick a remote user into believing [s]he is talking to his/her

intended recipient when in fact they are really talking to the hacker. The attack can be

carried out taking advantage of the following vulnerabilities:

• VoIP devices such as IP phones, Gatekeepers, Gateways, and Proxy servers

inherit the same vulnerabilities of the operating system or firmware [Shi06] on

top of which they run.

• Many SIP implementations still use the User Datagram Protocol (UDP) for transporting SIP messages, which is an unreliable form of packet transfer. UDP does not use re-transmissions or sequence numbers, so it is easier for an attacker to spoof UDP packets [Col05].

• Attackers may take advantage of the connectionless nature of the UDP protocol to spoof registration requests.

Solution

IP spoofing gives attackers the ability to generate an IP packet with an IP source

address other than its own. There are two methods of doing this. The hacker can use

either an IP address that is within the range of trusted IP addresses for a network or an

authorized external trusted IP address that has access to specified resources on a

network.

With user identification based on the IP layer and the IP layer easily tampered with, it is

easy for unauthorized users to impersonate legitimate ones by marking packets sent over

these networks with a “borrowed” IP address. These abuses of services and benefits (e.g.

making international calls) occur at the expense of legitimate users, who are often

completely unsuspecting until the bill arrives—long after the abuser has disappeared

[IEC04].

IP spoofing is possible because the routing of VoIP packets is based only on the

destination address. Due to the fact that the routing mechanism is not based on source

addresses, when the packet is delivered to its destination address, the attacker address

is that of the source and not of the original sender.

An IP Softphone can spoof the functionality and appearance of an IP hardphone to the call processing platform. Using tools such as SMAC (Spoof MAC), which allows users to change the MAC address of almost any Network Interface Card (NIC) on Windows 2000 and XP systems, the IP Softphone can be configured quite easily to assume the full functionality and rights of any extension given only the MAC address of that extension [Kle03].

Some voice mail systems use Caller ID to authenticate administrative access to

individual voice mail accounts. If the Caller ID of an inbound call matches the

number assigned to the telephone associated with the voice mailbox, the system

assumes that the call is originating from that phone, and the call is routed to the voice

mailbox with administrative privileges. Caller ID can be readily spoofed using freely

available PBX software and a H.323/VoIP gateway service, and possibly via other

methods. Caller ID should not be trusted for authentication [Man07].

Consequences

The success of this attack implies:

• Attackers can hide their identity for launching DoS attacks. Call hijacking and

theft of service can also be accomplished using IP spoofing.

• When using this attack pattern, malicious users can bypass authentication and

filtering in order to cause information leak, data modification, and arbitrary

code execution.

• Without spoof mitigation filters a hacker might be able to spoof the address of the IP-PBX and UDP flood the entire voice segment [IEC04].

• Attackers will obtain access to sensitive logging data and routing information from subscribers, even if they are not capable of intercepting VoIP calls.

• IP spoofing attacks against VoIPoW networks make other types of attacks possible. An attacker can establish itself as a routing node and perform call interception, for example.

• By using IP spoofing, attackers can take advantage of trust relationships based on the caller IP address.

• IP spoofing can also be used to gain important VoIP logging information in order to modify a call session.

• When spoofing weakly authenticated voicemail systems, attackers can listen to and delete messages, modify the greeting, and perform other administrative functions [Man07].

Possible sources of failure include:

• The Transmission Control Protocol (TCP) is a connection-oriented,

guaranteed-delivery transport. TCP is more secure than UDP, because it

involves a negotiated setup and tear down, sequence numbers, and

retransmissions for lost packets [Col05].

• Successful attacks require that the forged responses coming from the attacker machines contain the right header content to be accepted as legitimate. Some header fields are especially hard to estimate or intercept and thus mirror [Mih06].

Countermeasures and Forensics

The attack can be stopped or mitigated by the following countermeasures:

• The VoIP system can be secured by using implementations that support

TCP/IP for signaling, making it more difficult for an attacker to spoof SIP

messages [Col05].

• It can also be greatly improved by using a security standard, such as the Transport Layer Security (TLS), to provide strong authentication and encryption between your SIP components [Col05].

• Authentication of end-points and users to the VoIP system

• Use of Authenticated Call pattern [Pel04] coupled with device identification

measures will help prevent unauthorized access.

• Use the Network Segmentation pattern [Pel04] which performs separation of

the voice and data services to counter possible attacks against the voice

VLAN by an attacker in the data VLAN. Using network segmentation, an

attack aimed at the data network (i.e. against softphones) won’t impact critical

voice traffic and vice versa.

• Use the VoIP Tunneling pattern [Pel04] which provides a way of

guaranteeing the confidentiality and integrity of calls in IP telephony by the

encapsulation of data from one protocol into the protocol stream of another.

• It is necessary to secure all VoIP components (including IP-PBXs and

routers).

• In order to prevent a rogue application from attacking the voice VLAN,

softphones must use strong authentication.

• All solutions require some kind of trust relationship (i.e. shared secrets or certificate authorities) [Nic06].

• Identity management is also an important piece of the security framework in SIP [Nic06].

• Routers can be programmed to discard any outbound packets whose source IP

address does not belong to the router’s client networks. Likewise, inbound or

“ingress” filtering of any IP packets with un-trusted source addresses, before

they have a chance to enter the network, can also be effective [Vat02].
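The egress and ingress rules in the last bullet, as an added example rather than the dissertation's own code: a Python model of the filter decision, run over constructed traffic that includes the spoofed IP-PBX UDP burst from the Consequences section. The client prefixes, the bogon list and the packets are assumed sample values.

```python
"""Ingress/egress source-address filtering against IP spoofing.

Added example, not the dissertation's code. It models the two router rules
in the countermeasures: drop outbound packets whose source is not one of the
router's client networks (egress), and drop inbound packets from the
untrusted side that claim an internal or otherwise non-routable source
(ingress). Every prefix and packet below is a constructed sample value.
"""
import ipaddress
from collections import Counter

# Constructed client networks behind the router.
CLIENT_NETWORKS = [ipaddress.ip_network("10.1.0.0/24"),   # data VLAN
                   ipaddress.ip_network("10.2.0.0/24")]   # voice VLAN
IP_PBX = "10.2.0.5"  # constructed address of the IP-PBX on the voice VLAN

# Prefixes that must never be a source address on the untrusted interface.
BOGON_NETWORKS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def in_any(addr, networks):
    address = ipaddress.ip_address(addr)
    return any(address in net for net in networks)


def filter_packet(direction, src):
    """Decide one packet from its direction and source address.

    direction is 'out' (leaving the client networks) or 'in' (arriving from
    the untrusted side). Returns (verdict, reason)."""
    if direction == "out":
        if not in_any(src, CLIENT_NETWORKS):
            return "drop", "egress: source not in client networks"
        return "accept", "egress: source belongs to a client network"
    if direction == "in":
        if in_any(src, CLIENT_NETWORKS):
            return "drop", "ingress: external packet claims internal source"
        if in_any(src, BOGON_NETWORKS):
            return "drop", "ingress: non-routable source"
        return "accept", "ingress: routable external source"
    raise ValueError(f"unknown direction {direction!r}")


def apply_policy(packets):
    """Run (direction, src, dst, proto, dport) packets through the filter.

    Returns (accepted, dropped, drop_counts_by_reason)."""
    accepted, dropped, reasons = [], [], Counter()
    for pkt in packets:
        verdict, reason = filter_packet(pkt[0], pkt[1])
        if verdict == "accept":
            accepted.append(pkt)
        else:
            dropped.append(pkt)
            reasons[reason] += 1
    return accepted, dropped, reasons


# Constructed traffic: legitimate SIP signaling both ways, an outbound packet
# with a "borrowed" external source, an RFC 1918 source arriving from outside,
# and an inbound UDP burst that spoofs the IP-PBX toward the voice VLAN.
SAMPLE_PACKETS = [
    ("out", "10.1.0.10", "203.0.113.50", "udp", 5060),     # softphone -> remote proxy
    ("in", "203.0.113.50", "10.1.0.10", "udp", 5060),      # reply from remote proxy
    ("out", "203.0.113.77", "203.0.113.50", "udp", 5060),  # borrowed external source
    ("in", "192.168.1.1", IP_PBX, "udp", 5060),            # private source from outside
] + [("in", IP_PBX, f"10.2.0.{n}", "udp", 5060) for n in range(20, 24)]

if __name__ == "__main__":
    accepted, dropped, reasons = apply_policy(SAMPLE_PACKETS)
    print(f"accepted={len(accepted)} dropped={len(dropped)}")
    for reason, count in reasons.items():
        print(f"  {count:2d} x {reason}")
```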

Likewise, the following network forensics mechanisms are possible:

• Network analysis procedures such as the examination of router logs (e.g.

directory scanning attempts, denied connection attempts) and firewall logs,

provide information about the location (i.e. where the attack entered the

network) and the way that attackers performed their exploits.

• In VoIP, the attack pattern technique may be complemented with the use of a

network forensics analysis tool (NFAT) to offer a better view (interpretation)

of the collected voice packets.

Related Patterns

The IP Spoofing pattern is related to (i.e. can be used for) other attack patterns such as Call Hijacking, Masquerading and Theft of Service in VoIP, which were previously introduced.

Known uses

K.C. Hatcher, a San Francisco graphic artist is among the victims of IP spoofing. She

was billed $12,000 dollars for calls that both she and AT&T agree she didn’t make.

The attack was carried out on her business line on New Year’s Eve 2003 [Del03].

5.8 Summary and Discussion

Attack patterns will guide forensic examiners in the process of searching for

evidence. They could also serve as a structured method for obtaining and representing

relevant network forensics information. Analysts often face a major challenge in

determining which data should be collected. In some situations, collecting the

necessary data might involve identifying all components of the application, deciding

which were most likely to be of interest (based on the details of the situation and the

need), finding the location of each component, and collecting data from those

components [Ken06].

Attack patterns are particularly useful in cases where criminals break into a VoIP

network segment that is not monitored by network security devices. Therefore,

investigators should look for evidence in other network components (e.g. terminal

devices) considered as secondary data sources. An attack pattern is also an important

technique that helps examiners to ensure that they have considered all possible

contexts and evidence sources by using the proposed template.

A good part of the value of the proposed approach comes from the fact that the attack,

described dynamically in a sequence diagram, makes direct reference to the

components of the system, described in turn by the class diagram. The sequence

diagram uses objects from classes in the class diagram and we can then relate

messages to the components where they are sent (classes represent the components of

the system). The parameters in these messages are data that can be found in the

corresponding component. In other words, the combination of sequence and class

diagrams tells us where to look and what information we can find after some attack.

Other approaches to describe attacks and their effects include attack or fault trees [Lev94]. A fault tree analysis indicates, using AND/OR nodes, the conditions for a system to fail. An attack tree specializes this idea by looking for conditions for an attack to succeed. Attack trees can also assign probabilities of occurrence for each condition or event. The problem with fault/attack trees is that they are not associated to specific places in the network and do not indicate a time sequence for the steps; therefore, it is hard to trace the attack through them. The supposed formality lent by event probabilities is fictitious because these probabilities are very hard to estimate and require a detailed description of a given system, which makes them not practical for generic analyses or for systems not yet built. Attack trees are mostly useful to determine attack risk or cost values. Another tool is an attack net, which is a Petri net where places represent attack steps and transitions indicate events that activate steps [McD00]. Attack nets have been combined with a web-based system to collect expert knowledge about attacks [Ste02]. Attack nets represent well the dynamics of the attacks but they still have no relation to the system components and their value for forensics is not clear. A product, "Analyst's Notebook", can be used to trace the propagation of attacks along computer networks [Case06]. However, it works at the hardware element level and cannot abstract similar types of components, which leads to a proliferation of units to consider. The name 'attack patterns' was also used in [Hog04] and their intention is close to ours. Their attack patterns are descriptions of some step in a generic attack, e.g., string format overflow in syslog(). In addition to applying to only one step, they do not provide a systematic discussion of each pattern and don't consider forensic aspects. Moore et al. [Moo01] also talk of attack patterns. Their patterns describe the goal of the pattern, its steps, preconditions, and post conditions. Again, their patterns are similar to one step in our patterns, e.g., "Unexpected operator". [Anw06] provided a systematic listing of problems caused by attacks leading to specific solutions to avoid them.

What they propose are really security patterns (in fact, they call them design patterns); they don't try to relate the attack to the components of the network and don't consider forensic aspects. While useful for some types of analyses, none of the related concepts described above performs the functions that can be provided by our approach. We consider the context or environment as part of the pattern; a pattern for VoIP using the SIP protocol or using a fixed network would be a different pattern.

This is because we want to relate specific events or data with specific parts of the network. Preconditions for an attack would be part of the context. Because of the association with system components we think that our approach is useful to define where defenses are needed and where to look for evidence of attacks. Developers are familiar with patterns and using this type of pattern should be easy for them when looking for ways to correct the security of the system. The fact that each pattern corresponds to a specific attack would make it easy to select which security pattern to use once the possible attacks on the system are determined using a method such as [Fer06b] or similar. Their value for forensics comes from having an indication of where to look for attack data, which components of the network may be more useful to find evidence, and which parts of the network should have additional capabilities to collect forensic data. The systematic structure provided by the template is useful to organize information and compare the effects of different attacks. Some of the methods described in this section can be complementary and it is worthwhile to look for possible combinations.

Chapter 6

VoIP Network Forensic Patterns

6.1 Introduction

In this chapter we propose a new type of pattern, the Forensic pattern. We introduce it in terms of Voice over IP (VoIP) networks, and it represents a systematic approach to network forensic collection and analysis of data. In conducting network forensics investigations in a VoIP environment, the collection of voice packets in real time and the use of automatic mechanisms are fundamental. We expect that forensic patterns will enable a faster response and more structured investigations of network attacks.

Attacks on some VoIP applications such as VoIP in Tactical Internet require real-time

evaluation and analysis, in contrast to the traditional method used in law enforcement,

in which the victim’s device is taken off-line after an attack has occurred. Forensic

Patterns provide an abstract view of forensic information to network investigators.

Forensic patterns would also be useful for training apprentice forensics technicians

about common investigative techniques and tools.

In chapter four we introduced several security patterns, and Figure 6.1 shows the relationships between our forensic patterns and existing security patterns. The patterns presented here are indicated with a double line and those under development with a dashed line. The first set of Network Evidence forensic patterns provides abstract methods for collection and analysis of evidence; on the other hand, Tactical Evidence patterns are intended for military use (i.e. Tactical Internet). These forensic patterns will also be applicable to law enforcement, and to some degree the relevant industry. The collection of all these patterns can be used to build a VoIP network forensic model.

Figure 6.1 Relationship between VoIP patterns (figure not reproduced; it groups Security Patterns (Secure VoIP call, message secrecy, VoIP Tunneling), Forensic Patterns (Network Evidence Collector and Analyzer, VoIP Evidence Collector and Analyzer, and the Tactical Evidence Collector and Analyzer under development) and Attack Patterns, joined by implements relationships).

6.2 VoIP Evidence Collector

The VoIP Evidence Collector pattern defines a structure and process to collect attack packets on the basis of adaptively setting filtering rules for real-time collection. The collected forensic data is sent to a network forensics analyzer for further analysis. This data is used to discover and reconstruct attacking behaviors.

Context

We are considering a VoIP environment, where the monitored network should not be

aware of the collection process. We assume that evidence is being preserved securely.

We also assume a high-speed network with an authentication mechanism and secure

transport channel between forensic components.

Problem

How to efficiently collect digital attack evidence in real-time from a variety of VoIP

components and networks?

The solution to this problem is affected by the following forces:

• General security mechanisms, such as firewalls and Intrusion Detection Systems (IDS), cannot detect or prevent all attacks. They are unable to stop/detect unknown attacks, internal attacks, and attacks that come in the body of the messages (at a higher level). We need to analyze how an attack happened so we can try to stop it in the future.

• A real-time application, like VoIP, requires an automated collection of forensic data in order to provide data reduction and correlation. Current techniques dealing with evidence collection in converged networks are based on post-mortem (dead forensic) analysis. A potential source of valuable evidence (instant evidence) may be lost when using this type of forensics approach.

• Even though there are a number of best practices in forensic science, there are no universal processes used to collect or analyze digital information. We need some systematic structure.

• The amount of effort required to collect information from different data sources is considerable. In a VoIP environment we need automated methods to filter through huge volumes of collected data and extract and identify data of particular interest.

• The large amount of redundancy in raw alerts makes it difficult to analyze the underlying attacks efficiently [Wan05].

• Since internet telephony uses IP, a considerable percentage of attacks are performed by exploiting IP networks, and a significant amount of evidential data comes from the network [Bru05]. We need to find better ways to collect this data.

• There is a need for forensic methods with shorter response times, because the large volume of irrelevant information and increasingly complex attack strategies make manual analysis impossible in a timely manner [Wan05].

• The waiving of checks in some traffic may result in missing traces or evidence. Data preservation and integrity are needed.

Solution

Collect details about the attacker’s activities against VoIP components (e.g.

gatekeeper) and the voice packets on the VoIP network, and send them to a forensic

server. A forensic server is a mechanism that combines, analyzes and stores the

collected evidence data in its database for real-time response.

A common way of collecting data is to use sensors with examination capabilities for evidence collection. In VoIP forensic investigations, these devices will be deployed in the converged environment, reducing human intervention. We will call these sensors "Network Evidence collectors." These hardware devices are attached in front of the target servers (e.g. Call server) or sensitive VoIP components, in order to capture all voice packets entering or leaving the system. These sensors are also used by the Intrusion Detection System (IDS) to monitor the VoIP network. Examiners can also use packet sniffers and NFAT tools (see sections 5.3.1 and 5.3.3) to capture and decode VoIP network traffic.

When the IDS detects any attempt to illegally use the call server or a known attack against VoIP components, it sends alarms to the forensic server, which in turn makes the Evidence Collector start collecting forensic data.

The Evidence Collector then collects and combines the forensic information from

several information sources in the network under investigation. It will also filter out

certain types of evidence to reduce redundancy.

Structure

Figure 6.2 shows the UML class diagram of the evidence collector (modified from [Ren05]). The Evidence Collector is attached to hosts (e.g. Call server) where we need to collect evidence in a VoIP network. Forensic data is collected using embedded sensors attached to key VoIP components or NFAT tools. VoIP components that are monitored can provide forensics information once an attack occurs. The Evidence collector should be designed to extract forensic data and securely transport it (i.e. hash and encrypt) to the forensic server using a VoIP secure channel [Fer07b]. The forensic server combines the logs collected from the target servers and the VoIP network, and stores them in its database to allow queries via command user interfaces. The network forensics server also controls the Evidence Collectors.

Figure 6.2 Evidence Collector Class Diagram (figure not reproduced; classes shown: VoIP Network, Call Server, Forensic components, Embedded Sensor, Network Traffic, Evidence Collector, Filter, NFAT, Forensic Server and IDS, with the collect, send data, monitor real traffic and send alarm associations).

The evidence data collected from VoIP key components includes the IDS log files, system log files and other forensic files. Other sensitive files may include the system configuration files and temp files. When attached to a terminal device, the Evidence Collector captures the network traffic to record the whole procedure of the intrusion and can be used to reconstruct the intrusion behavior [Ren05]. The evidence collector is also able to filter out certain types of evidence to reduce redundancy.

Implementation

After collecting the desired forensic data, the evidence collectors will send two types of data to the network forensics server depending on the function performed. If the sensor is attached to a key VoIP component, it will collect logging system and audit data; otherwise (i.e. attached to a terminal device) it will act as a packet sniffer (with the Network Interface Card (NIC) set to promiscuous mode) or NFAT tool extracting raw network traffic data (e.g. entire frames including the payloads are captured with tcpdump). This data is used to discover and reconstruct attacking behaviors.

As mentioned before, after each attack against the VoIP network, the forensic data

collected from key components may include logging data. The following data may

also be included:

• VoIP System information
  o Registry
  o Logs
  o Configuration data
  o Raw packets (entire frames including the payloads are captured with tcpdump)
  o DNS reverse lookups

• VoIP telephones
  o Numbers called
  o Incoming calls
  o Start/end times and duration
  o Voice mail access numbers
  o Debit/credit card numbers
  o Email addresses
  o Call forwarding numbers
  o Incoming/outgoing messages
  o Access codes for voice mail systems
  o Contact lists

• Dual/Smart Phones
  o Above, plus contacts, maps, pictures, passwords, documents, ...
  o IP geographical localization


Likewise, information that characterizes the attacking source may also be collected. This includes its IP address, the date it has been observed, and the domain and geographical location associated with this address [Che05].

In order to remain efficient when capturing network traffic, we select the data to save, such as source and destination addresses and ports, protocol type, etc. The evidence collector can then extract all or selected voice packets (i.e. incoming or outgoing)

over the VoIP network by applying a filter. The database on the forensics server will

store the data sent by evidence collectors in order to perform the corresponding

forensics analysis. We can use network segmentation techniques [Fer07b] to monitor

the voice VLAN traffic independently from data VLAN traffic although the two share

the same converged network.
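The selection and integrity steps just described, as an added example in Python (not code from the dissertation): packets are kept by monitored host, direction and protocol, and the selected records are hashed so the forensic server can verify what it receives. The sample capture, addresses and collector name are constructed; encryption of the channel is assumed and not implemented here.

```python
"""Evidence Collector filtering and integrity step (added example, not from the dissertation)."""
import hashlib
import json
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class PacketRecord:
    """Header fields kept per captured packet; payloads would be stored separately."""
    ts: float     # capture time, seconds since the epoch
    src: str      # source IP address
    dst: str      # destination IP address
    sport: int    # source port
    dport: int    # destination port
    proto: str    # transport protocol, "UDP" or "TCP"


# Constructed sample capture (not a real trace): SIP signaling between a phone and the
# call server, a two-way RTP media stream between two phones, and unrelated data-VLAN traffic.
CALL_SERVER = "10.0.1.5"
SAMPLE_CAPTURE = [
    PacketRecord(1000.0, "10.0.1.20", CALL_SERVER, 5060, 5060, "UDP"),    # phone -> call server
    PacketRecord(1000.2, CALL_SERVER, "10.0.1.20", 5060, 5060, "UDP"),    # call server -> phone
    PacketRecord(1001.0, "10.0.1.20", "10.0.1.21", 16384, 16384, "UDP"),  # RTP, phone A -> phone B
    PacketRecord(1001.0, "10.0.1.21", "10.0.1.20", 16384, 16384, "UDP"),  # RTP, phone B -> phone A
    PacketRecord(1002.0, "10.0.2.30", "192.0.2.80", 51000, 443, "TCP"),   # data VLAN, not voice
]


def select_packets(records, hosts, direction="both", protos=None):
    """Keep only packets touching the monitored hosts.

    direction: "incoming" keeps packets sent to a monitored host, "outgoing" keeps
    packets sent from one, "both" keeps either. protos optionally restricts the
    transport protocol (e.g. {"UDP"} for voice signaling and media).
    """
    selected = []
    for r in records:
        if protos is not None and r.proto not in protos:
            continue
        incoming = r.dst in hosts
        outgoing = r.src in hosts
        if (direction == "incoming" and incoming) or \
           (direction == "outgoing" and outgoing) or \
           (direction == "both" and (incoming or outgoing)):
            selected.append(r)
    return selected


def _record_digest(rec):
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    canonical = json.dumps(rec, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _manifest_digest(collector_id, digests):
    # Binds the per-record digests to the collector that produced them.
    return hashlib.sha256("\n".join([collector_id, *digests]).encode()).hexdigest()


def package_evidence(records, collector_id):
    """Bundle selected records with per-record and overall SHA-256 digests.

    The bundle is what the collector hands to the secure transport channel;
    encryption of that channel is assumed and not implemented here.
    """
    recs = [asdict(r) for r in records]
    digests = [_record_digest(r) for r in recs]
    return {
        "collector": collector_id,
        "count": len(recs),
        "records": recs,
        "digests": digests,
        "manifest": _manifest_digest(collector_id, digests),
    }


def verify_evidence(package):
    """Forensic-server side check: recompute every digest and compare with the bundle."""
    recs = package["records"]
    if len(recs) != package["count"] or len(recs) != len(package["digests"]):
        return False
    digests = [_record_digest(r) for r in recs]
    if digests != package["digests"]:
        return False
    return _manifest_digest(package["collector"], digests) == package["manifest"]


if __name__ == "__main__":
    voice = select_packets(SAMPLE_CAPTURE, hosts={CALL_SERVER})
    bundle = package_evidence(voice, "collector-01")
    print(len(voice), "packets selected; bundle verifies:", verify_evidence(bundle))
```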

Dynamics

The sequence diagram of Figure 6.3 shows the sequence of steps necessary to perform

evidence collection in VoIP. In this scenario, as soon as an attack is detected against

the call server (i.e. gatekeeper) by the IDS, the evidence collector starts capturing all

activities of the possible attackers. The Evidence collector will then send the collected

data to the forensic server using a secure VoIP channel. Additionally, the collected

forensic data is filtered and stored in the system database.


Figure 6.3 Sequence diagram for evidence collection in VoIP (participants: anAttacker, :CallServer, IDS «actor», :EvidenceCollector, :ForensicServer; messages: monitor(), attack(), detect(), transmit(), filter())

Consequences

The advantages of this pattern include:

• The use of automated forensic tools required in this pattern will reduce the

investigation time in VoIP incidents.

• Important logging information such as IP and MAC addresses can be

collected using this approach.

• The approach should be helpful to network investigators in identifying and

understanding the mechanisms needed to collect real-time evidence in

converged systems.


• The VoIP Evidence Collector pattern will also enable the rapid development

and documentation of methods for preventing future attacks against VoIP

networks.

• It’s possible to investigate alleged voice calls using the evidence collector

since voice travels in packets over the data network.

• For efficiency, the evidence collector can be set up to selectively capture network packet streams over particular servers such as call, database and web servers. The network forensics server can control the filter rules on the collector.

• On the other hand, based on the source/destination information, the evidence

collector can filter the packets of a particular phone conversation.

• When encryption is present, the evidence collector can capture the headers

and contents of packets separately.

• The evidence collector pattern could provide data reduction if the size of the

extracted files becomes very large.

The disadvantage of this approach concerns the scalability and efficiency of traffic monitoring and recording. In large-volume traffic environments, there is a tradeoff between the monitored traffic and the available disk space [Ren05].


Known uses

QRadar is a module designed by Q1 labs to offer security monitoring for Voice over

IP (VoIP) networks. This product combines network behavior analysis and security

event correlation for monitoring across the network protocol, application, and security

services layers of a VoIP network [Hic07].

Related patterns

The VoIP Evidence Collector pattern has direct relationships to the VoIP Evidence

Analyzer pattern which will be presented next and to the Secure VoIP Call pattern

presented in section 4.4.4. This pattern is based on ideas of Ren and Jin [Ren05], who

developed a model based on distributed adaptive network forensics and active real

time network investigation. Likewise, Tang [Tan05] developed a network forensics

framework based on distributed techniques which provides an integrated platform for

automatic forensic evidence collection and data storage, supporting the integration of

known attribution methods, and an attack attribution graph generation mechanism to

illustrate hacking procedures. Finally, Wang and Daniels [Wan05] propose an

evidence graph model to facilitate the presentation and manipulation of intrusion

evidence. For automated evidence analysis, they developed a hierarchical reasoning

framework that included local reasoning and global reasoning.


6.3 VoIP Evidence Analyzer

The VoIP Evidence Analyzer pattern defines a structure and process to analyze the

collected forensic data packets, and presents a method of investigating an alleged IP

attack scene and tracing back attackers.

Context

We are considering a VoIP environment, where the monitored network should not be

aware of the collection process. We assume the existence of a mechanism to collect

real-time evidence in converged systems and the preservation of such evidence in a

secure way. We also assume a high-speed network with an authentication mechanism

and secure transport channel between forensic components. We also assume that evidence has been collected by a VoIP Evidence Collector.

Problem

How to analyze evidence identified and extracted by the VoIP Evidence Collector in

order to discover the attack source and other characteristics of the attack?

The solution is affected by the following forces:

• One of the most costly, time-consuming and human intensive tasks is the

analysis and reconstruction of attacks in a compromised system.

• In order to correlate and interpret attacks against real-time converged

networks examiners need a structure for forensic analysis.


• An automated technique is fundamental to locate the attackers and reconstruct

their criminal actions.

• We need shorter response times: large volumes of irrelevant information and increasingly complex attack strategies make manual analysis impossible in a timely manner [Wan05].

• Because the amount of data generated by VoIP networks is huge, storing network data for forensic analysis may be complicated.

• Encrypted packets are difficult to analyze.

• The forensic analysis process must guarantee data preservation and integrity.

• Attacks in converged networks are becoming more frequent and more complex to counter.

• A method is required for reusing network forensic knowledge and documenting forensic investigations.

• Forensic incidents in VoIP are often faced by examiners who don’t have experience executing investigations or using similar forensic tools.

Solution

Combine (i.e. pre-process and store) all forensic logs and network traffic captured by

the Evidence Collector into a forensic data repository (database and files) and analyze

them using techniques such as log correlation and normalization [For04].

Logs are processed and converted into a simple format, and then compared with the set of predefined misuse and attack patterns to identify possible security violations [Ren05]. The raw traffic data must also be converted into a readable format and stored in a separate database.

The evidence analyzer then performs automated inference based on the evidence

database and presents results to the forensic investigator. The analysis process

involves using automated methods to sift through large amounts of acquired data and

extract and identify data of particular interest [Gra05].

Structure

Figure 6.4 shows a class diagram describing how an IP telephony and a forensic

system integrate together. This model shows the three primary forensic components:

the Evidence Collector, the forensic server and the network investigator. The

Evidence collector is attached to a host that may be attacked in a VoIP network (e.g.

Gatekeeper).

The main function of the forensic server is combining the logs collected from the target

servers and the VoIP network, and storing them in its database to allow queries via

command user interfaces. The system therefore provides an integrated analysis and a

centralized management for system logging activities.

On the other hand, the network investigator acquires information about attackers and

their sources by using techniques such as IP traceback and packet marking, and by

mapping topology to geographic locations so as to conduct further investigations.


Figure 6.4 Class diagram for a VoIP network forensics system (classes shown: VoIP Network, Forensic LAN, Layer 2 Switch, MCU, Gateway, Gatekeeper, TerminalDevice, conferencing, NetworkInvestigator, ForensicServer, EvidenceDatabase, EvidenceCollector, ForensicComponent; associations labelled manages)

Implementation

After the IDS gives the alert, the network forensics server will send a command to the

Network Investigator (the response is in real-time). The network investigator receives

information from the forensic server about sensitive spots on the VoIP network. Then

the Network Investigator surveys the network in order to obtain useful information,

such as the attacker location, phone numbers, etc. The Network Investigator will also

scan the network for mapping topology to find, for example, a false proxy server, or

trace back the location of the attacker [Ren05]. Finally, the network investigator sends the scan and survey result to the Forensic server using a VoIP secure channel [Fer07b]. This result will include the topology of the network, the IP address, the

MAC address, the possible geographic location of the IP, etc.


The network forensics server can also analyze the attack behavior by replaying the

attacking procedures. Network forensics tools can reorganize the packets into

individual transport-layer connections between machines [Ren05].

The forensics server provides correlations in forensics data in order to discover the

attack behavior. This process will provide network investigators a better way to

monitor voice traffic data and correlate events from VoIP security mechanisms (e.g.

IDS).

To reconstruct the same events, it is necessary to correlate logs in different formats into a single-layer data format by time, IP and User ID. This task is known as normalization [For04]. Correlation in forensics is based on the knowledge of previous

attacks gained by historical methods, geographical location, strength of signal, and

the behavior of the attacker. Likewise, Attack Patterns [Fer07a] will provide prior

knowledge of known exploits. VoIP Correlation Rules correlate events taken from

multiple VoIP source devices including Call Managers, IP PBXs, and voice gateways

[Hic07]. These correlation rules will detect for example theft of service attempts as

well as DoS attacks against VoIP servers.
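Normalization by time, IP and user ID and the two correlation rules named above, as an added Python example (not the dissertation's code). The three log formats, the host addresses, the syslog year (2007) and the rule thresholds are constructed assumptions; a UTC clock is assumed for all sources.

```python
"""VoIP Evidence Analyzer: log normalization and correlation rules (added example, not from the dissertation)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample logs in three different formats (not real captures). Times are UTC.
IDS_LOG = """\
2007-08-01T10:00:05 ALERT sip_auth_failure src=10.0.3.7 user=2001
2007-08-01T10:00:06 ALERT sip_auth_failure src=10.0.3.7 user=2001
2007-08-01T10:00:07 ALERT sip_auth_failure src=10.0.3.7 user=2001
"""
CALLSERVER_LOG = """\
Aug  1 10:00:08 callsrv sipd[412]: REGISTER failed user=2001 from 10.0.3.7
Aug  1 10:00:09 callsrv sipd[412]: REGISTER ok user=2001 from 10.0.3.7
Aug  1 10:00:30 callsrv sipd[412]: REGISTER ok user=2002 from 10.0.1.21
"""
# Gatekeeper CSV: 60 INVITEs from one host in six seconds, i.e. a signaling flood.
GATEKEEPER_CSV = "epoch,ip,event,user\n" + "".join(
    f"{1185962450 + i * 0.1:.1f},10.0.3.50,invite,-\n" for i in range(60))


@dataclass(frozen=True)
class Event:
    """Normalized record: every source is reduced to time, IP and user ID plus an action."""
    time: float    # seconds since the epoch, UTC
    ip: str
    user: str
    action: str    # auth_fail, register_fail, register_ok or invite
    source: str


@dataclass(frozen=True)
class Alert:
    rule: str
    ip: str
    user: str
    count: int


FAILURES = {"auth_fail", "register_fail"}


def parse_ids(text):
    pat = re.compile(r"^(\S+) ALERT (\S+) src=(\S+) user=(\S+)$")
    for m in filter(None, map(pat.match, text.splitlines())):
        ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        action = "auth_fail" if m[2] == "sip_auth_failure" else m[2]
        yield Event(ts.timestamp(), m[3], m[4], action, "ids")


def parse_callserver(text, year=2007):
    # Syslog-style lines carry no year; the capture year is supplied by the analyst.
    pat = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sipd\[\d+\]: REGISTER (ok|failed) user=(\S+) from (\S+)$")
    for m in filter(None, map(pat.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        yield Event(ts.timestamp(), m[4], m[3], "register_ok" if m[2] == "ok" else "register_fail", "callserver")


def parse_gatekeeper(text):
    for line in text.splitlines()[1:]:   # skip the CSV header
        epoch, ip, event, user = line.split(",")
        yield Event(float(epoch), ip, user, event, "gatekeeper")


def normalize_all():
    """Merge the three sources into one time-ordered event list."""
    events = [*parse_ids(IDS_LOG), *parse_callserver(CALLSERVER_LOG), *parse_gatekeeper(GATEKEEPER_CSV)]
    return sorted(events, key=lambda e: e.time)


def correlate(events, fail_threshold=3, fail_window=60.0, flood_threshold=50, flood_window=10.0):
    """Apply two VoIP correlation rules to a time-ordered event list."""
    alerts = []
    # Rule 1 (theft of service attempt): repeated authentication failures for one
    # (IP, user) within fail_window, followed by a successful registration.
    by_ip_user = defaultdict(list)
    for e in events:
        by_ip_user[(e.ip, e.user)].append(e)
    for (ip, user), evs in by_ip_user.items():
        recent = []
        for e in evs:
            recent = [t for t in recent if e.time - t <= fail_window]
            if e.action in FAILURES:
                recent.append(e.time)
            elif e.action == "register_ok" and len(recent) >= fail_threshold:
                alerts.append(Alert("theft_of_service", ip, user, len(recent)))
                recent = []
    # Rule 2 (DoS against a VoIP server): too many signaling events from one IP
    # inside any sliding window of flood_window seconds.
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e.time)
    for ip, times in by_ip.items():
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > flood_window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= flood_threshold:
            alerts.append(Alert("signaling_flood", ip, "-", peak))
    return alerts
```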

Even if the communication was encrypted, it is common to perform so-called “traffic analysis”, inspecting the destination and sender address of every IP packet. By examining the flow of packets over time, it is possible to infer when a user is calling, whom they communicate with, the Web sites they visit, etc. However, the quality of reconstruction relies entirely on the correlation tool one is using [Bra06]. With the appropriate tools, investigators could capture the packets and decode their voice packet payloads in order to analyze VoIP calls.
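Metadata-only call reconstruction of the kind described above, as an added Python example (not the dissertation's code): flows are built from packet headers alone, and a two-way UDP stream with a steady 20 ms cadence in both directions is reported as a call with its parties, start, end and duration. The header records, addresses and thresholds are constructed.

```python
"""Traffic analysis of VoIP flows from packet headers only (added example, not from the dissertation)."""
import statistics
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PacketMeta:
    """Header-only record: no payload is needed for this analysis."""
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: str


@dataclass
class Flow:
    """One conversation between two endpoints; the initiator sent the first packet seen."""
    initiator: tuple      # (ip, port)
    responder: tuple      # (ip, port)
    proto: str
    times_fwd: list = field(default_factory=list)   # initiator -> responder
    times_rev: list = field(default_factory=list)   # responder -> initiator


@dataclass(frozen=True)
class CallRecord:
    caller: str
    callee: str
    start: float
    end: float
    duration: float
    packets: int


def constructed_capture():
    """Constructed header-only records (not a real trace): a short SIP exchange, a
    two-second two-way RTP stream at 20 ms packetization, and a one-way UDP stream."""
    pkts = [PacketMeta(100.0, "10.0.1.20", "10.0.1.5", 5060, 5060, "UDP"),
            PacketMeta(100.1, "10.0.1.5", "10.0.1.20", 5060, 5060, "UDP")]
    for i in range(100):
        t = 101.0 + i * 0.02
        pkts.append(PacketMeta(t, "10.0.1.20", "10.0.1.21", 16384, 16384, "UDP"))
        pkts.append(PacketMeta(t + 0.005, "10.0.1.21", "10.0.1.20", 16384, 16384, "UDP"))
    for i in range(100):   # media in one direction only: not a two-party conversation
        pkts.append(PacketMeta(101.0 + i * 0.02, "10.0.3.50", "10.0.1.22", 40000, 16384, "UDP"))
    return sorted(pkts, key=lambda p: p.ts)


def build_flows(pkts):
    """Group packets into bidirectional flows keyed by the unordered endpoint pair."""
    flows = {}
    for p in pkts:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        key = (min(a, b), max(a, b), p.proto)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(a, b, p.proto)
        (flow.times_fwd if a == flow.initiator else flow.times_rev).append(p.ts)
    return list(flows.values())


def _looks_like_media(times, lo=0.01, hi=0.04):
    """A media stream shows a steady cadence: median inter-packet gap between lo and hi seconds."""
    if len(times) < 2:
        return False
    gaps = [t2 - t1 for t1, t2 in zip(times, times[1:])]
    return lo <= statistics.median(gaps) <= hi


def infer_calls(pkts, min_packets=20):
    """Return a call record for every UDP flow carrying media in both directions."""
    calls = []
    for f in build_flows(pkts):
        if f.proto != "UDP" or len(f.times_fwd) < min_packets or len(f.times_rev) < min_packets:
            continue
        if not (_looks_like_media(f.times_fwd) and _looks_like_media(f.times_rev)):
            continue
        times = sorted(f.times_fwd + f.times_rev)
        calls.append(CallRecord(f.initiator[0], f.responder[0], times[0], times[-1],
                                times[-1] - times[0], len(times)))
    return calls
```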

Dynamics

The sequence diagram of Figure 6.5 shows the sequence of steps necessary to perform

evidence analysis in VoIP. In the initial phase, the forensic evidence sent by the Evidence

Collector is preprocessed and stored in the Forensic Server Database. After scanning and

surveying the network, the Network Investigator sends the results to the Forensic

Server for further analysis and replay of the attacking procedures.

Figure 6.5 Sequence diagram for evidence analysis in VoIP (participants: :VoIPNetwork, :EvidenceCollector, :ForensicServer; messages: sendcommand(), scan/survey(), senddata(), transmit(), analyze(), sendresult(), analyze())

Consequences

The advantages of this pattern include:


• Investigators will be able to perform network forensic investigations in

converged networks in a structured way.

• Designers will be able to correct weak points in a VoIP network perimeter in

order to prevent future similar attacks.

• Forensic investigators can find information on what has occurred to the VoIP

system by looking in the network packet flow.

• Automated evidence analysis will produce an immediate impact on the forensic investigator’s ability to reduce response times [Wan05].

• The information that is collected could be used to predict or anticipate adversarial actions, understand the current state of affairs, and help in determining appropriate courses of action [Gio02].

• The Evidence Analyzer can provide information about analyzing logs and

tracing back attackers.

• All the data from the monitored host, NFAT and investigator will be stored as

the evidence and analyzed for the final presentation.

• Encrypted data can be examined using traffic analysis. By examining the flow

of packets over time, it is possible to infer when a user is using the VoIP

device, whom they communicate with, the call history, etc.

• Investigators can use network traffic data to reconstruct and analyze (in real-time) attacks against the VoIP network as well as to detect inappropriate network usage.

Possible disadvantages include:


• Disk storage space and time overhead requirements may be a concern in some environments.

• The stored attack patterns need to be continually updated, and this will

normally require human expertise.

• The breaking of any encryption used, including WPA, is an involved process

that cannot be done in real-time [Sla06]. The key used by the attacker to

encrypt/decrypt a voice call conversation is necessary to complete the forensic

analysis.

Known uses

QRadar is a module designed by Q1 labs to offer security monitoring for Voice over

IP (VoIP) networks. This product combines network behavior analysis and security

event correlation for monitoring across the network protocol, application, and security

services layers of a VoIP network [Hic07].

Related patterns

The VoIP evidence analyzer pattern has direct relationships to the VoIP Evidence

Collector pattern which was previously introduced and the Secure VoIP Call pattern.


6.4 Summary

We have introduced the concept of forensic patterns as they relate to VoIP

investigations. We illustrated these ideas using UML object oriented models.

Likewise, some issues involved in VoIP forensic investigations were studied. Since

attacks cannot be completely avoided, it is necessary to have appropriate forensics

systems.

The proposed VoIP Evidence Collector pattern could use NFATs in combination with

hardware sensors for real-time collection. Likewise, the VoIP Evidence Analyzer

pattern analyzes the collected forensic data packets, and presents a process of

investigating attacks against the VoIP network. The Evidence Analyzer also uses IP traceback and packet marking techniques to map attackers to their geographic locations.

By using these forensic patterns, investigators will have a structured method to

collect, search and analyze network forensic data. The usefulness of VoIP forensic

patterns will depend on the creation and implementation of a VoIP pattern system

(see figure 6.1). These are the first steps toward a methodology for modeling network

forensics.


Chapter 7

Conclusions and Future Work

Due to the fact that VoIP will become more mainstream in the near future, with the

probability of being the most popular system for mobile communication, it is valuable

to study the mechanisms and tools for forensic analysis of converged networks. We

considered possible security attacks and related them to the ways the system is used.

We have applied an approach that generates most of the attacks in a VoIP

environment. This happens because we consider systematically all actions within a

use case and we see how they could be attacked. The set of all use cases introduced in

this dissertation defines all the uses of the VoIP system and from all the use cases we

can determine all the rights for each actor. We have also discussed existing VoIP

architectures and provided UML models for them. This approach provides a precise framework in which to apply security.

One of the best security approaches in VoIP is to use the Secure VoIP Call pattern to

encrypt all voice traffic and the Network Segmentation pattern to separate VoIP from

data traffic in order to increase security and performance, even though it may not be

appropriate for all environments. This would ensure that the critical voice traffic

would be unaffected if an attack did occur on the data network.


We have introduced the concept of attack pattern as a systematic description of the

steps and objectives of an attack as well as of ways to defend against it and to trace its

application in a system. Attack patterns as an investigative method help to provide an

understanding of the attacker’s point of view, as the attacker’s goals and methods are

the main focus in almost all forensic investigations. Therefore, attack patterns should

be integrated in the VoIP network forensic process. Developers are familiar with

patterns and using this type of patterns should be easy for them when looking for

ways to correct the security of the system. The fact that each pattern corresponds to a specific attack would make it easy to select which security pattern to use once

the possible attacks to the system are determined using a method such as [Fer06a] or

similar.

We introduced an attack pattern template in order to describe how to document and

organize generic attack patterns. The systematic structure provided by the template is

useful to organize information and compare the effects of different attacks. We applied this approach to construct a complete catalog of the most typical attack patterns in VoIP, as well as the corresponding security and forensic patterns.

In addition, we introduced the concept of forensic patterns as they relate to VoIP

investigations. By using these forensic patterns, investigators will have a structured

method to collect, search and analyze network forensic data. Since attacks cannot be

completely avoided, it is necessary to deploy forensics systems. Forensic patterns use network forensic tools (e.g. NFAT software) and methods like IDS and IP traceback that are valuable to network investigators in collecting network traffic data. The forensic

information found in VoIP systems has a great potential to be used as evidence.

Forensic patterns can contribute positively towards the efficiency of forensic

investigations in a converged environment. Their value may be realized when semi-

formal UML models are reused on similar investigations.

This research presented ways in which network investigators can more effectively implement the use of network forensics as a secure and convenient method of collecting digital evidence in a wireless VoIP environment. Our main contribution in this research is to demonstrate the usefulness of security patterns for network forensics purposes, as well as the creation of a complete pattern system to be used

during forensic investigation processes. Figure 7.1 shows a pattern system diagram

integrating the four types of patterns (i.e. architectural, attack, security and forensic)

introduced in this dissertation in order to create a semi-formal network forensic model

for a simplified environment. The usefulness of a VoIP network forensic model will

directly depend on this comprehensive VoIP pattern system. We focused on the

functionality offered by these semi-formal UML patterns and their efficacy. These are

the first steps toward a methodology for modeling network forensics.

Future work will include the generation of a UML network forensic model combining

this pattern system as well as new patterns. This Forensic model will help network

investigators to identify actual intrusions, collect more and better evidence, reduce

analysis time, and help to stop attacks against the VoIP network. The forensic model

will also allow examiners to specify, analyze and implement network security investigations for different architectures. Likewise, the proposed model will help network designers to improve the level of security not only in voice but also in data, video, and fax over IP networks.

Figure 7.1 VoIP Pattern System (patterns shown: VoIP Network Forensic Model, Attack Patterns, SIP Signaling Protocol, H.323 Signaling Protocol, Hybrid Signaling Protocol, Signed Authenticated Call, Secure VoIP Call, VoIP Tunneling, Network Segmentation, Evidence Collector, Evidence Analyzer; relations: uses, implements; properties: message secrecy, message authentication)

Future work will also include extending VoIP architectures to describe models and

security patterns for Tactical Internet including wireless aspects and the development

of attack patterns for that environment. The tactical internetworking model will also

include the development of more general forensic patterns (i.e. not just for VoIP), as

well as the corresponding security patterns. The VoIP network infrastructure can also

be extended using new wireless technologies such as WiMAX. Another possibility is

the development of simpler patterns that can be used as components in complex

architectures (e.g. an Inter-working Function (IWF) pattern).


It is the author’s opinion that in the near future we will see the development of a new series of mobile communication devices using VoIPoW technology. For example, the US Army is expecting that this technology will be fully implemented all the way from mobile combat units to division level by 2016. Therefore, additional forensic research for a wireless Tactical Internet is needed.

Advances in network forensics and network forensic patterns can be achieved by

performing further research in the areas of scalability and efficiency of the traffic

monitor for the VoIP evidence collector. Another area that could be addressed, and

consequently improved, is the decryption (for forensic purposes) of VoIP

communications in real-time.


References

[Anw06] Z. Anwar, W. Yurcik, R. Johnson, M. Hafiz and R. Campbell.

“Multiple Design Patterns for Voice over IP (VoIP) Security. Procs. o f

the IEEE Workshop on Information Assurance (WIA 2006), Phoenix, AZ,

April 2006.

[Bla02] U. Black. “Voice over IP,” Prentice Hall, Upper Saddle River, 2002.

[Bog05] C. Bogen, D. Dampier. “Preparing for Large-Scale Investigations with

Case Domain Modeling.” Procs. o f 2005 Digital Forensic Research

Workshop (DFRWS) New Orleans, LA August, 2005.

[Boo98] G. Booch, and J. Rumbaugh. “The Unified Modeling Language User

Guide”, Addison-Wesley Pub Co; 1st edition, Boston (September 30,

1998).

[BosOl] L. Bos. “Toward an All-IP-Based UMTS System Architecture”, IEEE

Network, Jan/Feb 2001.

[Bou06] S. Boutelle. “Frontline CIO Report.” Military Information Technology,

Volume: 10 Issue: 4, May 02, 2006.

[Bra98] A. Braga, C. Rubira, and R. Dahab, “Tropyc: A pattern language for

cryptographic object-oriented software”, Chapter 16 in Pattern

Languages o f Program Design 4 (N. Harrison, B. Foote, and H. Rohnert,

Eds.). Also in Procs. of PLoP’98.

[Bre99] C. Brenton. “Mastering Network Security,” Network Press, San

Francisco, 1999.

[Bre06] B. Brewin. “Army sets new benchmark for IP telephony.” April 10,

2006. http://www.fcw.com/article93980-04-10-06-Print

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

[Bro99] F. Brown, J. DiVietri, G. Diaz de Villegas, and E. B. Fernandez. “The

authenticator pattern”. In Procs. o f the Pattern Languages o f programs

Conference (PLoP1999).

[Bru05] D. Bruschi M. Monga E. Rosti. “Trusted Internet Forensics: design of a

network forensics appliance.” Workshop o f the 1st international

conference on security and privacy for emerging areas in communication

networks 2005, pp. 33-35. September, 2005.

[Bus96] F. Buschmann, R. Meunier, H. Rohnert, P. Sommerlad, M. Stal.

Pattern-Oriented Software Architecture: A System of Patterns, Volume 1,

Wiley, New York, 1996.

[CamOO] W. Campbell. “Statement of Lieutenant General William H. Campbell

Director for Command, Control, Communications, and Computers”,

March 8 , 2000. http://www.house.gov/hasc/testimony/106thcongress/00-

03-08campbell.htm

[Case06] E. Casey. “Investigating sophisticated security breaches”, Comm, o f

the ACM, vol. 43, No 2, February 2006, 48-54.

[Casw06] B. Caswell. “Snort Users Manual.

http ://www. snort.org/docs/snort_manual/

[CERT07] CERT Coordination Center. Carnegie Mellon University, 2007.

http://www.cert.org

[CheOO] C. Chen. “The study of Mobile Internet Telephony”, Multimedia

Software Engineering, 2000.

[Che05] P.T. Chen, C.S. Laih. “Comparative Survey of Local Honeypot Sensors

to Assist Network Forensics.” Proceedings o f the First International

Workshop on Systematic Approaches to Digital Forensic Engineering

(SADFE’05).

[Chi03] M. Chitnis, P. Tiwari, L. Ananthamurthy. “UML Tools.” February 21, 2003.

http://www.developer.com/design/article.php/1593811

[Cis02] Cisco Systems. “H.323 and SIP Integration”, March 2002.

http://www.cisco.com

170

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

[Col04] M. Collier. “The Value of VoIP Security”, July 2004.

http://www.voipsecurityblog.typepad.com/

[Col05] M. Collier. “Basic Vulnerability Issues for SIP.” March 2005.

http://voipsecurityblog.typepad.eom/marks_voip_security_blog/2007/03/i

ndex.html

[Cor02] V. Corey. “Forensic Analysis.” Sandstorm Enterprises, December 2002.

http://computer.org/intemet/ NOVEMBER

[CRN06] The Communications Research Network (CRN). “VoIP loophole aids

service deniers?” February 2006. http://www.networkengineering.org.au

[Dal99] I. Dalgic, H. Fang. “Comparison of H.323 and SIP for IP Telephony

Signaling.”

http://www.cs.columbia.edu/~hgs/papers/others/1999/Dalg9909_Compari

son.pdf

[Del03] M. Delio. “Voicemail Hackers Phone It In.” April 2003.

http ://www.wired, com/techbiz/it/news/2003/04/58517

[DFRWS01] Digital Forensics Research Workshop. "A Road Map for Digital

Forensics Research 2001." Digital Forensics Research Workshop 6

November (2001): http://www.dfrws.org

[DISA04] Defense Information Systems Agency. “IP Telephony & Voice over

Internet protocol.” Security Technical Implementation Guide, Version 2,

Release 0. 30 December 2004.

[Dre03] P. Drew. “Next-Generation VoIP Network Architecture” March, 2003.

http://www.msf0 mm.0 rg/Y aBB.pl?num=l 077906803/0

[Dur03] S. Durbano, and T. Krout. “Tactical VoIP in secure wireless networks”,

June 2003 http://www.cengen.com/DEFENSE/VOIPRE~l.PDF

[Edw05] T. Edwards. “Linking the 3rd Infantry Division (3ID) Into the Joint

Network Node (JNN).” Army AL&T Magazine, July-August 2005, pp.4-

9.

[E1103] J. Ellis. “Voice, Video and Data Network” Academic Press, Amsterdam,

2003.

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

[EriOO] G. Eriksson. “The challenges of voice-over-IP-over-wireless,” Ericsson

Review Vol. 1, 2000, pp. 20-31.

[Fer05] E.B.Femandez and A.Kumar, “A security pattern for rule-based

intrusion detection”, Procs. o f the Nordic Pattern Languages o f

Programs Conference (VikingPLoP 2005 ).

[Fer06a] E. B. Fernandez, M. VanHilst, M. M. Larrondo Petrie, S. Huang,

“Defining Security Requirements through Misuse Actions”, in Advanced

Software Engineering: Expanding the Frontiers o f Software Technology,

S. F. Ochoa and G.-C. Roman (Eds.), International Federation for

Information Processing, Springer, 2006, 123-137.

[Fer06b] E. B. Fernandez, M.M. Larrondo-Petrie, T. Sorgente, and M. Van-Hilst,

“A methodology to develop secure systems using patterns”, Chapter 5 in

“Integrating security and software engineering: Advances and future

vision”, H. Mouratidis and P. Giorgini (Eds.), IDEA Press, 2006, 107-

126.

[Fer06c] E.B.Femandez and N. Delessy, ""Using patterns to understand and

compare web services security products and standards", Proceedings o f

the IEEE Int. Conference on Web Applications and Services (ICIW'06),

Guadeloupe, February 2006.

[Fer07a] E. B. Fernandez, J. C. Pelaez, and M. M. Larrondo-Petrie. “Attack

patterns: A new forensic and design tool.” Procs. o f the Third Annual

IFIP WG 11.9 International. Conference on Digital Forensics, Orlando,

FL, Jan. 29-31,2007.

[Fer07b] E.B.Femandez, J.C. Pelaez, and M.M. Larrondo-Petrie, "Security

patterns for voice over IP networks", Procs. o f the 2nd IEEE Int.

Multiconference on Computing in the Global Information Technology

(ICCGI 2007), March 4-9, Guadeloupe, French Caribbean.

[Fer07c] E.B. Fernandez, M. VanHilst and J.C. Pelaez. “Patterns for WiMAX

Security.” Proceedings o f the 12th European Conference on Pattern

Languages o f Programs (EuroPLoP), Bavaria, Germany, 4-8 July 2007.

172

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.

[Fer08] E. B. Fernandez, E. Gudes, and M. Olivier. The Design of Secure Systems. Addison-Wesley, Boston, 2008.

[For04] D. Valentino Forte. The Art of Log Correlation: Tools and Techniques for Correlating Events and Log Files. IR Italy Project, 2004.

[Gam94] E. Gamma, R. Helm, R. Johnson, and J. Vlissides. Design Patterns: Elements of Reusable Object-Oriented Software. Addison-Wesley, Boston, Mass., 1994.

[Gha02] A. Gharakhanian. "Which VoIP Architecture Makes Sense For Your Contact Center?" August 2002. http://www.vanguard.net

[Gio02] J. Giordano and C. Maciag. "Cyber Forensics: A Military Operations Perspective." International Journal of Digital Evidence, Vol. 1, Issue 2, Summer 2002.

[Gor00] W. Goralski. IP Telephony. McGraw-Hill, New York, 2000.

[Gra05] T. Grance and S. Chevalier. "Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response (Draft)." Recommendations of the National Institute of Standards and Technology, August 2005.

[Gree04] D. Greenfield. "Securing The IP Telephony Perimeter." April 5, 2004. http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=18900070

[Greg04] P. H. Gregory. "Microsoft ignoring the biggest source of security threats?" Computerworld, February 2004. http://www.computerworld.com/securitytopics/security/story/

[Gur06] V. Gurbani and A. Jeffrey. "The Use of Transport Layer Security (TLS) in the Session Initiation Protocol (SIP)." SIP WG Internet-Draft, February 26, 2006.

[Hen03] L. Hensell. "The new security risk of VoIP." E-Commerce Times, October 2003. http://www.ecommercetimes.com/story/31731.html


[Hic07] A. Hickey. "VoIP security monitoring gets proactive." SearchVoIP.com, 25 Jan 2007.

[Hog04] G. Hoglund and G. McGraw. Exploiting Software: How to Break Code. Addison-Wesley, Boston, 2004.

[IEC04] The International Engineering Consortium. "Fraud Analysis in IP and Next Generation Networks." Web ProForum Tutorials. http://www.iec.org/tutorials/fraud_analysis/

[ITU06] International Telecommunication Union. "Packet-based multimedia communications systems." ITU-T Recommendation H.323, June 2006.

[Kei06] K. Jones, R. Bejtlich, and C. Rose. Real Digital Forensics. Addison-Wesley, Upper Saddle River, NJ, 2006.

[Ken06] K. Kent, S. Chevalier, T. Grance, and H. Dang. "Guide to Integrating Forensic Techniques into Incident Response." National Institute of Standards and Technology, NIST Special Publication 800-86, August 2006.

[Kle03] A. Klein. "Security Analysis: Traditional Telephony and IP Telephony." Practical assignment v.1.4b, SANS Institute, April 2003.

[Lap05] P. A. Laplante and C. J. Neill. AntiPatterns: Identification, Refactoring, and Management. Auerbach Publications, 2005.

[Lev94] N. G. Leveson, M. P. E. Heimdahl, H. Hildreth, and J. D. Reese. "Requirements specification for process control systems." IEEE Transactions on Software Engineering, Vol. 20, No. 9, September 1994, pp. 684-707.

[Man07] A. Manion. "Voice mail systems allow administrative access based on Caller ID." CERT Vulnerability Note VU#726548, January 2007. http://www.kb.cert.org/vuls/id/726548

[Mar01] M. Marjalaakso. "Security Requirements and Constraints of VoIP." Helsinki University of Technology, September 17, 2001. http://www.hut.fi/~mmarjala/voip


[McD00] J. McDermott. "Attack net penetration testing." Procs. of the 2000 New Security Paradigms Workshop, ACM SIGSAC, ACM Press, Sept. 2000, pp. 15-22.

[Mih06] A. Mihai. "Voice over IP Security: A Layered Approach." March 2006. http://www.xmcopartners.com/whitepapers/voip-security-layered-approach.pdf

[Min02] D. Minoli. Delivering Voice over IP Networks. Wiley Publishing, Indianapolis, 2002.

[Moh03] G. Mohay. Computer and Intrusion Forensics. Artech House, Boston, MA, 2003.

[Moo01] A. P. Moore, R. J. Ellison, and R. C. Linger. "Attack modeling for information security and survivability." Technical Note CMU/SEI-2001-TN-001, March 2001.

[Moo05] T. Moore, A. Meehan, G. Manes, and S. Shenoi. "Using Signaling Information in Telecom Network Forensics." Advances in Digital Forensics: IFIP International Conference on Digital Forensics, National Center for Forensic Science, Orlando, Florida, February 13-16, 2005.

[Ngu01] T. Nguyen. "Voice over IP Service and Performance in Satellite Networks." IEEE Communications Magazine, March 2001.

[Nic07] S. Niccolini. "VoIP Security Threats." Internet-Draft, NEC, SPEERMINT Working Group, March 1, 2007.

[Nis05] National Institute of Standards and Technology. "Guide to Computer and Network Data Analysis: Applying Forensic Techniques to Incident Response." August 2005. http://csrc.nist.gov/publications/drafts.html

[OUS04] Oulu University Secure Programming Group, University of Oulu, Finland. PROTOS Test-Suite: c07-h2250v4, October 2004. http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/h2250v4/index.html

[Pel04] J. C. Pelaez. "Security in VoIP Networks." Master's thesis, Florida Atlantic University, August 2004.


[Pel05] J. C. Pelaez and E. B. Fernandez. "Security in VoIP Networks." Proceedings of the International Latin American and Caribbean Conference for Engineering and Technology (LACCEI), June 2005.

[Pel06] J. C. Pelaez and E. B. Fernandez. "Wireless VoIP Network Forensics." Proceedings of the International Latin American and Caribbean Conference for Engineering and Technology (LACCEI), June 2006.

[Pel07a] J. C. Pelaez, E. B. Fernandez, and C. Wieser. "Patterns for VoIP Signaling Protocol Architectures." Proceedings of the 12th European Conference on Pattern Languages of Programs (EuroPLoP), Bavaria, Germany, 4-8 July 2007.

[Pel07b] J. C. Pelaez, E. B. Fernandez, M. M. Larrondo-Petrie, and C. Wieser. "Attack Patterns in VoIP." Proceedings of the Pattern Languages of Programs Conference (PLoP), September 2007, to appear.

[Pog03] J. Pogar. "Data Security in a Converged Network." July 23, 2003. http://www.computerworld.com/securitytopics/security/story/0,10801,83107,00.html

[Rad01] Radvision. "An Overview of H.323-SIP Interworking." October 2001. http://www.radvision.com/NR/rdonlyres/1B7C291A-148C-4506-8312-D6DA2C58C7B7/0/OverviewofH323SIPInterworking.pdf

[Ran01] M. Ranganathan. "Investigations into the Impact of Key Exchange Mechanisms for Security Protocols in VoIP Networks." Proceedings of the First Joint IEI/IEE Symposium on Telecommunication Systems Research, Dublin, Ireland, 27 November 2001. http://telecoms.eeng.dcu.ie/symposium/papers/D2.pdf

[Ran06] M. Ranum. "Network Flight Recorder." 2006. http://www.nfr.com/forum/publications/monitor.html

[Ren05] W. Ren and H. Jin. "Distributed Agent-based Real Time Network Intrusion Forensics System Architecture Design." Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA'05), March 2005.


[Ros02] J. Rosenberg et al. "SIP: Session Initiation Protocol." IETF Network Working Group, Request for Comments 3261, June 2002.

[Sch00] A. Schieder. "Enhanced Voice over IP Support in GPRS and EGPRS." IEEE Wireless Communications and Networking Conference (WCNC), 2000.

[Sch04] H. Schulzrinne. "Session Initiation Protocol (SIP)-H.323 Interworking Requirements." draft-agrawal-sip-h323-interworking-reqs-07, IETF Network Working Group Internet-Draft, October 2004.

[Sch06] M. Schumacher, E. B. Fernandez, D. Hybertson, F. Buschmann, and P. Sommerlad. Security Patterns: Integrating Security and Systems Engineering. Wiley, New York, 2006.

[Sco04] S. Scoggins. "Security Challenges for CALEA in Voice over Packet Networks." April 16, 2004. http://www.interesting-people.org/archives/interesting-people/200412/msg00044.html

[Sea06] D. Searcey and S. Young. "Arrests Reveal Vulnerability of Web Phone Service to Fraud." The Wall Street Journal, June 8, 2006.

[Sha03] K. Shanmugasundaram, N. Memon, A. Savant, and H. Bronnimann. "ForNet: A Distributed Forensics Network." Proceedings of the Second International Workshop on Mathematical Methods, Models and Architectures for Computer Network Security, 2003.

[She04] C. Sheehy. "Tactical Network Versatility Keeps Warfighter in Touch." September 2004. http://www.afcea.org/SIGNAL/subjectindex/command.html

[Shi06] R. Singhai and A. Sahoo. "VoIP Security." M.Tech. seminar, March 2006. http://www.it.iitb.ac.in/~rahuls/resources/MTech_seminar_VoIP_Security.pdf

[Sla06] J. Slay and B. Turnbull. "The Need for a Technical Approach to Digital Forensic Evidence Collection for Wireless Technologies." Proceedings of the 2006 IEEE Workshop on Information Assurance, West Point, NY, July 2006.

[Sno02] A. Snoeren. "Single-Packet IP Traceback." July 2002. http://www-cse.ucsd.edu/~snoeren/papers/spie-ton.pdf


[Sol05] M. Solomon, D. Barrett, and N. Broom. Computer Forensics JumpStart. Sybex, San Francisco, 2005.

[Sta02] W. Stallings. Network Security Essentials: Applications and Standards. Prentice Hall, Upper Saddle River, NJ, 2002, pp. 5-21.

[Ste02] J. Steffan and M. Schumacher. "Collaborative attack modeling." Procs. of ACM SAC 2002.

[Ste03] P. Stephenson. "Modeling of Post-Incident Root Cause Analysis." October 2003. http://www.e-evidence.info/1203.html

[Sut07] B. Sutherland. "Stealing Minutes." Newsweek International, March 19, 2007.

[Sym07] Symantec Corporation. Antivirus Research Center, 2007. http://www.symantec.com

[Tan05] Y. Tang. "A Simple Framework for Distributed Forensics." January 2005. http://doi.ieeecomputersociety.org/10.1109/ICDCSW.2005.24

[The04] P. Thermos. "Two Attacks Against VoIP." April 2004. http://www.securityfocus.com/infocus/1862

[Tip04] TippingPoint Technologies, Inc. "Intrusion Prevention: The Future of VoIP Security." June 2004. http://www.tippingpoint.com

[Vat02] M. Vatis. "Law Enforcement Tools and Technologies for Investigating Cyber Attacks: A National Needs Assessment." Institute for Security Technology Studies at Dartmouth College, June 2002.

[Ver05] Verisign. "Wi-Fi VoIP and Cellular Network Integration: The Power of Dual-Mode Handsets and Wi-Fi." http://www.verisign.com/static/031270.pdf

[Vuo04] S. Vuong and Y. Bai. "A Survey of VoIP Intrusions and Intrusion Detection Systems." Proceedings of the 6th International Conference on Advanced Communication Technology, August 2004.

[Wal05] T. J. Walsh and D. R. Kuhn. "Challenges in Securing Voice over IP." IEEE Security & Privacy, Vol. 3, No. 3, May/June 2005, pp. 44-49.


[Wan05] W. Wang and T. Daniels. "Building Evidence Graphs for Network Forensics Analysis." Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC 2005), September 2005.

[Wei01] E. Weiss. "Security Concerns with VoIP." IP Telephony (VoIP) Threats, Defenses and Countermeasures, Core Competence Inc., August 20, 2001. http://www.sans.org/rr/papers/index.php?id=323

[Wie06] C. Wieser, J. Roning, and A. Takanen. "Security Analysis and Experiments for Voice over IP RTP Media Streams." Procs. of the 8th Intl. Symp. on System and Information Security (SSI'2006), Sao Jose dos Campos, Sao Paulo, Brazil, 8-10 November 2006.

[Wik07] Wikipedia, the free encyclopedia. "Hepting v. AT&T." http://en.wikipedia.org/wiki/Hepting_vs._AT&T

[Woo06] C. Wood and D. Kuehl. "Joint Network Node-Network." Army Communicator, PB 11-06-3, Vol. 31, No. 3, Summer 2006.


Acronyms

3GPP 3rd Generation Partnership Project
AES Advanced Encryption Standard
ARP Address Resolution Protocol
ASCII American Standard Code for Information Interchange
ATM Asynchronous Transfer Mode
BDE Brigade
BES Back End Service
C2 Command and Control
C4I Command, Control, Communications, Computers, and Intelligence
CA Certification Authority
CALEA Communications Assistance for Law Enforcement Act
CD Compact Disc


CDR Call Detail Record
CERT Computer Emergency Readiness Team
CF Collection Function
COTS Commercial Off-The-Shelf
CP Command Post
CRTP Compressed Real-time Transport Protocol (RTP header compression)
DDoS Distributed Denial of Service
DF Delivery Function
DHCP Dynamic Host Configuration Protocol
DISA Defense Information Systems Agency
DISN Defense Information Systems Network
DLL Dynamic Link Library
DNS Domain Name System
DoD Department of Defense
DoS Denial of Service
DRSN Defense Red Switched Network
DSN Defense Switched Network
EMS Element Management System
EPLRS Enhanced Position Location Reporting System
ESP Encapsulating Security Payload
FAT File Allocation Table
FBCB2 Force XXI Battle Command Brigade and Below
FBI Federal Bureau of Investigation


FM Frequency Modulation
FTP File Transfer Protocol
GB Gigabyte
GPRS General Packet Radio Service
GPS Global Positioning System
GUI Graphical User Interface
HMAC-MD5 Keyed-Hash Message Authentication Code using Message-Digest Algorithm 5
HMAC-SHA Keyed-Hash Message Authentication Code using the Secure Hash Algorithm
HTTP Hypertext Transfer Protocol
ICMP Internet Control Message Protocol
ID Identification
IDE Integrated Drive Electronics
IDS Intrusion Detection System
IETF Internet Engineering Task Force
IM Instant Messaging
INFOSEC Information Systems Security
IP Internet Protocol
IPsec Internet Protocol Security
IPT IP Telephony
ISDN Integrated Services Digital Network
ISO International Organization for Standardization
ISP Internet Service Provider


IT Information Technology
ITU International Telecommunication Union
IVR Interactive Voice Response
JNN Joint Network Node
JNTC Joint Network Transport Capability
JOC Joint Operations Center
KB Kilobyte
LAN Local Area Network
LOS Line of Sight
MAC Media Access Control
MAC Modification, Access, and Creation (file timestamps)
MAN Metropolitan Area Network
MB Megabyte
Mbps Megabits Per Second
MCSU Media Control Server Unit
MCU Multipoint Control Unit
MD Message Digest
MG Media Gateway
MGC Media Gateway Controller
MGCP Media Gateway Control Protocol
MITM Man-In-The-Middle
MS Microsoft
MSE Mobile Subscriber Equipment


MTS Movement Tracking System
MUX Multiplexer
NAT Network Address Translation
NFAT Network Forensic Analysis Tool
NFS Network File System
NIC Network Interface Card
NIPRNet Non-Classified (But Sensitive) Internet Protocol Router Network
NIST National Institute of Standards and Technology
NSA National Security Agency
NTDR Near Term Digital Radio
NTFS Windows NT File System
NTP Network Time Protocol
OS Operating System
OSI Open Systems Interconnection
PBX Private Branch Exchange
PC Personal Computer
PDA Personal Digital Assistant
PDU Protocol Data Unit
PSTN Public Switched Telephone Network
QoS Quality of Service
RAM Random Access Memory
RAS Remote Access Service
RF Radio Frequency


RFC Request for Comments
ROCCO Robust Checksum-based Header Compression
RTCP RTP Control Protocol
RTP Real-time Transport Protocol
SATCOM Satellite Communications
SCSI Small Computer System Interface
SD Secure Digital
SDP Session Description Protocol
SFTP Secure FTP
SG Signaling Gateway
SHA-1 Secure Hash Algorithm 1
SINCGARS Single Channel Ground and Airborne Radio System
SIP Session Initiation Protocol
SIPRNet Secret Internet Protocol Router Network
S/MIME Secure / Multipurpose Internet Mail Extensions
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SS7 Signaling System Seven
SSH Secure Shell
SSL Secure Sockets Layer
TACSAT Tactical Satellite
TB Terabyte
TCP Transmission Control Protocol


TCP Tactical Command Post
TCP/IP Transmission Control Protocol/Internet Protocol
TDM Time Division Multiplexing
TDMA Time Division Multiple Access
TFTP Trivial File Transfer Protocol
TLS Transport Layer Security
TOC Tactical Operations Center
UA User Agent
UAC User Agent Client
UAS User Agent Server
UDP User Datagram Protocol
UFS UNIX File System
UHF Ultra-High Frequency
UMTS Universal Mobile Telecommunications System
UPS Uninterruptible Power Supply
URL Uniform Resource Locator
USB Universal Serial Bus
VLAN Virtual Local Area Network
VLR Visitor Location Register
VoIP Voice over Internet Protocol
VPN Virtual Private Network
VSAT Very Small Aperture Terminal
WAN Wide Area Network


WLAN Wireless Local Area Network
