Voice over Internet Protocol (VoIP) Security - John Rittinghouse PhD CISM, James F. Ransome PhD CISM CISSP

Voice over Internet Protocol (VoIP) Security (eBook)

eBook Download: PDF
2005 | 1st edition
432 pages
Elsevier Science (publisher)
978-0-08-047046-7 (ISBN)
54,95 incl. VAT
Voice Over Internet Protocol Security has been designed to help the reader fully understand, prepare for, and mediate current security and QoS risks in today's complex and ever-changing converged network environment. It will help you secure your VoIP network whether you are at the planning, implementation, or post-implementation phase of your VoIP infrastructure.

* This book will teach you how to plan for and implement VoIP security solutions in converged network infrastructures. Whether you have picked up this book out of curiosity or professional interest . . . it is not too late to read this book and gain a deep understanding of what needs to be done in a VoIP implementation.

* In the rush to be first to market or to implement the latest and greatest technology, many current implementations of VoIP infrastructures, both large and small, have been implemented with minimal thought to QoS and almost no thought to security and interoperability.

Front cover 1
Title page 4
Copyright page 5
Table of contents 6
List of Figures and Tables 16
Foreword 18
Preface 24
Acknowledgments 28
1 The (Business) Value of VoIP 30
1.1 Internet Telephony versus Telephony over the Internet 31
1.2 The Value of VoIP: Return on Investment (ROI) 31
1.2.1 Getting the Most from VoIP: Cost Savings 32
1.2.2 Capital and Expense Savings 33
1.2.3 Productivity Savings 34
1.2.4 New Features 34
1.2.5 Convergence of Technologies 35
1.2.6 Potential Drawbacks in VoIP Implementations 35
1.2.7 VoIP Implementation Realities of ROI 36
1.2.8 What about VoIP Security? 36
1.3 Summary 37
1.4 Endnotes 38
1.5 General References 38
2 Digital Voice Fundamentals 40
2.1 Speech Properties 41
2.2 Classes of Speech 42
2.2.1 Voiced Sounds 42
2.2.2 Unvoiced Sounds 43
2.2.3 Plosive Sounds 43
2.3 Sampling 44
2.4 Quantization 45
2.4.1 Uniform or Linear Quantizers 46
2.4.2 Nonuniform (Logarithmic) Quantization 46
2.4.3 Companding 46
2.4.4 Vector Quantization 47
2.5 Waveform Coding 47
2.5.1 Time Domain Coding: Pulse Code Modulation (G.711) 48
2.5.2 G.711 PCM Standardization 55
2.5.3 Time Domain Coding: Differential PCM (DPCM) 55
2.5.4 Time Domain Coding: Adaptive Differential PCM (G.721/G.726) 56
2.5.5 Continuously Variable Slope Delta (CVSD) Modulation 56
2.5.6 Frequency Domain Coding 57
2.5.7 Vocoding 58
2.5.8 Hybrid Coding 61
2.5.9 G.723.1 Recommendation 66
2.5.10 G.728 Low-Delay CELP Recommendation 66
2.5.11 G.729 Recommendation 67
2.5.12 The GSM Codec 70
2.6 Digital Speech Interpolation 71
2.7 Summary 72
2.8 Endnotes 73
2.9 General References 74
3 Telephony 101 76
3.1 Introduction to Telephony 76
3.2 Call Technology Basics 79
3.2.1 Traditional Handsets 81
3.2.2 Switch Hook 82
3.2.3 Side Tone 82
3.2.4 Dialer 82
3.2.5 VoIP and VoIP Phones 82
3.3 Understanding Signaling 84
3.4 Subscriber Loop Signaling 85
3.4.1 Supervisory Signaling 85
3.4.2 Address Signaling 91
3.4.3 Call-Progress Signaling 93
3.5 Components of the Phone System 94
3.5.1 Phone 94
3.5.2 PBX 94
3.5.3 Subscriber Loop 94
3.5.4 Trunk and Access Lines 95
3.6 Making the Basic Telephone Connection 95
3.6.1 On-hook 95
3.6.2 Off-hook 95
3.6.3 Dialing 96
3.6.4 Switching 97
3.6.5 Ringing 97
3.6.6 Talking 97
3.7 North American Numbering Plan (NANP) 98
3.8 International Numbering Plan (ITU-T E.164) 99
3.9 CCS, CCIS, CAS, and SS7 99
3.10 Summary 101
3.11 Endnotes 102
3.12 General References 102
4 Packet Technologies 104
4.1 Packet Networking Overview 104
4.1.1 ISO/OSI Network Model 104
4.1.2 TCP/IP Network Model 108
4.2 Routing and Switching 109
4.2.1 Routing Basics 109
4.2.2 Routing Tables 114
4.2.3 Distance-Vector Routing Protocols 115
4.2.4 Switching 115
4.3 IP Networks 116
4.3.1 Address Resolution Protocol (ARP) 116
4.3.2 Understanding IP, TCP, UDP, and ICMP Packets 117
4.4 VoIP Security Protocols 124
4.4.1 H.235 and Security Profiles 124
4.4.2 H.235v2 124
4.4.3 H.235v2 Annex D: Baseline Security Profile 124
4.4.4 H.235v2 Annex E: Signature Security Profile 125
4.4.5 Voice Encryption Option 125
4.4.6 H.235v2 Annex F: Hybrid Security Profile 126
4.4.7 H.235v3 127
4.4.8 Baseline Security Profile Enhancements 127
4.4.9 Draft H.235v3 Annex G: SRTP and MIKEY usage 127
4.4.10 Draft H.235v3 Annex H: RAS Key Management 129
4.4.11 H.235v3 for Direct-Routed Scenarios 130
4.4.12 SIP Security 131
4.4.13 Existing Security Features in the SIP Protocol 132
4.4.14 Signaling Authentication using HTTP Digest Authentication 132
4.4.15 S/MIME Usage within SIP 132
4.5 Confidentiality of Media Data in SIP 133
4.5.1 TLS Usage within SIP 133
4.5.2 IPSec Usage within SIP 134
4.5.3 Security Enhancements for SIP 134
4.5.4 SIP Authenticated Identity Body 134
4.5.5 SIP Authenticated Identity Management 134
4.5.6 SIP Security Agreement 135
4.5.7 SIP End-to-Middle, Middle-to-Middle, Middle-to-End Security 136
4.5.8 SIP Security Issues 136
4.5.9 MGCP 138
4.5.10 MGCP System Architecture 138
4.5.11 MGCP Security Considerations 138
4.6 Voice Transport Protocols 139
4.6.1 Real-time Transport Protocol (RTP) 139
4.6.2 Transport Control Protocol (TCP) and User Datagram Protocol (UDP) 139
4.6.3 Real-Time Control Protocol (RTCP) 140
4.6.4 Stream Control Transmission Protocol (SCTP) 141
4.6.5 Trivial File Transfer Protocol (TFTP) 142
4.7 Signaling Protocols 143
4.7.1 SIGTRAN 143
4.7.2 H.248/MEGACO 143
4.7.3 MEGACO Security Considerations 145
4.8 DNS and DNSSEC with VoIP 146
4.8.1 DNSSEC and Identity 146
4.9 MPLS and VoIP 147
4.9.1 Label Distribution Protocol (LDP) 148
4.9.2 Constraint-based Routing - Label Distribution Protocol (CR-LDP) 150
4.9.3 RSVP and RSVP-TE 150
4.10 Voice over Frame Relay Access Devices (VFRADs) 152
4.11 Voice over ATM (VoATM) 154
4.12 Summary 155
4.13 Endnotes 156
4.14 General References 158
5 VoIP Processing 162
5.1 Voice Packetization 162
5.2 Compression 163
5.3 VoIP Packet Processing Issues 164
5.3.1 Packet Timing Jitter 164
5.3.2 Packet Timing Latency 165
5.4 VoIP Call Setup Protocols 167
5.4.1 Call Setup Protocols from the Telephony Community 167
5.4.2 Call Setup Protocols from the Data-Networking Community 167
5.5 Voice Streaming Protocols 168
5.6 IP Telephony Servers, PBXs, and Gatekeepers 169
5.7 VoIP Gateways, Routers, and Switches 170
5.8 IP Phones and Softphones 173
5.9 VoIP and Converged Network Regulatory Issues 173
5.10 The VoIP Regulatory Freedom Act of 2004 175
5.11 Summary 176
5.12 Endnotes 177
5.13 General References 177
6 VoIP Implementation Basics 180
6.1 Stages of VoIP Implementation 180
6.2 Achieving VoIP Quality and Reliability 182
6.2.1 The Need for Quality of Service (QoS) 183
6.2.2 Link-layer QoS techniques 184
6.2.3 Queuing Techniques 185
6.2.4 IP QoS Techniques 185
6.2.5 QoS Issues 189
6.2.6 QoS in a Voice Over Packet System 190
6.3 Tuning for VoIP QoS 192
6.4 Configuration and Testing 195
6.5 VoIP Management 197
6.6 Service Level Agreements (SLAs) 200
6.6.1 Implementing VoIP SLAs 202
6.7 Other VoIP Implementation Issues 205
6.7.1 Delay 206
6.7.2 Echo 207
6.7.3 Packet Loss 207
6.7.4 Jitter 207
6.7.5 VoIP Header Overhead Problem 207
6.7.6 Standards are Lacking for Call Control Information 208
6.8 Endnotes 209
6.9 General References 209
7 VoIP Security Risks 210
7.1 VoIP Infrastructure Risks 211
7.1.1 VoIP Inherits the Same Threats as the IP Data Network 211
7.1.2 Operating System Vulnerability 213
7.1.3 Human Vulnerability 214
7.1.4 Toll Fraud 215
7.1.5 Easy Access 216
7.1.6 Service Use and Abuse 216
7.1.7 Unintentional and Inadvertent Risks 216
7.1.8 Deliberate Threats 217
7.1.9 Nonemployee or Temporary Employee Granted Access 217
7.1.10 Phreakers Using Phone Systems 218
7.1.11 Hackers Using Computer Systems 218
7.1.12 Service Disruption and Denial of Service 219
7.1.13 Buffer Overflow Attacks 220
7.1.14 SYN Flood 220
7.1.15 UDP Flood 221
7.1.16 Fragmentation Attacks 221
7.1.17 Smurf Attack 221
7.1.18 General Overload 222
7.1.19 Distributed Denial-of-Service Attacks 222
7.1.20 Modems 224
7.1.21 Cable Modems 224
7.1.22 IP Phones 225
7.1.23 Core Routers 225
7.1.24 Media Gateways 226
7.1.25 SIP and SIP Proxies 227
7.1.26 Gatekeepers 230
7.1.27 VoIP Servers and Configuration Exploits 231
7.1.28 Switches 231
7.1.29 VoIP-Based Firewalls 231
7.1.30 Network Access Points 233
7.1.31 Wireless Access Points 233
7.1.32 Remote-Access Points 233
7.1.33 Voice-Mail Systems 234
7.1.34 PBX Risks 235
7.2 VoIP Risk from Attacks 239
7.2.1 Insertion and Evasion Attacks 239
7.2.2 User Identity Theft 241
7.2.3 Device Identity Theft 241
7.2.4 Session (Call) Hijacking 241
7.2.5 Monitoring (Eavesdropping) 242
7.2.6 Controlling a Conversation 242
7.2.7 Call-Forwarding Control 242
7.2.8 Redirecting Control 243
7.2.9 Message Integrity 243
7.2.10 Manipulation of Accounting Data 244
7.2.11 Endpoint Impersonation 244
7.2.12 Gatekeeper Impersonation 246
7.2.13 Back-End Service Impersonation 247
7.2.14 Packet Injection 247
7.2.15 Rogue VoIP Server or Gateway 248
7.2.16 Viruses and Other Malicious Software 248
7.2.17 Sniffing 249
7.2.18 Spoofing 251
7.2.19 Man-in-the-Middle Attacks 252
7.2.20 Network Scanning 253
7.2.21 Password Cracking 255
7.2.22 Wardialers and Telephone Line Scanners 255
7.2.23 Annoyances and Spam Calls 257
7.2.24 Caller ID Risks 257
7.2.25 Wi-Fi 259
7.3 Summary 259
7.4 Endnotes 260
7.5 General References 261
8 VoIP Security Best Practices 264
8.1 General 264
8.1.1 Maintain Strong Physical Security 265
8.1.2 Secure the Datacenter 265
8.1.3 Secure the Equipment 266
8.1.4 Secure the Environment around the Equipment 266
8.1.5 Secure the Hardware 266
8.1.6 Harden the Servers 267
8.1.7 Manage Your Storage Intelligently 268
8.1.8 Create a Secure Build Image 268
8.1.9 Secure the System and Application Software 269
8.1.10 Log Consolidation and Unusual Pattern Log Analysis 271
8.1.11 Stay Up to Date with Your Network Equipment Vendors 272
8.1.12 Stay Up to Date with Your Software Vendors 272
8.1.13 Turn off Modem Support when Not Needed 273
8.1.14 Create a Well Educated Security Team 273
8.1.15 Perform Security Incident Postmortems 273
8.1.16 Implement Policy Management 274
8.2 PBX Network 275
8.2.1 Internal Control and Audit 275
8.2.2 Eliminate Unnecessary Modems 276
8.2.3 Securing the IP PBX 276
8.2.4 Remote Access 277
8.2.5 Accounts and Passwords 277
8.2.6 Physical Security 278
8.2.7 Combating PBX and Voice-Mail Vulnerabilities 278
8.3 VoIP Network 281
8.3.1 Separate VoIP Traffic 281
8.3.2 Encrypt VoIP Traffic 282
8.3.3 Isolate IP PBXs and VoIP Servers on a VLAN 282
8.3.4 Put Chatty Protocols on Their Own VLAN 283
8.3.5 Isolate Voice Traffic on a Separate VLAN 283
8.3.6 Unified Management Infrastructure 283
8.3.7 Avoid Use of Voice on Shared Ethernet Segments 283
8.3.8 Build Separate DHCP Servers 284
8.3.9 Put VoIP Devices on Different Windows Domains 284
8.3.10 Beware of Shared Drives 284
8.3.11 Use Private IP Addressing Inside Your Enterprise 284
8.3.12 Use Switches Instead of Hubs 284
8.3.13 Secure the Voice Gateway 285
8.3.14 Maintain Strong Security on All VoIP Servers 286
8.3.15 Filtering on All Segments 287
8.3.16 Filter All Traffic 287
8.3.17 Deploy Firewalls 288
8.3.18 Use a Telecommunications Firewall 290
8.3.19 Intrusion Detection and Prevention Systems 292
8.3.20 Monitoring and Logging 293
8.3.21 Router Security 293
8.3.22 Use Existing Firewalls/IDS to Highlight Attempted Attacks 295
8.3.23 Use Authentication to Exclude Requests from Unknown Hosts 295
8.3.24 Use Dedicated VoIP Firewalls to Prevent Attacks 295
8.3.25 Use a VoIP-Aware Firewall/IDS to Monitor Untrusted VoIP Traffic 296
8.3.26 Security Issues with the Use of H.323, SIP, H.235v3, MGCP, and MEGACO/H.248 296
8.3.27 Network Address Translation (NAT) 302
8.3.28 VoIP Proxies 305
8.3.29 Virtual Private Networks (VPNs) and IP Security (IPSec) in VoIP 308
8.3.30 IPSec VoIP Considerations 320
8.3.31 Security Association (SA) 321
8.3.32 Enhanced 911 (E911) VoIP Considerations 322
8.4 VoIP Phones 323
8.4.1 Set up the IP Phones Securely 324
8.4.2 Manage Phone Passwords Carefully 324
8.4.3 Limit the Functions Available in Publicly Available Phones 324
8.4.4 Allow Limited Administrative Access 325
8.4.5 Identify Users 325
8.4.6 Disable Automated Phone Registration 325
8.4.7 Maintain Vulnerability Assessments, Antivirus, and Firewall on Softphone Computers 326
8.5 Summary 326
8.6 Endnotes 327
8.7 General References 330
9 VoIP Security and the Law 332
9.1 Regulatory Issues 333
9.2 The 1996 National Information Infrastructure Protection Act 336
9.3 President's Executive Order on Critical Infrastructure Protection 336
9.4 The USA PATRIOT Act of 2001 337
9.5 The Homeland Security Act of 2002 341
9.6 US Patriot Act and Changes to Computer-Related Laws 342
9.6.1 Authority to Intercept Voice Communications 342
9.6.2 Obtaining Voice-Mail and Other Stored Voice Communications 343
9.6.3 Changes to Wiretapping Procedures 343
9.6.4 Scope of Subpoenas for Electronic Evidence 344
9.6.5 Clarifying the Scope of the Cable Act 345
9.6.6 Emergency Disclosures by Communications Providers 346
9.6.7 Pen Register and Trap and Trace Statute 346
9.6.8 Intercepting Communications of Computer Trespassers 347
9.6.9 Nationwide Search Warrants for E-mail 348
9.6.10 Deterrence and Prevention of Cyberterrorism 349
9.6.11 Investigations 353
9.6.12 Ethics 354
9.7 Summary 355
9.8 Endnotes 355
10 The Future of VoIP 358
10.1 The New Breed of VoIP: Internet Telephony 358
10.2 The Internet Telephony Providers 360
10.2.1 Free World Dial-Up 360
10.2.2 Net2Phone 361
10.2.3 Packet8 361
10.2.4 VoicePulse 361
10.2.5 Vonage 362
10.3 VoIP over Wireless LAN (VoWLan) 362
10.4 The Need for VoIP Security 363
10.5 Endnotes 365
Appendix 368
A.1 Abbreviations 368
A.2 Glossary 375
A.3 Related Web Sites 404
A.4 References 408
Index 414

Publication date (per publisher) 19.1.2005
Language English
Subject area Non-fiction / Guides
Computer Science Networks Security / Firewall
Technology Electrical Engineering / Power Engineering
Technology Communications Engineering
ISBN-10 0-08-047046-7 / 0080470467
ISBN-13 978-0-08-047046-7 / 9780080470467
Format: PDF (Adobe DRM)
Size: 2,5 MB

Copy protection: Adobe DRM