Introduction:

Security is a concern for every company at every level. The wide adoption of VoIP and new protocol standards has introduced many new issues. For most enterprises, the adoption of VoIP is a migration path – a fact that contributes to increased complexity for the IT security personal and network administrators. VoIP introduces new systems, vendors, applications, servers, operating systems, and the like. The introduction of media gateways to handle traditional telephony converted to VoIP on the data network introduces security management challenges on the network. If not using media gateways, organizations are adopting VoIP providers that carry traffic on an IP network connection. This course will help you understand the issues of VoIP security on all levels of the network. We will follow the OSI model to ensure that all levels are covered. We will begin by learning the technical concepts related to network security. We will then study the protocols such as SIP and H.323 on the IP network. We will conclude with a discussion of the policies and procedures that enhance VoIP security.

Audience:

Network security planning teams, network administrators, IT and telecom engineers, and IT security management. This course is also beneficial for the homeland security community and crime prevention/investigation officers. Are you involved with commercial or military deployment planning for VoIP? Depending on your background and job, we can tailor the course to focus on the technical or managerial issues. Are you a network engineer or administrator who would like to “fill in the holes” and catch up with the state-of-the-art of security planning? Let us know so we can focus on the areas that interest you the most. Are you a VoIP network or application installer who would like to learn the security concepts and theory that underlie your craft? We can focus on the tools and techniques that will help you become more “tech savvy” on VoIP security issues. Are you a manager, executive, or sales person whose work involves VoIP security systems? If so, we can emphasize those parts of the course that deal with policy management, vendor audits, and procedural security issues.

Prerequisites:

VoIP: Protocols, Design, and Implementation State-of-the-art of VoIP Technology for Professionals, Managers, and Executive

Customize it:

This 3-4-day VoIP Security course will be customized to your needs and specifications. Enowireless will assist you in identifying those needs and specifications. A word to the wise, there are many vendors of wireless training. They will typically have a broad and general course, one size fits all, already developed and just put your organization’s name on the title slide. This minimizes their effort and time investment. At Enowireless, every course is made to your exact and exacting specifications. We help you ensure what you are getting is what you really need even if at the beginning you weren’t too sure of what that was. We fit the class to your needs. We never fit you into our “standard”, one size fits all, class.

Objectives:

Practical, Immediately Useful Benefits of Attending: Detailed strategies and design guidelines to maintain QoS while ensuring IPTelephony Network Security Apply proper design and integration techniques to your VoIP application deployment to mitigate risks of attack Examine VoIP management tools and best practices to support risk mitigation Design security solutions for multiple voice network deployments Learn how NAT and Firewalls impact call setup, media streams, latency, and application level gateway Examine how to overcome NAT issues using STUN, TURN, and ICE Build and manage VoIP solutions over a VPN Get approved configuration techniques for securing Cisco CallManager 3.2 and 4.0 Identify SIP Security Features and learn how to configure and administer those features Learn H.323 security issues including Port usage risk, firewall inspection, and NAT configurations Understand the threats and security holes with VoIP call control protocols H.323, SIP, and MGCP Detail how IPSec and RTPEncryption help secure MGCP call signaling Accurately audit a VoIP network deployment to determine its security risks Administer security for LAN and WAN VoIPTraffic Understand the impact of CALEA on ITSPs Learn about VoXMLand XMLservices and how to secure these services

Course Outline

Chapter 1: IP Telephony & Converged Network Security Issues Although IP telephony design differs greatly with the size of enterprises, the underlying best practices remain virtually the same. For this reason the design discussions are somewhat similar. In this section, you will get an overview of the most common types of attacks in any IP network, and will focus on those attacks that significantly impact an IP Telephony network. A. Sources of attacks Internal External B. All Networks (Especially VOIP) are targets Types of attacks Denial of Service (DOS) TCP/IP insecurity Eavesdropping/Sniffing/Snooping/Wiretapping Vomit Sniffer Pro Etherpeek Packet Spoofing Replay Message Integrity Captain Crunch Phone Phreaking Managing VOIP Networks helps mitigate security threats Management Tools Best Practices Establishing Identity is Important Rogue Devices are major security risks Secure and Monitor All Voice Servers Logical Separation is important The key to controlling Voice Security is Data Segmentation IP Telephony Devices are Insecure IP Phones Call Manager Unity Gateways Routers Switches Applications PC-based phones are especially insecure PC-based phones require open access to both data and voice networks They provide data network access Module 2: VoIP Network Security Design Considerations Security architecture for IP Telephony network must prevent most attacks from successfully affecting valuable network resources. The attacks that succeed in penetrating the first line of defense, or originate from inside the network, must be accurately detected and quickly contained to minimize their effect on the rest of the network. However, in being secure, the network must continue to provide critical services that users expect, especially phone services. Proper network security and good network functionality can be provided at the same time. This section focuses on best practices and design guidelines to maintain QoS while ensuring IP Telephony network security. Small Voice Network Designs Medium Voice Network Designs Large Voice Network Designs Service Provider Voice Network Designs VPN (Virtual Private Networks) and VoIP VON (Voice over network) or Internet voice over IP Example Designs Module 3: IP Telephony Operating System Level Security In this module, you will explore the specific issues with the applications that drive IP Telephony networks and the proper designs to mitigate the effects of attacks. We will discuss basic but important security configurations to handle issues such as time stamping, AAA, and anti-replay configurations. A. Authentication B. Operating System Security Windows 2000 Server DNS Active Directory IIS DHCP Secure Telnet SNMP Terminal Services Suggested services Suggested Security Practices 2. HIDS OKENA Console (Stormwatch) Agent (Stormfront) Configuration Examples for Call Manager, Unity, & Application Servers 3. Virus Protection McAffee Symantec Example configurations 4. MS SQL SQL 7 SQL 2000 Example configurations 5. MS Exchange Exchange 5.5 Exchange 2000 Recommended configurations Summary Module 4: Network Access Security In this module you will review Network Access including Firewalls and Packet filters and review configurations of these services with VoIP. The emphasis in this section will be on how Network Access security impacts QoS in VoIP and what your trade-offs are with regard to service and performance against security. A. Stateful Firewalls VoIP Requirements Soft Phones Unified Messaging Proxy Servers Signaling vs. Payload B. NAT Full Cone NAT Restricted Cone NAT Port Restricted Cone Symmetric NAT C. Issues with Firewalls & NAT Dynamic Port Assignment D. VoIP Issues with Firewalls & NAT Call Setup Media Stream Latency Application Level Gateways E. Proxy Servers Placement of Proxy Servers F. Overcoming NAT Issues STUN TURN ICE G. VPN - advantages and disadvantages Module 5: IP Telephony Application Security The objective of this module is to provide you with information on potential attacks that may be waged against Call Manager, Unity, and many of the other application servers that can be integrated with Call Manager. You will also see examples of approved configuration techniques and third party applications used in securing Cisco Call Manager version 3.2. A. Call Manager and other Vendor IP PBX Security User Security (Identity Spoofing) Physical Security Access Security (Administrative Access) Toll Fraud (Phone Phreaking) Route Patterns PSTN Trunk Considerations CDR reporting CDR reporting tool Avotus Example Configurations B. Unity and other Messaging and Collaboration Security User Security (Identity Spoofing) Physical Security Access Security (Administrative Access) Toll Fraud (Phone Phreaking) Example Configurations C. XML Services and Security XML overview Types of services Chapter 6: Physical Security This module deals with general hardware access security-related issues, objectives, and examples. Hardware Access Biometrics Human Engineering Example installations Summary Chapter 7: Protocol Security This module's objective is to give the user a better look into the protocols that are common in an IP Telephony network. Special care will be given to each protocol’s security-related issues and appropriate configurations to reduce risks. A. H.323 Architecture Gatekeeper Gateways MCU Endpoints Operation (Diagram a VoIP call using H.323) Protocols H.225 H.245 RAS Q.931 RTP & SRTP H.235 H.235 v2 H.235 v2 Annex D H.235 v2 Annex E H.235 v2 Annex F H.235 v3 H.235 v3 Annex G MIKEY Security Issues & Risk Mitigation Port Usage Firewall Considerations NAT Considerations B. SIP Architecture Proxy Server Redirect Server Location Server Registrar Endpoints Operation (Diagram a VoIP call using SIP) SIP Security Features HTTP Digest Authentication MIME & SMIME Confidentiality RTP & SRTP SDP TLS IPSec SIP Authenticated Identity Body SIP Authenticated Identity Management Security Issues & Risk Mitigation Text Encoding Firewall Considerations NAT Considerations C. MGCP, Megaco/H.248 Architecture Call Agent Gateways Endpoints Operation (Diagram a VoIP call using each protocol) Similarities & Differences Security Issues IPSec RTP Encryption Module 8: Attack Mitigation This module covers common attacks in any data network and some of the tools Hackers will use to exploit the IP Telephony network. Unauthorized Access Toll Fraud Denial of Service IP Spoofing Packet Sniffers - Interception and mitigation Virus and Trojan-horse applications Caller Identity Spoofing Repudiation Application Layer Attack Mitigation Summary