
Check Point Special Advisory

Attack ID: CPSA-2003-10
Publish Date:
Category: VoIP (SIP) Security
Vulnerable Systems: Systems and networks using SIP based IP phones
Source: Internal Research
Description:

A VoIP (Voice Over IP) infrastructure adds IP-PBXs, gateways, servers (proxy, registrar, and locator servers), and IP phones to the IP backbone network. Each VoIP element, whether it is an embedded system or an off-the-shelf server running a commercialized operating system, is addressable and accessible over the data network like any computer. Each contains a processor running software that can be attacked or used as a launching point for deeper attacks.

SIP, the Session Initiation Protocol, is an IETF standard signaling protocol for Internet conferencing, telephony, presence, events notification and instant messaging. It is one of the most widely used VoIP protocols.

Attacks on data communications can come through the IP voice infrastructure and vice versa. Denial of service attacks targeting weak VoIP elements could flood the network with voice traffic, degrading network performance or shutting down both voice and data communications. Hacked-into gateways might be used to make unauthorized free telephone calls. Unprotected voice communications might be intercepted and stolen or corrupted. Voice packets can be sniffed out and listened to in real time. PC-based soft phones are vulnerable to eavesdropping if the PC is infected with a Trojan horse that snoops into LAN traffic. Voicemail can be redirected to "ghost" mailboxes.

In short, VoIP opens voice communications to the same kinds of security threats that imperil data communications.

Severity:
  Attackers can mount several kinds of denial of service attacks against SIP VoIP systems, blocking legitimate services or taking down the entire network. They can also sniff sensitive data and, in some cases, launch IP bounce attacks that traverse traditional security gateways and gain complete control over the VoIP-enabled system as well as the entire network.

The most common threats include:

  • Call hijacking. Calls intended for one receiver are redirected to someone else. At best hijacked calls are a disruptive nuisance; at worst they can steal valuable sensitive information.
  • Fooled billing. For example, fake BYE and OK messages exchanged over the SIP signaling path appear to terminate a call and billing is stopped, while the media path actually remains open. Undetected, these attacks can rob an organization of considerable revenue.
  • Denial of Service (DoS) attacks. The attacker mimics caller identities and cancels pending SIP INVITE requests. The result: an organization's phone system is effectively shut down.

Details:

VoIP presents certain specific security challenges. A VoIP phone call has two parts: the exchanged signaling messages that set up the call, and the media stream that carries the voice communication. Signaling and media travel on separate paths, so a call requires two logical connections. SIP signaling passes through proxy servers; once the call has been set up through the proxy, media transmission takes place directly between the initiator and the target. Both streams, signaling and media, need to be inspected by a firewall as they cross security boundaries in order to enforce security policies.

The signaling path is vulnerable to impersonators trying to steal or disrupt phone service and to eavesdroppers looking for account codes to override toll call restrictions. The signaling path uses UDP/TCP port 5060.

The media stream bypasses security enforcement points located at proxy servers and flows directly between the endpoints. Common threats to the voice stream include eavesdropping and transport disruption.

Attack Detection:

When a SIP-based attack is detected, SmartView Tracker displays one of the following SIP attack-information log records:

  • Attack info: Malformed SIP datagram. <SIP Message name> message is out of state
  • Attack info: Malformed SIP datagram, Unknown SIP message type
  • Attack info: Malformed SIP datagram, Illegal <SIP Message name> users in response packet
  • Attack info: Malformed SIP datagram, Illegal characters in packet

In addition, depending on the security policy, further log records appear for bounce attacks, handover domain violations, message DoS, networking DoS, and similar events.

Solution:

FireWall-1 inspects VoIP control signals passing through the enforcement point to prevent call hijacking, fooled billing, and DoS attacks. Using information derived from the control signals, FireWall-1 provides this protection through:

  • Dynamic management of RTP (media) sessions
  • Analysis and enforcement of message states
  • Verification of the existence and correctness of call parameters
  • Maintenance of the call state for each call
  • Enforcement of handover domains

FireWall-1 disassembles and inspects the packets on the signaling stream and dynamically opens the ports needed to let the media into the network. Dynamic, stateful port opening alone is not enough, however: FireWall-1 also verifies that the SIP signaling commands used to select the IP address and port inside the signaling packets comply with the entire security policy. To do this, the firewall reads inside the signaling packets to discover the ports the two endpoints have selected, and only then enables them to send media packets to each other.
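The following is an added example, not Check Point's code, of the kind of stateful inspection described above (analysis and enforcement of message states, maintenance of per-call state, verification of call parameters, dynamic management of RTP sessions, and enforcement of a handover domain for media). It also shows how the call hijacking, fooled billing and CANCEL-based DoS patterns listed under "Severity" surface as out-of-state or illegal-parameter log records. The method set, the RTP port range, the handover domain, the Call-IDs, addresses and SDP bodies are all constructed for the example; the log texts are modelled on the SmartView Tracker records listed under "Attack Detection" but are not the product's actual strings.

```python
import ipaddress
import re

# Added example, not Check Point code: a minimal stateful SIP inspector.
# Log texts are modelled on the advisory's records; sample messages are constructed.
KNOWN_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}


def parse_sip(raw):
    """Split one SIP datagram into method, status, headers and body; reject junk early."""
    if re.search(r"[^\t\r\n\x20-\x7e]", raw):
        raise ValueError("Illegal characters in packet")
    head, _, body = raw.partition("\r\n\r\n")
    start, *hdr_lines = head.split("\r\n")
    headers = {}
    for line in hdr_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("Illegal characters in packet")
        headers[name.strip().lower()] = value.strip()
    cseq = headers.get("cseq", "").split()
    status = re.match(r"SIP/2\.0 (\d{3}) ", start)
    if status and len(cseq) == 2:  # response: the method it answers comes from CSeq
        return {"method": cseq[1], "status": int(status.group(1)), "headers": headers, "body": body}
    parts = start.split()
    if len(parts) == 3 and parts[2] == "SIP/2.0" and parts[0] in KNOWN_METHODS:
        return {"method": parts[0], "status": None, "headers": headers, "body": body}
    raise ValueError("Unknown SIP message type")


def sdp_media(body):
    """Return the (ip, port) that the SDP body selects for RTP, or None if absent."""
    c = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    m = re.search(r"^m=audio (\d+) RTP/AVP", body, re.M)
    return (c.group(1), int(m.group(1))) if c and m else None


class SipInspector:
    """Per-Call-ID state machine; an RTP pinhole exists only between 200 OK and BYE."""

    def __init__(self, media_domain, rtp_ports=(16384, 32767)):
        self.domain = ipaddress.ip_network(media_domain)  # handover domain allowed for media
        self.rtp_ports = rtp_ports
        self.calls = {}        # Call-ID -> {"state", "from", "media"}; created on INVITE only
        self.pinholes = set()  # (ip, port) pairs currently open for RTP
        self.logs = []

    def _drop(self, text):
        self.logs.append("Attack info: Malformed SIP datagram" + text)
        return False

    def _media_ok(self, ip, port):
        lo, hi = self.rtp_ports
        return ipaddress.ip_address(ip) in self.domain and lo <= port <= hi and port % 2 == 0

    def inspect(self, raw):
        """True if the datagram may pass the enforcement point, False if dropped and logged."""
        try:
            msg = parse_sip(raw)
        except ValueError as err:
            return self._drop(", " + str(err))
        h, method, is_req = msg["headers"], msg["method"], msg["status"] is None
        call_id = h.get("call-id")
        if not call_id:
            return self._drop(", Call-ID missing")
        # Unknown Call-IDs get a throwaway record so junk cannot fill the state table.
        call = self.calls.get(call_id, {"state": "IDLE", "from": None, "media": None})
        st = call["state"]
        if method == "INVITE" and is_req:
            if st != "IDLE":
                return self._drop(". INVITE message is out of state")
            call["state"], call["from"] = "PENDING", h.get("from")
            self.calls[call_id] = call
        elif method == "INVITE" and msg["status"] == 200:
            if st != "PENDING":
                return self._drop(". 200 OK (INVITE) message is out of state")
            media = sdp_media(msg["body"])
            if not media or not self._media_ok(*media):
                return self._drop(", Illegal media parameters in response packet")
            call["state"], call["media"] = "ESTABLISHED", media
            self.pinholes.add(media)  # dynamic RTP session management
        elif method == "CANCEL" and is_req:
            if st != "PENDING":
                return self._drop(". CANCEL message is out of state")
            if h.get("from") != call["from"]:  # identity and dialog tag must match the INVITE
                return self._drop(", Illegal CANCEL users in request packet")
            self.calls.pop(call_id)
        elif method == "BYE" and is_req:
            if st != "ESTABLISHED":
                return self._drop(". BYE message is out of state")
            self.pinholes.discard(call["media"])  # media path closes with the signaling
            self.calls.pop(call_id)
        elif method == "ACK" and st != "ESTABLISHED":
            return self._drop(". ACK message is out of state")
        return True


def sip_msg(start, call_id, cseq, frm="<sip:alice@10.0.0.10>;tag=a1", to="<sip:bob@10.0.0.20>", body=""):
    """Build a constructed SIP datagram with CRLF line endings as on the wire."""
    lines = [start, f"Call-ID: {call_id}", f"CSeq: {cseq}", f"From: {frm}", f"To: {to}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


SDP_ANSWER = "v=0\r\nc=IN IP4 10.0.0.20\r\nm=audio 20000 RTP/AVP 0\r\n"  # constructed SDP answer


def demo():
    """Run a constructed call through the inspector; returns (verdicts, logs, open pinholes)."""
    fw = SipInspector("10.0.0.0/24")
    cid, uri = "call-1@10.0.0.10", "sip:bob@10.0.0.20"
    verdicts = [
        fw.inspect(sip_msg(f"INVITE {uri} SIP/2.0", cid, "1 INVITE")),
        # CANCEL that copies Alice's identity but carries the wrong dialog tag
        fw.inspect(sip_msg(f"CANCEL {uri} SIP/2.0", cid, "1 CANCEL", frm="<sip:alice@10.0.0.10>;tag=x")),
        fw.inspect(sip_msg("SIP/2.0 200 OK", cid, "1 INVITE", to="<sip:bob@10.0.0.20>;tag=b1", body=SDP_ANSWER)),
        fw.inspect(sip_msg(f"ACK {uri} SIP/2.0", cid, "1 ACK")),
        # BYE for a call that was never set up through the firewall (fooled-billing pattern)
        fw.inspect(sip_msg(f"BYE {uri} SIP/2.0", "ghost@10.0.0.99", "1 BYE")),
        fw.inspect(sip_msg(f"FOO {uri} SIP/2.0", cid, "2 FOO")),
        fw.inspect(sip_msg(f"BYE {uri} SIP/2.0", cid, "2 BYE") + "\x00"),
        fw.inspect(sip_msg(f"BYE {uri} SIP/2.0", cid, "2 BYE")),
    ]
    return verdicts, fw.logs, fw.pinholes


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two design points matter for a defender. First, the RTP pinhole is opened only from media parameters that the firewall itself has read out of the signaling and checked against policy, and it is closed the moment the matching BYE passes; a forged BYE/OK pair therefore cannot leave the media path open through the enforcement point, and a BYE that matches no established call is logged as out of state. Second, state records are created only by an INVITE, so a flood of CANCEL or BYE messages for unknown Call-IDs produces log records but does not consume call-table memory. A production inspector would additionally validate the SDP offer in the INVITE, handle re-INVITE and hold, and tie the signaling transport (UDP/TCP 5060) and the media addresses to the handover domains defined in the policy.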

Users of NG with Application Intelligence should configure SIP security rules so that additional security checks are performed on each and every SIP packet. These checks are provided by the SmartDefense Application Intelligence layer (security administrators should activate: SmartDefense -> Application Intelligence -> VoIP -> Verify SIP header content).

Industry Reference:
Additional Information: CERT: CA-2003-06
CVE: CVE-1999-0938
CVE: CAN-2003-0761
CVE: CAN-2002-0880