-
A third party should not be able to read the data that is intended for the recipient.
Confidentiality or Privacy
-
The recipient should receive the packets that the originator sends without any change to their content. A third party should be unable to modify the packets in transit.
integrity
-
The sender and recipient of VoIP signaling or media messages need to be sure that the peer they are communicating with is in fact who it claims to be.
authenticity
-
protection from Denial-of-Service (DoS) attacks. The VoIP service should be available to the users at all times. Malicious or misbehaving users/devices should not be able to disrupt the service. Mitigation of DoS attacks requires taking measures to protect VoIP resources and to protect the underlying IP network.
Availability
-
Users share a single secret key
Symmetrical. Same key used to encrypt and decrypt
shared key
-
Each user has a related public and private key
Asymmetrical. Different key used to decrypt than was used to encrypt.
Public-Key cryptography
-
The original message cannot be retrieved from it.
hash
-
A hash is created using the original message.
The hash is encrypted using the private key of the signer.
The receiver decrypts the hash using the signer’s public key.
This hash is compared to a recalculated hash from the received message.
If they match, the message was sent from the signer and was not modified in transit.
Digital signature
-
Certificates are a method to distribute public keys
A certificate authority (CA) issues a certificate validating the requestor’s identity and public key
You have to pay the certificate authority.
Public-key cryptography
-
evolved from SSL
Typically used to secure signaling
Sits on top of TCP
TLS
-
The client authenticates the identity of the server via TLS.
The server uses some other out-of-band means to authenticate the client.
server-auth mode
-
Each entity authenticates its peer by verifying its certificate.
Mutual authentication mode
-
Provides connection security.
It provides privacy and integrity.
Uses algorithms such as Data Encryption Standard (DES) and RC4 for data encryption.
Can also run without encryption.
For integrity, MD5 and Secure Hash Algorithm (SHA).
Record protocol layer
-
Multiple protocols, such as the TLS handshake protocol,
The TLS handshake protocol is primarily engaged at the start of the data communication
client layer
-
Operates at the IP layer.
Uses the following protocols to provide security:
Authentication Header (AH)
AH provides authentication and integrity.
Encapsulating Security Payload (ESP)
ESP provides privacy in addition to authentication and integrity by encrypting parts of the message.
IPSec
-
The IPsec header is inserted between the IP header and the upper-layer protocol (TCP/UDP) header.
Only the payload of an IP datagram is protected.
Transport mode
-
The entire IP packet is protected.
tunnel mode
-
Specified for the management of security keys.
Uses public-key cryptography techniques to negotiate an authentication key, security protocol (AH or ESP), hashing algorithm, and encryption algorithm.
Internet Key Exchange (IKE)
-
Provides security for both data packets (RTP) and control packets.
Defined in RFC 3711.
Does not specify how the keys are exchanged between the sender and recipient.
Secure Real-time Transport Protocol (SRTP)
-
**Too much delay or jitter if you encrypt it in the**
software
-
Disable unused services on what?
Unused Ports/Services
-
If you are using Simple Network Management Protocol (SNMP) on a device only to gather data, set SNMP to
read-only mode
-
If you are using web-based administration, always use WHAT? with protocols such as Secure Sockets Layer (SSL).
secure access
-
Administratively disable any unused port on a switch at what layer?
Layer 2
-
You can use Host-based Intrusion Prevention Systems (HIPS) to secure critical voice devices such as
processing elements
-
Separate VoIP traffic, usually by using
VLANs
-
At the IP layer, use separate IP network address spaces for what types of traffic?
data and voice traffic
-
If it comes from a soft device, you don't
trust it
-
Filters malicious DHCP messages and builds a database of IP-to-MAC bindings.
Acts as a firewall between untrusted sources and the DHCP server.
DHCP snooping
-
All IP traffic on an untrusted port is blocked except for DHCP messages
IP Source Guard
-
Inspects all ARP messages on untrusted ports and verifies that the ARP messages are not malicious by comparing them against the DHCP snooping binding database.
Dynamic ARP Inspection (DAI)
-
Causes the switch to flood traffic out all ports.
CAM overflow
-
Configuring a maximum number of MAC addresses per port. If a particular port encounters this limit, the specified action is taken on that port. The offending port can be either shut down or placed in a restricted mode.
port security
-
Should be enabled on every interface where the switch is connected to a PC (host).
Attempts to prevent malicious host devices from sending BPDUs.
BPDU Guard
-
Used on ports connected to another switch that should never become the root.
Configured on a per-port basis.
Root Guard
-
Monitor and analyze network traffic to detect intrusions.
Network-based Intrusion Prevention Systems (NIPS)
-
Sends the first part of the three-way handshake and won't complete it.
half open (embryonic)
-
SYN and ACK: what layer do they deal with?
Layer 3
-
Trusting another server or device for authentication.
Trust that is transmitted through another party.
transitive trust
-
They open up pinholes for the voice media to flow through.
Application-Layer Gateways (ALG).
-
It is advisable to use a private address space that is specific for VoIP instead of using
Network Address Translation (NAT)