Understanding Voice over IP Security
1st Edition
Published on 1. January 2006
276 pages
978-1-59693-051-3 (ISBN)
Description
This authoritative and practical book offers a current and comprehensive understanding of VoIP (Voice over IP) security. You learn how to design and implement secure VoIP networks and services, and how to integrate VoIP securely in existing data networks. You discover how emerging IETF SIP and media security standards will affect future VoIP deployment, and how end-to-end encryption may be deployed to eventually protect all VoIP calls. The book explains Internet security basics, attack types and methods, and details all the key security aspects of a data and VoIP systems and networks, including identity, authentication, signaling, and media encryption. This practical resource discusses security architectures of perimeter vs. end-to-end security in terms of VoIP systems. You also find security approaches and architectures in related applications, such as the World Wide Web, Secure Shell, and the PSTN. A chapter on client and server security discusses general security of Internet hosts in a VoIP system. What's more, the book presents current techniques to combat spam and covers the future problems of spim (spam over instant messaging) and spit (spam over internet telephony).
More details
Other editions
Additional editions
Alan B. Johnston
Understanding Voice Over IP Security
Book
03/2006
Artech House Publishers
€113.50
Shipment within 10-20 days
Content
- Understanding Voice over IP Security
- Contents
- Foreword
- Acknowledgments
- 1 Introduction 1
- 1.1 VoIP: A Green Field for Attackers 2
- 1.2 Why VoIP Security Is Important 3
- 1.3 The Audience for This Book 4
- 1.4 Organization 4
- 2 Basic Security Concepts: Cryptography 7
- 2.1 Introduction 7
- 2.2 Cryptography Fundamentals 7
- 2.2.1 Secret Key (Symmetric) Cryptography 10
- 2.2.2 Asymmetric (Public Key) Cryptography 12
- 2.2.3 Integrity Protection 13
- 2.2.4 Authenticated and Secure Key Exchange 17
- 2.3 Digital Certificates and Public Key Infrastructures 20
- 2.3.1 Certificate Assertions 22
- 2.3.2 Certificate Authorities 24
- References 27
- 3 VoIP Systems 29
- 3.1 Introduction 29
- 3.1.2 VoIP Architectures 29
- 3.2 Components 31
- 3.3 Protocols 32
- 3.3.1 Session Initiation Protocol 32
- 3.3.2 Session Description Protocol 40
- 3.3.3 H.323 42
- 3.3.4 Media Gateway Control Protocols 45
- 3.3.5 Real Time Transport Protocol 46
- 3.3.6 Proprietary Protocols 47
- 3.4 Security Analysis of SIP 48
- References 49
- 4 Internet Threats and Attacks 51
- 4.1 Introduction 51
- 4.2 Attack Types 51
- 4.2.1 Denial of Service (DoS) 51
- 4.2.2 Man-in-the-Middle 56
- 4.2.3 Replay and Cut-and-Paste Attacks 57
- 4.2.4 Theft of Service 58
- 4.2.5 Eavesdropping 59
- 4.2.6 Impersonation 60
- 4.2.7 Poisoning Attacks (DNS and ARP) 60
- 4.2.8 Credential and Identity Theft 61
- 4.2.9 Redirection/Hijacking 62
- 4.2.10 Session Disruption 63
- 4.3 Attack Methods 64
- 4.3.1 Port Scans 64
- 4.3.2 Malicious Code 65
- 4.3.3 Buffer Overflow 67
- 4.3.5 Password Theft/Guessing 69
- 4.3.6 Tunneling 69
- 4.3.7 Bid Down 69
- 4.4 Summary 70
- References 70
- 5 Internet Security Architectures 73
- 5.1 Introduction 73
- 5.1.1 Origins of Internet Security Terminology 73
- 5.1.2 Castle Building in the Virtual World 74
- 5.2 Security Policy 75
- 5.3 Risk, Threat, and Vulnerability Assessment 77
- 5.4 Implementing Security 79
- 5.5 Authentication 80
- 5.6 Authorization (Access Control) 82
- 5.7 Auditing 82
- 5.8 Monitoring and Logging 84
- 5.9 Policy Enforcement: Perimeter Security 85
- 5.9.1 Firewalls 86
- 5.9.2 Session Border Controller 90
- 5.9.3 Firewalls and VoIP 82
- 5.10 Network Address Translation 93
- 5.11 Intrusion Detection and Prevention 95
- 5.12 Honeypots and Honeynets 97
- 5.13 Conclusions 97
- References 98
- 6 Security Protocols 101
- 6.1 Introduction 101
- 6.2 IP Security (IPSec) 103
- 6.2.1 Internet Key Exchange 105
- 6.3 Transport Layer Security (TLS) 107
- 6.4 Datagram Transport Layer Security (DTLS) 111
- 6.5 Secure Shell (SecSH, SSH) 112
- 6.6 Pretty Good Privacy (PGP) 115
- 6.7 DNS Security (DNSSEC) 116
- References 119
- 7 General Client and Server Security Principles 121
- 7.1 Introduction 121
- 7.2 Physical Security 122
- 7.3 System Security 122
- 7.3.1 Server Security 122
- 7.3.2 Client OS Security 124
- 7.4 LAN Security 126
- 7.4.1 Policy-Based Network Admission 127
- 7.4.2 Endpoint Control 128
- 7.4.3 LAN Segmentation Strategies 129
- 7.4.4 LAN Segmentation and Defense in Depth 130
- 7.5 Secure Administration 131
- 7.6 Real-Time Monitoring of VoIP Activity 132
- 7.7 Federation Security 132
- 7.8 Summary 132
- References 133
- 8 Authentication 135
- 8.1 Introduction 135
- 8.2 Port-Based Network Access Control (IEEE 802.1x) 137
- 8.3 Remote Authentication Dial-In User Service 140
- 8.4 Conclusions 143
- References 143
- 9 Signaling Security 145
- 9.1 Introduction 145
- 9.2 SIP Signaling Security 146
- 9.2.1 Basic Authentication 146
- 9.2.2 Digest Authentication 147
- 9.2.3 Pretty Good Privacy 152
- 9.2.4 S/MIME 153
- 9.2.5 Transport Layer Security 155
- 9.2.6 Secure SIP 159
- 9.3 H.323 Signaling Security with H.235 160
- References 161
- 10 Media Security 163
- 10.1 Introduction 163
- 10.2 Secure RTP 164
- 10.3 Media Encryption Keying 168
- 10.3.1 Preshared Keys 168
- 10.3.2 Public Key Encryption 169
- 10.3.3 Authenticated Key Management and Exchange 170
- 10.4 Security Descriptions in SDP 172
- 10.5 Multimedia Internet Keying (MIKEY) 173
- 10.5.1 Generation of MIKEY Message by Initiator 177
- 10.5.2 Responder Processing of a MIKEY Message 183
- 10.6 Failure and Fallback Scenarios 186
- 10.7 Alternative Key Management Protocol-ZRTP 188
- 10.8 Future Work 190
- References 190
- 11 Identity 193
- 11.1 Introduction 193
- 11.2 Names, Addresses, Numbers, and Communication 193
- 11.2.1 E.164 Telephone Numbers 194
- 11.2.2 Internet Names 195
- 11.3 Namespace Management in SIP 196
- 11.3.1 URI Authentication 196
- 11.4 Trust Domains for Asserted Identity 199
- 11.5 Interdomain SIP Identity 202
- 11.5.1 SIP Authenticated Identity Body (AIB) 203
- 11.5.2 Enhanced SIP Identity 204
- 11.6 SIP Certificates Service 209
- 11.7 Other Asserted Identity Methods 217
- 11.7.1 Secure Assertion Markup Language 217
- 11.7.2 Open Settlements Protocol and VoIP 219
- 11.7.3 H.323 Identity 219
- 11.7.4 Third Party Identity and Referred-By 219
- 11.8 Privacy 220
- References 223
- 12 PSTN Gateway Security 225
- 12.1 Introduction 225
- 12.2 PSTN Security Model 225
- 12.3 Gateway Security 227
- 12.3.1 Gateway Security Architecture 228
- 12.3.2 Gateway Types 229
- 12.3.3 Gateways and Caller ID 230
- 12.3.4 Caller ID and Privacy 231
- 12.3.5 Gateway Decomposition 231
- 12.3.6 SIP/ISUP Interworking 232
- 12.4 Telephone Number Mapping in the DNS 233
- References 236
- 13 Spam and Spit 237
- 13.1 Introduction 237
- 13.2 Is VoIP Spam Inevitable? 238
- 13.3 Technical Approaches to Combat E-Mail Spam 240
- 13.3.1 Filtering Spam Using Identity Information 240
- 13.3.2 Grey Listing 241
- 13.3.3 Challenge/Response (Sender Verification) 242
- 13.3.4 Distributed Checksum Filtering (DCF) 242
- 13.3.5 Content Filtering 243
- 13.3.6 Summary of Antispam Approaches 243
- 13.4 VoIP and Spit 243
- 13.5 Summary 245
- References 246
- 14 Conclusions 247
- 14.1 Summary 247
- 14.2 VoIP Is Still New 248
- 14.3 VoIP Endpoints Are New 248
- 14.4 VoIP Standards Are Not Complete 249
- 14.5 Base VoIP Security on Best Current Security Practices for Data 249
- 14.6 VoIP Is a QoS-Sensitive Data Application 250
- 14.7 Merging Public and Private VoIP Services Will Be Problematic 250
- 14.8 Concluding Remarks 251
- Index 253
- Recent Titles in the Artech House Telecommunications Library
