Transcription

National Security Agency
Cybersecurity Technical Report

Deploying Secure Unified Communications/Voice and Video over IP Systems

June 2021
SN U/OO/153515-21
PP-21-0827
Version 1.0

National Security Agency Cybersecurity Technical Report
Deploying Secure UC/VVoIP Systems
Part One: Network Guidelines

Notices and history

Document change history

Date: 15 June 2021
Version: 1.0
Description: Initial release

Disclaimer of warranties and endorsement

The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

Trademark recognition

Bluetooth is a registered trademark of Bluetooth Special Interest Group (SIG), Inc. NIST is a trademark and brand of National Institute of Standards and Technology.

Publication information

Contact information

Client Requirements / General Cybersecurity Inquiries: Cybersecurity Requirements Center, 410-854-4200, Cybersecurity [email protected]
Media Inquiries: Media Relations, 443-634-0721, [email protected]

This document was developed in furtherance of NSA's cybersecurity missions. This includes its responsibilities to identify and disseminate threats to National Security Systems, Department of Defense information systems, and the Defense Industrial Base, and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

U/OO/153515-21 PP-21-0827 JUN 2021 Ver. 1.0

Table of contents

Deploying Secure Unified Communications/Voice and Video over IP Systems .... i
Executive summary .... 4
Part I: Network security best practices and mitigations .... 5
  Accessibility and network separation .... 6
    Mitigations .... 7
  Call eavesdropping protections .... 8
    Mitigations .... 8
  Physical access protections .... 8
    Mitigations .... 9
  Network availability protections .... 9
    Mitigations .... 9
  Network services and protocols protections .... 10
    DHCP .... 10
    DNS .... 11
    NTP .... 12
  Trusted path and channel protections .... 12
    Mitigations .... 13
  Summary of Part I .... 13
Part II: Perimeter security best practices and mitigations .... 14
  PSTN gateway protections .... 14
    Mitigations .... 14
  Protections for public IP networks functioning as voice carriers .... 15
    Mitigations .... 16
  Signaling gateway protections .... 17
    Mitigations .... 17
  Media gateway protections .... 18
    Mitigations .... 18
  Wide area network (WAN) link protections .... 18
    Mitigations .... 18
  Cloud connectivity protections .... 18
    Mitigations .... 19
  Summary of Part II .... 20
Part III: Enterprise session controller security best practices and mitigations .... 21
  Software and application protections .... 21
    User accounts and passwords .... 22
    Default UC/VVoIP server configuration settings .... 22
    Audit and logging apparatus .... 23
    Software vulnerabilities .... 23
    Malicious software .... 23
    Network services .... 24
    Database security .... 24
    Cryptographic key material .... 25
  Physical security protections .... 25
    Mitigations .... 26
  Service availability protections .... 26
    Hardware and power failures .... 26
    Data loss .... 27
    Emergency Services .... 27
  Client registration protections .... 28
    Mitigations .... 28
  Remote management protections .... 28
    Web-based management interfaces .... 28
    Proprietary management software .... 29
  Summary of Part III .... 30
Part IV: UC/VVoIP endpoint best practices and mitigations .... 31
  Software and hardware security .... 31
    Software vulnerabilities .... 31
    Third-party software .... 32
    Malicious software .... 33
    Embedded microphones .... 33
  Remote management of UC/VVoIP endpoints .... 34
    Downloading firmware and configuration files .... 34
    Web-based management interface .... 35
    Simple Network Management Protocol (SNMP) .... 35
    Telnet .... 36
  Network connectivity .... 36
    Ethernet .... 36
    Infrared .... 37
    Wireless personal area network (WPAN) .... 38
    Wireless local area network (WLAN) .... 38
    Network connectivity mitigation summary .... 39
  Convergence features .... 39
    Mitigations .... 40
  Softphones .... 41
    Mitigations .... 41
  Summary of Part IV .... 42
  End of guidelines .... 42

Figures

Figure 1: Logical view of a UC/VVoIP system following NSA guidelines .... 6
Figure 2: Perimeter security device placement following NSA guidelines .... 15

Executive summary

Unified Communications (UC) and Voice and Video over IP (VVoIP) call-processing systems provide rich collaboration tools and offer flexible ways to communicate by combining voice, video conferencing, and instant messaging in the modern workplace. Today these systems are integrated into an enterprise's existing Internet Protocol (IP) infrastructure, use commodity software, and are likely to use open-source and standard protocols.

However, the same IP infrastructure that enables UC/VVoIP systems also extends the attack surface into an enterprise's network, introducing vulnerabilities and the potential for unauthorized access to communications. These vulnerabilities were harder to reach in earlier telephony systems, but now voice services and infrastructure are accessible to malicious actors who penetrate the IP network to eavesdrop on conversations, impersonate users, commit toll fraud, or cause denial-of-service effects. Compromises can lead to high-definition room audio and/or video being covertly collected and delivered using the IP infrastructure as a transport mechanism.

If properly secured, a UC/VVoIP system limits the risk to data confidentiality and communication system availability. This security requires careful consideration, detailed planning and deployment, and continuous testing and maintenance. Deploying Secure Unified Communications/Voice and Video over IP Systems outlines best practices for the secure deployment of UC/VVoIP systems and presents mitigations for vulnerabilities due to inadequate network design, configurations, and connectivity. This report is separated into four parts. Each part speaks to the system administrators who will lead mitigation efforts in each area of the system. It describes the mitigations and best practices to use when:

- Preparing networks
- Establishing perimeters
- Using enterprise session controllers (ESCs)
- Adding UC/VVoIP endpoints for deployment of a UC/VVoIP system

Using the mitigations and best practices explained here, organizations may embrace the benefits of UC/VVoIP while minimizing the risk of disclosing sensitive information or losing service.

Part I: Network security best practices and mitigations

To securely deploy Unified Communications / Voice and Video over Internet Protocol (UC/VVoIP) systems, the network is the first critical area to implement security protections. Part I of Deploying Secure Unified Communications/Voice and Video over IP Systems addresses how to secure the network of one of these systems.

UC/VVoIP call-processing security is dependent on a defense-in-depth approach. UC/VVoIP call-processing network elements are on the data network, requiring careful deployment and configuration of the network infrastructure to address possible threats related to UC/VVoIP systems. The data-only network infrastructure—including transport devices such as switches and routers—must mitigate known vulnerabilities of the Internet Protocol (IP) network to protect the call-processing devices.

Deploying across a data-only network infrastructure makes devices such as call servers, desktop video teleconferencing (VTC) units, and UC/VVoIP endpoints more accessible to malicious cyber actors. Compromises of the call-processing network are performed using the same tools used to compromise data-only networks and related peripherals (e.g., PCs, smartphones, printers, switches, routers). In addition, malicious actors can connect to the UC/VVoIP call-processing infrastructure using the data network infrastructure. Separating the UC/VVoIP call-processing and data-only infrastructures makes penetrating the UC/VVoIP systems harder. Virtual local area networks (VLANs) allow multiple networks to use the same physical layer 2/3 medium (e.g., switches, routers) but remain logically separated.

Because UC/VVoIP endpoint calls in UC/VVoIP systems are carried over more accessible data networks than the traditional public switched telephone network (PSTN), eavesdropping is more of a risk. While it cannot eliminate the risk altogether, network security can help make eavesdropping more difficult.

In addition, the data-only network infrastructure must now meet the same reliability and quality of service (QoS) requirements as the UC/VVoIP call-processing network. Ensuring a secure deployment of UC/VVoIP systems and devices across the data network in a way that also ensures high availability requires redundancy, data backups, power backups, and physical protection of the network.

Figure 1: Logical view of a UC/VVoIP system following NSA guidelines

Accessibility and network separation

Physical convergence of voice/video technology across a data network is an advantage of UC/VVoIP call-processing systems. However, placing UC/VVoIP systems and data systems on the same network means both technologies are now susceptible to the same techniques and accessible by the same malicious actors. Once an actor has penetrated the network, both data services and UC/VVoIP call processing will be available for exploitation. This violates the basic defense-in-depth principle, because vulnerabilities in one part of the network should not make another part of the network vulnerable. The border between the voice/video network and the data network should be treated as untrusted and secured accordingly. They should not be freely accessible to each other. Access from the data network to the UC/VVoIP network should be denied unless explicitly allowed. The converse, from the UC/VVoIP network to the data network, should also be enforced.

Mitigations

By using VLAN technology, lateral movement between the data network and the UC/VVoIP network can be limited, even though both networks share the same physical network. While VLANs were not designed as security mechanisms, they can be used to enable security features, such as placing access controls on the type of traffic that is allowed on specific VLANs. VLANs allow UC/VVoIP traffic to be isolated from data traffic and vice versa, while enabling any interactions between them to be tightly controlled. This limits the reconnaissance a malicious actor can perform from one network to the other and limits the protocols they can exploit.

Place all network devices not specifically used to support UC/VVoIP—such as PCs, file servers, and email servers—on data VLANs. UC/VVoIP devices should be placed on different VLANs according to their role in the network. Limiting each VLAN to groups of similar devices and protocols makes the development, implementation, and management of security features much easier. UC/VVoIP servers should be placed in different VLANs depending on the UC/VVoIP protocol they implement. As an example, all H.323 servers should be placed in an H.323-only VLAN, and all Session Initiation Protocol (SIP) servers should be placed in a SIP VLAN. If a single server implements multiple protocols, its network interface card (NIC) should support IEEE 802.1Q VLAN tagging so the server can participate in multiple VLANs. The UC/VVoIP network and the data network should have their own servers for standard network support services like the Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and Network Time Protocol (NTP).
This is necessary because traffic from these services should not have to cross the boundary between UC/VVoIP and data VLANs.

Dividing the network into multiple VLANs does not provide any benefit if the traffic between the VLANs is not restricted. As traffic enters the network through the border router, the border router only performs stateless packet filtering on the traffic due to routing load. Starting at the session border controller (SBC), control traffic between UC/VVoIP VLANs with stateful packet filtering devices. Configure the access control lists (ACLs) on the stateful packet filtering devices to allow UC/VVoIP endpoints to connect only to the UC/VVoIP servers the endpoints need to function, and vice versa. Filter based on IP address, port number, and transport protocol instead of on port number alone. Only allow the protocols necessary for operation through the filter. Everything else should be denied.

Use an application-layer firewall to separate the UC/VVoIP VLANs from the data VLANs. The application-layer firewall will function as a checkpoint for all traffic between the UC/VVoIP and data networks. No traffic should be allowed directly between the UC/VVoIP VLAN-segmented network and the data VLAN-segmented network without being examined at the application layer by either the firewall or a proxy device in the demilitarized zone (DMZ). Only necessary protocols should be allowed through the firewall.

Some devices, such as unified messaging servers, fulfill roles on both networks and thus need access to both the data and UC/VVoIP VLANs. Place these devices in the DMZ managed by the application-layer firewall.

Call eavesdropping protections

Unencrypted voice and video communication is susceptible to eavesdropping when conversations travel over an IP network. Commercial tools exist that allow media streams to be reconstructed if packets can be captured, even when using proprietary coder-decoders (codecs). Network-layer security protections may not be able to prevent call eavesdropping completely, but they can make it much more difficult.

Mitigations

The best mitigation against eavesdropping is encrypting all voice and video traffic end-to-end. Additionally, access to the traffic can be limited by enabling port security on all switches.
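The default-deny, stateful filtering between UC/VVoIP VLANs recommended under Accessibility and network separation above, modelled as an added example. This is not code from the report; the addressing, VLAN layout and rule set are constructed assumptions. It also contrasts the 5-tuple match with the port-only match the report warns against.

```python
# Added example, not part of the NSA report: a model of the stateful,
# default-deny filtering between UC/VVoIP VLANs that the report recommends,
# matching on address, transport protocol and port rather than port alone.
# All addresses and the rule set are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    """Permit rule on source network, destination network, protocol and
    destination port (the client's source port is ephemeral, so it is not
    part of the rule)."""
    src_net: str
    dst_net: str
    proto: str
    dport: int

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and p.proto == self.proto
                and p.dport == self.dport)


# Constructed addressing: SIP phones on one VLAN, SIP servers on another,
# and the voice VLAN's own DNS and NTP servers (not the data network's).
PHONES = "10.10.20.0/24"
SIP_SERVERS = "10.10.30.0/24"
VOICE_DNS = "10.10.30.11/32"
VOICE_NTP = "10.10.30.10/32"

VOICE_RULES = [
    Rule(PHONES, SIP_SERVERS, "tcp", 5061),  # SIP over TLS
    Rule(PHONES, VOICE_DNS, "udp", 53),
    Rule(PHONES, VOICE_NTP, "udp", 123),
]


class StatefulFilter:
    """Default deny. A packet passes only if a rule explicitly permits it
    (which records the flow) or if it is the reply to a recorded flow."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def permit(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reply = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.flows or reply in self.flows:
            return True
        if any(r.matches(p) for r in self.rules):
            self.flows.add(key)
            return True
        return False


def port_only_permit(p: Packet, open_ports=frozenset({53, 123, 5061})) -> bool:
    """The weaker filter the report warns against: port number alone."""
    return p.dport in open_ports


if __name__ == "__main__":
    f = StatefulFilter(VOICE_RULES)
    phone_to_sip = Packet("10.10.20.15", 40000, "10.10.30.5", 5061, "tcp")
    data_host_to_sip = Packet("10.20.1.7", 40000, "10.10.30.5", 5061, "tcp")
    print("phone -> SIP/TLS:", f.permit(phone_to_sip))                                          # True
    print("server reply on that flow:", f.permit(Packet("10.10.30.5", 5061, "10.10.20.15", 40000, "tcp")))  # True
    print("data host -> SIP/TLS, 5-tuple filter:", f.permit(data_host_to_sip))                  # False
    print("data host -> SIP/TLS, port-only filter:", port_only_permit(data_host_to_sip))        # True
```

The data-VLAN host is refused by the 5-tuple filter because no rule names its source network, while the port-only filter lets it reach the SIP server simply because 5061 is open; the stateful table lets the server's reply back to the phone without needing a server-to-phone rule, so unsolicited server-initiated connections toward phones stay denied.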
Port security restricts access to the network at layer 2 by limiting which MAC addresses are allowed on a switch port. If a rogue device connects to a port with port security enabled, the switch disables the port and does not grant the rogue device access to the network. IEEE 802.1X port-based authentication should also be enabled to force clients to authenticate before they are allowed onto the network.

Physical access protections

With physical access to equipment, a malicious actor can disable the network, eavesdrop, and otherwise compromise the UC/VVoIP call-processing system. Most digital safeguards on the network are meaningless if an intruder gains physical access to the equipment being protected. With physical access to equipment, malicious actors can often use a simple USB device to install malware. Backdoors can be installed, or entire databases containing sensitive information can be downloaded. For these reasons, it is imperative to put physical protections for the equipment in place.

Mitigations

Grant physical access to network hardware only to authorized personnel. Place network hardware in a locked, restricted, and controlled area. A log with timestamps of personnel accessing these areas should be kept, if possible. The hardware should be kept in cabinets that can be locked. The cabinets should remain locked unless there is a need for authorized personnel to physically access the equipment. Video cameras should also be installed to provide video surveillance of the restricted areas if practicable.

Network availability protections

Denial of service (DoS) impacts take many forms and are difficult to prevent. DoS effects can be triggered by software vulnerabilities to disable UC/VVoIP devices, consume resources on a UC/VVoIP server, or consume excessive amounts of network bandwidth. The first two types are addressed by using trusted software and staying current on patching. However, over-consumption of network bandwidth can often be addressed at the network level.

There are also environmental factors that can disable or degrade availability of the network. Power outages are an example of such a factor. These events must also be taken into account.

Mitigations

DoS techniques using network bandwidth can directly target UC/VVoIP devices. Limiting the rate of traffic to UC/VVoIP VLANs can reduce the effects of such DoS attempts coming from outside the UC/VVoIP call-processing network. When designing the UC/VVoIP call-processing network, determine the number of simultaneous incoming external calls that can be handled without detrimentally affecting the ability to place internal calls. Use network perimeter devices such as firewalls, SBCs, and filtering routers to limit the bandwidth allocated to incoming external calls. These perimeter devices typically have built-in features that detect and limit DoS attempts. This reduces the amount of network traffic allowed into UC/VVoIP call-processing VLANs.
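Working out the number of simultaneous external calls, and therefore the inbound bandwidth cap to configure on the perimeter device, as an added example. This is not from the report; the codec payload rates and RTP/UDP/IP header sizes are the standard values, while the link rate, the share of the link budgeted for media and the number of internal calls reserved are constructed assumptions.

```python
# Added example, not from the NSA report: sizing the per-direction bandwidth
# a perimeter device (firewall, SBC, filtering router) should allot to
# incoming external calls so that internal calls keep working.  The codec
# and header sizes are standard; the link size, media share and number of
# reserved internal calls are constructed assumptions.
RTP_HEADER = 12
UDP_HEADER = 8
IPV4_HEADER = 20
ETHERNET_OVERHEAD = 38  # 14 header + 4 FCS + 8 preamble/SFD + 12 inter-frame gap


def media_bps_per_direction(codec_bps=64000, ptime_ms=20, include_ethernet=False):
    """Bits per second consumed by ONE direction of one RTP media stream.
    codec_bps: payload rate (G.711 = 64000, G.729 = 8000).
    ptime_ms: packetization interval (20 ms is the usual default)."""
    payload_bytes = codec_bps * ptime_ms // 8000      # audio bytes per packet
    packet_bytes = payload_bytes + RTP_HEADER + UDP_HEADER + IPV4_HEADER
    if include_ethernet:
        packet_bytes += ETHERNET_OVERHEAD
    packets_per_second = 1000 // ptime_ms
    return packet_bytes * 8 * packets_per_second


def external_call_budget(link_bps, reserved_internal_calls, codec_bps=64000,
                         ptime_ms=20, media_share=0.75):
    """Return (max_external_calls, bps_to_allow_inbound).

    A call occupies media_bps_per_direction() in each direction of a
    full-duplex link, so the per-direction link rate is the constraint.
    Only media_share of the link is budgeted for media (the rest is left
    for signalling, management and data); internal calls are reserved first."""
    per_call = media_bps_per_direction(codec_bps, ptime_ms)
    total_calls = int(link_bps * media_share) // per_call
    external = max(total_calls - reserved_internal_calls, 0)
    return external, external * per_call


if __name__ == "__main__":
    print("G.711/20 ms, one direction:", media_bps_per_direction(), "bps")            # 80000
    print("G.729/20 ms, one direction:", media_bps_per_direction(codec_bps=8000), "bps")  # 24000
    calls, cap = external_call_budget(link_bps=10_000_000, reserved_internal_calls=20)
    print("10 Mb/s link, 20 internal calls reserved:", calls, "external calls,",
          "rate-limit inbound media to", cap, "bps")                                  # 73, 5840000
```

The point of the calculation is that the inbound limit is derived from what the internal calls need, not from what the link can carry: a flood of inbound INVITEs or media beyond the cap is dropped at the perimeter before it can starve internal calls of bandwidth.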

UC/VVoIP protocols are time-sensitive and vulnerable to jitter, latency, and packet loss. UC/VVoIP traffic should not be delayed by lower-priority traffic. There are mechanisms available to classify and prioritize traffic traversing the network; one of these is QoS. QoS should be enabled on network hardware that routes UC/VVoIP call-processing traffic, and that traffic should be given a higher priority than less time-sensitive traffic.

To guard against power outages, a backup power source should be installed. UC/VVoIP endpoints receive power over the network cable using Power over Ethernet (PoE) technology. To ensure telephone service in the event of a power outage, any network hardware device that provides PoE to any UC/VVoIP client should be attached to a backup power source.

Network services and protocols protections

Many network-based services are required to maintain secure, enterprise-wide UC/VVoIP call processing. This section covers three of them: DHCP, DNS, and NTP.

DHCP

DHCP is most often used to assign network settings such as IP addresses, DNS name servers, and gateway routers to UC/VVoIP clients. DHCP is a good option for assigning IP addresses to UC/VVoIP endpoints and other peripheral IP devices. The other option is to statically assign IP addresses, but that comes with a higher administrative burden, as each IP address must be manually assigned to each device. Implementation of DHCP requires careful consideration because DHCP is inherently vulnerable. It does not possess security features such as authentication and encryption, which are prevalent in modern protocols. A rogue DHCP server can connect to the network and provide network settings to a UC/VVoIP endpoint, which could result in a DoS effect or man-in-the-middle interception. In addition, a malicious DHCP client can also cause a DoS effect by continuously requesting IP addresses until the DHCP pool is exhausted. Without an IP address, phone service is unavailable.

Mitigations

Since UC/VVoIP deployments may contain hundreds or thousands of endpoints needing IP addresses, DHCP may be the only reasonable solution for assigning IP addresses. Manually assigning IP addresses does not scale well in larg
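The two DHCP abuses described above, a rogue server answering endpoints and a client draining the address pool, are what DHCP snooping on the access switches is meant to stop (OFFER/ACK accepted only on trusted ports, DISCOVER rate-limited per port). As an added detection example, not from the report, the script below finds both patterns in constructed log lines; the log format, the authorized server address and the per-port threshold are assumptions.

```python
# Added example, not from the NSA report: detecting the two DHCP abuses the
# report describes, a rogue server answering clients and a client exhausting
# the pool, from constructed log lines.  The log format, the authorized
# server address and the per-port threshold are assumptions.
import re
from collections import defaultdict

AUTHORIZED_DHCP_SERVERS = {"10.10.30.20"}   # assumed voice-VLAN DHCP server
MAX_CLIENT_MACS_PER_PORT = 2                 # a phone plus one daisy-chained PC

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<msg>DHCP[A-Z]+)\s+(?P<kv>.*)$")

# Constructed sample: a normal exchange on Gi1/0/3, a rogue server on Gi1/0/12,
# and a burst of spoofed client MACs (pool starvation) on Gi1/0/7.
SAMPLE_LOG = """\
2021-06-15T10:00:01 DHCPDISCOVER port=Gi1/0/3 client_mac=00:1b:4f:00:00:01
2021-06-15T10:00:01 DHCPOFFER port=Gi1/0/24 server_ip=10.10.30.20 client_mac=00:1b:4f:00:00:01
2021-06-15T10:00:02 DHCPOFFER port=Gi1/0/12 server_ip=10.10.20.99 client_mac=00:1b:4f:00:00:01
2021-06-15T10:00:05 DHCPDISCOVER port=Gi1/0/7 client_mac=02:00:00:00:00:01
2021-06-15T10:00:05 DHCPDISCOVER port=Gi1/0/7 client_mac=02:00:00:00:00:02
2021-06-15T10:00:05 DHCPDISCOVER port=Gi1/0/7 client_mac=02:00:00:00:00:03
2021-06-15T10:00:06 DHCPDISCOVER port=Gi1/0/7 client_mac=02:00:00:00:00:04
2021-06-15T10:00:06 DHCPACK port=Gi1/0/24 server_ip=10.10.30.20 client_mac=02:00:00:00:00:01
"""


def parse(line):
    """Turn one log line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(field.split("=", 1) for field in m["kv"].split())
    rec["ts"], rec["msg"] = m["ts"], m["msg"]
    return rec


def rogue_offers(log):
    """(timestamp, server_ip, port) for OFFER/ACK messages from any server
    that is not an authorized DHCP server.  With DHCP snooping enabled these
    are the messages the switch drops when they arrive on untrusted ports."""
    hits = []
    for rec in filter(None, map(parse, log.splitlines())):
        if rec["msg"] in ("DHCPOFFER", "DHCPACK") \
                and rec.get("server_ip") not in AUTHORIZED_DHCP_SERVERS:
            hits.append((rec["ts"], rec["server_ip"], rec.get("port")))
    return hits


def starvation_ports(log, limit=MAX_CLIENT_MACS_PER_PORT):
    """Ports that sourced DISCOVER/REQUEST from more distinct client MACs
    than a single endpoint port should; the signature of pool exhaustion
    by MAC spoofing, which a per-port DHCP snooping rate limit caps."""
    macs = defaultdict(set)
    for rec in filter(None, map(parse, log.splitlines())):
        if rec["msg"] in ("DHCPDISCOVER", "DHCPREQUEST") and "port" in rec:
            macs[rec["port"]].add(rec["client_mac"])
    return {port: len(s) for port, s in macs.items() if len(s) > limit}


if __name__ == "__main__":
    print("rogue servers:", rogue_offers(SAMPLE_LOG))      # [('2021-06-15T10:00:02', '10.10.20.99', 'Gi1/0/12')]
    print("starvation:", starvation_ports(SAMPLE_LOG))      # {'Gi1/0/7': 4}
```

Both findings map directly onto switch configuration: the port the rogue offers arrived on should never be a DHCP-snooping trusted port, and the port sourcing dozens of client MACs is the one whose snooping rate limit (or port-security MAC limit) should have tripped.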
