Posted: June 21st, 2022
Very detailed, no plagiarism or copying from the Chegg site, and the last question very interactive.
ISEC 610 Homework 6
Provide a summary of the network-, server-, appliance-, and protocol-level security vulnerabilities of VoIP networks, and the remediation actions for them, in the following format. Provide as many as you can by reviewing your textbook and Internet resources for the latest attack types.
Provide a summary of the common risks and security features of mobile devices. Summarize the common inherent security problems of IoT devices.
Question 3 – Weekly learning and reflection
In two to three paragraphs of prose (i.e., sentences, not bullet lists) using APA style citations if needed, summarize and interact with the content that was covered this week in class. In your summary, you should highlight the major topics, theories, practices, and knowledge that were covered. Your summary should also interact with the material through personal observations, reflections, and applications to the field of study. In particular, highlight what surprised, enlightened, or otherwise engaged you. Make sure to include at least one thing that you’re still confused about or ask a question about the content or the field. In other words, you should think and write critically not just about what was presented but also what you have learned through the session. Questions asked here will be summarized and answered anonymously in the next class.
25 Securing Mobile Devices
This chapter focuses on mobile platforms such as smartphones and tablets—
devices that contain computing functionality along with messaging and voice
capabilities. Typically including substantial storage capacity as well, these devices
represent a blended threat to the enterprise—through data leakage, malware,
unauthorized applications, and inappropriate access.
Many mobile devices such as smartphones and tablets are typically designed
from a consumer perspective. They’re meant to be user friendly, and they
typically come with a built-in security model as part of the operating system to
protect the user from a variety of threats. They are productivity-focused first, and
security is only a secondary consideration. They do have some built-in security
In this chapter, we will first look at the key risks associated with mobile
devices, both to the devices themselves as well as to the applications that run on
those devices—because a clear understanding of the risks is necessary before you
can determine the appropriate countermeasures. We’ll then examine the built-in
security features of today’s most common mobile platforms, followed by a look at
the enhanced security capabilities that you can gain from third-party mobile
device security management platforms.
Mobile Device Risks
Security risks that affect mobile devices fall into two categories:
•Device risks, which are based on the fact that today’s smartphones and tablets
are a new breed of powerful computer with capabilities of local and cloud-based
storage, and enterprise organizations have less control over these than they do
with more traditional, well-understood desktop and laptop computers.
•Application risks, which originate from third-party apps installed by end users,
apps that often can access corporate data, store it on the device, and upload it
outside the corporate perimeter.
Because smartphones and tablets are basically computers under the hood, they
are susceptible to the same threats as computers. These threats can exploit
vulnerabilities in the underlying operating system to cause data loss and theft,
changes to settings, denial of service, intrusions into protected internal networks,
and the like.
Malware can infect smartphones and tablets just like computers. Malware can
form the platform on which attackers can perform network intrusions and data
theft. A compromised mobile device makes an excellent tool for breaking into a
network and stealing data, especially if it’s not perceived as a significant threat
within an organization and, therefore, not protected as well as a computer
The following sections discuss other threats against devices.
Modern smartphones, cameras, and tablets contain large amounts of flash
memory and are accessible via USB, allowing data thieves to copy files
unobtrusively. Mobile devices have so much storage capacity that they can be
used to steal all the data in many organizations. Data storage on mobile devices
makes it so easy to bulk-download huge amounts of data—like fishing with a
gigantic net—that data thieves are sure to find valuable intellectual property
strewn among the files they collect. These devices can pose a significant risk to an
organization’s data because they are less “obvious” than a hard drive or memory
stick, and any stolen data hiding on them can be hard to detect. The onboard
memory storage on mobile devices typically allows them to be mounted as a
storage device on any computer. This means they can be used to copy data, which
can then be stolen or misused. Once the data gets on the mobile device, it is much
harder for organizations to control. Data can also be stolen or misused through e-
mail attachments and other applications.
As with any computing platform that provides access to data and resources based
on end-user credentials involving a password, mobile devices provide a path of
attack to any resource the user has access to, if the attacker can guess or intercept
the user’s password. This is especially significant for e-mail because getting into a
smartphone or tablet and reading e-mail is relatively easy if you have the
password (or PIN).
Similar to man-in-the-middle attacks discussed in Chapter 2, Wi-Fi hijacking is
done by malicious attackers through the use of free Wi-Fi hotspots set up in
public places where end users would expect to find free wireless—airports, coffee
shops, parks, and downtown areas. These hotspots, however, are often monitored
by attackers looking to harvest personal information, financial data, and
Mobile devices can be used to “tether” a computer or otherwise act as a wireless
network that computers around them can use to access the Internet, just like a
regular Wi-Fi or Bluetooth access point. Attackers nearby could also connect to
the hotspots created by these mobile devices for the end user’s personal use,
without the user’s knowledge, and they can then launch attacks against the local
network and its devices.
Because smartphones contain both networking and voice capabilities, the
network can be used to compromise the voice function. Cellular calls can be
intercepted by a network attacker who compromises the smartphone. These
attacks may exploit vulnerabilities in the underlying hardware of the
smartphone, such as the hardware and firmware used by iPhone and Android
devices. Attacks such as these use the smartphone’s baseband processor to
subvert it into a listening device that allows the intruder to eavesdrop on
conversations, even when a call is not in progress, by using the built-in
Bluetooth Snooping and Fuzzing
Most end users leave their Bluetooth device PINs set at the default PIN (and they
are nearly always set to 0000 or 1234). Even advanced technical specialists may
not know how to change these codes without a lot of research. As a result, an
attacker can easily pair with a phone or a device and use that connection to steal
or intercept data (or eavesdrop on calls). In addition, a type of attack known as
“fuzzing” can be performed via Bluetooth pairing. A fuzzing attack takes
advantage of inherent software vulnerabilities in Bluetooth devices by sending
invalid data to cause abnormal behavior such as crashing, privilege escalation,
and intrusions that can implant malware.
Third-party apps for mobile devices are written by people you don’t know, in
environments you can’t control, and you have no visibility into their process,
development lifecycle, or quality control. Just about anybody can upload an app
to an application store. These apps can be malicious, or they can intentionally or
unintentionally “work around” the security policies and standards that have been
established within your organization.
The following sections discuss risks associated with these apps.
Just as with PCs, seemingly useful applications can be infected with malware.
They can be either realistic-looking apps that compromise the mobile device
directly, or actual apps that contain hidden code that may take over the phone at
a later time. As early as March 2011, a malware outbreak involving a Trojan
called DroidDream took place because the Trojan was hidden in dozens of apps,
some of which were legitimate and productive and available in the authorized
Android Market (now called Google Play).
Hidden Malicious URLs
URL-shortening or redirection is a common method of including a link in a
message or web page without filling the screen with complicated location
information. This makes seeing the end point location impossible until the user
clicks the link to find out where it goes. In addition, the link text that appears on
the screen may be different from the actual link embedded inside page code,
especially in e-mail messages. Attackers can use this technique to send people to
malicious web sites. On mobile devices, it can be very difficult to validate links
before visiting them, unlike on computers where hovering the mouse pointer
over the link text shows the actual link location.
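The two tricks described above, link text that differs from the real target and shorteners that hide the end point, can both be caught before a link is followed. The following is an added example, not code from the textbook: a small inspector that parses an HTML message body, compares the host shown in the visible link text with the host in the href, and flags shortener domains. The list of shortener hosts and the sample message are constructed for illustration.

```python
"""Inspect anchors in an HTML message for hidden or disguised destinations.
Added example; the shortener list and the sample message are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, illustrative list of URL-shortener hosts (not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; a scheme is assumed if none is present."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def inspect_links(html):
    """Return findings as (href, visible_text, reason) tuples."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        if href_host in SHORTENER_HOSTS:
            findings.append((href, text, "shortener hides the final destination"))
        # Visible text that itself looks like a URL must agree with the href host.
        if "." in text and " " not in text:
            text_host = host_of(text)
            if text_host and text_host != href_host:
                findings.append((href, text, "visible link text points to a different host"))
    return findings


# Constructed sample message body in the style of a phishing e-mail.
SAMPLE_MESSAGE = """
<p>Your account needs verification. Visit
<a href="http://login.evil.example.net/verify">https://www.example-bank.com/login</a>
or use our short link <a href="http://bit.ly/abc123">http://bit.ly/abc123</a>.
Questions? <a href="https://support.example-bank.com">Contact support</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in inspect_links(SAMPLE_MESSAGE):
        print(f"{reason}: text={text!r} href={href!r}")
```

The same check can be run by a mail gateway or a mobile mail client before rendering the message, which gives mobile users the equivalent of hovering over a link on a desktop.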
Phishing on mobile devices represents exactly the same risk as with computers.
Phishing uses the classic technique of sending e-mail containing a malicious
attachment or web link, along with some fake but realistic-looking message to
trick the end user into opening the attachment or link. This technique is used to
steal personal information such as bank account numbers, credit card numbers,
or usernames and passwords.
Similar to phishing, smishing uses SMS text messages to lure unsuspecting end
users into calling a voice number to give personal information. These text
messages contain a realistic-seeming (and urgent) request to confirm details for
security reasons or to confirm a purchase, refund, or payment.
Modern automobiles have become computerized, networked, interconnected,
and interoperable with smartphones. As a result, attacks against the smartphone
can give attackers the ability to remotely start, unlock, track, or operate a vehicle
associated with the compromised smartphone. These attacks have been
dubbed war texting.
Mobile Device Security
There are several ways to combat the risks posed by mobile devices. Some are
inherent in the devices themselves—selectable by the end users, generally
intended to protect the user him- or herself (as opposed to the organization).
Others are centrally mandated by an organization’s IT department to enforce
security settings before a device can be connected to the organization’s network.
Built-in Security Features
The most common devices today, based on Apple iOS and Google Android,
associate with application stores that are intended to provide a method by which
developers are supposed to be validated and their apps reviewed by Apple or
Google before they are posted for download. Additionally, iOS and Android as an
operating system are designed to isolate apps from one another on the device, so
that, unless the user allows, apps are prohibited from sharing data with one
another. The intention behind this configuration is that if a rogue or malicious
app were to be downloaded to the device, exposure would be limited to that app
only, and the rogue app would be unable to harvest data from another app on the
Jailbreaking iOS devices or rooting Android devices to bypass the inherent
controls within the operating system software breaks this model, circumventing
the intended application isolation. For this reason jailbroken and rooted devices
pose a significant threat to an enterprise corporate network. If the security of a
mobile device is suspect, both the data on the device, and any network the mobile
device is accessing, are at risk.
Once a device is jailbroken or rooted, users can download or sideload third-
party apps from other services outside of the Apple AppStore, Google Play, or
Android market. Sideloading means installing an app that was not obtained from
the official app source onto a mobile device (especially an Android device).
Because the integrity of these third-party applications has not been vetted, the
user may knowingly or unknowingly download a malicious app that can steal
information and data from the device or possibly the corporate network to which
it is attached.
Mobile Device Passwords
Many devices (including Windows Mobile, Palm, Apple iOS, and Android) provide
the option to set a PIN or password on the device, allowing the device’s owner to
protect it from others who may want to access the data on the device. But you can
also enable encryption on the device, as is the case with most newer iOS devices.
Many mobile device manufacturers also provide enhanced features for setting
passwords as well, including but not limited to
•Screen-lock grace period
•Number of allowed failed login attempts
Many regulatory and industry compliance frameworks (along with generally
recommended best practices) require mandatory passwords, minimum password
lengths, password complexity, password history, screen locks, and other built-in
security settings. Within an organization, a mobile device hardening standard
should be used to specify the options that are required for securely deploying
mobile devices. Many mobile device management and security vendors give
organizations the ability to enforce standardized security settings on devices.
These policies should not only be enforced, but also monitored to determine if
any user has manually disabled a required setting on the device. If a device is
found to be out of compliance with an organization’s policies, the device should
be quarantined by the security management product and the user required to
take appropriate steps to correct the security settings on the device, or to wipe it
to provide a clean install base.
It’s also important to note that a four-digit PIN is not inherently secure and
can be brute-forced. For example, at Defcon 20 in 2012, viaForensics
demonstrated that Android encryption could be bypassed using a PIN/password
brute-force tool.1 Therefore, passwords or alphanumeric passcodes are strongly
preferred over PINs.
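The hardening standard, compliance monitoring and quarantine decision described above, together with the point about four-digit PINs, can be expressed as a simple check over the device records an MDM exports. The following is an added example and not code from the textbook or from any MDM vendor: the record fields, the standard's values and the sample inventory are constructed assumptions. The keyspace helper shows why the standard prefers alphanumeric passcodes over numeric PINs.

```python
"""Check exported MDM device records against a mobile device hardening
standard and decide which devices to quarantine.  Added example; the record
fields, the standard's values and the sample inventory are constructed
assumptions, not any vendor's API or data."""
from dataclasses import dataclass


@dataclass
class HardeningStandard:
    min_passcode_length: int = 6
    require_alphanumeric: bool = True       # alphanumeric passcodes preferred over PINs
    max_failed_attempts: int = 10           # lock or wipe after this many failures
    max_grace_period_minutes: int = 5       # screen-lock grace period
    require_encryption: bool = True
    allow_jailbroken_or_rooted: bool = False


def passcode_keyspace(length, alphanumeric):
    """Number of distinct passcodes: 10 symbols per position for a numeric PIN,
    62 (a-z, A-Z, 0-9) per position for an alphanumeric passcode."""
    return (62 if alphanumeric else 10) ** length


def check_device(record, std):
    """Return the list of policy violations for one device record
    (an empty list means the device is compliant)."""
    violations = []
    if not record["passcode_set"]:
        violations.append("no passcode or PIN set")
    else:
        if record["passcode_length"] < std.min_passcode_length:
            violations.append(
                f"passcode length {record['passcode_length']} below {std.min_passcode_length}")
        if std.require_alphanumeric and not record["passcode_alphanumeric"]:
            violations.append("numeric PIN used where an alphanumeric passcode is required")
    # None models "no limit" on failed unlock attempts.
    limit = record["max_failed_attempts"]
    if limit is None or limit > std.max_failed_attempts:
        violations.append("failed-attempt limit missing or too high")
    if record["grace_period_minutes"] > std.max_grace_period_minutes:
        violations.append(f"screen-lock grace period {record['grace_period_minutes']} min too long")
    if std.require_encryption and not record["storage_encrypted"]:
        violations.append("storage encryption disabled")
    if record["jailbroken_or_rooted"] and not std.allow_jailbroken_or_rooted:
        violations.append("device is jailbroken or rooted")
    return violations


def triage(inventory, std):
    """Map each device id to 'compliant' or 'quarantine: <reasons>'."""
    result = {}
    for rec in inventory:
        violations = check_device(rec, std)
        result[rec["id"]] = "compliant" if not violations else "quarantine: " + "; ".join(violations)
    return result


# Constructed sample inventory in the shape an MDM export might take.
SAMPLE_INVENTORY = [
    {"id": "ipad-0001", "passcode_set": True, "passcode_length": 8, "passcode_alphanumeric": True,
     "max_failed_attempts": 10, "grace_period_minutes": 1, "storage_encrypted": True,
     "jailbroken_or_rooted": False},
    {"id": "android-0002", "passcode_set": True, "passcode_length": 4, "passcode_alphanumeric": False,
     "max_failed_attempts": None, "grace_period_minutes": 30, "storage_encrypted": False,
     "jailbroken_or_rooted": False},
    {"id": "iphone-0003", "passcode_set": True, "passcode_length": 6, "passcode_alphanumeric": True,
     "max_failed_attempts": 10, "grace_period_minutes": 5, "storage_encrypted": True,
     "jailbroken_or_rooted": True},
]

if __name__ == "__main__":
    std = HardeningStandard()
    for device, status in triage(SAMPLE_INVENTORY, std).items():
        print(device, status)
    print("4-digit PIN keyspace:", passcode_keyspace(4, False))
    print("6-character alphanumeric keyspace:", passcode_keyspace(6, True))
```

Running the check on a schedule, rather than only at enrollment, is what catches a user who later disables a required setting; the quarantine string is what an MDM would turn into a network-access block and a remediation notice to the user.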
Today many mobile devices provide built-in encryption, but the encryption
options are often disabled by default. iOS uses AES 256-bit hardware-based
encryption. Apple has stated that “burning these keys into the silicon prevents
them from being tampered with or bypassed, and guarantees that they can be
accessed only by the AES engine.”2 As an additional layer of security, Apple also
uses Data Protection, which protects flash memory and the hardware keys
(see Figure 25-1 for an example). Data Protection protects e-mail and attachments
by requiring the user to set a passcode on the device, either manually or one
imposed by the enforced security policy.
Figure 25-1 Enabling Data Protection on an iPad
Android provides AES 128-bit full-file-system encryption based on a key
derived from the user password or PIN. The Android encryption can be applied to
the device and, optionally, the SD card as well. The end user must enable the
encryption (see Figure 25-2). If a password or PIN has not been set yet, the user is
required to first set a device password or PIN before he or she can enable
encryption (as the password or PIN provides the seed for the encryption key), and
the user is then warned a final time before encryption is enabled (see Figure 25-3). As
an additional security measure, the organization’s administrator can
leverage the Android APIs to require passwords that meet specific complexity
Figure 25-2 Enabling encryption on Android
Figure 25-3 Android encryption warning
Samsung has a series of Samsung SAFE (Samsung Approved for Enterprise)
Android devices that provide enhanced security for the enterprise. These devices
use FIPS 140-2 compliant AES 256-bit encryption to protect the device. If enabled,
it requires a six-digit alphanumeric passcode, which can be enabled through the
MDM policy, Microsoft’s ActiveSync, or manually.3
Mobile Device Management (MDM)
Mobile Device Management (MDM) products fall into two main categories:
container-based and ActiveSync enhancements. These products rely on some of
the devices’ built-in capabilities, provided through vendor-issued APIs. Native
ActiveSync functions (including e-mail, calendar, contacts, notes, and tasks) can
be secured via MDM, along with additional security features such as application
restriction and tamper detection.
As organizations decide to limit access to applications and control how the
data is stored on mobile devices, investing in a Mobile Device Management
(MDM) platform becomes essential. An MDM can control which devices can
access specific applications on the corporate network. With MDM solutions,
organizations can perform the following activities:
•Device provisioning and configuration
•Encryption and password management
•Remote wipe and lock
MDM products can be characterized as consisting of a standardized set of
centrally managed capabilities, available over-the-air and wirelessly via both the
device’s data plan and over wireless networks that are allowed to connect to the
Internet. These capabilities include
•Policy management The consistent application of security settings across all
•Security management Enforcement of authentication, application controls, and
•Software management Deployment, management, update, deletion, and
blocking of applications on mobile devices
•Inventory management Tracking of devices, owners, and applications along
with remote support
•Remote provisioning and deprovisioning Automated setup of devices when
new users join the organization’s device pool and remote wipe (full or selective)
•Messaging control Restrictions and enforcement of settings for e-mail, calendar,
contacts, notes, and tasks
•Data Loss Prevention (DLP) The ability to detect and/or block certain types of
data from being sent and/or received via the device
These capabilities can be provided from within the organization, based on a
premise solution consisting of servers inside the organization’s network
configured to control the capabilities of mobile devices through ActiveSync or,
increasingly, through cloud or SaaS solutions available on the Internet or over-
The consistent application of security settings across all devices is a core common
requirement among all MDM products. The following settings can be managed
through MDM products:
•Password settings Password required, password complexity, password length,
password lifetime, number of passwords remembered, number of password
failures before lock, number of password failures before the device is wiped
•Services disabled POP and IMAP messaging and SMS and MMS messaging
•Functions disabled Removable storage, camera, Wi-Fi networking, infrared,
•Access disabled Access to ActiveSync
•Applications to block Blocking the execution of individual apps
•Privilege of applications Running apps under regular user or privileged account
•Roles Removing privileged role permission for the user
•Installation restrictions Blocking unsigned installations and blocking unsigned
•Encryption Device encryption, files excluded from encryption, storage device
•Mobile VPN settings Various location and encryption settings
•Software distribution settings Various settings to manage required applications
that must be installed on the device
•Certificates Removing unmanaged certificates
Digital certificates provide an alternative to password- or PIN-based encryption,
especially on tablets and smartphones, and they provide the foundation for
Mobile Device Management and security on Apple’s iOS and Google’s Android.
These certificates can be either user certificates or device certificates and they
can be used instead of LDAP usernames and passwords. As an added benefit, the
certificate can also be revoked if the user leaves the organization, thus revoking
access to the network or e-mail. Certificates can be deployed using an internal CA
such as Microsoft, an external CA such as Symantec/VeriSign, and a built-in CA,
which some MDM vendors offer as well.
Many enterprise networks are plagued by password policies requiring users
to change their password every 60 days. Transcribing these policies to a mobile
device could impact the password used for users’ VPN, Wi-Fi, and, in particular,
their ActiveSync e-mail. As a result, the help desk is overwhelmed with calls from
users who can no longer obtain their e-mail after their credentials expired. To
overcome this obstacle, many enterprises have leveraged the ease of deploying
certificates using their MDM product. Many MDM vendors provide integration
with a certificate authority (CA), enabling the use of Simple Certificate Enrollment
Protocol (SCEP) to allow the MDM product to generate a certificate for the user
and push it down to devices automatically (this process is illustrated in Figure 25-
Figure 25-4 Deploying certificates to mobile devices using SCEP
Security management controls provided by MDM solutions include enforcement
of authentication, application controls, and encryption.
Software management options provide control over deploying, managing,
updating, deleting, and blocking applications on mobile devices.
Asset management capabilities include tracking of devices, owners, and
applications along with remote support.
Remote Provisioning and Deprovisioning
Devices can be set up automatically when new users join the organization’s
device pool, and they can be remotely wiped (full or selective) upon termination.
MDM solutions provide secure channels and control over features of standard
office productivity tools by restricting and enforcing settings for e-mail, calendar,
contacts, notes, and tasks.
Data Loss Prevention (DLP)
Data leakage can occur in a variety of ways on a mobile device. Because mobile
devices may be connected to cellular networks, Wi-Fi networks, and Bluetooth
networks along with built-in cloud storage, they can pose a threat to the data
within an organization’s network—in some cases, without even the end user’s
knowledge or consent. To add to the problem, many apps offer data syncing as
part of their software capabilities as well. E-mail also poses a risk for data leakage
when users forward e-mails to other individuals, other personal e-mail accounts
resident on the device, or within third-party applications. In many cases, these
threats occur outside the boundaries of the corporate network and the defense-
in-depth deployed on those networks to prevent data leakage.
Fortunately, Mobile Device Management and security products provide the
means to deter many of these forms of data leakage, using data loss prevention
(DLP). Although not foolproof, they do provide a way to minimize the threat. For
example, Apple allows an administrator to either disable iCloud altogether on the
device, or on a per-app basis when managing iOS applications on the device. On
Android devices, as another example, the camera, Bluetooth, and Wi-Fi can be
Mobile devices that perform multiple functions, including voice communications,
applications, web browsers, and data storage, can represent a serious threat to
the enterprise. These devices are basically powerful computers that make
subverting and circumventing security controls easy.
Risks to mobile devices include the risks inherent in the devices themselves,
such as data theft and misuse, unauthorized access via weak passwords, and
network threats via Wi-Fi and Bluetooth. They also include risks within the apps
available to the mobile devices, including Trojans, malicious URLs, phishing,
smishing, and war texting.
These threats to smartphones and tablets can be mitigated with controls both
built into the devices themselves and available through third-party products.
Your organization can mandate the use of passwords and require that they be set
using stronger standards, use encryption for stored data, and deploy MDM
platforms to manage security settings in the enterprise. MDM capabilities include
policy management, security management, software management, inventory
management, remote provisioning and deprovisioning, messaging control, and
1 Thomas Cannon, “Into the Droid—Gaining Access to the Android User Data,” presented at Defcon 2012
in Las Vegas, Nevada, July 28, 2012, https://viaforensics.com/mobile-security-category/droid-gaining-
2 iOS Security, Apple, May 2012, http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf, p.
3 Samsung Approved for the Enterprise, www.samsung.
Voice over IP (VoIP) and PBX
Although often overlooked even by large organizations, the security of enterprise
voice, telephony, and streaming multimedia systems (such as video conferencing
and webcast and multicast systems) is a critical component of a sound overall
security strategy that deserves special consideration. Attackers have been
targeting computing systems for the last 25 years or so using intentionally
exploitative behavior such as hacking and denial of service attacks. However,
telephony exploits (originally referred to as phone phreaking but now included as
part of mainstream hacking) have been used by clever individuals and
organizations as far back as the 1960s to do everything from gaining free long
distance to secretly passing malicious data right under the sensorial noses of
otherwise diligent security systems. In the worst cases, both low-tech efforts
(cable cuts) and high-tech means (sophisticated SS7 protocol attacks, described in
further detail later in this chapter) have been used, sometimes in conjunction
with each other, to cause massive disruption of public telecommunications
network (PTN), up to and including the crippling or total disruption of critical
infrastructure emergency systems.
In the animal kingdom, the Monarch butterfly is not typically eaten by birds
and other would-be butterfly predators because it has a chemical in its body that
is poisonous and makes it taste horrible. The Viceroy Moth is not at all poisonous
and would be a nice snack for some of the same hunters, but it has adapted to
look almost identical to the Monarch—which makes it less likely to be eaten. By
camouflaging itself, an otherwise easy prey protects itself. Similarly, one of the
most practical approaches to both VoIP and non-VoIP telephony system security
is to make yourself the least attractive target. You should also consider the
different threat vectors from which an attacker may target the components of
your telephony infrastructure.
This chapter covers best practices for protecting voice communications. In
modern telecommunication infrastructures, many protocols are used, and nearly
all of them cross over onto the data communication network. There is no longer a
strict delineation between voice and data, and as a result, the risks to both data
networks and voice networks consist of a superset of the risks to each. We will
focus on the various components of modern telecommunication infrastructure,
the threats to those components both old and new, and best practices for securing
each of those components. We’ll also look at what can be done to protect hosted
telecom environments. Rounding up the technology perspective, we’ll consider
securing classic PBX-based telecom systems. Finally, we will look at telecom
expense management systems, and how they can complement security defenses
by providing the ability to detect security problems.
Today businesses of all sizes are compromised in a variety of ways through their
voice systems. Global telecom fraud costs a fortune for carriers and enterprises.
Surprisingly, many “tricks of the trade” from the early days of phone phreaking
still work and are used, often in alarmingly easy ways. When you layer a VoIP
system on top of an IP network, you combine the risks associated with both,
creating a superset of new risks as a result. Here are two examples:
•Many VoIP systems are server-based and rely on common operating systems
(mainly Windows and Linux) to run their hardware interface. Therefore, they are
susceptible to a class of problems that from a voice systems perspective were not
previously a threat.
•IP-based voice protocols, while providing low-cost, advanced end-user features
and reliable transport mechanisms for voice traffic, also give attackers a new
method for exploiting voice systems and additional avenues for compromising
data networks in general.
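The chapter notes that telecom fraud is costly and that expense-management data can be used to detect security problems. As an added example (not code from the textbook), here is a review of call detail records that flags the pattern a compromised extension typically produces: bursts of international calls outside business hours. The record format, the thresholds, the home country code and the sample records are all constructed assumptions; the "+999" country code is a reserved, unassigned code chosen so the sample numbers are fictitious.

```python
"""Flag suspicious calling patterns in call detail records (CDRs).
Added example; the CDR layout, thresholds and sample records are constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed CDRs: (extension, start time, dialed number, duration in seconds).
# "+999" is an unassigned country code, used here for fictitious destinations.
CDRS = [
    ("2101", "2022-06-20 10:15:00", "+1-212-555-0100", 240),
    ("2101", "2022-06-20 14:02:00", "+1-415-555-0133", 90),
    ("2340", "2022-06-21 02:10:00", "+999-61-5550101", 1800),
    ("2340", "2022-06-21 02:45:00", "+999-61-5550102", 1750),
    ("2340", "2022-06-21 03:20:00", "+999-61-5550103", 1700),
    ("2340", "2022-06-21 03:55:00", "+999-61-5550104", 1820),
    ("2210", "2022-06-21 09:30:00", "+44-20-7946-0958", 300),
]

HOME_COUNTRY_CODE = "+1"          # assumption: a North American enterprise
BUSINESS_HOURS = range(8, 19)     # 08:00 to 18:59 local time
MAX_INTL_CALLS_PER_DAY = 3        # assumed per-extension thresholds
MAX_INTL_SECONDS_PER_DAY = 3600


def is_international(number):
    """True when the dialed number is outside the home country code."""
    return not number.startswith(HOME_COUNTRY_CODE)


def flag_cdrs(cdrs):
    """Aggregate international calls per extension and day, then return
    findings as (extension, day, reason) tuples."""
    per_ext_day = defaultdict(lambda: {"calls": 0, "seconds": 0, "off_hours": 0})
    for ext, start, number, seconds in cdrs:
        if not is_international(number):
            continue
        when = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
        stats = per_ext_day[(ext, when.date().isoformat())]
        stats["calls"] += 1
        stats["seconds"] += seconds
        if when.hour not in BUSINESS_HOURS:
            stats["off_hours"] += 1

    findings = []
    for (ext, day), s in sorted(per_ext_day.items()):
        if s["calls"] > MAX_INTL_CALLS_PER_DAY:
            findings.append((ext, day, f"{s['calls']} international calls exceed {MAX_INTL_CALLS_PER_DAY}"))
        if s["seconds"] > MAX_INTL_SECONDS_PER_DAY:
            findings.append((ext, day, f"{s['seconds']} s of international calling exceed {MAX_INTL_SECONDS_PER_DAY}"))
        if s["off_hours"]:
            findings.append((ext, day, f"{s['off_hours']} international calls outside business hours"))
    return findings


if __name__ == "__main__":
    for ext, day, reason in flag_cdrs(CDRS):
        print(f"{day} ext {ext}: {reason}")
```

A single legitimate international call during office hours (extension 2210) produces nothing, while the overnight burst from extension 2340 trips all three thresholds; in practice the thresholds would be tuned per department and the findings fed to the same team that handles other security alerts.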
Consider the components of a modern enterprise IP-based phone or video
•Call control elements (call agents)
•Appliance or server-based call control—Internet protocol private branch
•Session border controllers (SBCs)
•Gateways and gatekeepers
•Multi-conference units (MCUs) and specialized conference bridges
•Other devices and specialized endpoints
•Soft clients and software endpoints
•Unified messaging (UM) integrated chat and voice clients
•Desktop video clients
•IP-based smartphone clients
•Contact center components
•Automated call distribution (ACD) and interactive voice response (IVR) systems
•Call center integrations and outbound dialers
•Call recording systems
•Call center workflow solutions
Also consider the variety of protocols that are used to run enterprise,
consumer, and carrier systems, each with their own unique behaviors,
vulnerabilities, and exploits. Here is an abridged list of protocols commonly used
on enterprise networks, the PTN, and Internet:
•H.248 (also known as Megaco)
•Media gateway control protocol (MGCP)
•Session initiation protocol (SIP)
•Skinny call control protocol (SCCP) and other proprietary protocols
•Session description protocol (SDP), real-time protocol (RTP), real-time control
protocol (RTCP), and real-time streaming protocol (RTSP)
•Secure real-time transport protocol (SRTP)
•Inter-Asterisk eXchange protocols (IAX and IAX2)
•T.38 and T.125
•Integrated services digital network (ISDN)
•Signaling system number seven (SS7) and SIGTRAN
•Short message service (SMS)
In traditional carrier networks (as defined by AT&T to support direct distance
dialing or DDD … this was “in the beginning” for telephony), switches were
defined by a class hierarchy that separated them into five different roles. This
standard was U.S.-centric, but most international models were similar or
identical—consider that the first European exchanges were opened under Bell
patents in London and Manchester in 1878.
•Class 1 International gateways handing off and receiving traffic from outside the
U.S. and Canadian networks
•Class 2 Tandem switches interconnecting whole regions
•Class 3 Tandem switches connecting major population centers within a region
•Class 4 Tandem switches connecting the various areas of a city or towns in a
•Class 5 Switches connecting subscribers and end-users
Anything below this level was considered a PBX (private branch exchange,
fully featured but owned and managed by a private entity) or key system (a
small, multiline system with typically fewer than 50 users). This architecture
allowed very close and effective control of toll centers and long distance, but
limited the availability of extended features such as least-cost routing. Large
companies with networked PBXs and many connections could use least-cost routing,
but it was complicated to set up and manage and, overall, was not really low-cost,
but merely lower cost. It was also primarily a closed system, using the SS7
protocol to manage call control effectively without significant security facilities—
owing to the lack of interaction with non-AT&T (or Bell)-controlled systems.
While this served the population well for many decades, some flaws in the
approach have required new thinking as these entities and the SS7 protocol were
brought into the IP world—many famous SS7 hacks and compromises illustrate
the weaknesses in the approach.
The portability of IP and flexibility of VoIP have allowed enterprises to
provide their own transport across significant geographical distances, as they are
no longer relegated to the functions and features of a PBX. A new set of security
and regulatory concerns not previously encountered has also been introduced.
Some of the main drivers behind the development of VoIP technology are the
opportunities for cost savings, from lowering the cost of structured cabling by
sharing Ethernet connections to advanced features like VoIP backhaul and global
These very same features have introduced new and significant challenges for
the enterprise trying to protect its intellectual property and maintain regulatory
and legal compliance. For example, there is a very thin line between “toll bypass”
(legal) and “toll evasion” (illegal), and businesses need to be mindful of any
regulations in their areas of operation prior to using these types of features.
Entire books are dedicated to understanding these nuances, but here is the
critical point to consider: today’s enterprise VoIP systems perform functions that
span all classes of the legacy switch hierarchy, from end-user connectivity to
international routing, including functionality previously reserved for Local
Exchange Carriers (LECs) and Competitive Local Exchange Carriers (CLECs), the
“official” telephone companies.
By taking a quick walk-through of the evolution of VoIP systems, you can easily
understand how the convergence of fixed wire line, wireless, and mobile
technologies has supported the rapid evolution of VoIP. Let’s examine how the
modern systems are constructed as a first step toward understanding how to
The call control element (the “brains” of the operation) of a VoIP system can be
either a purposed appliance, a piece of software that runs on a common or
specialized server operating system, or a piece of network hardware embedded
or integrated into another networking component such as a switch blade or
software module (soft switch).
In the enterprise, the original IP phone systems were traditional digital time-
division multiplexing (TDM) systems with an IP-enabled component, designed
like digital systems. They eventually evolved into full IP-based systems (IPPBX).
They have now evolved far beyond the early designs that mimicked the “old
thinking” of voice networks by leveraging the tools and resiliency available in IP
networking, high-availability server architecture, and virtualization.
Primarily responsible for call setup and teardown, signaling, device software
serving, and feature configuration, call control is one of the easier pieces of the
voice infrastructure to protect. This does not mean that security for this
component should be taken lightly. Call control is critical to the infrastructure,
particularly if any part of your business’s revenue is dependent on phone calls
(customer service, call centers, etc.). If your shop runs an IP phone system that
you manage internally, this hardware sits well within your physical and logical
security perimeter and should be relatively straightforward to secure. Following
best practices related to patching, backup, and configuration management is
paramount, but as long as this component is not exposed to the outside world, it
is a difficult target to all but internal threats.
If you use a hosted or SaaS-based VoIP system, take the time to analyze how
the provider manages security and ensure that its vulnerability management
program supports the level of risk you are willing to accept. Should your
enterprise require external services for any reason (users’ functional
requirements, you are a VoIP provider, etc.), there are special types of call control
elements such as session border controllers (SBCs) and voice proxies that are
designed to be exposed to or interface with systems under a different
administrative domain. Much like edge or border routers, these elements are
specifically designed to function as border elements interfacing with someone
else’s infrastructure, whether a B2B-type connection to a provider backbone or a
dial tone to customers via the Internet. SBCs can also perform functions
frequently required by regulations such as emergency call prioritization and
lawful intercept. It would be wise to use one of these (read: insane not to) and to
ensure they are hardened, particularly if you allow VoIP-to-PSTN calls.
Network access control lists (ACLs) and firewalls can be employed to help
protect these and other elements of the voice infrastructure that must be
exposed, and many advanced stateful firewalls now have built-in application-
level gateway (ALG) capabilities designed specifically for voice protocols. For
these elements, testing is required to ensure that the security elements function
and interact with the voice systems in the way that you expect and need them to.
More on why this is important in the next section about gateways.
Voice and Media Gateways and Gatekeepers
The voice (or media) gateway is the pathway to the outside world. This
component is what allows termination to a PSTN, transcoding between TDM and
IP networks, media termination, and other types of analog/digital/IP interface
required in today’s multimedia-rich IP infrastructures. Gateways are configured
to use dial peers (defined as “addressable endpoints”) to originate and receive
calls. Some gateways are directly managed by the call control elements via a
control protocol (MGCP or H.248), whereas others operate in a more independent,
stand-alone capacity (H.323 or SIP). Voice gateways can also run soft switches and
perform primary (or survivable) call processing or “all-in-one” functions, an
approach commonly used in the SMB space.
The critical piece to consider about voice gateways is that, in stark contrast to
the call control components, the gateways are nearly always exposed to the
outside world in some way. Although not universally true based on the specific
application, in an enterprise, voice gateways are the termination points for the
PSTN and, as such, need to be carefully protected. Always ensure strong
authentication methods are used to access the device itself, and pay special
attention to disabling unneeded services on a gateway, especially H.323 and SIP,
if they are not being used.
Some systems have these protocols enabled by default, which is a recipe for
disaster if they are exposed unprotected to the Internet. For example, even if you
are not running SIP on your network, a voice gateway with an Internet
connection, a PSTN connection, and SIP services enabled could fall victim to a dial
peer hack, which would allow attackers to compromise the router in such a
fashion that they could make calls to and from the router via the Internet or
PSTN, or bridge one to the other. This could, at best, be an inconvenience,
utilizing resources that would otherwise be available for legitimate purposes and,
at worst, embarrassing or damaging, incurring unanticipated costs in the form of
utilization and long distance. Depending on what country you are in, your local
LEC, CLEC, or ISP may or may not be obligated to help you track down this
fraudulent behavior, potentially leaving an enterprise stuck with huge costs.
Plugging the term “voice gateway hacked” into your favorite search engine will
turn up not only several clever methods for doing this, but also a slew of horror
stories from administrators managing devices that they thought were secure.
Gatekeepers, not to be confused with gateways, provide intelligence and
control certain routing and authentication, authorization, and accounting (AAA)
security functions. They can also perform and assist with certain types of address
translation, and can consolidate administrative control elements such as call
detail records (CDR), communication with monitoring and management systems,
and bandwidth management for a given zone (a term which is used here
generically for illustrative purposes, although “zone” is specific to H.323
terminology). Certain environments do not have a gatekeeper function, such as
pure SIP environments, and others practically require it, such as large video
codec deployments. A compromised gatekeeper would give an attacker full
control over all of your multimedia endpoints registered to that gatekeeper, so
following the same practices as you would for your call control elements is
Conferencing and collaboration is used extensively within and across all
enterprises as part of the fundamental communications capability that connects
all users to each other. At the heart of this technology is the conference bridge, or
multi-conference unit (MCU), a multiport bridging system for audio, video, and
multimedia collaboration. The trend between internally hosted MCUs and
provider-hosted MCUs has been stuck in the yoyo of corporate decision making,
with each specific situation warranting one direction or the other based on cost
to own, cost to operate, features, and security. Special attention should be paid to
MCU functionality, whether they are hosted on premise or externally, in order to
make sure they are secure.
Consider the following:
•The easier it is to use, the more people will use it—even the ones you don’t want
to use it.
One large semiconductor company was famous for having a very easy to use
audio bridge with global dial-in capability, where each department (and some
individuals) had their own bridge codes with no additional unique information
required to join a conference. They used the same bridge codes for everything
from ad-hoc conferences to critical secret strategy meetings. The flaw in this
convenience was pointed out inadvertently by someone dialing in to the wrong
meeting by accident—they found themselves listening to sensitive information
while remaining completely incognito. A Good Samaritan might mention this to
the security team; anyone else would have unauthorized access to confidential
•Convenience and ease of use need to be balanced with secure practices.
A secondary flaw in the same bridge at the same large semiconductor company
was that the codes were rarely or never changed, even when employees left the
company. Some former employees joked that they could always plan ahead of
time what to do with their stock because they could eavesdrop on the finance
calls prior to the earnings release—while it sounds like a no-brainer, this is a real
situation and occurs more frequently than most people would like to imagine.
•A problem with an MCU can affect a lot of users at once.
Like gateways, MCUs are frequently exposed to the outside world, and are
commonly used by everyone in the organization up through executive level. Turn
off those unneeded services; advise business folks of both best practices for using
this service and possible repercussions if they do not maintain proper security
practices while leveraging this functionality.
•MCUs can connect different types of media; require those facilities to be secured.
Although the trend is moving rapidly toward IP video, there are still thousands of
systems with ISDN connections standing by patiently waiting for calls. ISDN is
arguably more secure than IP due to the maturity of implementation and length
of time it has been in service, but this in no way guarantees that administrators
are actually following those best practices for ISDN (CHAP, dial-back, PPP, etc.).
The IP and ISDN sides of a video MCU are susceptible to both annoyances (video
SPAM) and compromises. If you can, hire a reputable outside service to perform
penetration testing specifically on your exposed MCU services on a regular basis
(depending on how often you make changes) to ensure their security.
An off-premise MCU provided by an experienced third party is often more
easily secured than an internally hosted MCU that is exposed, as the service
providers have had some practice at securing MCUs, but that implies you trust
their practices. Like anything, much of the security of the overall system is in how
it is used. If security features are offered—one-time passwords, two-factor
authentication—evaluate what level of security is appropriate for the application
and then ensure it is met.
Endpoint compromises today are frequently targeted at mobile devices, and
much of the attention in the industry right now is focused on how to secure the
mobile environment. The hardware phone or video codec, sitting quietly idle in
the office but running 24/7, may, however, become an important tool for
advanced corporate espionage, eavesdropping, or denial of service attacks.
Modern VoIP phones have a fair bit of intelligence built into them and offer a
previously unavailable avenue—some phones have a built-in layer two switch
and are capable of executing XML scripts or Java code locally. Video codecs run
all kinds of custom code required for video conferencing and content sharing and
are sometimes directly exposed to the Internet. None of these devices have
particularly robust mechanisms for authenticating to their control components,
unless a diligent administrator goes out of his or her way to enable them.
Generally, these local capabilities are used to make the devices more interactive
and functional, but they can be exploited in a variety of ways.
According to the research firm Gartner, XML-based attacks are the next big
thing, based on comments released after a disclosure of vulnerabilities related to
remote code execution and DoS ability from exploited XML code. Part of what
makes this a problem for the enterprise is the sheer number of endpoints
connected to the system—a single phone system may manage tens of thousands
of endpoint devices, offering a massive exploitable base from which to wreak
havoc via DDoS or other types of disruptive attacks. With VoIP in place, this not
only disables your ability to make phone calls and causes productivity loss, but
also can compromise your entire enterprise network from within.
Specialized endpoints are also employed for a variety of situations. Ensure
that the vendors or OEMs supplying these components or devices have a suitable
approach to security and understand their responsibility in the security of the
overall infrastructure. It is important to recognize in this context that one phone
can be the snowflake that starts the avalanche.
Enterprise desktop strategy focuses on convergence and extending simple, useful
technologies to end users. This focus is intended to increase overall productivity
and collaboration. One component of this strategy is the soft phone or voice and
video-enabled chat client. This is a piece of software that runs on a PC or mobile
device and acts like a hardware endpoint by registering to the call control
element(s) as a device.
Why would you install a soft client on a mobile device, which already has
mobile capability? Two reasons: Cost is, of course, the first one. In many places,
data usage on a cell phone is less costly than calling minutes, and by running a
soft client, you convert what would otherwise be cellular usage minutes into an
IP data stream (thank the “unlimited data plan” for this being a viable option).
Second, by running the soft client, you can extend your enterprise features to the
mobile user, including functionality not typically available on mobile devices
such as consolidated extension-based or URI dialing. Some enterprises are even
using direct inward system access (DISA) features or forking in order to make the
mobile device itself an augmentation of the desk phone, creating a Single Number
Reach (SNR) environment and automatically employing intelligent features like
tail-end hop-off without direct user invocation.
System administrators need to consider the fact that, although enabling these
types of features is great for users and allows unprecedented ability to control
cost, the virtual voice security perimeter now extends well beyond the physical
perimeter they are charged with managing, sometimes reaching around the globe
and well outside of the traditional realms of control. Additionally, this trend
mandates that much more granular attention be paid to the end-user computing
As it stands, audio streams are rarely encrypted on a corporate LAN (or
anywhere else for that matter) and can be easily sniffed; with a soft phone, both
the means to eavesdrop and the source of what you want to listen to can be
accessed via the same NIC, even when SRTP is used. Although SaaS-based chat
and IM infrastructure is out of the scope of this chapter, there is a trend toward
federating internal and external systems and enabling cross-federation calling
via soft clients and “pervasive” B2B video. Lock this down as much as possible by
only explicitly allowing the control systems to communicate with each other and
only with the required ports and services.
Call and Contact Center Components
Call centers have made a remarkable evolutionary leap, from initially being used
as a place to take orders and field complaints, to being a strategic asset that most
enterprises cannot survive without. Within the last decade, call centers have
morphed into “contact centers” and “centers of excellence.” Trusted to sustain
24/7/forever operation and provide all levels of support to customers across every
industry imaginable, these highly complex distributed systems, which now
support millions of agents worldwide, have taken advantage of VoIP technologies
in new and exciting ways—or, for the security administrator, in completely
frightening ways. Their complexity has increased exponentially as the
expectations of agents and customers alike have increased in sophistication.
The two core components of any call center are automatic call distribution (ACD)
and interactive voice response (IVR). Simply put, the ACD moves calls around,
and the IVR collects information from the caller and queues those calls in the
appropriate places, based on defined variables such as agent skills. Whereas
some systems simply queue calls and route them when an agent is available,
others have advanced speech recognition capability and complicated algorithms
predicting variables such as wait time for the next agent. Because of the
complexity of these systems, it is especially important to ensure that they are
patched and updated on a regular basis. A compromise of ACD or IVR could spell
disaster for the victim, up to and including unrecoverable brand damage.
Increasingly, these systems are being integrated with SaaS-based external
solutions, especially CRM and other customer experience database systems.
Although this offers the ability to drive a valuable and unique customer
experience by having a single source of truth for customer data, it also warrants
heavy scrutiny from a trained security professional. Many call centers employ
predictive dialers or low-tech outbound dialers, which are powerful tools in the
wrong hands unless best practices are followed to ensure that they are only
allowed to call the numbers you want them to dial.
Call recording and workflow management solutions can be very helpful for
the overall productivity of your agent workforce, but they can also present a
liability—these systems should have a known, published policy for how they are
used, how long data is stored, how archives are maintained, and what practices
are used if data must or must not be destroyed.
The last, but certainly not least, major component of a VoIP-based telephony
system is the voicemail system. Auto attendants, direct inward system access
(DISA) features used for manual call forwarding, automatic call forwarding, and
other voicemail features are a “standard” component of enterprise life, which
nearly everyone has come to expect and rely on. Unfortunately, they have
historically been one of the easiest systems to abuse for three main reasons:
•Access to mailboxes is typically numeric-only, and people find long strings of
numbers difficult to remember. Easy (and often default) passwords are
commonplace. War dialers can be set up to target these systems and record
successful logins for attackers to return to later. Anyone who has ever built a
voicemail system knows the practice of initially setting everyone’s default
password to their extension, or perhaps the last four digits of their direct inward
dialing (DID) phone number, or some other easy-to-figure-out formula. This is a
good opportunity to stretch your creative brain muscle and come up with
•Since voicemail systems have never really been considered a “key” component of
an enterprise infrastructure, much less attention has been paid to securing these
systems than to, say, the enterprise ERP or financial systems. Keep in mind,
access to this type of functionality in the wrong hands can cause permanent
damage to an organization in financial (and worse) ways.
•More often than not system-level access to and from the outside world is not
carefully controlled or audited, as some of a voicemail system’s convenience
“features” need outside access in order to work properly.
To preserve the sanctity of your voicemail system, always deactivate (and
preferably delete) unused mailboxes, never leave default passwords in place,
consider requiring more than a four-digit access code (every digit you add makes
a brute-force attack that much harder, but also adds more challenge for your
users), and seriously evaluate how these systems will be used within your
VoIP Vulnerabilities and Countermeasures
Having outlined the components that may fall under your purview in an
enterprise VoIP infrastructure, let’s now consider the three main exploitable
paths from which you may be attacked:
•The “low-tech” hacks
•Attacks on server, appliance, or hardware infrastructure
•Advanced threats directed against specific systems or protocols
Telephony systems are frequently targeted partly because of the maturity of
their services and partly owing to their sheer numbers. Everyone has a phone
system. Here’s what you can do to ensure that you’ve done your due diligence
when it comes to protecting your VoIP and multimedia-rich infrastructure.
The following areas require specific attention from security administrators
and these are the areas we’ll focus on in this section:
•The original hacks—how to protect yourself from the oldest tricks in the book
•Adding insult to injury: consider who tries to exploit voice services
vs. VoIP services?
•Vulnerabilities and exploits
•The “other stuff”
•The protocols—examining specific areas of concern
•System integrators, hosted systems, and TEM as part of an enterprise security
•Putting it all together: process makes perfect
Old Dogs, Old Tricks: The Original Hacks
In the beginning (well … in the 1960s, that is), John Draper discovered (and
exploited) a vulnerability in the dual-tone multi-frequency (DTMF) signaling and
dialing systems of the time, when he found that a toy whistle from a cereal box
could be used to produce a 2600 Hz sound to manipulate the communication
protocol of public phone systems to obtain free long distance. He was sentenced
to two months in prison.
You might think that telephone companies would have immediately fixed the
vulnerability so other people couldn’t repeat the exploit. But, in reality, low-tech
approaches like this worked for many phone systems (including carrier systems)
around the globe well into the 1980s (for instance, Telstra’s “big grey phones,”
which were some of the first mobile phones, were a common target).
While most modern IP-based systems are smart enough not to fall for the old
DTMF tricks (sort of … many voicemail systems are still susceptible), you want to
take precautions against equally simple attacks that will probe your defenses on a
daily basis. Information on exploits of various systems is so readily available, that
taking advantage of open relays is a common recreational and for-profit activity.
In addition, the security of a fixed location, such as a land line, is no longer a
reliable way to ensure that you know where a call is originating from, an
important part of understanding what someone is trying to do.
The portability of public IP address space means that spoofing the physical
location of a phone is a relatively easy matter, and tracking it down can be quite
difficult. The VoIP predator’s basic approach is to sell a VoIP service to end
customers and then use compromised systems to route those calls for free from
and to virtually anywhere. The predator charges for a service on the front end,
but gets a free service (hopefully not from you) on the back end. There’s always a
phone bill—but it is generally left up to the victim to settle, as the victim’s carrier
has to pay their partner provider for the calls regardless.
In the enterprise, the trick is to not become one of those relays. Often, people
or businesses think they are subscribing to a legitimate service, as there are
hundreds, even thousands, of exploited gateways. Of little help is the fact that
hiding voice transit and routing among other IP-based traffic is easy.
Create a risk profile for low-tech hacks in your organization by doing the
•What is your externally facing profile?
•Are there exposed numbers that can reach internal systems and access them?
•If so, do those internal systems have password or PIN protection? What
•If simple access is required for any reason, can you audit access?
•Who is responsible for accepting the risk of a breach? Is this person aware of this
responsibility and what it means to the organization?
•Have you performed an inventory of all voice protocols enabled on your
gateways for use later? If not, do so now.
•Is DISA enabled?
•Given that some organizations prefer a “live answer” experience for their
internal and external customers, have the operators been trained and given
process documentation to follow in the event of a suspected malicious call?
•War dialers are still out there … do you have the capability to determine if
someone is trying to breach your defenses? Then use it. Enlist the phone
company’s help in tracking down malicious behavior before the culprit finds an
•Do you have a Telecom Expense Management (TEM) program that tracks and
reports on the costs of phone usage and identifies which phones have the largest
1.Create a scorecard from the information you’ve gathered from your audit in
order to identify your most significant risks and areas in need of attention;
prioritize high-risk items with a standard likelihood and severity graph or matrix.
2.Know your dial-in numbers; only publish them for those who may need to use
them, and ensure the executive team is aware of the risk of offering this service.
3.Enforce password requirements for system access.
4.Delete old and unused mailboxes as soon as possible.
5.Use restrictions (like secondary authorization codes) to prevent DISA from being
used for long distance and international calling; if not possible or if the feature is
needed, ensure that all calls made via DISA are logged and auditable and users
with access to the service are educated on the risks.
6.Limit exposure where possible by using fewer external dial-in numbers; enforce
a business process that requires security team review and approval prior to
enabling new services.
7.Do not offer all user features to all users by default, unless your security program
can support the ongoing use, auditing, and management of these features for the
full user population.
8.Pay attention to call forwarding and who is allowed to use the feature to send
calls outside of your perimeter.
9.Determine how your TEM program can flag abnormal patterns or utilization in
order to give you visibility into when you may have a problem.
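As an added example (not code from the textbook chapter), the following script works through items 5 and 9 of the list above and the earlier audit questions about DISA and Telecom Expense Management: it reads call detail records, estimates cost the way a TEM report would, and flags DISA international use, after-hours international calling, and per-extension usage above a baseline. The CDR format, rate table, business hours and baseline are constructed assumptions.

```python
"""Flag toll-fraud patterns in VoIP call detail records (CDRs).

Added example, not from the textbook chapter.  The CDR columns, the
per-minute rates and the thresholds are constructed assumptions; a real
TEM program would load carrier tariffs and learn baselines from history.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs: start time, source extension, dialed digits,
# duration in seconds, access path (DISA = caller dialed in from outside first).
SAMPLE_CDR = """\
start,ext,dialed,duration_s,path
2022-06-20T09:12:00,2101,5551230100,240,internal
2022-06-20T10:03:00,2101,5551230188,60,internal
2022-06-20T14:30:00,2207,0114420123456,600,internal
2022-06-21T02:14:00,2444,01123412345678,1800,DISA
2022-06-21T02:48:00,2444,01123498765432,1500,DISA
2022-06-21T03:20:00,2444,01122112345678,1700,DISA
2022-06-21T03:55:00,2444,0112349999999,900,DISA
2022-06-21T11:00:00,2207,5551239999,120,internal
"""

RATE_PER_MIN = {"domestic": 0.01, "international": 0.45}  # assumed tariff
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time, assumption
INTL_PREFIX = "011"                    # North American international access code
MAX_INTL_MIN_PER_EXT_PER_DAY = 30.0    # assumed TEM baseline per extension


def classify(dialed: str) -> str:
    """Domestic vs. international by dial prefix (NANP '011' assumption)."""
    return "international" if dialed.startswith(INTL_PREFIX) else "domestic"


def parse_cdrs(text: str) -> list[dict]:
    """Parse CSV CDRs into dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.fromisoformat(r["start"]),
            "ext": r["ext"],
            "dialed": r["dialed"],
            "minutes": int(r["duration_s"]) / 60.0,
            "path": r["path"],
            "kind": classify(r["dialed"]),
        })
    return rows


def estimate_cost(rows: list[dict]) -> float:
    """Rough billable cost, the figure a TEM report would surface."""
    return round(sum(RATE_PER_MIN[r["kind"]] * r["minutes"] for r in rows), 2)


def flag_fraud(rows: list[dict]) -> list[str]:
    """Return human-readable alerts for the patterns the chapter warns about."""
    alerts = []
    intl_minutes = defaultdict(float)          # (ext, date) -> minutes
    for r in rows:
        tag = f"ext {r['ext']} {r['start'].isoformat()} -> {r['dialed']}"
        # Rule 1: DISA used to reach an international number at all.
        if r["path"] == "DISA" and r["kind"] == "international":
            alerts.append(f"DISA international call: {tag}")
        # Rule 2: international calling outside business hours.
        if r["kind"] == "international" and r["start"].hour not in BUSINESS_HOURS:
            alerts.append(f"after-hours international call: {tag}")
        if r["kind"] == "international":
            intl_minutes[(r["ext"], r["start"].date())] += r["minutes"]
    # Rule 3: per-extension international minutes above the TEM baseline.
    for (ext, day), mins in sorted(intl_minutes.items()):
        if mins > MAX_INTL_MIN_PER_EXT_PER_DAY:
            alerts.append(
                f"ext {ext} used {mins:.0f} international minutes on {day} "
                f"(baseline {MAX_INTL_MIN_PER_EXT_PER_DAY:.0f})")
    return alerts


if __name__ == "__main__":
    cdrs = parse_cdrs(SAMPLE_CDR)
    print(f"estimated cost: ${estimate_cost(cdrs):.2f}")
    for a in flag_fraud(cdrs):
        print("ALERT", a)
```

On the constructed data, extension 2444's four overnight DISA calls trigger all three rules while 2207's single daytime international call stays under the baseline.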
Vulnerabilities and Exploits
For our purposes in this section, vulnerability means a weakness that has not yet
been used to compromise a perimeter, whereas exploit is a compromised
Security administrators need to understand how to strike a balance between
functionality and security, particularly when their peers (network and systems
administrators) have the job of trying to move traffic in an unobstructed fashion
across common multiaccess networks as fast as possible. Inspecting packets takes
resources and adds transit time, which can lead to an adversarial relationship
between the teams working to move packets from place to place seamlessly and
the teams trying to ensure that legitimate data is contained within those packets.
Sit down with the parties responsible for the network and the voice systems, and
using a cooperative approach citing the greater good, discuss the following topics:
•What protocols will be allowed and used for VoIP on the network?
•What protocols should be explicitly blocked?
•How much bandwidth is “normal” for your call volumes?
•If you’re using a G.711 codec, you should expect ~80 kb per call.
•G.729 can vary depending on compression used and specific subprotocol.
•Can you create segregated security areas (zones) for your voice components?
•Subnets for voice control and voice gateways.
•Subnets for phones (many network switches now have a voice VLAN command
that allows the phone to exist on a different VLAN than the device attached
behind the phone).
•Only allow the protocols in and out that you need; if a system integrator (SI) is
implementing the system for you, have them provide this information, or consult
your system documentation from the manufacturer.
•Can you define and configure the system to allow calling only to locations where
needed and warranted by the business?
•Explain the benefits of a permit-by-exception model vs. explicit denial.
•It is much better to start from a more secure configuration and open features or
access once it is requested than to allow all by default and experience a
•Although some users may be frustrated by having to request the ability to call
certain places, you should keep control of this and spend the time educating
people about the risks and why voice security is important, specifically ensuring
that other IT administrators are on the same page.
•Do you have a way to determine if any “extra” data is being passed in voice
streams? This is a more advanced capability and implies that an exploit is already
in place allowing an attacker to access your system; visibility may be difficult …
e.g. if an RTP stream is using 768 kb, can you verify if it is video or something else
legitimate, or could it be a malicious embedded data transfer? Determining this
requires deep packet inspection capability to evaluate the UDP payload, which
many modern firewalls can do to some extent via ALGs.
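The following is an added example, not code from the textbook, that ties together the "normal bandwidth" question above and the question about extra data riding in voice streams: it decodes RTP fixed headers (RFC 3550), groups packets by SSRC, derives the expected on-the-wire rate for the declared static payload type (for G.711 at 20 ms packetization this comes out at the ~80 kbps figure used above), and flags streams whose payload sizes or bitrate do not match the codec they claim. The packets, capture times, packetization interval and slack factor are constructed assumptions.

```python
"""Check RTP streams against what their declared codec should carry.

Added example, not from the textbook.  Packets and capture times below are
constructed, not captured traffic; PTIME_MS and BITRATE_SLACK are assumptions.
"""
import struct
from collections import defaultdict

# Static RTP payload types (RFC 3551) -> (name, payload bytes per 20 ms packet).
CODEC_PROFILE = {
    0: ("PCMU/G.711", 160),   # 64 kbps of audio payload
    8: ("PCMA/G.711", 160),
    18: ("G.729", 20),        # 8 kbps of audio payload
}
PTIME_MS = 20                        # common packetization interval, assumption
IP_UDP_RTP_OVERHEAD = 20 + 8 + 12    # IPv4 + UDP + fixed RTP header, bytes
BITRATE_SLACK = 1.5                  # flag streams above 1.5x the codec's rate


def expected_kbps(pt: int) -> float:
    """On-the-wire rate for a static payload type at PTIME_MS packetization."""
    payload = CODEC_PROFILE[pt][1]
    packets_per_s = 1000 / PTIME_MS
    return (payload + IP_UDP_RTP_OVERHEAD) * 8 * packets_per_s / 1000


def parse_rtp(packet: bytes) -> dict:
    """Decode the RTP fixed header, CSRC list and extension; return key fields."""
    if len(packet) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    header_len = 12 + 4 * (b0 & 0x0F)          # CSRC count
    if (b0 >> 4) & 1:  # X bit: one header extension follows the CSRC list
        ext_words = struct.unpack("!H", packet[header_len + 2:header_len + 4])[0]
        header_len += 4 + 4 * ext_words
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc,
            "payload_len": len(packet) - header_len}


def analyze(captured: list[tuple[int, bytes]]) -> dict[int, dict]:
    """captured: (capture time in ms, raw RTP bytes).  Returns per-SSRC findings."""
    streams = defaultdict(list)
    for t_ms, raw in captured:
        pkt = parse_rtp(raw)
        streams[pkt["ssrc"]].append((t_ms, pkt))
    report = {}
    for ssrc, pkts in streams.items():
        pkts.sort(key=lambda item: item[0])
        pt = pkts[0][1]["pt"]
        n = len(pkts)
        wire_bytes = sum(p["payload_len"] + IP_UDP_RTP_OVERHEAD for _, p in pkts)
        span_ms = pkts[-1][0] - pkts[0][0]
        duration_ms = span_ms * n / (n - 1) if n > 1 else PTIME_MS
        observed = wire_bytes * 8 / duration_ms          # bits per ms == kbps
        findings, expected = [], None
        if pt not in CODEC_PROFILE:
            findings.append(f"dynamic/unknown payload type {pt}; check the SDP offer")
        else:
            name, payload = CODEC_PROFILE[pt]
            expected = expected_kbps(pt)
            big = [p["payload_len"] for _, p in pkts if p["payload_len"] > 2 * payload]
            if big:
                findings.append(
                    f"{len(big)} packets carry {max(big)} payload bytes, far above "
                    f"the {payload} bytes {name} needs per {PTIME_MS} ms")
            if observed > BITRATE_SLACK * expected:
                findings.append(
                    f"observed {observed:.0f} kbps vs ~{expected:.0f} kbps for {name}")
        report[ssrc] = {"pt": pt, "packets": n, "observed_kbps": round(observed, 1),
                        "expected_kbps": expected, "findings": findings}
    return report


def make_rtp(pt: int, seq: int, ts: int, ssrc: int, payload: bytes) -> bytes:
    """Build a v2 RTP packet with no CSRCs or extension (for constructed samples)."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload


def constructed_capture() -> list[tuple[int, bytes]]:
    """One well-behaved G.711 stream and one 'G.711' stream stuffed with data."""
    capture = []
    for i in range(50):
        capture.append((i * 20, make_rtp(0, i, i * 160, 0x1111, b"\xff" * 160)))
        capture.append((i * 20, make_rtp(0, i, i * 160, 0x2222, b"\x00" * 1200)))
    return capture


if __name__ == "__main__":
    for ssrc, info in analyze(constructed_capture()).items():
        print(f"SSRC {ssrc:#x}: PT {info['pt']}, {info['observed_kbps']} kbps "
              f"(expected ~{info['expected_kbps']})")
        for f in info["findings"]:
            print("   !", f)
```

Running it shows the honest stream at 80.0 kbps with no findings and the stuffed stream at 496 kbps with both the payload-size and bitrate findings raised.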
Basic documentation you may want to have in place and keep updated on a
regular change-driven or scheduled basis should include layer one, layer two,
and layer three diagrams indicating the location of all voice system components
in the network, and both physical and logical topology.
As with any server-based system, understand your key weaknesses and most
vulnerable areas. As described in the previous section, having updated diagrams
and an inventory of all of the components of your voice platform will help ensure
that those assets can be secured in a reasonable way. Documentation is a critical
but frequently overlooked part of a security management strategy, which applies
to VoIP as well.
For any server-based system that runs on a commodity OS (typically Windows
or Unix), ensure that your network or server teams are prepared to follow patch
management procedures for these resources along with the rest of the
environment. With companies like Microsoft enabling features like enterprise
voice services and voicemail, system administrators have the added
responsibility of ensuring that Windows servers are patched for these in addition
to the rest of their KB patches. In addition, many contact center and workforce
productivity solutions, some of which have special versions supported only by
the manufacturer, also run on Windows under the hood.
Once upon a time, when DTMF ruled the voice world, Dialogic boards were the
key for interpreting dialed digits, and every voice system had them in either the
PBX controller or voicemail system. Back then, nearly all voice systems would
have been considered “custom appliances” by today’s standards. The common
modern practice for many manufacturers today is to buy OEM hardware from
one of the big server suppliers and to run either a proprietary OS or custom
version of a commodity operating system to create their “appliance.” Some voice
hardware providers still make their own application-specific integrated circuit
(ASIC) chips and hardware chassis, but this is becoming less common as
standardization and virtualization gain adoption in the voice space.
The real relevance for security administrators is in the amount of
customization the provider does in order to offer their features. In one sense, a
certain “security by obscurity” is achieved with highly customized platforms
because there are generally fewer of them in the field and they present a less
attractive target than something more widely deployed (which is additionally
true for proprietary protocols). Conversely, an exploit specific to a unique platform
may remain undiscovered for a longer period of time, as you are dependent on
the manufacturer or specific product community to identify such vulnerabilities.
There’s a lot that falls into the “other stuff” category, from hosted systems to all of
the components that are not considered call control. Hosted systems are covered
later, as they require special considerations. The two most commonly exploited
systems in the “other stuff” category are voicemail servers with DISA (direct
inward system access) enabled and gateways that allow connections from the
Internet. No matter what brand of phone system you are running, keep the
following information handy:
For the voicemail system:
•Use a least-privilege model in which administrators do not have mailboxes
accessible via external means; require a VPN and strong authentication.
•Delete unused mailboxes.
•Force complexity requirements for voicemail passwords and access codes.
•Carefully consider the risks of allowing remote call forwarding or other call
forwarding features, particularly those that can be enabled remotely; if a feature
is not absolutely necessary for your users, do not allow it.
•Use strong authentication for “remote destination” calling or calling-card type
For the voice gateways:
•Explicitly disable unused services, especially those with Internet-facing
•Lock down via ACL or firewall what systems are allowed to communicate with
the gateways via IP; use a secondary system (IPS) to watch what the gateways are
doing if you are running SIP or a similar protocol.
At the heart of the family of VoIP technologies are the specific protocols that
enable the transit and real-time conversations that IP networks were not
originally designed to handle. While this book is not an authoritative reference
for VoIP protocols, it is a good primer and guideline for what to consider and
where to look for more information when securing networks leveraging VoIP.
Security filtering and analysis for most network-based communications has
become quite advanced, but VoIP-specific capability has not kept up with the rest
of the industry. While current-generation firewall ALGs can tell you that a VoIP
conversation is, in fact, a valid protocol (RTP, RTSP) and an “audio data stream,”
they generally cannot:
•Tell you what is taking place in that conversation
•Guarantee that no one else is listening in
•Determine that a voice conversation is the only thing taking place over that
Outside of the U.S. Department of Defense or Department of Homeland
Security (or other state-sponsored and government agencies), advanced heuristic
electronic listening is not widely employed for security purposes.
Realistically and within the reach of ordinary organizations, the following
section lists the mechanics of the protocols you’ll encounter on an enterprise
network, some associated risks, and practical suggestions for protecting them.
Protocol: H.248 (Megaco)
Governing Standards RFC 3015 (obsolete), RFC 3525 (obsolete), RFC 5125
Purpose Gateway control protocol: IETF and ITU-T standards-based method for
meeting the requirements intended to be addressed by the development of a
Media Gateway Control Protocol (MGCP), including security considerations.
Function Controls decomposed multimedia gateways, enabling separation of call
control and media transcoding and conversion; supports a broad range of
Known Compromises and Vulnerabilities DoS attacks using malformed packets
targeted at port 2944 (the H.248 text-encoding port; binary encoding uses 2945),
which may be carried over UDP, TCP, or SCTP. An exposed gateway can be driven
into DoS simply by directing a large number of packets at the default ports,
making the gateway too busy to process legitimate traffic. H.248 has no built-in
security and relies on lower-layer protocol support for security such as IPSec or
TLS, but these are frequently not used because crypto processing introduces
latency to a very latency- and jitter-sensitive application.
Recommendations Consider the requirements for performance, signaling
security, and media security if you are going to use this protocol for gateway
control. A suitable approach is to use encryption for call setup (signaling
protection), which adds some processing time for call setup, but prevents replay
attacks, spoofing, and barge-in, and to use SRTP to protect the audio streams
(media protection). Remember that both of these will add time and can affect the
number of simultaneous call flows that your system can process.
Protocol: MGCP
Governing Standards RFC 2705 (obsolete), RFC 3435 (current; it obsoletes RFC 2705
and is updated by RFC 3661), RFC 3660 (basic MGCP packages), RFC 3661 (return
code usage). Media Gateway Control Protocol (MGCP) is the de facto standard in
the industry for gateway control implementations.
Purpose Packaged gateway control protocol currently deployed and
implemented in many different voice and media systems—RFC 3435 specifically
describes an API and corresponding protocol used between elements of a
decomposed multimedia gateway.
Function Controls decomposed multimedia gateways, enabling separation of call
control and media transcoding and conversion; supports a broad range of
network types. Default port for MGCP devices is UDP 2427.
Known Compromises and Vulnerabilities Interference with authorized calls or
setup of unauthorized calls via barge-in or intercept, and rerouting or dropping
legitimate calls-in-progress. DoS attacks occur via directing a large volume of
traffic to UDP port 2427, preventing the device from processing legitimate
requests. Possibility of a device crash via sending a specifically malformed packet
directed to UDP port 2427. Some vendor-specific implementations have targetable
vulnerabilities (including Cisco’s ASA UDP inspection engine; see Cisco Advisory
Recommendations Because a system will use MGCP if running gateways
controlled by a call agent, ensure that you research the specific platform and any
known bugs or code vulnerabilities that may exist. The OEM or vendor should
also be able to furnish this on request. Many MGCP exploits are targeted at
systems other than the VoIP systems themselves, and as no security mechanisms
are designed into the MGCP protocol itself, it would be wise to consider reviewing
RFC 2705, which refers to using IPSec (AH or ESP) as a protection. In fact, RFC
2705 recommends that MGCP only be implemented with IPSec and that MGCP
messages only be carried over secure connections. In practice, this advice is not
always heeded, so do not assume that a system was implemented according to the
Protocol: SIP
Governing Standard The Session Initiation Protocol (SIP) standards and
extensions are so numerous that an RFC is dedicated to identifying all of the other
SIP RFCs (Hitchhiker’s Guide to SIP, RFC 5411), and there are books to help
navigate the situation. For the basics, RFC 3261 is the core SIP standard. SIP is a
highly complex set of protocols—really a protocol suite with volumes dedicated to
implementing, managing, and securing the entire stack based on different use
cases. This overview is not a substitute for deeper research on how SIP is being
used within an enterprise and the methods required to ensure it has been
securely implemented and suitably protected.
Purpose Application layer control (signaling) protocol for creating, modifying,
and terminating sessions with one or more participants. Sessions include Internet
telephone calls, multimedia calls and distribution, and multimedia conferencing.
In plain English: SIP is used for all kinds of voice and multimedia applications
and is prolific both on corporate networks and the Internet, sometimes appearing
unintentionally in enterprise environments via voice-enabled chat clients that are
both sponsored (e.g. Lync, Connect, Jabber, etc.) and unauthorized (Yahoo
Messenger, AIM, etc.).
Function SIP is a session-based protocol, using SIP invitations that are used to
create sessions. These carry session descriptions that allow participants to
negotiate a set of compatible media types (in the event that different endpoints or
devices have different capabilities). SIP makes use of proxy servers to route
requests to a user’s registered location (“current” location), authenticate and
authorize services, implement provider call-routing policies, and provide
features. SIP also provides a registration function that allows users to upload
their current locations for use by SIP proxies. SIP runs on top of several different
transport protocols and relies on a variety of different mechanisms for security.
Known Compromises and Vulnerabilities Because there are so many SIP-
related vulnerabilities that exist based on the different implementations of the
protocol and extensions, it is worth classifying them into the following categories:
•Control-system and SIP proxy
•Device-based (including mobile device)
•DoS, DDoS, flooding
•SPAM over Internet Telephony (SPIT)
•Vishing (the criminal practice of using social engineering over a telephony
system, widely facilitated by VoIP and SIP-based systems)
•Spoofing, barging, and redirection
•Replay and interception
Recommendations If you’re going to allow SIP on the network or enable SIP-
based enterprise applications, either for voice and video (or other converged
services) or for less specific uses (third-party IM clients, etc.), seriously consider
the minimum level users need in order to function. Discuss this with whoever in
your organization is responsible for the services that use SIP and ensure that they
understand the risks of this highly dynamic protocol.
If your policy doesn’t allow use of third-party IM clients and there is no
requirement to support a SIP-based enterprise function, turn SIP services off on
all network devices and explicitly block it at your edge inbound and outbound.
SIP can use a variety of ports statically or dynamically depending on the
application (the defaults are UDP and TCP 5060 for cleartext SIP and TCP 5061 for
SIP over TLS, but, like HTTP, SIP can be configured to use any ports), so, if
possible, block it via protocol
If SIP is required, and particularly if such a requirement includes SIP services
being available via the Internet, ensure you are using a device that has the capability
to inspect the traffic (a firewall with inspection or ALG capability, an IDS, or other
sniffer or analyzer) and validate that the information in the SIP header is
correctly formed and is accurate (SIP header construction is alarmingly easy to
spoof). This is the easiest way to tell if there is a spoof attempt or other malicious
activity in process.
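One way to do the header validation described above, as an added example that is not part of the original chapter: a Python validator that parses a SIP request, canonicalizes header names (including the RFC 3261 compact forms an attacker may use to slip past naive string matching), and checks the mandatory headers, the CSeq/method agreement, the From tag, the Via branch magic cookie, and Content-Length against the body actually present. The two INVITE messages are constructed for the example; the checks are the RFC 3261 syntactic requirements, not a vendor's ALG logic.

```python
import re

# Canonical header names (RFC 3261 names are case-insensitive) plus the compact forms.
CANON = {h.lower(): h for h in ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards", "Contact",
                               "Content-Type", "Content-Length", "Supported", "Subject")}
CANON.update({"v": "Via", "f": "From", "t": "To", "i": "Call-ID", "m": "Contact",
              "c": "Content-Type", "l": "Content-Length", "k": "Supported", "s": "Subject"})
REQUIRED = ("To", "From", "CSeq", "Call-ID", "Max-Forwards", "Via")       # RFC 3261 section 8.1.1
SINGLE = ("To", "From", "CSeq", "Call-ID", "Max-Forwards", "Content-Length")


def parse_sip(raw):
    """Split a SIP message into (start_line, {header: [values]}, body). Raises ValueError on junk."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers, current = {}, None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and current:          # folded continuation line (RFC 3261 7.3.1)
            headers[current][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        current = CANON.get(name.strip().lower(), name.strip())
        headers.setdefault(current, []).append(value.strip())
    return lines[0], headers, body


def validate_request(raw):
    """Return a list of problems; an empty list means the request is syntactically sound."""
    problems = []
    try:
        start, h, body = parse_sip(raw)
    except ValueError as exc:
        return [str(exc)]
    parts = start.split(" ")
    method = None
    if len(parts) != 3 or not re.match(r"^[A-Z]+$", parts[0]) or parts[2] != "SIP/2.0":
        problems.append("bad request line: %r" % start)
    else:
        method = parts[0]
        if not re.match(r"^(sips?|tel):", parts[1]):
            problems.append("request-URI scheme is not sip, sips, or tel")
    for name in REQUIRED:
        if name not in h:
            problems.append("missing required header " + name)
    for name in SINGLE:
        if len(h.get(name, [])) > 1:
            problems.append("duplicate header " + name)
    if "CSeq" in h:
        m = re.match(r"^(\d+)\s+([A-Z]+)$", h["CSeq"][0])
        if not m:
            problems.append("malformed CSeq")
        elif method and m.group(2) != method:
            problems.append("CSeq method %s does not match request method %s" % (m.group(2), method))
    if "From" in h and ";tag=" not in h["From"][0]:
        problems.append("From header lacks tag parameter")
    for via in h.get("Via", []):
        if not via.startswith("SIP/2.0/"):
            problems.append("Via lacks protocol/transport")
        if ";branch=z9hG4bK" not in via:
            problems.append("Via branch lacks RFC 3261 magic cookie")
    if "Max-Forwards" in h and not h["Max-Forwards"][0].isdigit():
        problems.append("Max-Forwards is not numeric")
    if "Content-Length" in h:
        cl = h["Content-Length"][0]
        actual = len(body.encode("utf-8"))
        if not cl.isdigit() or int(cl) != actual:
            problems.append("Content-Length %s does not match body length %d" % (cl, actual))
    return problems


# --- constructed sample messages -------------------------------------------------
GOOD_INVITE = (
    "INVITE sip:bob@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.1.15:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: \"Alice\" <sip:alice@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:bob@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.20.1.15\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.20.1.15>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "v=0\r\n"
)
# Compact header forms, no From tag, no branch cookie, CSeq for the wrong method, lying Content-Length.
BAD_INVITE = (
    "INVITE sip:bob@pbx.example.com SIP/2.0\r\n"
    "v: SIP/2.0/UDP 203.0.113.9:5060;branch=1234\r\n"
    "f: <sip:alice@pbx.example.com>\r\n"
    "t: <sip:bob@pbx.example.com>\r\n"
    "i: spoofed-call-id\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 999\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("good:", validate_request(GOOD_INVITE))
    print("bad:", validate_request(BAD_INVITE))
```

A well-formed header is necessary but not sufficient: the From URI in the second message is syntactically fine and still unverified, which is why the text goes on to say that header spoofing is easy. Pair a check like this with authentication (digest or TLS client identity) on any SIP service exposed to the Internet.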
Because SIP adoption is increasing owing to its ease of use, ability to
implement quickly, and compatibility with a variety of devices, the pressure to
secure the protocol itself and know how it is being used is increasing. SIP is
possibly the single easiest threat vector to exploit due to lack of awareness and
attention paid to what it is being used for on a network. Complete books are
dedicated to SIP and securing it; consider getting one of these if you have critical
services delivered via SIP or if you are going to allow it to run on the network.
Best practices are always to turn off any unneeded services for any protocol,
which is certainly true for SIP as well, but as adoption continues to increase more
attention needs to be paid to how and where this particular protocol is being
Protocol: H.323
Governing Standard H.323 may actually have more reference material than SIP,
as it is itself a “standard” currently in ITU-T revision 7 (H.323 v7). It is a
component of the “H-series” ITU-T recommendations for Audiovisual and
Multimedia Systems specifically addressing systems and terminal equipment for
audiovisual services. The overall H-series recommendations cover a wide variety
of different aspects of multimedia networking.
Purpose Standardized approach for terminals and other entities that provide
multimedia communications services over packet-based networks that may not
provide a guaranteed quality of service. Audio support is mandatory, but entities
may support real-time video and/ or data communications as well. If video and
data are supported, the ability to use a common mode of operation is required, so
that all terminals supporting the media type can interact. H.323 has dozens of
subprotocols, including a specific security subprotocol, H.235 (currently in
revision .9 which is the 13th revision of the protocol—note, the numbering scheme
was changed mid-lifecycle; the order of numbering is H.235v1, H.235v2, H.235v3,
H235.0 [which was v4], H.235.1, H.235.2, H.235.3 … etc. to current, H.235.9).
Function H.323 entities may be integrated into PCs or implemented in standalone
devices (videoconferencing codecs, IP cameras, MCUs, for example) and support
many types of networks and internetworking, including point-to-point,
multipoint, broadcast, or multiaccess networks (see ITU-T H.332). Methods for
internetworking with other networks are supported, including terminals on B-
ISDN, N-ISDN, guaranteed quality-of-service LANs, GSTN, and wireless networks,
and other specific types of terminals and networks through the use of gateways.
Today, H.323 is the most commonly used approach for videoconferencing over IP,
and it is gaining traction as more enterprises focus on saving costs by reducing
travel, replacing the face-to-face interactions with room-based videoconferencing
Known Compromises and Vulnerabilities Like SIP, there are far too many
compromises and vulnerabilities to list them specifically … there are no fewer than
50 different implementations of H.323 by different vendors—and there are
probably many, many more. Several of these implementations contain vendor-
specific intellectual property to enable certain features or functions. In general,
you will want to dig in if you support H.323-based services and understand what
the specific risks are around the supported devices and platforms. Also, like SIP,
there are full volumes addressing H.323 security, but the most common and
impacting types of H.323 vulnerabilities are
•DoS, DDoS, flooding
•Gateway compromises (probably the most common, relevant, dangerous, and
potentially damaging from a risk perspective)
•Remote code execution and arbitrary code execution
Recommendations If you’re not using it—turn it off! Do not assume that the
capability to communicate via this protocol suite over your network is disabled
by default. Many devices are shipped with these protocols enabled for
convenience—so it will “just work” if you introduce a new device into the
network. Leaving H.323 enabled on an Internet-facing gateway can lead to
disaster—a specific compromise is covered earlier in this chapter to which H.323
gateways are particularly susceptible. Although SIP is an IETF-defined set of
standards and H.323 is from the ITU-T, they have many overlapping
capabilities and functions. If it is at all possible to standardize on the use of one
versus the other for the enterprise, focus on security, but it is unlikely that this
will be the case in today’s vendor-centric multimedia technology world.
Protocol: SCCP and Other Proprietary Protocols
Governing Standard Skinny Call Control Protocol (SCCP) (aka “skinny”) is a
Cisco-proprietary protocol; other vendors have also developed closed protocols
implemented ahead of or outside of the IETF, IEEE, and ITU-T standards.
Purpose Lightweight protocol for session signaling and endpoint call control in a
Cisco Call Manager environment. There are many protocols specific to an OEM or
Function Call control, signaling, and other functions as defined on a per-vendor
Known Compromises and Vulnerabilities Because SCCP is a category of
protocol, the specific SCCP vulnerabilities are not listed. It is, however, critical to
engage the supplier or manufacturer and require them to disclose and keep you
apprised of all specific vulnerabilities or exploits that their platforms are
susceptible to, including from the open standard protocols.
Recommendations Although not a common practice, it would be wise to require
an SLA for an OEM to fix any exploitable vectors that exceed a specified or
defined level of severity within an agreed (preferably, contractually agreed)
amount of time. At a minimum, find out what the OEM or manufacturer’s
processes are around patching, vulnerability management, and exploit discovery
in their products. When it comes to large vendors like Cisco and Avaya, they have
mechanisms in place to publish alerts related to vulnerabilities in their products
via specific community support forums or dedicated support sites. Visit these on a
regular basis or sign up for email-based notification if they offer it in order to
stay on top of vulnerabilities that may affect platforms on your network.
Protocol: SDP, RTP, RTCP, and RTSP
Governing Standards
•Session Description Protocol (SDP) RFC 2327 (obsolete), RFC 3266 (obsolete),
RFC 4566 (since obsoleted by RFC 8866)
•Real-time Transport Protocol (RTP) RFC 1889 (obsolete), RFC 3550 (current, but
updated by RFC 5506, RFC 5761, RFC 6051, RFC 6222, among others)
•RTP Control Protocol (RTCP) RFC 3550 (defined alongside RTP); RFC 3605 defines
the SDP attribute used to signal a non-default RTCP port
•Real-Time Streaming Protocol (RTSP) RFC 2326 (extensions in RFC 6064; RTSP 2.0
is RFC 7826)
Purpose
•SDP A format description for standardized conveyance of media details,
transport addresses, and session description metadata (relies on other protocols
for actual transport).
•RTP A protocol providing end-to-end network transport functions for real-time
data applications over unicast or multicast networks.
•RTCP The companion control protocol to RTP, carrying reception-quality
statistics and participant identification for an RTP session; the a=rtcp SDP
attribute from RFC 3605 lets an endpoint advertise where its RTCP is listening,
which helps with NAT traversal.
•RTSP A protocol for controlling the delivery of streaming audio and video.
Function Various; these form a core set of protocols used for describing how
media transport should work and actually moving the media across the network.
Known Compromises and Vulnerabilities Most specific vulnerabilities related
to these protocols will either be related to a particular piece of equipment or
exploited via a method (e.g., RTP interception and redirection). As advised
previously, ensure that whichever VoIP or multimedia platform you are using is
regularly evaluated, tested, patched, and audited, along with the rest of the
Recommendations Use secure protocols where available, such as SRTP, to
support the functionality requirements provided by the listed protocols. In some
cases, no secure transport protocols are available as built-in options, so other
protocol suites or families such as IPSec should be used to protect the required
VoIP and multimedia control traffic.
Protocol: SRTP
Governing Standard RFC 3711 (current)
Purpose Secure Real-Time Transport Protocol (SRTP) is a profile of RTP, which
can provide authentication, confidentiality, replay protection, and protection to
the RTCP traffic.
Function SRTP provides a framework for authenticating and encrypting RTP and
RTCP streams, including definition of a default set of transforms and extensibility
for inclusions of future transform sets. SRTP offers high throughput and low
packet expansion, both critical considerations for any protection mechanism of a
real-time media capability.
Known Compromises and Vulnerabilities Although using SRTP is significantly
better than not using anything, it is not by itself a catch-all or complete security
mechanism for protecting voice or multimedia traffic. The RFC 3711 default
transform, AES-128 in counter mode with HMAC-SHA1 authentication, is sound;
the weaknesses lie in what the standard also permits and in how keys are handled.
SRTP allows a NULL cipher (authentication only, no confidentiality) and a
truncated 32-bit authentication tag, so an endpoint or trunk that offers or accepts
these can negotiate a weakly protected or unencrypted stream. On top of this, key
management is critical, as a compromised key negates the relevance of even
strong encryption: with SDES keying (RFC 4568) the master key travels in the SDP
body of the SIP exchange, so if that signaling is not itself protected by TLS,
anyone who can read the INVITE can decrypt the call.
Recommendations Configure endpoints, gateways, and trunks to offer and accept
only suites with a real cipher and a full 80-bit authentication tag (for example
AES_CM_128_HMAC_SHA1_80 or the AES-GCM suites of RFC 7714), reject the NULL
cipher and the _32 suites, and protect the key exchange, either by carrying SDES
keys only over SIP/TLS or by using DTLS-SRTP (RFC 5764). Keys should be fresh
per call, and a key management program should ensure that any long-lived or
pre-shared keys are rotated on a schedule to preserve the integrity of the
encryption in place.
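A configuration check for the negotiation discussed in this section, as an added example that is not part of the original chapter: a Python routine that reads an SDP offer, confirms the media profile actually mandates SRTP (RTP/SAVP), parses each a=crypto line (SDES, RFC 4568), verifies that the base64 master key and salt have the length the named suite requires, and selects the first offered suite that meets policy, rejecting truncated 32-bit tags, F8, unknown suites, and session parameters that switch off encryption or authentication. The sample offer, the key bytes, and the policy verdicts in the suite table are constructed for the example; whether the SIP message carrying this SDP was itself protected by TLS cannot be seen from the SDP and has to be checked separately.

```python
import base64
import re

# Master key + master salt length in bytes for each SDES crypto suite, and this
# example's policy verdict for it (the verdicts are local policy, not RFC text).
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16 + 14, "acceptable"),                       # RFC 4568
    "AES_CM_128_HMAC_SHA1_32": (16 + 14, "weak: 32-bit authentication tag"),  # RFC 4568
    "F8_128_HMAC_SHA1_80":     (16 + 14, "weak: F8 mode"),                    # RFC 4568
    "AES_256_CM_HMAC_SHA1_80": (32 + 14, "acceptable"),                       # RFC 6188
    "AES_256_CM_HMAC_SHA1_32": (32 + 14, "weak: 32-bit authentication tag"),  # RFC 6188
    "AEAD_AES_128_GCM":        (16 + 12, "acceptable"),                       # RFC 7714
    "AEAD_AES_256_GCM":        (32 + 12, "acceptable"),                       # RFC 7714
}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
DISABLING_PARAMS = ("UNENCRYPTED_SRTP", "UNENCRYPTED_SRTCP", "UNAUTHENTICATED_SRTP")  # RFC 4568 6.3


def parse_sdp_media(sdp):
    """Return one dict per m= line with its profile, payload types, and a=crypto lines."""
    sections, cur = [], None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            cur = {"media": fields[0], "port": int(fields[1]), "profile": fields[2],
                   "payloads": fields[3:], "crypto": []}
            sections.append(cur)
        elif line.startswith("a=crypto:") and cur is not None:
            cur["crypto"].append(line)
    return sections


def check_crypto_line(line):
    """Return (tag, verdict): 'acceptable' or the reason the line fails policy."""
    m = CRYPTO_RE.match(line)
    if not m:
        return None, "malformed crypto attribute"
    tag, suite, key_params, session_params = m.groups()
    if suite not in SUITES:
        return tag, "unknown suite %s: reject rather than guess" % suite
    expected_len, verdict = SUITES[suite]
    if not key_params.startswith("inline:"):
        return tag, "key method is not inline"
    key_b64 = key_params[len("inline:"):].split("|")[0]          # drop lifetime and MKI fields
    try:
        key = base64.b64decode(key_b64, validate=True)
    except ValueError:
        return tag, "master key is not valid base64"
    if len(key) != expected_len:
        return tag, "%s: key||salt is %d bytes, expected %d" % (suite, len(key), expected_len)
    for p in DISABLING_PARAMS:
        if session_params and p in session_params.split():
            return tag, "session parameter %s switches off protection" % p
    return tag, verdict


def evaluate_offer(sdp):
    """For each media section, pick the first offered crypto line that passes policy, or reject."""
    results = []
    for sec in parse_sdp_media(sdp):
        if not sec["profile"].startswith("RTP/SAVP"):
            results.append((sec["media"], "reject: profile %s does not mandate SRTP" % sec["profile"]))
            continue
        if not sec["crypto"]:
            results.append((sec["media"], "reject: SAVP without any a=crypto line"))
            continue
        reasons = []
        for line in sec["crypto"]:
            tag, verdict = check_crypto_line(line)
            if verdict == "acceptable":
                results.append((sec["media"], "ok: tag %s %s" % (tag, line.split()[1])))
                break
            reasons.append(verdict)
        else:                                                     # no offered line passed
            results.append((sec["media"], "reject: " + "; ".join(reasons)))
    return results


# --- constructed sample offer ----------------------------------------------------
def make_crypto_line(tag, suite, key_bytes, extra=""):
    return "a=crypto:%d %s inline:%s%s" % (tag, suite, base64.b64encode(key_bytes).decode(), extra)


KEY30 = bytes(range(30))            # example key||salt for the 128-bit suites, constructed
SAMPLE_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 10.20.1.15", "s=-", "c=IN IP4 10.20.1.15", "t=0 0",
    "m=audio 49170 RTP/SAVP 0 8 18",
    make_crypto_line(1, "AES_CM_128_HMAC_SHA1_32", KEY30),             # weak tag offered first
    make_crypto_line(2, "AES_CM_128_HMAC_SHA1_80", KEY30, "|2^20|1:32"),
    "m=video 49172 RTP/AVP 96", "a=rtpmap:96 H264/90000",
]) + "\r\n"

if __name__ == "__main__":
    for media, verdict in evaluate_offer(SAMPLE_OFFER):
        print(media, "->", verdict)
```

The answerer walks the offer in the offerer's preference order but skips anything below policy, so an offer that leads with the 32-bit suite still ends up on the 80-bit one; an offer that contains only weak suites is refused rather than downgraded.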
Protocol: IAX and IAX2
Governing Standard RFC 5456 (IAXv2, current), RFC 5457 (IANA considerations
for IAX). All modern references to IAX refer to IAX2.
Purpose Inter-Asterisk eXchange Protocol (IAX) was developed to minimize
bandwidth utilization over slower network links, with support for trunking and
multiplexing, and ability to traverse firewalls and NAT.
Function IAX is an “all-in-one” application layer control protocol for creating,
modifying, and terminating multimedia sessions over IP networks from server-to-
server and server-to-client. Although primarily targeted at VoIP, IAX can be used
for other multimedia applications including streaming video. IAX is somewhat
unique in its “in-band” approach, delivering both control and media services
together. IAX uses a single static UDP port (4569) for both signaling and media,
which simplifies NAT traversal, a problem for some other voice control protocols. The intent is to
simplify firewall and network management. IAX is also compact and efficient,
and as an open protocol, supports future additional payload types and services,
although to be incorporated, features have to be added to the protocol.
Known Compromises and Vulnerabilities As with all real-time systems, risks of
resource exhaustion or DoS-type attacks are ever present. For IAX, because of the
well-known single static port and risk of added processing time to the nonlatency-
tolerant media streams, this risk should not be taken lightly. Additionally, some
known vulnerabilities for the IAX2 libraries allow remote code execution via a
truncated frame exploit. However, the most significant risk from IAX, in
particular, is also one of the protocol’s main benefits—its efficiency and ability to
support many different traffic streams in a multiplexed fashion over a firewall.
While most IAX issues will be a result of the implementation versus the capability
of the protocol, organizations with sensitive data or intellectual property that
may be subject to corporate espionage or other commercial for-profit
exploitation should carefully evaluate whether they want to support a protocol
that makes it easier for someone to smuggle data outside the walls in an almost
Recommendations IAX was designed for use with Asterisk but is also available
for use with some other IPPBX systems. If deploying Asterisk as an enterprise
VoIP solution, it would be wise to consult one of the many volumes available
relating specifically to Asterisk, some of which have entire sections or chapters
covering security. If deploying IAX as a protocol solution for a non-Asterisk-based
system, seriously consider the risk of not being able to determine whether the
streams contain audio or something else (without access to very advanced
equipment and software, that is. If you’re working for the DoD, these capabilities
may be available to you). Alternatively, evaluate the functional balance of using
IAX with what it might take to support other protocols such as H.323 or SIP and
what your overall exposure profile might look like. Your VoIP security posture
must include both the risk of running this protocol, along with consideration of
having run other protocols instead. After modeling any realistic situations you
may encounter, which leaves you with the least amount of residual risk?
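The truncated-frame failure mode mentioned above, as an added example that is not part of the original chapter or of the Asterisk code base: a Python parser for IAX2 full and mini frames (RFC 5456 layout) that bounds-checks every information element before trusting its length, so a frame cut short, or one carrying an IE length larger than the bytes that follow, is dropped instead of being read past its end. The frames are constructed inline; the frame-type, message, and IE tables cover only the values the example uses.

```python
import struct

# Tables cover only the values this example exercises (RFC 5456 sections 8.2 and 8.6).
FRAME_TYPES = {1: "DTMF", 2: "VOICE", 3: "VIDEO", 4: "CONTROL", 5: "NULL", 6: "IAX",
               7: "TEXT", 8: "IMAGE", 9: "HTML", 10: "CNG"}
IAX_MESSAGES = {1: "NEW", 2: "PING", 3: "PONG", 4: "ACK", 5: "HANGUP", 6: "REJECT",
                7: "ACCEPT", 8: "AUTHREQ", 9: "AUTHREP", 10: "INVAL"}
IE_NAMES = {1: "CALLED_NUMBER", 2: "CALLING_NUMBER", 4: "CALLING_NAME", 6: "USERNAME",
            7: "PASSWORD", 11: "VERSION"}
FULL_HEADER = 12
MINI_HEADER = 4


def parse_ies(data):
    """Walk the type/length/value information elements of an IAX control frame.

    Every length is checked against the bytes actually present before it is used;
    that missing check is what a truncated-frame crash or over-read exploits.
    """
    ies, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated IE header at offset %d" % off)
        ie_type, ie_len = data[off], data[off + 1]
        off += 2
        if off + ie_len > len(data):
            raise ValueError("IE %d claims %d bytes but only %d remain" % (ie_type, ie_len, len(data) - off))
        ies.append((IE_NAMES.get(ie_type, "IE_%d" % ie_type), bytes(data[off:off + ie_len])))
        off += ie_len
    return ies


def parse_iax2(pkt):
    """Parse one UDP payload as an IAX2 frame. Raises ValueError on anything short or inconsistent."""
    if len(pkt) < MINI_HEADER:
        raise ValueError("frame shorter than the 4-byte mini-frame header")
    first = struct.unpack("!H", pkt[:2])[0]
    if not first & 0x8000:                                   # F bit clear: mini (media) frame
        if first == 0:
            return {"kind": "meta", "data": bytes(pkt[2:])}   # trunk/video meta frames: not decoded here
        ts = struct.unpack("!H", pkt[2:4])[0]
        return {"kind": "mini", "src_call": first & 0x7FFF, "timestamp": ts, "payload": bytes(pkt[4:])}
    if len(pkt) < FULL_HEADER:
        raise ValueError("full frame shorter than the 12-byte header")
    src, dst, ts, oseq, iseq, ftype, sub = struct.unpack("!HHIBBBB", pkt[:FULL_HEADER])
    frame = {"kind": "full", "src_call": src & 0x7FFF, "dst_call": dst & 0x7FFF,
             "retransmit": bool(dst & 0x8000), "timestamp": ts, "oseqno": oseq, "iseqno": iseq,
             "type": FRAME_TYPES.get(ftype, "TYPE_%d" % ftype),
             "subclass": (1 << (sub & 0x7F)) if sub & 0x80 else sub & 0x7F}  # C bit: subclass is 2**value
    if ftype == 6:                                            # IAX control frame: body is a list of IEs
        frame["message"] = IAX_MESSAGES.get(sub & 0x7F, "MSG_%d" % (sub & 0x7F))
        frame["ies"] = parse_ies(pkt[FULL_HEADER:])
    else:
        frame["payload"] = bytes(pkt[FULL_HEADER:])
    return frame


def safe_parse(pkt):
    """What a gateway should do with a bad frame: drop it (None) rather than crash or over-read."""
    try:
        return parse_iax2(pkt)
    except ValueError:
        return None


# --- constructed sample frames ---------------------------------------------------
def build_full(src, dst, ts, oseq, iseq, ftype, sub, body=b""):
    return struct.pack("!HHIBBBB", 0x8000 | src, dst, ts, oseq, iseq, ftype, sub) + body


def build_ies(*pairs):
    return b"".join(bytes([t, len(v)]) + v for t, v in pairs)


NEW_FRAME = build_full(1, 0, 0, 0, 0, 6, 1,
                       build_ies((11, b"\x00\x02"), (6, b"alice"), (1, b"5551234")))
TRUNCATED_FRAME = NEW_FRAME[:-3]                 # last IE now claims 7 bytes with only 4 present
MINI_FRAME = b"\x00\x05\x12\x34" + b"\x11\x22"   # call 5, 16-bit timestamp 0x1234, two payload bytes

if __name__ == "__main__":
    print(parse_iax2(NEW_FRAME))
    print(parse_iax2(MINI_FRAME))
    print(safe_parse(TRUNCATED_FRAME))
```

Because signaling and media share one UDP port, the same parser sees both; rate-limiting NEW and REGREQ messages per source address, on top of the length checks shown here, is the usual defense against the flooding risk the text describes.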
Protocol: T.38
Governing Standard RFC 3362 (image/t38 MIME sub-type registration, current), ITU-T
Recommendation T.38
Purpose SDP media descriptor (the image/t38 MIME subtype) for carrying T.38
facsimile transmissions over an IP network.
Function Allows fax over IP in real time via either TCP or UDP.
Known Compromises and Vulnerabilities This is worth researching in some
detail for your particular application. Some known Asterisk vulnerabilities allow
a remote system crash while negotiating T.38 parameters over SIP.
Recommendations Although a less commonly exploited mechanism, ensure that
your OEM or provider can detail any T.38 issues you may face prior to
Protocol: ISDN
Governing Standard Too many to list
Purpose Integrated Services Digital Network (ISDN) is the foundation of many
of the modern TDM networks that support the PTN and PSTN, and while not
really part of VoIP technologies, are worth a mention.
Function As related to VoIP, ISDN networks are either used for IP-based
transport or are linked via gateways to VoIP networks for PSTN access.
Known Compromises and Vulnerabilities ISDN has been around for some time
and is a cornerstone of today’s global voice transport capabilities; consider how
ISDN might play into your overall VoIP and multimedia systems. Although dozens
of books, magazines, and research papers are dedicated to ISDN and many of
them cover security in detail, the main security consideration for an enterprise is
the touch point the between internal VoIP networks and the PSTN: the gateway. It
is common to see exploits tried from IP-networks attempting to bridge the PSTN
network; but it is also possible to compromise a gateway from the PSTN and
create a hairpin, which is just as damaging to long-distance bills (and can be
worse if you pay for inbound minutes as well).
Recommendations Audit all gateways on a regular basis that have both VoIP
networks and PSTN networks connected to them. If using ISDN for
videoconferencing, utilize the stronger authentication methods built in to the PPP
protocol (CHAP), and preferably control who is allowed to dial in via ISDN. You
can also use well-documented features like call back in order to prevent spoofing.
Protocol: SS7 and SIGTRAN
Governing Standard Too many to list
Purpose Signaling System No. 7 (SS7) is the signaling standard for the PTN, and
SIGTRAN is the IETF adaptation that allows SS7 signaling to be carried over IP networks.
Function Signaling and control for PTN voice networks, largely outside the scope
of VoIP considerations, but worth mentioning for awareness and familiarity.
Known Compromises and Vulnerabilities Research this if the environment is
actually running these protocols. Many published vulnerabilities and exploits for
SS7 are addressable via best practices.
Recommendations Typically, you will not have to support these types of
protocols unless you are an exchange or voice carrier, although sometimes these
protocols are used specifically for backhaul over IP networks, which should be
specifically understood and addressed in relation to the overall security posture.
Protocol: SMS
Governing Standard 3GPP TS 23.040 (sort of … SMS was developed as part of the
international cooperative GSM project)
Purpose Short Message Service (SMS) is a methodology for sending text messages
via cellular or other mobile technologies, but is now being adopted and
integrated into other multimedia applications.
Function Everyone today uses SMS with or without realizing it, but adoption in
enterprise environments is increasing at an incredible rate for business
Known Compromises and Vulnerabilities While SMS is not strictly related to
enterprise VoIP, understanding the trend toward owning and operating
corporate SMS gateways is relevant. Direct text marketing and other methods of
text SPAM/unsolicited/unregulated SMS messaging will become a tool in the black
hat’s toolkit in the near future (if it has not already come to pass). The same
sophisticated social engineering tricks that can leverage SIP so easily can also use
SMS as another convenient launch medium.
Recommendations Specifics related to securing the operation of SMS are unique
and need special consideration. The IP Multimedia Subsystem (IMS), the 3GPP
architecture for delivering IP-based multimedia services in the next-generation
network (NGN), supports SMS over IP (3GPP TS 23.204 and TS 24.341), and both
this and other cellular network technologies (4G LTE for example) either support
today or will support SMS. If interacting with or supporting cellular networks,
ensure that the considerations for SMS make it into the overall risk assessment,
and the specifics of the installation are defined, measured for risk, and
evaluated on an ongoing basis as the services and uses evolve.
Security Posture: System Integrators and Hosted VoIP
How much does the system integrator or vendor that’s chosen really know about
the selected VoIP or multimedia platform? Are they experts on security or on
securing this specific system? How many times have they implemented a similar
system, and have any of those systems been compromised? If deploying an off-
premise solution, how will we guarantee the integrity of sensitive corporate
conversations? What capabilities do we have to ensure that our phone bills are
actually correct? These questions—and many more—need to be answered if your
organization is in the process of evaluating or deploying a new VoIP technology.
The three specific areas alluded to in these questions can be outlined as detailed
in the following sections.
For hosted VoIP:
•Should I consider a hosted option for enterprise use?
•Where does the responsibility lie for the security of a hosted system?
•Is it possible to integrate an off-premise solution with something internally
hosted and managed, and is this a good idea?
•What is TEM (telecom expense management) and what does it do for the enterprise?
•How does TEM relate to security?
The trend across IT departments today seems to be toward perpetually figuring
out how to do more with less. Although running lean can provide some benefits
to the financial bottom line, it also creates new risks to the environment. Using a
system integrator (SI) can be cost-effective, but how can you ensure that you will
improve your security rather than create additional vulnerabilities that will need
to be addressed? There are a few questions you should ask your vendors that will
help ensure you that they both know what it will take to provide a secure system
and keep your best interests in mind. Before starting, ask yourself these
•How can I choose a quality integrator and determine if the integrator has the
necessary skills to implement the system?
•What questions can I ask in order to determine if one integrator is more security-
aware than another if they are both technically competent?
•Does the network require other attention prior to a VoIP deployment?
When evaluating a new system, if you don’t already have one, create a
scorecard by which you can measure vendors against each other. It does not need
to be complicated, but it should let you rate vendors, via a point system, on their
ability to implement the solution and against one another. You
want both objective and subjective metrics—if you’ve used a vendor in the past
and had great experiences, then that should count for something. Alternatively, if
you have had poor experiences with an SI in the past but they have proven to
your satisfaction that they can do a better job for you, that thinking should be
incorporated as well. The Balanced Scorecard approach offers an easy-to-use
template, or you can create something simple, like the one shown in Figure 19-1.
Figure 19-1 Vendor scorecard
In addition to the scorecard, carefully evaluate the vendor’s Statement of
Work (SOW) and understand exactly what they are proposing they do and what
they are asking you to do. Often, small items are included in an SOW that are
expected of the customer but aren’t necessarily considered up front—these can
become a big deal later. Make sure the responsibilities and tasks that the vendor
needs you to complete to be successful are spelled out in very clear detail,
preferably in one place.
For example, is the vendor providing project management, or will you handle
it internally? Project management (PM) may not seem to be directly related to
security, but in the bigger picture, having PM involvement helps ensure that
things are organized in a way that explicitly defines the task-level expectations
from a security perspective, and can ensure that things like suitable
documentation are delivered after the project is closed. Quiz the vendors about
their general practices around security, get a feel for their general approach, and
ensure that you discuss what your expectations are from a baseline security
perspective. You can ask things like:
•How many deployments of the specific system have you completed?
•Are you familiar with this code revision and any security-related release notes
and default setting changes for the version to be deployed?
•Have any of the systems you’ve previously installed been compromised?
•If so, why? Were you involved in the root cause analysis?
•What did you learn and what internal processes have you changed as a result of
•At what point do you change passwords during the install process?
•What are the basic ACLs or protections you put in place for every deployment, by
default, without specific customer request?
•Which sets of security standard practices are you familiar with and which do you
employ in your planning, installation, and deployment processes?
•A question for yourself: Since you’re going to rely on this SI to perform work that
you will have to put your seal of approval on and possibly attach your name to …
do you have a sense of confidence that the vendor will “do the right thing” or
do what you would do given a difficult choice?
Do some advance research to understand what the best practices are for
baseline security for whatever system you’re about to deploy. Particularly with
voice, security is important and often neglected. Ask the vendor about past
mistakes or things that didn’t go so well—if the vendor is willing to be open and
humble about things that they’ve learned from in the past, you may get an idea of
how well the vendor will address anything that does fall through the cracks.
There are conflicting ideas between VoIP functionality and preserving
perimeter security, and sometimes a network needs to be “prepped” for voice.
This consideration isn’t strictly about how to configure your QoS—you also want
to be aware of your visibility into what voice protocols are being used on the
network and how they are being used. The SI should document and provide
exactly what the net add is going to be, both in traffic volume and type, along
with recommendations for anything that needs to be investigated or completed in
the security systems (firewalls, IDS and IPS, analyzers, monitoring platforms,
Hosted VoIP and Off-Premise Systems
Between the cost of capital, the capital itself, and the ongoing cost of operations,
many organizations are looking at ways to stretch the dollars spent on their
telecommunication systems. Phones and telecom are part of the bottom-line
functionality that business cannot survive without, which sounds obvious, but
frequently means that many assumptions are made about the cost aspects for
procuring and operating voice platforms.
Thanks to the extensibility and low cost of VoIP technologies, the cost of
computing power to support multitenancy, the “cloud” movement, and Moore’s
law basically holding true for the cost of bandwidth (which means you can get
double the bandwidth for the same cost every 18 months), a relatively new
market has emerged—the hosted VoIP phone system. Off-premise solutions
available to businesses offer a complete suite of enterprise features and
functionality previously reserved for only enterprise-level highly complex PBX
For most organizations, cost is often a primary decision driver. Because low
cost and high security are often competing ideas, defining a set of “relevance
factors” may help you qualify whether a hosted system is a good idea for your
organization. Understanding what is important to your business helps you make
a recommendation as to whether a cloud-based or off-premise VoIP solution is a
suitable choice for your environment.
Questions you should ask both yourself and the prospective provider include
the following: Should I consider a hosted system for my organization? What
security methods or solutions are available to ensure that these systems are
protected? How security-aware is the provider? Can administrative functions be
segregated? Some voice hosting providers, specifically smaller start-up types,
provide cost-effective solutions by offering multitenancy on the back-end
systems. Considering that business process is the last thing to be developed in a
small shop and human error is responsible for most outages and security
breaches of any type globally, are you willing to bet on the robustness of your
provider’s processes and the skill of its administrators to protect your data from
Some providers do have high-quality solutions that preserve the integrity and
confidentiality of each of their customers’ information from each other, but how
can they demonstrate this? Build a questionnaire for potential providers that
helps you drill in to how they operate the systems you’re signing up for. Pay
special attention to the following:
•How is multitenancy managed?
•Where are the separations between customers?
•Are they logical or physical?
•How are the provider’s networks built and protected?
•Is there firewalling between different customers’ environments?
•Is a dedicated circuit required to deliver its services?
•Is this on a private network or delivered via the Internet?
•If delivered via the Internet, is it a dedicated Internet link or shared with other
•Are techniques like IPSec employed for header and payload encryption of the
actual voice traffic, or is only payload protection available?
•Are SLAs being offered, and do they cover security events?
•Do the provider’s work processes and change processes preserve the segregation
between your environment and someone else’s?
•Is the staff of the hosting provider able to maintain a least-privilege model and
other best practices for supporting the back end?
Based on answers to some of the previous questions, if the system is
administered largely outside of the organization’s walls and outside the realm of
administrative control by badged employees, with only endpoints actually on
your network, who is responsible for the overall security of the system? This can
be a sticky question, especially if you’re ever in a data-breach situation. Ensuring
you have strong underpinning contracts supporting the internal customer-facing
SLAs will ensure that the vendor is accountable for simple things like moves,
adds, and changes, but a data breach will still land squarely in the lap of the
Understanding the needs of your organization’s unique security environment
and matching those with provider capabilities is an important exercise. Not
everyone needs DoD levels of protection, so balancing your actual requirements
against cost considerations and stakeholder interests is critical. If involved in the
front end of the project or deployment, develop a risk profile with the potential
threats you could face. If joining mid-cycle, consider performing an audit of the
system and its functions, review the tickets for suspicious or security-related
items, and generate an audit findings report that gets everyone (especially
executives, customers, stakeholders) on exactly the same page.
Implementing a new system from the ground up, either on premise or hosted,
is relatively straightforward (not simple … but straightforward). It can be
significantly more complicated, however, to integrate an existing internally
managed solution with a hosted one. A few typical scenarios would warrant such
•Scenario A Your organization is planning to migrate from one system to another
over a period of time, and the situation does not allow for a direct cutover; user
functionality and consolidated dialing must be preserved during the migration. In
this scenario, you control both systems with the same group of administrators.
•Scenario B A new organization or interest has been acquired, and cost and/or
other reasons dictate preserving both systems, but you are required to allow
direct calling and dialing between the systems. You may, at some point, control
both systems with the same group, but initially they are separately administered.
•Scenario C There are enough dollars spent on telecom services with a particular
organization (perhaps a customer or major supplier) that it makes sense to
perform some level of integration in order to save money on both sides by
bypassing the PTN. You only control one system but still need to integrate with
•Scenario D Some users within your environment do not have the same set of use
requirements for the system, and you can deliver packaged services to a group or
type of user more cost effectively by delivering certain types of user access via a
third-party system versus an internal system (or vice versa). You have a cost
advantage in offering different levels of service to different types of users either
by function or geography.
Each of these four scenarios has certain specific details that you need to pay
attention to in order to protect the sanctity of your environment.
In scenario A, where you control both systems in the long term and you’re
only supporting integration for dial-plan purposes for some period of time, pay
the most attention to which services will be run on which system and when, and
to how those services will affect the rest of the environment. Because both systems
are technically within your electronic perimeter, a direct integration may be
possible (for example, if the old system and new system are of the same type, you
may be able to use system tools and features to integrate them securely).
Scenario B, which could be a merger or acquisition situation, may dictate that
you have some level of segregation or a trust boundary between the systems for a
defined period of time, which you could choose to keep in place indefinitely
depending on the specifics. In this situation, you really want to consider the use
of a gateway or SBC and a security device of some type sitting between the
systems and offering some type of stateful inspection (SBCs and other devices can
do both). Even if you have a clearly defined plan for network integration, this can
be an unintended early data connection between networks that can allow nasty
things in under your nose. SIP gateways are being used more and more often in
this type of situation, so remember that SIP does not carry any of its own security
mechanisms, relying on IPSec (which, in turn, relies on your practices and
implementation) for security.
Scenario C—two systems permanently under different administrative
domains—most certainly requires both a gateway and firewall, and you may
want to look carefully at which traffic you allow and how it is accessed. A trunk
access code via a gateway is one way to easily and securely connect to a third-
party system, where calls to the other entity are allowed based on a specific
dialed digit sequence (and an optional but recommended forced authorization
code), or there may be other methods or features based on your system. When
connecting to a third party like this, also consider where within your
environment the other party needs to be able to call, as you could inadvertently
become a remote gateway for someone to exploit—any connection like this
creates an implied trust relationship between you and whatever system you are
connecting to. As much as possible, make these allowed pathways explicit and
specifically controlled by IP address, port, protocol, and service type.
Scenario D is really gaining popularity as globalization continues to grow and
penetrate industries previously never considered “worldwide,” with voice and
data communication capability being the cornerstone enabler for this
multinational corporate foundation. Whereas the term “global company” was
once only used to refer to the megalopolis or huge transnational organization of
the Fortune 500, SMBs and enterprises of any size are now able to globalize with
a mix of creative in- and outsourcing. Understanding what it costs to deliver
complete enterprise telephony services on a per-head basis can be difficult but is
worth understanding, as someone will inevitably ask the question, “What are we
getting for those dollars?” This question is often followed by “This set of workers
does not need all of those features; how can we deliver a subset of services to
them at a lower price point?” The aware security administrator will hopefully see
this thinking on the horizon and be in a position to offer some proactive advice
on the matter as soon as it comes up: yes, we can securely integrate with a third-
party system on a permanent basis in the following ways:
•We need to understand what the third party will provide—a phone only? Any
integration to other systems? Voicemail? Remote access and DISA?
•We need to develop a suitable “interface” that preserves our security perimeter
and have a firewall with ALG capability proposed as part of the design.
•We need to create dial-plan space or use a trunk access code to dial between the
systems, and carefully evaluate whether we will allow features like tail-end hop-
off (remember, toll bypass and toll evasion are similar, but one is illegal and one
is not … be aware of the laws in the country or state you’ve provided dial tone to).
When it comes down to it, you need to evaluate your overall mission and
understand if the features and services a hosted VoIP provider is offering fit in
with the expectations of your stakeholders. Not everyone needs their voice
system to be run from Fort Knox, and paying attention to the other relevant
details, in addition to how the back end is hosted, will help you preserve a
suitable overall security posture.
A Private Branch Exchange (PBX) is a computer-based switch that can be thought
of as a local phone company. Following are some common PBX features:
•Remote control (for support)
Hacking a PBX
Attackers hack PBXs for several reasons:
•To gain confidential information (espionage)
•To place outgoing calls that are charged to the organization’s account (and thus
free to the attacker)
•To cause damages by crashing the PBX
This section briefly reviews some common attacks, without delving into details.
Administrative Ports and Remote Access
Administrative ports are needed to control and diagnose the PBX. In addition,
vendors often require remote access via a modem to be able to support and
upgrade the PBX. This port is the number one hacker entry point. An attacker can
connect to the PBX via the modem; or if the administrative port is shared with a
voice port, the attacker can access the port from outside the PBX by calling and
manipulating the PBX to reach the administrative port. Just as with
administrative privileges for computers, when attackers have remote
administrative privileges, “they own the box” and can use it to make
international calls or shut down the PBX.
An attacker can gain information from voicemail or even make long-distance
phone calls using a “through-dial” service. (After a user has been authenticated
by the PBX, that user is allowed to make calls to numbers outside the PBX.) An
attacker can discover a voicemail password by running an automated process
that “guesses” easy passwords such as “1111,” “1234,” and so on.
Denial of Service
A PBX can be brought down in a few ways:
•PBXs store their voicemail data on a hard drive. An attacker can leave a long
message, full of random noises, in order to make compression less effective—
whereby a PBX might have to store more data than it anticipated. This can result
in a crash.
•An attacker can embed codes inside a message. (For example, an attacker might
embed the code for message rewinding. Then, while the user listens to the
message, the PBX will decode the embedded command and rewind the message
in an endless loop.)
Securing a PBX
Here is a checklist for securing a PBX:
•Connect administrative ports only when necessary.
•Protect remote access with a third-party device or a dial-back.
•Review the password strength of your users’ passwords.
•Allow passwords to be different lengths, and require the # symbol to indicate the
end of a password, rather than revealing the length of the password.
•Disable all through-dialing features.
•If you require dial through, limit it to a set of predefined needed numbers.
•Block all international calls, or limit the number of users who can initiate them.
•Block international calls to places such as the Caribbean that fraudsters tend to
•Train your help desk staff to identify attempted PBX hacks, such as excessive
hang-ups, wrong number calls, and locked-out mailboxes.
•Make sure your PBX model is immune to common DoS attacks.
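A voicemail PIN audit that applies the checklist items on password strength and length, catching the easy PINs (1111, 1234 and the like) that automated guessing tries first. This is an added example, not code from the book or any PBX vendor; the minimum length and the sample mailboxes are constructed.

```python
"""Voicemail PIN audit for the PBX checklist above: flags short PINs and the
easy patterns automated guessing tries first (1111, 1234 and the like).
Added example, not from the book; MIN_LENGTH and the sample mailboxes are
constructed."""

MIN_LENGTH = 6  # constructed policy value; the PBX should also accept longer PINs


def is_repeated(pin):
    """Single repeated digit, e.g. 1111 or 777777."""
    return len(pin) > 0 and len(set(pin)) == 1


def is_sequence(pin):
    """Strictly ascending or descending run, e.g. 1234 or 987654."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def is_repeating_pair(pin):
    """Two digits alternating, e.g. 1212 or 121212 (1111 is handled above)."""
    if len(pin) < 4 or pin[0] == pin[1]:
        return False
    return pin == (pin[:2] * len(pin))[: len(pin)]


def audit_pin(pin, extension=""):
    """Return the policy failures for one PIN; an empty list means it passes."""
    failures = []
    if not pin.isdigit():
        failures.append("contains non-digits")
    if len(pin) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} digits")
    if is_repeated(pin):
        failures.append("single repeated digit")
    if pin.isdigit() and is_sequence(pin):
        failures.append("ascending or descending sequence")
    if is_repeating_pair(pin):
        failures.append("repeating digit pair")
    if extension and pin in (extension, extension[::-1]):
        failures.append("equals mailbox extension (or its reverse)")
    return failures


def audit_mailboxes(mailboxes):
    """Map extension -> failures for every mailbox whose PIN fails policy."""
    report = {}
    for extension, pin in mailboxes.items():
        failures = audit_pin(pin, extension)
        if failures:
            report[extension] = failures
    return report


# Constructed sample: extension -> current voicemail PIN
SAMPLE_MAILBOXES = {
    "4021": "1111",
    "4022": "123456",
    "4023": "3204",
    "4024": "271829",
    "4025": "121212",
}

if __name__ == "__main__":
    for ext, failures in audit_mailboxes(SAMPLE_MAILBOXES).items():
        print(ext, "->", "; ".join(failures))
```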
TEM: Telecom Expense Management
Phone bills can be more complex to read than ancient hieroglyphs, and there has
been little progress made on simplifying or decoding them for the average
consumer or telecom manager. Understanding what is on your phone bill so you
can tell whether your voice providers are doing the right thing is important
(there are alarming statistics on the error percentage in consumer and corporate
phone bills). But that’s the job of your telecom group—why would a security
professional care about phone bills? Your phone bill can have some clues to other
problems in your environment, and a TEM program can help automate the
process of getting to the goodies, the high-quality information you need to tell
quickly if you have a security problem related to your phone system.
TEM is a relatively new discipline in the telephony space, gaining major
adoption within the last decade. There are many firms armed with specialized
software ready to help you collect, organize, understand, interpret, and audit
your telephone bills, all for a modest gain-share or percentage-of-savings fee (an
interesting side note and case in point illustrating how bad telecom bills are:
companies will guarantee that they will save you so much money that they
derive their compensation purely from a percentage of the money they save you
or get back for you. And TEM firms are doing quite well, illustrating the level of
opportunity out there). While effort (hopefully someone else’s) is involved in the
setup and optimization of the billing, once you’ve reached the point where a TEM
firm can actually audit bills, you’re likely to have a useful tool to spot irregular or
suspicious activity that may otherwise be tough to catch.
At some point in his or her career, every security professional gets pulled into
a conversation about some malicious phone calls or fraudulent billing. Even if the
administrator hasn’t had much to do with telecom prior to that, suddenly he or
she has to figure out how the telephone fraud happened. With TEM in place, the
security administrator has a powerful tool to search for precursors or other
suspicious activity that could be related to the exploited vector the attacker used
and can help identify where it may happen again.
If, for example, an unexpected $100,000 phone bill arrives out of nowhere
with calls to countries your users have no reason to call, and through
investigation you determine that it was the result of a gateway compromise, you
could use the TEM capability to check the rest of the PRI or voice services globally
to determine if any of the same suspicious or exploited numbers were being
called and to help determine if there are other potentially compromised
gateways. You would, of course, also want to do an internal network audit of the
services and security on the gateways themselves, as you’ll want to plug the holes
you know about at the same time that the TEM and audit function is checking for
leaks elsewhere for you.
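The gateway-compromise investigation above, worked over TEM-style call-detail records: find the off-policy destinations the compromised gateway dialed, then check every other gateway for the same numbers. Added example, not code from the book or any TEM product; the record layout, gateway names, numbers, prefix table and the expected-country policy are all constructed (the off-policy prefixes are unassigned codes used only as sample data).

```python
"""Use TEM-style call-detail records to widen a fraud investigation: after one
gateway is found compromised, find which destinations it dialed outside policy
and whether any other gateway dialed the same numbers.  Added example, not
from the book or any TEM product; record layout, gateway names, numbers,
prefix table and policy set are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed records: gateway,timestamp,caller_ext,called_number(E.164),duration_s
SAMPLE_CDRS = """\
GW-NYC-01,2022-06-10T02:14:03,4021,+4420712345678,61
GW-NYC-01,2022-06-10T02:15:10,4021,+99980012345678,1795
GW-NYC-01,2022-06-10T02:45:37,4021,+99980012345678,1790
GW-NYC-01,2022-06-10T03:17:02,4021,+99769912345,1788
GW-LON-02,2022-06-10T09:02:11,1107,+14085551212,240
GW-LON-02,2022-06-11T01:58:40,1107,+99980012345678,1794
GW-LON-02,2022-06-11T02:31:15,1107,+99980012345678,1800
GW-SFO-03,2022-06-11T14:20:09,2231,+14085551212,180
GW-SFO-03,2022-06-11T14:55:44,2231,+4420712345678,95
"""

# Constructed policy: the country codes this business has a reason to call.
EXPECTED_COUNTRY_CODES = {"1", "44"}
# Constructed prefix table for longest-prefix matching (997/999 are unassigned
# codes used here purely as sample off-policy destinations).
KNOWN_COUNTRY_CODES = {"1", "44", "997", "999"}


@dataclass
class Call:
    gateway: str
    timestamp: str
    caller: str
    called: str
    duration: int


def parse_cdrs(text):
    """Parse the constructed CSV layout into Call records."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        gateway, ts, caller, called, duration = line.split(",")
        calls.append(Call(gateway, ts, caller, called, int(duration)))
    return calls


def country_code(e164):
    """Longest-prefix match (3, 2, then 1 digit) against the code table."""
    digits = e164.lstrip("+")
    for length in (3, 2, 1):
        if digits[:length] in KNOWN_COUNTRY_CODES:
            return digits[:length]
    return digits[:1]


def off_policy_calls(calls):
    """Calls to countries outside the expected set."""
    return [c for c in calls if country_code(c.called) not in EXPECTED_COUNTRY_CODES]


def suspicious_numbers(calls, incident_gateway):
    """Off-policy destinations dialed from the gateway known to be compromised."""
    return {c.called for c in off_policy_calls(calls) if c.gateway == incident_gateway}


def other_gateways_calling(calls, numbers, incident_gateway):
    """Gateways other than the incident one that dialed any of the same numbers:
    candidates for the same compromise."""
    hits = defaultdict(set)
    for c in calls:
        if c.gateway != incident_gateway and c.called in numbers:
            hits[c.gateway].add(c.called)
    return dict(hits)


def off_policy_seconds_by_gateway(calls):
    """Billable seconds per gateway that went to off-policy destinations."""
    totals = defaultdict(int)
    for c in off_policy_calls(calls):
        totals[c.gateway] += c.duration
    return dict(totals)


if __name__ == "__main__":
    calls = parse_cdrs(SAMPLE_CDRS)
    numbers = suspicious_numbers(calls, "GW-NYC-01")
    print("numbers dialed by compromised gateway:", sorted(numbers))
    print("other gateways dialing them:", other_gateways_calling(calls, numbers, "GW-NYC-01"))
    print("off-policy seconds per gateway:", off_policy_seconds_by_gateway(calls))
```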
Although phone bills are generally not directly related to the security group’s
main role, it is the objective of every security group to protect stakeholder
interests, and TEM can help a security group detect anomalous behavior and
operate more quickly and effectively when they are called into action for this
type of issue.
“Process makes perfect.” Similar to the maxim “location, location, location” for
realtors, successful security administrators should keep this mantra in mind in
all things that they do: process, process, process. Having solid, repeatable
processes to support any efforts on which they embark can not only help to build
trust in the security group, but also help elevate the level to which security
supports and enables the business. Specifically with voice systems, investing the
time to create a process cycle for evaluating new voice initiatives and
maintaining updated documentation will pay dividends in the long run. There
are arguably more exploitable threat vectors in modern converged multimedia
platforms than in any other area of technology, and this area is also the least
understood and most often neglected. Having defined, documented processes
established to support decisions that capture the relevant risk factors will provide
a tangible ongoing value. Voice systems warrant special attention from security
groups, and this chapter attempts to identify some areas that require thorough
consideration when introducing this family of technologies into an environment.
Intrusion Detection and Prevention
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are
important tools in a computer security arsenal. Often thought of as a tertiary
extra after antivirus software and firewalls, an IDS is often the best way to detect
a security breach. As useful as they can be, however, successfully deploying an
IDS or IPS is one of the biggest challenges a security administrator can face.
This chapter will introduce IDS/IPS concepts, describe the different IDS and
IPS types available, identify features to help you evaluate different solutions, and
discuss real-life deployment considerations. By the end of this chapter, you
should have a rich understanding of both systems and be prepared to navigate
the toughest operational issues.
An IDS can be network based or host based: a network IDS is referred to as a
NIDS, whereas a host-based IDS is referred to as a HIDS. Additionally, a NIDS and
HIDS can detect traffic of interest, or if they are further configured to prevent a
specific action from happening, they are referred to as intrusion prevention
systems: NIPS and HIPS. Keep in mind that, whatever the form (NIDS, HIDS,
NIPS, or HIPS), they are generically referred to as IDS.
Intrusion detection (ID) is the process of monitoring for and identifying specific
malicious traffic. Most network administrators do ID all the time without
realizing it. Security administrators are constantly checking system and security
log files for something suspicious. An antivirus scanner is an ID system when it
checks files and disks for known malware. Administrators use other security
audit tools to look for inappropriate rights, elevated privileges, altered
permissions, incorrect group memberships, unauthorized registry changes,
malicious file manipulation, inactive user accounts, and unauthorized
applications. An IDS is just another tool that can monitor host system changes
(host based) or sniff network packets off the wire (network based) looking for
signs of malicious intent.
An IDS can take the form of a software program installed on an operating
system, but today’s commercial network-sniffing IDS/IPS typically takes the form
of a hardware appliance because of performance requirements. An IDS uses
either a packet-level network interface driver to intercept packet traffic or it
“hooks” the operating system to insert inspection subroutines. An IDS is a sort of
virtual food-taster, deployed primarily for early detection, but increasingly used
to prevent attacks.
When the IDS notices a possible malicious threat, called an event, it logs the
transaction and takes appropriate action. The action may simply be to continue to
log, send an alert, redirect the attack, or prevent the maliciousness. If the threat is
high risk, the IDS will alert the appropriate people. Alerts can be sent by e-mail,
Simple Network Management Protocol (SNMP), pager, SMTP to a mobile device,
or console broadcast. An IDS supports the defense-in-depth security principle and
can be used to detect a wide range of rogue events, including but not limited to
•Installation of rootkits
•Software vulnerability exploits
•Malicious code, like viruses, worms, and Trojans
•Illegal data manipulation
•Unauthorized file access
•Denial of service (DoS) attacks
To really understand an IDS, you must understand the security threats and
exploits it can detect and prevent. Threats can be classified as attacks or misuse,
and they can exploit network protocols or work as malicious content at the
Attacks or Misuse
Attacks are unauthorized activity with malicious intent using specially crafted
code or techniques. Attacks include denial of service, virus or worm infections,
buffer overflows, malformed requests, file corruption, malformed network
packets, or unauthorized program execution. Misuse refers to unauthorized
events without specially crafted code. In this case, the offending person used
normally crafted traffic or requests and their implicit level of authorization to do
something malicious. Misuse can also refer to unintended consequences, such as
when a hapless new user overwrites a critical document with a blank page.
Another misuse event could be a user mapping a drive to a file server share not
intended by the network administrator.
Regardless of how an alert is detected, the administrator groups all alerts into
one of four categories:
•True positives (correct escalation of important events)
•False positives (incorrect escalation of unimportant events)
•True negatives (correct ignorance of unimportant events)
•False negatives (incorrect ignorance of important events)
An easy way to remember these principles is by thinking about the concepts of
“alert” and “condition.” A simple fire alarm can serve as a good illustration:
•A true positive happens when the alert is positive (the alarm sounded) and the
condition it represents is true (meaning there actually is a fire). That’s a good
thing—it’s what the fire alarm is supposed to do.
•A false positive happens when the alert is positive (the alarm sounded) but the
condition it represents is false (meaning there is no fire). That’s not so great—it
wastes time and annoys people.
•A true negative is when the alert is negative (the alarm is not sounding) and it is
reporting a true condition (there is no fire). That’s a good situation, and it’s what
you’d expect the majority of the time.
•A false negative is when the alert is negative (no alarm sounded), but the
condition it reports (no fire) is false (there is a fire). This is a truly dangerous
condition, whether in the case of a building fire or in an IDS.
You can also think about these examples in the context of other detection
systems, such as car alarms. Some people get so annoyed by false positives (car
alarms going off for no apparent reason) that they learn to ignore all car alarms,
even when they are true positives (there was a reason for the alarm, but nobody
paid attention). This phenomenon can also happen with an IDS. If not properly
tuned, it can generate so much “noise” that it’s ignored.
Most IDSs are deployed to detect intentionally malicious attacks coming from
external locations, but they are also proving of value within the corporate world
for monitoring behaviors and violations by internal users. Security surveys often
reveal internal misuse events as a leading cause of corporate data loss, and an
IDS tool can track internal maliciousness (intentional or unintentional) almost as
well as external attacks. In one case, a sharp security officer working in an IT
department used an IDS to catch a fellow employee cracking passwords and
reading confidential e-mail.
Network Protocol Attacks
Many of the security threats detected by an IDS exploit network protocols (layers
two and three of the OSI model). Network protocols such as TCP/IP define
standard ways of transmitting data to facilitate open communications. The data is
sent in a packet (layer three), which is then encapsulated into a layer two frame,
which is then transmitted as packages of electronic bits (1s and 0s) framed in a
particular format defined by a network protocol—but the protocols do not
contemplate the consequences of malicious packet creation. This is because
protocols are designed to perform functions, not to be secure.
When information is sent between network hosts, commands and data sent by
higher-layer application processes (such as FTP clients, web servers, and IM chat
programs) are placed as payload content into discrete containers
(called datagrams or packets), numbered, and sent from source to destination.
When the packets arrive at the destination, they are reassembled, and the content
is handed off to the destination application. Network protocols define the packet’s
formatting and how the datagram is transmitted between source and destination.
Malicious network protocol attacks interfere with the normal operation of this
Flag Exploits Abnormally crafted network packets are typically used for DoS
attacks on host machines, to skirt past network perimeter defenses (bypassing
access control devices), to impersonate another user’s session (attack on
integrity), or to crash a host’s IP stack (DoS). Malicious network traffic works by
playing tricks with the legitimate format settings of the IP protocol. For instance,
using a specially crafted tool, an attacker can set incompatible sequences of TCP
flags, causing destination host machines to issue responses other than the normal
responses, resulting in session hijacking or more typically a DoS condition. Other
examples of maliciously formed TCP traffic include an attacker setting an ACK
flag in an originating session packet without sending an initial SYN packet to
initiate traffic, or sending a SYN and FIN (start and stop) combination at the same
time. TCP flags can be combined in many ways, and each combination draws a
response (or a telling silence) that can fingerprint the target's operating
system, reveal whether a stateful packet-inspecting device sits in front of the
target, or simply go unanswered. Port scanners use these unusual scan types (FIN,
NULL, XMAS, and ACK scans) to determine whether a destination port is open or
closed even when blocking mechanisms are installed to stop ordinary SYN scans.
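The flag checks described above, as an added example that is not part of the original chapter. The Python below parses raw TCP headers, labels combinations that a conforming sender never emits (NULL, SYN+FIN, XMAS, FIN without ACK), and adds a small stateful check for an ACK on a flow that never had a SYN. The headers are constructed inside the block; the labels and the 4-tuple bookkeeping are this example's own design, not any particular IDS product's.

```python
import struct

# TCP flag bits in the low byte of header bytes 12-13 (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, flags, seq=0, ack=0):
    """Construct a minimal 20-byte TCP header (constructed test data; checksum left zero)."""
    offset_and_flags = (5 << 12) | flags  # data offset = 5 words, reserved bits 0
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, 8192, 0, 0)


def tcp_flags(segment):
    """Extract the six classic flags from a raw TCP header, ignoring the ECN bits."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def classify_flags(flags):
    """Stateless check: label flag combinations that a conforming sender never emits."""
    has = lambda bit: bool(flags & bit)
    if flags == 0:
        return "anomaly: no flags set (NULL scan)"
    if has(SYN) and has(FIN):
        return "anomaly: SYN and FIN set together (start and stop in one segment)"
    if has(SYN) and has(RST):
        return "anomaly: SYN and RST set together"
    if has(FIN) and has(PSH) and has(URG) and not has(ACK):
        return "anomaly: FIN, PSH and URG without ACK (XMAS scan)"
    if has(FIN) and not has(ACK):
        return "anomaly: FIN without ACK (FIN scan)"
    if (has(PSH) or has(URG)) and not has(ACK):
        return "anomaly: PSH or URG without ACK outside an established session"
    return "normal"


class FlowMonitor:
    """Stateful check: remembers which 4-tuples began with a SYN, so an ACK-bearing
    segment on a flow that never had one (an ACK scan, or a forged session) is flagged."""

    def __init__(self):
        self.flows = set()

    def inspect(self, src, dst, segment):
        flags = tcp_flags(segment)
        sport, dport = struct.unpack("!HH", segment[:4])
        forward = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        verdict = classify_flags(flags)
        if verdict != "normal":
            return verdict
        if flags == SYN:
            self.flows.add(forward)
        elif flags & ACK and forward not in self.flows and reverse not in self.flows:
            return "anomaly: ACK on a flow that never saw a SYN (ACK scan or forged session)"
        return verdict


if __name__ == "__main__":
    monitor = FlowMonitor()
    print(monitor.inspect("10.0.0.5", "10.0.0.1", build_tcp_header(40000, 80, ACK)))
    print(monitor.inspect("10.0.0.5", "10.0.0.1", build_tcp_header(40001, 80, SYN | FIN)))
```

The stateless rules catch the malformed combinations the text lists; the flow table is what makes the "ACK without a SYN" case detectable at all, which is why a NIDS that drops state under load also loses this class of detection.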
Fragmentation and Reassembly Attacks Although not quite the security threat
they once were, IP packets can be used in fragmentation attacks. IP
fragmentation exists because every link has a maximum transmission unit
(MTU), the largest number of bytes it can carry in a single frame. A datagram
larger than the MTU is broken into multiple smaller packets (known as
fragments) and sent from source to destination. A fragment offset value in
each fragment header tells the destination host where that fragment's bytes
belong when it reassembles the original datagram.
Attacks manipulate fragment offsets so that fragments overlap and a later
fragment overwrites bytes that an earlier one already delivered. If an IDS or
firewall passes fragments without reassembling them before inspection, an
exploit may slip by. For example, suppose a firewall does not allow FTP traffic.
An attacker sends a first fragment that looks like an SMTP packet headed to
destination port 25, which the firewall passes, followed by an overlapping
fragment whose bytes cover the transport header. When the destination host
reassembles the datagram, the later fragment overwrites the original port
number, and the result is an FTP packet to destination port 21. The main
advantage here for the attacker is stealth: the exploit bypasses both the
firewall and the IDS.
Today, most IDSs, operating systems, and firewalls reassemble fragments before
inspection and drop datagrams whose fragments overlap or cannot be reassembled
within a timeout.
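An added illustration (not from the original chapter) of the overlap just described, using a deliberately minimal model: a fragment is (offset in 8-byte units, bytes), the "firewall" inspects only the first fragment it sees, and two reassembly policies are compared. The overwrite-on-overlap stack and the SMTP-to-FTP port rewrite are constructed for the example; the strict reassembler shows the defense, which drops any datagram whose fragments overlap.

```python
import struct

ALLOWED_DEST_PORTS = {25}  # constructed firewall policy: SMTP allowed, FTP (21) blocked


def make_transport_header(dport, sport=40000, seq=1):
    """First 8 bytes of a TCP header: source port, destination port, sequence number."""
    return struct.pack("!HHI", sport, dport, seq)


def dest_port(packet):
    return struct.unpack("!HH", packet[:4])[1]


def naive_reassemble(fragments):
    """Reassembly in which a later fragment simply overwrites bytes already received.
    This 'last writer wins' behaviour is what overlap attacks depend on (assumed policy)."""
    total = max(off * 8 + len(data) for off, data in fragments)
    buf = bytearray(total)
    for off, data in fragments:  # arrival order matters
        buf[off * 8:off * 8 + len(data)] = data
    return bytes(buf)


def strict_reassemble(fragments):
    """Drop the whole datagram if any two fragments cover the same byte range."""
    covered = []
    for off, data in fragments:
        start, end = off * 8, off * 8 + len(data)
        if any(start < e and s < end for s, e in covered):
            raise ValueError(f"overlapping fragment at byte offset {start}; datagram dropped")
        covered.append((start, end))
    return naive_reassemble(fragments)


def is_rejected(fragments):
    """True when the strict policy refuses to reassemble the datagram."""
    try:
        strict_reassemble(fragments)
        return False
    except ValueError:
        return True


def first_fragment_filter(fragments):
    """Models a firewall that checks the port only in the first offset-0 fragment
    and forwards the remaining fragments unseen."""
    first = next(data for off, data in fragments if off == 0)
    return dest_port(first) in ALLOWED_DEST_PORTS


# Constructed attack: the first fragment looks like SMTP; the third claims offset 0
# again and, on an overwrite-on-overlap stack, replaces the destination port with 21.
ATTACK = [
    (0, make_transport_header(25)),
    (1, b"USER ano"),
    (0, make_transport_header(21)),
]
BENIGN = [(0, make_transport_header(25)), (1, b"HELO mai")]

if __name__ == "__main__":
    print("firewall passes attack:", first_fragment_filter(ATTACK))
    print("naive stack sees port:", dest_port(naive_reassemble(ATTACK)))
    print("strict stack rejects:", is_rejected(ATTACK))
```

The same check belongs in the IDS: an inspection engine that reassembles with the strict policy, rather than scanning fragments individually, sees the datagram the host will see (or drops what the host should drop).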
Although network protocol attacks abound, most security threats exploit the
host’s application layer. In these cases, the TCP/IP packets are constructed
legitimately, but their data payload contains malicious content. Application
attacks can be text commands used to exploit operating system or application
holes, or they can contain malicious content such as a buffer overflow exploit, a
maliciously crafted command, or a computer virus. Application attacks include
misappropriated passwords, cross-site scripting, malicious URLs, password-
cracking attempts, rootkit software, illegal data manipulation, unauthorized file
access, and every other attack that doesn’t rely on malformed network packets to
The major problem is that the majority of these attacks are allowed by the
firewall because they are carried over legitimate services like port 80 (HTTP) or
port 25 (SMTP) without their contents being checked.
Content Obfuscation Most IDSs look for known malicious commands or data in a
network packet’s data payload. A byte-by-byte comparison is done between the
payload and each potential threat signature in the IDS’s database. If something
matches, it’s flagged as an event. This is how “signature-based” IDSs work.
Someone has to have the knowledge to write the “signature.”
Because byte scanning is relatively easy to do, attackers use encoding schemes
to hide their malicious commands and content. Encoding schemes are non-
plaintext character representations that eventually get converted to plaintext for
processing. The flexibility of the coding for international languages on the
Internet allows ASCII characters to be represented by many different encoding
schemes, including hexadecimal (base 16, in which the word “Hello” looks like
“48 65 6C 6C 6F”), decimal notation (where “Hello” is “72 101 108 108 111”), octal
(base 8, in which “Hello” appears as “110 145 154 154 157”), Unicode (where
“Hello” = “0048 0065 006C 006C 006F”), and any combination thereof. Web URLs
and commands have particularly flexible syntax. Complicating the issue, most
browsers encountering common syntax mistakes, like reversed slashes or
incorrect case, convert them to their legitimate form. Here is an example of one
URL presented in different forms with syntax mistakes and encoding. Type them
into your browser and see for yourself.
•http://www.mcgraw-hill.com (normal representation)
•http:\\22.214.171.124 (IP address and wrong slashes)
%63%6F%6D (hexadecimal encoded)
NOTE It is not unusual to see a few characters of encoding in a legitimate URL. When
you see mostly character encoding, however, you should get suspicious.
Encoding can be used to obscure text and data used to create malicious
commands. Attackers employ all sorts of tricks to fool IDSs, including using tabs
instead of spaces, changing values from lowercase to uppercase, splitting data
commands into several different packets sent over a long period of time, hiding
parameters, prematurely ending requests, using excessively long URLs, and using
Data Normalization An IDS signature database has to consider all character
encoding schemes and tricks that can end up creating the same malicious pattern.
This task is usually accomplished by normalizing the data before inspection.
Normalization reassembles fragments into single whole packets, converts
encoded characters into plain ASCII text, fixes syntax mistakes, removes
extraneous characters, converts tabs to spaces, removes common hacker tricks,
and does its best to convert the data into its final intended form.
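An added example of such normalization (not part of the original chapter): the Python below canonicalizes a URL before signature matching, covering the tricks listed above (wrong slashes, case changes, single and double percent-encoding, dot-segment traversal, embedded NULs, tabs) and flags a URL that is mostly encoded, per the note above. The signature list and the 50 percent encoded-share threshold are assumptions for the demo.

```python
from urllib.parse import urlsplit, unquote

SIGNATURES = ("/etc/passwd", "cmd.exe")  # constructed signature list for the demo


def decode_fully(s, max_rounds=3):
    """Percent-decode until the string stops changing, with a bound so that
    nested encodings such as %2525... cannot keep the decoder busy."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def collapse_dot_segments(path):
    """Resolve '.' and '..' so that '/a/../b' and '/b' compare equal."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def normalize_url(raw):
    """Canonical form: forward slashes, decoded path, dot segments collapsed,
    embedded NULs removed, scheme and host lowercased. The path keeps its case;
    signature matching below is case-insensitive instead."""
    parts = urlsplit(raw.replace("\\", "/").replace("\t", " "))
    path = decode_fully(parts.path).replace("\\", "/").replace("\x00", "")
    host = (parts.hostname or "").lower()
    return f"{parts.scheme.lower()}://{host}{collapse_dot_segments(path)}"


def inspect_url(raw, encoded_share_threshold=0.5):
    """Return (canonical URL, findings): signature hits after normalization, plus a
    heuristic flag when most of the raw URL is percent-encoded."""
    canonical = normalize_url(raw)
    findings = [sig for sig in SIGNATURES if sig in canonical.lower()]
    encoded_share = raw.count("%") * 3 / max(len(raw), 1)
    if encoded_share > encoded_share_threshold:
        findings.append("suspicious: mostly percent-encoded URL")
    return canonical, findings


if __name__ == "__main__":
    for url in (
        "http://www.example.com/cgi-bin/../%65tc/passwd",
        r"HTTP:\\WWW.EXAMPLE.COM\scripts\..%255c..\cmd.exe",
        "http://www.example.com/%69%6e%64%65%78%2e%68%74%6d%6c",
    ):
        print(inspect_url(url))
```

Note the order of operations: decoding runs before dot-segment collapsing, because `..%2f` only becomes a traversal after decoding, and the decode loop is bounded so a signature engine cannot be stalled by a pathological input.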
Threats an IDS Cannot Detect
IDSs excel at catching known, definitive malicious attacks. Although some experts
will say that a properly defined IDS can catch any security threat, events
involving misuse prove the most difficult to detect and prevent. For example, if
an outside hacker uses social engineering tricks to get the CEO’s password, not
many IDSs will notice. If the webmaster accidentally posts a confidential
document to a public directory available to the world, the IDS won’t notice. If an
attacker uses the default password of an administrative account that should have
been changed right after the system was installed, few IDSs will notice. If a
hacker gets inside the network and copies confidential files, an IDS would have
trouble noticing it. That’s not to say you can’t use an IDS to detect each of the
preceding misuse events, but they are more difficult to detect than straight-out
attacks. The most effective way for an attacker to bypass the visibility of a
network IDS is to encrypt the traffic. For example, SSH or SSL/TLS encrypts the
application payload, so a NIDS sees only connection metadata, whereas IPsec
encrypts whole packets in transit.
IDS development as we know it today began in the early 1980s, but only started
growing in the PC marketplace in the late 1990s. First-generation IDSs focused
almost exclusively on the benefit of early warning resulting from accurate
detection. This continues to be a base requirement of an IDS, and vendors
frequently brag about their product’s accuracy. The practical reality is that while
most IDSs are considered fairly accurate, no IDS has ever been close to being
perfectly accurate. Although a plethora of antivirus scanners enjoy year-after-
year 95 to 99 percent accuracy rates, IDSs never get over 90 percent accuracy
against a wide spectrum of real-world attack traffic. Most are in the 80 percent
range. Some test results show 100 percent detection rates, but in every such
instance, the IDS was tuned after several previous, less accurate rounds of testing.
When an IDS misses a legitimate threat, it is called a false negative. Most IDSs are
plagued with even higher false positive rates, however. A false positive is when
the IDS alerts on a security threat, but the traffic is not malicious or was never
intended to be malicious (a benign condition). A common example is when an IDS
flags an e-mail as infected with a particular virus because it is looking for some
key text known to be in the message body of the e-mail virus (for example, the
phrase “cheap pharmaceuticals”). When an e-mail intended to warn readers
about the virus includes the keywords that the reader should be on the lookout
for, it can also create a false positive. The IDS should be flagging the e-mail as
infected only if it actually contains a virus, not just if it has the same message
Simply searching for text within the message body to detect malware is an
immature detection choice. Many security web services that send subscribers
early warning e-mails complain that nearly 10 percent of their e-mails are kicked
back by overly zealous IDSs. Many of those same services have taken to
misrepresenting the warning text purposely (by slightly changing the text, such
as “che4p_pharmaceut1cals”) in a desperate attempt to get past the subscribers’
poorly configured defenses. If the measure of IDS accuracy is the number of
logged security events against legitimate attacks, accuracy plummets on most IDS
products. This is the biggest problem facing IDSs, and solving it is considered the
holy grail for IDS vendors. If you plan to get involved with IDSs, proving out false
positives will be a big part of your life.
In an effort to decrease false positives, some IDSs are tuned to be less
sensitive and more specific. They will wait for a highly definitive attack within
a narrow set of parameters before they alert the administrator. Although they
deliver fewer false positives, they have a higher risk of missing a legitimate
attack (more false negatives). Other IDSs go the
other route and report on almost everything. Although they catch more of the
legitimate threats, those legitimate warnings are buried in the logs between tons
of false positives. If administrators are so overwhelmed with false positives that
they don’t want to read the logs, they can create a “human denial of service”
attack. Some attackers attempt to do just this by generating massive numbers of
false positives, hoping the one legitimate attack goes unnoticed.
Which is a better practice? Higher false positives or higher false negatives?
Most IDS products err on the side of reporting more events and requiring the
user to fine-tune the IDS to ignore frequent false positives. Fine-tuning an IDS
means configuring sensitivity up or down to where you, the administrator, are
comfortable with the number of false negatives and false positives. When you are
talking with vendors or reviewing IDS products, inquire about which detection
philosophy the IDS follows. If you don’t know ahead of time, you’ll know after
you turn it on.
The net effect of most IDSs being fairly accurate and none being highly accurate
has resulted in vendors and administrators using other IDS features for
differentiation. Here are some of those other features that may be more or less
useful in different circumstances:
•IDS type and detection model
•Logging and alerting
•Reporting and analysis
All of these are discussed in this chapter.
First-generation IDSs focused on accurate attack detection. Second-
generation IDSs do that and work to simplify the administrator’s life by offering a
bountiful array of back-end options. They offer intuitive end-user interfaces,
intrusion prevention, centralized device management, event correlation, and
data analysis. Second-generation IDSs do more than just detect attacks—they sort
them, prevent them, and attempt to add as much value as they can beyond mere
Experienced IDS administrators know that half of the success or failure of an
IDS is determined by time-consuming and complicated back-end configuration work.
Catching an attacker hacking in real-time is always exciting, as is snooping on the
snooper, so first-time implementers often spend most of their time learning about
and implementing detection patterns. In doing so, though, they often breeze
through or skip the reading on setting up the management features, configuring
the database, and printing reports. They turn on their IDS and are quickly
overwhelmed because they didn’t plan ahead.
TIP To increase your odds of a successful IDS deployment, remember this: For every
hour you spend looking at cool detection signatures, spend an hour planning and
configuring your logging, reporting, and analysis tools.
IDS Types and Detection Models
Depending on what assets you want to protect, an IDS can protect a host or a
network. All IDSs follow one of two intrusion detection models—anomaly (also
called profile, behavior, heuristic, or statistical) detection or signature (knowledge-
based) detection—although some systems use parts of both when it’s
advantageous. Both anomaly and signature detection work by monitoring a wide
population of events and triggering based on predefined behaviors.
Host-Based IDS (HIDS)
A host-based IDS (HIDS) is installed on the host it is intended to monitor. The host
can be a server, workstation, or any networked device (such as a printer, router,
or gateway). A HIDS installs as a service or daemon, or it modifies the underlying
operating system’s kernel or application to gain first inspection authority.
Although a HIDS may include the ability to sniff network traffic intended for the
monitored host, it excels at monitoring and reporting direct interactions at the
application layer. Application attacks can include memory modifications,
maliciously crafted application requests, buffer overflows, or file-modification
attempts. A HIDS can inspect each incoming command, looking for signs of
maliciousness, or simply track unauthorized file changes.
A file-integrity HIDS (sometimes called a snapshot or checksum HIDS) takes a
cryptographic hash of important files in a known clean state and then checks
them again later for comparison. If any changes are noted, the HIDS alerts the
administrator that there may be a change in integrity.
A behavior-monitoring HIDS performs real-time monitoring and intercepts
potentially malicious behavior. For instance, a Windows HIDS reports on
attempts to modify the registry, manipulate files, access the system, change
passwords, escalate privileges, and otherwise directly modify the host. On a Unix
host, a behavior-monitoring HIDS may monitor attempts to access system
binaries, attempts to download password files, and change permissions and
scheduled jobs. A behavior-monitoring HIDS on a web server may monitor
incoming requests and report maliciously crafted requests, cross-site
scripting attacks, or SQL injection code.
Real-Time or Snapshot?
Early warning and prevention are the greatest advantages of a real-time HIDS.
Because a real-time HIDS is always monitoring system and application calls, it
can stop potentially malicious events from happening in the first place. On the
downside, real-time monitoring takes up significant CPU cycles, which may not be
acceptable on a high-performance asset, like a popular web server or a large
database server. Real-time behavior-monitoring only screens previously defined
threats, and new attack vectors are devised several times a year, meaning that
real-time monitors must be updated, much like databases for an antivirus
scanner. In addition, if an intrusion successfully gets by the real-time behavior
blocker, the HIDS won’t be able to provide as much detailed information about
what happened thereafter as a snapshot HIDS would.
Snapshot HIDSs are reactive by nature. They can only report on maliciousness,
not stop it. A snapshot HIDS excels at forensic analysis. With one report, you can
capture all the changes between a known good state and the corrupted state. You
will not have to piece together several different progressing states to see all the
changes made since the baseline. Damage assessment is significantly easier than
with a real-time HIDS because a snapshot HIDS can tell you exactly what has
changed. You can use comparative reports to decide whether you have to rebuild
the host completely or whether a piecemeal restoration can be done safely. You
can also use the before and after snapshots as forensic evidence in an
Snapshot systems are useful outside the realm of computer security, too. You
can use a snapshot system for configuration and change management. A snapshot
can be valuable when you have to build many different systems with the same
configuration settings as a master copy. You can configure the additional systems
and use snapshot comparison to see if all configurations are identical. You can
also run snapshot reports later to see if anyone has made unauthorized changes
to a host. The obvious disadvantage of a snapshot HIDS is that alerting and
reporting is done after the fact. By then, the changes have already occurred, and
the damage is done.
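An added example (not from the original chapter) of the file-integrity HIDS described earlier and of the snapshot comparison discussed above: the Python below baselines a directory tree as SHA-256 hashes plus size and permission bits, seals the baseline with an HMAC so that an intruder cannot quietly edit it to hide changes, and reports added, removed, and modified files in one comparison. The file tree, its contents, and the key are constructed for the demo; in a real deployment the key and the sealed baseline are kept off the monitored host.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile

SEAL_KEY = b"constructed-demo-key; in production keep it off the monitored host"


def hash_file(path, chunk_size=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Baseline: relative path -> [sha256, size, permission bits] for every regular file."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            state[rel] = [hash_file(full), st.st_size, st.st_mode & 0o7777]
    return state


def seal(state, key):
    """HMAC the serialized baseline so tampering with the baseline itself is detected."""
    body = json.dumps(state, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"state": body, "tag": tag}


def verify(sealed, key):
    expected = hmac.new(key, sealed["state"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def unseal(sealed, key):
    if not verify(sealed, key):
        raise ValueError("baseline integrity check failed")
    return json.loads(sealed["state"])


def compare(baseline, current):
    """One report covering every difference between the two states."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed file tree, baseline it, tamper with it, and return the diff."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ELF original binary")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")
        sealed = seal(snapshot(root), SEAL_KEY)
        # Simulated intrusion: trojaned binary, hidden new file, deleted file.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"ELF trojaned binary")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"backdoor")
        os.remove(os.path.join(root, "passwd"))
        return compare(unseal(sealed, SEAL_KEY), snapshot(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing content rather than trusting timestamps matters because an intruder can reset mtime; sealing the baseline matters because the first thing a rootkit does on a host with a known integrity checker is edit its database.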
Network-Based IDS (NIDS)
Network-based IDSs (NIDSs) are the most popular IDSs, and they work by
capturing and analyzing network packets speeding by on the wire. Unlike a HIDS,
a NIDS is designed to protect more than one host. It can protect a group of
computer hosts, like a server farm, or monitor an entire network. Captured
traffic is compared against protocol specifications and normal traffic trends or
the packet’s payload data is examined for malicious content. If a security threat is
noted, the event is logged and an alert is generated.
With a HIDS, you install the software on the host you want monitored and the
software does all the work. Because a NIDS works by examining network packet
traffic, including traffic not intended for the NIDS host on the network, it has a
few extra deployment considerations. It is common for brand-new NIDS users to
spend hours wondering why their IDS isn’t generating any alerts. Sometimes it’s
because there is no threat traffic to alert on, and other times it’s because the NIDS
isn’t set up to capture packets headed to other hosts. A sure sign that the network
layer of your NIDS is misconfigured is that it only picks up broadcast traffic and
traffic headed for it specifically. Traffic doesn’t start showing up at the NIDS
simply because it was turned on. You must configure your NIDS and the network
so the traffic you want to examine is physically passed to the NIDS. NIDSs must
have promiscuous network cards with packet-level drivers, and they must be
installed on each monitored network segment. Network taps (dedicated appliances
that physically copy the traffic on a link) and switch port mirroring, known on
Cisco switches as Switched Port Analyzer (SPAN), are the two most common methods
for setting up monitoring on a
Network packets are captured using a packet-level software driver bound to a
network interface card. Many Unix and Windows systems do not have native
packet-level drivers built in, so IDS implementations commonly rely on open
source packet-level drivers (libpcap on Unix-like systems, WinPcap or its
successor Npcap on Windows). Most commercial IDSs ship their own packet-level
drivers and packet-sniffing software.
For a NIDS to sniff packets, the packets have to be given to the packet-level driver
by the network interface card. By default, most network cards are
not promiscuous, meaning they only read packets off the wire that are intended
for them. This typically includes unicast packets, meant solely for one particular
workstation, broadcast packets, meant for every computer that can listen to them,
and multicast traffic, meant for two or more previously defined hosts. Most
networks contain unicast and broadcast traffic. Multicast traffic isn’t as common,
but it is gaining in popularity for web-streaming applications. By default, a
network card in normal mode drops traffic destined for other computers and
packets with transmission anomalies (resulting from collisions, bad cabling, and
so on). If you are going to set up an IDS, make sure its network interface card has
a promiscuous mode and is able to inspect all traffic passing by on the wire.
Sensors for Network Segments
For the purposes of this chapter, a network segment can be defined as a single
logical packet domain. For a NIDS, this definition means that all network traffic
heading to and from all computers on the same network segment can be
You should have at least one NIDS inspection device per network segment to
monitor a network effectively. This device can be a fully operational IDS interface
or, more commonly, a router or switch interface to which all network traffic is
copied, known as a span port, or a traffic repeater device, known as
a sensor or tap. One port plugs into the middle of a connection on the network
segment to be monitored, and the other plugs into a cable leading to the central
NOTE Like a tap, a span port does not readily reveal itself to attackers who might
otherwise note the IDS’s presence.
Routers are the edge points of network segments, and you must place at least
one sensor on each segment you wish to monitor. Most of today's networks
contain switch devices. Apart from broadcast, multicast, and unknown-destination
frames, which are flooded to every port, a switch forwards each frame only to
the port where its destination address was learned. On a switched network, an
IDS will therefore not see its neighbors' unicast traffic. Many switches support port
mirroring, also called port spanning or traffic redirection. Port mirroring is
accomplished by instructing the switch to copy all traffic to and from a specific
port to another port where the IDS sits.
Anomaly-Detection (AD) Model
Anomaly detection (AD) was proposed in 1985 by security researcher Dr. Dorothy
E. Denning, and it works by establishing accepted baselines and noting
exceptional differences. Baselines can be established for a particular computer
host or for a particular network segment. Some IDS vendors refer to AD systems
as behavior-based since they look for deviating behaviors. If an IDS looks only at
network packet headers for differences, it is called protocol anomaly detection.
Several IDSs have anomaly-based detection engines. Several massively
distributed AD systems monitor the overall health of the Internet, and a handful
of high-risk Internet threats have been minimized over the last few years because
unusual activity was noticed by a large number of correlated AD systems.
The goal of AD is to be able to detect a wide range of malicious intrusions,
including those for which no previous detection signature exists. By learning
known good behaviors during a period of “profiling,” in which an AD system
identifies and stores all the normal activities that occur on a system or network, it
can alert to everything else that doesn’t fit the normal profile. Anomaly detection
is statistical in nature and works on the concept of measuring the number of
events happening in a given time interval for a monitored metric. A simple
example is someone logging in with the incorrect password too many times,
causing an account to be locked out and generating a message to the security log.
Anomaly detection IDS expands the same concept to cover network traffic
patterns, application events, and system utilization. Here are some other events
AD systems can monitor and trigger alerts from:
•Unusual user account activity
•Excessive file and object access
•High CPU utilization
•Inappropriate protocol use
•Unusual workstation login location
•Unusual login frequency
•High number of concurrent logins
•High number of sessions
•Any code manipulation
•Unexpected privileged use or escalation attempts
An accepted baseline may be that network utilization on a particular segment
never rises above 20 percent and routinely only includes HTTP, FTP, and SMTP
traffic. An AD baseline might be that there are no unicast packets between
workstations and only unicasts between servers and workstations. If a DoS attack
pegs the network utilization above 20 percent for an extended period of time, or
someone tries to telnet to a server on a monitored segment, the IDS would create
a security event. Excessive repetition of identical characters in an HTTP response
might be indicative of a buffer overflow attempt.
When an AD system is installed, it monitors the host or network and creates a
monitoring policy based on the learned baseline. The IDS or installer chooses
which events to measure and how long the AD system should measure to
determine a baseline. The installer must make sure that nothing unusual is
happening during the sampling period that might skew the baseline.
Anomalies are empirically measured as a statistically significant change from
the baseline norm. The difference can be measured as a number, a percentage, or
as a number of standard deviations. In some cases, like the access of an unused
system file or the use of an inactive account, one instance is enough to trigger the
AD system. For normal events with ongoing activity, a value two or more standard
deviations from the baseline measurement creates an alert.
AD systems are great at detecting a sudden high value for some metric. For
example, when the SQL Slammer worm ate up all available CPU cycles and
bandwidth on affected servers and networks within seconds of infection, you can
bet AD systems went off. They did not need to wait until an antivirus vendor
released an updated signature. As another example, if your AD system defines a
buffer overflow as any traffic with over a thousand repeating characters, it will
catch any buffer overflow, known or unknown, that exceeds that definition. It
doesn’t need to know the character used or how the buffer overflow works. If
your AD system knows your network usually experiences ten FTP sessions in a
day, and suddenly it experiences a thousand, it will likely catch the suspicious
Because AD systems base their detection on deviation from what’s normal, they
tend to work well in static environments, such as on servers that do the same
thing day in and day out, or on networks where traffic patterns are consistent
throughout the day. On more dynamic systems and networks that, therefore,
have a wider range of normal behaviors, false positives can occur when the AD
triggers on something that wasn’t captured during the profiling period.
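An added example (not part of the original chapter) of the statistical baseline described above: each metric is profiled from samples taken during a clean period, later observations are scored in standard deviations from that baseline (alerting at two, as the text suggests), a leave-one-out check warns when the profiling samples themselves contain an outlier that would skew the baseline, and a single-instance rule covers the dormant-account case. The profiling counts and the account list are constructed data.

```python
import statistics


class MetricBaseline:
    """Profile one metric (for example, FTP sessions per hour) from samples taken during
    a known-clean period; later values are scored by distance from the baseline."""

    def __init__(self, name, samples, threshold_sd=2.0):
        if len(samples) < 2:
            raise ValueError("need at least two profiling samples")
        self.name = name
        self.mean = statistics.fmean(samples)
        self.stdev = statistics.pstdev(samples)
        self.threshold_sd = threshold_sd

    def score(self, value):
        """Distance from the mean in standard deviations (z-score)."""
        if self.stdev == 0:
            return 0.0 if value == self.mean else float("inf")
        return abs(value - self.mean) / self.stdev

    def check(self, value):
        z = self.score(value)
        if z > self.threshold_sd:
            return (f"{self.name}: observed {value}, baseline {self.mean:.1f} "
                    f"(+/- {self.stdev:.2f}), {z:.1f} standard deviations away")
        return None


def profiling_warnings(samples):
    """Leave-one-out check to run before a baseline is accepted: a sample more than
    three standard deviations from the rest means something unusual happened during
    profiling and would skew the baseline."""
    warnings = []
    for i, x in enumerate(samples):
        rest = samples[:i] + samples[i + 1:]
        mean, sd = statistics.fmean(rest), statistics.pstdev(rest)
        if sd and abs(x - mean) / sd > 3:
            warnings.append(f"sample {i} = {x} is an outlier against the other samples")
    return warnings


# Single-instance rules: one event is enough, no statistics needed.
DORMANT_ACCOUNTS = {"svc_backup_old"}  # constructed list


def check_login(user, host):
    if user in DORMANT_ACCOUNTS:
        return f"login to dormant account {user} from {host}"
    return None


def detect(baselines, observations):
    """Run a batch of (metric, value) observations against their baselines."""
    alerts = []
    for metric, value in observations:
        alert = baselines[metric].check(value)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed profiling data: hourly counts from a quiet week.
PROFILE = {
    "ftp_sessions_per_hour": [9, 11, 10, 12, 8, 10, 11, 9],
    "segment_utilization_pct": [12, 15, 14, 13, 16, 14],
}
BASELINES = {name: MetricBaseline(name, samples) for name, samples in PROFILE.items()}

if __name__ == "__main__":
    print(profiling_warnings(PROFILE["ftp_sessions_per_hour"] + [200]))
    print(detect(BASELINES, [("ftp_sessions_per_hour", 1000), ("segment_utilization_pct", 45)]))
    print(check_login("svc_backup_old", "10.0.0.7"))
```

With the constructed FTP profile (mean 10, standard deviation about 1.22), twelve sessions in an hour scores 1.6 and stays quiet while thirteen scores 2.4 and alerts; that sensitivity is exactly why a baseline learned on a dynamic network needs a wider threshold or a longer profiling window.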
Signature-Detection Model
Signature-detection (also called misuse-detection) IDSs are the most popular type of
IDS, and they work by using databases of known bad behaviors and patterns. This is
nearly the exact opposite of AD systems. When you think of a signature-detection IDS, think
of it as an antivirus scanner for network traffic. Signature-detection engines can
query any portion of a network packet or look for a specific series of data bytes.
The defined patterns of code are called signatures, and often they are included as
part of a governing rule when used within an IDS.
Signatures are byte sequences that are unique to a particular malady. A byte
signature may contain a sample of virus code, the byte pattern of a known buffer
overflow payload, or text that indicates the attacker is looking
for the presence of a particular file in a particular directory. For performance
reasons, the signature must be crafted so it is the shortest possible sequence of
bytes needed to detect its related threat reliably. It must be highly accurate in
detecting the threat and not cause false positives. Signatures and rules can be
collected together into larger sets called signature databases or rule sets.
Rules are the heart of any signature-detection engine. A rule usually contains the
following information as a bare minimum:
•Unique signature byte sequence
•Protocol to examine (such as TCP, UDP, ICMP)
•IP port requested
•IP addresses to inspect (destination and source)
•Action to take if a threat is detected (such as allow, deny, alert, log, disconnect)
Most IDSs come with hundreds of predefined signatures and rules. They are
either all turned on automatically or you can pick and choose. Each activated rule
or signature adds processing time for analyzing each event. If you were to turn
on every rule and inspection option of a signature-detection IDS, you would likely
find it couldn’t keep up with traffic inspection. Administrators should activate the
rules and options with an acceptable cost/benefit tradeoff.
Most IDSs also allow you to make custom rules and signatures, which is
essential for responding immediately to new threats or for fine-tuning an IDS.
Here are some hints when creating rules and signatures:
•Byte signatures should be as short as possible, but reliable, and they should not
cause false positives.
•Similar rules should be near each other. Organizing your rules speeds up future
•Some IDSs and firewalls require rules that block traffic to appear before rules
that allow traffic. Check with your vendor to see if rule placement matters.
•Create wide-sweeping rules that do the quickest filtering first. For example, if a
network packet has a protocol anomaly, it should cause an alert event without
the packet ever getting to the more processor-intensive content scanning.
•To minimize false positives, rules should be as specific as possible, including
information that specifically narrows down the population of acceptable packets
to be inspected.
Some threats, like polymorphic viruses or multiple-vector worms, require
multiple signatures to identify the same threat. For instance, many computer
worms arrive as infected executables, spread over internal drive shares, send
themselves out with their own SMTP engines, drop other Trojans and viruses, and
use Internet chat channels to spread. Each attack vector would require a different
Advantages of Signature Detection
Signature-detection IDSs are proficient at recognizing known threats. Once a
good signature is created, signature detection IDSs are great at finding patterns,
and because they are popular, a signature to catch a new popular attack usually
exists within hours of it first being reported. This applies to most open source and
Another advantage of a signature-detection IDS is that it will specifically
identify the threat, whereas an AD engine can only point out a generality. An AD
IDS might alert you that a new TCP port opened on your file server, but a
signature-detection IDS will tell you what exploit was used. Because a signature-
detection engine can better identify specific threats, it has a better chance at
providing the correct countermeasure for intrusion prevention.
Disadvantages of Signature Detection
Although signature-detection IDS are the most popular type of IDS, they have
several disadvantages as compared to an AD IDS.
Cannot Recognize Unknown Attacks Just like antivirus scanners, signature-
detection IDSs are not able to recognize previously unknown attacks. Attackers
can change one byte in the malware program (creating a variant) to invalidate an
entire signature. Hundreds of new malware threats are created every year, and
signature-based IDSs are always playing catch up. To be fair, there hasn’t been a
significant threat in the last few years that didn’t have a signature identified by
the next day, but your exposure is increased in the so-called zero-hour.
Performance Suffers as Signatures or Rules Grow Because each network
packet or event is compared against the signature database, or at least a subset of
the signature database, performance suffers as rules increase. Most IDS
administrators using signature detection usually end up only using the most
common signatures and not the less common rules. The more helpful vendors
rank the different rules with threat risks so the administrator can make an
informed risk tradeoff decision. Although this is an efficient use of processing
cycles, it does decrease detection reliability.
Some vendors are responding by including generic signatures that detect more
than one event. To do so, their detection engines support wildcards to represent a
series of bytes, like this:
Virus A has a signature of 14 90 90 90 56 76 56 64 64
Virus B has a signature of 14 80 90 90 56 76 56 13 10
A wildcard signature for viruses A and B is 14 ? 90 90 56 76 56 * *
Of course, the use of wildcard signatures increases the chance of false
positives. Antivirus vendors faced a similar dilemma last decade and called
viruses generic boot sector or generic file infectors. Some vendors went so far
that they rarely identified any threat by its specific name. Security administrators
were not happy with the results, and vendors had to return to using signatures
that are more specific.
Because a signature is a small, unique series of bytes, all a threat coder has to
do is change one byte that is identified in the signature to make the threat
undetectable. Threats with small changes like these are called variants. Luckily,
most variants share some common portion of code that is still unique to the
whole class of threats, so that one appropriate signature, or the use of wildcards,
can identify the whole family.
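The wildcard matching and the variant problem just described, as an added example that is not the book's code: the two virus signatures are the chapter's, the variant and benign byte strings are constructed, and the wildcard semantics ("?" is exactly one byte, "*" is zero or more bytes) are an assumption, since the text does not fix them.

```python
"""Wildcard byte-signature matching in the style of a generic IDS/antivirus rule.

Added example, not from the book. Assumed wildcard semantics: '?' matches exactly
one byte, '*' matches zero or more bytes. Sample byte strings are constructed.
"""
from typing import List, Union

Token = Union[int, str]   # an exact byte value, or the wildcard '?' / '*'

SIG_A = "14 90 90 90 56 76 56 64 64"       # virus A, from the text
SIG_B = "14 80 90 90 56 76 56 13 10"       # virus B, from the text
SIG_WILD = "14 ? 90 90 56 76 56 * *"       # generic signature covering both


def parse_signature(text: str) -> List[Token]:
    """Turn '14 ? 90 ...' into a token list; hex pairs become ints, wildcards stay strings."""
    return [part if part in ("?", "*") else int(part, 16) for part in text.split()]


def _match_at(tokens: List[Token], data: bytes, ti: int, di: int) -> bool:
    """Match tokens[ti:] against data[di:]; '*' is tried with every possible length."""
    if ti == len(tokens):
        return True                       # every token consumed
    tok = tokens[ti]
    if tok == "*":
        return any(_match_at(tokens, data, ti + 1, skip)
                   for skip in range(di, len(data) + 1))
    if di >= len(data):
        return False                      # data exhausted before the signature
    if tok == "?" or tok == data[di]:
        return _match_at(tokens, data, ti + 1, di + 1)
    return False


def signature_matches(signature: str, sample: bytes) -> bool:
    """True if the signature occurs at any offset in the sample."""
    tokens = parse_signature(signature)
    return any(_match_at(tokens, sample, 0, start) for start in range(len(sample) + 1))


def classify(sample: bytes) -> List[str]:
    """Names of all signatures that fire on the sample."""
    sigs = {"virus-A": SIG_A, "virus-B": SIG_B, "generic-AB": SIG_WILD}
    return [name for name, sig in sigs.items() if signature_matches(sig, sample)]


# Constructed samples: the two originals, a one-byte variant of A, and a benign
# string that shares the fixed prefix (the false-positive case the text warns about).
VIRUS_A = bytes.fromhex("14 90 90 90 56 76 56 64 64")
VIRUS_B = bytes.fromhex("14 80 90 90 56 76 56 13 10")
VARIANT_A = bytes.fromhex("14 90 90 90 56 76 56 65 64")   # one byte changed: specific sig misses
BENIGN = bytes.fromhex("00 14 11 90 90 56 76 56")          # matches only the wildcard rule
```

The variant escapes the specific signature but not the generic one, while the benign string shows the cost: the trailing wildcards reduce the rule to a seven-byte prefix, which is why wildcard signatures raise the false-positive rate.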
What Type of IDS Should You Use?
There are dozens of IDSs to choose from. The first thing you need to do is survey
the computer assets you want to protect and identify the most valuable computer
assets that should get a higher level of security assurance. These devices are
usually the easiest ones to use when making an ROI case to management. New
IDS administrators should start small, learn, fine-tune, and then grow. Don’t try
to boil the ocean. A HIDS should be used when you want to protect a specific
valuable host asset. A NIDS should be used for general network awareness and as
an early warning detector across multiple hosts.
You need to pick an IDS that supports your network topology, operating
system platforms, budget, and experience. If you have a significant amount of
wireless traffic exposed in public areas, consider investing in a wireless IPS. If
you have high-speed links that you need to monitor, make sure your IDS has been
rated and tested at the same traffic levels.
Should your IDS be based on anomaly or signature detection? When possible,
use a product that does both. The best IDSs utilize all techniques, combining the
strengths of each type to provide a greater defense strategy.
As discussed earlier in the chapter, IDSs are more than detection engines.
Detection is their main purpose, but if you can’t configure the system or get the
appropriate information out of the IDS, it won’t be much help. This section
discusses the end-user interface, IDS management, intrusion prevention,
performance, logging and alerting, and reporting and data analysis.
IDS End-User Interfaces
IDS end-user interfaces let you configure the product and see ongoing detection
activities. You should be able to configure operational parameters, rules, alert
events, actions, log files, and update mechanisms. IDS interfaces come in two
flavors: syntactically difficult command prompts or less-functional GUIs.
Historically, IDSs are command-line beasts with user-configurable text files.
Command-line consoles are available on the host computer or can be obtained by
a Telnet session or proprietary administrative software. The configuration files
control the operation of the IDS detection engine, define and hold the detection
rules, and contain the log files and alerts. You configure the files, save them, and
then run the IDS. If any runtime errors appear, you have to reconfigure and
rerun. A few of the command-line IDS programs have spawned GUI consoles that
hide the command-line complexities.
NOTE A frequent complaint of new GUI IDS users is that once the IDS is turned on,
“nothing happens!” This is because the IDS is not detecting any defined threats,
not placed appropriately in the network topology to be able to sniff traffic, or not
configured to display events to the screen (because doing so wastes valuable CPU
Although text-based user interfaces may be fast and configurable, they aren’t
loved by the masses. Hence, more and more IDSs are coming with user-friendly
GUIs that make installation a breeze and configuration a matter of point-and-
click. With few exceptions, the GUIs tend to be less customizable than their text-
based cousins and, if connected to the detection engine in real time, can cause
slowness. Many of the GUI consoles present a pretty picture to the end-user but
end up writing settings to text files, so you get the benefits of both worlds.
Intrusion-Prevention Systems (IPS)
Since the beginning, IDS developers have wanted the IDS to do more than just
monitor and report maliciousness. What good is a device that only tells you
you’ve been maligned when the real value is in preventing the intrusion? That’s
like a car alarm telling you that your car has been stolen, after the fact. Like
intrusion detection, intrusion prevention has long been practiced by network
administrators as a daily part of their routine. Setting access controls, requiring
passwords, enabling real-time antivirus scanning, updating patches, and
installing perimeter firewalls are all examples of common intrusion-prevention
controls. Intrusion-prevention controls, as they apply to IDSs, involve real-time
countermeasures taken against a specific, active threat. For example, the IDS
might notice a ping flood and deny all future traffic originating from the same IP
address. Alternatively, a host-based IDS might stop a malicious program from
modifying system files.
Going far beyond mere monitoring and alerting, second-generation IDSs are
being called intrusion-prevention systems (IPSs). They either stop the attack or
interact with an external system to put down the threat.
If the IPS, as shown in Figure 18-1, is a mandatory inspection point with the
ability to filter real-time traffic, it is considered inline. Inline IPSs can drop
packets, reset connections, and route suspicious traffic to quarantined areas for
inspection. If the IPS isn’t inline and is only inspecting the traffic, it still can
instruct other network perimeter systems to stop an exploit. It may do this by
sending scripted commands to a firewall, instructing it to deny all traffic from the
remote attacker’s IP address, calling a virus scanner to clean a malicious file, or
simply telling the monitored host to deny the hacker’s intended modification.
Figure 18-1 IDS placed to drop malicious packets before they can enter the network
For an IPS to cooperate with an external device, they must share a common
scripting language, API, or some other communicating mechanism. Another
common IPS method is for the IDS device to send reset (RST) packets to both sides
of the connection, forcing both source and destination hosts to drop the
communication. This method isn’t seen as being very accurate, because often the
successful exploit has happened by the time a forced reset has occurred, and the
sensors themselves can get in the way and drop the RST packets.
A well-known consequence of IPSs is their ability to exacerbate the effects of a
false positive. With an IDS, a false positive leads to wasted log space and time, as
the administrator researches the threat’s legitimacy. IPSs are proactive, and a
false positive means a legitimate service or host is being denied. Malicious
attackers have even used prevention countermeasures as a DoS attack.
Is It a Firewall or an IPS?
With the growing importance of intrusion prevention, most firewalls are
beginning to look a lot like IPSs, and IPSs can look a lot like firewalls. Although
there is no hard and fast rule, one way of distinguishing the two is that if the
device inspects payload content to make its decision or identifies the exploit by
name, it’s an IPS. Historically, firewalls make decisions by IP address and port
number (both source and destination) at layers three and four. IPSs can do that,
but they can also identify the particular exploit if there is a previously defined
pattern within layer 5 through layer 7.
An IPS can compile several different connection attempts, recognize that they
were part of one port-scan event, and perhaps even identify the port-scanning
tool that was used. A firewall would report each separate connection attempt as a
separate event. IPSs have more expert knowledge and can identify exploits by
Central to the IDS field are the definitions of management console and agent. An
IDS agent (which can be a probe, sensor, or tap) is the software process or device
that does the actual data collection and inspection. If you plan to monitor more
than two network segments, you can separately manage multiple sensors by
connecting them to a central management console. This allows you to concentrate
your IDS expertise at one location.
IDS management consoles usually fulfill two central roles: configuration and
reporting. If you have multiple agents, a central console can configure and
update multiple distributed agents at once. For example, if you discover a new
type of attack, you can use the central console to update the attack definitions for
all sensors at the same time. A central console also aids in determining agent
status—active and online or otherwise.
NOTE If the management console and sensors run on different machines, traffic
between the two should be protected. This is often accomplished using SSL or a
proprietary vendor method.
In environments with more than one IDS agent, reporting captured events to a
central console is crucial. This is known as event aggregation. If the central
console attempts to organize seemingly distinct multiple events into a smaller
subset of related attacks, it is known as event correlation. For example, if a
remote intruder port-scans five different hosts, each running its own sensor, a
central console can combine the events into one larger event. To aid in this type
of correlation analysis, most consoles allow you to sort events by
• Destination IP address
• Source IP address
• Type of attack
• Type of protocol
• Time of attack
You can also customize the policy that determines whether two separate
events are related. For example, you can tell the console to link all IP
fragmentation attacks in the last five minutes into one event, no matter how
many source IP addresses were involved. Agents are configured to report events
to the central console, and then the console handles the job of alerting system
administrators. This centralization of duties helps with setting useful alert
thresholds and specifying who should be alerted. Changes to the alert notification
list can be made on one computer instead of on numerous distributed agents.
A management console can also play the role of expert analyzer. A lightweight
IDS performs the role of agent and analyzer on one machine. In larger
environments with many distributed probes, agents collect data and send it to the
central console without determining whether the monitored event was malicious
or not. The central console manages the database, warehousing all the collected
event data. As shown in Figure 18-2, the database may be maintained on a
separate computer connected with a fast link.
Figure 18-2 Example of a distributed IDS topology
Of course, having a central management console means having a single point
of failure. If the management console goes down, alerts will not be passed on, and
malicious traffic may not be recorded. Despite this risk, however, if you have
more than one sensor, a management console is a necessity. Moreover, if a
central console is helpful for managing multiple IDS sensors, it can also be
helpful for managing information from even more computer security devices.
IDS Logging and Alerting
When security events are detected by an IDS, they generate alerts and log files.
Alerts are high-priority events communicated to administrators in real time. The
IDS’s policy determines what security threats are considered high risk, and the
priority level is set accordingly. Typically, you would not want an IDS
administrator to respond as quickly to a NetBIOS scan against your appropriately
firewalled network as you would to a successful DoS attack against your
company’s primary web server. When an event is considered high risk against a
valuable asset, it should be communicated immediately.
Carefully contemplate what method should be used for communication. For
example, most IDS alerts are sent via e-mail. In the case of a fast-spreading e-mail
worm, the e-mail system will be severely taxed, and finding an alert message
among thousands of other messages might be daunting. In fact, the alert may not
even be delivered at all. SMS (text) messages can be a viable alternative, if they
are delivered over a different path. In any case, it’s a good idea to make sure
alerts can get to you in more than one way.
Alerts should be quick and to the point; however, they need to contain enough
information for the incident responder to track down the event. They should
describe location, event, information about the source of the event and priority,
and they should fit on a small display, like these two examples:
More advanced IDS systems allow you to combine identical alerts occurring in
a given time period as the same event. Although this might not seem important as
you read this book, it becomes important to the administrator at 3 a.m. when one
port scan turns into over a thousand different alerts in under a minute.
Correlation thresholds allow a security administrator to be appropriately alerted
for an event without feeling like the whole network is under siege.
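The console-side correlation policy described earlier (a port scan seen by five host sensors merged into one event, all fragmentation attacks in five minutes linked regardless of source) and the alert combining described here, as one added example that is not the book's code. All events are constructed; a policy is expressed as the fields that must match plus a time window.

```python
"""Event aggregation and correlation for a central IDS management console.

Added example, not from the book. Events below are constructed samples; a
correlation policy is a tuple of key fields plus a time window.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Sequence, Set, Tuple


@dataclass
class Event:
    ts: datetime
    sensor: str      # agent that reported the event
    src: str
    dst: str
    attack: str


@dataclass
class CorrelatedEvent:
    key: Tuple[str, ...]
    first: datetime
    last: datetime
    count: int = 0
    sources: Set[str] = field(default_factory=set)
    targets: Set[str] = field(default_factory=set)
    sensors: Set[str] = field(default_factory=set)


def correlate(events: Sequence[Event], key_fields: Sequence[str],
              window: timedelta) -> List[CorrelatedEvent]:
    """Merge events that agree on key_fields and fall within `window` of the group's first event."""
    open_groups: Dict[Tuple[str, ...], CorrelatedEvent] = {}
    closed: List[CorrelatedEvent] = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = tuple(getattr(ev, f) for f in key_fields)
        group = open_groups.get(key)
        if group is not None and ev.ts - group.first > window:
            closed.append(group)          # window expired: close it and start a fresh one
            group = None
        if group is None:
            group = CorrelatedEvent(key=key, first=ev.ts, last=ev.ts)
            open_groups[key] = group
        group.last = ev.ts
        group.count += 1
        group.sources.add(ev.src)
        group.targets.add(ev.dst)
        group.sensors.add(ev.sensor)
    return closed + list(open_groups.values())


def alert_text(group: CorrelatedEvent) -> str:
    """One short alert for a whole group, sized for a pager or phone display."""
    span = f"{group.first:%H:%M:%S}-{group.last:%H:%M:%S}Z"
    return (f"{group.key[0]}: {group.count} events from {len(group.sources)} src "
            f"against {len(group.targets)} hosts via {', '.join(sorted(group.sensors))} {span}")


# Constructed sample: one remote host port-scanning five servers (each with its own
# host sensor), three fragmentation attacks from different sources within five
# minutes, and a fourth fragmentation attack well outside that window.
T0 = datetime(2022, 6, 21, 3, 0, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    *[Event(T0 + timedelta(seconds=i), f"hids-{i}", "203.0.113.5", f"10.0.0.{i}", "port-scan")
      for i in range(1, 6)],
    Event(T0 + timedelta(minutes=1), "nids-dmz", "198.51.100.2", "10.0.0.1", "ip-fragmentation"),
    Event(T0 + timedelta(minutes=2), "nids-dmz", "198.51.100.3", "10.0.0.1", "ip-fragmentation"),
    Event(T0 + timedelta(minutes=3), "nids-dmz", "198.51.100.4", "10.0.0.2", "ip-fragmentation"),
    Event(T0 + timedelta(minutes=12), "nids-dmz", "198.51.100.9", "10.0.0.2", "ip-fragmentation"),
]
```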
IDS log files record all detected events regardless of priority and, after its
detection engine, have the greatest influence on the speed and use of an IDS. IDS
logs are used for data analysis and reporting. They can include just a barebones
summary of events or a complete network packet decode. Although complete
network traces are preferable for forensics, they can quickly take up a lot of hard
drive space. A small network can generate hundreds of events a minute, and a
mid-sized network can generate tens of thousands. If you plan to store multiple
days’ worth of logs with full packet decoding, make sure your IDS’s hard drive is
Regardless of the log format an IDS uses, all log files must be rotated out
frequently in order to maintain performance and to prevent lockups.
Unfortunately, when you rotate a log file out, it complicates threat analysis,
because you will have to merge multiple files to cover a greater time period.
At a minimum, a log file should record the event location, timestamp (date and
time to the hundredth of a second, which is typically provided by your internal
NTP server), description of the action attempted, criticality, and IDS response, if
any. If the event was recorded using network packets, then the following
additional information should be noted: source and destination IP addresses,
protocol, and port number. The log should provide a short description of the
attack and give links to the vendor or other vulnerability web sites for a more
NOTE Reporting event timestamps in Coordinated Universal Time (UTC), also known
as Greenwich Mean Time (GMT) or Zulu time, will simplify your task when
reporting events to external authorities in different time zones. UTC is the
worldwide standard for time reporting based on the “0” longitude meridian. All
other time zones are based on adding or subtracting from UTC.
Most vulnerability databases describe the security event as if it can only be a
malicious attack, when, in fact, this is often not true. IDS vendor databases should
also list reasons why the reported event may be a false positive. For example, if
the IDS reports an IP spoof event, it’s helpful to read that IP spoofs can be created
by poorly configured, but legitimate, VPN links. If you keep receiving port-
scanning alerts that you trace to your ISP’s DNS servers, learning that it is a
normal behavior for them as they attempt to respond to misconfigured client
workstations is helpful.
IDS Deployment Considerations
IDSs are beneficial tools, but they have weaknesses. They need to be fine-tuned if
you want to maximize their usefulness, and if you intend to deploy one, you’ll
need to come up with a deployment plan to do so successfully. Creating this
usually represents a substantial amount of work. This section summarizes these
Fine-tuning an IDS means doing three things: increasing inspection speed,
decreasing false positives, and using efficient logging and alerting.
Increasing Inspection Speed
Most IDS administrators start off monitoring all packets and capturing full packet
decodes. You can narrow down what packets an IDS inspects by telling it to
include or ignore packets based on source and destination addresses. For
example, if you are most concerned with protecting your servers, modify the
IDS’s packet inspection engine so it only captures packets with server destination
addresses. Another common packet filter is a rule that excludes broadcast
packets between routers. Routers are always busy chatting and broadcasting to
learn routes and reconstruct routing tables, but if you aren’t worried about
internal ARP poisoning, don’t capture ARP packets. The more packets the IDS can
safely ignore, the faster it will be.
Another strategy is to let other faster perimeter devices do the filtering.
Routers and firewalls are usually faster than IDSs, so, when possible, configure
the packet filters of your routers and firewalls to deny traffic that should not be
on your network in the first place. For example, tell your router to deny IP
address spoofs, and tell your firewall to drop all NetBIOS traffic originating from
the Internet. The more traffic that you can block with the faster device, the higher
performing your IDS will be. That’s the way it should be—each security device
should be configured to excel at what it does best, at the layer from which it does
Decreasing False Positives
Because IDSs have so many false positives, the number one job of any IDS
administrator is to track down and troubleshoot false positives. In most instances,
false positives will outweigh all other events. Track them all down, rule out
maliciousness, and then appropriately modify the source or IDS to prevent them.
Often the source of the false positive is a misbehaving program or a chatty router.
If you can’t stop the source of the false positive, modify the IDS so it will not track
the event. The key is that you want your logs to be as accurate as they can be, and
they should only alert you to events that need human intervention. Don’t get into
the habit of ignoring the frequently occurring false positives in your logs as a way
of doing business. This will quickly lead to your missing the real events buried
inside all the false positives—or to the logs not being read at all.
Using Efficient Logging and Alerting
Most vendor products come with their own preset levels of event criticalities, but
when setting up the IDS, take the time to customize the criticalities for your
environment. For instance, if you don’t have any Apache web servers, set Apache
exploit notices with a low level of prioritization. Better yet, don’t track or log
them at all.
IPS Deployment Plan
So you want to deploy your first IPS. You’ve mapped your network, surveyed
your needs, decided what to protect, and picked an IPS solution. Here are the
steps to a successful IPS deployment:
1. Document your environment’s security policy.
2. Define human roles.
3. Decide the physical location of the IPS and sensors.
4. Configure the IPS sensors and management console to support your security
5. Plan and configure device management (including the update policy).
6. Review and customize your detection mechanisms.
7. Plan and configure any prevention mechanisms.
8. Plan and configure your logging, alerting, and reporting.
9. Deploy the sensors and console (do not encrypt communication between sensors
and links to lessen troubleshooting).
10. Test the deployment using IPS testing tools (initially use very broad rules to make
sure the sensors are working).
11. Encrypt communications between the sensors and console.
12. Test the IPS setup with actual rules.
13. Analyze the results and troubleshoot any deficiencies.
14. Fine-tune the sensors, console, logging, alerting, and reporting.
15. Implement the IPS system in the live environment in monitor-only mode.
16. Validate alerts generated from the IPS.
17. One at a time, set blocking rules for known reliable alerts that are important in
18. Continue adding blocking rules over time as your confidence in each rule
19. Define continuing education plans for the IPS administrator.
20. Repeat these steps as necessary over the life of the IPS.
As you can see, installing and testing an IPS is a lot of work. The key is to take
small steps in your deployment, and plan and configure all the parts of your IPS
before just turning it on. The more time you spend on defining reporting and
database mechanisms at the beginning, the better the deployment will go.
During the initial tests, in step 10, use a test rule that is sure to trigger the IPS
sensor or console on every packet. This ensures that the physical part of the
sensor is working and lets you test the logging and alerting mechanisms. Once
you know the physical layer is working, you can remove that test rule (or
comment it out or unselect it, in case you need it later). Do not turn on
encryption, digital signing, or any other self-securing components until after
you’ve tested the initial physical connections. This reduces troubleshooting time
caused by mistyped passphrases or incorrectly configured security settings.
Finally, keep on top of your logs, and research all critical events. Quickly rule
out false positives, and fine-tune your IPS on a regular basis to minimize false
positives and false negatives. Once you get behind in your log duty, catching up
again is tough. Successful IPS administrators track and troubleshoot everything
as quickly as they can. The extra effort will pay dividends with smaller and more
Security Information and Event Management
Multiple security systems can report to a centralized Security Information and
Event Management (SIEM) system, bringing together logs and alerts from several
disparate sources. You may find different combinations of references to the
acronym SIEM, owing to the evolution of capabilities and the consequent variety
of names attached to SIEM products over the years, such as “Security Incident
and Event Management” or “Security Incident and Event Monitoring.” These are
all the same thing—a technology to collect, analyze, and correlate events and
alerts generated by monitoring systems.
SIEM platforms take the log files, find commonalities (such as attack types and
threat origination), and summarize the results for a particular time period. For
example, all logs and alerts from all IDSs, perimeter firewalls, personal firewalls,
antivirus scanners, and operating systems can be tied together. Events from all
logs are then gathered, analyzed, and reported on from one location. SIEMs offer
the ultimate in event correlation, giving you one place to get a quick snapshot of
your system’s security or to get trend information. SIEMs can also coordinate
signature and product updates.
SIEMs have a huge advantage over individual IDS systems because they have
the capability to collect and analyze many different sources of information to
determine what’s really happening. As a result, the SIEM can significantly reduce
false positives by verifying information based on other data. That data comes
from many sources, including workstations, servers, computing infrastructure,
databases, applications, network devices, and security systems. Because all those
sources generate a vast amount of real-time data, SIEM products need to be fast
and effective, with a significant amount of storage and computing power.
Today’s network attacks are often complex—slow, multifaceted, and stealthy.
Attackers use many techniques to circumvent security controls. Slow attacks can
spread malicious network traffic over days, weeks, or even months, hiding inside
the massive data streams experienced on any given network. Multifaceted attacks
use a variety of techniques in the hope that at least one will succeed, or that the
distributed nature of the attacks will distract attention away from the source.
Stealthy attacks use obscure or nonstandard aspects of network technologies and
protocols to slip past traditional monitoring capabilities that have been
programmed based on the assumption that network traffic will always follow the
normal standards. An IDS needs a SIEM to detect these advanced attacks.
A SIEM is one of the most important tools used by security operations and
monitoring staff, because it provides one-stop visibility into many different areas
of the information processing environment and attacks against those areas. Let’s
take a look at what a SIEM can do.
SIEMs collect information from every available source that is relevant to a
security event. These sources take the form of alerts, real-time data, logs, and
supporting data. Together, these provide the correlation engine of the SIEM with
information it can use to make decisions about what to bring to the security
administrator’s attention. Consider the following examples of specific data
sources consumed by a SIEM.
When is an alert real, and when is it a false positive? This is the key question
associated with an IDS, and a source of frustration for security administrators in
charge of tuning IDSs. This is where a SIEM enters the picture. The SIEM’s key
function is to validate security alerts using many different sources of data to
reduce false positives, so only the most reliable alerts get sent on to the security
administrator. Thus, the alerts from all IDS sources as well as all other security
monitoring systems should be given only to the SIEM, so it can decide which ones
to pass along.
Real-time data such as network flow data (for instance, Cisco’s NetFlow and
similar traffic monitoring protocols from other vendors) gives the SIEM
additional information to correlate. Streaming this data into the SIEM provides
important information about normal and abnormal traffic patterns that can be
used in conjunction with alerts to determine whether an attack is in progress. For
example, an unusually high amount of SMTP traffic that accompanies several
malware alerts may result in a high confidence alert that an e-mail worm is on
the loose. Similarly, an abnormally high amount of inbound Internet traffic,
combined with a high number of firewall deny events, can indicate a denial of
service attack. Another example is fragmented or truncated network packets,
which may indicate a network-based attack. Each of these real-time data
elements gives the SIEM important validation data for IDS alerts.
Logs are different from events, in that they are a normal part of system activity
and usually meant for debugging purposes. Logs can be an important additional
data source for a SIEM, however. Logs contain valuable information about what’s
happening on a system, and they can give the SIEM a deeper view into what’s
happening. For example, login failures that may otherwise go unnoticed by a
system administrator because they are buried in a system log might be of great
interest to a SIEM, especially if there are many login failures for a single account
(indicating a possible focused attempt to break into that account) or, similarly, if
there are login failures on many different accounts, which may indicate a broad-
based attempt to break into accounts using common passwords. System errors
that are logged and collected by a SIEM are also a valuable source of correlating
In addition to providing the SIEM itself with detailed information, logs can be
used to make decisions about the validity of IDS alerts and they are easier for
humans to view in a SIEM. The system administrator who needs to find a
particular log entry may find the SIEM is the best option for searching and
finding that log entry.
Ideal log sources for any SIEM include the following:
• Windows and Unix servers
• DNS and DHCP servers
• Switches and routers
• Web filters and proxies
Logs can be sent to the SIEM in a couple of different ways: they can be pushed
to the SIEM by the individual devices that collect the logs, or they can be pulled in
by the SIEM itself. The syslog protocol, which is widely used by Unix systems as
well as network devices, is an example of a push technique. When the IP address
of the SIEM is configured in the syslog service of a server or device, each log entry
that device produces will be sent over the network to the SIEM. For systems that
don’t support syslog, such as Windows, third-party software can be used to collect
static log information and send it to the SIEM. The third-party software agent can
be installed directly on the reporting server, or on a central server built for log
collection, in which case the software periodically connects to the server, grabs
the latest log entries, and pushes them to the SIEM.
Whether pushed or pulled, log entries need to be parsed. Every vendor has a
different format for the fields in their syslog data. Even though they all use the
same protocol, the information contained within the log is not standardized.
Modern SIEM products come with dozens of parsers that have been
preconfigured to convert the syslog fields of different manufacturers into a
format the SIEM can use. In the rare cases where a built-in parser is not available
for a particular vendor’s syslog format, the SIEM allows the administrator to
define a custom mapping.
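The per-vendor parsing just described, together with the login-failure correlation from the earlier paragraph on logs (many failures on one account versus one source failing across many accounts), as one added example that is not the book's code. Both built-in vendor formats, the custom third format and every log line are constructed for illustration.

```python
"""Normalising multi-vendor syslog and correlating login failures in a SIEM.

Added example, not from the book. Both vendor formats, the custom third format
and every log line are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# A parser is (vendor name, regex with named groups, group name -> normalised field).
Parser = Tuple[str, "re.Pattern[str]", Dict[str, str]]
BUILTIN_PARSERS: List[Parser] = [
    ("linux-sshd",
     re.compile(r"^<\d+>\w{3} +\d+ [\d:]+ (?P<h>\S+) sshd\[\d+\]: "
                r"(?P<res>Failed|Accepted) password for (?P<u>\S+) from (?P<ip>\S+)"),
     {"h": "host", "res": "result", "u": "user", "ip": "src"}),
    ("vendorB-vpn",
     re.compile(r"^<\d+>1 \S+ (?P<h>\S+) vpnd \S+ \S+ \S+ event=(?P<res>\S+) "
                r"user=(?P<u>\S+) src=(?P<ip>\S+)"),
     {"h": "host", "res": "result", "u": "user", "ip": "src"}),
]
# Vendor-specific result strings that all mean "login failed".
FAILURE_WORDS = {"Failed", "auth_fail", "FAIL"}


def custom_parser(name: str, pattern: str, field_map: Dict[str, str]) -> Parser:
    """Administrator-defined mapping for a format with no built-in parser."""
    return (name, re.compile(pattern), field_map)


def parse_line(line: str, parsers: List[Parser] = BUILTIN_PARSERS) -> Optional[Dict[str, str]]:
    """Return a normalised record, or None when no parser understands the line."""
    for vendor, regex, field_map in parsers:
        m = regex.search(line)
        if m:
            rec = {field_map[g]: v for g, v in m.groupdict().items() if v is not None}
            rec["vendor"] = vendor
            rec["outcome"] = "failure" if rec.get("result") in FAILURE_WORDS else "success"
            return rec
    return None


def detect_login_abuse(records: List[Dict[str, str]], per_account: int = 5,
                       spray_accounts: int = 5) -> List[Tuple[str, str, int]]:
    """Flag one account with many failures (focused attempt) and one source
    failing across many accounts (broad attempt, e.g. common-password guessing)."""
    per_user: Counter = Counter()
    users_per_src: Dict[str, set] = defaultdict(set)
    for r in records:
        if r["outcome"] == "failure":
            per_user[r["user"]] += 1
            users_per_src[r["src"]].add(r["user"])
    findings = [("focused-attempt", u, n) for u, n in per_user.items() if n >= per_account]
    findings += [("broad-attempt", s, len(us)) for s, us in users_per_src.items()
                 if len(us) >= spray_accounts]
    return findings


# Constructed sample lines: five failures for alice from one source, one source
# trying four VPN accounts, one successful login, and one line in an unknown format.
SAMPLE_LINES = [
    f"<38>Jun 21 03:14:{s:02d} web01 sshd[2201]: Failed password for alice "
    f"from 198.51.100.7 port 52114 ssh2"
    for s in range(1, 6)
] + [
    f"<134>1 2022-06-21T03:14:{s:02d}Z vpn01 vpnd - - - event=auth_fail user={u} src=192.0.2.9"
    for s, u in enumerate(["bob", "carol", "dave", "erin"], start=10)
] + [
    "<38>Jun 21 03:14:30 web01 sshd[2205]: Accepted password for alice from 10.0.0.15 port 40022 ssh2",
    "<13>Jun 21 03:15:00 nas01 authd: LOGIN FAIL user=grace ip=192.0.2.9",
]

# Custom mapping the administrator defines for the NAS format the SIEM does not ship with.
NAS_PARSER = custom_parser(
    "nas-authd",
    r"^<\d+>\w{3} +\d+ [\d:]+ (?P<host>\S+) authd: LOGIN (?P<status>\w+) "
    r"user=(?P<acct>\S+) ip=(?P<addr>\S+)",
    {"host": "host", "status": "result", "acct": "user", "addr": "src"},
)


def analyse(lines: List[str], parsers: List[Parser]):
    """Parse what the parser table understands, count the rest, run the abuse logic."""
    records = [r for r in (parse_line(ln, parsers) for ln in lines) if r is not None]
    return records, len(lines) - len(records), detect_login_abuse(records)
```

Without the custom mapping the NAS line is dropped and the broad attempt from 192.0.2.9 stays one account under the threshold; once the mapping is added, the same source is seen across five accounts and the finding fires.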
You can enhance the quality of a SIEM’s correlation even more by providing the
SIEM with supporting data that has been previously collected. Data can be
imported into the SIEM, and it will use that data to make comparative
For example, asset management data containing names, IP addresses,
operating systems, and software versions gives the SIEM valuable information it
can use to determine whether an IDS alert makes sense within the context of the
software environment. Coupled with risk weighting data, the SIEM can use this
information to prioritize and escalate alerts that pertain to high-risk systems. You
can also use vulnerability scans to give the SIEM information it can use to
compare an alert about an exploit with an associated vulnerability to determine
if the exploit is real and whether it was successful. Moreover, geolocation
information can be used to prioritize alerts from high-risk countries, or even
local areas such as the datacenter or public hotspots in which mobile devices
might be attacked.
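The asset, vulnerability-scan, risk-weight and location checks described in this paragraph, as an added example that is not the book's code. The inventory, scan findings, alerts, location buckets and the scoring rule are all constructed assumptions; VULN-0001 and VULN-0002 are placeholder identifiers, not real vulnerability IDs.

```python
"""Validating IDS alerts against asset, vulnerability-scan, risk and location data.

Added example, not from the book. The inventory, scan findings, alerts and the
scoring rule are constructed; VULN-0001/VULN-0002 are placeholders, not real IDs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

HIGH_RISK_ZONES = {"public-hotspot", "high-risk-country"}   # constructed geolocation buckets


@dataclass
class Asset:
    ip: str
    name: str
    os: str
    risk_weight: int        # 1 (low value) .. 5 (critical), from the asset register
    vulns: Set[str]         # vulnerability IDs reported by the last scan


@dataclass
class IdsAlert:
    dst: str
    exploit: str            # name the IDS signature gives the exploit
    target_os: str          # platform the exploit works against
    vuln_id: Optional[str]  # vulnerability the exploit uses, when the signature names one
    src_zone: str           # geolocation bucket of the source address


@dataclass
class Verdict:
    disposition: str        # "escalate", "investigate" or "suppress"
    score: int
    reason: str


def validate(alert: IdsAlert, inventory: Dict[str, Asset]) -> Verdict:
    """Decide whether an IDS alert makes sense for its target and how urgent it is."""
    asset = inventory.get(alert.dst)
    if asset is None:
        # Unknown host: the register is incomplete, so keep the alert at low priority.
        return Verdict("investigate", 2, "target not in asset register")
    if asset.os != alert.target_os:
        return Verdict("suppress", 0,
                       f"{alert.exploit} targets {alert.target_os}; host runs {asset.os}")
    confirmed = alert.vuln_id is not None and alert.vuln_id in asset.vulns
    if alert.vuln_id is not None and not confirmed:
        # Scan says the hole is absent; score 1 rather than 0 because scan data goes stale.
        return Verdict("suppress", 1, f"last scan did not find {alert.vuln_id} on {asset.name}")
    score = asset.risk_weight * (2 if confirmed else 1)
    if alert.src_zone in HIGH_RISK_ZONES:
        score += 2
    disposition = "escalate" if score >= 8 else "investigate"
    reason = ("exploit matches a scanned vulnerability" if confirmed
              else "platform matches, vulnerability unconfirmed")
    return Verdict(disposition, score, reason)


def triage(alerts: List[IdsAlert], inventory: Dict[str, Asset]) -> List[Verdict]:
    """Validate every alert and order the result with escalations first."""
    order = {"escalate": 0, "investigate": 1, "suppress": 2}
    verdicts = [validate(a, inventory) for a in alerts]
    return sorted(verdicts, key=lambda v: (order[v.disposition], -v.score))


# Constructed asset register (with last-scan findings) and a batch of IDS alerts.
INVENTORY = {
    "10.0.0.10": Asset("10.0.0.10", "web01", "Linux", 5, {"VULN-0001"}),
    "10.0.0.20": Asset("10.0.0.20", "fs01", "Windows", 3, set()),
}
ALERTS = [
    IdsAlert("10.0.0.10", "linux-web-rce", "Linux", "VULN-0001", "internal"),
    IdsAlert("10.0.0.10", "iis-overflow", "Windows", None, "internal"),
    IdsAlert("10.0.0.10", "linux-web-rce-2", "Linux", "VULN-0002", "internal"),
    IdsAlert("10.0.0.20", "smb-probe", "Windows", None, "public-hotspot"),
    IdsAlert("10.0.0.99", "smb-probe", "Windows", None, "internal"),
]
```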
A SIEM takes all the data given to it and makes decisions, so the security
administrator can focus on the most important alerts. For this reason, event
correlation is a SIEM’s most important feature. The correlation engine of every
SIEM product is its most distinguishing feature. The better the analysis, the
cleaner the end result. In effect, a SIEM is a sort of artificial intelligence system,
working much like the human brain in putting together different elements that
individually may not be important, but taken together form a picture of a critical
security situation. And a SIEM does this at a much faster rate than any human
possibly could, giving the security administrator a time advantage so he or she
can react quickly to attacks in progress.
Real-time analysis of security events is only made possible with a SIEM.
Thousands, or even millions, of events occur every second across most networks.
No human can hope to see, absorb, and understand all of them at once. By
comparison, forensic investigations in which the investigator looks at a few
different data sources to decide who did what and when often take weeks of
intense, focused effort. That’s too long a timeframe for effective response to an
attack. To stop an attack in progress, real-time analysis is required.
Because it collects so much data from across the enterprise, a SIEM can do
more than alert. It can provide system and network administrators with
advanced search capabilities they will not find on any other platform. For this
reason, the SIEM represents an excellent shared platform that can make every
administrator’s job easier and more efficient. Thus, the SIEM is not just a security
tool; it’s also a valuable IT management tool.
The SIEM can also perform historical and forensic analysis based on the log
information it collects. Depending on how much storage is allocated to the SIEM,
either on-board or over the network, it can retain logs and alerts for a long
enough period of time that it can investigate past events. Security investigators
can dig into the logs to find out what happened in a prior situation, and system
administrators can look at past events to troubleshoot and evaluate functional
For all the data collected by the SIEM and its resulting alerts to be human-
readable, it must present the information in a way that an administrator can
understand at a glance. SIEMs do this with a dashboard. A dashboard is a
graphical and organized representation of alerts, event data, and statistical
information that allows the administrator to see patterns, understand trends,
identify unusual activity, and perceive the current threat landscape quickly at
any point in time. The quality of a SIEM’s dashboard is a key differentiator among
the various SIEM products on the market.
Alerting is the other way the SIEM interacts with humans. Whereas the
dashboard performs a pull type of data transfer to the administrator (because the
administrator must go to the SIEM, log in, and intentionally look for the
information), alerts represent a push technique that doesn’t require human
diligence to notice something important is happening. When a SIEM scores a
series of events and the associated correlation of supporting information to be
high enough, it sends an alert. The threshold for alerts should be set properly to
ensure that only events that require action get the attention of the administrator,
without excessive false positives. This is another reason a SIEM complements an
IDS: the SIEM is more sophisticated than the IDS at creating appropriate alerts.
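To make the correlation and alert-threshold ideas from the paragraphs above concrete (scoring a series of events, using supporting data such as asset exposure and geolocation to decide whether an exploit is real and whether it succeeded, and alerting only above a threshold), here is a small correlation engine written for this page as an added example. It is not code from the book or from any SIEM product. The event schema, the asset inventory, the "high-risk" network list, the score weights, the five-minute window and the threshold of 60 are all hypothetical choices, and the events are constructed sample data using documentation IP ranges.

```python
"""Toy SIEM correlation engine: scores related events and alerts above a threshold."""
import ipaddress
from datetime import datetime, timedelta, timezone

# --- Supporting data "preconfigured into the SIEM" (constructed, hypothetical) ---
# Which vulnerability classes each asset is actually exposed to (from a scanner/CMDB).
ASSET_VULNS = {
    "web01": {"php_webshell_upload"},
    "db01": set(),
}
# Networks the organisation treats as a high-risk geography (documentation range).
HIGH_RISK_NETS = [ipaddress.ip_network("203.0.113.0/24")]

ALERT_THRESHOLD = 60           # tune so only actionable events page an administrator
WINDOW = timedelta(minutes=5)  # events on the same host inside this gap are "related"

# --- Constructed sample events, already normalised into one schema ---
EVENTS = [
    {"source": "nids", "time": "2022-06-21T10:00:00Z", "host": "web01",
     "src_ip": "203.0.113.5", "kind": "exploit_attempt", "sig": "php_webshell_upload"},
    {"source": "hids", "time": "2022-06-21T10:00:20Z", "host": "web01",
     "src_ip": None, "kind": "new_process", "sig": "/tmp/.x"},
    {"source": "nids", "time": "2022-06-21T11:00:00Z", "host": "db01",
     "src_ip": "198.51.100.7", "kind": "port_scan", "sig": None},
    {"source": "nids", "time": "2022-06-21T12:00:00Z", "host": "db01",
     "src_ip": "198.51.100.9", "kind": "exploit_attempt", "sig": "php_webshell_upload"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_high_risk_geo(ip):
    """Stand-in for a geolocation lookup: is the source in a high-risk network?"""
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HIGH_RISK_NETS)


def group_by_host_window(events):
    """Group events per host; a new group starts when the time gap exceeds WINDOW."""
    groups, latest_for_host = [], {}
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        t = parse_time(ev["time"])
        current = latest_for_host.get(ev["host"])
        if current is None or t - parse_time(current[-1]["time"]) > WINDOW:
            current = []
            latest_for_host[ev["host"]] = current
            groups.append(current)
        current.append(ev)
    return groups


def score_group(group):
    """Return (score, reasons) for one related set of events on a host."""
    host = group[0]["host"]
    score, reasons = 0, []
    attempts = [e for e in group if e["kind"] == "exploit_attempt"]
    if any(e["kind"] == "port_scan" for e in group):
        score += 10
        reasons.append("reconnaissance seen")
    if attempts:
        score += 30
        reasons.append("IDS exploit signature")
        # Is the exploit "real" for this target? Check the asset's known exposure.
        if any(e["sig"] in ASSET_VULNS.get(host, set()) for e in attempts):
            score += 30
            reasons.append("target exposed to that vulnerability class")
        # Was it successful? Look for host-side activity after the first attempt.
        first = min(parse_time(e["time"]) for e in attempts)
        if any(e["source"] == "hids" and parse_time(e["time"]) >= first for e in group):
            score += 30
            reasons.append("host-side activity after attempt")
        if any(in_high_risk_geo(e["src_ip"]) for e in attempts):
            score += 10
            reasons.append("source in high-risk geography")
    return score, reasons


def correlate(events):
    """Run the engine and return only the groups that cross the alert threshold."""
    alerts = []
    for group in group_by_host_window(events):
        score, reasons = score_group(group)
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": group[0]["host"], "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

With the constructed data, the lone port scan against db01 scores 10 and the exploit attempt against a host that is not exposed to that vulnerability class scores 30, so neither is pushed to the administrator; only the web01 sequence (signature, exposed target, follow-up host activity, high-risk source) crosses the threshold. Raising or lowering ALERT_THRESHOLD is exactly the false-positive tuning the text describes.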
Additional SIEM Features
SIEMs provide additional value beyond collecting data and sending alerts.
Because they collect and store so much data, SIEMs provide a natural advantage
for offline log storage and retention, root cause analysis, advanced searching, and
Offline log storage and retention is an important protection against tampering.
Any time a system is compromised by an attacker, the attacker generally attempts
to delete the traces of his or her activities by removing log entries, or even entire
log files. When these logs are transmitted immediately from servers and devices
to offline storage, in this case the SIEM, they cannot be tampered with because
the SIEM stores them in a protected location that attackers cannot access. Log
retention is also a compliance requirement for some organizations.
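The paragraph above relies on the copy held off-host being both unreachable by the attacker and provably unaltered. One way a collector can make its copy tamper-evident is to chain every stored record to the previous one with a hash, so that editing, deleting or reordering any record breaks the chain. The following is an added example written for this page, not code from the book or from any SIEM product; the log lines are constructed samples and the class and function names are hypothetical.

```python
"""Tamper-evident offline log store: each record is hash-chained to its predecessor."""
import hashlib
import json

# Constructed sample lines as a server would forward them to the collector.
INCOMING = [
    "Jun 21 10:00:01 web01 sshd[812]: Accepted password for deploy from 198.51.100.7 port 50012",
    "Jun 21 10:00:05 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/bash",
    "Jun 21 10:00:09 web01 sshd[812]: pam_unix(sshd:session): session opened for user deploy",
]

GENESIS = "0" * 64  # fixed "previous digest" for the very first record


class ChainedLogStore:
    """Append-only store kept off the monitored host (for example, on the SIEM)."""

    def __init__(self):
        self.records = []  # each: {"seq", "line", "prev", "digest"}

    @staticmethod
    def _digest(seq, line, prev):
        # Canonical JSON so the same fields always hash the same way.
        payload = json.dumps({"seq": seq, "line": line, "prev": prev}, sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, line):
        """Store one forwarded line; returns the new head digest."""
        prev = self.records[-1]["digest"] if self.records else GENESIS
        seq = len(self.records)
        rec = {"seq": seq, "line": line, "prev": prev,
               "digest": self._digest(seq, line, prev)}
        self.records.append(rec)
        return rec["digest"]

    def head(self):
        """Digest of the latest record. Publish it somewhere the store's own
        administrators cannot rewrite, or a truncated tail would go unnoticed."""
        return self.records[-1]["digest"] if self.records else GENESIS

    def verify(self):
        """Return (ok, first_bad_seq). Detects edited, deleted or reordered records."""
        prev = GENESIS
        for expected_seq, rec in enumerate(self.records):
            if rec["seq"] != expected_seq or rec["prev"] != prev:
                return False, expected_seq
            if rec["digest"] != self._digest(rec["seq"], rec["line"], rec["prev"]):
                return False, expected_seq
            prev = rec["digest"]
        return True, None


def ingest(lines):
    """Simulate the collector receiving lines as they are produced."""
    store = ChainedLogStore()
    for line in lines:
        store.append(line)
    return store


if __name__ == "__main__":
    store = ingest(INCOMING)
    print("chain valid:", store.verify(), "head:", store.head())
```

The chain proves integrity, not availability of the latest entries: an attacker who can reach the store could still drop the newest records without breaking any digest, which is why the head digest should be recorded out of band (and why the store itself must stay out of the attacker's reach, as the text says).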
Analyzing the root cause of IT problems can be facilitated by all the
information collected by a SIEM. Because it parses the log information into a
standard format regardless of which product or technology produced the data,
administrators can easily search individual data fields to find what they’re
looking for. In addition, because the timestamps are all normalized, you can
easily see groups of events that happened together, even across disparate
The SIEM’s advanced search capabilities provide another valuable advantage
to system administrators. Imagine searching through individual system logs to
find a particular piece of data you need on several different systems. Because
system logs are generally not easily searchable, and systems don’t typically
provide sophisticated search capabilities, this can be a lot of work. And many
technologies are standalone, without centralized log search ability. SIEMs provide
administrators with that centralized ability to sift through the mountains of data
produced by individual systems and devices to find what they’re looking for
without spending a lot of time and effort.
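The two paragraphs above (root cause analysis through normalised fields and timestamps, and centralised search across disparate systems) come down to one mechanism: parse each product's native format into a common schema with UTC timestamps, then search and group on that schema. Here is an added example of that step, written for this page and not taken from the book or any SIEM product. It handles three constructed input formats (BSD syslog, Apache combined log, and a JSON event resembling a Windows logon record); the assumption that BSD syslog lines get their year and time zone from per-source collector configuration, and the field names used, are hypothetical.

```python
"""Normalise heterogeneous log lines into one schema, then search and cluster them."""
import json
import re
from datetime import datetime, timedelta, timezone

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Assumption: BSD syslog carries no year or zone, so the collector's source
# configuration supplies them (constructed: year 2022, web01 runs at UTC-4).
SYSLOG_YEAR = 2022
HOST_TZ = {"web01": timezone(timedelta(hours=-4))}

# Constructed sample lines from three different products.
RAW = [
    "Jun 21 06:00:01 web01 sshd[812]: Accepted password for deploy from 198.51.100.7 port 50012 ssh2",
    '198.51.100.7 - - [21/Jun/2022:06:00:03 -0400] "POST /admin/upload.php HTTP/1.1" 200 512',
    '{"TimeCreated":"2022-06-21T10:00:05.000Z","Computer":"dc01","EventID":4624,"IpAddress":"198.51.100.7"}',
    '{"TimeCreated":"2022-06-21T10:30:00.000Z","Computer":"dc01","EventID":4625,"IpAddress":"192.0.2.44"}',
]


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    local = local.replace(tzinfo=HOST_TZ.get(m["host"], timezone.utc))
    ip = IP_RE.search(m["msg"])
    return {"ts": local.astimezone(timezone.utc), "host": m["host"],
            "src_ip": ip.group(0) if ip else None, "source": "syslog", "message": m["msg"]}


def parse_apache(line, host):
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # offset is in the line
    return {"ts": ts.astimezone(timezone.utc), "host": host, "src_ip": m["ip"],
            "source": "apache", "message": f"{m['req']} -> {m['status']}"}


def parse_json_event(line):
    obj = json.loads(line)
    ts = datetime.strptime(obj["TimeCreated"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": obj["Computer"], "src_ip": obj.get("IpAddress"),
            "source": "winevent", "message": f"EventID {obj['EventID']}"}


def normalize(line, default_host):
    """Detect the format and return one record in the common schema (or None)."""
    if line.startswith("{"):
        return parse_json_event(line)
    return parse_apache(line, default_host) or parse_syslog(line)


def normalize_all(lines, default_host="web01"):
    return [e for e in (normalize(l, default_host) for l in lines) if e]


def search(events, **criteria):
    """Field search across every source, e.g. search(events, src_ip="198.51.100.7")."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def cluster(events, window_seconds=60):
    """Group normalised events whose UTC timestamps fall within window_seconds of the previous one."""
    clusters, current = [], []
    for e in sorted(events, key=lambda e: e["ts"]):
        if current and (e["ts"] - current[-1]["ts"]).total_seconds() > window_seconds:
            clusters.append(current)
            current = []
        current.append(e)
    if current:
        clusters.append(current)
    return clusters


if __name__ == "__main__":
    events = normalize_all(RAW)
    for group in cluster(events):
        print([(e["ts"].isoformat(), e["source"], e["host"], e["src_ip"]) for e in group])
```

Once the three 06:00 local-time and 10:00 UTC lines are normalised they land within seconds of each other, so the cluster shows an SSH login, a web upload and a domain logon from the same address as one sequence, which none of the individual logs could reveal on its own.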
Finally, a SIEM can be employed to collect and report on compliance data for
systems on the network. Because the SIEM has the most complete set of
information about various aspects of the network that need to be monitored,
reported, and audited, a SIEM’s compliance reports are a great way to automate
An intrusion detection system should be a part of every network security
administrator’s protection plan. An IDS provides the “detection” aspect of the
three Ds of security mentioned in Chapter 1, by providing visibility into activities,
incidents, and intrusions. Along with other ID tools and methods, an IDS can
monitor a host for system changes or sniff network packets off the wire, looking
for malicious intent. An IPS uses the same technology to make decisions about
blocking network traffic. An IDS can be installed purely as a monitoring and
detection device that sends alerts to administrators, who would then evaluate the
situation and potentially take some action.
An IDS in blocking mode is known as IPS. Security administrators should
consider using a combination of HIPS and NIPS, with both signature-detection
and anomaly-based engines. An IPS’s biggest weaknesses are the high number of
false positives and the significant maintenance effort needed to keep it up to date
and finely tuned so it doesn’t block legitimate activities on systems and networks.
A HIPS would be appropriate on strategically valuable hosts, an IDS across the
network for general early-warning detection, and an IPS for critical networks
that need active protection. Central management consoles are helpful when
multiple distributed agents are involved.
SIEM systems greatly enhance the accuracy, effectiveness, and completeness
of IDS alerts. By themselves, individual IDS sensors can only see constrained
segments of a network. Used in conjunction with a SIEM, multiple IDS sensors can
provide much greater visibility. Reliability is also improved when a SIEM is used
to collect and correlate alerts from IDSs and other sources, along with supporting
data that has either been preconfigured into the SIEM or fed to it in real time.
SIEMs also provide advanced capabilities that enhance the effectiveness of
system, network, and security administrators.