Saturday, March 29, 2008

ISUP and QSIG Security

Automatic Number Identification (ANI)-based security mechanisms can be spoofed
in both directions, although some carriers claim to have clamped down on this practice
(I'm not convinced this can be done). This can be used to create false Caller-ID
data to subscribers. If your organization uses ANI to verify identity (as a very large
credit card user has been known to do), you are asking for trouble. It’s only slightly
more difficult than spoofing an e-mail address if you know what you’re doing, so
tread carefully here.
Other ISUP and QSIG fields have similar problems, so be very careful with any
trust assumptions you make with these protocols. Always assume that CLASS services
like distinctive ringing, selective call acceptance, selective call forward, and so on will
be fooled by ANI spoofing and similar ISUP or QSIG attacks.
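As an added illustration (not code from the book), here is the difference between an IVR or call-center check that treats the presented ANI as proof of identity and one that treats it only as an untrusted hint. The account store, the PIN scheme and the field names are constructed for the example.

```python
"""Added example: an inbound-call identity check that does not trust ANI.

Not from the book. The account store, PIN scheme and field names are
constructed for illustration; InboundCall models what a PBX or IVR sees on an
ISDN/ISUP trunk.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def _pin_hash(salt: str, pin: str) -> str:
    # Toy PIN hashing for the example; a real system would use a slow KDF.
    return hashlib.sha256((salt + pin).encode()).hexdigest()


# Constructed sample account (the number of record is a made-up NANP number).
ACCOUNTS = {
    "ACCT-1001": {
        "phone_of_record": "2125550100",
        "salt": "s1",
        "pin_hash": _pin_hash("s1", "4821"),
    },
}


@dataclass
class InboundCall:
    ani: str                   # calling number as presented by the carrier
    account_id: str            # account the caller claims to own
    pin: Optional[str] = None  # knowledge factor entered on the keypad


@dataclass
class Decision:
    authenticated: bool
    reason: str
    fraud_flag: bool = False   # ANI disagreed with the number of record
    step_up: bool = False      # sensitive actions need a callback first


def authenticate_ani_only(call: InboundCall) -> Decision:
    """The weak pattern the text warns against: ANI match equals identity."""
    acct = ACCOUNTS.get(call.account_id)
    if acct and call.ani == acct["phone_of_record"]:
        return Decision(True, "ani matched phone of record")
    return Decision(False, "ani did not match")


def authenticate_hardened(call: InboundCall) -> Decision:
    """ANI is a hint, never an authenticator.

    Identity comes from a secret the caller knows. Because the ANI can be
    spoofed either way, a match is not proof of origin and never authenticates
    by itself; a mismatch is a fraud signal that forces a step-up (callback to
    the number of record) before sensitive operations.
    """
    acct = ACCOUNTS.get(call.account_id)
    if acct is None:
        return Decision(False, "unknown account")
    ani_mismatch = call.ani != acct["phone_of_record"]
    if call.pin is None:
        return Decision(False, "pin required", fraud_flag=ani_mismatch)
    if not hmac.compare_digest(_pin_hash(acct["salt"], call.pin), acct["pin_hash"]):
        return Decision(False, "bad pin", fraud_flag=ani_mismatch)
    return Decision(True, "pin verified", fraud_flag=ani_mismatch,
                    step_up=ani_mismatch)


if __name__ == "__main__":
    # Constructed call presenting the account's own number but no PIN, which
    # is exactly what a spoofed-ANI caller would present.
    spoofed = InboundCall(ani="2125550100", account_id="ACCT-1001")
    print("ani-only :", authenticate_ani_only(spoofed))
    print("hardened :", authenticate_hardened(spoofed))
```

The ANI-only check accepts the spoofed call outright; the hardened check refuses it, and even with a correct PIN it records an ANI mismatch for fraud review rather than silently trusting either outcome.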

PSTN Protocol Security

If you thought that PSTN protocols are more secure than the IP protocols riding on
PSTN access circuits, then prepare to be shocked. In some respects, one of the
greatest threats to the Internet is the PSTN itself.

SS7 and Other ITU-T Signaling Security

Despite the fact that ITU-T signaling protocols prior to SS7 are notoriously insecure
(see the sidebar on Blueboxing and the Phone Phreaking community earlier in
the chapter), they continue to be deployed around the world along with older
switching equipment that is vulnerable to toll fraud, eavesdropping, and other risks.
If your VoIP system will be interfacing with such equipment, take countermeasures
to reduce potential exposure and liability, set alarms, and review logs.
That is not to suggest that SS7 is particularly secure, but it is much harder for a
subscriber to inject signaling into an SS7 network. That being said, the primary threat
for SS7 networks is the peering arrangements (particularly among CLEC partners),
which allow injection of false and/or fraudulent signaling and other messaging information.
SS7 as currently defined does not have policy controls built in to address this issue.
The risks and countermeasures were summarized quite well by the 3GPP SA WG3
Technical Specification Group in January 2000 for 3G TR 33.900 V1.2.0:
The security of the global SS7 network as a transport system for
signaling messages, e.g., authentication and supplementary services
such as call forwarding, is open to major compromise.
The problem with the current SS7 system is that messages can be
altered, injected or deleted into the global SS7 networks in an
uncontrolled manner. In the past, SS7 traffic was passed between
major PTOs covered under treaty organization and the number of
operators was relatively small and the risk of compromise was low.
Networks are getting smaller and more numerous. Opportunities
for unintentional mishaps will increase, as will the opportunities for
hackers and other abusers of networks. With the increase in different
types of operators and the increase in the number of interconnection
circuits there is an ever-growing loss of control of
security of the signaling networks.
There is also exponential growth in the use of interconnection
between the telecommunication networks and the Internet. The IT
community now has many protocol converters for conversion of
SS7 data to IP, primarily for the transportation of voice and data
over the IP networks. In addition new services such as those based
on IN will lead to a growing use of the SS7 network for general
data transfers.
There have been a number of incidents from accidental action,
which have damaged a network. To date, there have been very few
deliberate actions. The availability of cheap PC based equipment
that can be used to access networks and the ready availability of
access gateways on the Internet will lead to compromise of SS7
signaling and this will affect mobile operators.
The risk of attack has been recognized in the USA at the highest
level of the President’s office indicating concern on SS7. It is understood
that the T1, an American group is seriously considering the
issue. For the network operator there is some policing of incoming
signaling on most switches already, but this is dependent on the
make of switch as well as on the way the switch is configured by
operators.
Some engineering equipment is not substantially different from
other advanced protocol analyzers in terms of its fraud potential,
but is more intelligent and can be programmed more easily. The
SS7 network as presently engineered is insecure. It is vitally important
that network operators ensure that signaling screening of SS7
incoming messages takes place at the entry points to their networks
and that operations and maintenance systems alert against
unusual SS7 messages. There are a number of messages that can
have a significant effect on the operation of the network and inappropriate
messages should be controlled at entry point.
Network operators or network security engineers should on a regular
basis carry out monitoring of signaling links for these inappropriate
messages. In signing agreements with roaming partners and
carrying out roaming testing, review of messages and also to seek
appropriate confirmation that network operators are also screening
incoming SS7 messages on their networks to ensure that no rogue
messages appear.
In summary there is no adequate security left in SS7. Mobile operators
need to protect themselves from attack from hackers and inadvertent
action that could stop a network or networks operating
correctly.
Bottom line: Just because SS7 is harder for subscribers to crack doesn’t mean it is
secure overall. SS7 peering in the PSTN is not nearly as robust as its BGP equivalent
on the Internet, and this has the potential for dire consequences if it were to be
exploited maliciously. It’s not yet clear if or how the ITU-T plans to address these
concerns directly in a revision to SS7, although a T1S1 SS7 Security Standard was
proposed at one time as part of an overall Study Group 17 (SG-17) effort. RFC
3788, Security Considerations for SIGTRAN protocols, was published by the
Internet Engineering Task Force (IETF) in June 2004, and suggests the use of specific
TLS and IPsec profiles when using SS7 over IP, though it also notes that the
“Peer To Peer” challenge still exists with SS7. The Network Interconnection
Interoperability Forum (NIIF) within the Alliance for Telecommunications Industry
Solutions (ATIS) has published many guidelines on the topic of secure interconnections
(available to members or to the public for a fee). The good news is that unlike
the Internet’s in-band signaling model, which is vulnerable to direct attack, the SS7
signaling network is out of band to the voice and data communication it carries.
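The screening and alerting the 3GPP text calls for, as an added example that is not from the book or from any vendor's STP: a per-peer policy applied to messages arriving on an interconnect linkset, rejecting messages whose origin point code, destination, service indicator or message type does not match what that peer is allowed to send, and counting message types so operations staff can alarm on an unusual mix. The point codes, the log format and the policy are constructed.

```python
"""Added example: ingress screening of SS7 messages at a network entry point.

Illustrative code written for this page, not an STP or 3GPP implementation.
The monitor log format, the point codes and the peer policy are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class PeerPolicy:
    allowed_opc: Set[str]               # point codes this peer may originate
    allowed_si: Set[str]                # service indicators (user parts) accepted
    allowed_msgs: Dict[str, Set[str]]   # per service indicator, message types


# Our own signaling point codes (constructed). Any other DPC means the peer is
# trying to use us as a transit network.
OWN_PC = {"2-10-1", "2-10-2"}

# Constructed interconnect policy: peer "cleco" may send ISUP call control and
# SCCP unitdata, but never MTP3 network management (SNM) messages.
POLICIES = {
    "cleco": PeerPolicy(
        allowed_opc={"7-3-1", "7-3-2"},
        allowed_si={"ISUP", "SCCP"},
        allowed_msgs={
            "ISUP": {"IAM", "ACM", "ANM", "REL", "RLC"},
            "SCCP": {"UDT"},
        },
    )
}


def parse_msg(line: str) -> Dict[str, str]:
    """Parse the 'key=value' fields of one constructed monitor log line."""
    return dict(kv.split("=", 1) for kv in line.split())


def screen(peer: str, msg: Dict[str, str]) -> List[str]:
    """Return the list of screening violations (an empty list means accept)."""
    pol = POLICIES[peer]
    problems = []
    if msg.get("opc") not in pol.allowed_opc:
        problems.append(f"opc {msg.get('opc')} not assigned to peer {peer}")
    if msg.get("dpc") not in OWN_PC:
        problems.append(f"dpc {msg.get('dpc')} is not ours (transit attempt)")
    si = msg.get("si", "?")
    if si not in pol.allowed_si:
        problems.append(f"service indicator {si} not accepted from {peer}")
    elif msg.get("msg") not in pol.allowed_msgs[si]:
        problems.append(f"{si} message {msg.get('msg')} not accepted from {peer}")
    return problems


def screen_log(peer: str, lines: List[str]) -> Tuple[list, list, Counter]:
    """Screen every line; return (accepted, rejected_with_reasons, type_counts).

    type_counts is the input to the O&M alerting the 3GPP text asks for: a
    sudden change in the mix of message types on a link deserves an alarm even
    when each individual message passes the static checks.
    """
    accepted, rejected = [], []
    counts: Counter = Counter()
    for line in lines:
        m = parse_msg(line)
        counts[f"{m.get('si')}/{m.get('msg')}"] += 1
        problems = screen(peer, m)
        (rejected if problems else accepted).append((m, problems))
    return accepted, rejected, counts


# Constructed sample monitor lines from the "cleco" linkset.
SAMPLE = [
    "opc=7-3-1 dpc=2-10-1 si=ISUP msg=IAM cic=17 cdpn=2125550100",
    "opc=7-3-1 dpc=2-10-1 si=ISUP msg=ACM cic=17",
    "opc=7-3-9 dpc=2-10-1 si=ISUP msg=IAM cic=3 cdpn=2125550101",  # unknown OPC
    "opc=7-3-2 dpc=5-1-1 si=ISUP msg=IAM cic=8 cdpn=4155550123",   # transit
    "opc=7-3-1 dpc=2-10-2 si=SNM msg=TFP dest=2-10-1",             # mgmt msg
    "opc=7-3-2 dpc=2-10-1 si=ISUP msg=REL cic=17 cause=16",
]

if __name__ == "__main__":
    ok, bad, counts = screen_log("cleco", SAMPLE)
    print(f"accepted={len(ok)} rejected={len(bad)}")
    for m, why in bad:
        print("REJECT", m, "->", "; ".join(why))
    print(dict(counts))
```

Three of the six constructed messages are rejected: one from a point code the peer does not own, one addressed to a point code that is not ours, and one MTP network-management message that an external peer has no business sending. The per-type counts are what you would feed to the monitoring the quoted text recommends.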

PSTN Call Flow

Now that we have discussed what makes up the PSTN, let’s put it all together and
walk through a messaging sequence. Here we will start from a caller picking up the
phone attempting to make a call. The flow will be broken down into off-hook, digit
receipt, ring down, conversation, and on-hook sections. We will start by imagining
someone (Party B) picking up the phone to make the call (to Party A, on the same
CO switch). The following list outlines, in order, the actions performed by the
network:
Party B picks up the phone, and the off-hook sequence begins:
1. The off-hook state is detected by the switch (loop or ground start).
2. The switch establishes the time slot and sends a dial tone on the voice path.
3. The switch awaits digits pressed by Party B.
The digit receipt sequence is as follows:
1. Party B dials digits on the touch pad.
2. Each digit is received by the switch, which replaces the dial tone with silence
and starts the Inter-Digit Timer (IDT).
3. The IDT runs while the switch is awaiting the next dialed digit and stops when
that digit is pressed.
After Party B dials the last number, the ring down sequence begins:
1. When the digit receipt stops (or when the maximum dialed digits are
pressed), the switch sends the request to the called number to allocate a
time slot.
2. When the called switch allocates a time slot the path is switched to the call
handler.
3. Party A’s phone rings (unless it is already off-hook).
Parties A and B can begin their conversation after the following sequence of
steps is completed:
1. Party A picks up the phone.
2. The switch receives an answered call indication (off-hook).
3. The ring-down signals stop.
4. Parties A and B are able to speak on the established voice path.
After the two parties finish their conversation, the on-hook sequence of steps
begins:
1. The conversation ends with either party hanging up the phone.
2. The on-hook indication is received by switches on access networks.
3. The switches release established paths (termination).
4. The call is ended.
During each of these sections there is traffic traveling in both directions to keep
the signal alive. There are numerous acknowledgement requests between the caller
and their access network, and the two access networks and the called party and their
network, to keep this communication path alive. Most of this traffic is happening
along the voice path.
This book is about securing voice over Internet networks, so later in the book
you will be introduced to a protocol called Session Initiation Protocol (SIP). Though
it is early on in the text we will now walk through a SIP to PSTN call. Remember
that PSTN is a voice network and the SIP is originating from a data-only network.
We will follow the sections of off-hook, digit receipt, ring down, conversation, and
on-hook. To better visualize this call sequence we will use the

PSTN: Operational and Regulatory Issues

Public Telephone and Telegraph (PTT) organizations are the highest-level monopoly
(or ex-monopoly) in each country, and generally are expected to comply with ITU-T
standards for interoperability. Each PTT is regulated by its country of origin. In
the United States, AT&T was broken up in 1982 into a long distance unit (AT&T as
the Inter-exchange carrier (IXC) was authorized only to carry long distance traffic),
and reorganized groups of regional Bell Operating Companies were given a limited
Local Exchange Carrier (LEC) role that until recently prevented them from selling
interstate (or interLATA) long distance services. Competitive LECs (CLECs), in spite
of regulatory advantages, hold less than 10% of local lines.

ANI Spoofing Services: Think again!

A number of services aimed at private investigators, collections agencies, or law
enforcement have sprung up since 2000 to provide pay-per-call ANI spoofing.
The service works like this: After setting up payment, you choose the 10-digit ANI
you want Caller ID to show (the LEC will typically add the business or individual
associated with the ANI number), plus the target number you want to call, then
the service calls you and initiates the spoofed ANI call to the target number
you’ve selected. Your target thinks you’re Pizza Hut calling back, or their mother,
or whoever you’re spoofing and you’ve just fooled them into picking up.
What you may not know is that this can be done from any PBX with ISDN
trunks that can support ANI. Most LECs have no way of validating the ANI you
present to them and happily pass that information along via CallerID, whether it’s
accurate or not. Note that this is different from the “Caller ID spoofing” that can
be done after a caller picks up on some CallerID equipment (fun with friends, but
not very useful if the caller decides not to answer). Effectively, ANI spoofing “poisons
the well” from which Caller ID gets its data.
Some carriers have suggested that they will crack down on this practice, but
since no comprehensive DID ownership database is kept across all LECs and CLECs
there is no current method to verify an ANI in real-time when it’s been presented.

Signaling Connection Control Part (SCCP)

The SCCP is used mainly for translating 800, calling card, and mobile telephone
numbers into a single destination point code.

Transaction Capabilities Applications Part (TCAP)

TCAP supports the passing and exchange of data within noncircuit-related communications.
An example of noncircuit-related data is authentication of a user to a
calling card plan.
The pieces of equipment that communicate within an SS7 network are called signaling
points, of which there are three kinds: Service Switching Points (SSP), Service Transfer
Points (STP), and Service Control Points (SCP).

ITU-T Signaling System Number 7 (SS7)

SS7 (or C7) is an ITU-T (formerly CCITT) standard that defines how equipment
in the PSTN digitally exchanges data regarding call setup and routing. Other ITU-T
signaling systems are still in use throughout the world, particularly:
■ ITU-T 4, Channel-Associated Signaling (CAS) with a 2VF (voice frequency)
code in the voice band and a 2040/2400 Hz supervisory tone
■ ITU-T 5, CAS with 2VF and a 2400/2600 Hz supervisory tone, plus interregister
codes with Multi-Frequency (MF) tones
■ ITU-T [5] R2, a revision of ITU-T 5 that uses different frequencies
What sets SS7 apart above all is the fact that it is Common Channel Signaling
(CCS), not CAS like its predecessors. Throughout the telecommunications industry,
SS7 is used for call session setup, management and teardown, call forwarding,
caller identification information, toll-free service, LNP, and other services as implemented
by carriers. Information passed through SS7 networks is communicated
completely out of band, meaning that signaling and media do not travel down the
same path. SS7 was loosely designed around the OSI 7-layer model. Figure 4.6
illustrates their basic similarities.

Message Transfer Parts 1, 2, and 3 (MTP)

MTP level 1 is much the same as the Physical layer (1) of the OSI model. Here the electrical
and physical characteristics of the digital signaling are addressed. The physical
interfaces defined here are those such as our previously discussed DS0 and T1. MTP
level 2 aligns with the Data Link layer of the OSI model and takes care of making
sure transmissions are accurate from end to end; Data Link layer issues
such as flow control and error checking are handled at MTP level 2. MTP
level 3 aligns itself with the Network layer of the OSI model. MTP level 3 reroutes calls
away from failed links and controls signaling when congestion is present.

Telephone User Part (TUP)

This is an analog system component. Prior to digital signaling the TUP was used to
set up and tear down calls. Today most countries are using the ISDN User Part
(ISUP) to handle this requirement.

ISDN User Part (ISUP)

Most countries are using ISUP to handle basic call components. ISUP works by
defining the protocols used to manage calls between calling and called parties.
Automatic Number Identification (ANI), known as Calling Party Identification
Presentation (CLIP) when it is passed on to a subscriber as caller ID, is
passed to the PSTN (or back again) through ISDN trunks and displays the calling
party’s telephone number at the called party’s telephone set during the ring cycle.
ANI is used for all Custom Local Area Signaling Services (CLASS) such as custom
ringing, selective call forwarding, call blocking, and so on.

The Intelligent Network (IN)

The model drawn up in the 1980s and 1990s for advanced network functionality is
called the Intelligent Network (IN). Services such as 8XX-number lookups as well
as Calling Cards, Private Integrated Services Networks (PISNs), and many other
advanced services are all made possible through SS7, ISDN, and IN capabilities.
PISNs are geographically disparate networks that are connected via leased lines that
allow for enhanced services such as multivendor PBX deployments, Voice VPNs
(don’t get these confused with data VPNs; they are a true private network for voice
just like that provided by a PBX), and even certain kinds of VoIP. A Private
Integrated Services Network Exchange (PINX) lives within a PISN. Another application
is integration with the QSIG protocol, which allows PBX products from different
vendors to be used transparently to integrate all voice networks.
QSIG (a Q.931 ISDN extension) as a protocol has been around since the early
to mid 1990s. We will talk about ISDN in the next section, but QSIG can be used
to integrate systems even without ISDN. QSIG also leverages DPNSS, which was
developed before the final QSIG protocol was agreed upon. Not used much
in U.S. networks, DPNSS had much of its life in the United Kingdom. Modern networks
are using QSIG as the means to interconnect voice channels between PBXs
while preserving critical information about caller and call state in the process.
ISDN is a common-channel signaling (CCS) solution that works with media or
data traveling down one pair of wires while signaling control is handled over
another. Remembering back to our earlier discussions of the channels of 64 kbps in
size, a typical ISDN will hold 23 bearer (B) channels that carry voice and data and
one data (D) channel that carries signaling information. All channels are 64 kbps, so
we have 24 64-kbps channels totaling 1536 Mbps, equivalent to a T1; an E-1 carries 30 B
channels plus a D channel. In each case we lose one channel to signaling.
Not only was distance from the central office a new issue with ISDN trunks,
but the customer also had to implement new equipment. This Customer Premise
Equipment (CPE) required ISDN terminators in order to access the network. Today
the use of ISDN in the provisioning and delivery of broadband Internet access via
DSL and cable services keeps pricing competitive and affordable. Besides its use in
the DSL services, ISDN still has an active share in providing redundant and emergency
data network access to critical servers and services when higher speed lines or
primary access has been disrupted.
Over the last 100 years, signaling has moved from operator-assisted modes to
loop and disconnect modes, from single frequency to multifrequency signaling, and
now to common channel signaling using the ISDN signaling channel.

Blueboxing and the Original Phone Phreaks

Named for the color of the first one found in 1961, blueboxing was the name
given to the first automated toll fraud technique to be employed by U.S. “phone
phreaks.” Author Ron Rosenbaum gave critical mass to the budding movement in
October 1971 through a sensational article in Esquire magazine that attracted the
attention of other hobbyists, including Steve Wozniak and Steve Jobs (who for a
short time produced and sold a blue box of their own before moving on to found
Apple Computer). Prior to that point, independent phreaks who would later form
the Internet hacking community consisted of a handful of disconnected hobbyists
that had independently stumbled onto the fact that sending a 2600 Hertz tone
down a long-distance trunk of that era (i.e., one using in-band ITU-T 5 signaling)
would terminate the call, then seize a trunk for reuse once the tone was removed,
allowing free long-distance calling and more. Ironically, the movement might
never have started save for a tiny whistle included in boxes of Cap’n Crunch cereal
during the 1960s that could reproduce a perfect 2600 Hertz tone.
Starring in the Esquire article were John Draper (known as “Cap’n Crunch”
and technical mentor to Steve Wozniak and hundreds of other phreakers), Joe
Engressia (a.k.a. “Joybubbles,” the most prominent of a group of blind
phreakers—and one who could whistle a 2600 Hertz tone thanks to perfect
pitch), and Mark Bernay (another pseudonym for “The Midnight Skulker,” a tireless
missionary of phreaking who spread the word to hundreds along the West
coast but has never been publicly identified to this day). Within a few years, the
community had amassed an enormous knowledge of the phone network and
gathered regularly over voice conferences to share that knowledge.
Further growth and sophistication followed the advent of the personal computer,
the modem-based Bulletin-Board Service (BBS), dedicated hack/phreak magazines
like 2600 and Phrack, and annual conferences like DefCon, each founded in the
early 1980s by the phreaking community.
At its height, the phreaking community had developed dozens of specialized
electronic gizmos designed to defeat PSTN billing or security mechanisms.
Here are the most commonly used “colored boxes” of that era:
■ Black Box—applies extra voltage to the line to enable free incoming
calls (billing equipment thinks the phone was never answered,
though it does look to the CO like someone was ringing the line for
a long time).
■ Beige Box—Lineman’s handset for eavesdropping and all blueboxing
functionality.
■ Blue Box—2600 Hz tone generator with full Multi-Frequency Code
(MFC) generator to generate dialing strings used by an operator.
MFC is like Dual Tone Multi-Frequency (DTMF, a.k.a. “Touch-Tones”)
but uses different frequencies and includes several keys (codes) not
available to DTMF.
■ Red Box—Generates tones corresponding to those used by AT&T’s
Automated Coin Toll System (ACTS) payphones that send specific
tones used when a coin is accepted (still works in many areas).
■ Gold Box—Placed across two phone lines to allow call out on the
other line when one is dialed (makes tracing more difficult).
Among the most notorious phreakers was Kevin Poulsen, who in 1990
decided that he wanted the Porsche 944 S2 being given away by KIIS-FM in Los
Angeles to the 102nd caller on a particular Friday. Taking control of the radio station’s
25 trunks through Pacific Bell’s maintenance system, he blocked out all
calls but his own (a stunt he’s suspected of repeating to block calls into the
Unsolved Mysteries tip line after he was profiled for other cybercrimes, though in
the end it wasn’t enough to prevent his arrest). Kevin apparently became the first
person banned by the U.S. Government from using the Internet (a sentence also
imposed on notorious hacker Kevin Mitnick, who was skilled in PSTN manipulation
as well).
Today the in-band Channel Associated Signaling (CAS) analog switching
equipment loved by phreakers has been replaced by digital switching with out-of-band
Common Channel Interface Signaling (CCIS) in most of the world, and a given
instance of toll fraud is more likely to occur by other means (typically through an
enterprise PBX or voicemail system) and with less risk to the perpetrator.
Electromechanical automated switching equipment first appeared in 1891 following
Almon Strowger’s patented Step by Step (SXS) system, although Bell System
resistance to it would postpone its adoption for decades. The classic rotary dial phone
was another Strowger invention that was finally adopted by the Bell System in 1919
along with SXS switches. Yet it would take until 1938 for Western Electric (the
equipment R&D arm of the Bell system) to develop a superior automatic switching
system, namely the crossbar switch. And not until the 1950s did Bell Labs embark on
a computer-controlled switch project, but the 101 ESS PBX that resulted in 1963
was only partially digital. Also introduced that year was the T1 circuit and Touch
Tones, the Dual-Tone Multi-Frequency (DTMF) dialing scheme that is still with us
today. Despite the fact that switching itself was analog, digital T1 circuits quickly
replaced analog backbone toll circuits and most analog CO interconnect trunks. By
1965 Bell had released the first central office switch with computerized stored

PSTN: Switching and Signaling

As the PSTN’s global reach and capabilities became more extensive, signaling
became the most significant security concern within the PSTN. In its early days, signaling
was no more complicated than taking the phone off-hook to let an operator
know you wanted to make a call. Dialing gradually became more automatic, first for
operators, then later for subscribers. Today’s direct-dial networks, VoIP gateways, and
myriad protocols only serve to increase the complexities and risks when it comes to
signaling.

PSTN: Signal Transmission

In the old days, the path an analog voice signal took from your phone to the CO
switch (or switchboard) was simple. With the appropriate cross-connects, each local
loop was half of the analog circuit required for a phone conversation, and the switch
(or operator) simply connected you with a calling or called party that represented
the other half of that circuit. Although loading coils might have been used to reduce
signal attenuation on the circuit, no amplification or signal processing was used.
Since Bell’s original invention, several improvements had been added. Common
battery from the CO with a separate return path instead of the earth eliminated the
need for a battery in each phone and made the phone less noisy. Ringing was
accomplished through magnetos, first added to the phones themselves and later
pulled in to the CO and standardized as 90 Volts of Alternating Current (AC)—all
other phone/PSTN functions on the line use Direct Current (DC). And eventually,
automated electromechanical switching eliminated much of the need for an operator
within the PSTN.
Still, analog transmission and switching had their limits. Until 1915, it wasn’t
possible to go much further than 1,500 miles on an analog long-distance circuit. And
even when that limit was broken thanks to the vacuum-tube amplifier, these long-distance
calls were very noisy. Radio telephony overseas and to ships further
expanded the reach of analog telephony in 1927. And Frequency Division
Multiplexing techniques were developed in the late 1930s that allowed many calls to
pass over a single voice circuit by using frequency shifting techniques equivalent to
those used by FM radio. Each 4 kHz band of voice conversation would be shifted up
or down to a specific slot, allowing many calls to be carried simultaneously over a
single coaxial cable or radio interface. By the 1950s, 79% of the inner-city CO
trunks in the United States were using FDM. But even the microwave systems in use
since the 1950s were analog systems.

T1 Transmission: Digital Time Division Multiplexing

Even though Alec Reeves of Britain had developed Pulse Code Modulation (PCM)
techniques in 1937 for digitizing audio signals, and Bell Labs had invented the transistor
in 1948, which was required for the large-scale implementation of digital techniques,
it would take more than a decade to make digital transmission a reality (and
longer still before the advent of digital switching could make the full signal path digital
outside the local loop). 1963 brought the introduction of the T1 or Transmission
One digital carrier using revolutionary signal manipulation techniques that would
forever change telephony.
Unlike all previous carriers, the T1 started in an all-digital format, meaning that
it was structured as a series of bits (193 per frame to be exact: 8 bits per channel, 24
channels, plus the framing bit, moving at the rate of 8,000 frames per second, or 1,544
Megabits per second) that by design could be completely regenerated again without
data loss over long distances (see Figures 4.3 and 4.4). This provides a 64-kilobit-per-second
digital bitstream for each of the 24 channels, using Time Division
Multiplexing (TDM).
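An added example (not from the book) that builds and demultiplexes the frame described above: 24 channels of 8 bits behind one framing bit, 193 bits per frame, 8,000 frames per second, which works out to 1,544,000 bits per second on the line and 64,000 bits per second per channel. The sample values are constructed.

```python
"""Added example: building and demultiplexing a DS1 (T1) frame.

Written for this page, not taken from the book. It models the frame described
in the text: 24 channels x 8 bits plus one framing bit = 193 bits, repeated
8,000 times per second. Sample values are constructed.
"""
from typing import List

CHANNELS = 24
BITS_PER_SAMPLE = 8
FRAMES_PER_SECOND = 8000
FRAME_BITS = CHANNELS * BITS_PER_SAMPLE + 1   # 193


def build_frame(samples: List[int], f_bit: int) -> List[int]:
    """Interleave one 8-bit PCM sample per channel behind the framing bit.

    Returns the 193 bits in transmission order: F bit first, then channel 1
    MSB..LSB, channel 2, and so on through channel 24.
    """
    if len(samples) != CHANNELS:
        raise ValueError(f"expected {CHANNELS} samples, got {len(samples)}")
    if f_bit not in (0, 1):
        raise ValueError("framing bit must be 0 or 1")
    bits = [f_bit]
    for s in samples:
        if not 0 <= s < 256:
            raise ValueError(f"sample {s} is not an 8-bit value")
        bits.extend((s >> i) & 1 for i in range(7, -1, -1))
    return bits


def extract_channel(frame: List[int], channel: int) -> int:
    """Recover channel N's (1-based) 8-bit sample from a 193-bit frame.

    This is the TDM demultiplex step: every channel owns a fixed 8-bit slot
    in every frame, so its sample is found by position alone.
    """
    if len(frame) != FRAME_BITS:
        raise ValueError("not a DS1 frame")
    if not 1 <= channel <= CHANNELS:
        raise ValueError("channel must be 1..24")
    start = 1 + (channel - 1) * BITS_PER_SAMPLE   # skip the F bit
    value = 0
    for b in frame[start:start + BITS_PER_SAMPLE]:
        value = (value << 1) | b
    return value


def demux_stream(frames: List[List[int]], channel: int) -> List[int]:
    """Pull one DS0's sample sequence out of a run of consecutive frames."""
    return [extract_channel(f, channel) for f in frames]


def line_rate_bps() -> int:
    """Aggregate line rate: 193 bits x 8,000 frames per second."""
    return FRAME_BITS * FRAMES_PER_SECOND


def channel_rate_bps() -> int:
    """Per-channel (DS0) rate: 8 bits x 8,000 frames per second."""
    return BITS_PER_SAMPLE * FRAMES_PER_SECOND


if __name__ == "__main__":
    # Constructed samples: channel n carries the value 17*n mod 256.
    samples = [(17 * i) % 256 for i in range(CHANNELS)]
    frame = build_frame(samples, 1)
    print("frame bits:", len(frame), "channel 24 ->", extract_channel(frame, 24))
    print("line rate:", line_rate_bps(), "bps; DS0 rate:", channel_rate_bps(), "bps")
```

Round-tripping the constructed samples through `build_frame` and `extract_channel` shows why a digital trunk is harder to tap than an analog pair: nothing on the wire is a single conversation until the frame alignment is known and the right 8-bit slot is pulled from every frame.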

PSTN: Outside Plant

The original premise behind the telephone exchange or Central Office (CO) was to
run only one wire or set of wires into each house and have a centrally located
facility for switching connections via operator (or automated equipment). Even
though new homes today may see six or more wire pairs, plus a coaxial cable for
broadband cable television, the basic principle remains the same: each line to the
customer forms a loop that passes through to the CO.
The collection of cabling and facilities that support all local loops outside the
CO (or “wire center”) is known as the “loop distribution plant” and is owned by the
Local Exchange Carrier (LEC). It starts out from the CO in a large underground
cable vault with primary feeder cable (F1) to reach out over copper (or fiber) to the
Serving Area Interface (SAI) for that area (look for a large grey or green box with
doors mounted on a concrete pedestal in most areas of the United States). F1 cable
is typically 600 to 2000 or more pairs and usually must be buried because of its
weight (although fiber-optic F1 cable can be aerial if needed). It often is armored or
pressurized and generally is enclosed in a concrete trench all the way to the CO,
with manholes or other access points at least every 750 feet to allow for installation
of repeaters (for digital trunks like the T1), loading coils, and other necessary equipment.
In most of the world, the LEC is able to keep F1 and SAI fairly secure
through physical locks, alarms, and so on.
At the SAI, F1 feeds are cross-connected to secondary feeder cable (F2) that
goes out over copper underground to pedestal boxes where the distribution cable is
split out or on poles to aerial drop splitters. Subscriber drop wires are then cross-connected
to the F2 at that point. In rural areas, even lower-level cable facilities (F3,
F4, F5) may exist before a drop wire is terminated. A box is installed where the drop
wire is terminated outside the subscriber’s premises and this box is considered the
demarcation point for the LEC. All wiring from there to the CO is the responsibility
of the LEC, and from there to the phone devices themselves is the subscriber’s
responsibility (or that of the landlord). Physical security of that inside wiring—particularly
in shared facilities—can be an issue in some cases. And F2 or lower feeds
and pedestals are not well secured in general (and present the biggest opportunity to
an eavesdropper).
Where growth or other planning challenges have exhausted the supply of F1 or
F2 pairs, it’s sometimes necessary for the LEC to install Remote Terminal (RT)
equipment (sometimes called “pair gain” systems) that can multiplex multiple local
loops on to a digital T-carrier (using Time-Division Multiplexing (TDM) over a 4-wire
copper or pair of fiber-optic cables), or via older Frequency-Division
Multiplexing (FDM) systems. RT units generally are locked and alarmed, however.
And it is much more difficult to eavesdrop on a digital trunk (such as a T-carrier) or
FDM system because of the costly equipment required. Figure 4.1 shows a diagram
of a central office equipped with outside distribution plant (ODP).

* This classic example assumes no fiber is in use to these SAIs within the CO (see
SONET example in Figure 4.2).
In addition to the loop distribution plant, the LEC will have outside plant for
trunking between central offices, and the LEC and other Inter-exchange Carriers
(IXCs) will have outside plant for long distance connections between COs and other
switching centers such as toll centers. And the LEC or other Competitive
Local Exchange Carriers (CLECs) may run fiber for SONET (or SDH) rings

PSTN Architecture

Introduction

In 1876, Alexander Graham Bell patented the telephone and envisioned telephony’s
eventual triumph over the dominant communications network of his day: the telegraph
network. Over the past decade, similar pronouncements have been made
about VoIP and the Public Switched Telephone Network (PSTN) as IP-based communication
becomes more pervasive. In both cases, the overall prediction has proven
correct, even if the path for each was far more gradual and the result more integrated
than originally anticipated. Case in point: Western Union (as a unit of First
Data Corp.) did not discontinue its telegram service in the United States until
January 27, 2006, even as numerous phone-to-telegram and web-to-telegram gateways
continue to operate in conjunction with telegraph, cable, telex, and radio messaging
networks worldwide.
With that in mind, it’s essential to include the PSTN and its associated risks
when examining VoIP security. Don’t forget that today’s Internet hacking community
can trace its roots directly to the “phone phreak” subculture of the 1970s that
first broadly exposed and exploited weaknesses in switch signaling protocols. Ever
since automated long-distance switches were introduced by AT&T in the 1950s,
people have been trying to figure out ways to bypass the toll services and get voice
services for free. And the first known instances of eavesdropping by phone predate
even the Bell System itself. The PSTN has evolved considerably in recent years, but
the addition of VoIP services also has created new and novel vulnerabilities for both
data and voice.
PSTN: What Is It, and How Does It Work?

Today, the PSTN is the most broadly interconnected communications system in the
world, and is likely to remain so for at least another decade or more. For voice, it has
no equal. VoIP services like Skype have banked on this fact; their business model
depends on a steady flow of PSTN interconnect charges. But the PSTN provides
FAX, data, telex, video, and hundreds of other multimedia services as well. And for
many decades, the PSTN has enjoyed a universal numbering scheme called E.164.
When you see a number that begins with “+” and a country code, you are seeing an
E.164 number. In most of the world, connectivity to the PSTN is considered as
essential as electricity or running water. Even the Internet itself depends on the
PSTN to deliver dedicated access circuits as well as dial-up.
In the early days following Bell’s invention, wired communications at its most
advanced meant two (or more) devices sharing a single iron wire, whether you were
using a telegraph or telephone. A grounded wire to earth completed the circuit running
between phones, each with its own battery to generate the current necessary to
transmit. It was noisy and lines couldn’t run very far, and it would be many decades
before it could truly be called a global network, much less a national one.
To fully define today’s PSTN, we’ll need to focus on several areas in turn. First,
the physical “cable plant” required for signal distribution, from twisted-pair copper
and coaxial electric to the latest fiber-optic cabling. Second, its signal transmission
models, combining analog and digital signal processing and transmission over electrical,
optical, and radio interfaces. This directly affects the kinds of content it can
carry. Third, the increasing sophistication of associated signaling (control) protocols
and “intelligent network” design introduced with the Integrated Services Digital
Network (ISDN). And finally, its associated operational and regulatory infrastructure
on international, national, state, and local levels.

Monday, March 10, 2008

Authentication: 802.1x
802.1x is an authentication (and to a lesser extent, authorization) protocol, whereas
WEP/WPA are encryption protocols. And although 802.1x can be used on wired
networks as well, it is most common today on wireless networks. It acts as an added
layer of protection for existing wireless security implementations like WEP or WPA2
by requiring additional authentication to join a network beyond the shared secret
associated with the encryption key.
802.1x works by forcing users (or devices) to identify themselves before their
traffic is ever allowed onto the network. This happens through the use of the
Extensible Authentication Protocol (EAP) framework. EAP orchestrates password
negotiation and challenge-response tokens, coordinating the user with the authentication
server. 802.1x carries the EAP traffic inside Ethernet frames instead of over PPP, a
much older protocol used all over the Internet. Keep in mind that
there are a lot of different EAP methods available, so when you are comparing
vendor support for 802.1x in infrastructure and VoIP devices you need to pay careful
attention to the specific methods supported.
As soon as the access point, called the authenticator, detects that the link is active, it
sends an EAP Request Identity packet to the party requesting access, known as the
supplicant. The supplicant then responds with an EAP Response Identity packet, which the
authenticator passes to the authentication server, which grants or denies access (see
Figure 3.2).
Think of the supplicant as the guy trying to get into “Club WLAN,” who asks
the guy at the door if he’s on the list. The authenticator then flags down the bouncer
(authentication server) to see if he’s “on the list.” If he is, the bouncer lets him in to
party with the rest of the party-packets. If not, it’s to the curb he goes!
Figure 3.2 A Basic 802.1x Implementation for a Wireless Network*
* If this were a wired 802.1x solution, the supplicant would be connected directly
to the authenticator (typically a LAN switch).
Because of its moderately complex nature, 802.1x is not as quick to catch on
with home users. The involvement of an authentication server (such as a RADIUS
server) puts this technology just out of reach for most. However, 802.1x is ideal for
businesses and public hot spots looking for more security than WEP or WPA2 alone
provide.



Power-Supply Infrastructure
Often overlooked as part of the infrastructure required for secure VoIP is how power
issues will be addressed. PBX and PSTN phones run on a common battery system
that provides availability for free in the face of a power outage, but VoIP phones and
the infrastructure that powers them must be carefully designed to meet equivalent
requirements.


Power-over-Ethernet (IEEE 802.3af)
Like the name implies, Power-over-Ethernet (POE) eliminates the need to run a
separate power supply to common networking appliances. POE works by injecting
power using a switch or special power injector that pushes Direct Current (DC)
voltage into the CAT5 cable. POE can be used directly with devices specifically
designed for POE or with other DC-powered devices with a converter installed.
This converter, called a picker or a tap, diverts the extra voltage from the CAT5
cable and redirects it to a regular power jack.
The major advantage of POE is that it allows greater flexibility in installing networking
equipment. Access points can be set up in remote locations where placement would
normally be limited by proximity to a power outlet. It’s often easier to route CAT5
cable outdoors (to an antenna or into a tree, for instance) when only network cable is
required. POE is also very popular with supplementary low-power devices, such as
IP telephones and webcams, even computers!
POE is regulated by the IEEE 802.3af standard. This standard dictates that the device
must provide 48 volts of direct current, split over two pairs of a four-pair cable. The
maximum current is limited to 350 mA, with a maximum load of 16.8 watts. Several
vendors have created proprietary (prestandard) implementations of POE; however, in
most cases newer equipment from these vendors is now available that is compliant
with the IEEE standard (although at least one of these vendors now advertises an
ability for the client to request a lower or higher amount of current through a proprietary
process of negotiation above and beyond specifications within the standard).
To properly address VoIP phone availability concerns using POE, be sure that
the power injector, network equipment, and voice servers (and gateways) can all
operate on battery power for a sufficient length of time, and consider use of a generator
when appropriate.
POE in action is pretty simple. The power source checks to see if the device on
the other end of the wire is capable of receiving POE. If it is, the source then checks
to see on which pairs of wires the device will accept power. If the device is capable,
it will operate in one of two modes, A or B. In mode A, power is sent one way over
pins 1 and 2, and is received over pins 3 and 6. In mode B, power is sent over pins 4
and 5 and is received over pins 7 and 8. Although only one mode will be used at a
time, a device must be able to use both A and B to be IEEE 802.3af compliant.


UPS
No availability strategy can be considered complete without appropriate use of
Uninterruptible Power Supply (UPS) technology. Mission critical equipment such as
PBX systems and servers need to be protected from unscheduled power outages and
other electrical maladies. Because of the sensitive nature of electronic equipment,
safeguards need to be put in place to ensure the safety of this equipment. A UPS
protects against several availability threats:
■ Power surges: When the power on the line is greater than it should be,
the UPS acts as a buffer, ensuring that no more power reaches the machine
than is supposed to. If a power surge were to occur without a UPS inline,
sensitive electronics literally could be zapped out of life.
■ Partial loss of power: A brownout occurs when the power on the line is
less than is required to run an appliance. In many cases a brownout is considered
to be more dangerous than a total power failure, as electrical circuitry
is very sensitive to power requirements.
■ Complete loss of power: A blackout occurs when power is completely
lost to an area. This is very common during natural disasters, where severe
weather may topple the electrical infrastructure of an area. Gas- or battery-powered
UPS systems allow equipment to continue functioning for a
set period of time after the lights have gone out. This is ideal for finicky
gear that needs to be completely shut down before going dark, lest system
integrity be compromised.
In a call-center environment, downtime to the phone system can be fatal to
business. With a properly implemented disaster recovery plan including a network of
UPS devices, the phones can continue to work when standard computer systems
might not be able to. This may mean the difference between success and doom for
some companies.


Energy and Heat Budget Considerations

Given the heat and energy crisis being faced in many data centers due to the rapid
increase in equipment densities (without a corresponding decrease in energy efficiency),
planning for VoIP availability must include consideration for heat and power
capacities in the room where VoIP servers and gateways will be housed. Don’t omit
this step only to discover after you’ve deployed that you have no power or cooling
headroom for the additional equipment!

IP Switches and Routers
Although their role is defined by the data network rather than by VoIP, a
router’s purpose in life is to connect two or more IP subnetworks at layer 3, and an IP
switch performs a similar function at layer 2. Routers and switches operate on the
network and data-link layers, respectively, examining the IP address or MAC
address of each packet to determine its destination and then forwarding that
packet toward its recipient. For VoIP, the biggest consideration at these layers is QoS
marking and treatment such as DiffServ and RSVP, which should be supported by
this infrastructure in a way that lets legitimate voice packets through with high
priority and shuts out malicious packets, particularly those aimed at causing DoS
attacks. This may be easier said than done in some cases. If an attacker can inject
QoS-marked packets into your network, will your QoS scheme create a DoS condition
for both voice and data?
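The usual answer to that question is a trust boundary: believe DSCP marks only on ports where a phone is known to be, rewrite everything else to best effort, and police the voice queue so that even trusted traffic cannot starve data. The following simulation is an added example (not from the text or any switch vendor) of those two controls; the port names, the 1 Mbit/s voice budget and the packet mix are constructed.

```python
"""DSCP trust boundary plus voice-queue policer, simulated (added example)."""
from collections import Counter

DSCP_EF, DSCP_BE = 46, 0   # Expedited Forwarding (voice) and best effort


class Port:
    def __init__(self, name: str, trusted: bool):
        self.name, self.trusted = name, trusted


class TrustBoundary:
    """Classifier plus a simple single-interval policer on the voice queue."""

    def __init__(self, ef_limit_bps: int, interval_s: float = 1.0):
        self.ef_budget = int(ef_limit_bps * interval_s / 8)   # bytes admitted per interval
        self.ef_used = 0

    def classify(self, port: Port, dscp: int, size: int) -> str:
        """Return the queue a packet lands in ('voice' or 'data') or 'drop'."""
        if not port.trusted:
            dscp = DSCP_BE          # marks arriving on untrusted ingress are rewritten, not believed
        if dscp != DSCP_EF:
            return "data"
        if self.ef_used + size > self.ef_budget:
            return "drop"           # excess EF is dropped rather than queued ahead of data
        self.ef_used += size
        return "voice"


# Constructed ports: a phone on a trusted port, a PC on an untrusted one
PHONE_PORT = Port("Gi1/0/1 (IP phone, trusted)", trusted=True)
USER_PORT = Port("Gi1/0/2 (user PC, untrusted)", trusted=False)


def sample_traffic():
    """Constructed one-second sample of (port, dscp, bytes) tuples."""
    t = [(PHONE_PORT, DSCP_EF, 200)] * 50          # normal voice packets
    t += [(USER_PORT, DSCP_EF, 1500)] * 1000       # PC sending frames pre-marked EF
    t += [(PHONE_PORT, DSCP_EF, 1500)] * 200       # trusted port bursting past the voice rate
    return t


def run_policy(packets, ef_limit_bps: int = 1_000_000) -> dict:
    """Run the sample through the boundary and count what lands where."""
    tb = TrustBoundary(ef_limit_bps)
    return dict(Counter(tb.classify(p, d, s) for p, d, s in packets))


if __name__ == "__main__":
    print(run_policy(sample_traffic()))  # {'voice': 126, 'data': 1000, 'drop': 124}
```

With a 1 Mbit/s budget (125,000 bytes per second) the 1000 EF-marked frames from the PC all land in the data queue, the phone's 50 normal packets are carried, and only 76 of the 200 oversized trusted-port frames fit before the policer starts dropping, so the data queue is never starved by EF traffic from either source.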



Wireless Infrastructure
Wireless access points and associated infrastructure are similarly considered an extension
of the data network. However, the increasing use of VoIP clients within this
infrastructure creates several unique security considerations (particularly DoS given
that wireless is a shared medium). In addition, wireless VoIP devices in the marketplace
have lagged in implementation of the most current wireless encryption recommendations.
All this should be taken into consideration in the design and operation
of wireless VoIP.


Wireless Encryption: WEP
When wireless networking was first designed, its primary focus was ease of implementation,
and certainly not security. As any security expert will tell you, it’s
extremely difficult to secure a system after the fact. WEP, the Wired Equivalent
Privacy encryption scheme, initially was targeted at preventing theft-of-service and
eavesdropping attacks. WEP comes in two major varieties, standard 64-bit and 128-
bit encryption. 256-bit and 512-bit implementations exist, but they are not nearly as
widely supported by vendors. 64-bit WEP uses a 24-bit initialization vector that is
prepended to the 40-bit key itself; combined, they form the RC4 key. 128-bit WEP uses a
104-bit key with the same 24-bit initialization vector. 128-bit WEP was implemented
by vendors once a U.S. government restriction limiting cryptographic technology
was lifted.
In August of 2001, Fluhrer, Mantin, and Shamir released a paper dissecting cryptographic
weaknesses in WEP’s use of the RC4 algorithm. They had discovered that WEP’s 24-bit
initialization vectors were not long enough, and that repetition in the cipher text occurred
on busy networks. Certain so-called weak IVs leaked information about the private key.
An attacker monitoring encrypted traffic long enough was able to recreate the private
key, provided enough packets were gathered. Access point vendors responded by
releasing hardware that filtered out the weak IVs.
However, in 2004 a hacker named KoreK released a new statistical-analysis attack
on WEP, which led the way to a whole new series of tools. These new wireless
weapons broke WEP using IVs alone, and no longer only the IVs considered
weak. On a 64-bit WEP encrypted network, an attacker need gather only around
100,000 IVs to crack it (although more certainly increases the chance of success),
and only 500,000 to 700,000 for 128-bit WEP. On a home network, it can
take days, even weeks to see enough traffic to make cracking the key possible.
However, clever attackers discovered a way to stimulate network traffic by replaying
encrypted network-level packets at the target. By mimicking legitimate network
traffic, the target network would respond over and over, causing a flood of network
traffic and creating IVs at an accelerated rate. With this new attack, a 128-bit WEP
network can be broken in as little as 10 minutes.
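To see why a 24-bit IV is the root of the trouble, it helps to build the per-frame key exactly as WEP does and watch what happens when an IV repeats. The block below is an added example, not code from the text: it prepends a 3-byte IV to a 40-bit key, generates RC4 keystream from the result, shows that two frames under the same IV reveal the XOR of their plaintexts to anyone who captured both (no key needed), and computes the birthday bound for how quickly a randomly drawn IV repeats. The key, IV and frame contents are constructed, and the CRC-32 integrity value real WEP appends is omitted.

```python
"""WEP-style RC4 keying and the cost of a 24-bit IV (added example)."""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by pseudo-random generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, frame: bytes) -> bytes:
    """WEP per-frame keying: keystream = RC4(IV || key); the IV travels in the clear.
    Decryption is the same operation. (Real WEP also appends a CRC-32 ICV; omitted here.)"""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP uses a 3-byte IV with a 40-bit or 104-bit key")
    return xor_bytes(frame, rc4_keystream(iv + key, len(frame)))


def keystream_reuse_leak(key: bytes, iv: bytes, frame1: bytes, frame2: bytes) -> bool:
    """Same IV used twice: C1 xor C2 equals P1 xor P2, with no knowledge of the key."""
    c1 = wep_encrypt(iv, key, frame1)
    c2 = wep_encrypt(iv, key, frame2)
    return xor_bytes(c1, c2) == xor_bytes(frame1, frame2)


def frames_until_iv_collision(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames after which a randomly drawn IV has repeated with the given probability."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(-2 * n * math.log(1 - probability)))


if __name__ == "__main__":
    key = bytes.fromhex("0badc0ffee")      # constructed 40-bit key
    iv = b"\x01\x02\x03"                   # constructed IV
    print(keystream_reuse_leak(key, iv, b"GET /phone.cfg", b"SIP/2.0 200 OK"))  # True
    print(frames_until_iv_collision())     # 4823
```

Fewer than five thousand frames give a 50% chance of a repeated IV on a busy access point, and a repeat costs the confidentiality of both frames at once; this is the structural limit the later attacks on WEP built upon, independent of the weak-IV filtering vendors added.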



Wireless Encryption: WPA2
WPA, WiFi Protected Access, was created to address overwhelming concerns with
WEP’s inadequacy. WPA still uses RC4; however, it uses a 128-bit key appended to a 48-
bit initialization vector. This longer key, together with the Temporal Key Integrity Protocol
(TKIP), which changes keys mid-session, on the fly, defeats the key recovery attacks
made popular against WEP. Additionally, the Message Integrity Code (MIC) includes a
frame counter in the packet, which prevents the replay attacks that cripple WEP.
WPA2 came out of the IEEE group as the certified form of 802.11i. RC4
was replaced by the favored AES encryption scheme, which is still considered
secure. WPA’s MIC is replaced by CCMP, the Counter Mode with Cipher Block
Chaining Message Authentication Code Protocol. CCMP checks to see if the MIC
sum has been altered, and if it has, will not allow the message through.
Perhaps the most beneficial attribute of WPA2 is its ease of implementation. In
most cases, hardware vendors needed only to reflash the firmware of their access points
to allow for WPA2 compatibility.
Although considerably stronger than its older brother, WEP, WPA2 is not without
fault. WPA2-encrypted traffic is still susceptible to dictionary attacks, since WPA2 uses
a hashing algorithm that can be reproduced. Joshua Wright released a tool called
coWPAtty, a brute-force cracking tool that takes a list of dictionary words
and encrypts them using WPA2’s algorithms, one at a time. The encrypted value of
each word is then compared against the encrypted value of captured traffic, and if the
right password is found, POOF! The packet becomes intelligible.
Although brute-force cracking is not guaranteed to yield results, it leverages a
weakness found in almost all security mechanisms—the user. If a user chooses a password
that is not strong enough, or uses semipredictable modifications (the number 3
in place of “e”), the network will fall. It is recommended that users install a
pass-phrase instead of a traditional password. A pass-phrase longer than eight characters,
which includes nonalphanumeric characters, is much less likely to be discovered
by brute-forcing methods. And never, ever use a dictionary word as a password, as
these will often be discovered within minutes using freely available software from the
Internet.
When implementing wireless VoIP, always use WPA2 or an alternative means
of protecting the VoIP stream (i.e., media and signaling encryption or IPsec tunneling).
Given the speed with which WEP can be cracked, it’s almost pointless to use
it, since it adds encryption latency and creates a false sense of security.

Clients

IM Clients
Instant messaging is perhaps the dominant means of real-time communication on
the Internet today. IM’s roots can be traced back to the Internet Relay Chat (IRC)
networks, which introduced the chat room concept but did not track online presence
and never reached the popularity of IM. Just as IM is the next logical step from
IRC, voice chat is the next leap from text-based chat. Most of today’s most popular
IM clients have included voice functionality, including AOL’s Instant Messenger,
Yahoo! Messenger, and MSN Messenger. Skype took the opposite approach and created
a chat client that focuses on voice as the star and text chat as an afterthought.
Even Google jumped aboard the IM bandwagon, releasing Google Talk. Let’s take a
look at these clients to see what makes them similar, and what makes them different.
AIM, AOL’s IM service, surely wasn’t the first on the scene, but it has the largest
base of users. Initially AIM was limited to users of the AOL Internet service, but
eventually it was opened up to the Internet as a whole. With the addition of a proprietary
voice capability in late 1999, AOL was a VoIP pioneer of sorts (although
voice chat was first available through Mirabilis’s ICQ). Yahoo! Chat jumped aboard
the voice bandwagon soon after, and Google’s more recent client has included voice
from the beginning. In 2005, Yahoo announced interoperability with Google and
MSN (which also has a voice chat plug-in for Messenger that is also used with its Live
Communication Server product). In addition, Microsoft’s popular Outlook e-mail
client (and the entire Office suite in the case of LCS) can be linked to Microsoft
Messenger. Also worth mentioning is the Lotus Domino IM client that competes
with Microsoft LCS in the enterprise instant messaging (and presence) space, as well
as Jabber, which can be used to tie together both public and private IM services
using the XMPP protocol.
Google Talk is the newcomer to the IM game. Though Google Talk is still in
its infancy, it stands to succeed due largely to a philosophical standpoint, embracing
open standards over proprietary voice chat. Google Talk aims to connect many different
voice networks over a series of peering arrangements, allowing users to minimize
their need to run several IM clients. Like Skype, Google seeks to bridge
traditional phone calls with Internet telephony, promising to federate with SIP networks
that provide access to an ordinary telephone dial tone. Google recently
released a library called libjingle to programmers, allowing them to hack new functionality
into Google Talk. It will be interesting to see where Google takes Google
Talk in the future.


Video Clients
Most of us can probably think back and recall seeing episodes of The Jetsons when
we were younger. Or pictures of the AT&T PicturePhone from the 1964 World’s
Fair. Movies have all but promised these devices to be a staple of every day life in
the future. And for decades, the video conference has been pushed by enterprises
seeking to save money on travel (though investments in video conferencing equipment
tend to sit around gathering dust). Live video on the Internet has its adherents,
and today we see yet another wave of marketing aimed at the business use of video.
So, will video finally take off around VoIP just like audio, or is there something different
going on here?
The video phone has been tomorrow’s next big technology for 50 years but the
issue has been more sociological than technological. Certainly, popular instant messaging
clients have included video chat capabilities for some time now, although
each client typically supports only video between other users of the same client or
messaging network. And although it always gives me a kick to see someone else
announcing that they’ve solved the gap with technology, the point is well taken that
video is here to stay in VoIP systems—even if it doesn’t get as much use as VoIP.
The latest on the video bandwagon is the Skype 2.0 release. At only 15 frames
per second and 40 to 75 kbps upload and download, Skype Video works well on a
standard home DSL line or better. Other popular IM clients with video include
Microsoft’s Messenger and Yahoo Instant Messenger. AIM now offers video as well.
H.323-based IP videoconferencing systems have been available in hardware and
software from many sources for almost a decade at this point, so there’s no shortage
of vendors in this space. And SIP video phones are available from many of these
same vendors and from startup companies in the SIP space.



Wireless VoIP Clients
Over the past few years, an explosion of wireless VoIP solutions has hit the marketplace.
Most of these solutions are immature, and if broadly deployed can completely
overrun the available bandwidth on 802.11b (or g) networks that were not engineered
for high-density voice, even with QoS prioritization. And although 802.11a networks
can handle higher wireless VoIP densities, they present other backward-compatibility
issues of their own. And we haven’t even gotten to the security issues yet! Still, the
promise of WiFi VoIP is tantalizing, and most enterprises that have deployed VoIP
solutions seem to have experimented with it. The idea of a combined cellphone/WiFi
phone (and maybe PDA too) seems just too compelling to ignore, even if power consumption
issues keep the concept sidelined in the short term.

Application Proxies

A proxy server acts as a translator for transactions or calls of different types. If
Johnny’s phone speaks IAX and Jen’s phone speaks only SIP, the proxy sits between
them and translates the message as necessary. Even if both sides speak the same protocol,
be it HTTP or SIP, there are security or NAT or other boundaries that call
for either a proxy or packet manipulation in an Application Layer Gateway (ALG)
within a firewall. The benefit of an application proxy is that it can be designed
specifically for a protocol (or even a manufacturer’s implementation of a protocol).
In addition to allowing boundary traversal, a proxy can also be used as a means of
access control, ensuring that a user has the rights to place a call before allowing it to
proceed. And the best proxies can even guard against malformed packets and certain
types of DoS attacks. Depending on the complexity of your call requirements, a
proxy may be integrated into a PBX or Media Server, or it may be an entirely different
piece of hardware.



Endpoints (User Agents)
In a phone system, an endpoint on the network was known as a terminal, reflecting
the fact that it was a slave to the switch or call-control server. But today’s endpoints
may possess much more intelligence, thus in the SIP world the term User Agent is
preferred. This could be a hardware IP telephone, a softphone, or any other device or
service capable of originating or terminating a communication session directly or as
a proxy for the end user.


Softphones
With the advent of VoIP technology, users are able to break free of classical physical
restrictions of communication, namely the special-purpose telephone terminal. A softphone
is a piece of software that handles voice traffic through a computer using a standard
computer speaker and microphone (or improved audio equipment that is
connected through an audio or multimedia card). Softphones can emulate the look
and feel of a traditional phone, using the familiar key layout of a traditional phone and
often even emulating the DTMF sounds you hear when you dial a call. Or it may
look more like an instant messaging (IM) client, and act like audio chat added to IM.
In fact, a softphone doesn’t even need a computer microphone or speaker: my
favorite doesn’t need to send media through the computer at all in telecommuter
mode—it just uses H.323 signaling to tell my media server which PSTN number (or
extension) to dial for sending and receiving the audio.This lets me turn any phone
into a fully featured clone of my work extension without regard to QoS available to
me on my Internet connection.
Because a softphone resides on a PC, the principle of logically separating voice
and data networks is defeated, as the PC must reside in both domains. You will need
to consider this trade-off as you design appropriate security policy for your VoIP
network, although the long-term trends favor voice-data integration, so at best
maintaining physical separation can be only a temporary strategy.
Consumer softphones have exploded over the past few years and nothing is
hotter than Skype in that space. Skype is the brainchild of the people who brought
us the Kazaa file sharing framework. Utilizing peer-to-peer technology and an
encrypted signaling and media channel, Skype has proven to be both easy to set up
and use securely by end users, while simultaneously being a thorn in the side of network
administrators. Because it aggressively jumps past firewalls to create call traffic,
it is considered to be a threat by many enterprise security groups.
One of Skype’s major enhancements over instant-messaging-based voice is its
superb codec, which is actually better than that used within traditional telephone
infrastructure. This provides superior call quality when contacting other Skype users.
Another major benefit of Skype is the ability to reach any phone in the PSTN by
way of SkypeOut gateways. With its PSTN gateway, Skype has become an attractive
alternative for small overseas call centers and other Internet businesses.
Are You 0wned?

Consumer Softphone Gotchas
Many consumer-oriented softphones contain advertising software that “phones
home” with private user information. Several popular softphones (such as X-Lite)
store credentials unencrypted in the Windows registry even after uninstallation
of the program. Softphones require that PC-based firewalls open a number of
high UDP ports as part of the media stream transaction. Additionally, any special
permissions that the VoIP application has within the host-based firewall rule set
will apply to all applications on that desktop (e.g., peer-to-peer software may use
SIP for bypassing security policy prohibitions).
Also consider that malware affecting any other application software on the
PC can also interfere with voice communications. The flip-side is also true—malware
that affects the VoIP software will affect all other applications on the PC and
the data services available to that PC (a separate VoIP phone would not require
access to file services, databases, etc.).

Interactive Media Service: Media Servers
On the other hand, there is another kind of media server that actually contains DSP
resources that it uses to process speech or video (and perhaps one or more additional
forms of media). These may be involved with generating and receiving DTMF tones,
executing the logic of an IVR system, converting text-to-speech or handling
streaming or document content in response to speech or DTMF input. Or it may
orchestrate multiway call traffic, conference calls, handle translation between codecs,
or even fax processing. Media servers of this class may provide VoiceXML interpretation
for interactive, dynamic voice applications.



Call or Resource Control: Media Servers
This class of media server is responsible for managing communications resources at a
higher level, such as handling call control while managing media gateways that have
DSP and other gateway resources for the actual media manipulation. Most Media
Servers support VoIP protocols but are likely also to support others as well, such as
digital voice or video trunks, or even analog voice through media gateways.
Examples of this kind of media server include call control servers from PBX vendors
that control separate gateways, voice processing servers that manage and redirect DSP
resources located elsewhere, and call distribution systems that manage off-board call
handling resources such as switches and IVR systems.
The H.323 Gatekeeper
This gatekeeper is the manager of one or more gateways, and is responsible for providing
address translation (alias to IP address) and access control to VoIP terminals
and gateways. A gatekeeper acts as the central authority for other gateways, allowing
an administrator to quickly and authoritatively roll out changes across a voice network.
Gatekeepers limit the number of simultaneous calls on a network by exercising
control over a proxy. A gatekeeper works something like this: a user wants
to make a call to another user at a different physical location, and his phone registers
with a local gateway. The gateway then passes his call information to the gatekeeper,
which acts as a central hub to other gateways and users. The gatekeeper then
passes call setup information to the gatekeeper at the other office, which in turn
hands it to the appropriate destination gateway, and finally to the desktop of the
called party. Many call control media servers include an H.323 gatekeeper.



Registration Servers
In a traditional PSTN or PBX switching system, where each user is at a fixed location,
usually tied in place by copper wires, routing calls is (relatively speaking)
simple. So-called find-me/follow-me services on PSTN or PBX switches can add
PSTN mobility. Forwarding or extension-to-cellular features can increase this sense
of mobility, but all these solutions require active user programming or rely on fixed
forwarding algorithms and are rooted in the PSTN.
But with VoIP, a user can be geographically located virtually anywhere on the
planet (as long as minimum QoS conditions are present). A registration server acts as
a point of connection for mobile users. Johnny can log in to the registration server
from his hotel room in Amsterdam with an unknown IP address and the registration
server will let the gateways know where to route his traffic. That way, Johnny can
keep the same phone number no matter where he is physically located. A similar
example can be seen with instant messaging networks. A user can log in using his
screen name from home and be reachable to the same users as if he had logged in
from work. In the H.323 world, registration is a function of a gatekeeper; however,
this can be a separate function in the SIP realm.




Redirect Servers
A SIP redirect server acts as the traffic light at the VoIP intersection. Very much like
a web page with a redirect tag built in, a redirect server will inform a client if the
destination the caller is trying to reach has changed. Armed with the updated information
from the redirect server, the client will then re-request the call using the new
destination information. This takes some of the load off proxy servers and improves
call routing robustness. In this way, a call can quickly be diverted from a proxy, rather
than requiring the proxy to complete the connection itself.
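The two SIP roles just described, the registration server of the previous section and the redirect server of this one, are easier to see with both sides of each exchange in front of you. The block below is an added example (not from the text or from any SIP stack): a registrar binds Johnny's address-of-record to the Contact he registers from his hotel room and expires it; a redirect server answers Jen's INVITE with 302 Moved Temporarily carrying that Contact; the client re-issues the INVITE to the new Request-URI. The domain, users and addresses are constructed (203.0.113.0/24 is documentation address space), and the registrar refuses to bind addresses outside its own domain or to route on an expired binding.

```python
"""SIP registrar, redirect server and redirect-following client, simulated (added example)."""
import re
import time
from typing import Callable, Optional

URI_RE = re.compile(r"<?(sips?:[^>;\s]+)")   # pulls the URI out of To:/Contact: values


def parse_sip(msg: str):
    """Start line, headers (names lower-cased, values kept as lists) and body."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


class Registrar:
    """Address-of-record -> (contact, expiry) bindings; 'now' is injectable for testing."""

    def __init__(self, domain: str, now: Callable[[], float] = time.time):
        self.domain, self.now, self.bindings = domain, now, {}

    def handle_register(self, msg: str) -> str:
        _, h, _ = parse_sip(msg)
        aor = URI_RE.search(h["to"][0]).group(1)
        contact = URI_RE.search(h["contact"][0]).group(1)
        expires = int(h.get("expires", ["3600"])[0])
        if not aor.endswith("@" + self.domain):
            return "SIP/2.0 403 Forbidden\r\n\r\n"     # only this domain's users may register here
        if expires == 0:
            self.bindings.pop(aor, None)               # explicit de-registration
        else:
            self.bindings[aor] = (contact, self.now() + expires)
        return f"SIP/2.0 200 OK\r\nContact: <{contact}>;expires={expires}\r\n\r\n"

    def lookup(self, aor: str) -> Optional[str]:
        entry = self.bindings.get(aor)
        if entry and entry[1] > self.now():
            return entry[0]
        return None                                    # unknown or expired: never route on a stale binding


class RedirectServer:
    def __init__(self, registrar: Registrar):
        self.registrar = registrar

    def handle_invite(self, msg: str) -> str:
        start, _, _ = parse_sip(msg)
        _, request_uri, _ = start.split(" ", 2)
        target = self.registrar.lookup(request_uri)
        if target is None:
            return "SIP/2.0 480 Temporarily Unavailable\r\n\r\n"
        return f"SIP/2.0 302 Moved Temporarily\r\nContact: <{target}>\r\n\r\n"


def client_follow_redirect(invite: str, response: str) -> Optional[str]:
    """On a 3xx, rebuild the INVITE with the Contact as Request-URI; on anything else give up."""
    status, h, _ = parse_sip(response)
    if not status.startswith("SIP/2.0 3") or "contact" not in h:
        return None
    new_uri = URI_RE.search(h["contact"][0]).group(1)
    first, _, rest = invite.partition("\r\n")
    method, _, version = first.split(" ")
    return f"{method} {new_uri} {version}\r\n{rest}"


# Constructed messages (CRLF line endings as on the wire)
REGISTER_MSG = ("REGISTER sip:example.test SIP/2.0\r\n"
                "To: <sip:johnny@example.test>\r\n"
                "From: <sip:johnny@example.test>;tag=a1\r\n"
                "Contact: <sip:johnny@203.0.113.7:5060>\r\n"     # Johnny's hotel-room address
                "Expires: 3600\r\n\r\n")
INVITE_MSG = ("INVITE sip:johnny@example.test SIP/2.0\r\n"
              "To: <sip:johnny@example.test>\r\n"
              "From: <sip:jen@example.test>;tag=b2\r\n\r\n")


def demo(clock: float = 1000.0):
    """Register, then INVITE through the redirect server, then follow the 302."""
    reg = Registrar("example.test", now=lambda: clock)
    reg_reply = reg.handle_register(REGISTER_MSG)
    redirect_reply = RedirectServer(reg).handle_invite(INVITE_MSG)
    return reg_reply, redirect_reply, client_follow_redirect(INVITE_MSG, redirect_reply)


if __name__ == "__main__":
    for message in demo():
        print(message.strip())
        print("---")
```

Two details carry the security weight here: the registrar accepts bindings only for its own domain (otherwise anyone could claim to be the contact for a foreign address), and it drops expired bindings rather than redirecting callers to an address the user left hours ago.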



Media Gateways

A gateway is a device that translates between protocols in general by providing logic
and translation between otherwise incompatible interfaces. A voice or media gateway
in particular tends to translate between PSTN (trunking) protocols and interfaces
and local line protocols and interfaces (though that’s not universally true). In addition,
the potential protocols and interfaces that a voice gateway now might support
include Ethernet and VoIP protocols as well. The voice gateway could have H.323
phones on one side and an ISDN trunk on the other (both digital) or a VoIP phone
on one side and an analog loop to the carrier, or even VoIP on both sides (say,
H.323 to the station and SIP trunking to the carrier). The point is that there are literally
hundreds of different equipment classes that all fall under the voice gateway
moniker and thousands of classes that fall under gateway to begin with.
One class of VoIP media gateway connects traditional analog or digital phone
equipment or networks to VoIP equipment or networks. A simple home-user implementation
of a VoIP gateway like this is an ATA, or Analog Telephone Adaptor. At a
minimum a VoIP media gateway will have both a phone interface (analog or digital)
and an Ethernet interface. For an ATA, a regular analog phone is connected to the
adaptor, which then translates the signal to digital and passes it back over the
Ethernet. Of course, media gateways can get much more complex than this. PBX
vendors have split out the line-card cabinet portion of their product and recast it as a
media gateway, with the gateway under the control of a media server. IP routing
companies have added analog and digital voice/video interfaces to routers and recast
them as media gateways. And in many respects these products do contain overlapping
functionality even though they may not be equivalent.




Firewalls and Application-Layer Gateways
Within a firewall, special code for handling specific protocols (like ftp, which uses
separate control and data paths just like VoIP) provides the logic required for the IP
address filtering and translation that must take place for the protocol to pass safely
through the firewall. One name for this is the Application Layer Gateway (ALG).
Each protocol that passes embedded IP addresses or that operates with separate data
(or media) and control streams will require ALG code to successfully pass through a
deep-packet-inspection and filtering device. Due to the constantly changing nature
of VoIP protocols, ALGs provided by firewall vendors are constantly playing a game
of catch-up. And tests of real-time performance under load for ALG solutions may
reveal that QoS standards cannot be met with a given ALG solution. This can cause
VoIP systems to fail under load across the perimeter and has forced consideration of
VoIP application proxies as an alternative.
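To make the ALG's job concrete, here is an added example (not the chapter's code and not any vendor's ALG) that does the two things an ALG must do for a SIP INVITE: read the SDP body to learn which media addresses and ports to open, and rewrite the private addresses in that body for NAT, correcting Content-Length afterwards. The INVITE, the RFC 1918 addresses and the public address are constructed. It handles the SDP body only; a complete ALG also rewrites Via, Contact and Record-Route in the headers.

```python
"""What a SIP/SDP application-layer gateway has to do: read the media addresses
and ports embedded in the SDP body, open firewall pinholes for them, and rewrite
private addresses for NAT.  Added example, not code from the original chapter;
the INVITE, the RFC 1918 addresses and the public address are constructed."""
import re
from typing import Dict, List, Optional, Tuple

Pinhole = Tuple[str, str, int]  # (transport, address, port)


def sdp_media(body: str) -> List[Dict[str, object]]:
    """Parse m= sections: media type, port, transport, effective c= address and
    any a=rtcp: override.  A media-level c= line overrides the session-level one."""
    session_addr: Optional[str] = None
    media: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for line in body.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        key, val = line[0], line[2:]
        if key == "c":                      # c=IN IP4 10.0.0.5
            addr = val.split()[2]
            if current is None:
                session_addr = addr
            else:
                current["addr"] = addr
        elif key == "m":                    # m=audio 49170 RTP/AVP 0 8
            parts = val.split()
            current = {"type": parts[0], "port": int(parts[1].split("/")[0]),
                       "proto": parts[2], "addr": None, "rtcp": None}
            media.append(current)
        elif key == "a" and current is not None and val.startswith("rtcp:"):
            current["rtcp"] = int(val[5:].split()[0])
    for m in media:
        if m["addr"] is None:
            m["addr"] = session_addr
    return media


def pinholes(body: str) -> List[Pinhole]:
    """Ports the firewall must open for the media this SDP describes.  Each
    accepted m= line needs its RTP port plus RTCP on port+1 unless an a=rtcp:
    attribute says otherwise; port 0 means the stream was rejected."""
    holes: List[Pinhole] = []
    for m in sdp_media(body):
        if m["port"] == 0:
            continue
        transport = "tcp" if "TCP" in str(m["proto"]) else "udp"
        addr, port = str(m["addr"]), int(m["port"])
        holes.append((transport, addr, port))
        rtcp = m["rtcp"]
        holes.append((transport, addr, int(rtcp) if rtcp is not None else port + 1))
    return holes


def rewrite_addresses(body: str, nat: Dict[str, str]) -> str:
    """Replace private addresses in o= and c= lines with the public one."""
    def swap(mo):
        return mo.group(1) + nat.get(mo.group(2), mo.group(2))
    return re.sub(r"(?m)^([co]=.*IN IP4 )(\S+)", swap, body)


def alg_process(msg: str, nat: Dict[str, str]) -> Tuple[str, List[Pinhole]]:
    """Run one SIP message through the ALG: compute pinholes on the private side,
    rewrite the body for the public side and fix Content-Length to match."""
    head, _, body = msg.partition("\r\n\r\n")
    holes = pinholes(body)
    new_body = rewrite_addresses(body, nat)
    head = re.sub(r"(?mi)^Content-Length:\s*\d+",
                  f"Content-Length: {len(new_body)}", head)
    return head + "\r\n\r\n" + new_body, holes


# Constructed INVITE from a phone on a private LAN; audio uses the session
# address, video overrides it and pins RTCP, and one stream is rejected (port 0).
INVITE = (
    "INVITE sip:bob@203.0.113.50 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKnashds8\r\n"
    "From: <sip:alice@10.0.0.5>;tag=1928301774\r\n"
    "To: <sip:bob@203.0.113.50>\r\n"
    "Call-ID: 3848276298220188511@10.0.0.5\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 193\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 10.0.0.6\r\n"
    "a=rtcp:53000\r\n"
    "m=application 0 udp wb\r\n"
)
NAT = {"10.0.0.5": "203.0.113.9", "10.0.0.6": "203.0.113.9"}  # assumed mapping

if __name__ == "__main__":
    rewritten, holes = alg_process(INVITE, NAT)
    print(holes)
    print(rewritten)
```

The pinhole list is what the firewall's state table has to carry for the life of the call and close when the BYE passes; a device that cannot keep up with this per-call work under load is what the paragraph above means by an ALG that fails QoS.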


Wireless PBX Solutions
Several solutions for adding wireless extensions to PBX systems have been commercialized.
Most PBX vendors have implemented proprietary 900 MHz-band solutions
in the United States as well as the 1900 MHz Digital Enhanced Cordless
Telecommunications (DECT) ETSI standard in Europe, which has driven
widespread adoption of vendor-neutral wireless there. More recently, a number of
WiFi solutions have become available, as well as combination WiFi/GSM solutions
that let a single device work with both cellular and enterprise PBX infrastructure.
See the warnings about WEP later in this chapter.



Other PBX Solutions
Two other PBX solutions with security considerations bear some discussion: Call
Detail Recording (CDR) systems and voice firewalls. A CDR system writes a record of every
call on a PBX once the call is complete, in a structured (usually vendor-specific) format. This
allows reporting software to analyze the data for forensic or diagnostic purposes.
It is worth noting, however, that a CDR system will not allow you to stop a
fraudulent call still in progress. For this, you would need a voice firewall such as that
sold by SecureLogix. Such a firewall allows you to see current calls in real-time,
apply policy based on type of call (voice, fax, or data), and set notifications, authentication
requirements, or other policy based on rules very similar to those you might
set for data traffic on a data firewall.



PBX Alternatives
Long before the appearance of VoIP, nonswitched alternatives to the PBX have been
available. For systems of fewer than 50 users, Key Telephone Systems (KTS) share outside
lines directly and have dedicated intercom lines to talk between stations. Current generation
key systems are more PBX-like than ever, so it may be hard to find that distinction
anymore. But older key systems won’t support advanced switching features
like trunk-to-trunk transfer that can lead to toll fraud. Still, so-called hybrid key systems
should be treated like a regular PBX when it comes to security.
Centrex, IP Centrex, and Hosted IP-telephony services are carrier-based PBX
alternatives that provide a private dial plan plus the more popular switching features
that an on-site PBX system might. However, the switching equipment stays in the
carrier’s infrastructure and is managed by the carrier. This is a mixed blessing since
it’s likely to reduce the overall functionality and access policy tailoring available to
you if your organization uses such a service, but it does mean that the carrier shoulders
a larger share of the responsibility for any toll fraud that may result (and consequently
won’t provide high-risk services like trunk-to-trunk dialing without extra
security measures).
More recently, the appearance of IP telephony has provided an opportunity for
some manufacturers like Avaya to rearchitect their overall PBX approach and separate
the functionality once provided in a single device into multiple devices. In particular,
call control and signaling can be separated from media processing and gateway services;
this approach makes possible an architecture where a few call control servers can provide
redundant services across an entire organization with media gateways located in
every geographic location that contains their physical presence. We’ll treat this
approach along with other similar VoIP architectures in the next section.


VoIP Telephony and Infrastructure
With the introduction of VoIP came a new architectural flexibility that in theory
can completely distribute PBX functionality across an entire infrastructure. We’ll
review those concepts in this section and discuss examples of this in action, but keep
in mind that few VoIP solutions take full advantage of every aspect described here
(and it wouldn’t surprise me to discover that none of them did, but today’s VoIP
market is moving so fast that it’s difficult if not impossible to prove that kind of negative).
Regardless, these concepts each have significant security implications.



Media Servers
The term media server is totally overloaded in the VoIP world (and even more so
within the IT industry as a whole). If we restrict ourselves to VoIP-related definitions
only, a server so named still could be any of the following:
■ Interactive voice response (IVR) server or media slave, possibly running
VoiceXML or MRCP
■ Signaling Media Server (Media Gateway Controller) to handle call control
in Voice/VoIP network
■ Call distribution (ACD) for receiving and distributing calls in a contact
center
■ Conferencing Media Server for voice, video, and other applications
■ Text-to-speech server (TTS) for listening to e-mail, for instance
■ Automated voice-to-e-mail response system
■ Voice or video applications server
■ Streaming content server
■ Fax-on-demand server
Sure, some of these are similar and can roughly be grouped together, but at best
you’ll get this down to semi-overlapping groups that center on two general areas:
interactive media services and call or resource control. The point here is that in the
VoIP world, we haven’t standardized architectures and naming conventions yet so we
are left with technically vague terms like media server, media gateway, and the worst
offender, softswitch (a marketing term we will not spend more time on in this chapter
except to note that it was intended to conjure up the image of a class 5 switch being
displaced by a software blob that runs these media servers and media gateways but
has become so overloaded that it has completely lost any technical meaning it once
may have enjoyed).


PBX Adjunct Servers
Most PBX systems have an adjunct server or two, providing voice messaging or call
center functionality that isn’t part of the core PBX switching capabilities. The larger
and more complex a network gets, the more demanding traffic becomes to the
underlying hardware. Given the modularity of voice networks, we can offload some
of this functionality to other hardware that can be set to handle a specific task, rather
than attempt to do everything itself. Of course, this also complicates the overall security
model, so make sure you know how this offloading impacts security.


Voice Messaging
It’s hard to remember that voicemail was once a completely optional capability for
PBX systems, but it’s still implemented as a separate server by most vendors using
analog, digital, or IP trunks to integrate with the PBX. Some settings on that voice
messaging server can open the door to fraud and abuse, so be sure to follow manufacturer
recommendations for security—especially when it comes to changing
default administrator passwords! Are mailboxes using strong enough PINs? Are old
mailboxes closed down? Make sure you can answer these questions.
Notes from the Underground…


Voice Messaging: Swiss Army Knife for Hackers?
Voice messaging is not without its share of security considerations, though. Many
vendors ship voice mail systems with default passwords installed, which some
users opt to never change. These passwords are often as simple as the number
of the voice mailbox itself, or a simple string of numbers like 12345. Hackers love
it when it’s this easy to get in. But that’s only the beginning when it comes to
security attacks you may need to protect against within your voice messaging systems.
Here are a few other scenarios:
■ When attackers gain control over a compromised PBX system that
supports DID and voice-mail, they might change the outbound
greeting to something like “Hello? Yes, yes, that’s fine.” Or just “Yes
(pause) yes (pause) yes…” They then call that number collect and the
operator hears what appears to be someone more than willing to
accept charges! Some PBX and voice-mail systems send a special
tone when a line is forwarded to voice-mail that may discourage this
tactic since a savvy operator would recognize the tone. Does your
organization know what’s happening with old or unused mailboxes?
■ Another security issue can arise when mobile phone providers offer
voicemail to their subscribers, but don’t require a password to access
messages when the voicemail server receives the subscriber ANI (indicating
that subscriber is calling from the mobile phone associated
with that extension). But by offering their users the “convenience” of
quick access to their messages, these carriers may be opening the
door to eavesdropping through ANI spoofing (which is discussed in
more detail in Chapter 4) unless they have other means of verifying
the origin of a given call.
■ Eavesdropping on potentially confidential messages is certainly a
threat, but an attacker may potentially hijack phone calls intended
for a victim as well. This can be done by changing their outbound
message greeting to say “Hi, this is Corey. Please call me at my new
number at…” and leave a number that they control, performing a
man-in-the-middle attack on the intended recipient.
■ Another successful social engineering technique involves leaving
messages within a voicemail system requesting passwords (for
“testing” or “administrative purposes”) on another internal extension,
lulling the victim into believing that the attacker is a legitimate
employee at the target company.
■ The latest voice-messaging systems can be used to read e-mail using
text-to-speech. Attackers know that a PIN for the voice messaging
system is easy to guess, and this may be the easiest way for them to
get to an e-mail system.
■ And don’t forget toll fraud that can happen through out-dial capabilities
on voicemail systems. Consider turning off this feature if it
isn’t needed in your organization. Associated risks can also be mitigated
through carefully crafted PBX dial policy.
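A small audit script, added here (not the chapter's code and not any vendor's), that checks an exported mailbox list for the problems raised in the Voice Messaging section and at the top of this sidebar: PINs equal to the mailbox number or to a default, trivial digit patterns, and mailboxes nobody has logged into for a long time. The minimum PIN length, the idle threshold, the default-PIN list and the mailbox records are assumptions constructed for illustration; a real run would use the vendor's documented defaults and an export from the voice-mail server.

```python
"""Audit voice-mail mailboxes for the weaknesses the chapter warns about: PINs
that equal the mailbox number or a vendor default, trivial digit patterns, and
mailboxes nobody has logged into for a long time.  Added example, not code from
the original chapter; the minimum length, idle threshold, default-PIN list and
the mailbox records are constructed assumptions."""
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed list of factory/default PINs; real lists come from vendor docs.
COMMON_DEFAULTS = {"0000", "1111", "1234", "4321", "12345", "00000", "000000"}


def is_sequence(pin: str) -> bool:
    """True for runs like 123456 or 987654 (constant step of +1 or -1)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def is_repeating(pin: str) -> bool:
    """True when a short block repeats to fill the PIN: 777777, 121212, 123123."""
    for n in range(1, len(pin) // 2 + 1):
        if len(pin) % n == 0 and pin[:n] * (len(pin) // n) == pin:
            return True
    return False


def weak_pin(mailbox: str, pin: str, min_len: int = 6) -> Optional[str]:
    """Return why the PIN is weak, or None if it passes every check."""
    if not pin.isdigit():
        return "PIN is not all digits"
    if mailbox in pin or pin in mailbox:
        return "derived from mailbox number"
    if pin in COMMON_DEFAULTS:
        return "common default"
    if len(pin) < min_len:
        return f"shorter than {min_len} digits"
    if is_sequence(pin):
        return "sequential digits"
    if is_repeating(pin):
        return "repeating pattern"
    return None


def audit(records: List[Dict[str, object]], today: date,
          max_idle_days: int = 90) -> List[Tuple[str, str]]:
    """Findings per mailbox: weak PIN and/or no login within max_idle_days."""
    findings: List[Tuple[str, str]] = []
    for r in records:
        box, pin, last = str(r["mailbox"]), str(r["pin"]), r["last_login"]
        reason = weak_pin(box, pin)
        if reason:
            findings.append((box, reason))
        if isinstance(last, date):
            idle = (today - last).days
            if idle > max_idle_days:
                findings.append((box, f"no login for {idle} days"))
        else:
            findings.append((box, "never logged in"))
    return findings


# Constructed records; a real export would come from the voice-mail server.
MAILBOXES = [
    {"mailbox": "4312", "pin": "4312", "last_login": date(2008, 3, 1)},
    {"mailbox": "4400", "pin": "830417", "last_login": date(2007, 9, 1)},
    {"mailbox": "4501", "pin": "650912", "last_login": date(2008, 3, 20)},
    {"mailbox": "4777", "pin": "123456", "last_login": None},
]

if __name__ == "__main__":
    for box, finding in audit(MAILBOXES, date(2008, 3, 29)):
        print(box, finding)
```

Mailboxes that have never been used are the ones the collect-call greeting trick above relies on, so the "never logged in" finding deserves the same follow-up as a weak PIN: close the box or set a strong PIN and a neutral greeting.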



Interactive Voice Response Servers
Perhaps you first ran into an IVR when you noticed an incorrect charge on your
phone bill, and you decide to speak with a customer service representative to clear
things up. But when you dial the toll-free number on the bill, you’re greeted with a
labyrinth of options allegedly to help you self-navigate to the appropriate agent.This
maze of menus is brought to you through an Interactive Voice Response (IVR)
system. An IVR is a series of recorded greetings and logic flows that provide a caller
with a way to route through the phone system as a means of convenience. Personal
feelings about speaking with a recorded voice aside, IVRs are actually a pretty clever
way of providing a caller with speedy call placement, taking much of the burden
away from agents or operators.
Today’s latest-generation IVR systems are built on VoiceXML interpreters, and
may have sophisticated development environments. IVR security is a largely unexplored
topic since each IVR system is like a unique application, but we occasionally
hear about poorly written IVR applications that are insecure or not sufficiently robust.


Asterisk: The Open-Source PBX
PBX servers were notoriously expensive to justify when an organization wasn’t
ready for a major capital outlay, plus they tended to rely on closed or proprietary
architecture, which made PBX systems more expensive than they might otherwise
have been. Then along came Asterisk, from the mind of Mark Spencer. Asterisk is
an open-source PBX software package that runs on many operating systems,
including Linux, BSD, Mac, and even Windows. Asterisk requires very little in the
way of hardware, with old Pentium 100MHz boxes with 64MB of RAM still ample
enough to power a small business. Aside from the relatively low hardware horsepower
requirements, Asterisk doesn’t necessarily need any additional hardware,
aside from what’s already in your computer. Utilizing the popular Session
Initiation Protocol (SIP) and the Inter-Asterisk Exchange Protocol (IAX), two
increasingly ubiquitous VoIP technologies, Asterisk can make and take calls completely
over the Internet or operate with special hardware like PCI T1/E1 cards for
PSTN connectivity. Users may purchase DIDs from the VoIP provider to dial in to
their PBX from their normal phones, or they may dial in using a special software
phone. We discuss softphones later in this chapter.
The appeal of a PBX system is obvious to not only businesses and campuses but
also attackers, who have taken an increased interest in them as well, since most PBX
systems can support trunk-to-trunk transfer (i.e., dial-out again from the PBX after
coming in on another line). PBX security often is overlooked by enterprises until a big
phone bill arrives, and oftentimes the hackers have no challenge at all when settings
are never changed from the manufacturer’s default. Try a Google search for “default
password” and a PBX vendor and you’ll see just how easy this information can be to
obtain. It is important to note that because PBX vendors typically have provided
detailed instructions on how to secure the PBX, the remaining security responsibility
lies completely on the operator of the PBX system, and any toll charges that may be
obtained by fraud are left to be paid by the PBX owner. Attackers who have compromised
a PBX system may set up their own private conference room, a “party-line”
where they may hang out and exchange illicit information on your dime.
Other features can be a double-edged sword as well. Many PBX systems also
provide a call-monitoring feature for managers to supervise their agents (or to record
calls). You know those recordings that go, “Your call may be monitored for quality
assurance and training purposes”? Well, if you’re not careful, they might also be
monitored for humorous or larcenous purposes. And it may not be just calls to your
call center that get monitored; if your monitoring system wasn’t properly designed
or an intruder gets access to PBX administration at a high enough level, any call can
be monitored.
The bottom line when it comes to PBX features is that you need to read the
associated security recommendations carefully. Some vendors have assembled detailed
security guides for addressing toll fraud and feature access that are well over 100
pages, and you would be wise to find out what kind of documentation exists. And
don’t forget to back up your PBX regularly so that you don’t lose the security policy
you create! More critically, if a VoIP vendor does not have these kinds of capabilities,
you would be wise to find out what can be done to reduce exposure to toll fraud. In
some cases, the lack of feature-functionality in many VoIP solutions is a blessing
because it reduces the opportunities for security-affecting misconfiguration. Yet at
best this is a temporary benefit since VoIP solutions are becoming more sophisticated
each and every year.
Notes from the Underground…


Toll Fraud
Attackers have discovered myriad ways to make all the long distance calls
they want from your PBX system, leaving you with the hefty charges.
Here are a few:
■ Even with good security elsewhere, a caller can ask to be transferred to
“extension” 9011 on a system where dialing 9 goes to an outside
line and 011 is the international direct dial access code. Make sure
your employees (particularly those that answer many external calls)
know about this ruse and consider using your PBX’s trace feature to
track down the source of such calls (you can even have the call transferred
to your security department as part of the trace feature).
■ Attackers can read the same manuals online that your systems
administrators can, and the smart ones will figure out how to get
around the obvious restrictions. For instance, if trunk access codes
aren’t restricted, it really won’t matter how well you’ve locked out
other dial restrictions. And just because you don’t use your local
trunks for long distance doesn’t mean an attacker won’t.
■ Adding support for IP softphones or WiFi phones to a PBX means
that a softphone or wireless phone could be used by a remote
attacker who can get onto your IP network (by wire or wireless) for
toll fraud or other nefarious purposes. In this case, defense of your IP
network overall is what will minimize exposure to the PBX, but it’s
important that the PBX not weaken overall IP security (by allowing
WEP-based security on wireless networks shared by voice and data,
for instance).
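The CDR system described earlier in this chapter cannot stop a call, but its records are where the patterns in this sidebar show up after the fact. The following is an added example, not code from the chapter: it reads a constructed CDR export and flags trunk-to-trunk calls, international calls outside business hours and international numbers reached by transfer (the 9011 ruse), and totals international minutes per extension. CDR layouts differ by vendor, so the CSV columns, the dial plan (9 for an outside line, 011 for international) and the business-hours window are assumptions.

```python
"""Toll-fraud indicators pulled out of call detail records: trunk-to-trunk calls,
international calls outside business hours, and international numbers reached
through a transfer (the "transfer me to 9011..." ruse).  Added example, not code
from the original chapter.  CDR layouts are vendor-specific; the CSV columns,
the dial plan (9 for an outside line, 011 for international) and the business
hours below are assumptions, and the records are constructed."""
import csv
import io
from typing import Dict, List, Tuple

OUTSIDE_PREFIX = "9"            # assumed trunk access code
INTL_PREFIX = OUTSIDE_PREFIX + "011"
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59, assumed

# Constructed CDR export.  transfer = extension that transferred the call, if any.
SAMPLE_CDR = """\
date,time,calling,called,in_trunk,out_trunk,duration_s,transfer
2008-03-28,10:14:02,4312,95551234,,LOCAL1,180,
2008-03-28,23:41:10,4312,9011447700900123,,LD2,1440,
2008-03-29,02:05:33,,9011251912345678,DID1,LD2,2700,4400
2008-03-28,14:30:00,4501,4400,,,60,
2008-03-28,15:02:19,4612,9011331234567,,LD2,300,
"""


def parse_cdr(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into one dict per call."""
    return list(csv.DictReader(io.StringIO(text)))


def is_international(called: str) -> bool:
    return called.startswith(INTL_PREFIX)


def indicators(rec: Dict[str, str]) -> List[str]:
    """Fraud indicators for one record; an empty list means nothing suspicious."""
    hits: List[str] = []
    hour = int(rec["time"].split(":")[0])
    called = rec["called"]
    if rec["in_trunk"] and rec["out_trunk"]:
        hits.append("trunk-to-trunk call (came in on a trunk, went out on a trunk)")
    if is_international(called) and hour not in BUSINESS_HOURS:
        hits.append(f"international call at {hour:02d}h, outside business hours")
    if is_international(called) and rec["transfer"]:
        hits.append(f"international number reached by transfer from {rec['transfer']}")
    return hits


def flag_calls(records: List[Dict[str, str]]) -> List[Tuple[Dict[str, str], List[str]]]:
    """Records that raise at least one indicator, with their reasons."""
    flagged: List[Tuple[Dict[str, str], List[str]]] = []
    for rec in records:
        hits = indicators(rec)
        if hits:
            flagged.append((rec, hits))
    return flagged


def international_minutes_by_caller(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Per-extension international minutes; inbound-trunk sources are keyed by trunk."""
    totals: Dict[str, int] = {}
    for rec in records:
        if is_international(rec["called"]):
            key = rec["calling"] or f"trunk:{rec['in_trunk']}"
            totals[key] = totals.get(key, 0) + int(rec["duration_s"]) // 60
    return totals


if __name__ == "__main__":
    records = parse_cdr(SAMPLE_CDR)
    for rec, hits in flag_calls(records):
        print(rec["date"], rec["time"], rec["called"], "; ".join(hits))
    print(international_minutes_by_caller(records))
```

Running this nightly against the previous day's records is the cheapest early warning you can build; the international call at 15:02 from extension 4612 is not flagged, which is the point of tying the rules to your own dial plan and working hours rather than to the number alone.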


PBX Features
PBX systems provide a plethora of features typically offered by a telephone provider,
such as call waiting, three-way calling, conference calling, voicemail, additional call
appearances, and many other routing features. Some vendors count 600 or more separate
features among their capabilities, far more than is offered by any carrier on a
central office switch as subscriber services. But often overlooked in this list are those
used for access control.The PBX is effectively the firewall to the PSTN and because
voice access has per-minute and geographic costs associated with each call, this
aspect of PBX capability should be a critical consideration for product selection,
configuration, and ongoing operations. Yet at the same time, the data security community
is rarely concerned with this characteristic because it’s not a pure data security
issue, even though a VoIP system will still have PSTN connectivity; why gamble
with this?
Say a company has 200 employees, each with a phone on their desk.
Without a PBX, each employee would require their own pair of copper wires from
the CO, each with their own phone number that routes to their desk. However, it’s a
safe bet that not all 200 employees will be on the phone all the time, and it’s likely
that most of those calls will be to other employees.This is where a PBX really pays
off. A business or campus will need many fewer lines from the Local Exchange
Carrier (LEC); in the previous example, the company might require only 40 outside
lines, routing those calls onto the PSTN trunk lines as necessary on a per call basis.
They also could rent 200 Direct Inward Dial (DID) numbers from the LEC, which
terminate through those trunk lines. The PBX will then route the inbound call based
upon which DID number was dialed to reach it.


PBX Trunks
A trunk is a special kind of line that connects two telephone switches. If one of the
two switches is the PBX, the other could be a local or long-distance switch for
PSTN access, in which case we would call these local trunks or long-distance
trunks, respectively (though it’s worth pointing out that even if you don’t have dedicated
long-distance trunks you likely are able to get long distance services through
local trunks). On the other hand, if the other end of the trunk is another privately
owned PBX, we would call these private trunks or tie lines, even if they happen to
be routed through the PSTN (since the telephone numbers they can reach can only
be dialed from within the private network).There are also trunks that can act like
both types through the use of Centrex or something called a Virtual Private
Network (VPN—but it’s not the remote access VPN you may be familiar with from
the data world—this VPN is created by a carrier to let you keep a private dial plan
across many sites on the same trunks that you use for regular PSTN access).
Some say trunks are so named because in the old days, Ma Bell saw fit to use
thick, lead-covered cables to connect the switches. These cables resembled an elephant’s
trunk. Others claim the word’s origin is derived from the way the local loop
network resembles the branches of a tree, with the trunks having similarity to…
well, a tree trunk. Regardless, trunks are the main lines of the communications
system, and the only case where a trunk is not connecting to a switch is when an
adjunct server is involved (like a voice messaging server, an Automatic Call
Distribution (ACD) server, an Interactive Voice Response (IVR) system, or similar
system). In some cases, these servers may use station emulation instead of trunking,
so you’ll need to verify what actually is being used.
Trunks can be analog, digital, or VoIP-based, just like station lines. Analog trunks
can be as simple as a regular 2-wire POTS line to the local CO switch, or a 4-wire
analog E&M trunk that provides improved signaling response (less glare).
Channelized digital T1 trunks come in two main flavors.The first and oldest type of
T1 can have 24 channels of 64 kilobit per second voice with robbed-bit signaling
(signaling bits are stolen from the voice stream in a way that’s not noticeable to the
ear). This type of T1 sends much less signaling data but cannot be used with 64 kbps
switched data because of the robbed bits used for signaling, but can pass 56 kbps
switched data. ISDN PRI T1 trunks have 23 channels of voice (bearer, or B channels) and
a separate 64 kbps channel for signaling (the data, or D channel) that carries Q.931
call-control messages, the access-side counterpart of SS7’s ISDN User Part (ISUP). These
messages carry calling and called number information such as Automatic Number
Identification (although it can be spoofed; this is discussed in Chapter 4). In Europe
and internationally, the E1 is the typical digital interface, with an ISDN PRI carrying
30 bearer channels (30B+D) as opposed to the 23 channels supported by ISDN over T1 (23B+D).
VoIP trunks also come in various flavors, including H.323, SIP, and proprietary
protocols like Inter-Asterisk eXchange (IAX). In some cases, IP-enabled PBX systems
also use gateway control protocols with VoIP trunks, such as Simple Gateway
Control Protocol (SGCP), Media Gateway Control Protocol (MGCP), H.248/Megaco, and
Cisco’s Skinny Client Control Protocol (SCCP). One of the difficult problems with
VoIP trunks, however, is feature transparency between vendors. ISUP/Q.931 or its
private line equivalent (QSIG) has the most complete feature interworking capability,
and standards for mapping these onto H.323 and SIP exist, but these are not
evenly supported by PBX vendors at this point. Robust, reliable interworking
between different PBX vendors over VoIP is not easy to find today (and is still a
challenge over private tie lines).


Traditional PBX Systems
Business telephony in large organizations has revolved around the private branch
exchange (PBX) for over a century, and given that length of time, it’s easy to see
why VoIP often is positioned as a modern alternative to the PBX. However, this
comparison is the wrong one to make, as the PBX concept itself is transport-neutral.
It would be just as wrong to say “analog vs. PBX” or “digital vs. PSTN,” so let’s
make sure we’ve got this basic principle down first. A PBX, or PABX internationally
(the “A” stands for “Automatic”), is a communications switch that (1) replaces
PSTN switching functionality for a set of associated extensions, (2) provides access
trunks to carriers for routing PSTN calls, and (3) may provide additional communications
feature-functionality based on configuration settings and equipment capabilities
(see Figure 3.1).
Figure 3.1 A Basic PBX Diagram*
* All PBX systems provide PSTN-like switching services between endpoints and
adjuncts, the PSTN, and other private PBX switches (and associated private networks).
Only a few of the possible adjunct systems are mentioned here. An ACD is
an Automatic Call Distribution server (for use in call centers to direct calls to groups
of agents), and an IVR is an Interactive Voice Response server (also commonly used
in call centers to let callers use touch tones and voice prompts to select services).
So a PBX could be all IP or all analog or anything in the middle as long as it
switches calls between extensions and the PSTN as needed. In the end you will find
that despite the marketing hype, most VoIP systems are just PBX systems with different
combinations of support for IP lines and trunks. In some cases, the call control
part of the system is split out from the gateway that handles the non-IP electrical
interfaces. Or it’s pushed out to a service provider. But the basic switching concept is
preserved somewhere across the system as a whole. Regardless, understanding basic
PBX terminology will help you understand the underlying architecture of the VoIP
systems you may encounter, so let’s start there.



PBX Lines
In telephony, a line (or station line) connects endpoint equipment (digital terminals,
analog phones, fax machines, modems, or even an IP phone through an IP network)
to the PBX (or central office) for switching. An analog line is the private equivalent
of a local loop or loop transmission facility.
NOTE
A PBX is more likely than your phone company to support ground start phones
and trunks on analog interfaces. Your phone at home seizes control of the line
by using loop start, which closes the loop between the two wires (going off-hook
draws current through the phone) to activate the circuit. Ground start instead
grounds one of the leads (typically ring) to seize the line, which is much less
likely to cause glare (a condition that arises when both sides on a line or trunk
simultaneously seize control of the line).
Typically, a PBX supports analog lines (and trunks) through a line card with 8,
12, 16, 24, or more lines per card, which are then wired to a patch panel for interconnection
through a structured cabling system to the analog phone or device. Most
of the security concerns around analog lines center on how well protected the
equipment and cabling systems are from eavesdropping and tampering. Ground start
loops will make theft of service less likely because a special phone is required, but
otherwise the same basic rules for protecting a PSTN line from tampering apply.
Of course, line is also a generic term that may apply to power lines providing
electricity to homes and businesses. But when we talk about an analog telephone
line, we are talking specifically about the two wires involved: the tip (the first wire in
a pair of phone wires, connected to the + side of the battery at the central office or
PBX; it is named tip because it was at the tip of an operator’s plug) and the ring
(connected to the – side of the switch battery and named because it was connected
to the ring contact just behind the tip of the plug). Any equipment that works with Plain Old
Telephone Service (POTS) lines will work with a PBX analog line configured for
loop start. From a PBX, an analog line will nearly always be 2-wire although 4-wire
lines with Earth & Magnet (E&M, sometimes also called Ear and Mouth) interfaces
are supported from the same card for analog trunks.


TIP
If you’ve ever taken a peek behind the phone jacks that litter the walls of your
home, you are likely to see two (or three) pairs of wires, one Green/Red, the
next Yellow/Black, then White/Blue, but for our purposes only the first pair is
important. The Green wire is the Tip, held at or near ground potential (the + side
of the office battery). The Red wire is the Ring, at a nominal -48 V relative to Tip,
which completes the circuit and lets loop current flow. Note that newer homes may
use a more recent color scheme that is also used for Ethernet cabling. The first pair is
White/Blue, then White/Orange, then White/Green and finally White/Brown. This
scheme is what you’re most likely to see in structured cabling systems within
buildings.
Analog PBX systems supported only analog lines, but with the introduction of
digital switching, a new class of line was developed: the digital line. In most PBX
systems, a proprietary format for digital line signaling (and media) was created that
requires the use of digital phones manufactured by that vendor. Some vendors, however,
also support Integrated Services Digital Network (ISDN) standard phones
directly (or through the PSTN) via the ITU-standardized ISDN BRI. Most proprietary
digital formats use a 2-wire system with 8-wire plugs and jacks, although some
are 4-wire systems. ISDN uses a 2-wire system from the CO switch, but is 8-wire to
the interface used by a phone terminal, so the actual number of wires used will
depend on several factors (such as whether the phone has a built-in NT-1 interface).
Also, many proprietary switch features will not be supported on ISDN phones, particularly
when the phone is manufactured by a different vendor. And even within a
vendor product line, you may discover that newer features are supported only on
newer phones or phone firmware. In any case, digital lines for proprietary digital terminals
typically are supported by digital line cards with 8, 12, 16, 24, or more lines
per card, and ISDN lines for ISDN phones are supported by either ISDN trunk
cards or special ISDN BRI line cards, which may come in several flavors depending
on the ISDN BRI type.
In the case of the modern hybrid PBX or IP-PBX, there is an equivalent concept
for IP lines to IP phones, but unlike analog or digital lines the IP line isn’t necessarily
tied down to a single electrical interface on the PBX. In fact, the PBX can
use multiple Ethernet ports to support an IP line, and IP phones can fail over to
multiple IP-enabled PBX systems. The first IP line support built into most PBX systems
leveraged the H.323 suite of protocols or proprietary protocols like Cisco
“skinny,” but almost all new development on PBX systems today uses Session
Initiation Protocol (SIP). The bottom line is that the concept of an IP line exists in
virtually every VoIP system out there, and understanding how the line concept is
expressed in a specific VoIP system will give you an important handle with which to
analyze its architecture and security.
This flexibility and versatility is a huge advantage to VoIP, but it does come at a
price. Because the phones are now sharing infrastructure and bandwidth with other
devices (and perhaps the entire data network), quality-of-service (QoS) guarantees
for packet loss, latency (how long each packet takes to arrive from the phone to the
PBX), and jitter (variability of latency across packets in a stream) now become the
responsibility of the party providing the network infrastructure. Additional vectors
for Denial-of-Service attacks on IP lines (either to the phone or the PBX) and
Man-In-The-Middle (MITM) attacks must be considered. In my experience, the
resulting loss of accountability from a single organization or vendor to multiple entities
rarely is included in planning (or ROI calculations) for VoIP deployments.
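The loss and jitter figures this paragraph makes the network owner responsible for can be measured from the RTP headers alone, which is also the first place a denial-of-service condition on an IP line becomes visible. As an added example (not the chapter's code), the block below implements the RFC 3550 interarrival jitter estimator and a loss count that survives 16-bit sequence-number wrap. The 8 kHz clock (G.711), the 20 ms framing and the two captured streams are constructed; one-way latency is deliberately not computed, since it needs synchronized clocks at both ends.

```python
"""Measuring what the IP line exposes you to: RFC 3550 interarrival jitter and
packet loss computed from the RTP header fields a phone or PBX already sees.
Added example, not code from the original chapter; the 8 kHz clock (G.711),
the 20 ms packet interval and the captured streams below are constructed."""
from typing import List, Tuple

CLOCK_HZ = 8000                     # assumed codec sample clock
Packet = Tuple[int, int, float]     # (sequence number, RTP timestamp, arrival time in s)


def extend_sequence(seqs: List[int]) -> List[int]:
    """Undo 16-bit sequence-number wrap so gaps can be counted."""
    out: List[int] = []
    cycles, last = 0, None
    for s in seqs:
        if last is not None and s < last and last - s > 32768:
            cycles += 65536
        out.append(s + cycles)
        last = s
    return out


def lost_packets(packets: List[Packet]) -> int:
    """Expected minus received, from the extended sequence numbers."""
    ext = extend_sequence([p[0] for p in packets])
    return (ext[-1] - ext[0] + 1) - len(ext)


def interarrival_jitter_ms(packets: List[Packet]) -> float:
    """RFC 3550 section 6.4.1 estimator: D is the change in transit time between
    consecutive packets (arrival spacing minus timestamp spacing, in clock ticks)
    and J is smoothed with gain 1/16.  Result converted from ticks to ms."""
    j = 0.0
    prev = None
    for _seq, ts, arrival in packets:
        if prev is not None:
            d = (arrival - prev[1]) * CLOCK_HZ - (ts - prev[0])
            j += (abs(d) - j) / 16
        prev = (ts, arrival)
    return j * 1000.0 / CLOCK_HZ


# Constructed capture: 20 ms G.711 frames, the fourth packet delayed by 5 ms.
STEADY = [(1, 160, 0.000), (2, 320, 0.020), (3, 480, 0.040),
          (4, 640, 0.065), (5, 800, 0.080), (6, 960, 0.100)]
# Constructed capture across a sequence-number wrap with one packet missing.
WRAPPED = [(65534, 160, 0.000), (65535, 320, 0.020), (0, 480, 0.040), (2, 800, 0.080)]

if __name__ == "__main__":
    print(f"jitter {interarrival_jitter_ms(STEADY):.3f} ms, lost {lost_packets(STEADY)}")
    print(f"jitter {interarrival_jitter_ms(WRAPPED):.3f} ms, lost {lost_packets(WRAPPED)}")
```

Because the estimator is smoothed, a single late packet produces a small, decaying jitter value, while a sustained flood on the segment shows up as jitter that climbs and stays up alongside rising loss; logging both per call from the phone's RTCP reports gives you the evidence when the party providing the network disputes responsibility.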