The most significant security concerns in a VoIP environment are discussed in chapter 3.3.1.
Countermeasures to these threats include:
• Secure Real-time Transport Protocol (SRTP), which provides confidentiality, message authentication, and replay protection for RTP and Real-time Transport Control Protocol (RTCP) traffic [5].
• Authentication: mechanisms should be activated to protect the integrity of the voice packets, so that what is presented at the destination node is identical to what was issued from the source node.
• Access control: this is supported by a tool suite that blocks unauthorized users from invoking voice services.
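The following is an added example, not code from the source document or from NIST SP 800-58, showing what the message authentication and replay protection attributed to SRTP above look like at packet level. It implements the packet-index estimation and replay-window rules of RFC 3711 section 3.3 together with truncated HMAC-SHA1 authentication tags; SRTP encryption and the key derivation function are omitted, and the 20-byte authentication key, the SSRC and the payloads are constructed values.

```python
"""Added example (not from the source document): SRTP-style message
authentication and replay protection for RTP, following the packet-index
estimation and replay-window rules of RFC 3711 section 3.3. Encryption and
the SRTP key derivation function are not shown; the key is a constructed value."""
import hashlib
import hmac
import struct

RTP_HEADER_LEN = 12


def rtp_packet(seq: int, timestamp: int, ssrc: int, payload: bytes) -> bytes:
    """Build a minimal RTP packet: V=2, no padding/extension/CSRC, PT=0."""
    return struct.pack("!BBHII", 0x80, 0x00, seq & 0xFFFF, timestamp, ssrc) + payload


def srtp_auth_tag(auth_key: bytes, packet: bytes, roc: int, tag_len: int) -> bytes:
    """HMAC-SHA1 over the RTP packet followed by the 32-bit rollover counter,
    truncated to tag_len bytes (80-bit tags are the RFC 3711 default)."""
    mac = hmac.new(auth_key, packet + struct.pack("!I", roc), hashlib.sha1).digest()
    return mac[:tag_len]


def srtp_protect(auth_key: bytes, packet: bytes, roc: int, tag_len: int = 10) -> bytes:
    """Sender side: append the authentication tag to the RTP packet."""
    return packet + srtp_auth_tag(auth_key, packet, roc, tag_len)


class SrtpReceiver:
    """Receiver state: rollover counter (ROC), highest authenticated sequence
    number (s_l) and the replay list covering the last `window` indices."""

    def __init__(self, auth_key: bytes, tag_len: int = 10, window: int = 64):
        self.auth_key = auth_key
        self.tag_len = tag_len
        self.window = window      # RFC 3711: window SHOULD be at least 64
        self.roc = 0
        self.s_l = None           # initialised from the first authenticated packet
        self.seen = set()         # replay list of accepted packet indices

    def _estimate_index(self, seq: int):
        """Guess which ROC the packet belongs to (RFC 3711 section 3.3.1)."""
        if self.s_l is None:
            return 0, seq
        if self.s_l < 0x8000:
            v = self.roc - 1 if seq - self.s_l > 0x8000 else self.roc
        else:
            v = self.roc + 1 if self.s_l - 0x8000 > seq else self.roc
        v &= 0xFFFFFFFF
        return v, (v << 16) | seq

    def unprotect(self, srtp_packet: bytes):
        """Return (payload, status). Replay check first, then authentication;
        only authenticated packets update ROC, s_l and the replay list."""
        if len(srtp_packet) < RTP_HEADER_LEN + self.tag_len:
            return None, "drop: too short"
        packet, tag = srtp_packet[:-self.tag_len], srtp_packet[-self.tag_len:]
        seq = struct.unpack("!H", packet[2:4])[0]
        v, index = self._estimate_index(seq)
        highest = None if self.s_l is None else (self.roc << 16) | self.s_l
        if highest is not None and index + self.window <= highest:
            return None, "replay: outside window"
        if index in self.seen:
            return None, "replay: duplicate index"
        expected = srtp_auth_tag(self.auth_key, packet, v, self.tag_len)
        if not hmac.compare_digest(expected, tag):
            return None, "authentication failed"
        self.seen.add(index)
        if highest is None or index > highest:
            self.roc, self.s_l = v, seq
            self.seen = {i for i in self.seen if i + self.window > index}
        return packet[RTP_HEADER_LEN:], "ok"


def demo_srtp() -> dict:
    """Constructed traffic: a sequence-number wrap, a replayed packet,
    a tampered packet followed by the genuine one, and a stale packet."""
    key = b"\x11" * 20            # constructed; real keys come from the SRTP KDF
    ssrc = 0xDEADBEEF             # constructed SSRC
    rx = SrtpReceiver(key)
    p1 = srtp_protect(key, rtp_packet(65534, 1000, ssrc, b"frame1"), roc=0)
    p2 = srtp_protect(key, rtp_packet(65535, 1160, ssrc, b"frame2"), roc=0)
    p3 = srtp_protect(key, rtp_packet(0, 1320, ssrc, b"frame3"), roc=1)  # seq wrapped
    p4 = srtp_protect(key, rtp_packet(1, 1480, ssrc, b"frame4"), roc=1)
    stale = srtp_protect(key, rtp_packet(65400, 0, ssrc, b"old"), roc=0)
    results = {}
    results["in_order"] = [rx.unprotect(p)[1] for p in (p1, p2, p3)]
    results["roc_after_wrap"] = rx.roc
    results["replayed"] = rx.unprotect(p2)[1]
    tampered = p4[:RTP_HEADER_LEN] + b"X" + p4[RTP_HEADER_LEN + 1:]
    results["tampered_then_genuine"] = [rx.unprotect(tampered)[1], rx.unprotect(p4)[1]]
    results["stale"] = rx.unprotect(stale)[1]
    p5 = srtp_protect(key, rtp_packet(2, 1640, ssrc, b"frame5"), roc=1)
    results["payload"] = rx.unprotect(p5)[0]
    return results


if __name__ == "__main__":
    print(demo_srtp())
```

Two details matter in practice: the replay check runs before tag verification so an attacker cannot burn CPU on duplicate packets, and a packet that fails authentication leaves ROC, s_l and the replay list untouched, so a forged packet cannot desynchronise the receiver from the genuine stream.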
NIST SP 800-58 [1] discusses the impact of these and related issues on VoIP over private and public networks, for which it recommends the following:
• An appropriate network architecture SHOULD be developed.
• Voice and data SHOULD be separated on logically different networks.
• Multimedia protocols SHOULD be isolated from the data network.
• Strong authentication and access control SHOULD be used on the voice gateway system, which interfaces with the PSTN and terminates SIP, H.323, or MGCP [15] connections from the data network.
• Mechanisms SHOULD be deployed to allow VoIP traffic to traverse firewalls (e.g., Application Level Gateways, Session Border Controllers).
• Stateful packet filters SHOULD be implemented to track connections and deny non-compliant packets.
• IPsec [9] [10] [11], MPLS [20], and tunnelling technologies SHOULD be used to secure the network and link layers, and TLS [7] SHOULD be used to protect multimedia protocol signalling at the upper layers.
• Where performance is a concern, encryption SHOULD be performed at the router or gateway rather than at the endpoints, using IPsec tunnelling.
• Uninterruptible Power Supplies (UPS) and other mechanisms SHOULD be used to enhance availability and integrity.
• Separate Dynamic Host Configuration Protocol (DHCP) servers SHOULD be provided to ease the incorporation of intrusion detection and VoIP firewall protection [17].
• Softphone systems SHOULD be avoided when security and privacy are a concern.
• Although the thrust of this document is to establish security policy for VoIP ATM communications, practitioners SHOULD analyse the trade-off between implementing security mechanisms and their impact on ATM operational performance.
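The following is an added example, not code from the source document or from NIST SP 800-58, illustrating the two firewall recommendations above (an Application Level Gateway that lets VoIP traverse the firewall, and a stateful filter that denies non-compliant packets). It is a toy SIP-aware gateway that learns the RTP media endpoints from the SDP carried in an INVITE and its 200 OK, opens a bidirectional pinhole for exactly that address/port pair, checks that admitted packets are at least well-formed RTP, and closes the pinhole on BYE. The SIP messages, addresses and Call-ID in the demo are constructed.

```python
"""Added example (not from the source document or NIST SP 800-58): a toy
SIP-aware application level gateway that opens RTP pinholes only for the
media endpoints negotiated in an INVITE / 200 OK exchange and closes them
on BYE. The SIP messages, IP addresses and Call-ID below are constructed."""
import re

SDP_CONN = re.compile(r"^c=IN IP4 (\S+)", re.MULTILINE)
SDP_AUDIO = re.compile(r"^m=audio (\d+) RTP/S?AVP", re.MULTILINE)


def parse_sip(raw: bytes):
    """Split a SIP message into its start line, lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def media_endpoint(sdp: str):
    """(ip, port) of the audio stream described by an SDP body, or None."""
    conn, audio = SDP_CONN.search(sdp), SDP_AUDIO.search(sdp)
    if conn is None or audio is None:
        return None
    return conn.group(1), int(audio.group(1))


class VoipAlg:
    """Signalling-driven pinhole table: no RTP is admitted unless a call
    negotiated that exact source/destination endpoint pair."""

    def __init__(self):
        self.pending = {}   # Call-ID -> caller media endpoint seen in the INVITE
        self.pinholes = {}  # Call-ID -> set of allowed (src, dst) endpoint pairs

    def on_sip(self, raw: bytes) -> str:
        """Track signalling; returns a short disposition for the message."""
        start, hdr, sdp = parse_sip(raw)
        call_id = hdr.get("call-id")
        if call_id is None:
            return "drop: no Call-ID"
        if start.startswith("INVITE "):
            caller = media_endpoint(sdp)
            if caller is None:
                return "drop: INVITE without usable SDP"
            self.pending[call_id] = caller
            return "pending"
        if start.startswith("SIP/2.0 200") and hdr.get("cseq", "").upper().endswith("INVITE"):
            caller = self.pending.pop(call_id, None)
            callee = media_endpoint(sdp)
            if caller is None or callee is None:
                return "drop: 200 OK without matching INVITE or SDP"
            self.pinholes[call_id] = {(caller, callee), (callee, caller)}
            return "pinhole opened"
        if start.startswith("BYE "):
            self.pending.pop(call_id, None)
            self.pinholes.pop(call_id, None)
            return "pinhole closed"
        return "forward"

    def allow_media(self, src, dst, payload: bytes) -> bool:
        """Stateful media check: RTP version 2 with a full fixed header, and an
        endpoint pair that matches an open pinhole in either direction."""
        if len(payload) < 12 or payload[0] >> 6 != 2:
            return False
        return any((src, dst) in holes for holes in self.pinholes.values())


def demo_alg() -> dict:
    """Constructed call: INVITE from 10.1.1.10:49170, 200 OK from 10.2.2.20:3456, then BYE."""
    invite = (b"INVITE sip:bob@example.net SIP/2.0\r\nCall-ID: a84b4c76e66710\r\n"
              b"CSeq: 314159 INVITE\r\nContent-Type: application/sdp\r\n\r\n"
              b"v=0\r\nc=IN IP4 10.1.1.10\r\nm=audio 49170 RTP/AVP 0\r\n")
    ok = (b"SIP/2.0 200 OK\r\nCall-ID: a84b4c76e66710\r\nCSeq: 314159 INVITE\r\n"
          b"Content-Type: application/sdp\r\n\r\n"
          b"v=0\r\nc=IN IP4 10.2.2.20\r\nm=audio 3456 RTP/AVP 0\r\n")
    bye = b"BYE sip:bob@example.net SIP/2.0\r\nCall-ID: a84b4c76e66710\r\nCSeq: 231 BYE\r\n\r\n"
    caller, callee = ("10.1.1.10", 49170), ("10.2.2.20", 3456)
    rtp = bytes([0x80, 0x00]) + b"\x00" * 10 + b"voice"   # constructed RTP packet
    alg = VoipAlg()
    r = {"before_call": alg.allow_media(caller, callee, rtp)}
    r["signalling"] = [alg.on_sip(invite), alg.on_sip(ok)]
    r["caller_to_callee"] = alg.allow_media(caller, callee, rtp)
    r["callee_to_caller"] = alg.allow_media(callee, caller, rtp)
    r["wrong_port"] = alg.allow_media(caller, ("10.2.2.20", 3457), rtp)
    r["not_rtp"] = alg.allow_media(caller, callee, b"GET / HTTP/1.1\r\n\r\n")
    r["after_bye"] = [alg.on_sip(bye), alg.allow_media(caller, callee, rtp)]
    return r


if __name__ == "__main__":
    print(demo_alg())
```

A production SBC or ALG additionally has to handle re-INVITEs that move the media, multiple m= lines, the RTCP port (port + 1 or an a=rtcp attribute), NAT-rewritten addresses, and idle timeouts for calls whose BYE never arrives; the point of the toy is that the filter state is derived from authenticated signalling rather than from a static open port range.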
CHAPTER III REFERENCES
[1] NIST Special Publication 800-58: Security Considerations for Voice Over IP Systems; D. Richard Kuhn, Thomas J. Walsh, Steffen Fries
http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
[2] IETF RFC 791: Internet Protocol (IP) version 4
http://www.ietf.org/rfc/rfc791.txt
[3] IETF RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
http://www.ietf.org/rfc/rfc2460.txt
[4] IETF RFC 2827: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing; IETF RFC 3704: Ingress Filtering for Multihomed Networks
http://www.ietf.org/rfc/rfc2827.txt, http://www.ietf.org/rfc/rfc3704.txt
[5] IETF RFC 3711: The Secure Real-time Transport Protocol (SRTP)
http://www.ietf.org/rfc/rfc3711.txt
[6] IETF RFC 4301: Security Architecture for the Internet Protocol
http://www.ietf.org/rfc/rfc4301.txt
[7] IETF RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1; IETF RFC 4366: Transport Layer Security (TLS) Extensions; IETF RFC 4680: TLS Handshake Message for Supplemental Data; IETF RFC 4681: TLS User Mapping Extension
http://www.ietf.org/rfc/rfc4346.txt, http://www.ietf.org/rfc/rfc4366.txt,
http://www.ietf.org/rfc/rfc4680.txt, http://www.ietf.org/rfc/rfc4681.txt
[8] IETF RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification; IETF RFC 4884: Extended ICMP to Support Multi-Part Messages
http://www.ietf.org/rfc/rfc4443.txt, http://www.ietf.org/rfc/rfc4884.txt
[9] IETF RFC 4302: IP Authentication Header (AH); IETF RFC 4835: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
http://www.ietf.org/rfc/rfc4302.txt, http://www.ietf.org/rfc/rfc4835.txt
[10] IETF RFC 4303: IP Encapsulating Security Payload (ESP); IETF RFC 4835: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
http://www.ietf.org/rfc/rfc4303.txt, http://www.ietf.org/rfc/rfc4835.txt
[11] IETF RFC 4306: Internet Key Exchange (IKEv2) Protocol
http://www.ietf.org/rfc/rfc4306.txt
[12] IETF RFC 3550: RTP: A Transport Protocol for Real-Time Applications
http://www.ietf.org/rfc/rfc3550.txt
[13] IETF RFC 3261: SIP: Session Initiation Protocol; IETF RFC 3265: Session Initiation Protocol (SIP)-Specific Event Notification; IETF RFC 3853: S/MIME Advanced Encryption Standard (AES) Requirement for the Session Initiation Protocol (SIP); IETF RFC 4320: Actions Addressing Identified Issues with the Session Initiation Protocol's (SIP) Non-INVITE Transaction
http://www.ietf.org/rfc/rfc3261.txt, http://www.ietf.org/rfc/rfc3265.txt,
http://www.ietf.org/rfc/rfc3853.txt, http://www.ietf.org/rfc/rfc4320.txt
[14] IETF RFC 3265: Session Initiation Protocol (SIP)-Specific Event Notification
http://www.ietf.org/rfc/rfc3265.txt
[15] IETF RFC 3435: Media Gateway Control Protocol (MGCP) Version 1.0 (section 5); IETF RFC 3661: Media Gateway Control Protocol (MGCP) Return Code Usage
http://www.ietf.org/rfc/rfc3435.txt, http://www.ietf.org/rfc/rfc3661.txt
[16] IETF RFC 2764: A Framework for IP Based Virtual Private Networks
http://www.ietf.org/rfc/rfc2764.txt
[17] IETF RFC 3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6); IETF RFC 4361: Node-specific Client Identifiers for Dynamic Host Configuration Protocol Version Four (DHCPv4)
http://www.ietf.org/rfc/rfc3315.txt, http://www.ietf.org/rfc/rfc4361.txt
[18] IETF RFC 4251: The Secure Shell (SSH) Protocol Architecture
http://www.ietf.org/rfc/rfc4251.txt
[19] IETF STD 62 (RFC 3411): An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks
http://www.ietf.org
[20] IETF RFC 3031: Multiprotocol Label Switching Architecture; IETF RFC 3032: MPLS Label Stack Encoding; IETF RFC 3443: Time To Live (TTL) Processing in Multi-Protocol Label Switching (MPLS) Networks; IETF RFC 4182: Removing a Restriction on the use of MPLS Explicit NULL
http://www.ietf.org/rfc/rfc3031.txt, http://www.ietf.org/rfc/rfc3032.txt,
http://www.ietf.org/rfc/rfc3443.txt, http://www.ietf.org/rfc/rfc4182.txt
[21] IETF RFC 3414: User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3)
http://www.ietf.org/rfc/rfc3414.txt