VoIP over IPSec VPNs.. and some general Security tips

SEC-210 3083_05_2001_c1

Kjetil Berge, Systems Engineer, Cisco Norway

© 2001, Cisco Systems, Inc. All rights reserved.

Upload: samantha-clarke

Post on 26-Mar-2015


Page 2

Agenda

• Why VoIP over VPN ?

• What are the problems ?

• How to solve them ?

• My own VoIP over VPN test

Page 3

John T. Draper

History Hack: Captain Crunch and the Origin of “2600”

• Back in the early 70s phone lines did both signaling and regular voice traffic over the same line

• Using a “Captain Crunch” cereal toy whistle it was possible to generate a sound at 2600Hz which allowed signaling data to be sent to “Ma Bell”

• Building on what was learned with the whistle, tones could then be sent using a “blue box” to call anywhere else for free!

• Steve Wozniak even used a “blue box” to call the Pope posing as then Secretary of State Henry Kissinger

• Moral of the story? Security through obscurity is not security (Unauthenticated control channels are bad).

http://www.webcrunchers.com/crunch

Page 4

General things before we start …

Page 5

Security in the Enterprise

[Diagram: the Enterprise network with connections to the Internet, the IP WAN and the PSTN]

Perimeter Security

• Use firewalls and IP filters to limit access into the Enterprise

• Also, use firewalls to limit access between the user data networks and the IP Telephony, server farm and data center subnets

Network Separation

• Separate the VoIP devices onto their own subnetworks

• RFC 1918 addressing is preferred

• NIDS can be used to examine traffic between subnets for potential threats

Host Security

• Use non-standard access ports if possible

• Eliminate unneeded server OS files, directories and services

• A comprehensive Virus Scanning solution is critical

• Host-based IDS solutions are recommended

Device Access

• Maintain a stringent device/server access policy based on user and subnet

• Use of Time-of-Day or temporary ACLs can augment the IP filters

• Netmgmt traffic must be allowed only from a secure host

Page 6

General things before we start …

• Maintain physical device security

• Use card readers and video surveillance in all data centers and wiring closets

• Restrict telnet access

• Use TACACS+/RADIUS for all devices

• Use SSH or IPsec to protect management and auditing traffic

Page 7

General things before we start …

• Eliminate extraneous router services: HTTP, TCP/UDP Small Servers, Finger, RCP/RSH

• Use neighbor authentication: Routing protocols, HSRP, NTP

• Enable Syslog logging: use NTP synced timestamps

• Configure SNMP securely
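As an added example that is not part of the original slides, the hardening items on this slide and the preceding one (restrict telnet, TACACS+, SSH, remove extraneous services, neighbor authentication, syslog with NTP-synced timestamps, SNMP) expressed as Cisco IOS configuration. The management/NMS host 10.1.1.50, the interface names and every CHANGEME key string are assumptions and placeholders.

```text
! --- Eliminate extraneous router services (HTTP, small servers, finger, rcp/rsh) ---
no ip http server
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip rcmd rcp-enable
no ip rcmd rsh-enable
!
! --- Restrict telnet access: SSH only, and only from the management host ---
! (generate the SSH key pair first with "crypto key generate rsa" in exec mode)
ip domain-name example.com
access-list 10 permit host 10.1.1.50
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
!
! --- TACACS+ for device login, local fallback if the server is unreachable ---
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 10.1.1.50 key CHANGEME
!
! --- Neighbor authentication: routing protocol (OSPF MD5) ---
router ospf 1
 area 0 authentication message-digest
interface Serial0/0
 ip ospf message-digest-key 1 md5 CHANGEME
!
! --- Neighbor authentication: HSRP (plain-text string, max 8 characters) ---
interface FastEthernet0/0
 standby 1 ip 10.1.1.1
 standby 1 authentication CHANGEME
!
! --- Neighbor authentication: NTP, which also gives the syslog timestamps a trusted clock ---
ntp authenticate
ntp authentication-key 1 md5 CHANGEME
ntp trusted-key 1
ntp server 10.1.1.50 key 1
service timestamps log datetime msec localtime show-timezone
!
! --- Syslog to the NMS host ---
logging 10.1.1.50
logging trap informational
!
! --- SNMP: non-default community, read-only, restricted to the management host by ACL 10 ---
snmp-server community CHANGEME RO 10
```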

Page 8

Topology

[Diagram: Headquarters network behind a PIX, with a CallManager Cluster, NMS, VoIP GW/GK, CSPM, DNS/PDC/CA and Syslog hosts on VLANs 100, 101, 102, 160 and 200, split into a Voice network and a Data network; connections to the PSTN and to the IP WAN; a remote site with DNS and optional DHCP]

Page 9

VoIP Enhancements: PAT for SIP and H.323

• Existing H.323 and SIP fixups are enhanced to support PAT

• Allows customers to conserve their IP address space

• The embedded IP address and port in the SIP/H.323 message is translated to the correct PAT, and the correct media connections negotiated during signaling are opened up

• The PIX dynamic PAT timeout value is also modified to be the same as the client registration timeout value that is set when the client registers with the SIP Proxy Server / H.323 Gatekeeper

• Existing commands are used

• Static PAT can be used for SIP Server, H.323 GateKeeper or H.323 endpoints when the port that other endpoints will use to reach them is known ahead of time


Page 11

Customer VPN Expectations

• Customers can run VoIP over their Private WANs today

• IPSec VPNs are Private WAN replacements

• Customers expect/want to run Voice across IPSec VPNs as well

[Diagram: Central/HQ, Regional Sites, Branch Offices, SOHO, Telecommuters and Mobile Users connected through a Virtual Private Network over the Internet/Service Provider]

VPN Deployment Models

• Site to Site

• Site to Site SOHO

• Remote Access

Page 12

Customer VPN Expectations – cont.

VoIP over VPN offers many exciting possibilities:

• Implement VPN WANs to replace the traditional WAN

• Connect home offices via VPN

• Implement IP telephony

• Allows IP telephony at zero cost to home offices and branch offices!


Page 14

Why VoIP over IPSec is a problem

• Crypto engine is FIFO only – Unable to prioritize Voice over Data

• Simple to overload crypto engine with too much traffic

• QoS required both in the Enterprise network and in the ISP network

Page 15

Current Crypto Engine Issues

[Diagram: a FIFO queue feeding the IPSec Crypto Engine]

VoIP packet not prioritized in Crypto; voice quality suffers when the Crypto Engine is congested

• Crypto Engine performance and throughput varies depending upon HW

• Different Crypto engine throughputs result in variable/unacceptable delay when congestion occurs at the Crypto Engine

• FIFO entrance queuing is the issue

Crypto Engine looks like an internal FIFO serial interface inside the router

Page 16

• No support for cRTP for VoIP

• Bandwidth Consumption (50pps)

G.711 + IPSec/GRE = Approx 110kbps per VoIP call

G.729 + IPSec/GRE = Approx 50kbps per VoIP call

• Example – G.729 at 50pps

1) Voice Payload = 8kbps

2) IP + Voice Payload: = 24,000 bps (IP Header = 20bytes)

3) IP + GRE/IPSec + Voice Payload: = 44,800 bps - ESP = 32bytes (Variable)

4) Add Ethernet Header = 51,000bps

Voice over VPN is large!

Page 17

Current VoIP over VPN Support

• Cisco TAC will not support any Voice Quality related issues with regards to Voice over IPSec VPNs

• Customers running VoIP over IPSec VPNs do so understanding traffic is “best effort” with no guarantee of voice quality

Page 18

Agenda

• Why VoIP over VPN ?

• What are the problems ?

• How to solve them ?

– Today's solutions

– What will come later this year

• My own VoIP over VPN test

Page 19

Dual VPN Routers – VoIP and Data through separate Crypto Engines

[Diagram: two pairs of IOS VPN Routers across the Service Provider network, one pair carrying a Data Tunnel and the other a Voice Tunnel]

Separate tunnel for Voice/Data such that Voice packets do not incur delay, jitter or loss

Requires a Service Provider that recognizes ToS/DSCP and provides an SLA

Page 20

VoIP and Data through same Crypto Engine – Today’s efforts

[Diagram: a Cisco IOS Platform on each side of the Service Provider network; a GRE Voice Tunnel and mixed Voice/Data traffic pass through the same IPSec Crypto Engine]

Use prioritized traffic limiting techniques such that encrypted traffic throughputs are limited to where voice has acceptable delay and jitter (prevent Crypto Engine over-subscription)

Test on a per-platform basis the max crypto rate at which VoIP can co-exist with Data such that VoIP delays are acceptable

Page 21

QoS before Crypto Engine: Prevent over-subscription of Crypto Engine

[Diagram: as on the previous slide (Cisco IOS Platforms, GRE Voice Tunnel, Voice/Data through the IPSec Crypto Engine), with two policing points marked]

Option 1: Policing on the L3 boundary before the Crypto router (L3 switch or Router)

Option 2: Police to limit encrypted traffic to throughputs where Voice has acceptable delays

Page 22

What about PIX/3xxx Platforms with no QoS? How to “best” deploy

[Diagram: Headend Cisco IOS Platform and Remote/SOHO PIX/3xxx across the Service Provider network with an IPSec Tunnel between them; external policing on the L3 boundary before the crypto router (L3 switch or Router)]

• PIX/3xxx looks like an external IOS Crypto Engine with regards to QoS

• Must provide external IOS means of preventing PIX/3xxx Crypto engine over-subscription

• PIX/3xxx max Crypto rates for voice and data not tested yet (future)

Remote/SOHO: PC data traffic is throttled to the SOHO WAN link speed, so oversubscribing the HW PIX/3xxx is unlikely – IOS QoS must be performed on the SOHO CPE device
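An added example (not from the slides) of the two policing options from the previous slides in IOS QoS: on the crypto router itself, non-voice traffic is policed inbound on the inside interface before it reaches the crypto engine and EF-marked voice gets a priority queue on the WAN; on an external L3 switch or router in front of a PIX/3xxx, CAR toward the crypto device caps the aggregate. The safe crypto rate (about 1 Mbps), the interface names and the crypto map name VPN are assumptions.

```text
! Assumes voice is marked DSCP EF and that per-platform testing showed the crypto
! engine sustains about 1 Mbps with acceptable voice delay (assumed figure).
!
! Option 2 - on the crypto router: classify on the inside (pre-encryption) interface,
! admit voice untouched and police everything else before it enters the crypto engine.
class-map match-all VOICE
 match ip dscp ef
!
policy-map PRE-CRYPTO
 class VOICE
 ! no policer on voice: it is admitted as-is
 class class-default
  police 768000 16000 16000 conform-action transmit exceed-action drop
!
interface FastEthernet0/0
 description inside LAN, pre-encryption side
 service-policy input PRE-CRYPTO
!
! IPSec copies the ToS byte of the inner packet to the outer header, so the encrypted
! voice packets still match DSCP EF on the WAN interface and can get a priority queue (LLQ).
policy-map WAN-OUT
 class VOICE
  priority 256
 class class-default
  fair-queue
!
interface Serial0/0
 description WAN toward service provider
 service-policy output WAN-OUT
 crypto map VPN
!
! Option 1 - on the L3 switch or router in front of a PIX/3xxx that has no QoS of its own:
! CAR on the interface facing the crypto device, so the aggregate never exceeds the rate
! at which voice delay was tested to be acceptable.
interface FastEthernet0/1
 description toward PIX/3xxx crypto device
 rate-limit output 1000000 187500 375000 conform-action transmit exceed-action drop
```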


Page 24

What is Coming: Crypto LLQ - 1H 2002 CY

[Diagram: High and Low priority queues (LLQ) on the front end of the IPSec Crypto Engine]

• Entrance Queuing to Crypto Engine

• Queue Entrance Criteria must be based on ToS/DSCP

• Crypto-LLQ is required on IOS and new VPN products

• No need for external CAR mechanisms to prevent Crypto Engine Over-subscription

LLQ on “front end” of Crypto Engine to prevent over-subscription

Page 25

Features/Activities roadmap

Phases (columns): VoIP+VPN Baseline, Basic Voice Quality, Enhanced Voice, Remote Access; timeframes 1Q02CY, 1H02CY, 2H02CY, 2H02CY

Features/Activities (rows):

• Voice-VPN Design Guide

• Functional QoS (LLQ for CE)

• Multicast Voice/Video

• Voice-VPN Platform Testing

• Call Bandwidth Minimization

• VoIP+VPN Resiliency (IPSec Stateful Failover)

• Remote Access Voice-VPN (IOS)

• Other enhancements

[Table: an X marks the phase in which each feature/activity is delivered]


Page 27

Local VoIP over VPN testing

[Diagram: Home office and Cisco Norway, each with a PIX (501 and 506) behind an ADSL router running VPN with no QoS, connected through ADSL Service Providers with no QoS]

Page 28

Home office PIX configuration 1/2

Specify which traffic to send via the VPN tunnel:

1) Traffic to CCM network 10.1.1.0

2) Traffic to IP telephones centrally (10.1.120.0)

access-list VPN-acl permit ip 10.200.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-acl permit ip 10.200.1.0 255.255.255.0 10.1.120.0 255.255.255.0

Specify that traffic between

1) local network and CCM network

2) local network and IP phones

is not to be NAT-ed (the no-NAT acl must cover the same flows as the crypto acl):

access-list no-nat-acl permit ip 10.200.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list no-nat-acl permit ip 10.200.1.0 255.255.255.0 10.1.120.0 255.255.255.0

Enable the No NAT acl:

nat (inside) 0 access-list no-nat-acl

Enable Skinny fixup:

fixup protocol skinny 2000

Page 29

Home office PIX configuration

Specify transform sets (I am using DES only):

crypto ipsec transform-set des-transform esp-des esp-md5-hmac
crypto map CiscoAVVID 1 ipsec-isakmp
crypto map CiscoAVVID 1 match address VPN-acl
crypto map CiscoAVVID 1 set peer X.X.X.X
crypto map CiscoAVVID 1 set transform-set des-transform
crypto map CiscoAVVID interface outside
isakmp enable outside

Set up shared key with central PIX:

isakmp key ******** address X.X.X.X netmask 255.255.255.255

Set up ISAKMP policy:

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 36000
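As an added example that is not part of the original slides: the matching configuration on the central (Cisco Norway) PIX, the other end of the tunnel. Its crypto and no-NAT access lists must mirror the home-office ones with source and destination swapped, and its transform set and ISAKMP policy must match the home-office side exactly or phase 1/phase 2 negotiation fails. Y.Y.Y.Y is a placeholder for the home-office PIX outside address.

```text
! Central PIX: inside networks 10.1.1.0/24 (CCM) and 10.1.120.0/24 (IP phones),
! home office network 10.200.1.0/24, home-office peer Y.Y.Y.Y (placeholder)
!
! Crypto acl: exact mirror of the home-office VPN-acl (source/destination swapped)
access-list VPN-acl permit ip 10.1.1.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list VPN-acl permit ip 10.1.120.0 255.255.255.0 10.200.1.0 255.255.255.0
!
! No-NAT acl covering the same flows, so tunnel traffic keeps its private addresses
access-list no-nat-acl permit ip 10.1.1.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list no-nat-acl permit ip 10.1.120.0 255.255.255.0 10.200.1.0 255.255.255.0
nat (inside) 0 access-list no-nat-acl
!
! Skinny fixup so the CCM signaling and RTP media through the PIX are handled
fixup protocol skinny 2000
!
! Decrypted tunnel traffic bypasses the outside interface access-list check
sysopt connection permit-ipsec
!
! Transform set and crypto map: same transform as the home office
crypto ipsec transform-set des-transform esp-des esp-md5-hmac
crypto map CiscoAVVID 1 ipsec-isakmp
crypto map CiscoAVVID 1 match address VPN-acl
crypto map CiscoAVVID 1 set peer Y.Y.Y.Y
crypto map CiscoAVVID 1 set transform-set des-transform
crypto map CiscoAVVID interface outside
isakmp enable outside
!
! Same pre-shared key as configured on the home-office PIX, bound to that peer only
isakmp key ******** address Y.Y.Y.Y netmask 255.255.255.255
!
! ISAKMP policy identical to the home-office side
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption des
isakmp policy 1 hash md5
isakmp policy 1 group 1
isakmp policy 1 lifetime 36000
!
! Verify after bringing up a call: "show crypto isakmp sa" (phase 1 state) and
! "show crypto ipsec sa" (encrypt/decrypt counters per crypto acl entry)
```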