
IMPLEMENT OPENVPN TO ENHANCE VOIP SECURITY
(Vietnamese title: ỨNG DỤNG OPENVPN ĐỂ NÂNG CAO BẢO MẬT CHO CÔNG NGHỆ THOẠI QUA IP (VOICEIP))

Vương Thị Nhung, Hanoi University (Trường Đại học Hà Nội)

Abstract: Voice over IP (VoIP) is increasingly popular; organisations adopt VoIP mainly to cut telephony costs and improve working efficiency. Because VoIP runs over the Internet, it is exposed to the same threats and problems as any networked computer, so countermeasures against VoIP vulnerabilities need to be examined. This article surveys VPN technology and its security protocols as a way to secure VoIP. A virtual private network (VPN) connects the computers of a company, corporation or organisation across the public Internet infrastructure while keeping the transmitted data protected. VPNs can be built on several security protocols, including IPsec, L2TP, PPTP, OpenVPN, IKEv2 and SSTP. The article proposes a model that uses OpenVPN to carry voice traffic: the VPN provides a private tunnel between the callers, and OpenVPN's TLS-based design supplies data confidentiality, data integrity, peer authentication and anti-replay protection. Together these provide a sound basis for securing voice over the Internet.

Keywords: IPsec, Voice over IP, Voice over IP security, VPN, OpenVPN.

I. INTRODUCTION

Voice over IP (VoIP) is increasingly popular, and organisations usually adopt it to reduce telephony costs and improve working efficiency. VoIP (Voice over Internet Protocol) is the technology of carrying human speech over a computer network using the TCP/IP protocol suite [1]. It reuses existing network infrastructure (LAN, WAN, Internet) to transport voice. The technology is based on packet switching, replacing the circuit switching of traditional telephony: many voice channels are multiplexed onto one link and carried over the Internet, which is what lowers the cost [1]. To do this, IP phones, usually with built-in signalling protocols such as SIP or H.323, connect to the enterprise IP PBX or to a service provider. An IP phone can be a desk phone that, instead of connecting to the telephone network over an RJ11 line, plugs directly into the LAN over Ethernet (RJ45), or a soft-phone application installed on a computer [2]. VoIP offers several advantages over the traditional PSTN [2]. International calls are usually far cheaper than on the PSTN because the voice is packetised and carried on the same data network; fax can also run over the IP network, and many VoIP services offer automatic answering, caller display, missed-call lists, call diversion and directories. Running conventional phones and IP phones (wired or wireless) side by side on the LAN keeps business communication going when one of the two fails. VoIP also has drawbacks [2]. A traditional phone is powered from the exchange line and keeps working during a power outage; an IP phone cannot place calls when the power is out. Related to this, home security systems and emergency numbers may not work as expected, and VoIP services may be unable to reach emergency services (ambulance, fire brigade, ...).
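The SIP signalling just mentioned is plain text carried on UDP port 5060, which is what makes the eavesdropping, caller-ID spoofing and flooding attacks discussed in Section II so cheap. The following is an added example, not code from the paper: a minimal SIP request parser that checks an INVITE's From identity against the account the sender authenticated as (caller-ID spoofing), flags datagrams on port 5060 larger than the 65534-byte figure quoted in Section II, and counts INVITEs per source per second against an assumed flood threshold. The hostnames, addresses, threshold and sample messages are constructed for the example.

```python
"""SIP request parser with checks for three of the Section II attacks:
caller-ID spoofing, oversized datagrams on port 5060, and INVITE floods.
Added example, not from the paper; all messages below are constructed."""
import re
from collections import Counter

SIP_PORT = 5060
MAX_SIP_DATAGRAM = 65534       # threshold quoted in Section II
INVITE_FLOOD_PER_SEC = 5       # assumed threshold for this example

# addr-spec inside From/To per RFC 3261: "Name" <sip:user@host;params>;tag=...
_URI_RE = re.compile(r"<?sips?:([^@<>;]+)@([^<>;]+)")
_COMPACT = {"f": "from", "t": "to", "i": "call-id", "v": "via", "m": "contact"}


def parse_sip(text):
    """Return (method, headers) for a SIP request. Header names are
    lower-cased and compact forms expanded; folded lines are not handled."""
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("not a SIP request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header")
        name = name.strip().lower()
        headers[_COMPACT.get(name, name)] = value.strip()
    return parts[0], headers


def uri_user(header_value):
    """User part of the sip:/sips: URI in a From/To header, or None."""
    m = _URI_RE.search(header_value)
    return m.group(1) if m else None


def build_invite(from_user, to_user="2002", host="pbx.example.com"):
    """Construct a minimal INVITE (assumed hostnames, not real traffic)."""
    return (f"INVITE sip:{to_user}@{host} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1\r\n"
            f"From: \"Alice\" <sip:{from_user}@{host}>;tag=a1\r\n"
            f"To: <sip:{to_user}@{host}>\r\n"
            f"Call-ID: c1@192.0.2.10\r\nCSeq: 1 INVITE\r\n"
            f"Content-Length: 0\r\n\r\n").encode()


def analyse(events):
    """events: iterable of (ts_seconds, src_ip, dst_port, auth_user, datagram),
    where auth_user is the account the sender registered/authenticated as.
    Returns a list of (src_ip, finding) tuples in event order."""
    findings = []
    invites = Counter()
    for ts, src, dport, auth_user, datagram in events:
        if dport != SIP_PORT:
            continue
        if len(datagram) > MAX_SIP_DATAGRAM:
            findings.append((src, "oversized datagram on 5060"))
            continue                      # never parse the oversized one
        try:
            method, hdr = parse_sip(datagram.decode("utf-8", "replace"))
        except ValueError as e:
            findings.append((src, f"malformed SIP: {e}"))
            continue
        if method != "INVITE":
            continue
        claimed = uri_user(hdr.get("from", ""))
        if claimed != auth_user:
            findings.append((src, f"caller-id spoof: From={claimed} auth={auth_user}"))
        invites[(src, int(ts))] += 1
        if invites[(src, int(ts))] == INVITE_FLOOD_PER_SEC + 1:
            findings.append((src, "INVITE flood"))   # report once per second
    return findings


# Constructed sample: one honest call, one spoofed From, one flood, one giant.
SAMPLE_EVENTS = (
    [(100.0, "192.0.2.10", 5060, "1001", build_invite("1001"))]
    + [(100.5, "192.0.2.10", 5060, "1001", build_invite("911"))]        # spoof
    + [(101.0 + i / 10, "198.51.100.7", 5060, "1002", build_invite("1002"))
       for i in range(6)]                                                  # flood
    + [(102.0, "203.0.113.9", 5060, "1003", b"INVITE " + b"A" * 70000)]   # giant
)

if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_EVENTS):
        print(src, finding)
```

The spoof check only works because the PBX knows which account each endpoint authenticated as (SIP digest authentication or the VPN client certificate in the model of Section IV); without that binding, a From header is just a string the caller chose.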
VoIP also inherits the problems of routing over broadband connections [2]. The Internet has inherent security problems because equipment and the transmission medium are shared. The newer protocols built specifically for VoIP did not initially address security: the risk of eavesdropping on a VoIP call is high because the packets pass through many intermediaries before reaching the listener, and an intruder who gains unauthorised access can exploit security holes to reach the rest of the network. Because VoIP is new and widely used, this article discusses some security issues of VoIP and proposes a model for protecting phone calls over the Internet.

II. SECURITY ISSUES OF VOICE OVER IP

Because VoIP relies on an Internet connection, it is exposed to every threat and problem that a networked computer faces. The technology is still young, so there is much debate about possible attacks; VoIP endpoints can also be hit by viruses and other malicious code. Attackers can block communication, eavesdrop, impersonate callers by manipulating identifiers, and disrupt the service. Bandwidth-hungry activity such as file downloads and online gaming degrades VoIP quality as well. Several surveys [1][2][3][4] list VoIP security vulnerabilities. Typical attacks include:

Man in the middle: eavesdropping is a greater risk for VoIP because many nodes share the path between caller and receiver. An attacker who captures the IP packets flowing through an intermediate node can reconstruct the call. Free tools, and network-card features that support them, make man-in-the-middle attacks easy.

Unauthorised access: an attacker may break into network resources because of administrative neglect. For example, if the default passwords on the gateway and switches are never changed, an attacker can simply log in. Older switches still use Telnet for remote management, and their plaintext passwords can be recovered by anyone who sniffs the network.

Caller ID spoofing: caller ID lets the called party see the caller's number. Caller ID spoofing is an impersonation technique that sets or changes the displayed number to whatever the attacker chooses. Compared with the traditional telephone network, spoofing a VoIP number is far easier, and many tools and websites offer it.

Denial of service (DoS): a DoS condition arises when a device on the local network becomes the target of a packet flood, causing loss of communication between the nodes of the network [1], [2]. Under DoS, services break down and CPU, bandwidth and other resources are exhausted. For example, some IP phones stop working when they receive UDP packets larger than 65534 bytes on port 5060.

III. VIRTUAL PRIVATE NETWORK

A.
Virtual Private Network

1) Definition

A virtual private network (VPN) is a private network that connects the computers of companies, corporations or organisations across the public Internet infrastructure [5]. The growing need for protected data transmission within an organisation drives the demand for VPN solutions. The trend towards remote, decentralised work in enterprises with many branches, and the growth in mobile employees, further increases the need to reach the company's information resources from outside. A VPN provides remote access to an organisation's resources anytime and anywhere, links branch offices together, and controls the access of customers, suppliers and other external parties to those resources [5].
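Section IV proposes OpenVPN as the concrete VPN for this role, with the OpenVPN and VoIP servers at the central office and branches and remote workers as clients. As an added example (not the paper's own material) of what such a deployment looks like in configuration terms, the following Python renders a hardened OpenVPN server and client configuration for that layout and audits an arbitrary OpenVPN configuration for settings that undermine the tunnel. Subnets, hostnames and file names are assumed; the weak configuration at the end is constructed to show what the audit catches.

```python
"""OpenVPN configuration for the Section IV layout (central office hosts
the OpenVPN and VoIP servers; branches and remote workers are clients),
plus an audit of settings that weaken the tunnel.
Added example, not from the paper. Subnets, hostnames and file names are
assumed; WEAK_SERVER_CONF is constructed to show what the audit flags."""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}


def render_server_conf(voip_subnet="10.10.0.0 255.255.255.0",
                       branch_routes=("10.20.0.0 255.255.255.0",)):
    """Server side: UDP transport (TCP-in-TCP stalls RTP), AEAD data channel,
    TLS 1.2+, tls-crypt on the control channel, per-client routes via ccd."""
    lines = [
        "port 1194", "proto udp", "dev tun", "topology subnet",
        "server 10.8.0.0 255.255.255.0",        # tunnel address pool (assumed)
        "ca ca.crt", "cert server.crt", "key server.key",
        "dh none",                              # ECDH only, no static DH params
        "tls-crypt ta.key",                     # encrypt+authenticate control channel
        "tls-version-min 1.2",
        "remote-cert-tls client",               # client cert must carry clientAuth EKU
        "verify-client-cert require",
        "crl-verify crl.pem",                   # revoke lost phones and laptops
        "data-ciphers AES-256-GCM:AES-128-GCM",
        "cipher AES-256-GCM",                   # fallback for peers older than 2.5
        "auth SHA256",
        "reneg-sec 3600",
        "keepalive 10 60",
        "persist-key", "persist-tun", "user nobody", "group nogroup",
        "client-config-dir ccd",                # ccd/<branch CN> holds 'iroute <net>'
        f'push "route {voip_subnet}"',          # VoIP server subnet at central office
        "mssfix 1300",                          # keep RTP packets from fragmenting
        "explicit-exit-notify 1",
    ]
    lines += [f"route {net}" for net in branch_routes]   # kernel route to branch LAN
    return "\n".join(lines) + "\n"


def render_client_conf(server="vpn.example.com"):
    """Remote worker or branch gateway: pins the server by EKU and CN."""
    return "\n".join([
        "client", "dev tun", "proto udp", f"remote {server} 1194", "nobind",
        "persist-key", "persist-tun",
        "ca ca.crt", "cert client.crt", "key client.key", "tls-crypt ta.key",
        "remote-cert-tls server", f"verify-x509-name {server} name",
        "tls-version-min 1.2", "data-ciphers AES-256-GCM:AES-128-GCM",
        "cipher AES-256-GCM", "auth SHA256",
    ]) + "\n"


def parse_conf(text):
    """Map option name -> list of argument strings (comments stripped)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            opts.setdefault(key, []).append(val.strip().strip('"'))
    return opts


def audit(conf_text):
    """Return findings for an OpenVPN config; an empty list means clean."""
    o = parse_conf(conf_text)
    f = []
    if not any("udp" in p for p in o.get("proto", ["udp"])):
        f.append("proto: TCP tunnel stacks RTP on TCP retransmits; use udp")
    ciphers = set(o.get("cipher", []))
    for v in o.get("data-ciphers", []) + o.get("ncp-ciphers", []):
        ciphers.update(v.split(":"))
    if ciphers & WEAK_CIPHERS or not ciphers & AEAD_CIPHERS:
        f.append(f"cipher: weak or non-AEAD data channel {sorted(ciphers)}")
    if any(a.upper() in ("NONE", "MD5") for a in o.get("auth", [])):
        f.append("auth: HMAC disabled or MD5")
    if not (o.keys() & {"tls-auth", "tls-crypt", "tls-crypt-v2"}):
        f.append("control channel: no tls-auth/tls-crypt, TLS port open to probing and DoS")
    if o.get("tls-version-min", ["1.0"])[0] < "1.2":
        f.append("tls-version-min: TLS below 1.2 accepted")
    if "comp-lzo" in o or "compress" in o:
        f.append("compression: VORACLE-style plaintext recovery possible")
    if "remote-cert-tls" not in o:
        f.append("remote-cert-tls: EKU not checked, any cert from the CA is accepted")
    if "client-cert-not-required" in o or o.get("verify-client-cert", ["require"])[0] != "require":
        f.append("client certificate not required")
    if "duplicate-cn" in o:
        f.append("duplicate-cn: one leaked certificate serves unlimited peers")
    return f


# Constructed weak server config: what a quick-and-dirty deployment looks like.
WEAK_SERVER_CONF = """\
port 1194
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
cipher BF-CBC
auth none
comp-lzo
client-cert-not-required
duplicate-cn
"""

if __name__ == "__main__":
    print(render_server_conf())
    for finding in audit(WEAK_SERVER_CONF):
        print("WEAK:", finding)
```

The `proto udp` and `mssfix` lines are the voice-specific choices: RTP already tolerates loss, and wrapping it in a TCP tunnel turns every lost packet into a retransmission stall for the whole call. The per-branch `iroute` files under `ccd/` are what turn the same server into a site-to-site hub for branch LANs while remote workers connect as ordinary clients.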
VPNs offer several advantages [5], including:
- Cost saving: compared with leased lines, a VPN is cheaper to set up because it runs over the Internet.
- Flexibility: a VPN removes the geographical barrier; private networks can be joined easily across the Internet.
- Increased security: transmitted data is hidden from unauthorised users and visible only to authorised ones. VPNs use encapsulation protocols, encryption algorithms and authentication methods to protect data in transit.
- Hidden internal addressing: because the traffic inside the VPN is encrypted, the private addresses of the internal network are shielded, and only the public addresses of the gateways appear on the Internet.

2) Types of VPN

VPN technology falls into two basic types: site-to-site VPN and remote-access VPN [6].

Site-to-site VPN, also called router-to-router VPN, is common in companies and large enterprises. Many companies have branches across the country or the world, and they use a site-to-site VPN to connect the main office network with the branches; this form is called an intranet VPN. A site-to-site VPN is also useful for links between a company and external parties, called an extranet VPN. In simple terms, a site-to-site VPN builds a virtual bridge between remote networks over an Internet connection so that information travels between them protected.

Remote-access VPN serves mobile workers and home workers who want to reach the corporate network securely, and also small remote offices connecting to the central office. It is also called user-to-server VPN: the remote user runs VPN client software that connects to the VPN server.

B.
VPN protocols

1) PPTP

Developed by Microsoft, the Point-to-Point Tunneling Protocol (PPTP) creates a virtual private network on top of a dial-up style PPP connection. From its appearance PPTP was widely used as a standard VPN protocol; it was the first VPN protocol supported by Windows, and it authenticates with methods such as MS-CHAP v2, still the most widely deployed [5]. PPTP's advantages are easy setup and low resource consumption, which is why many businesses chose it. Although it uses 128-bit encryption (MPPE), PPTP has serious weaknesses, the most severe being MS-CHAP v2 authentication [5]: the handshake reduces to a single DES key search, so a captured session can be broken in well under a day with dedicated hardware, and the encryption keys derived from that handshake fall with it. Because the flaw is in the protocol design, Microsoft responded with an advisory rather than a patch and recommends alternative protocols such as SSTP or L2TP/IPsec.

2) L2TP

Before the L2TP standard (August 1999), Cisco used Layer 2 Forwarding (L2F) as its protocol for VPN connections. L2TP came later and merged the features of Cisco's L2F with Microsoft's Point-to-Point Tunneling Protocol (PPTP). Microsoft supports both PPTP and L2TP from Windows NT and Windows 2000 onwards. L2TP creates independent, multi-protocol tunnels for dial-up virtual private networks (Virtual Private Dial-up Network, VPDN), letting users connect through the corporate security policy and extend the corporate intranet [5]. L2TP itself provides no encryption; in practice it is combined with IPsec (L2TP/IPsec). Because it combines PPP with L2F, it works well for dial-up, ADSL and other remote-access networks, and the PPP layer lets remote users authenticate and obtain addresses.

3) IPsec

IPsec is part of many "standard" VPN solutions, especially site-to-site VPNs that join two LANs. In tunnel mode IPsec protects the packets exchanged between two gateways, or between a client and a gateway. IPsec operates at the network layer, so unlike L2TP and PPTP it does not depend on the data-link layer [5][7]. IPsec supports many algorithms for the integrity, confidentiality and authentication of data crossing a public network. Its mechanisms provide four common properties: data confidentiality, data authentication, data integrity and anti-replay [5][7].
Peer authentication is done through Internet Key Exchange (IKE), either with digital certificates, the more secure method, or with a pre-shared key. A correctly configured IPsec VPN protects against most common attacks, including denial of service, replay and man-in-the-middle.

4) IKEv2

IKEv2 (Internet Key Exchange version 2) is the key-management protocol for IPsec tunnels, developed jointly by Microsoft and Cisco. It is built into Windows 7 onwards, Linux and other platforms, including BlackBerry; Microsoft markets it as VPN Connect. It re-establishes the VPN connection automatically when the link is interrupted, and with the MOBIKE (Mobility and Multihoming) extension it survives changes of IP address, which makes roaming between networks easy. It is also one of the few VPN protocols available on BlackBerry devices. Although client support is narrower than for L2TP/IPsec, IKEv2 matches it in stability, security and performance [6].

5) OpenVPN

OpenVPN is open-source software that implements VPN techniques for secure point-to-point and site-to-site connections [5][7]. It uses its own security protocol, with SSL/TLS for the control channel and key exchange. It was written by James Yonan and released under the GNU General Public License (GPL). Peers can authenticate each other with a pre-shared static key, a public-key infrastructure (certificates) or a username and password; in the multi-client server configuration each client receives its own certificate from the server's CA. OpenVPN relies on the OpenSSL library and the TLS protocol and has many security and control features. Its speed depends on the cipher in use and is usually reported as faster than IPsec. OpenVPN is not built into any operating system, although most VPN services include it and third-party clients exist for Windows, macOS, Linux, Android and iOS. Ease of setup is hard to compare with L2TP/IPsec and PPTP because many different OpenVPN client packages are in use. No practical break of a properly configured OpenVPN tunnel is publicly known, and with strong ciphers it is widely regarded as one of the most secure VPN protocols available.

6) SSTP

Introduced by Microsoft in Windows Vista Service Pack 1, the Secure Socket Tunneling Protocol (SSTP) is now also available on SEIL, Linux and RouterOS, but is used mainly on Windows. It tunnels PPP over SSL/TLS, so like OpenVPN it passes through NAT devices and firewalls easily. SSTP is stable and easy to use, especially on Windows. However, it is a proprietary Microsoft protocol, and because of that, and of the reported cooperation between Microsoft and the NSA, some assessments rate its security lower [6].

IV.
THE PROPOSED MODEL

After comparing the VPN security protocols above, this article proposes OpenVPN to protect voice transmission over the public Internet. A VPN protocol provides a private tunnel between senders and receivers, that is, between callers. Deploying a VPN secures not only VoIP but also the other services that travel through the tunnel, such as internal e-mail and file sharing. Data and voice are encrypted, so an intruder cannot read them, and a man-in-the-middle cannot eavesdrop because the traffic is visible only to authenticated peers. OpenVPN offers good performance, which matters for voice, where delay and loss are immediately audible. The other VPN protocols use popular, standardised algorithms available on many platforms; the paper regards this as a double-edged property, since those protocols have been studied for a long time and are familiar targets for attackers and security researchers alike.

A typical site-to-site OpenVPN model for VoIP is shown in Figure 1.

Figure 1: OpenVPN model for VoIP

An OpenVPN server is set up at the central office together with the VoIP server. Remote connections may be remote workers running the OpenVPN client, IP phones, or a network of analogue phones behind a gateway, all making VoIP calls to the main office. Branches use OpenVPN both for remote access to the central office and for VoIP, fax and local applications or services. With OpenVPN, users at any location or branch can make VoIP calls through a private tunnel in which data is encrypted and users are authenticated, protecting both voice and data in transit.

V. CONCLUSION

This article proposes an OpenVPN model to secure VoIP transmission. OpenVPN has some drawbacks, such as a complex configuration and a model better suited to large enterprises, but it remains a good solution for VoIP security, providing confidentiality, integrity and authentication, and giving organisations cheap, protected phone calls compared with conventional telephony.

REFERENCES

[1] Shaw, U. & Sharma, B. (2016). A survey paper on voice over internet protocol (VOIP). International Journal of Computer Applications, 139(2), 16-22.
[2] Ransome, J. F. & Rittinghouse, J. (2005). VoIP Security. Elsevier Digital Press.
[3] Hasan, M. Z. & Hussain, M. Z. (2017). Collective study on security threats in VOIP networks. International Journal of Scientific and Technology Research, 6(1).
[4] Mentsiev, A. U. & Dzhangarov, A. I. (2019). VoIP security threats. Инженерный вестник Дона, 1(52).
[5] Angelo, R. (2019). Secure protocols and virtual private networks: An evaluation. Issues in Information Systems, 20(3).
[6] Wu, Z. & Xiao, M. (2019). Performance evaluation of VPN with different network topologies. In 2019 IEEE 2nd International Conference on Electronics Technology (ICET) (pp. 51-55). IEEE.
[7] Novickis, T., Poll, E. & Altan, K. (2016). Protocol state fuzzing of an OpenVPN. MSc thesis (Kerckhoffs Master in Computer Security), Radboud University Nijmegen, The Netherlands.