
Network Security 2012

Las Vegas, NV | Sun, Sep 16 - Mon, Sep 24, 2012

SEC540: VoIP Security

Mon, September 17 - Sat, September 22, 2012

I have a security background and interface with engineers/developers every day in my role; I found SEC540 very useful.

Devika Y, Bloomberg

Thank you. I loved this course! Really informative content, great approach.

Jonathan Gardner, Cisco

If your organization utilizes voice communications or is thinking of migrating to VoIP (Voice over IP), you need to master VoIP security best practices and technologies in order to design, deploy, and audit trusted VoIP infrastructures. The best way to secure a VoIP network is to incorporate security in the design right from the beginning. However, even if you have security concerns about an existing VoIP network, this course will teach you all of the tips and tricks to protect your critical VoIP networks. You will learn practical tasks that you can directly apply when you go back to work.

VoIP has become a widely adopted technology, and it's here to stay. VoIP protocols and technologies, and especially VoIP security, are among the most complex fields in IT today. This course offers the in-depth knowledge required to understand how VoIP technologies work at the protocol level (mainly focusing on SIP and RTP). A detailed in-class analysis of infrastructure, signaling, and media attacks will reveal the security risks of VoIP networks for service providers, carriers, and enterprises, and students will be shown how to mitigate these risks.

By helping you understand how VoIP protocols work and giving you hands-on experience with attack mechanisms that impact your VoIP environment, this challenging course helps you design, build, and assess a secure VoIP architecture.

We will cover various VoIP attacks from VoIP signaling and media eavesdropping, caller ID impersonation, and VoIP authentication cracking to man-in-the-middle call manipulation and media injection. We will then examine multiple cutting-edge solutions, security devices, standards, and countermeasures that can be used to alleviate these vulnerabilities and threats, detailing the strengths and weaknesses of each, while guiding you through the best tools for securing your VoIP network.

As part of the course, you will receive a software VoIP PBX based on Trixbox (Asterisk), an audio headset, and several VoIP analysis and attack tools. This toolkit will help you build your own VoIP infrastructure, gain hands-on experience, and learn the attack tools used to exploit VoIP vulnerabilities from the attacker perspective. You'll learn to understand the insight gained from VoIP penetration testing, which you will be able to apply to protect your VoIP infrastructure from attacks. The extensive hands-on labs, plus the instruction from industry VoIP security experts, provide you with the skills needed to architect and evaluate your VoIP infrastructure.

The course includes an extensive list of references for each module for further analysis and staying up to date in future VoIP security trends.

Course Syllabus

Paul A. Henry
Mon Sep 17th, 2012
9:00 AM - 5:00 PM


The VoIP field is very complex, with multiple technologies, standard and proprietary protocols, and components. This day starts with a brief introductory overview about VoIP concepts and devices and hands-on guidance to build the VoIP infrastructure used in the rest of the course.

  • Overview of the Voice over Internet Protocol (VoIP), its benefits and risks, main concepts, and VoIP devices
  • Understanding key problems, issues, and misconceptions in deploying VoIP
  • Lessons learned and key pitfalls to avoid

In order to gain hands-on experience, students will learn how to configure and secure Asterisk, an open source VoIP PBX. Configuring and designing a real VoIP server will help reinforce the security issues and countermeasures that have to be deployed.

  • Overview of Trixbox and Asterisk
  • Detail on how to build the per-student lab environment used to complete all the course labs
  • Installing and configuring Asterisk and testing the lab
  • Securing Asterisk

CPE/CMU Credits: 6


  • Review of VoIP concepts and components
  • Building a VoIP infrastructure
  • VoIP standard bodies
  • VoIP signaling, media and support protocols
  • VoIP protocols identification
  • Wireshark filters for SIP/SDP and RTP/RTCP identification
  • VoIP signaling protocols analysis
  • SIP requests, methods and responses
  • SIP and SDP message format
  • SIP behavior and call flow diagrams
  • Wireshark techniques for SIP/SDP analysis
  • VoIP media protocols analysis
  • RTP/RTCP message format
  • RTP/RTCP behavior and call flow diagrams
  • Wireshark techniques for RTP/RTCP analysis
  • ARP spoofing and MitM attacks
  • VoIP reconnaissance
  • Google hacking for VoIP infrastructures
  • VoIP network scanning

Paul A. Henry
Tue Sep 18th, 2012
9:00 AM - 5:00 PM


On day two the course directly jumps into the VoIP protocols world, introducing the main VoIP standards bodies and the most important VoIP signaling, media, and support protocols.

  • VoIP standard bodies: IETF and ITU
  • VoIP signaling protocols: SIP, H.323, MGCP, and Megaco/H.248
  • VoIP media protocols: RTP and RTCP
  • VoIP support protocols: DNS, DHCP, NTP, HTTP, SNMP, and TFTP
  • VoIP proprietary protocols: Cisco Skinny (SCCP), IAX2, and Skype

One of the most critical skills for network engineers and security professionals is mastering the identification and analysis of network protocols. The course provides hands-on techniques to identify and analyze VoIP signaling and media protocols using Wireshark, focusing on SIP/SDP and RTP/RTCP. In order to understand all further VoIP attacks in detail, it is mandatory to be able to perform an in-depth analysis of the protocols' behavior, message types, call flow diagrams, and packet contents. The course dissects the SIP, SDP, RTP, and RTCP protocols to provide you with this in-depth knowledge. The main goal is to understand the details of the signaling and media protocols (SIP and RTP), the packet format, and how to analyze the stages of a SIP and RTP connection.

  • VoIP protocols identification and hands-on analysis using Wireshark: SIP/SDP and RTP/RTCP
  • VoIP signaling protocols analysis: SIP messages (requests, methods and responses), SIP and SDP message format, SIP behavior and call flow diagrams, and hands-on SIP/SDP analysis using Wireshark
  • VoIP media protocols analysis: RTP/RTCP message format, RTP/RTCP behavior and call flow diagrams, and hands-on RTP/RTCP analysis using Wireshark

CPE/CMU Credits: 6


Auditor's role in relation to

  • Policy creation
  • Policy conformance
  • Incident Handling

Benefits of various auditing standards and certifications

  • ISACA and CISA
  • GSNA
  • CIA and the IIA

Basic auditing and assessing strategies

  • Baselines
  • Time based security
  • Thinking like an auditor
  • Developing auditing checklists from policies and procedures
  • Effective risk assessment

The six-step audit process

  • How the steps interrelate
  • How to effectively conduct an audit
  • How to effectively report the findings

Paul A. Henry
Wed Sep 19th, 2012
9:00 AM - 5:00 PM


Many organizations are deploying VoIP infrastructures, but few take the time to examine their deployment to ensure the infrastructure meets organizational requirements for security. This day examines the various threats that target VoIP environments, and multiple attack techniques and tools that leverage protocol and implementation weaknesses to compromise VoIP security.

Taking an in-depth look at these techniques and tools, understanding how they work and the flaws they exploit, and practicing with them will help you make informed decisions to best accommodate the balance of usability, quality, performance and security that is appropriate for your organization. This day explores in depth tools and techniques focused on the VoIP signaling threats.

CPE/CMU Credits: 6


VoIP signaling attacks: (SIP-based)

  • Identification of VoIP devices
  • SIP enumeration (SIP register, options, and invite methods) and VoIP wardialing
  • VoIP-based vulnerability scanning
  • SIP eavesdropping: number harvesting and call pattern tracking
  • SIP authentication cracking and guessing
  • Caller ID spoofing: techniques, services, and scenarios
  • SIP manipulation attacks: SIP registration (removal, addition, and hijacking methods) and redirection attacks
  • Advanced Man-in-the-Middle (MitM) signaling attacks and scenarios

Paul A. Henry
Thu Sep 20th, 2012
9:00 AM - 5:00 PM


While understanding the attacks against signaling protocols is important, the real threat to a VoIP environment is compromise of the media protocols. The media protocol is where the "live" conversation is transmitted across the wire. Attacks against the media protocols can range from denial of service attacks to unauthorized recording of phone conversations.

CPE/CMU Credits: 6


VoIP Media Attacks: (RTP-based)

  • RTP eavesdropping: voice conversations and DTMF tones
  • RTP recording
  • RTP manipulation: replacing, inserting, and mixing audio in standard and MitM scenarios

Paul A. Henry
Fri Sep 21st, 2012
9:00 AM - 5:00 PM


After these attacks are dissected and understood, it is time to implement mitigation techniques, defenses, and countermeasures surrounding secure VoIP protocols and VoIP security devices. These elements provide multiple options to design and build a secure VoIP architecture. Only through an in-depth knowledge of the available VoIP secure protocols at the network, signaling, media, and key-exchange levels is it possible to protect the VoIP traffic and the sensitive contents exchanged through it. The protocols are complemented by VoIP security devices.

CPE/CMU Credits: 6


VoIP security devices:

  • NAT devices/firewalls scenarios and issues
  • Solutions to overcome NAT/Firewall traversal VoIP scenarios through protocols like STUN, TURN or ICE, or security gateways
  • Application-Layer Gateways (ALGs) analysis
  • Session Border Controllers (SBCs) analysis

New VoIP security standards are still being designed and ratified. The course dissects and compares all of them and their specific details because this is what makes the difference in determining the best solution for your environment. The current state of the art and best practices for all these secure VoIP protocols are analyzed. This VoIP defenses analysis is complemented with questions addressed to your VoIP vendor and service provider that guide you to select the best VoIP security solution based on your needs.

Secure VoIP protocols:

  • Network protocols: VLANs, port security controls, and 802.1x/EAP
  • Signaling protocols: SIP MD5 authentication, Secure SIP (SIPS or SIP/TLS), SIP over DTLS, S/MIME, SIP over IPSec, and SIP identity
  • Media protocols: SRTP, secure call recording, and RTP over IPSec
  • Key-exchange protocols: MIKEY, SDescriptions, ZRTP, and DTLS-SRTP

Paul A. Henry
Sat Sep 22nd, 2012
9:00 AM - 5:00 PM


The last day covers the most relevant VoIP infrastructure and network attacks with the goal of emphasizing how important it is to build a secure VoIP infrastructure on top of a secure network architecture. Some of the network-based attacks with a higher impact on the VoIP infrastructure are analyzed as well as the best architecture practices to protect the VoIP infrastructure against these threats.

CPE/CMU Credits: 6


  • VoIP supporting infrastructure: VoIP-related overview, attacks and countermeasures for DNS, DHCP, TFTP, HTTP, SNMP, ARP and Man-in-the-Middle (MitM), port scanning, and banner grabbing
  • The risks of unified communications and how to mitigate them through network segregation: VLANs, the VoIP softphone paradox, VLAN attacks, VLANs and VoIP hardphones, VoIP hopping attacks, and network segregation countermeasures
  • VoIP environment awareness: publicly available information and intelligence gathering through Google hacking VoIP, WHOIS, Netcraft, Google groups, Job boards, etc.

The VoIP security lectures are supplemented by hands-on labs focused on identifying devices on a VoIP infrastructure and complementing the initial reconnaissance results with more advanced vulnerability scanning and VoIP usernames and phone extensions enumeration techniques. Additionally, the signaling labs are rounded out with SIP-based manipulation attacks using advanced MitM tools and techniques.

VoIP media vulnerabilities are demonstrated and practiced using eavesdropping and advanced RTP manipulation attacks. Finally, the VoIP countermeasures modules contain technical security checklists aimed to evaluate the VoIP security capabilities and supported features and protocols offered by your VoIP vendor(s) or service provider(s).

Additional Information

"The SANS SEC540 VoIP class is quite technical, but I would highly recommend it for any manager considering the implementation of VoIP in their network. Many are simply blinded by the huge potential savings from VoIP and fail to understand or recognize the inherent risks associated with it. SANS clearly outlines the risks literally hands-on that every manager must be aware of when implementing VoIP." Paul A. Henry

To get the most value out of the course, you are required to bring your own laptop so that you can complete all the labs and hands-on exercises. It is your responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network and follows the prerequisites below.

It is critical that you have administrator access to the operating system and all security software installed. Changes need to be made to personal firewalls and other host-based software in order for the labs to work.

Mandatory Laptop Hardware Requirements

  • x86-compatible 1.5 GHz CPU Minimum or higher
  • CD/DVD Drive
  • 4GB RAM minimum or higher
  • Ethernet adapter
  • 16 Gigabyte available hard drive space
  • Free USB port for the audio headset (provided by SANS)

Operating System

You are required to have Windows 7 or alternatively Windows XP installed and configured. An understanding of both Windows and Unix/Linux is required to understand the labs.


VMware Player or VMware Workstation is required for the class. You will use VMware to run either Windows 7 or Windows XP as the native laptop OS and a Linux guest operating system (in a virtual machine) simultaneously when performing exercises in class. If you're not using Windows as a base operating system on the laptop, you must bring a licensed virtual machine for Windows XP or Windows 7.

You must have either the free VMware Player 1.0 or later or the commercial VMware Workstation 5.0 or later installed on your system prior to coming to class. You can download VMware Player for free at the VMware web site. Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from the VMware web site. VMware will send you a time-limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player.

Additional Software


Some of the course exercises are based on Windows, while others focus on Linux. We will provide a Linux virtual machine (customized Trixbox version) with all the Linux-based tools pre-installed, which runs within VMware Player or VMware Workstation, to complete the Linux exercises. We will also give you a CD with tools and traffic capture files to experiment with during the class and take home for later analysis.

If you have any questions regarding these requirements, please contact laptop_prep@sans.org.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

  • Network professionals who are responsible for designing and deploying secure VoIP infrastructures.
  • Security professionals who are concerned about the weaknesses of VoIP environments.
  • Members and leaders of incident handling teams who are interested in adding VoIP to their analysis and response capabilities.
  • Service provider professionals who are interested in adding security to their VoIP offerings.
  • Penetration testers who want to include VoIP security assessments in their organization's services offerings.
  • Auditors who must evaluate VoIP infrastructures to ensure they meet an acceptable level of risk.

Students should have a working knowledge of TCP/IP networks and protocols, general security attacks and defenses, and VoIP concepts and experience in the design or deployment of network and security technologies.

Author Statement


When VoIP is mentioned, two main concepts emerge into people's minds: lowering telecommunication costs, and security. Obviously, VoIP provides a lot of advantages versus the legacy voice infrastructures, where cost reduction, computer application integration, and unified communications seem to be the most notorious. However, many organizations do not think of security when they implement VoIP. While VoIP has many benefits, it changes the rules on security. At the same time, it is interesting to analyze the level of trust we have in the legacy telephony infrastructures, like the PSTN or cellular networks (GSM, GPRS, or UMTS). We believe they are completely secure and that only law enforcement, or high-technology spies (like those in the movies), would be able to control our voice calls. This level of trust is associated with its closed and proprietary nature, versus the open and distributed nature of VoIP infrastructures, and it is what sets our expectation of privacy and level of trust in these networks, making us think VoIP is inherently insecure.

However, nothing could be further from the truth. If implemented properly and securely, VoIP infrastructures can be more secure and trustworthy than the legacy voice networks. A couple of basic scenarios can exemplify this statement. Nowadays, caller ID spoofing is trivial and unavoidable in the PSTN; however, strong authentication methods are available in VoIP to mitigate impersonation attacks. Similarly, voice conversations crossing the PSTN travel in the clear, so anyone in the path between caller and callee can intercept and listen to the conversation. VoIP allows applying strong encryption techniques to protect the audio contents of a voice call and avoid eavesdropping attacks. The solutions are available; you only need to learn them and know how to deploy them. This advanced course is designed to provide you with the skills required to do so and master VoIP security.

-- Dr. Eric Cole

Voice Over IP (VoIP) has become commonly used by enterprises, service providers and consumers. In particular, enterprises are converting their legacy PBXs, phones, adjunct systems, and even public trunking to VoIP. While VoIP offers many advantages, including new features, potentially lower costs, easier administration, and so on, it does introduce new security challenges.

Voice security issues, whether they are with legacy or VoIP, continue to be a major concern for enterprises. These issues are present whether VoIP is used or not. VoIP itself can make voice application issues a greater concern and introduces new vulnerabilities, which are inherent in any IP-based application. VoIP introduces new systems, applications, and protocols, each of which adds new vulnerabilities.

The class introduces voice and VoIP, along with the key VoIP protocols, such as SIP, H.323, and RTP. The class covers the different types of attacks, including scanning, social/application attacks, and IP network infrastructure attacks, as well as entirely new attacks unique to VoIP. The class wraps up with a discussion on countermeasures, including VoIP security devices, standards-based protocols, architectures and best practices. After attending the class, you will understand the basics of VoIP, the attacks you need to worry about the most, and how to address them in your enterprise.

-- Mark Collier

As VoIP deployments continue to increase in enterprises, the opportunity and likelihood to exploit the VoIP resources will continue to increase. This will include toll fraud attacks, denial of service attacks and other exploits of opportunity that will result in loss of data, privacy or potentially revenue.

One of the things we can do as information security professionals is to raise awareness of VoIP security issues within our organization and to ensure that we practice good VoIP security as we would practice good network security. The goal of the SEC540 VoIP Security class is to provide organizations with tools and a methodology necessary to both assess and secure VoIP networks against common attacks.

-- Brian Lutz