Network Security 2012

Las Vegas, NV | Sun, Sep 16 - Mon, Sep 24, 2012

SEC540: VoIP Security

The previous generation SEC540 VoIP Security course at SANS has been a great course that focused on an Asterisk PBX environment with soft-client phones. The course taught students valuable lessons in performing fundamental penetration tests on a VoIP environment using open-source tools and also taught students how to then remediate the issues that they discovered in the labs.

The updated SEC540 VoIP course has now been expanded to include numerous new and updated labs to reflect current threats: VoIP network scanning & enumeration, password attacks & registration hijacking, two-stage dialing, caller ID spoofing, Metasploit 5 R3 VoIP hacking tools usage, extensive toll fraud coverage including the theft of VoIP minutes, sniffing & unauthorized call recording, call audio injection, covert tunnels over RTP, Vishing & SPAM (SPIT) and TDoS, just to name a few.

Perhaps more importantly, SEC540 is no longer limited only to an Asterisk PBX & soft-client environment. The class labs now utilize multiple popular open-source and commercial VoIP / UC platforms. It begins with coverage of Retail VoIP (Vonage, Magic Jack, etc.) to reinforce the students' understanding of VoIP protocol basics, as well as to get students used to working hands-on with the tools used in the class. We move on to VoIP for the Small Business with both Asterisk and FreeSwitch implementations using Cisco phones and soft-clients, then on to the Cisco UC320 appliance with Cisco phones over both wired and wireless networks, as well as covering Hosted VoIP / UC. Then, to bridge the small to medium business and enterprise class VoIP & UC environments, we move on to the Barracuda CudaTel appliance using Polycom phones. From here we advance to Enterprise VoIP & UC, focusing primarily on Cisco with Unified Communications Manager, Cisco Unity, Cisco Unified Presence and Cisco Unified Contact Center Express, and also our lab implementation of a Microsoft Lync environment. As always at SANS we cover the remediation of each weakness that is demonstrated in the respective hands-on lab!

If you're considering an implementation of a VoIP & UC environment for the first time or adopting hosted VoIP you will learn how to do it securely. If you have already implemented a VoIP & UC solution you will learn how to mitigate the inherent risks of VoIP & UC by properly securing what you already have. If you are considering expanding your VoIP & UC environment to include BYOD devices you will learn to minimize the associated risks. Regardless of your organization's size or where you are in your VoIP & UC implementation roadmap the SANS SEC540 VoIP & UC Security course has something you can literally take away and put to use immediately!

Course Syllabus

Paul A. Henry
Mon Sep 17th, 2012
9:00 AM - 5:00 PM


The VoIP field is very complex, with multiple technologies, standard and proprietary protocols, and components. This day starts with a brief introductory overview about VoIP concepts and devices and hands-on guidance to build the VoIP infrastructure used in the rest of the course.

  • Overview of the Voice over Internet Protocol (VoIP), its benefits and risks, main concepts, and VoIP devices
  • Understanding key problems, issues, and misconceptions in deploying VoIP
  • Lessons learned and key pitfalls to avoid

In order to gain hands-on experience, students will learn how to configure and secure Asterisk, an open source VoIP PBX. Configuring and designing a real VoIP server will help reinforce the security issues and countermeasures that have to be deployed.

  • Overview of Trixbox and Asterisk
  • Detail on how to build the per-student lab environment used to complete all the course labs
  • Installing and configuring Asterisk and testing the lab
  • Securing Asterisk

CPE/CMU Credits: 6


  • Review of VoIP concepts and components
  • Building a VoIP infrastructure
  • VoIP standard bodies
  • VoIP signaling, media and support protocols
  • VoIP protocols identification
  • Wireshark filters for SIP/SDP and RTP/RTCP identification
  • VoIP signaling protocols analysis
  • SIP requests, methods and responses
  • SIP and SDP message format
  • SIP behavior and call flow diagrams
  • Wireshark techniques for SIP/SDP analysis
  • VoIP media protocols analysis
  • RTP/RTCP message format
  • RTP/RTCP behavior and call flow diagrams
  • Wireshark techniques for RTP/RTCP analysis
  • ARP spoofing and MitM attacks
  • VoIP reconnaissance
  • Google hacking for VoIP infrastructures
  • VoIP network scanning

Paul A. Henry
Tue Sep 18th, 2012
9:00 AM - 5:00 PM


On day two the course directly jumps into the VoIP protocols world, introducing the main VoIP standards bodies and the most important VoIP signaling, media, and support protocols.

  • VoIP standard bodies: IETF and ITU
  • VoIP signaling protocols: SIP, H.323, MGCP, and Megaco/H.248
  • VoIP media protocols: RTP and RTCP
  • VoIP support protocols: DNS, DHCP, NTP, HTTP, SNMP, and TFTP
  • VoIP proprietary protocols: Cisco Skinny (SCCP), IAX2, and Skype

One of the most critical skills for network engineers and security professionals is mastering the identification and analysis of network protocols. The course provides hands-on techniques to identify and analyze VoIP signaling and media protocols using Wireshark, focusing on SIP/SDP and RTP/RTCP. In order to understand all further VoIP attacks in detail, it is mandatory to be able to perform an in-depth analysis of the protocols' behavior, message types, call flow diagrams, and packet contents. The course dissects the SIP, SDP, RTP, and RTCP protocols to provide you with this in-depth knowledge. The main goal is to understand the details of the signaling and media protocols (SIP and RTP), the packet formats, and how to analyze the stages of a SIP and RTP connection.

  • VoIP protocols identification and hands-on analysis using Wireshark: SIP/SDP and RTP/RTCP
  • VoIP signaling protocols analysis: SIP messages (requests, methods and responses), SIP and SDP message format, SIP behavior and call flow diagrams, and hands-on SIP/SDP analysis using Wireshark
  • VoIP media protocols analysis: RTP/RTCP message format, RTP/RTCP behavior and call flow diagrams, and hands-on RTP/RTCP analysis using Wireshark

CPE/CMU Credits: 6


Auditor's role in relation to

  • Policy creation
  • Policy conformance
  • Incident Handling

Benefits of various auditing standards and certifications

  • ISACA and CISA
  • GSNA
  • CIA and the IIA

Basic auditing and assessing strategies

  • Baselines
  • Time based security
  • Thinking like an auditor
  • Developing auditing checklists from policies and procedures
  • Effective risk assessment

The six-step audit process

  • How the steps interrelate
  • How to effectively conduct an audit
  • How to effectively report the findings

Paul A. Henry
Wed Sep 19th, 2012
9:00 AM - 5:00 PM


Many organizations are deploying VoIP infrastructures, but few take the time to examine their deployment to ensure the infrastructure meets organizational requirements for security. This day examines the various threats that target VoIP environments, and multiple attack techniques and tools that leverage protocol and implementation weaknesses to compromise VoIP security.

Taking an in-depth look at these techniques and tools, understanding how they work and the flaws they exploit, and practicing with them will help you make informed decisions to best accommodate the balance of usability, quality, performance and security that is appropriate for your organization. This day explores in depth tools and techniques focused on the VoIP signaling threats.

CPE/CMU Credits: 6


VoIP signaling attacks: (SIP-based)

  • Identification of VoIP devices
  • SIP enumeration (SIP register, options, and invite methods) and VoIP wardialing
  • VoIP-based vulnerability scanning
  • SIP eavesdropping: number harvesting and call pattern tracking
  • SIP authentication cracking and guessing
  • Caller ID spoofing: techniques, services, and scenarios
  • SIP manipulation attacks: SIP registration (removal, addition, and hijacking methods) and redirection attacks
  • Advanced Man-in-the-Middle (MitM) signaling attacks and scenarios

Paul A. Henry
Thu Sep 20th, 2012
9:00 AM - 5:00 PM


While understanding the attacks against signaling protocols is important, the real threat to a VoIP environment is compromise of the media protocols. The media protocol is where the "live" conversation is transmitted across the wire. Attacks against the media protocols can range from denial of service attacks to unauthorized recording of phone conversations.

CPE/CMU Credits: 6


VoIP Media Attacks: (RTP-based)

  • RTP eavesdropping: voice conversations and DTMF tones
  • RTP recording
  • RTP manipulation: replacing, inserting, and mixing audio in standard and MitM scenarios

Paul A. Henry
Fri Sep 21st, 2012
9:00 AM - 5:00 PM


After these attacks are dissected and understood, it is time to implement mitigation techniques, defenses, and countermeasures surrounding secure VoIP protocols and VoIP security devices. These elements provide multiple options to design and build a secure VoIP architecture. Only through an in-depth knowledge of the available VoIP secure protocols at the network, signaling, media, and key-exchange levels is it possible to protect the VoIP traffic and the sensitive contents exchanged through it. The protocols are complemented by VoIP security devices.

CPE/CMU Credits: 6


VoIP security devices:

  • NAT devices/firewalls scenarios and issues
  • Solutions to overcome NAT/Firewall traversal VoIP scenarios through protocols like STUN, TURN or ICE, or security gateways
  • Application-Layer Gateways (ALGs) analysis
  • Session Border Controllers (SBCs) analysis

New VoIP security standards are still being designed and ratified. The course dissects and compares all of them and their specific details, because this is what makes the difference in determining the best solution for your environment. The current state of the art and best practices for all these secure VoIP protocols are analyzed. This VoIP defenses analysis is complemented with questions addressed to your VoIP vendor and service provider that guide you to select the best VoIP security solution based on your needs.

Secure VoIP protocols:

  • Network protocols: VLANs, port security controls, and 802.1x/EAP
  • Signaling protocols: SIP MD5 authentication, Secure SIP (SIPS or SIP/TLS), SIP over DTLS, S/MIME, SIP over IPSec, and SIP identity
  • Media protocols: SRTP, secure call recording, and RTP over IPSec
  • Key-exchange protocols: MIKEY, SDescriptions, ZRTP, and DTLS-SRTP

Paul A. Henry
Sat Sep 22nd, 2012
9:00 AM - 5:00 PM


The last day covers the most relevant VoIP infrastructure and network attacks with the goal of emphasizing how important it is to build a secure VoIP infrastructure on top of a secure network architecture. Some of the network-based attacks with a higher impact on the VoIP infrastructure are analyzed as well as the best architecture practices to protect the VoIP infrastructure against these threats.

CPE/CMU Credits: 6


  • VoIP supporting infrastructure: VoIP-related overview, attacks and countermeasures for DNS, DHCP, TFTP, HTTP, SNMP, ARP and Man-in-the-Middle (MitM), port scanning, and banner grabbing
  • The risks of unified communications and how to mitigate them through network segregation: VLANs, the VoIP softphone paradox, VLAN attacks, VLANs and VoIP hardphones, VoIP hopping attacks, and network segregation countermeasures
  • VoIP environment awareness: publicly available information and intelligence gathering through Google hacking VoIP, WHOIS, Netcraft, Google groups, Job boards, etc.

The VoIP security lectures are supplemented by hands-on labs focused on identifying devices on a VoIP infrastructure and complementing the initial reconnaissance results with more advanced vulnerability scanning and VoIP usernames and phone extensions enumeration techniques. Additionally, the signaling labs are rounded out with SIP-based manipulation attacks using advanced MitM tools and techniques.

VoIP media vulnerabilities are demonstrated and practiced using eavesdropping and advanced RTP manipulation attacks. Finally, the VoIP countermeasures modules contain technical security checklists aimed to evaluate the VoIP security capabilities and supported features and protocols offered by your VoIP vendor(s) or service provider(s).

Additional Information

"The SANS SEC540 VoIP class is quite technical, but I would highly recommend it for any manager considering the implementation of VoIP in their network. Many are simply blinded by the huge potential savings from VoIP and fail to understand or recognize the inherent risks associated with it. SANS clearly outlines the risks literally hands-on that every manager must be aware of when implementing VoIP." Paul A. Henry

To get the most value out of the course, you are required to bring your own laptop so that you can complete all the labs and hands-on exercises. It is your responsibility to make sure that the system is properly configured with all drivers necessary to connect to an Ethernet network and follows the prerequisites below.

It is critical that you have administrator access to the operating system and all security software installed. Changes need to be made to personal firewalls and other host based software in order for the labs to work.

Mandatory Laptop Hardware Requirements

  • x86-compatible 1.5 GHz CPU Minimum or higher
  • CD/DVD Drive
  • 4GB RAM minimum or higher
  • Ethernet adapter
  • 16 Gigabyte available hard drive space
  • Free USB port for the audio headset (provided by SANS)

Operating System

You are required to have Windows 7 or alternatively Windows XP installed and configured. An understanding of both Windows and Unix/Linux is required to understand the labs.


VMware Player or VMware Workstation is required for the class. You will run VMware on either Windows 7 or Windows XP as the native laptop OS, with Linux as the guest (virtual machine) operating system, using both operating systems simultaneously when performing exercises in class. If you're not using Windows as a base operating system on the laptop, you must bring a licensed virtual machine for Windows XP or Windows 7.

You must have either the free VMware Player 1.0 or later or the commercial VMware Workstation 5.0 or later installed on your system prior to coming to class. You can download VMware Player for free at the VMware web site. Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation from the VMware web site. VMware will send you a time-limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player.

Additional Software


Some of the course exercises are based on Windows, while others focus on Linux. We will provide a Linux virtual machine (customized Trixbox version) with all the Linux-based tools pre-installed, which runs within VMware Player or VMware Workstation, to complete the Linux exercises. We will also give you a CD with tools and traffic capture files to experiment with during the class and take home for later analysis.

If you have any questions regarding these requirements, please contact

If you have additional questions about the laptop specifications, please contact

  • Network professionals who are responsible for designing and deploying secure VoIP infrastructures.
  • Security professionals who are concerned about the weaknesses of VoIP environments.
  • Members and leaders of incident handling teams who are interested in adding VoIP to their analysis and response capabilities.
  • Service provider professionals who are interested in adding security to their VoIP offerings.
  • Penetration testers who want to include VoIP security assessments in their organization's services offerings.
  • Auditors who must evaluate VoIP infrastructures to ensure they meet an acceptable level of risk.

Students should have a working knowledge of TCP/IP networks and protocols, general security attacks and defenses, and VoIP concepts and experience in the design or deployment of network and security technologies.

Author Statement

Whenever VoIP is part of a conversation, in the majority of cases the primary topic is the huge savings available by minimizing or, in many cases, eliminating toll charges. Obviously, VoIP is best known for providing a lot of advantages versus legacy PSTN voice infrastructures: cost reduction, computer application integration, and unified communications. This is perhaps the primary reason that organizations fail to consider and for that matter address security when they plan and implement their VoIP system. VoIP does of course offer many benefits but it also really changes the rules when it comes to security. It is interesting to analyze the level of trust we have in the legacy telephony infrastructures, like the PSTN or cellular networks (GSM, GPRS, or UMTS). We believe they are completely secure and that only law enforcement, or high-technology spies (like those in the movies), would be able to monitor or control our voice calls. This level of trust is associated with its closed and proprietary nature, versus the open and distributed nature of VoIP infrastructures, and it is what sets our expectation of privacy and level of trust in these networks that make many believe that a VoIP alternative is inherently insecure. However, nothing could be further from the truth. If implemented properly and securely, VoIP infrastructures can be more secure and trustworthy than a legacy PSTN voice network. A couple of basic scenarios can exemplify this statement. Nowadays, caller ID spoofing is trivial and unavoidable in the PSTN; however, strong authentication methods are available in VoIP to mitigate impersonation attacks. Similarly, voice conversations crossing the PSTN travel in the clear, so anyone in the path between caller and callee can intercept and listen to the conversation. VoIP allows applying strong encryption techniques to protect the audio (and video) contents of a VoIP call to avoid eavesdropping attacks.
The solutions are available; you only need to learn them and know how to deploy them. This advanced course is designed to provide you with the skills required to do so and master VoIP security.

---Paul A. Henry