
VoIP Security in the Enterprise

Produced Exclusively for NetIQ by

Introduction

Introduction to Realtimepublishers
by Sean Daily, Series Editor

The book you are about to enjoy represents an entirely new modality of publishing and a major first in the industry. The founding concept behind Realtimepublishers.com is the idea of providing readers with high-quality books about today's most critical technology topics, at no cost to the reader. Although this feat may sound difficult to achieve, it is made possible through the vision and generosity of a corporate sponsor who agrees to bear the book's production expenses and host the book on its Web site for the benefit of its Web site visitors. It should be pointed out that the free nature of these publications does not in any way diminish their quality. Without reservation, I can tell you that the book that you're now reading is the equivalent of any similar printed book you might find at your local bookstore, with the notable exception that it won't cost you $30 to $80. The Realtimepublishers publishing model also provides other significant benefits. For example, the electronic nature of this book makes activities such as chapter updates and additions or the release of a new edition possible in a far shorter timeframe than is the case with conventional printed books. Because we publish our titles in real-time, that is, as chapters are written or revised by the author, you benefit from receiving the information immediately rather than having to wait months or years to receive a complete product. Finally, I'd like to note that our books are by no means paid advertisements for the sponsor. Realtimepublishers is an independent publishing company and maintains, by written agreement with the sponsor, 100 percent editorial control over the content of our titles. It is my opinion that this system of content delivery not only is of immeasurable value to readers but also will hold a significant place in the future of publishing.

As the founder of Realtimepublishers, my raison d'être is to create "dream team" projects, that is, to locate and work only with the industry's leading authors and sponsors, and publish books that help readers do their everyday jobs. To that end, I encourage and welcome your feedback on this or any other book in the Realtimepublishers.com series. If you would like to submit a comment, question, or suggestion, please send an email to feedback@realtimepublishers.com, leave feedback on our Web site at http://www.realtimepublishers.com, or call us at 800-509-0532 ext. 110. Thanks for reading, and enjoy!

Sean Daily
Founder & Series Editor
Realtimepublishers.com, Inc.

Table of Contents

Introduction to Realtimepublishers
Chapter 1: Threats and Challenges to Enterprise VoIP
    The Importance of Design Planning
    Exposures to Anticipate
        What Is a Target?
        Who Are the Attackers?
        Attacker Techniques
    Confidentiality
        Call Detail Records
        Management Services
        Unified Messaging
    Integrity
        System Integrity
        Unauthorized Endpoint Configuration
        Fraud Concerns
        The Man in the Middle
        Potential for Malicious Calls
        Exploits of Protocols, OSs, and Applications
        Top 20 Internet Vulnerabilities
            SIP Overview
            SIP Messages and Requests
            SIP Vulnerabilities and Exploits
    Availability
        Availability and QoS
        Viruses and Worms
        DoS Attacks
            Effects of DoS Attacks
            Spam Over Internet Telephony
    Summary


Copyright Statement

2005 Realtimepublishers.com, Inc. All rights reserved. This site contains materials that have been created, developed, or commissioned by, and published with the permission of, Realtimepublishers.com, Inc. (the Materials) and this site and any such Materials are protected by international copyright and trademark laws. THE MATERIALS ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. The Materials are subject to change without notice and do not represent a commitment on the part of Realtimepublishers.com, Inc or its web site sponsors. In no event shall Realtimepublishers.com, Inc. or its web site sponsors be held liable for technical or editorial errors or omissions contained in the Materials, including without limitation, for any direct, indirect, incidental, special, exemplary or consequential damages whatsoever resulting from the use of any information contained in the Materials. The Materials (including but not limited to the text, images, audio, and/or video) may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, in whole or in part, except that one copy may be downloaded for your personal, noncommercial use on a single computer. In connection with such use, you may not modify or obscure any copyright or other proprietary notice. The Materials may contain trademarks, services marks and logos that are the property of third parties. You are not permitted to use these trademarks, services marks or logos without prior written consent of such third parties. Realtimepublishers.com and the Realtimepublishers logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners. 
If you have any questions about these terms, or if you would like information about licensing materials from Realtimepublishers.com, please contact us via e-mail at info@realtimepublishers.com.


Chapter 1

Chapter 1: Threats and Challenges to Enterprise VoIP


The convergence of voice and data networks has been evolving and gaining momentum for several years. Organizations that are implementing Voice over IP (VoIP) in an effort to cut communications costs or leverage the competitive advantage of integrated services shouldn't overlook the security risks that arise as voice and data converge. VoIP implementers often focus on issues of voice quality and interoperability, important factors in the delivery of Quality of Service (QoS). VoIP security is a challenge that is inextricably linked with issues such as interoperability with data networks and QoS: a security control that adds delay or drops packets degrades the very service it is meant to protect. To deliver integrated services effectively, organizations must adopt and combine industry best practices from both the voice and data environments. Both technologies bring approaches and management techniques that benefit the other. This guide will highlight the pressing security concerns facing enterprise deployments. The chapters that follow will identify some of the industry best practices and techniques for creating an effective VoIP security plan that balances network security against the VoIP requirements for availability, reliability, and performance. A systematic and holistic approach to managing integrated network performance and security includes working with vendors, service providers, and trusted business partners to ensure that a comprehensive approach to security is followed.

The Importance of Design Planning


Many networks seem poorly designed at first glance. Poor design is rarely intentional; in most cases it is a by-product of success. Network growth, whether in services or capacity, is demand driven. Secure, high-performance networks often degrade over time because they grow in response to business needs. This reactive approach often leads to the addition of bandwidth for throughput without full consideration of all the factors involved in network performance. Network security is too frequently a reactive process, incorporated into the network design after service requirements have driven growth. Fundamental design concepts apply to network design: networks must be solidly built to withstand the constant barrage of potential attacks from malicious intruders inside and out. This concept isn't necessarily forgotten during network design; it is simply overlooked during periods of growth. The oversight is driven by the haste to get a new service up and running, and inappropriate design leaves networks vulnerable to serious exploitation. Planning the integration of VoIP into any network starts with a needs assessment and readiness analysis. This network assessment should evaluate all aspects of the network, including requirements from utilization and call quality to security and manageability. Chapter 3 will explore this type of assessment in more detail.

When deploying VoIP in the enterprise, granularity of the network becomes both a performance and a security element. A common approach is to separate traffic flows by audience, application, and function, or some combination of those three. A layered approach to security is common practice today; a layered approach to service deployment can enhance both performance and security.

VoIP is another application integrated into the data network. Designers need to determine whether separation of traffic can improve performance and security in their unique environments. It doesn't make sense everywhere, but in the complex enterprise network, it's a design approach that cannot be overlooked. Virtual LANs (VLANs) are widely deployed in business networks. In many enterprise networks today, Multiprotocol Label Switching (MPLS) provides another means of separating traffic. MPLS provides tremendous advantages in the network: its label-based forwarding supports both QoS needs and separation of traffic by service type or end-user group. MPLS and VLANs used together can provide:

- Separation or isolation of voice traffic onto a VLAN or into a separate MPLS domain. These MPLS domains are often referred to as Virtual Routing and Forwarding (VRF) instances.
- Integration between the network layers that creates a scalable, IP-aware network, one in which the network can respond differently depending on the type of traffic it is carrying. Thus, VoIP traffic can be assured a service level that meets performance requirements for quality.

Figure 1.1 shows a single physical network that logically separates VoIP traffic from standard data traffic. Firewalls have been deployed to protect both service types, yet VoIP traffic never traverses a firewall, so that security requirements don't degrade service delivery capability. Note the trade-off this design makes: because the voice path is not inspected, the VLAN and VRF boundaries themselves become the security control, and they must be enforced consistently at every access port and at every point where the VRFs meet.
[Figure 1.1: one physical network with three VRFs: a VoIP Services MPLS domain (call server, unified messaging and other VoIP applications), an End User MPLS domain (VoIP phones and workstations), and an MPLS & IP data domain. A firewall controls the demarcation between the voice and data network services. All data traffic traverses the firewall; voice and signaling traffic never traverse a firewall, to preserve high-performance throughput. Legend: voice traffic, data traffic, signaling traffic.]

Figure 1.1: MPLS design example.

Later, this guide will explore how methodical design approaches can improve or guarantee performance while complementing security requirements. Chapter 3 will discuss a systematic technique for ensuring that service requirements are considered at each stage of the network life cycle.

There is a danger in oversimplifying the risks of deploying VoIP, or any new service, in the enterprise. VoIP deployment brings new network elements and devices into the existing environment. These new devices may bring protocol or application vulnerabilities as well. One example is the decision whether to use VoIP hardware phones or a softphone (a "smart phone" application running on the user's workstation). Both options have merit, but each brings challenges. A hardware phone presents a bounded, vendor-controlled set of vulnerabilities. Hardware phones typically contain a TCP/IP stack and the proprietary software used by the VoIP vendor. They are not general-purpose operating system (OS) devices, so they typically don't fall prey to the range of Windows vulnerabilities, for example, although their firmware still has to be patched like any other network device. A softphone is an application that lets users make and receive calls over the network using a PC workstation. A softphone's interface may resemble a traditional phone dial pad or it may look more like an instant messaging client. Whatever form it takes, the softphone runs on the user's workstation, which may already be laden with vulnerabilities, and whatever compromises the workstation compromises the phone. The convenience of a single device can be offset by the complexity of securing the environment. An organizational policy, combined with a global setting in the VoIP call server that permits only hardware phones to register, is one approach that reduces the risk of introducing a new VoIP service.
The keys to good security design rely on three basic principles:

- Build the network with layers of security so that no single breach impacts multiple areas of the network. Compromise of any single system or network element must not compromise the network as a whole.
- In the converged network, VoIP security is dependent on the data security strategy, but VoIP also brings new vulnerabilities. Security must be approached from a systemic view as well as at each individual service.
- There is no perfect security strategy. Each approach requires a balance between security, performance, and cost.

Throughout, this guide will explore how security and performance guarantees are an integral aspect of network design and require continuous monitoring throughout the life cycle of the network.


Exposures to Anticipate
When looking at the exposures to security, there are three areas to consider:

- Design vulnerabilities are caused by a weakness in the design or specification of hardware, software, or in some cases the protocol being used. When these weaknesses exist, even a flawless implementation can leave the user vulnerable to exploit.
- Implementation vulnerabilities come about as a result of errors made while implementing an error-free design. The specification is sound, but the code or the build is not, and the resulting flaw can affect the network overall.
- Configuration vulnerabilities are those installation and setup errors that lead to insecure systems. Some examples include:
  - Leaving accounts in place with default passwords from the manufacturer
  - Allowing inappropriate access permissions to file system elements (world write permissions, for example)
  - Leaving vulnerable services enabled; the default services are frequently not the appropriate services to leave running in every environment

Each of these types of vulnerability leaves the system open to security risks and possible exploitation and loss of information. Industry surveys about VoIP deployment are widely presented. Although results vary in percentages, some trends are consistent across the range of surveys. Four major threats to VoIP top every list. A Denial of Service (DoS) attack is often the number one fear in customer surveys. Viruses and worms, anxiety about eavesdropping on calls, and toll fraud round out the common top four. These four threats, and several others, tie directly to design, implementation, or configuration vulnerabilities.

What Is a Target?

To effectively protect the network and truly understand the threat environment, you need to first understand the targets and where attacks might originate. Targets are both logical and physical. Attackers may exist within the internal network or come from external sources. Logical targets include user accounts, running processes, and the data within the network. User accounts identify the user and define the set of resources accessible to each user; these are often described as permissions. A guest account will have very limited permissions, whereas a domain administration account may have administrative permissions that grant complete control of the network. Running processes encompass everything a program in execution entails: the program, its data, stack pointers, registers, and so on. Buffer overflow vulnerabilities in such processes are a common problem, and they make every process running within the network a target. The data used by the system, whether it is user profile data, corporate directories, call detail records, or simply an organizational chart, is also a target.


Small elements of data may not be viewed as critical to security independently, but when added together, they can add up to vital security information. In The Art of Intrusion, Kevin Mitnick uses the phrase "incremental information leveraging" to describe this. For example, an organization chart might seem benign, but to a malicious intruder it might identify the network administrator, revealing a key account to target in attempting to gain control of the system.

Physical targets are the components within the network. These network elements might be servers or workstations. They can also be the routers and switches, domain controllers, and management platforms that make up the infrastructure. The VoIP servers and IP phones are also physical targets. All are crucial physical elements of service delivery.

Who Are the Attackers?

Attackers are people. They may be hackers attacking for the challenge, professional criminals seeking financial gain, corporate raiders seeking a competitive advantage, or even your own employees or contractors. Some may be driven to cause damage; others may be voyeurs attempting to access sensitive information. In today's world political climate, for some organizations, attackers may be spies or terrorists looking for information that can be leveraged for political gain. In some cases, information might be leveraged against employees or contractors.

Attacker Techniques

Attackers don't play by rules. Honor among thieves is a fallacy. Their objective is to gain access, control, or information by any means possible. Attacks may be sophisticated technical efforts or more subtle non-technical approaches. Technical attacks target the fundamental problem of data leakage. Their primary objective is to intercept information through means such as:

- Wiretapping requires physical access to the cabling. Phone and network equipment closets are frequently left unlocked and provide a point at which the wiring can be tapped to record or capture information.
- Packet capture using a simple sniffer requires little technical skill. A free sniffer program such as Ethereal (now Wireshark) can easily be downloaded. A sniffer might be installed on a USB flash drive so that an intruder with access to a computer on the network can simply insert it and capture data, completely undetected.
- Breaching access controls by circumventing security measures can provide access to inappropriate network resources.
- Intelligent guesswork is often the easiest way to obtain passwords. It has been proven many times that if you know enough about a person, you are likely to be able to guess their passwords. Because passwords are difficult to remember, people often use family names, pet names, and significant dates as memory aids.
- Stealing electronic media or dumpster diving for discarded proprietary information can provide the intruder with a wealth of information.
- Penetration testing with toolkits, or using common tools and scan techniques, can easily give an intruder a view of the network topology and critical assets.
- Known exploits for input validation flaws and buffer overflows are becoming easier and easier to use. Many are downloadable from the Internet and freely available to anyone.
- Wireless communications provide ease of use but also introduce security risks. Wi-Fi access points that do not require strong user authentication or do not implement encryption often provide an open entry to the network. Rogue access points installed by end users for convenience frequently omit these security measures.
- Keyboard logging, or trapping login information, is simple and can be accomplished with malware or with very inexpensive devices that plug in between the keyboard and the computer.
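To make the "intelligent guesswork" point concrete, the Python below is an added example (not from the original chapter or from any particular password-cracking tool). It derives a candidate list from a small profile of names and dates using a few common mutations, and checks whether a given password falls inside that list. The profile (`PROFILE`), the suffix list and the mutation rules are constructed assumptions; real guessing tools apply far larger rule sets, so a password that passes this check is not thereby strong.

```python
"""Check whether a password is within "intelligent guesswork" of a
profile of its owner.

Added example, not from the original chapter. PROFILE, the suffix list
and the mutation rules are constructed assumptions; real guessing tools
apply far larger rule sets.
"""

COMMON_SUFFIXES = ["", "!", "1", "123", "#"]
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def date_fragments(date: str) -> set:
    """'1998-07-21' -> the pieces people paste into passwords."""
    year, month, day = date.split("-")
    return {year, year[2:], month + day, day + month,
            year + month + day, month + day + year, day + month + year[2:]}


def word_forms(word: str) -> set:
    """Case and leetspeak variants of a name."""
    w = word.lower()
    return {w, w.capitalize(), w.upper(),
            w.translate(LEET), w.capitalize().translate(LEET)}


def candidates_from_profile(profile: dict) -> set:
    """Every name form, alone or combined with a date fragment and suffix."""
    words = set().union(*(word_forms(n) for n in profile.get("names", [])))
    dates = set().union(*(date_fragments(d) for d in profile.get("dates", [])))
    guesses = set(dates)                      # bare dates are guessed too
    for w in words:
        for suffix in COMMON_SUFFIXES:
            guesses.add(w + suffix)
            for frag in dates:
                guesses.add(w + frag + suffix)
                guesses.add(frag + w + suffix)
    return guesses


def is_guessable(password: str, profile: dict) -> bool:
    """True if the password is in the profile-derived guess list."""
    return password in candidates_from_profile(profile)


# Constructed profile of the kind an attacker assembles from social
# media, an organization chart, or a chat with the help desk.
PROFILE = {
    "names": ["Rex", "Martha", "Acme"],          # pet, spouse, employer
    "dates": ["1998-07-21", "2003-05-09"],       # birthday, anniversary
}

if __name__ == "__main__":
    guesses = candidates_from_profile(PROFILE)
    print(len(guesses), "candidates derived from the profile")
    for pw in ["Rex2003!", "0721Rex", "M4rth4", "correct horse battery staple"]:
        verdict = "guessable" if is_guessable(pw, PROFILE) else "not in list"
        print(f"{pw!r}: {verdict}")
```

Three names and two dates yield a few thousand candidates, a search that takes seconds against any login prompt without lockout; the same check, run from the defender's side at password-change time, rejects the passwords a well-informed guesser would try first.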

Non-technical attacks focus on the human element. The most common are often described as social engineering. People want to be helpful; it's human nature. As a result, attackers may use misrepresentation as a means to gain access by impersonating either authorized personnel or some third party. An intruder with a little knowledge might call the enterprise help desk posing as an employee and simply ask for help in resetting a password. Intruders often impersonate third-party vendors providing system support. In either case, the natural inclination to be helpful can lead staff into easing the way into the network. Non-technical attacks can also include bribery, seduction, extortion, and blackmail.

Never underestimate the range of human targets. The human element is always the weakest link of any network security architecture.

The key foundation elements of any information system are availability, utility, integrity, authenticity, confidentiality, and possession of the data. Harm to any of these elements may come from intentional malicious acts, accidental occurrences, or uncontrollable physical forces. In managing a secure network, the focus is on three key areas: confidentiality, integrity, and availability.

Confidentiality
Confidentiality is a fundamental precept of information security. The International Organization for Standardization (ISO) describes confidentiality as ensuring that information is accessible only to those authorized to have access. Confidentiality is frequently tied to possession of the data. There are many hazards. A malicious user might locate, disclose, monitor, copy, or seize control of proprietary data. These actions can lead to information loss, misuse, or inappropriate disclosure. Protecting private information is a major concern in VoIP environments. Eavesdropping on a traditional telephone line requires physical access to the line and the appropriate equipment (and, for a lawful intercept, a court order). The technical skill needed to eavesdrop on a VoIP call is comparatively low. Most VoIP calls are unencrypted. Even an inexperienced attacker can sniff traffic and capture packets, and freely available tools reassemble the captured media stream into an ordinary audio file that any audio editor, such as the open source program Audacity, will play (see Figure 1.2).


Figure 1.2: Captured packets can be easily reconstructed into a .WAV file. The screenshot shows the reconstructed audio opened in the open source tool Audacity.

Keeping telephone conversations private is important. Users will expect and demand from VoIP communications the same privacy they have in traditional telephony.
Voice Over Misconfigured Internet Telephones

There is an open source UNIX software tool with the distasteful name of VOMIT (Voice Over Misconfigured Internet Telephones) that can easily reconstruct VoIP conversations from tcpdump capture files. Although VOMIT can be used for network debugging or as a speakerphone utility, it's generally associated with VoIP eavesdropping attacks. This tool brings the skill level required to tap VoIP calls down to the skill set of even the novice attacker. VOMIT converts a captured phone call into an ordinary .WAV file, which can then be readily stored, emailed, posted on Web sites, and used to torment or extort money from victims. Although VOMIT isn't the only tool attackers have for eavesdropping on VoIP, it is one of the easiest to use. The attacker needs a packet capture of the call, but that is relatively easy to obtain once network access has been gained. One compromised host that can see the traffic anywhere on the path of the VoIP call is all that it takes; that host could be in your network, in the call recipient's network, or somewhere in between on the Internet. It's important to note that the telephones aren't really misconfigured. VoIP phones simply share the same network data stream as the computers. One way to help prevent this type of snooping on VoIP calls is to separate voice and data networks by running them on different VLANs, as shown earlier in Figure 1.1. Separation raises the bar for an attacker on the data side, but it does not protect a call from a host that has reached the voice VLAN or from an intermediate network you do not control; for that, the media stream itself has to be encrypted.
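The reconstruction that VOMIT performs is straightforward to reproduce, which is the point: none of it needs a secret. The Python script below is an added example written for this chapter, not VOMIT's code or anything from the original text. It parses the RTP packets of one call leg, orders them by sequence number, drops duplicates, decodes the G.711 u-law payload, and writes a WAV file. It assumes the RTP packets have already been pulled out of a capture as raw UDP payloads (a pcap parser is outside the example), so the packets in `CAPTURED`, the `make_rtp` builder, and the `CALLER`/`CALLEE` SSRC values are constructed rather than sniffed. RTP header extensions are not handled.

```python
"""Reassemble a captured G.711 u-law RTP stream into a WAV file.

Added example (not from the original chapter or from the VOMIT tool).
Assumes the RTP packets were already extracted from a packet capture as
raw UDP payloads; the packets below are constructed inline.
"""
import io
import struct
import wave

RTP_HEADER_LEN = 12
PT_PCMU = 0            # RFC 3551 static payload type for G.711 u-law
SAMPLE_RATE = 8000


def parse_rtp(packet: bytes) -> dict:
    """Split a raw RTP packet into its fixed-header fields and payload."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("packet shorter than RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    csrc_count = b0 & 0x0F
    header_len = RTP_HEADER_LEN + 4 * csrc_count   # X-bit extensions ignored
    return {
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "payload": packet[header_len:],
    }


def reassemble_stream(packets, ssrc: int) -> bytes:
    """Join the u-law payload of one direction of the call in order.

    Sniffed packets arrive out of order and sometimes twice: keep the
    first copy of each sequence number and sort before concatenating.
    """
    by_seq = {}
    for pkt in packets:
        rtp = parse_rtp(pkt)
        if rtp["ssrc"] != ssrc or rtp["payload_type"] != PT_PCMU:
            continue          # other direction of the call, or not G.711
        by_seq.setdefault(rtp["seq"], rtp["payload"])
    return b"".join(by_seq[s] for s in sorted(by_seq))


def ulaw_decode(byte: int) -> int:
    """Decode one G.711 u-law byte to a signed 16-bit PCM sample."""
    byte = ~byte & 0xFF
    sign = byte & 0x80
    exponent = (byte >> 4) & 0x07
    mantissa = byte & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


def ulaw_to_wav(ulaw: bytes) -> bytes:
    """Return the bytes of a mono, 16-bit, 8 kHz WAV file for the stream."""
    pcm = b"".join(struct.pack("<h", ulaw_decode(b)) for b in ulaw)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as wav:
        wav.setnchannels(1)
        wav.setsampwidth(2)
        wav.setframerate(SAMPLE_RATE)
        wav.writeframes(pcm)
    return buf.getvalue()


def make_rtp(seq: int, ssrc: int, payload: bytes, pt: int = PT_PCMU) -> bytes:
    """Build a minimal RTP packet (used only to construct sample input)."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + payload


# Constructed capture: five 20 ms frames from the caller (SSRC 0x1234),
# delivered out of order with one duplicate, plus one frame from the
# callee (SSRC 0x5678) that must be kept out of the caller's stream.
CALLER, CALLEE = 0x1234, 0x5678
CAPTURED = [
    make_rtp(1002, CALLER, bytes([0x80]) * 160),   # loudest positive sample
    make_rtp(1000, CALLER, bytes([0xFF]) * 160),   # u-law silence
    make_rtp(1003, CALLER, bytes([0x00]) * 160),   # loudest negative sample
    make_rtp(1001, CALLER, bytes([0xFF]) * 160),
    make_rtp(1002, CALLER, bytes([0x80]) * 160),   # duplicate of seq 1002
    make_rtp(2000, CALLEE, bytes([0x7F]) * 160),   # other call leg
    make_rtp(1004, CALLER, bytes([0xFF]) * 160),
]


def reconstruct_call(packets=CAPTURED, ssrc: int = CALLER) -> bytes:
    """Everything the eavesdropper needs: packets in, playable WAV out."""
    return ulaw_to_wav(reassemble_stream(packets, ssrc))


if __name__ == "__main__":
    with open("caller.wav", "wb") as fh:
        fh.write(reconstruct_call())
```

Run as-is, the script writes caller.wav from the constructed packets. On a real capture, the packet list would be the UDP payloads on the media ports the call's signaling negotiated, and the SSRC selects one direction. Nothing in the script requires a key or a credential, which is exactly why VLAN separation only raises the bar: encrypting the media stream is what changes the picture.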

Encryption is a way to protect VoIP traffic against eavesdropping. Encryption approaches are readily available and widely used to encrypt email or for Virtual Private Network (VPN) connections for remote users. Although encryption can be used to guarantee privacy, other methods may be required to secure the communications overall. Message integrity and authentication also need to be considered: an encrypted stream that carries no integrity check can still be altered or replayed without the receiver noticing. The design decision between hardware phones and softphones was mentioned earlier. Another barrier to deploying an encryption solution may be the phone itself. IP hardware phones are typically built with minimal RAM and CPU capacity. They are built to handle the voice media stream and simple signaling functions. The performance impact of adding encryption, authentication, and integrity checking, even in a state-of-the-art VoIP telephone set, may introduce a performance degradation that is unacceptable. In the Public Switched Telephone Network (PSTN), one design point is latency. A one-way delay of 150 milliseconds (ms) has long been the accepted norm (ITU-T G.114). As delay climbs beyond that, talkers begin to step on each other, and above roughly 400 ms call quality becomes a concrete issue. The performance of the network, and each element within the network, can affect the user experience. Just as users expect privacy, they expect the same performance and call quality they've received in traditional telephone systems. Protecting call detail records and other system information is also critical. These records are filled with confidential and proprietary information.

Confidentiality and Regulatory Compliance

Eavesdropping raises sensitive concerns where compliance with regulatory requirements compels the enterprise to take special measures. If outside parties can intercept phone conversations that are thought to be private, a company may be unable to demonstrate the controls over financial information that the Sarbanes-Oxley Act requires, with serious business consequences. If Health Insurance Portability and Accountability Act (HIPAA) requirements for protecting patient information are not met, large fines could be levied. Companies that must adhere to such regulations must take special care to ensure the protection of confidential information.

Call Detail Records

A Call Detail Record (CDR) in telecommunications contains information about system usage, including the identities of call originators, the identities of call recipients, call duration, any billing information about the call, information about time used during the billing period, and other usage-related information. CDR format varies widely, and many systems allow CDRs to be configured by the user or systems administrator. CDRs are created constantly throughout the business day, with every telephone call. The telephone calling patterns within an enterprise can provide a great deal of information about customers, business partners, and internal relationships. In many VoIP systems, CDRs are stored in databases on the VoIP servers. A SQL Server system in the VoIP segment may be just as vulnerable as one sitting elsewhere in the network, and it needs the same patching and access controls.

Management Services

Many VoIP phones have a Web server engine built in for management. Systems administrators may use this server to set up the layout of buttons for call appearances, speed dial buttons, voicemail notifications, and other system features. Access to this Web engine can divulge the IP address, MAC address, and system configuration, including the servers used for call processing, voice mail systems, and emergency response systems. The reverse is also true. Many systems allow users to configure their telephones via a simple browser interface to a management server. This simple user convenience could provide yet another avenue for an attacker to gain unwanted access to enterprise network resources, so such interfaces should be password protected and, where they are not needed, disabled or restricted to the management network.

Unified Messaging

Unified messaging brings everything together for end users at a single point. The delivery of email, voicemail, and even faxes directly to the desktop eases the problem of information being stored in many locations. VoIP implementation is often the catalytic event that brings unified messaging into the enterprise. Traditional PBXs are replaced with network-connected servers. The old, perhaps analog, voice mail system is replaced with a new digital system connected to the network. The ease of integrating VoIP systems with email provides incentive to change. Unified messaging systems provide an aggregation point that appeals to attackers. They may be able to gain access to voicemail, email, and faxes, and the system itself may provide clues to other servers and the network topology.

VoIP deployment may lead to unified messaging, but what really becomes apparent is that the network is a very complex organism. One of the most common buzzwords of the past few years has been convergence. VoIP brings convergence at many levels. The voice and data networks converge to a single physical network. Support staff may converge into a single team providing telephony, data, and security services. For users, the services may converge at the desktop to a single device, the workstation. This converged network is a very target-rich environment for attackers.

Integrity
There is plenty of proprietary information associated with your VoIP service that must be protected, but not all attackers are nosy eavesdroppers. Some don't even want your information. Some want to disrupt the flow of business by breaking down the integrity of major systems. Integrity focuses on the prevention of erroneous or unauthorized modification of information, and is frequently tied to authentication practices. System integrity can fall prey to the insertion or use of false data, which often leads to modification, removal, repudiation, or misuse of the data.

Integrity of system information means that unauthorized users cannot make changes. Passwords should be changed only by the end user or reset by an authorized systems administrator. Only authorized staff should perform configuration changes on the servers, switches, and routers in the infrastructure. Configuration capability on the network is the attacker's paradise. If the attacker can configure the network elements, activity can continue undetected and unchecked. Configuration control equates to ownership of the network: if the attacker gains configuration access, you no longer own your network. In many enterprises, a call center is a key business component. Customer service agents spend the entire day on the phone with customers discussing confidential information. In the call center environment, it's common for the supervisor to have the ability to monitor calls for quality purposes. An attacker with configuration access could easily route that monitoring capability to some other extension.

Anything that might damage data or disrupt system functionality is a threat to integrity. Integrity isn't compromised only by malicious intruders. A legitimate employee might take some unauthorized action out of human error. A disgruntled employee might change system settings maliciously. User access permissions must provide access to the resources people need, but no more. Authorized users are probably the greatest cause of errors and omissions and the alteration of data. Storing incorrect data within the system can be as damaging as losing data. Malicious attackers modify, delete, or corrupt information that is vital to the correct operation of business functions; user error can bring about the same damage.

Figure 1.3 shows a very simple example of a breach to system integrity. A legitimate user has placed a phone call to the bank and simply deposited $100 into his or her account. The attacker in the middle has tampered with the data in transit, and the message the bank received was an instruction to deposit $1.

The outcome of this simple illustration is a complete breakdown of system integrity. Once the user's checks start bouncing because of the corrupted deposit, the user will lose all faith in the system. When this happens, the VoIP network ceases to be a trusted resource in the enterprise. Although this example is a simple one, imagine the same scenario involving hundreds of daily credit card transactions through a call center. The impact of integrity loss cannot be overstated.

[Figure 1.3 content: the customer sends "Deposit $100"; after tampering in transit, the bank receives "Deposit $1".]

Figure 1.3: A simple illustration of the loss of integrity.
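The tampering in Figure 1.3 succeeds because the bank has no way to tell the altered instruction from the original. As an added example that is not from the book, and assuming the instruction travels as a short text message with a key shared between the customer's client and the bank (a constructed value here), a keyed integrity tag lets the bank reject the $1 version:

```python
import hashlib
import hmac

# Key shared by the customer's client and the bank; a constructed sample value.
SHARED_KEY = b"constructed-demo-key"


def protect(instruction, key=SHARED_KEY):
    """Attach an HMAC-SHA256 tag so the receiver can detect any change made in transit."""
    tag = hmac.new(key, instruction.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{instruction}|{tag}"


def verify(wire_message, key=SHARED_KEY):
    """Return (ok, instruction); ok is False when the tag does not match the text received."""
    instruction, sep, tag = wire_message.rpartition("|")
    if not sep:
        return False, wire_message          # no tag at all: treat as untrusted
    expected = hmac.new(key, instruction.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag), instruction


def tamper_in_transit(wire_message):
    """Simulate the attacker in Figure 1.3 changing the amount without knowing the key."""
    return wire_message.replace("Deposit $100", "Deposit $1", 1)


def run_scenario():
    """Deliver the customer's instruction twice: once intact, once altered on the way."""
    sent = protect("Deposit $100 to account 12345")   # constructed account number
    return verify(sent), verify(tamper_in_transit(sent))


if __name__ == "__main__":
    intact, altered = run_scenario()
    print("intact message accepted:", intact[0], "->", intact[1])
    print("altered message accepted:", altered[0], "->", altered[1])
```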

System Integrity

Integrity of the system elements is just as critical as the integrity of every call or transaction. If an intruder gains access to a port on the VoIP switch masquerading as an authorized user, the attacker might:

- Disclose confidential data
- Modify the switch configuration data, causing degradation of service
- Shut down the switch or crash it
- Modify the logs to remove all traces of the intrusion, escaping detection
Network elements such as servers, switches, and routers are particularly vulnerable at system restart. When a system reloads, it may be in an insecure state because it loaded an obsolete configuration file. Human error can lead to insecure system startup. Changes may have been made to the configuration but not written to memory and out to the startup files. In this case, expected changes are deactivated and the system might behave the way it did previously. Manufacturer default security profiles may be re-enabled.


Old passwords may have been reactivated, even manufacturer default passwords. The default system passwords provided by manufacturers are common knowledge and readily accessible to attackers. System manufacturers put their manuals online, and information about managing every hardware platform imaginable is available to anyone on the Internet. Just as messages in transit are at risk of manipulation, messages at rest, stored in the voicemail system, need to be protected from intrusion. Because servers are physical devices, they often seem easier to protect than data in transit, but you can't discount the danger of stored messages being manipulated or corrupted. Configuration change control processes need to be followed to ensure systems are secure when restarting.

Unauthorized Endpoint Configuration

One of the biggest differences between the PSTN and VoIP is the endpoint. A telephone set in the PSTN has no intelligence. It expects some type of electrical power and a dial tone. All the intelligence of the PSTN resides in the telecommunications company's central office. VoIP introduces intelligent endpoints into the network. These smart endpoints have configuration capabilities, house Web servers, and run both services and applications. With this endpoint intelligence come vulnerabilities. Many threats apply regardless of whether the endpoint is a hardware VoIP phone or a softphone. Unauthorized access to endpoint configuration can lead to serious repercussions. An unauthorized user on the network might be able to compromise a telephone set that has no password configured or one that is easily guessed. The intruder may be able to reconfigure the VoIP phone or might simply plug in an unauthorized device. Even in an enterprise that implements hardware phones, a user might download and install VoIP softphone software. This threat brings several risks and attack vectors into the network.
For example, configuration access to the phone could lead to inappropriate features being enabled. Speakerphone capability might be turned on and speed dial lists might be changed. Alternatively, calls might be misrouted to a rogue server or destination. A Dynamic Host Configuration Protocol (DHCP) or Trivial File Transfer Protocol (TFTP) server could be inserted into the network, spreading a rogue application that exploits some known vulnerability. Phones could be forced to repeatedly reboot.

Fraud Concerns

Toll fraud has been a major issue in traditional telecommunications. In the past, PBX dial-through capability was used fraudulently by placing a call to a business and then requesting to be transferred to 9-0 or some other outside toll number. The call appears to originate from the business instead of the original fraudulent caller. PBX remote access features may allow employees to call into the PBX, then enter an authorization code to gain a second dial tone for the outside call. The call is billed to the outgoing telephone line connected to the PBX and appears on the company's phone bill.


Abusers impersonating installers and telco personnel testing the system were common many years ago. As PBXs evolved and connected to the network, toll fraud attracted attackers who, by gaining administrative rights to the PBX, added phantom extensions with permission to make or transfer long distance calls. This abuse led to many disputes between the telephone companies and their business customers. Voicemail systems have also been used for toll fraud. Some voicemail systems have features that provide a link to a PBX remote access feature or give a caller a dial tone after the main voicemail function has completed. These features can also be used to make outgoing long-distance calls. VoIP may reduce internal costs, but the enterprise VoIP system will still interconnect to the PSTN for calls outside the VoIP network coverage area. The potential for toll fraud abuse doesn't diminish with the deployment of VoIP.
To put toll fraud in perspective, the commercial telecommunications providers estimated toll fraud to be a $3 to $4 billion problem in the 1990s. Telecom and Network Security Review cited consistent losses in the United States telecommunications industry ranging between 4 and 6 percent of revenue. Enterprises must consider the possibilities of toll fraud.

Another possibility is that the unauthorized user can pretend to be affiliated with the company. This behavior brings both internal and external threats into play. Misrepresentation to an outside third party could have a number of consequences:

- Fraudulent orders may be placed with outside vendors. An attacker might leave a voicemail message for a vendor with false purchase order information, even directing that products be shipped to some alternative address. A return phone call may be enough for some vendors to assume validity and generate a shipment of the fraudulent order. Nobody will be the wiser until the bill arrives.
- Inappropriate conversations with customers could result. Everyone in business quickly learns to recognize an area code and prefix as a trusted business partner. Even longstanding customers can be duped by what seems to be a familiar telephone number.

Internally, the consequences may be far more disastrous, as information can be redirected to the attacker (see Figure 1.4). Being on the inside grants the attacker some status as an apparently trusted individual. In a large company, nobody knows everyone. A call coming from an obviously inside line may induce employees to divulge confidential information to someone they believe is another employee.



[Figure 1.4 caller:] "I'm Steve, the new lawyer on the merger team. Can you send me all the files on that acquisition project?"

Figure 1.4: An example of impersonation.

Finally, an unauthorized device may have functions enabled that have been explicitly restricted: custom code might be installed and run, or conference bridging functionality might be enabled. The unauthorized device might even present itself as an operator's console, granting access to reconfigure other phones.

The Man in the Middle

In the unauthorized endpoint example described earlier, the intruder attaches to the network masquerading as a legitimate user. Another approach is for the intruder to insert itself into the network between authorized endpoints, allowing a man-in-the-middle attack. The attacker in the middle can exploit a wide range of vulnerabilities:

- Eavesdropping is simplified because the intruder either appears to be on the network or is listening in transparently. In network terminology, this method is called promiscuous listening.
- Call interception is easier. The intruder may be right in the call path.
- The intruder might redirect traffic through spoofing or broadcasting alternative addresses, and insert into the network between two authorized users. This method can lead to a number of types of problems.
- Information about the call may be altered. Call setup information could be modified, corrupting CDRs and invalidating billing information.
- The attacker might spoof Session Initiation Protocol (SIP) responses and redirect the caller to a rogue SIP address that intercepts the call.


A man-in-the-middle attack, which Figure 1.5 illustrates, gives the intruder easy access to manipulate the data stream for both callers and call recipients. System integrity and message or call integrity are lost if the intruder is able to gain a position in the middle of the network.

Figure 1.5: A simple illustration of a man-in-the-middle attack.

Potential for Malicious Calls

VoIP systems provide a rich feature set with many benefits to users. Some phones have a malicious call button to help the enterprise deal with problem calls. The user can press the button at any time during the call to flag the call record. In many businesses, this feature might seem trivial. Large call center operations receive thousands of calls daily. Some are malicious or prank calls. Being able to identify the source provides information about the calling or offending party.


An intruder might disrupt system integrity in two ways by abusing this feature:

- The intruder might make offensive calls from within the enterprise. This might be accomplished using false telephone number information or by spoofing a legitimate user's telephone number. In either case, call records are inaccurate and misdirect research to an innocent party. A simple analogy to illustrate malicious calls is the common college dorm prank of calling several pizza delivery companies and ordering pizzas delivered to some other student. Beyond being just a nuisance, some financial harm follows to either the receiver or the pizza kitchen, one of which will absorb the cost of the fraudulently ordered pizzas.
- The intruder might also abuse the system by flagging multiple benign calls as malicious. If your enterprise processes 10,000 phone calls a day through the system, how many on average should be flagged as malicious? For the sake of argument, suppose 10 calls a day are truly malicious calls that should be flagged. Consider the impact of an intruder tagging several hundred calls. The staff that researches and investigates these problem calls has to sift through far more information, wasting time and resources.

Exploits of Protocols, OSs, and Applications

Exploits may focus directly on specific elements of the VoIP service. The most widely deployed OS in the enterprise today is Microsoft Windows in some version. Exploits and vulnerabilities in the Windows environment are widely discussed in the industry. Microsoft regularly releases system updates and security patches. Application-level vulnerabilities are unique to a specific software vendor. In most cases, these vulnerabilities relate to specific versions of a software package. It's important to work with your vendors to receive notification updates of any patches or vulnerabilities. Another excellent resource is the Common Vulnerabilities and Exposures (CVE) dictionary maintained by Mitre Corporation and funded by the United States Department of Homeland Security. You can find the CVE online at http://www.cve.mitre.org/. Attacks against the VoIP protocols are of direct concern for any enterprise deploying voice services. SIP is widely used and supported by most vendors. To understand the vulnerabilities and threats in the SIP environment, let's take a brief look at how SIP works.

Top 20 Internet Vulnerabilities

The SANS Institute has long been recognized as a leading security information and training resource. SANS regularly publishes the Top 20 Internet Security Vulnerabilities, which Table 1.1 shows. This table is included as a tool for comparison with your network environment. The vulnerabilities listed, and their mitigation strategies, may be unique to each enterprise environment. What all enterprises share is the prevalence of applications and services impacted by this list.
As an exercise, check each that applies in your enterprise. It's a rare enterprise that touches fewer than ten of these vulnerabilities. Twelve or more is quite common.


Top Vulnerabilities to Windows Systems          Top Vulnerabilities to UNIX Systems
W1   Web Servers & Services                     U1   BIND Domain Name System
W2   Workstation Service                        U2   Web Server
W3   Windows Remote Access Services             U3   Authentication
W4   Microsoft SQL Server (MSSQL)               U4   Version Control Systems
W5   Windows Authentication                     U5   Mail Transport Service
W6   Web Browsers                               U6   Simple Network Management Protocol (SNMP)
W7   File-Sharing Applications                  U7   Open Secure Sockets Layer (SSL)
W8   LSASS Exposures                            U8   Misconfiguration of Enterprise Services NIS/NFS
W9   Mail Client                                U9   Databases
W10  Instant Messaging                          U10  Kernel

Table 1.1: SANS top-20 Internet vulnerabilities list.

SIP Overview

Protocol vulnerabilities are always a concern. To understand these vulnerabilities, you need to understand a little about how the protocol works. Since 1999, the Internet Engineering Task Force (IETF) SIP working group has led work on SIP. Full technical specifications are described in IETF Request for Comments (RFC) 2543. SIP is a text-based protocol, similar to HTTP and SMTP, for initiating interactive communication sessions between users. These sessions include voice, video, and chat. SIP provides end-to-end services and features whenever possible. It was designed with a focus on simplicity, reusing existing IP protocols and architectures where possible to ease integration with other IP applications and services. SIP provides services including:

- Call forwarding under a variety of scenarios (no answer, busy, and so on)
- Calling party and called party number identification using any naming scheme
- Personal mobility, allowing a single address that is location and terminal independent
- Capabilities negotiation between terminals
- Call transfer
- Instant messaging
- Event notification
- Control of networked devices


There are also extensions to SIP that provide for fully meshed conferences and connections to multipoint control units (MCUs). SIP uses an addressing scheme similar to email addressing. As users can connect to the Internet from anywhere, and will likely be given a dynamic IP address via DHCP, mechanisms were needed to resolve the active IP address. People are familiar and comfortable with email addresses, so this structure seems suitable. SIP is text-based like HTTP or SMTP, so the addresses, which are SIP URLs, can be embedded in email messages or Web pages using the callto: tag. SIP addresses are network-neutral. Thus, the URL can point to a SIP URL, an H.323 address, or a PSTN telephone number. The ITU-T E.164 standard defines the telephone numbering structure. SIP supports forking to multiple destinations, giving the capabilities of forwarding, Automatic Call Distribution (ACD) groups for call centers, and redirecting a call to multiple alternative locations. Figure 1.6 provides an illustration of the SIP model.

[Figure 1.6 content: several SIP user agents communicating through a SIP server made up of a registrar, a proxy server, and a redirect server.]

Figure 1.6: The SIP model.

The SIP model from RFC 2543 provides four distinct components:

- User agents can either initiate call requests or be the destination of those requests. A user agent can be a VoIP hardware phone or a VoIP softphone on a workstation.
- The registrar keeps track of users within the network or domain. User agents register as members of the network.
- The proxy server is an application-layer routing process that directs SIP requests and replies within the network.
- The redirect server receives requests for user agents and provides the location of other SIP user agents or servers where the called party can be reached.

Within the SIP server, the registrar, proxy server, and redirect server may be implemented in a single software package or as multiple components on either single or multiple servers.


Using SIP, a user initiates a call. The user agent transmits a SIP message in plain text to the SIP server(s). When the destination user agent information has been retrieved, the actual message transfer (the phone call) takes place directly between the user agents. In this regard, SIP is a peer-to-peer technology. If one end of the call is located on the PSTN, a gateway is required to connect the call between the IP network and the PSTN.

SIP Messages and Requests

All SIP messages are either requests from a server or client, or responses to a request. They follow the format of RFC 822, Standard for the Format of ARPA Internet Text Messages. These messages use six types of request:

- INVITE: Indicates a user or service is being invited to participate in a call session.
- ACK: Confirms that the client has received a response to an INVITE request.
- BYE: Terminates a call and can be sent by either the caller or the called party.
- CANCEL: Cancels any pending searches but does not terminate a call that has already been accepted.
- OPTIONS: Queries the capabilities of servers.
- REGISTER: Registers the address with a SIP server.
SIP Vulnerabilities and Exploits

Protocols are designed to serve a purpose and by nature have a defined or expected set of inputs. Problems arise when unexpected inputs generate unpredictable results. SIP attacks take a variety of approaches. A SIP packet contains two SIP URLs, identifying both the calling and called parties. At the protocol level, these URLs aren't cross-checked against one another. Billing companies often only check the contact portion to identify the call recipient. SIP packets can be manipulated so that calls are billed to someone else. In parts of Florida, residents can pay their gas utility bill by telephone. If this payment were performed over a VoIP system, manipulating packets could allow malicious users to charge their gas bill to someone else. As noted earlier, SIP supports forwarding calls to an alternative destination. Most systems have a Max-Forwards setting to limit how many forwards the system will tolerate. This number is typically high, and often set to 70 as a default. By manipulating packets, a caller can trick the system into thinking the original caller disconnected and then reconnected. The intruder can seize control of a call in progress by tricking the system using this approach. Imagine a caller calling his or her bank, inputting all account and PIN information, then having the call seized by an intruder. Now the intruder has access to the real caller's bank account and has assumed the true caller's identity over the telephone. Other attacks might include bombarding the VoIP server with repetitive commands. A continual barrage of BYE or CANCEL commands can overload the server, causing unpredictable results. ICMP port unreachable messages can have the same effect.
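Because SIP is plain text, the request format described above and the two weaknesses just noted (calling and called URLs are not cross-checked, and Max-Forwards defaults are generous) can be checked at a border proxy or in a monitoring tap. The following parser is an added example, not code from the book or from any SIP product; the policy limit of 20 forwards, the rule that the From and Contact user parts should agree, and the sample requests, hosts, and Call-IDs are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# The six request types the text lists for RFC 2543 SIP.
SIP_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
# The text notes the default Max-Forwards is typically high (often 70); this
# lower ceiling is an assumed enterprise policy for the check below.
MAX_FORWARDS_POLICY = 20

SIP_URL_RE = re.compile(r"sip:(?P<user>[^@>\s]+)@(?P<host>[^;>\s]+)")


@dataclass
class SipRequest:
    method: str
    request_uri: str
    headers: dict
    findings: list = field(default_factory=list)


def sip_url_parts(value):
    """Return (user, host) from a header carrying a SIP URL, or None if there is none."""
    m = SIP_URL_RE.search(value or "")
    return (m.group("user"), m.group("host").lower()) if m else None


def parse_sip_request(raw):
    """Parse the text of a SIP request and attach defender-side policy findings.

    SIP is text-based like HTTP: a request line, then "Name: value" headers,
    then a blank line before any body. The body is not needed for these checks.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = [ln for ln in head.split("\r\n") if ln]
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, request_uri, _ = parts
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    req = SipRequest(method, request_uri, headers)

    if method not in SIP_METHODS:
        req.findings.append(f"unexpected method {method}")
    for name in ("from", "to", "call-id", "cseq"):
        if name not in headers:
            req.findings.append(f"missing {name} header")
    max_fwd = headers.get("max-forwards")
    if max_fwd is None or not max_fwd.isdigit():
        req.findings.append("Max-Forwards missing or non-numeric")
    elif int(max_fwd) > MAX_FORWARDS_POLICY:
        req.findings.append(f"Max-Forwards {max_fwd} exceeds policy limit {MAX_FORWARDS_POLICY}")
    # The protocol itself does not cross-check the two URLs; here the From user
    # part is compared with the Contact user part, assuming the enterprise
    # provisions them identically (an assumption, not a SIP rule).
    frm, contact = sip_url_parts(headers.get("from")), sip_url_parts(headers.get("contact"))
    if method == "INVITE" and frm and contact and frm[0] != contact[0]:
        req.findings.append(f"From user {frm[0]!r} does not match Contact user {contact[0]!r}")
    return req


def findings_for(raw):
    """Convenience wrapper returning only the list of findings."""
    return parse_sip_request(raw).findings


# Constructed sample requests (not captured traffic); hosts and IDs are made up.
GOOD_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060\r\n"
    "Max-Forwards: 10\r\n"
    "From: Alice <sip:alice@example.com>\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: constructed-call-1@10.0.0.5\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@10.0.0.5>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

SUSPECT_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.99:5060\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@example.com>\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: constructed-call-2@10.0.0.99\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:mallory@10.0.0.99>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_INVITE), ("suspect", SUSPECT_INVITE)):
        print(label, findings_for(raw) or ["no findings"])
```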



Availability
Availability is simply a utility loss. The data may be unavailable as a result of corruption or destruction. Access may be denied due to delays caused by congestion. Data might also have been moved or obscured in some manner. Anything that makes the resource difficult to access impedes availability, whether it is a file on a network drive, an email server, or a component of the VoIP system. Information should be as freely available as possible to authorized users. In VoIP networks, performance impairments can degrade call quality so that users view the service as unusable or unavailable.

Availability and QoS

In the traditional telecommunications world, providers always strive for Five Nines reliability, or 99.999% uptime for availability. In the telephone network, a dial tone is reliable. This reliability is built on a foundation of more than 100 years of experience and traffic engineering by the former Bell System and other telecommunications providers. The network and LAN environment is much newer, and the Internet Protocol (IP) is built on a fundamental concept of best-effort delivery. In the developing years of networking technologies, QoS was less of a concern than simply keeping the network up and running. In native Ethernet and IP, there are no guarantees of delivery at all, let alone assurances as to quality. To obtain QoS that supports quality assurances, you need to introduce other methods and technologies. Over the past 20 years, network technology has advanced tremendously. Hardware components that were common sources of failure are now far more reliable. Spinning disks are more frequently being replaced with flash memory. Integrated circuits have replaced boards and large heat sinks. As network elements move to an appliance-based approach, in many devices the fan is the only electromechanical component left.
Mean time between failures (MTBF) has been extended to years, and in a well-designed network, high availability and reliability are quite achievable. To engineer a network to provide what has often been called carrier class service, several factors come into play. Resiliency and redundancy come at a price: they add cost and complexity to the network. Added costs need to be offset by cost recovery mechanisms. Added complexity can be detrimental to troubleshooting efforts. To create an environment that supports continuous uptime, a meshed topology incorporating hot-swappable modules, load sharing or load balancing capabilities, and even sharing information about the state of ongoing sessions all must be carried on that same network infrastructure. The redundant environment that Figure 1.7 shows provides uptime of the network but not across all the layers that deliver the service. Redundant VoIP servers and business continuity requirements add still more complexity to the network design. As with all design efforts, a balance between security, performance, and cost must be maintained for a sustainable business model.


[Figure 1.7 content: paired routers running a redundancy routing protocol, paired load-balancing switches, and paired firewalls, with session state shared between the members of each pair.]

Figure 1.7: Building a network to support Five Nines reliability and availability.

Viruses and Worms

A computer worm is a self-replicating computer program. Worms are similar to computer viruses. A virus generally attaches itself to an executable program; a worm is self-contained and can propagate on its own. Worms are usually designed to exploit the file transmission capabilities of networked computers. Besides replicating itself, a worm will typically attempt any number of other unwanted activities. It may delete files on a host system or send documents via email. Recent worms may carry other executables as a part of the payload. Even in the absence of a malicious payload, the traffic a worm generates replicating itself can wreak havoc on network performance. The MyDoom worm affected Windows systems worldwide. It caused a noticeable worldwide Internet slowdown at the peak of its spread in January 2004. Its impact exceeded that of the Sobig worm in 2003. The worm payload can install a bot, zombie, or backdoor in the infected computer. Both Sobig and MyDoom installed malicious components. Today, worms often deliver zombie components that are used to build botnets. Spammers can use a botnet to send massive volumes of junk email. A more disruptive use of botnets is to launch a distributed DoS (DDoS) attack or to support identity theft efforts.


Worms tend to consume massive network resources and overload servers. The malicious payload often targets domain controllers and network servers today, but the VoIP resources bring a new rich target into view. The payload distributed by a worm may attempt to learn which users are on the network by exploring directories. A domain controller may reveal a list of all valid user accounts on the network. Once a domain controller is identified, the malicious program may then try to log on over and over. These attempts are often hundreds of times per minute. User ID upon user ID may be tried over and over with hundreds or thousands of passwords in an effort to find a way into the system. The number of incoming requests can overwhelm servers. Endpoints, or user workstations, present a different attack vector. Malicious programs may steal information from end users. Password files may be harvested. Key logging software may be installed in the background to capture system logins. Once the intruder has control of a process on the workstation, some level of network access is available. Information gathering and continual attempts to connect to more resources are common. These attacks often take place through commonly used TCP/IP ports and services. In a Windows environment, ports 135 and 445 are widely used to provide a variety of network services, such as file sharing. These ports are very common attack vectors for worms because they are so often left unprotected to ease sharing of network resources in the enterprise.

DoS Attacks

Network security specialists are often asked, "What keeps you awake at night?" A DoS attack is always among the top fears. DoS is a resource exhaustion attack. Because the resources available are numerous, the vectors of the attack can vary. IP addresses, network bandwidth, and processor memory are common attack vectors.
DoS attacks take on many different forms, but they all focus on depriving computers and networks of scarce, limited, or non-renewable resources critical to operation:

- Destructive devices such as email bombing exhaust network and processor resources
- Buffer overflows exhaust system memory or CPU capacity
- Bandwidth consumption attacks degrade the network's ability to deliver traffic
- Routing and DNS attacks disrupt delivery information and cause lost or misdirected packets; Telnet and HTTP attacks against the router infrastructure have the same impact
- SYN flooding can exhaust server resources
- Resource starvation can result from attacks against multiple vectors at the same time
Transmission Control Protocol (TCP) uses a three-way handshake to guarantee delivery of messages. This three-way handshake is performed by transmitting a SYN command, receiving an ACK, then acknowledging the ACK with a SYN ACK. Every SYN request is a signal to the receiver to allocate resources to handle incoming session activity. A flood of SYNs may allocate more resources than the recipient can process. In some earlier Windows systems, 512 active SYNs was a pre-defined limit. The receipt of the 513th SYN could cause the receiving system to fail, resulting in the infamous blue screen of death.
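The resource being exhausted by a SYN flood is the table of half-open connections, so the defender's signal is how many SYNs never complete and who sent them. The following detector is an added example, not from the book: it replays a constructed connection-tracker log (the addresses, ports, and thresholds are all assumptions) and alerts per source and when the total approaches the 512 active-SYN limit the text cites.

```python
from collections import Counter

# The text notes some earlier Windows systems failed once 512 SYNs were active;
# a defender wants to alert well before that. Both thresholds are assumptions.
HALF_OPEN_ALERT = 400   # alert when total half-open connections approach the 512 limit
PER_SOURCE_ALERT = 50   # alert when a single source holds this many half-open connections


def build_sample_log():
    """Construct a sample handshake log (not captured traffic).

    Each line is "<seq> <event> <src>:<sport> <dst>:<dport>", where SYN means a
    client opened a connection and ACK means that client completed the handshake.
    """
    events = []
    for i in range(5):                                  # normal clients complete their handshakes
        client = f"10.1.1.{10 + i}"
        for sport in (40000, 40001, 40002):
            events.append(f"SYN {client}:{sport} 10.1.1.2:5060")
            events.append(f"ACK {client}:{sport} 10.1.1.2:5060")
    events.append("SYN 10.1.1.20:40100 10.1.1.2:5060")   # one stalled but harmless client
    for sport in range(50000, 50450):                   # 450 SYNs from one source, none completed
        events.append(f"SYN 203.0.113.7:{sport} 10.1.1.2:5060")
    return [f"{seq} {event}" for seq, event in enumerate(events)]


def analyze(lines):
    """Replay the log and report half-open connections and any threshold alerts."""
    half_open = set()
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue                                    # ignore malformed records
        _, event, src, dst = fields
        if event == "SYN":
            half_open.add((src, dst))
        elif event == "ACK":
            half_open.discard((src, dst))              # handshake completed
    per_source = Counter(src.rsplit(":", 1)[0] for src, _ in half_open)
    alerts = []
    for ip, n in per_source.most_common():
        if n >= PER_SOURCE_ALERT:
            alerts.append(f"source {ip} holds {n} half-open connections (>= {PER_SOURCE_ALERT})")
    if len(half_open) >= HALF_OPEN_ALERT:
        alerts.append(f"total half-open connections {len(half_open)} >= {HALF_OPEN_ALERT}, "
                      "approaching the 512 limit")
    return {"half_open_total": len(half_open), "per_source": per_source, "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(build_sample_log())["alerts"]:
        print(alert)
```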


DDoS attacks represent another threat. The infection of a zombie or bot engine allowing an outside intruder to take some control over the endpoint or workstation was mentioned earlier. DDoS attacks involve four elements:

- The intruder or worm delivers the malicious payload into the network.
- A daemon, zombie, or agent grants outside control of the user's system.
- The outside controller is the master or handler, controlling the actions of the botnet.
- The victim is the target on the receiving end of the attack.

The first documented DDoS attack was Trin00 in 1999. It was a distributed SYN attack. This attack was followed by Tribe Flood Net, which evolved to exploit remote procedure call (RPC) services. Later, a DDoS attack called Stacheldraht (barbed wire) blended these two techniques. Further in the DDoS evolution, TFN2K began disguising traffic to make detection and mitigation even more difficult. Although there is no documented evidence of an enterprise network being compromised as the primary attack tool, the threat remains. Imagine the impact of your corporate network being overrun by bots controlled by a malicious outsider and being used as the launch point for a DDoS attack against another company or government entity. Figure 1.8 shows many points of attack in a VoIP network. This visual shows only the service infrastructure. Although only a single call agent is shown, every VoIP endpoint on the network contains call agent software. DoS attacks can be launched against any or all of these elements in the VoIP network.

[Figure 1.8 content: customer network and access network reaching the IP network through an access gateway; a trunking gateway and a signaling gateway connecting to the PSTN switch and PSTN signaling network; media servers, application servers, and the call agent attached to the IP network.]

Figure 1.8: DoS attack vector points.


The trunking gateway, signaling gateway, access gateway, and media and application servers are all server-based resources on the network. In most implementations, these platforms are installed on general-purpose OSs, often Windows servers. As Windows servers, these systems are potentially vulnerable to many Windows exploits. In the traditional telephone environment, a DoS attack against a single telephone is easily achievable. A persistent attacker with a roll of quarters at a bank of pay phones can easily deny service to a single telephone. All it takes is a barrage of continuing phone calls from multiple phones, redialing each time the called party answers. VoIP opens the previously closed telephone architecture to network-based attacks in which elements can be overwhelmed with high volumes of requests.

Effects of DoS Attacks

A DoS attack against the VoIP infrastructure can degrade and disrupt the delivery of calls. Attacks against the system almost always include some form of traffic flooding. Network elements susceptible to a single vulnerability may suffer resource exhaustion and be unable to provide some aspect of VoIP service. Symptoms can manifest themselves in a number of ways:

- Unavailable or degraded service: VoIP phones may not be able to register with the network. Internal calls might work, but calls to the PSTN might fail, or vice versa. Voicemail messages may not be accessible.
- Lack of dial tone or fast busy: Users may pick up the phone and not get a dial tone. They may attempt calls and be blocked by the system due to lack of available resources.
- Inability to complete a call: Users may be able to dial, but calls may never complete. The caller might hear nothing but silence after dialing.
- Dropped calls: Calls may complete and then be disconnected mid-conversation. Calls may disconnect when the answering party picks up the phone.
- Poor quality: Voice quality may degrade. Delay and jitter may make conversations unacceptable or even unintelligible.

Each VoIP network element presents an attack vector that can be exploited to disrupt service. VoIP application servers support registration, signaling, and redirection services. Loss of registration can prevent users from all network access. Signaling impairments disrupt the ability to make or complete calls. Redirection services help ensure calls get delivered to the intended recipient. Trunking gateways provide conversion between IP networks or, in many cases, to the PSTN. DoS attacks on these services can result in limited reachability. Calls to other connected networks or the PSTN may fail. The IP network and customer access network may be congested and unable to provide the quality of traffic delivery necessary to carry on a voice conversation. An overloaded network that adds 500 ms of delay to packets may still be perfectly usable for email and Web services, but voice services quickly become unusable.

Spam Over Internet Telephony

Spam is a troublesome problem for anyone who uses email today. Although it might be more appropriately called Unsolicited Commercial Email (UCE), the spam moniker has stuck for quite some time. There are countless reports of time and productivity lost to the thousands of spam messages received per day. Imagine those messages filling not only your email inbox but also your voicemail inbox as spam moves to VoIP systems.

The barrier to entry for spammers is very low. Anyone with a PC and a connection can become a spammer. The cost per message for delivery is immeasurably small, unlike the postage costs for even third-class junk mail in the traditional sense. This low cost means that the return on investment (ROI) for spam is very high. A .01% return on postal junk mail would quickly bankrupt a traditional mailing house. A spammer getting a .01% return on 10 million electronic messages that cost nothing to send enjoys a very high rate of return, enough incentive to keep spammers in the game.

There is great fear in the industry that once an Internet address is obtained for phones, such as the SIP URL, telemarketers and advertisers, both legitimate and questionable, will use automated tools to deliver unsolicited commercial messages in mass quantities. The VoIP market is growing quickly. Once a critical mass of users is reachable via VoIP, bulk messaging could become a real problem. Spam Over Internet Telephony (SPIT) resembles spam more closely than it resembles those friendly telemarketing calls that always seem to come at dinnertime. But people, frustrated people, often just hang up on telemarketers. SPIT has the potential to fill voice mailboxes with junk messages that have to be manually deleted or somehow filtered out. Assuming the worst, VoIP spam software could easily deliver thousands of 30-second messages every few seconds. SPIT could become a new form of DoS, overwhelming the resources of the enterprise voicemail system.

For now, documented cases of VoIP spam remain isolated and few, but even the United States Telephone Association (USTA) has identified SPIT as one of the next major headaches for daily operations. Telemarketers using VoIP may not have to comply with the Federal Trade Commission's Do-Not-Call list, leaving a future problem for regulators to address. Although real-world examples remain slim in this area, it's certainly an area of concern.
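Both the request flooding described under Effects of DoS Attacks and the bulk-calling pattern described for SPIT show up on the signaling side as per-source rate anomalies. The Python below is an added example, not code from the book or from NetIQ: it runs a sliding-window monitor over a constructed SIP request log and flags one source that floods REGISTER requests and another that fans INVITEs out to many callees. The log format, the thresholds, the addresses and the SipRateMonitor class are all assumptions of this example.

```python
import re
from collections import defaultdict, deque

# Assumed log format (constructed for this example, not a real product's format):
# "<epoch seconds> <SIP method> <source IP> <caller URI> <callee URI>"
LINE_RE = re.compile(r"^(?P<ts>[\d.]+) (?P<method>[A-Z]+) (?P<src>\S+) (?P<caller>\S+) (?P<callee>\S+)$")

class SipRateMonitor:
    """Per-source sliding window over INVITE/REGISTER requests (hypothetical monitor)."""
    def __init__(self, window_s=10.0, max_requests=20, max_callees=8):
        self.window_s, self.max_requests, self.max_callees = window_s, max_requests, max_callees
        self.events = defaultdict(deque)  # src -> deque of (ts, callee) inside the window

    def observe(self, ts, method, src, callee):
        """Record one request and return the set of alert labels it triggers."""
        if method not in ("INVITE", "REGISTER"):
            return set()
        q = self.events[src]
        q.append((ts, callee))
        while ts - q[0][0] > self.window_s:  # drop events older than the window
            q.popleft()
        alerts = set()
        if len(q) > self.max_requests:  # sheer request volume: resource-exhaustion pattern
            alerts.add("flood")
        if method == "INVITE" and len({c for _, c in q}) > self.max_callees:
            alerts.add("spit-fanout")  # many distinct callees from one source: bulk calling
        return alerts

def analyze(lines, **thresholds):
    """Run the monitor over log lines; return {source: set of alert labels}."""
    mon, flagged = SipRateMonitor(**thresholds), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            alerts = mon.observe(float(m["ts"]), m["method"], m["src"], m["callee"])
            if alerts:
                flagged[m["src"]] |= alerts
    return dict(flagged)

def constructed_log():
    """Synthetic log (constructed data): one normal user, one REGISTER flood, one SPIT campaign."""
    lines = ["1000.0 REGISTER 10.0.0.5 alice@example.com registrar@example.com",
             "1001.0 INVITE 10.0.0.5 alice@example.com bob@example.com"]
    # 60 REGISTERs in 3 s from a single source, each with a different user name
    lines += [f"{1002 + i * 0.05:.2f} REGISTER 198.51.100.7 x{i}@example.com registrar@example.com" for i in range(60)]
    # 12 INVITEs to 12 different extensions in 6 s from one source
    lines += [f"{1010 + i * 0.5:.1f} INVITE 203.0.113.9 promo@example.net u{i}@example.com" for i in range(12)]
    return lines
```

Thresholds need tuning to the site's normal registration and call rates; a PBX that re-registers many phones at once after a reboot would otherwise trip the flood rule.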

Summary
The enterprise network is a complex system. Implementing VoIP brings a new level of complexity into the mix. Security threats are real and many. Assuring QoS delivery is a technical challenge. The next chapters will identify industry best practices and techniques to address some of these concerns so that you can deliver the performance expected by end users and a secure, reliable, available VoIP service across the enterprise.
