voip security
DESCRIPTION
VoIP security - myths & realitiesTRANSCRIPT
VoIP security– myths & realities
Ishai RosmarinSales Director – [email protected]
in IPwe don’ttrustanyone!
VoIP security in the news
VoIP Security Alert: Hackers Start
Attacking For Cash (June 2006)
Two Men Charged With Hacking Into
VoIP Networks (June 2006)
The Internet's a Scary Place for Voice(May 2006)
Is Your VoIP Phone Vulnerable?
(June 2006)
Are Hackers Eyeing your VoIP Network?
(Sept. 2006)
VoIP Security: It's More Than Data Security(Aug. 2006)
4
Security Concerns
• Everyone worries
about security
• DoS attacks and
overloads are biggest
worry
Source: Service Provider Plans for Next Gen Voice 2006 (July 2006)
29%
75%
75%
63%
79%
54%
42%
33%
0% 20% 40% 60% 80%
Trade performancefor security
SPIT
Illegal wiretapping
Service topology exposure
Service fraud
User privacy and confidentiality
User/device authenticationand authorization
DoS attacks and overloads ofnext gen voice service
infrastructure
Percent of Next Gen Voice
Respondents Rating 6 or 7
VoIP security threats & solutions
IMS: Is Missing Security
DoS/DDoS
attacks
Traffic
overloads
Viruses &
malware
Service
fraud
Identity
theft
Eves -
dropping
SPIT
Security feature requirement IMS function/feature
Access control - static IP address list Core IMS functions, not applicable for UE
Access control - dynamic IP address list Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII x
Topology hiding (NAPT at L3 & L5) I-BCF only, THIG sub-function IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Authentication - subscriber & CSCF IPSec, SIP digest IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Authorization - subscriber HSS function IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Signaling encryption IPSec IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Media encryption Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Admission control - I/S-CSCF constraints Not addressed
Admission control - network bandwidth constraints PDF/RACS functionAdmission control - user limits: sessions (#) Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Admission control - user limits: bandwidth Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
SIP message & MIME attachment filtering/inspection Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Signaling rate monitoring & policing Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Bandwidth monitoring & policing Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Call gapping - destination number Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Call gappping - source/destination CSCF or UE Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
QoS marking/mapping control Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Internet
Types_ Malicious attacks_ Non-malicious – poor behaving
endpoints, power outages
Solution requirements
_ SBC DoS self-protection• Access control - static & dynamic• Trusted & untrusted paths with policed
queues• IDS capabilities
_ Service infrastructure DoS prevention• Access control - static & dynamic• Topology hiding• Signaling rate plicing• Bandwidth policing
DoS/DDoS attacks threatensubscriber retention and revenue
PSTNTransit& O&T
HIP ICServices
O&T
HIP ICServices
1
2
4
3
Viruses & malware can threaten ICendpoints and service infrastructure
SIP MIME attachments are powerful tool for richer call ID- vcard text, picture or video
Potential Trojan horse for viruses and worms to general-purpose server-based voice platforms_ SIP softswitch, IMS CSCF, SIP servers, app servers_ SIP PBX_ SIP phones & PCs
New endpoint vulnerabilities_ Embedded web servers - IP phones_ Java apps – liability or asset?
Solution requirements_ Authentication_ SIP message & MIME attachment filtering_ Secure OS environment
SQL
Slammer
Melissa
Code Red
Nimda
Sobig
Love
Bug
Klez
Michelangelo
Internet
Service fraud riskis business model dependant
Business model dimensions_ Internet vs. managed network_ Free vs. fee based_ Anonymous vs. not anonymous
Types of fraud_ Service theft_ QoS theft_ Bandwidth theft
Solution requirements_ Access control_ Authentication – subscriber
& SIP signaling elements_ Authorization – subscriber_ Admission control – subscriber
limits - # sessions & bandwidth_ QoS marking/mapping control_ Bandwidth policing
PSTNMPLS
NONE
NONE
DiffServ-31
2
4
3
A B
Identity theft can’t beprevented entirely by technology
How do you know you are talking to Bank of America?
Web site techniques don’t work for IC- work for many-one, not many-many
Solution requirements– Authentication, access control– Trust chains - pre-established technical & business relationships
Eavesdropping threat is over hyped
Less risk than email, who encrypts email?_ Email is information rich (attachments), voice not_ Email always stored on servers, only voice mail_ Email always stored on endpoints, voice not
Who is at risk?_ Bad guys - Osama, drug cartels,
pedophiles, etc._ Law enforcement_ Money, love, & health-related
– insider trading, adultery, ID theft,
Solution requirements_ Authentication – subscriber_ End-to-end encryption (EXPENSIVE)
• Signaling (TLS, IPSec)• Media (SRTP, IPSec)
SPIT will be annoying,& possible tool for ID theft
Will anonymous, cheap Yahoo subscriber (aka SPITTER)be able to call money-paying Verizon subscriber to solicit- phone sex, penis enlargement, Viagra pill purchase?
Techniques that won’t work_ Access control – static_ Content filtering_ Charging - $/call_ Regulation
Solution requirements_ Access control
– dynamic, IDS-like_ Authentication_ Admission control
– subscriber limits (#)_ Trust chains - pre-established
technical & business relationships
Who is responsible for security?
The individual The organization
The future IC net?
The Internet
I
The Federnet
FF
F
F F
Net-Net
Security issues are very complex and multi-dimensional
Security investments are business insurance decisions_ Life – DoS attack protection_ Health – SLA assurance_ Property – service theft protection_ Liability – SPIT & virus protection
Degrees of risk_ Internet-connected ITSP ` High_ Facilities-based HIP residential services_ Facilities-based HIP business services
_ Peering Low
_ NEVER forget disgruntled Malcom, OfficeSpace
Session border controllers enable service providersto insure their success
Monitor, report & recordattacks & attackers;provide audit trails
Net-SAFE – security requirementsframework for session border control
Protect against SBC DoS attacks & overloads(malicious & non-malicious)
Session-awareaccess control
for signaling& media
Prevent DoSattacks on serviceinfrastructure &subscribers
Completeservice
infrastructurehiding & user
privacy support
Support for L2 and L3 VPNservices and security
Prevent misuse & fraud;protect againstservice theft
Acme Packet Net-Net SD “flawlessly passedall of CT Labs’ grueling attack tests”
Total of 34 different test cases, using over 4600 test scripts
No failed or dropped calls, even for new callsmade during attacks
No lost RTP packets during attacks
Protected the service provider equipment – did notallow flood attacks into core, stopped packets at edge
SD performance not impacted during attack
– SD CPU utilization - only10% increase
– Signaling latency - only2 ms average increase
– RTP jitter – lessthan 1 ms increase(not measurable bytest equipment)
Acme Packet SBCDoS/DDoS protection
Network processor (NPU) -based protection– L3/4 (TCP, SYN, ICMP, etc.) & signaling attack detection & prevention -– Dynamic & static ACLs (permit & deny) to SPU– Trusted & untrusted paths to SPU w/configurable bandwidth allocation &
bandwidth policing per session– Trusted devices - guaranteed signaling rates & access fairness– Untrusted devices – can access unused
trusted bandwidth– Separate queues for ICMP, ARP, telnet, etc.– Reverse Path Forwarding (uRPF)
detection - signaling & media– Overload prevention - 10 Gbps
NPUs > 8 Gbps network interfaces
Signaling processor (SPU)-based protection– Overload protection threshold
(% SPU) w/graceful call rejection– Per-device dynamic trust-binding
promotes/demotes devicesNetwork
processor
Intelligenttraffic
manager
Networkprocessor
Signalingprocessor
Securityprocessor
The leaderin session border control
for trusted, first classinteractive communications