Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Carrier VoIP Security: Threats and Defenses. 2 Agenda Security Philosophy VoIP Basics (IETF SIP-based) VoIP Threats Fundamental VoIP Security Mechanisms.

Published byDiana Mason Modified over 10 years ago

Similar presentations

Presentation on theme: "1 Carrier VoIP Security: Threats and Defenses. 2 Agenda Security Philosophy VoIP Basics (IETF SIP-based) VoIP Threats Fundamental VoIP Security Mechanisms."— Presentation transcript:

1 1 Carrier VoIP Security: Threats and Defenses

2 2 Agenda Security Philosophy VoIP Basics (IETF SIP-based) VoIP Threats Fundamental VoIP Security Mechanisms and Tasks Enhanced VoIP Security – Session Border Control Enhanced VoIP Security – Application Layer Firewall

3 3 21st Century Security Philosophy Security must be layered, i.e. defenses in depth. Perimeter hardening, like physical measures, is just a first step. All network elements must be hardened as "defensive strong points" in their own right. Deploy multiple security technologies. Deployed assets MUST have integrated security capabilities that support end-to-end protection. NO clear-text passwords, use secure protocols. NO networking link is trustable anywhere!

4 4 Common Services Infrastructure PSTN /SS7 ALF /SBC POTS Phone Circuit Switch Trunk Gateway FiOS Nomadic Customer C BYOBB Internet ILEC LATA IP Network FiOS Customer B FiOS Customer A Softswitch Servers SIP-Based Voice Mail TDM-Based Voice Mail POTS Phone Trunk Gateway Softswitch / SIP SS7 GW ALF /SBC PSTN /SS7 Softswitch / SIP SS7 GW SIP-Based VoIP

5 5 VoIP Threat Taxonomy

6 6 SIP and VoIP Security Concerns VoIP Denial of Service IP Phone Provisioning / Credentialing Caller ID Spoofing VoIP Theft of Service SIP Registration Hijacking SIP Proxy Impersonation SIP and RTP message tampering / injection SIP to SS7 Signaling Conversion IP-Based Voicemail Fraud E911 Availability CALEA / Law Enforcement Oh yes, and that issue with NAT

7 7 VoIP Security – Minimum Defenses Use SIP Digest Authentication Drawn from HTTP MD5 Digest Authentication per RFC 2617 Server sends a nonce to client which client hashes with shared secret This digest is sent back to server for verification and authentication It provides a way to verify a users (claimed) identity without having to send passwords or secrets in the clear. It makes it difficult for an intruder to tamper with a users service by replaying portions of previous messages. (Replay prevention) It supports an optional capability for ensuring that a SIP message has not been altered. (Message integrity)

8 8 VoIP Security – Minimum Defenses The Inputs for Digest Authentication These inputs are sent to the client by the server in the 401 or 407 challenging response: nonce = a random string realm = hostname/domain defining the server qop = quality of protection; can be auth or auth-int (w/ integrity) opaque = server generated string; no well-defined use These are inputs provided by the client: nc-value = nonce count; used in preventing replay cnonce = client generated nonce; used to prevent chosen plaintext attacks, provide some mutual authentication and integrity. method = SIP method (i.e., INVITE, SUBSCRIBE, NOTIFY, …) username password

9 9 VoIP Security – Minimum Defenses After getting challenged and receiving the server inputs (with a specified qop), the client then performs either of the following calculations where H(x) is the hash of x: When qop = auth H ( H(username:realm:password):nonce: nc-value:cnonce:qop:H(method;URI of called party) ) When qop = auth-int H ( H(username:realm:password):nonce: nc-value:cnonce:qop:H(method:URI of calledparty: H(entity-body) ) )

10 10 VoIP Security – Minimum Defenses The security is weakened if the nonces are cached for more than a brief period The security can be enhanced by making use of the nonce-count and the next-nonce values. nonce-count = # of times a nonce has been used including the current request next-nonce = the nonce that the server sends for a client to use in next request The next-nonce mechanism has a negative impact on signaling performance for pipelined requests. The nonce-count provides some good replay security without the performance hit of next-nonce. Dont be a Cache Cow

11 11 VoIP Security – Minimum Defenses SIP Digest Authentication INVITE 407 Proxy Authentication Required INVITE (with the digested credentials) INVITE 200 OK 180 Ringing ACK Media Session BYE 200 OK ACK Alice Proxy Bob

12 12 VoIP Security – Minimum Defenses Use encryption when provisioning IP phones Harden Softswitch (usually multiple servers) Enable rate /session limits within Switch Application Run IPSec on SIP inter-carrier peering Lock down DNS (Lots to do) Vulnerability scanning Dont you dare trust your management network Identify relevant inputs to a Fraud Analysis process

13 13 Enchanced VoIP Security – SBCs Using Session Border Controllers SIP layer and RTP alternate routing Inbound / Outbound SIP Proxy Call Admission Control RTP firewall pinhole management SIP layer rewriting for NAT Traversal SIP layer rewriting for topology hiding SIP Call State awareness for optimizing softswitch assets Point of collection for CALEA / LI targets

14 14 VoIP Security – Robustness Testing SIP is both simple and quite complex Format borrows heavily from HTTP and is easy to read Session state awareness and protocol timers are complex SIP Robustness test tools are available Protos, Codenomicon, SIP Bomber, PacketCrafter Essentially a Protocol Stresser and Reliability Tester Several SIP network elements were crashed Some SIP stacks are poorly built No input validation, poor memory management,… Gosh, maybe we need a SIP Application Layer Firewall

15 15 Enhanced VoIP Security – SIP ALF ALF = Application Layer Firewall In VoIP context - the ALF is really a SIP Intrusion Prevention System Selling management on the additional expense Show and Tell Demonstrated SBCs and Softswitches crashing Avoiding exposures due to the risks Next generation direction is to combine SBC and ALF functions in one device to gain economies

16 16 Lessons Learned

17 17 Industry Challenges: Service Providers: Collaborate on accumulating security related actuarial information Standards Bodies: ANSI/ITU developed architectural security framework Technology standards groups follow ANSI/ITU framework and leverage existing standard technologies (IPsec, PKI) Accommodate today's reality (NAT, Firewalls, untrusted networks) Vendor Community: Consider current best practices (e.g.. RFCs 2196, 2504, 3365) Build on standards (IPsec, PKI, NIST Common Criteria, ATIS, ITU-T, ISO) Support future needs (IPsec, IPv4 to IPv6 migration, PKI) Adjust product plans to today's security realities (NAT is a fact and everywhere, NO network segments can be assumed trustable)

18 18 In Conclusion Verizon is addressing today's very real threats. Standards organizations must address carrier class security issues and architectures. The vendor community needs to produce equipment & software that meet Verizon's security objectives. Our customers and peer carriers need to work with us to mitigate security risks.

19 19 Questions?

Download ppt "1 Carrier VoIP Security: Threats and Defenses. 2 Agenda Security Philosophy VoIP Basics (IETF SIP-based) VoIP Threats Fundamental VoIP Security Mechanisms."

Similar presentations

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1 NG 9-1-1 security: What is a BCF.

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1 NG security: What is a BCF.
The leader in session border control for trusted, first class interactive communications.

The leader in session border control for trusted, first class interactive communications.
Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
www.dynamicsoft.com U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP 2000-05-10-00 SIP Security Jonathan Rosenberg Chief Scientist.

U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP SIP Security Jonathan Rosenberg Chief Scientist.
Security Issues In Mobile IP

Security Issues In Mobile IP
SURA/ViDe 4th Annual Workshop SIP, Security & Threat Models Dr. Samir Chatterjee School of Information Science Claremont Graduate University Claremont,

SURA/ViDe 4th Annual Workshop SIP, Security & Threat Models Dr. Samir Chatterjee School of Information Science Claremont Graduate University Claremont,
IMS and Security Sri Ramachandran NexTone. 2 CONFIDENTIAL © 2006, NexTone Communications. All rights Traditional approaches to Security - The CIA principle.

IMS and Security Sri Ramachandran NexTone. 2 CONFIDENTIAL © 2006, NexTone Communications. All rights Traditional approaches to Security - The CIA principle.
Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.

Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.
Colombo, Sri Lanka, 7-10 April 2009 Preferential Telecommunications Service Access Networks Lakshmi Raman, Senior Staff Engineer Intellectual Ventures.

Colombo, Sri Lanka, 7-10 April 2009 Preferential Telecommunications Service Access Networks Lakshmi Raman, Senior Staff Engineer Intellectual Ventures.
1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.

1 ABCs of PKI TAG Presentation 18 th May 2004 Paul Butler.
Pune, India, 13 – 15 December 2010 ITU-T Kaleidoscope 2010 Beyond the Internet? - Innovations for future networks and services Ivan Gaboli, Virgilio Puglia.

Pune, India, 13 – 15 December 2010 ITU-T Kaleidoscope 2010 Beyond the Internet? - Innovations for future networks and services Ivan Gaboli, Virgilio Puglia.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation

Voice Security Interop 2009 Mark D. Collier SecureLogix Corporation
1 IP Telephony (VoIP) CSI4118 Fall 2005. 2 Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.

1 IP Telephony (VoIP) CSI4118 Fall Introduction (1) A recent application of Internet technology – Voice over IP (VoIP): Transmission of voice.
Figure 7-1 Softswitch Components Signaling Gateway Feature Server Softswitch Universal Media Gateway SGCP SIP MGCP MGCP (Media Gateway Control Protocol)

Figure 7-1 Softswitch Components Signaling Gateway Feature Server Softswitch Universal Media Gateway SGCP SIP MGCP MGCP (Media Gateway Control Protocol)
Addressing Security Issues IT Expo East 2011. Addressing Security Issues Unified Communications SIP Communications in a UC Environment.

Addressing Security Issues IT Expo East Addressing Security Issues Unified Communications SIP Communications in a UC Environment.
Johan Garcia Karlstads Universitet Datavetenskap 1 Datakommunikation II Signaling/Voice over IP / SIP Based on material from Henning Schulzrinne, Columbia.

Johan Garcia Karlstads Universitet Datavetenskap 1 Datakommunikation II Signaling/Voice over IP / SIP Based on material from Henning Schulzrinne, Columbia.
VoIPhreaking How to make free phone calls and influence people by the grugq.

VoIPhreaking How to make free phone calls and influence people by the grugq.
CANTO – 2006 Information Security and Voice over IP (VoIP) Robert Potvin, CISSP VP - Strategic Consulting June 21st, 2006.

CANTO – 2006 Information Security and Voice over IP (VoIP) Robert Potvin, CISSP VP - Strategic Consulting June 21st, 2006.
SIP Explained Gary Audin Delphi, Inc. Sponsored by

SIP Explained Gary Audin Delphi, Inc. Sponsored by

Similar presentations

Ads by Google