Towards a Scalable and Secure VoIP Infrastructure. Lab for Advanced Networking Systems. Director: David.

Presentation transcript:

Towards a Scalable and Secure VoIP Infrastructure
Lab for Advanced Networking Systems
Director: David K. Y. Yau

1. Security Challenges
• Traditional telephone network: highly reliable, voice specific, closed and physically secure system
• VoIP network: unpredictable/open transport, data/voice convergent, publicly connected (intelligent but untrusted/malicious systems)
• Security should not be an afterthought
• Media, signaling, infrastructure attacks

2. VoIP Network Architecture
[Figure: network diagram. Labels: DNS server; Proxy / redirect server; VoIP phone; POTS; Media gateway; IP network; Legacy phone; Mobile VoIP phone; SIP signaling / TLS / TCP; User registration; Media: RTP/RTCP/UDP]
Threat labels on the diagram:
• SIP flood and spoofing / theft-of-service / authentication attack
• Media eavesdropping, UDP / RTP flood, encryption attack, faked ToS (theft-of-service)
Device Threats:
• Virus, misconfiguration, compromise (phone)
• TLS flood, authentication / encryption (proxy)
• RTP port starvation (media gateway)
• Wireless attack, jamming, RTS / CTS attack
[Figure: Protocol Stack]
[Figure: Session Initiation Protocol (SIP). Labels: INVITE; 180 Ringing; 200 OK; ACK; Media Stream; BYE]

3. SIP: Security Issues
SIP requires: proxy server, redirection server, firewall, etc.
These servers can be subjected to:
(1) DDoS attack
(2) Low-rate TCP attack
(3) Jamming attack
If not handled carefully, VoIP won't fly.

Case 1. Flooding Attack
Solution: Router Throttle
[Figure: router throttle. Labels: Server; To S; Aggressive flow; Throttle for S'; To S'; Throttle for S; Securely installed by S; Deployment router]
[Figure: Example Max-min Rates (L=18, H=22)]

Case 2. Low-rate DoS Attack on TCP Flow
• Sufficiently large attack burst
• Packet loss at congested router
• TCP times out and retransmits after RTO
• Attack period = RTO of TCP flow
• TCP continually incurs loss and achieves zero or very low throughput
Avg BW = lR/T

Algorithm of Detection
Steps: (1) sample the traffic, (2) filter the noise, (3) extract the signature, (4) pattern match.
• Sample recent instantaneous throughput at a constant rate
• Each detection run consists of a sequence of instantaneous throughput samples
• Normalization is necessary
• The background noise of the samples needs to be filtered
• Background noise: UDP flows and other TCP flows that are less sensitive to the attack
• For simplicity, a threshold filter can be used
• Autocorrelation is adopted to extract the periodic signature of the input signal: periodic input => special pattern in its autocorrelation. (Autocorrelation can also mask the difference of time shift S)
• Unbiased normalization (M: length of input sequence; m: index of autocorrelation)
• Similarity between the template and the input should be calculated
• We use Dynamic Time Warping (DTW). (The detailed DTW algorithm is provided in our research work)
• The smaller the DTW value, the more similar they are
• DTW values will be clustered; a threshold can be set to distinguish them

Robustness of Detection
• Attack flows vs. legitimate flows
• Expect a separation between them
[Figure: probability distribution of DTW values, with threshold]

Case 3. Wi-Fi Jamming
Wireless VoIP using Wi-Fi
Security problems:
• Common jamming
• Low-rate attack on the control plane
• Exploiting the protocol: RTS-CTS
[Figure: RTS-CTS Jamming. Labels: AP; AB; time; RTS(A); CTS(A); defer]

4. Conclusion
• Security solutions
• Initial focus will be on denial-of-service, considering security protocols like SRTP, TLS, S/MIME, SSL, etc.
• Protocol design and analysis (solutions must be scalable despite encryption, authentication, etc.)
• Seek experimental evaluation
• Realistic testbed network
• Hope to evolve into international scope: Bell Labs (NJ), Purdue (IN), Chinese University (Hong Kong), …
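
The detection steps listed for Case 2 (sample the traffic, filter the noise, extract the signature by autocorrelation, pattern match with DTW), written out in Python. This is an added example, not code from the poster or the authors' research work: the autocorrelation uses the standard unbiased form, and the link capacity, filter cutoff, lag window, template, DTW threshold and traffic traces are all constructed assumptions.

```python
# Added example: sample -> filter -> autocorrelation -> DTW pattern match.
# CAPACITY, CUTOFF, MAX_LAG, THRESHOLD and all traces are constructed assumptions.
CAPACITY, CUTOFF, MAX_LAG, THRESHOLD = 10.0, 0.5, 20, 0.5

def preprocess(samples_mbps):
    """Normalize by link capacity, then zero out background noise below CUTOFF."""
    norm = [s / CAPACITY for s in samples_mbps]
    return [v if v >= CUTOFF else 0.0 for v in norm]

def autocorr_unbiased(x, max_lag=MAX_LAG):
    """A(m) = 1/(M-m) * sum_{n=0}^{M-m-1} x[n]*x[n+m], for m = 0..max_lag."""
    M = len(x)
    return [sum(x[n] * x[n + m] for n in range(M - m)) / (M - m)
            for m in range(max_lag + 1)]

def dtw(a, b):
    """Classic dynamic time warping distance with |a_i - b_j| as local cost."""
    inf = float("inf")
    d = [[inf] * (len(b) + 1) for _ in range(len(a) + 1)]
    d[0][0] = 0.0
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = abs(a[i - 1] - b[j - 1]) + min(
                d[i - 1][j], d[i][j - 1], d[i - 1][j - 1])
    return d[-1][-1]

def pulse_train(length, period, burst, shift=0, height=1.0):
    """Ideal periodic burst pattern: `burst` samples high every `period` samples."""
    return [height if (n - shift) % period < burst else 0.0 for n in range(length)]

# Template signature: a 2-sample burst every 10 samples (sampling interval is
# assumed to be chosen so that 10 samples span one RTO of the victim TCP flow).
TEMPLATE = autocorr_unbiased(pulse_train(60, 10, 2))

def score(samples_mbps):
    """DTW distance between the trace's signature and the template."""
    return dtw(autocorr_unbiased(preprocess(samples_mbps)), TEMPLATE)

def is_low_rate_attack(samples_mbps):
    return score(samples_mbps) < THRESHOLD  # smaller DTW value = more similar

# Constructed traces (Mbps): periodic bursts over light background vs. steady load.
attack = [8.0 + (n * 3 % 4) * 0.5 if (n - 3) % 10 < 2 else 1.5 + (n % 3) * 0.2
          for n in range(60)]
steady = [6.0 + (n * 7 % 11) * 0.3 for n in range(60)]

if __name__ == "__main__":
    for name, trace in (("attack", attack), ("steady", steady)):
        print(name, round(score(trace), 3), is_low_rate_attack(trace))
```

The attack trace starts its bursts three samples later than the template, which exercises the point that autocorrelation masks the time shift; a deployed threshold would be set from the observed clustering of DTW values rather than fixed in advance.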