IPCablecom Security Eric Rosenfeld, CableLabs Sasha Medvinsky, Motorola Simon Kang, Motorola ITU IPCablecom Mediacom Workshop March 13, 2002 Geneva, Switzerland.

Slides:



Advertisements
Similar presentations
Malcolm Taylor (ECB) Luc Martens (tComLabs) Dirk Jaeger (ECCA)
Advertisements

Internet Protocol Security (IP Sec)
David Reed Chief Strategy Officer, CableLabs June 8, 2004
Telephony Troubleshooting in the Home
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
Information System Security AABFS-Jordan Summer 2006 IP Security Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi.
IPsec: Internet Protocol Security Chong, Luon, Prins, Trotter.
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
January 23-26, 2007 Ft. Lauderdale, Florida IP Communications, Secure – By Design Roger W. Farnsworth.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Cyber Security and Key Management Models Smart Grid Networks The Network System Key Management and Utilization Why Hardware Security Christopher Gorog,
Configuration of a Site-to-Site IPsec Virtual Private Network Anuradha Kallury CS 580 Special Project August 23, 2005.
Internet Protocol Security (IPSec)
Network Security. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash Functions Public-Key.
Creating an IPsec VPN using IOS command syntax. What is IPSec IPsec, Internet Protocol Security, is a set of protocols defined by the IETF, Internet Engineering.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Russ Housley IETF Chair Founder, Vigil Security, LLC 8 June 2009 NIST Key Management Workshop Key Management in Internet Security Protocols.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 7: Securing Site-to-Site Connectivity Connecting Networks.
Protocol Basics. IPSec Provides two modes of protection –Tunnel Mode –Transport Mode Authentication and Integrity Confidentiality Replay Protection.
Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 9: Securing Network Traffic Using IPSec.
VoIP security : Not an Afterthought. OVERVIEW What is VoIP? Difference between PSTN and VoIP. Why VoIP? VoIP Security threats Security concerns Design.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Providing Teleworker Services Accessing the WAN – Chapter 6.
32.1 Chapter 32 Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction.
1 Cable Telephony & VoIP: SP-6. Cable Telephony and VoIP SP-6 2 Agenda  Technology choices and issues  CBR (Constant Bit Rate)  Hybrid VoIP  PacketCable.
CHAPTER 14 PSTN and VoIP Interworking. Cisco Packet Telephony: Connection Control Call Control Services.
Cable Modem Overview EEL 4930 – Computer Networks Fall 2002 Bradley C. Spatz.
Copyright ©Universalinet.Com, LLC 2009 Implementing Secure Converged Wide Area Networks ( ISCW) Take-Aways Course 1: Cable (HFC) Technologies.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
1 Chapter 8 Copyright 2003 Prentice-Hall Cryptographic Systems: SSL/TLS, VPNs, and Kerberos.
An Introduction to Encrypting Messages on the Internet Mike Kaderly INFS 750 Summer 2010.
1 Section 10.9 Internet Security Association and Key Management Protocol ISAKMP.
Module 9: Configuring IPsec. Module Overview Overview of IPsec Configuring Connection Security Rules Configuring IPsec NAP Enforcement.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Cable broadband delivery (Cable modem transport platforms) Richard Catchpole ITU-T Study Group 9 Associate Rapporteur ITU-T Workshop.
Cable network and multimedia services Speaker: 陳羿仲 Advisor: 吳和庭 2012/12/05.
VoIP Security in Service Provider Environment Bogdan Materna Chief Technology Officer Yariba Systems.
Introduction to Cable Telephony Larry Greenstein Director of Product Management Nuera Communications
ITU-T Workshop on Multimedia Convergence Broadband Delivery and In-home Distribution Geneva, Switzerland 12 – 15 March 2002 Doug Jones Chief Architect,
IPCablecom - Network and Service Architecture Dipl.-Ing. Volker Leisse Institute for Communications Technology Braunschweig Technical University
Chapter 21 Distributed System Security Copyright © 2008.
Information management 1 Groep T Leuven – Information department 1/26 IPSec IP Security (IPSec)
International Telecommunication Union Eighth Global Standards Collaboration (GSC) Meeting - Ottawa, Canada, 27 April-1 May 2003 Security Standardization.
Network access security methods Unit objective Explain the methods of ensuring network access security Explain methods of user authentication.
Generic Routing Encapsulation GRE  GRE is an OSI Layer 3 tunneling protocol: Encapsulates a wide variety of protocol packet types inside.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Network Security David Lazăr.
IPsec IPsec (IP security) Security for transmission over IP networks –The Internet –Internal corporate IP networks –IP packets sent over public switched.
11 SECURING NETWORK COMMUNICATION Chapter 9. Chapter 9: SECURING NETWORK COMMUNICATION2 OVERVIEW  List the major threats to network communications. 
Presents H.323 Forum ITU-T SG16 With Focus on H.323 Activities Presented by Paul E. Jones Rapporteur ITU-T Q2/16 Cisco Systems.
Hands-On Microsoft Windows Server 2003 Networking Chapter 9 IP Security.
Virtual Private Network. ATHENA Main Function of VPN  Privacy  Authenticating  Data Integrity  Antireplay.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 10: Planning and Managing IP Security.
Chapter 14 Network Encryption
“IPCablecom” Global standardisation of IP communication for cable networks Richard Catchpole Study Group 9 Associate Rapporteur
Voice Over IP in Cable Broadband Venture Seminar Doug Jones Chief Architect YAS Broadband Ventures, LLC September 7, 2001 Presented for.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Introduction to Cable Telephony Craig Lee VP of Marketing Nuera Communications
Securing Access to Data Using IPsec Josh Jones Cosc352.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Providing Teleworker Services
Module 8: Securing Network Traffic by Using IPSec and Certificates
Security in the Internet: IPSec, SSL/TLS, PGP, VPN, and Firewalls
Overview of ETS in IPCablecom Networks
Module 8: Securing Network Traffic by Using IPSec and Certificates
Presentation transcript:

IPCablecom Security Eric Rosenfeld, CableLabs Sasha Medvinsky, Motorola Simon Kang, Motorola ITU IPCablecom Mediacom Workshop March 13, 2002 Geneva, Switzerland

Agenda IPCablecom Overview How it Works Services and Capabilities Security Goals of IPCablecom IPCablecom Security Architecture Security Mechanisms & Component Summary

What is IPCablecom? IPCablecom is a set of standards that define protocols and functional requirements for the purpose of providing Quality-of- Service (QoS) enhanced secure communications using the Internet Protocol (IP) over the cable television Hybrid Fiber Coax (HFC) J.112 network

IPCablecom Framework Broadband Modem Physical LayerMedia Access ControlInternet ProtocolIPCablecom Protocols Voice/Video Telephony Conferencing Video/Data Applications J.112 IPCablecom

Servers PSTN IPCablecom How it Works HFC J.112 Cable Modem CMTS (J.112 AN) Cable IP Network Internet Upgrade to IPCablecom + MTA

IPCablecom Architecture Managed IP Backbone (QoS Features) (Headend, Local, Regional) PSTN Media Gateway Signaling Gateway Call Management Server HFC access network (J.112) MTA Embedded MTA CMTS HFC access network (J.112) Cable Modem MTA Embedded MTA CMTS Media Gateway Controller OSS Back Office Media Servers Announcement Servers Conference Mixing Bridges... Billing Provisioning Problem Resolution DHCP Servers TFTP Servers Key Distribution Center (KDC) Cable Modem

IPCablecom : What Equipment? Home: –Embedded Multimedia Terminal Adapter (MTA) -- cable modem with RJ-11 jacks Headend: –Cable Modem Termination System (CMTS): J.112 AN –IPCablecom Servers: Call Management Server (CMS), Record Keeping Server (RKS), Device Provisioning Server, Key Distribution Center (KDC) –Gateways: To link IP calls to backbone or PSTN

And now the security…

Why do we need security? Threats to the IPCablecom Network –Threats exist because: Shared network Access in the users home Valued functionality –Types of threats: Network attacks Theft of service Eavesdropping Denial of Service

Security Services provided by J.112 Baseline Privacy Interface + (BPI+) –Privacy between the Cable Modem and CMTS DES encryption –Protection from theft of Service Authentication of Cable Modems via X.509 digital certificates –Enable secure code download to the Cable Modem Authentication of Cable Modem software image via X.509 Code Verification Certificate

BPI+ Applicability to IPCablecom Embedded MTAs rely on Cable Modem for secure code download Privacy of J.112 QoS messages prevents some denial of service attacks Theft of Service protection doesn’t apply: –CPEs behind a CM are not authenticated –IP Telephony servers also not authenticated Additional security at application layer is needed to protect IPCablecom services

IPCablecom Security Objectives End-to-end secure communication –Must be at least as secure as PSTN networks Protection for the user –Ensure privacy of media sessions Protection for the operator –Combat theft-of-service –Protect infrastructure Comprehensive plan –Who/What needs to protect and why? –When/Why do we protect this information? –How will we incorporate security?

IPCablecom Security Objectives Use open standards whenever possible Conduct a risk assessment Provide a reasonable level of security Specify Interface security –No device or operator network security Assume operators must have reasonable network management security policy Require J.112 networks with BPI+ enabled

IPCablecom Security Architecture

Security Mechanisms Kerberos –Centralized network authentication via a Key Distribution Center (KDC) –Public Key Initialization (PKINIT) Digital Certificates are used to authenticate the MTA to the KDC and KDC to MTA –Key Management Allows MTAs and CMSs to agree on cryptographic keys for secure communications

Security Mechanisms IPsec –IP-layer security protocol (IETF standard) –Encapsulating Security Payload (ESP) Transport mode for end-to-end security Privacy/authentication/integrity of payload –3DES, HMAC SHA1 or HMAC MD5 –Initial Authentication & Key Management provided by: Kerberos+PKINIT for MTAs Internet Key Exchange (IKE) with pre-shared keys for infrastructure components (CMS, CMTS, RKS, Gateways)

Security Mechanisms SNMPv3 security –SNMPv3 is used to monitor & manage MTAs –Initial Authentication & Key Management Kerberos+PKINIT –Message Authentication & Integrity HMAC MD5 algorithm –Privacy (optional) DES algorithm

Security Mechanisms Call Signaling Security –NCS, TCAP/IP, ISTP, and TGCP Protocols –Protocol security provided by IPsec –Mix of authentication & key management technologies: IKE with pre-shared keys for servers –Default for IPsec, comes bundled with off- the-shelf implementations Kerberos+PKINIT for MTAs –Needed to address scalability issues on the CMS-MTA interface

Security Mechanisms RTP/RTCP (Media Stream) –Initial Authentication Each end-point (MTA or MG) authenticated by the Call Management Server –Key Management Via IPsec-secured Network-based Call Signaling (NCS) –Privacy Advanced Encryption Standard (AES) –Authentication & Integrity (optional) MMH (Multilinear Modular Hash)

Key Distribution Center (KDC) The only standalone security component in IPCablecom Acts as a trusted third-party authentication service Implements: –Kerberos version 5 –PKINIT w/X.509 digital certificates

Multimedia Terminal Adapter X.509 Digital Certificates for authentication –IP Telephony Root CA Certificate –MTA Manufacturer CA Certificate –MTA Device Certificate MTA Private Key FIPS Cryptographic Module –Level 1 required (minimal physical security) –Additional physical security recommended for higher value services Random Number Generator AES, MMH, IPsec, Kerberos+PKINIT Embedded J.112 CM with BPI+

Device Provisioning Server Authentication & Key Management –Kerberos+PKINIT authentication Integrity & Privacy –SNMPv3 security Authentication –HMAC MD5 Privacy (optional) –DES

PSTN Gateways Media Gateway Controller (MGC) –IPsec,IKE w/pre-shared keys for call signaling Media Gateway (MG) –AES, MMH for media stream –IPsec, IKE w/pre-shared keys for call signaling Signaling Gateway (SG) –IPsec, IKE w/pre-shared keys for call signaling

Other Components Cable Modem Termination System (CMTS) –J.112 Access Node (AN) w/BPI+ –IPsec w/pre-shared keys and RADIUS authentication for QoS interface with CMS Call Management Server (CMS) –IPsec w/pre-shared keys –IPsec w/Kerberized Key Management for MTAs Record Keeping Server (RKS) –IPsec w/pre-shared keys for billing events

On-Net to Off-Net Media Path PSTN Cable Modem MTA Media Gateway Hi Mom. How are you today? HmDMSmB7HTKgEwLE3aSmttcBY AizqPicdTZKyXxVp7A4GxaPw/BH7 kwYtuKxEr3nPS70i15nB+z7miTw2 TXwrc+pYGO+FNvIScRQIrlaOqwY UMLF+5LjagzZSlbX8rrw+Y2uE21Y ZJxIirVuTX/tZI9af16nz75VcF5x0N4 YRAjtjwpo3GW0CK+B4ihcg/6 MTA Encrypts MG Decrypts Hi Mom. How are you today? CMTS RTP / RTCP AES, MMH

Summary IPCablecom provides QoS-enhanced secure communications Security is a major component and is integrated into the architecture A range of security protocols and services are used IPCablecom security architecture is fully defined in the J.170 recommendation

For More Information… Eric Rosenfeld CableLabs PacketCable Security Architect Sasha Medvinsky Motorola Senior Staff Engineer Simon Kang Motorola International Regulatory and Standards Specialist

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.