Presentation is loading. Please wait.

Presentation is loading. Please wait.

May 23, 2006 Columbia Verizon Research Security: SIP Application Layer Gateway Eilon Yardeni Columbia University Gaston Ormazabal Verizon Labs.

Similar presentations


Presentation on theme: "May 23, 2006 Columbia Verizon Research Security: SIP Application Layer Gateway Eilon Yardeni Columbia University Gaston Ormazabal Verizon Labs."— Presentation transcript:

1 May 23, 2006 Columbia Verizon Research Security: SIP Application Layer Gateway Eilon Yardeni Columbia University Gaston Ormazabal Verizon Labs

2 2 May 23, 2006 Agenda Team Project Overview –Background  What is the Problem –Goals Technical Overview –Hardware Platform –Software Developed at Columbia –Integrated Testing and Analysis Tool –Large Scale Testing Environment Conclusions

3 3 May 23, 2006 Team Verizon Stu Elby, VP Architecture Jim Sylvester, VP Systems Integration and Testing –Gaston OrmazabalColumbia Prof. Henning Schulzrinne –Jonathan Lennox –Kundan Singh –Eilon Yardeni

4 4 May 23, 2006 Background Columbia likes to work in real life problems and analyze large data sets with the goal of improving generic architectures and testing methodologies Columbia has world-renowned expertise in SIP Verizon needs to solve a perimeter protection problem for security of VoIP Services –Protocol Aware Application Layer Gateway Verizon needs to build a high powered test tool to verify performance and scalability of these security solutions at carrier class rates –Security and Performance are a zero sum game

5 5 May 23, 2006 What is Dynamic Pinhole Filtering SIP calls are stateful RTP media ports are negotiated during signaling, assigned dynamically, and taken down SIP signaling is done over a static port:5060 –INVITE message contains an SDP message indicating the caller’s incoming media port (e.g., 43564 ) –Response 200OK has SDP with the callee’s incoming media port Each port creates a pinhole in firewall Pinholes are kept open only until a BYE message signals closing of both pinholes Firewall must keep a state table with all active pinholes to check if an arriving RTP packet can enter through an open pinhole, otherwise drop packet

6 6 May 23, 2006 SIP/2.0 200 OK From: c=IN IP4 128.59.19.162 m=audio 56432 RTP/AVP 0 INVITE sip:user1@proxy.com From: c=IN IP4 128.59.19.163 m=audio 43564 RTP/AVP 0 Example of Dynamic Pinhole Filtering CAM Table SIPUA User2 SIPUA User1 128.59.19.163:43564 128.59.19.163:56432

7 7 May 23, 2006 Project Goals Program SIP based dynamic pinhole filtering in a parallel processing hardware platform Build an integrated testing and analysis tool that will validate functionality and performance of above device at carrier-class rates –Tool will provide automation of testing (script based) Apply testing tool to evaluate several Session Border Controllers on behalf of Verizon Perform comparative analysis of architectural models and develop architectural improvements Generalize testing methodology

8 8 May 23, 2006 Applicability to Columbia Hands on experience with SIP Application Layer Gateways –Experience some SIP security related challenges –Experiment with carrier class traffic and scale models Hands on experience with a state-of-the-art programmable packet processing hardware Enhance Columbia’s SIP Proxy with Firewall Control Proxy capabilities Formalize security benchmarking methodology for SIP ALGs

9 9 May 23, 2006 Applicability to Verizon Verizon needs this functionality to perform at high rates for use: –In the protection of highly valued network assets  Session Border Controllers for Packet Telephony –In the provision of security services to Enterprise customers for revenue  VADS (SIP Application Layer Gateway) Verizon needs to verify in the lab the performance and scalability of this technology prior to introduction in the network

10 10 May 23, 2006 CS-2000 Physical Architecture Deep Packet Processing Module (DPPM)  Executes Network Application Inspecting and Controlling Packet Data  Real-Time Silicon Database (128 bits wide X 512K long) and Unstructured Packet Processing  CAM technology  Single or Dual DPPM Configurations for HA, Performance or Multiple Use  Physical Connectivity: Gigabit Ethernet and OC-3/OC-12/OC-48 POS Application Server Module (ASM)  Hardened Linux Infrastructure  Hosts Analysis Applications  Network Element Management (Web, CLI, SNMP, ODBC)  Mandatory Access Control Auxiliary Slots Future use for  HDD Module  Telemetry Inputs/Outputs  Optical Bypass/HA Module

11 11 May 23, 2006 CloudShield Application Platform Applications written in RAVE and “pushed” to DPPM Dynamic Pinhole Implementation –RAVE based  Complex logic such as SIP call processing is difficult to implement in Regular Expressions (Regex)  Support only a “thin” SIP functionality –SIP Proxy controlling the DPPM (Midcom-like solution)  Introduce SIP Proxy - DDPM data exchange problem  Solved by using a Firewall Control Protocol Columbia developed a breakthrough solution that allowed to use SIP Proxy with performance equal to the “thin” SIP-RAVE –Maximized the use of RAVE –Use full SIP proxy functionality

12 12 May 23, 2006 CS-2000 System with Dual DPPMs 10/100/100010/100 E1E1 E2E2 Backplane F0F0 C3C3 C4C4 Gigabit Ethernet Interconnects D0D0 D1D1 E1E1 E2E2 F0F0 C3C3 C4C4 D0D0 D1D1 3 4 P0P0 P0P0 System Level Port Distribution Application Server Module Pentium 1GHz 1000 DPPM Intel IXP 2800 DPPM Intel IXP 2800 012 ASM

13 13 May 23, 2006 Columbia Developed Modules Software Modules Static Filtering –Filtering of pre-defined ports (e.g., SIP, ssh) Dynamic Filtering –Filtering of dynamically opened ports (e.g., RTP) Switching Layer –Perform switching between the input ports Firewall Control Module –Intercept SIP call setup messages –Get RTP ports from the SDP –Maintain call state Firewall Control Protocol –The way the Firewall Control Module talks with the CloudShield –Push dynamic table updates to the data plane –Could be used by multiple SIP Proxies that control one or more CloudShield firewalls Programmed in RAVE Executed in the DPPM Part of SIP-proxy Executed in the Linux Control plane

14 14 May 23, 2006 Columbia Modules Diagram Control Messages Proxy CPOS Inbound CAM Dynamic Table Outbound Static Table Drop LookupSwitch SIP FCP/UDP Firewall Control Module Linux server sipd

15 15 May 23, 2006 Integrated Testing and Analysis Tool Intelligent Integrated End Point Tool Components SIPUA Test Suite –Loader –Handler Scanning Probes –nmap Automated Script based Control Software Timing Devices Data Analysis Module –Analyze handler’s file for initial and teardown call delays, –Number of packets dropped before pinhole opening –Number of packets crossing after pinhole closing –Scan results for pinhole coverage Protocol Analyzer –SNORT Graphical Displays

16 16 May 23, 2006 Integrated Intelligent End Point SUT 4 IIEP Traffic Analyzer Media Port Scanning/Probing Traffic Traffic Passed through Pinholes TrustedUntrusted Control and Analysis Signaling and Media Generation SIPUA Handler SIPUA Loader Signaling and Media Generation Port Scanning Probes Timing Synchronization SNORT IIEP Traffic Generator

17 17 May 23, 2006 SIPUA Methodology Loader/Handler –Establishes calls using SIP –Sends 160 byte RTP packets every 20ms  Settable to shorter interval if needed for granularity –Starts RTP sequence numbers from zero –Dumps call number, sequence number, current timestamp and port numbers to a file

18 18 May 23, 2006 SIPUA Traffic Generator SIP Proxy SIPUA Loader SIPUA Handler accept call=1 accept call=2 accept call=3 accept call=4 SIP Proxy invite sip:user1@cloudshield

19 19 May 23, 2006 Large Scale Integrated Testing and Analysis Environment Pair of Intelligent Integrated End Points –Generate traffic for detailed analysis External Traffic Generator –Supplies external stress on SUT –SIPUA in Array Form supplies traffic from an array of 6 computer pairs Controller –Automated Script based Control Software –Connects to the External Traffic Generation and the IIEP over ssh –Invokes traffic generation –Gathers, analyzes and correlates results –Analyzes handler/loader’s files for initial and teardown call delays –Matches port scanning results with handler’s file

20 20 May 23, 2006 Testbed Architecture GigE Switch Loader IIEP SIP Proxy Handler IIEP External Loaders (SIPUA) External Handlers (SIPUA) Controller

21 21 May 23, 2006 Problem Definition Problem parameterized along two independent vectors –Call Rate (calls/sec)  Related to performance of SIP Proxy in Pentium –Concurrent Calls  Related to performance of table lookup in IXP 2800

22 22 May 23, 2006 Testing And Analysis Methodology Generate external load on the firewall –SIPUA Loader/Handler in external load mode –Generates thousands of concurrent RTP sessions –For 30K concurrent calls have 120K open pinholes –CAM table length is 120K entries  Search algorithm finds match in one cycle When external load is established, run the IIEP analysis –SIPUA Loader/Handler in internal load mode –Port scanning and Protocol analyzer –Increment calls/sec rate Measure pinhole opening and closing delays –Opening delay data provided in units of 20 ms packets –Closing delay data provided in units of 10 ms packets Detect pinholes extraneously open

23 23 May 23, 2006 Data Results

24 24 May 23, 2006 Data Results (2)

25 25 May 23, 2006 Benefits to Verizon and Columbia Technology Transfer to Verizon Labs –Set up a replica of Columbia testbed in Silver Spring VoIP lab for rapid SBC evaluation Licensing Agreement with CloudShield –Currently negotiating a Royalty Agreement to take technology to market Intellectual Property –Patents and Publications

26 26 May 23, 2006 Technology Transfer Silver Spring VoIP Lab testbed –Have 12 computer in parallel running SIPUA, SNORT, nmap, protocol analyzers –Set up Controller software –Interoperability testing with local SIP proxy (Broadsoft) –SIPUA can be used for other SIP performance testing with modifications

27 27 May 23, 2006 Intellectual Property Pending Patent Applications –“Fine Granularity Scalability and Performance of SIP Aware Border Gateways: Methodology and Architecture for Measurements”  Inventors: Henning Schulzrinne, Kundan Singh, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon) –“Architectural Design of a High Performance SIP-aware Application Layer Gateway”  Inventors: Henning Schulzrinne, Jonathan Lennox, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon) Paper submitted to MASCOTS 2006 – “Large Scale SIP-aware Application Layer Firewall”.  Authors: Henning Schulzrinne, Eilon Yardeni (Columbia), Gaston Ormazabal (Verizon)

28 28 May 23, 2006 Conclusions Have implemented for the first time a SIP ALG that scales up to 30K concurrent calls with 300 calls/sec –This performance should satisfy Verizon “carrier-class” requirements at a reasonable cost Have proved hypothesis that cpu exhaustion will limit scalability because of degradation in performance Have constructed a SIP Proxy based model that will permit modularization, –Hence increasing scalability of future architectures Have built a one of a kind high-powered “black box” testing environment –Will permit Verizon verify this technology for other vendors

29 May 23, 2006 Back up slides

30 30 May 23, 2006 Verizon Future Security Architecture Call Server Network Unsecure signaling protocol ACL-secured signaling protocol Media traffic H.248 MPCP H.248 SIP Shielded CallP VLAN Verizon Packet Telephony Access/Aggregation Network MG9K PVG CPE/Enterprise Network NGSS PP8600 Pkt Filtering Media Proxy Media Proxy GWC CISCO 6509 MS20x0 CPE/Enterprise Network Public Internet Juniper M40


Download ppt "May 23, 2006 Columbia Verizon Research Security: SIP Application Layer Gateway Eilon Yardeni Columbia University Gaston Ormazabal Verizon Labs."

Similar presentations


Ads by Google