Carrier VoIP Security: Threats and Defenses

1 Carrier VoIP Security: Threats and Defenses. 2 Agenda Security Philosophy VoIP Basics (IETF SIP-based) VoIP Threats Fundamental VoIP Security Mechanisms


Carrier VoIP Security: Threats and Defenses


Agenda

• Security Philosophy
• VoIP Basics (IETF SIP-based)
• VoIP Threats
• Fundamental VoIP Security Mechanisms and Tasks
• Enhanced VoIP Security – Session Border Control
• Enhanced VoIP Security – Application Layer Firewall


21st Century Security Philosophy

• Security must be layered, i.e. defenses in depth.

• Perimeter hardening, like physical measures, is just a first step.

• All network elements must be hardened as "defensive strong points" in their own right.

• Deploy multiple security technologies.

• Deployed assets MUST have integrated security capabilities that support end-to-end protection.

• NO clear-text passwords, use secure protocols.

• NO networking link is trustable anywhere!


Common Services Infrastructure

[Diagram: SIP-based VoIP architecture. Labelled elements: PSTN / SS7, circuit switch, POTS phones, trunk gateways, softswitch / SIP SS7 gateways, softswitch servers, SIP-based voice mail, TDM-based voice mail, ALF / SBC, ILEC LATA IP network, Internet, FiOS Customers A and B, FiOS nomadic Customer C, BYOBB.]


VoIP Threat Taxonomy


SIP and VoIP Security Concerns

• VoIP Denial of Service
• IP Phone Provisioning / Credentialing
• Caller ID Spoofing
• VoIP Theft of Service
• SIP Registration Hijacking
• SIP Proxy Impersonation
• SIP and RTP message tampering / injection
• SIP to SS7 Signaling Conversion
• IP-Based Voicemail Fraud
• E911 Availability
• CALEA / Law Enforcement
• Oh yes, and that issue with NAT


VoIP Security – Minimum Defenses

• Use SIP Digest Authentication
  • Drawn from HTTP MD5 Digest Authentication per RFC 2617
  • Server sends a nonce to client which client hashes with shared secret
  • This digest is sent back to server for verification and authentication
  • It provides a way to verify a user’s (claimed) identity without having to send passwords or secrets “in the clear”.
  • It makes it difficult for an intruder to tamper with a user’s service by “replaying” portions of previous messages. (Replay prevention)
  • It supports an optional capability for ensuring that a SIP message has not been altered. (Message integrity)


VoIP Security – Minimum Defenses

The Inputs for Digest Authentication

These inputs are sent to the client by the server in the 401 or 407 challenging response:

• nonce = a random string
• realm = hostname/domain defining the server
• qop = quality of protection; can be “auth” or “auth-int” (w/ integrity)
• opaque = server generated string; no well-defined use

These are inputs provided by the client:

• nc-value = nonce count; used in preventing replay
• cnonce = client generated nonce; used to prevent chosen plaintext attacks, provide some mutual authentication and integrity.
• method = SIP method (i.e., INVITE, SUBSCRIBE, NOTIFY, …)
• username
• password


VoIP Security – Minimum Defenses

After being challenged and receiving the server inputs (with a specified qop), the client performs one of the following calculations, where H(x) is the hash of x:

When qop = “auth”

H( H(username:realm:password):nonce:nc-value:cnonce:qop:H(method:URI of called party) )

When qop = “auth-int”

H( H(username:realm:password):nonce:nc-value:cnonce:qop:H(method:URI of called party:H(entity-body)) )


VoIP Security – Minimum Defenses

The security is weakened if the nonces are cached for more than a brief period.

The security can be enhanced by making use of the nonce-count and the next-nonce values.

• nonce-count = # of times a nonce has been used including the current request
• next-nonce = the nonce that the server sends for a client to use in next request

The next-nonce mechanism has a negative impact on signaling performance for pipelined requests.

The nonce-count provides some good replay security without the performance hit of next-nonce.

Don’t be a Cache Cow
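
An added example, not part of the original slides: the two qop calculations and the nonce-count replay check in Python, using MD5 as in RFC 2617. The `DigestVerifier` class, its result strings and the 30-second nonce lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

def H(text):
    """H(x) from the slides: MD5 hex digest, as in RFC 2617."""
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, nonce, nc, cnonce, qop,
                    method, uri, body=""):
    """Client calculation for qop 'auth' or 'auth-int'."""
    ha1 = H(f"{user}:{realm}:{password}")
    if qop == "auth":
        ha2 = H(f"{method}:{uri}")
    elif qop == "auth-int":
        ha2 = H(f"{method}:{uri}:{H(body)}")   # binds the entity-body
    else:
        raise ValueError("unsupported qop")
    return H(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Hypothetical server side: short-lived nonces plus nonce-count check."""
    def __init__(self, realm, passwords, lifetime=30.0, clock=time.monotonic):
        self.realm, self.passwords = realm, passwords
        self.lifetime, self.clock = lifetime, clock
        self.nonces = {}          # nonce -> [issued_at, highest nc accepted]

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [self.clock(), 0]
        return {"realm": self.realm, "nonce": nonce, "qop": "auth,auth-int"}

    def verify(self, r):
        """r: the client's Authorization fields plus method and body."""
        state = self.nonces.get(r["nonce"])
        if state is None:
            return "unknown-nonce"
        if self.clock() - state[0] > self.lifetime:
            del self.nonces[r["nonce"]]      # expire instead of caching
            return "stale-nonce"
        password = self.passwords.get(r["username"])
        if password is None or r["qop"] not in ("auth", "auth-int"):
            return "bad-digest"
        expected = digest_response(r["username"], self.realm, password,
            r["nonce"], r["nc"], r["cnonce"], r["qop"], r["method"],
            r["uri"], r.get("body", ""))
        if not hmac.compare_digest(expected, r["response"]):
            return "bad-digest"
        if int(r["nc"], 16) <= state[1]:     # nc must strictly increase
            return "replay"
        state[1] = int(r["nc"], 16)
        return "ok"
```

The digest is checked before the nonce-count is committed, so a request with a wrong digest cannot advance the counter for the legitimate client.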


VoIP Security – Minimum Defenses

SIP Digest Authentication

[Call-flow diagram between Alice, Proxy and Bob. Messages shown: INVITE; 407 Proxy Authentication Required; ACK; INVITE (with the digested credentials), forwarded as INVITE; 180 Ringing; 200 OK; ACK; Media Session; BYE; 200 OK.]


VoIP Security – Minimum Defenses

• Use encryption when provisioning IP phones
• Harden Softswitch (usually multiple servers)
• Enable rate / session limits within Switch Application
• Run IPSec on SIP inter-carrier peering
• Lock down DNS (Lots to do)
• Vulnerability scanning
• Don’t you dare “trust” your management network
• Identify relevant inputs to a Fraud Analysis process


Enhanced VoIP Security – SBCs

Using Session Border Controllers

• SIP layer and RTP alternate routing
• Inbound / Outbound SIP Proxy
• Call Admission Control
• RTP firewall pinhole management
• SIP layer rewriting for NAT Traversal
• SIP layer rewriting for topology hiding
• SIP Call State awareness for optimizing softswitch assets
• Point of collection for CALEA / LI targets


VoIP Security – Robustness Testing

• SIP is both simple and quite complex
  • Format borrows heavily from HTTP and is easy to read
  • Session state awareness and protocol timers are complex
• SIP Robustness test tools are available
  • Protos, Codenomicon, SIP Bomber, PacketCrafter
  • Essentially a Protocol Stresser and Reliability Tester
• Several SIP network elements were crashed
• Some SIP stacks are poorly built
  • No input validation, poor memory management, …
• Gosh, maybe we need a SIP Application Layer Firewall


Enhanced VoIP Security – SIP ALF

• ALF = Application Layer Firewall
• In VoIP context - the ALF is really a SIP Intrusion Prevention System
• Selling management on the additional expense
  • Show and Tell
  • Demonstrated SBCs and Softswitches crashing
  • Avoiding exposures due to the risks
• Next generation direction is to combine SBC and ALF functions in one device to gain economies


Lessons Learned


Industry Challenges:

• Service Providers:
  • Collaborate on accumulating security related actuarial information
• Standards Bodies:
  • ANSI/ITU developed architectural security framework
  • Technology standards groups follow ANSI/ITU framework and leverage existing standard technologies (IPsec, PKI)
  • Accommodate today's reality (NAT, Firewalls, untrusted networks)
• Vendor Community:
  • Consider current best practices (e.g. RFCs 2196, 2504, 3365)
  • Build on standards (IPsec, PKI, NIST Common Criteria, ATIS, ITU-T, ISO)
  • Support future needs (IPsec, IPv4 to IPv6 migration, PKI)
  • Adjust product plans to today's security realities (NAT is a fact and everywhere, NO network segments can be assumed trustable)


In Conclusion

• Verizon is addressing today's very real threats.

• Standards organizations must address carrier class security issues and architectures.

• The vendor community needs to produce equipment & software that meet Verizon's security objectives.

• Our customers and peer carriers need to work with us to mitigate security risks.


Questions?