1 Sipera Systems, Proprietary & Confidential
IMS Security and Protection
Micaela Giuhat, VP Product Management
Sipera Systems, email: [email protected]
Slide 2: Outline
• Open system security
• VoIP security requirements
• Industry approach and strategies
• IMS security requirements
• IMS vulnerabilities
• Attack examples
• Solution
• Summary
Slide 3: Open Systems can be attacked
• Denial of Service Attacks
• Viruses
• SPYware
• Blended Attacks
• E-mail SPAM
[Diagram: "Bad Guys" on the Internet reaching the external web servers, internal web servers, e-mail servers and the core network. Caption: the traditional voice network is a closed system vs. the Internet, which is open.]
Slide 4: The Internet Security Industry
Applications protected:
• Web Apps
• E-mail
• Database
[Diagram: Internet, external web servers, internal web servers, e-mail servers and the core network, protected by a Firewall, IDS, IPS, SPAM Filter and Network Security Logs Correlation.]
But… problems still persist.
Slide 5: Enter VoIP
[Diagram: the same network as slide 4 (Firewall, IDS, IPS, SPAM Filter, Network Security Logs Correlation), with Communication Servers added next to the web and e-mail servers.]
VoIP is different …
• Real time
• Peer-to-peer
• Protocol rich
• Complex state machine (several dozen states)
• Feature rich (several hundred services)
• Separate signaling & media planes
• Low tolerance to false positives & negatives
Slide 6: Current Industry Approach
[Diagram: the same network as slide 5 (Firewall, IDS, IPS, SPAM Filter, Network Security Logs Correlation, Communication Servers, core network).]
Current industry thinking is to add VoIP sensibilities to all the existing security boxes, although nothing is actually available yet …
Approach is unworkable:
1. Not real time
2. Cannot handle encrypted traffic
3. Can't keep up with new feature addition
Slide 7: Current Strategies
• Hard to manage
• Will not meet performance specifications
• Does not address multi-vendor
• Cannot keep up with new features
• Not available yet
[Diagram: point products placed around the core switch and PSTN gateway, each with its function and the limitation noted on the slide:]
• Security Agent: protects against Windows OS vulnerabilities
• FW/ALG: opens pinholes; the ALG is vulnerable
• Certs: authentication and encryption; cannot stop spoofed caller IDs
• Guard: scrubs IP DoS/DDoS traffic
• IDS/IPS: VoIP traffic analysis, signature/anomaly filtering; limited signatures, may block good calls
• Event correlation and remediation
Slide 8: Desired Approach
Integrated, real time VoIP security solution that comprehensively tackles all VoIP vulnerabilities, both Enterprise & Carrier
[Diagram: the same network as slide 5, with the Firewall, IDS, IPS, SPAM Filter and Network Security Logs Correlation in front of the web and e-mail servers and a separate IP Communications Security (IPCS) Solution in front of the Communication Servers.]
Slide 9: Tolerance for False Negatives: Email vs. Voice
Email: Security Device -> Email Server (store, analyze, forward in near-real time)
• Email delivery mode: e-mail may not be extracted immediately; can be deleted fairly easily; low annoyance level
• False negative: low volume email attack
Voice: Security Device -> Call Server (analyze, forward in real time)
• Call delivery mode: call delivered in real time; phone rings constantly; high annoyance level
• False negative: low volume voice attack
Slide 10: Typical Solution vs. Desired Solution
Typical solution: separate boxes, each labelled for OS, IP, Web and database traffic, with VoIP as a separate add-on to each:
• Anti-SPAM
• Firewall
• Intrusion Prevention System
• Denial of Service Prevention
• Network Level Correlation
• Intrusion Detection System
Desired solution: a comprehensive, integrated security solution for communications applications (VoIP, IM, Video, Multi-Media)
Slide 11: Comprehensive IMS Security System
• A Comprehensive IMS Security System must:
  – Prevent unauthorized usage
  – Protect end-user privacy
  – Protect IMS infrastructure from attacks
  – Protect end-users from attacks
  – Handle voice SPAM
Slide 12: Security Aspects addressed in IMS
Vulnerability | Protection technique | Status
Unauthorized use | Authentication (SIM) | Well defined by 3GPP, addressed by core IMS infrastructure: SIM, HSS, AAA, PDG
Privacy | Encryption (IPSec, TLS) | Well defined by 3GPP, addressed by core IMS infrastructure: SIM, HSS, AAA, PDG
Attacks on infrastructure; attacks on end-users | IMS Aware Firewall (policy based filters: URL/IMSI/MSISDN/AP/IP white/black lists, etc.); IMS Intrusion Prevention (call stateful deep packet inspection (IMS decode), behavioral learning (fingerprinting), protocol fuzzing prevention, media filtering, etc.) | Not addressed
IMS SPAM | IMS SPAM Filter (user control, behavioral learning (call patterns, trust scores), machine call detection, etc.) | Not addressed
IMS Network Level Security Management (event correlation, network threat protection): not addressed.
Slide 13: Security Aspects addressed in IMS (IP traffic characteristics)
Web, Database (covered by existing Internet security solutions):
• Non-real time
• Client-server
• TCP/UDP/ICMP/FTP/HTTP/SQL aware
VoIP, IMS, IP TV (not addressed):
• Real time
• Peer-peer
• IMS/SIP/H.248/RTP/MPEG aware
• Call state & service aware
• User & traffic behavioral learning
Slide 14: IMS reference architecture
[Diagram: 3GPP IMS reference architecture over the IP transport (access and core). Elements: UE, GGSN, P-CSCF, I-CSCF, S-CSCF, SLF, HSS, AS, BGCF, MGCF, MRFC, MRFP, MGW, Charging Functions, PSTN. Reference points: Mw, Mr, Mg, Mj, Mi, Mp, Mn, Gq, ISC, Cx, Dx, Dh, Sh, Rf/Ro. Protocols: SIP, DIAMETER, H.248.]
Slide 15: IMS Vulnerabilities
• IMS & SIP enable a rich feature set of Converged Services … but also open up the network to IP based vulnerabilities
• IMS & SIP vulnerabilities include:
  • OS level vulnerabilities (well known in the data world)
  • IP Layer 3 vulnerabilities (well known in the data world)
  • IMS Framework related vulnerabilities
  • SIP/RTP/H.248/etc. protocol vulnerabilities
  • VoIP/Video/PoC/etc. Application vulnerabilities
  • VoIP SPAM
The last four are new, unique and real time sensitive application level vulnerabilities.
[Diagram: IMS core elements exposed to these vulnerabilities: P/S/I-CSCF, SLF, PDF, IBCF, IWF (SIP server / call server); MGCF, MRFC, BGCF, SGF; MGW, MRFP, T-MGF (media gateway); HSS, application servers, charging; IP-IP gateway (A-BGF, I-BGF).]
Slide 16: IMS Architecture Vulnerabilities: Some Examples
• Compromised mobile phones
  – Zombie hard/soft phones
  – Modified phone with malicious intent
• Malicious/Malformed/Spoofed signaling attacks
• Malicious/Malformed/Spoofed media attacks
• Spoofed IMS Emergency session attacks
• Presence update attacks
• Initiating Conferencing to block the network resources
• UE having direct access to the IMS core network
  – Charging fraud: signaling directly to the S-CSCF to avoid charging
• Misconfigured/partially configured UEs and/or Network elements
• Non-GPRS access such as WLAN or BB can be attacked directly from the internet without a subscription
• SPAM
Slide 17: IMS Application Level Attacks
[Diagram: zombie attackers, human attackers and spammers sending spoofed packets at the MMD core (SIP server / call server, media gateway, HSS, application servers, charging, IP-IP gateway). Both network and subscribers can be attacked.]
Attack types:
• Flood Denial of Service
  – Signaling
  – Media
• Distributed DoS
• Stealth DoS
• Target individual or group of users
• Blended attacks
  – Recruit zombies and use them to launch an attack
• SPAM
  – SPAM over Internet Telephony (SPIT)
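As an added example, not code from this presentation or from Sipera Systems, the Python below sketches how the protection techniques of slide 12 (policy white/black lists, rejection of malformed signaling, behavioral call-pattern filtering) can be applied to the attack types of slide 17 (INVITE flood DoS and SPIT) on the defender's side. It parses SIP INVITE requests, drops anything malformed, applies a deny list and an allowed-domain list, then keeps a sliding window per source for flood detection and per caller for fan-out (SPIT-like) detection. Every message, identity, domain and threshold is constructed for the demo; a real deployment would key policy on IMSI/MSISDN or the asserted identity from registration rather than the From URI.

```python
import re
from collections import defaultdict, deque

# Constructed policy: deny list, allowed home domains, and windowed thresholds.
DENY_URIS = {"sip:spitbot@example.net"}
ALLOW_DOMAINS = {"ims.example.com", "example.net"}
INVITE_LIMIT_PER_WINDOW = 5   # INVITEs per source IP per window (flood DoS)
SPIT_FANOUT_LIMIT = 3         # distinct callees per caller per window (SPIT)
WINDOW_SECONDS = 10.0

REQUEST_LINE = re.compile(r"^([A-Z]+) (sip:\S+) SIP/2\.0$")


def parse_sip_request(raw):
    """Parse a SIP request into (method, request_uri, headers); ValueError if malformed."""
    lines = re.split(r"\r?\n", raw.strip())
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                      # blank line ends the headers
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    for required in ("from", "to", "call-id"):
        if required not in headers:
            raise ValueError("missing header " + required)
    return match.group(1), match.group(2), headers


def uri_in(header_value):
    """Extract the sip: URI from a From/To header value, or None if absent."""
    match = re.search(r"(sip:[^>;\s]+)", header_value)
    return match.group(1) if match else None


class ImsPolicyFilter:
    def __init__(self):
        self.invites_by_src = defaultdict(deque)     # src_ip -> (ts, None)
        self.callees_by_caller = defaultdict(deque)  # caller -> (ts, callee)

    @staticmethod
    def _prune(window, now):
        while window and window[0][0] < now - WINDOW_SECONDS:
            window.popleft()

    def check(self, src_ip, now, raw):
        """Return ("allow"|"drop", reason) for one message seen at time `now`."""
        try:
            method, _, hdrs = parse_sip_request(raw)
        except ValueError as exc:
            return ("drop", "malformed: " + str(exc))   # fuzzed/garbled signaling
        if method != "INVITE":
            return ("allow", "non-INVITE")
        caller, callee = uri_in(hdrs["from"]), uri_in(hdrs["to"])
        if caller is None or callee is None:
            return ("drop", "unparseable From/To")
        if caller in DENY_URIS:
            return ("drop", "caller on deny list")
        if caller.rsplit("@", 1)[-1] not in ALLOW_DOMAINS:
            return ("drop", "caller domain not allowed")
        window = self.invites_by_src[src_ip]          # flood DoS: rate per source
        self._prune(window, now)
        window.append((now, None))
        if len(window) > INVITE_LIMIT_PER_WINDOW:
            return ("drop", "INVITE flood from source")
        fanout = self.callees_by_caller[caller]       # SPIT: one caller, many callees
        self._prune(fanout, now)
        fanout.append((now, callee))
        if len({c for _, c in fanout}) > SPIT_FANOUT_LIMIT:
            return ("drop", "SPIT-like fan-out")
        return ("allow", "ok")


def invite(caller, callee, call_id):
    """Build a minimal constructed INVITE (demo data, not a captured message)."""
    return (f"INVITE {callee} SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 10.0.0.1;branch=z9hG4bK-demo\r\n"
            f"From: <{caller}>;tag=1\r\nTo: <{callee}>\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 INVITE\r\n\r\n")


def run_demo():
    """Feed constructed traffic through the filter and return the verdict list."""
    flt = ImsPolicyFilter()
    bob = "sip:bob@ims.example.com"
    events = [
        ("10.0.0.1", 0.0, invite("sip:alice@ims.example.com", bob, "c1")),
        ("10.0.0.2", 0.5, invite("sip:spitbot@example.net", bob, "c2")),
        ("10.0.0.3", 1.0, invite("sip:mallory@attacker.invalid", bob, "c3")),
        ("10.0.0.4", 1.5, f"INVITE {bob} SIP/2.0\r\nFrom\r\n\r\n"),   # garbled header
    ]
    # Six INVITEs from one source within the window: the sixth trips the flood check.
    events += [("10.0.0.5", 2.0 + i * 0.1, invite("sip:carol@example.net", bob, f"f{i}"))
               for i in range(6)]
    # One caller dialling four distinct users: the fourth trips the SPIT check.
    events += [("10.0.0.6", 3.0 + i * 0.1,
                invite("sip:dave@example.net", f"sip:user{i}@ims.example.com", f"s{i}"))
               for i in range(4)]
    return [flt.check(src, ts, raw) for src, ts, raw in events]
```

Calling `run_demo()` yields fourteen verdicts: the legitimate call is allowed, the deny-listed caller, the foreign domain and the garbled request are dropped, the sixth INVITE from one source is dropped as a flood while the first five pass, and the fourth distinct callee of one caller is dropped as SPIT-like. The window state is what makes the checks "call stateful" in the sense of slide 12; thresholds and window size are policy knobs, not values from the deck.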
Slide 18: IMS Vulnerability Protection System Reference Architecture
[Diagram: an IMS Vulnerability Protection System placed between the attackers (zombie attackers, human attackers, spammers) and the IMS core (SIP server / call server, media gateway, HSS, application servers, charging, IP-IP gateway).]
The IMS Vulnerability Protection System is distinct from the IMS core infrastructure.
Slide 19: Attack Summary
• An IMS network built in compliance with 3GPP or TISPAN specifications has numerous vulnerabilities
• An attack on the network could cause network-wide outages, including bringing down HSSs, App Servers, SIP servers, Call Servers, Media Gateways and IP-IP Gateways
• Attacks towards specific targeted individual users could cause them extreme annoyance and disrupt their service in insidious ways
• The Sipera Systems research team has identified over 90 distinct categories of attacks
• These attacks require hackers with varying levels of sophistication, but many attacks are possible even by so called "script kiddies"