1 Sipera Systems, Proprietary & Confidential

IMS Security and Protection

Micaela Giuhat, VP Product Management, Sipera Systems
email: [email protected]

Slide 2: Outline

• Open system security
• VoIP security requirements
• Industry approach and strategies
• IMS security requirements
• IMS vulnerabilities
• Attack examples
• Solution
• Summary

Slide 3: Open Systems can be attacked

• Denial of Service Attacks
• Viruses
• Spyware
• Blended Attacks
• E-mail SPAM

[Diagram: "bad guys" on the Internet reaching external web servers, internal web servers, e-mail servers and the core network. Caption: the traditional voice network is a closed system vs. the Internet, which is open.]

Slide 4: The Internet Security Industry

Applications protected:
• Web Apps
• E-mail
• Database

[Diagram: Internet, external web servers, internal web servers, e-mail servers and core network, fronted by a firewall, IDS, IPS, SPAM filter and network security log correlation.]

But… problems still persist.

Slide 5: Enter VoIP

[Diagram: the slide 4 architecture with communication servers added behind the same firewall/IDS/IPS/SPAM filter/log correlation stack.]

VoIP is different …
• Real time
• Peer-to-peer
• Protocol rich
• Complex state machine (several dozen states)
• Feature rich (several hundred services)
• Separate signaling & media planes
• Low tolerance to false positives & negatives

Slide 6: Current Industry Approach

Current industry thinking is to add VoIP sensibilities to all the existing security boxes, although nothing is actually available yet …

The approach is unworkable:
1. Not real time
2. Cannot handle encrypted traffic
3. Cannot keep up with the addition of new features

[Diagram: same architecture as slide 5.]

Slide 7: Current Strategies

• Hard to manage
• Will not meet performance specifications
• Does not address multi-vendor deployments
• Cannot keep up with new features
• Not available yet

[Diagram: point products placed between the core switch / PSTN gateway and the network, each with its role and the weakness noted on the slide]
• Guard: scrubs IP DoS/DDoS traffic
• Security Agent: protects against Windows OS vulnerabilities
• FW/ALG: opens pinholes for media; the ALG itself is vulnerable
• Certs: authentication and encryption; cannot stop spoofed caller IDs
• IDS/IPS: VoIP traffic analysis, signature/anomaly filtering; limited signatures, may block good calls
• Event correlation and remediation

Slide 8: Desired Approach

Integrated, real-time VoIP security solution that comprehensively tackles all VoIP vulnerabilities, both Enterprise & Carrier: the IP Communications Security (IPCS) Solution.

[Diagram: same architecture as slide 5, with the IPCS solution added alongside the existing firewall/IDS/IPS/SPAM filter/log correlation stack in front of the communication servers.]

Slide 9: Tolerance for False Negatives: Email vs Voice

Email delivery mode: store, analyze, forward in near-real time. A low-volume email attack that passes the security device as a false negative lands on the email server; the e-mail may not be read immediately and can be deleted fairly easily, so the annoyance level is low.

Call delivery mode: analyze, forward in real time. A low-volume voice attack that passes the security device as a false negative reaches the call server and is delivered in real time; the phone rings constantly, so the annoyance level is high.

Slide 10: Typical Solution vs. Desired Solution

Typical solution: separate boxes, each covering OS, IP, web, e-mail and database traffic, with VoIP bolted onto each one:
• Anti-SPAM
• Firewall
• Intrusion Prevention System
• Denial of Service Prevention
• Intrusion Detection System
• Network Level Correlation

Desired solution: a comprehensive, integrated security solution for communications applications (VoIP, IM, video, multi-media).

Slide 11: Comprehensive IMS Security System

• A comprehensive IMS security system must:
  – Prevent unauthorized usage
  – Protect end-user privacy
  – Protect IMS infrastructure from attacks
  – Protect end-users from attacks
  – Handle voice SPAM

Slide 12: Protection Techniques (Security Aspects addressed in IMS)

Unauthorized use and privacy: well defined by 3GPP and addressed by the core IMS infrastructure (SIM, HSS, AAA, PDG)
• Authentication (SIM)
• Encryption (IPsec, TLS)

Attacks on infrastructure, attacks on end-users and IMS SPAM: not addressed by the core IMS infrastructure
• IMS-aware firewall (policy-based filters: URL/IMSI/MSISDN/AP/IP white/black lists, etc.)
• IMS intrusion prevention (call-stateful deep packet inspection (IMS decode), behavioral learning (fingerprinting), protocol fuzzing prevention, media filtering, etc.)
• IMS SPAM filter (user control, behavioral learning (call patterns, trust scores), machine call detection, etc.)
• IMS network-level security management (event correlation, network threat protection)

Slide 13: IP Traffic Characteristics (Security Aspects addressed in IMS)

Web, database and e-mail (addressed by existing Internet security solutions):
• Non-real time
• Client-server
• TCP/UDP/ICMP/FTP/HTTP/SQL aware

VoIP, IMS and IP TV (not addressed):
• Real time
• Peer-to-peer
• IMS/SIP/H.248/RTP/MPEG aware
• Call state & service aware
• User & traffic behavioral learning

Slide 14: IMS reference architecture

[Diagram: 3GPP IMS reference architecture over the IP transport (access and core). Functional elements: UE, GGSN, P-CSCF, I-CSCF, S-CSCF, SLF, HSS, AS, PDF, BGCF, MGCF, MGW, MRFC, MRFP, charging functions, PSTN. Reference points: Mw, Mr, Mg, Mj, Mi, Mp, Mn, Gq, ISC, Cx, Dx, Dh, Sh, Rf/Ro. Protocol legend: SIP (Mw, Mr, Mg, Mj, Mi, ISC), DIAMETER (Cx, Dx, Dh, Sh, Rf/Ro, Gq), H.248 (Mp, Mn).]

Slide 15: IMS Vulnerabilities

• IMS & SIP enable a rich feature set of converged services … but also open up the network to IP-based vulnerabilities

• IMS & SIP vulnerabilities include:
  • OS level vulnerabilities (well known in the data world)
  • IP Layer 3 vulnerabilities (well known in the data world)
  • IMS framework related vulnerabilities
  • SIP/RTP/H.248/etc. protocol vulnerabilities
  • VoIP/Video/PoC/etc. application vulnerabilities
  • VoIP SPAM
  The last four are new, unique and real-time-sensitive application-level vulnerabilities.

[Diagram: IMS core (P/S/I-CSCF, SLF/PDF/IBCF/IWF; MGCF/MRFC/BGCF/SGF; MGW/MRFP/T-MGF) alongside the SIP server/call server, media gateway, HSS, application servers, charging, IP-IP gateway and A-BGF/I-BGF.]

Slide 16: IMS Architecture Vulnerabilities: Some Examples

• Compromised mobile phones
  – Zombie hard/soft phones
  – Modified phones with malicious intent
• Malicious/malformed/spoofed signaling attacks
• Malicious/malformed/spoofed media attacks
• Spoofed IMS emergency session attacks
• Presence update attacks
• Initiating conferences to tie up network resources
• UE having direct access to the IMS core network
  – Charging fraud: signaling directly to the S-CSCF, bypassing the P-CSCF, to avoid charging
• Misconfigured/partially configured UEs and/or network elements
• Non-GPRS access such as WLAN or broadband can be attacked directly from the Internet without a subscription
• SPAM
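The following is an added example, not code from the original deck or from Sipera's product. It sketches two of the techniques listed on slide 12 (protocol fuzzing prevention through strict parsing of mandatory headers and Content-Length, and policy-based identity block lists) together with a path check for the slide 16 charging-fraud case, where a UE signals straight to the S-CSCF. The trusted P-CSCF addresses, the blocked MSISDN-style URI, the subscriber identities and the INVITE messages are all constructed for the example; the parser is deliberately minimal (no header folding, no compact forms, no IPv6 Via hosts) so the checks stay readable.

```python
"""Minimal IMS-aware SIP request inspection (added example; hypothetical policy data)."""
import re

# Constructed policy data for the example; real deployments load these from the HSS/provisioning.
TRUSTED_PCSCF = {"pcscf1.ims.example.net", "10.0.0.5"}           # hypothetical P-CSCF addresses
BLOCKED_IDENTITIES = {"sip:+15551230000@ims.example.net"}        # MSISDN-style URI on a block list
MANDATORY_HEADERS = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")  # RFC 3261 section 8.1.1
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")


def parse_sip(raw):
    """Split a SIP request into (method, request_uri, headers, body).

    headers maps lower-cased names to a list of values. Header folding and compact
    header forms are not handled; anything that does not parse raises ValueError.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("bad header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), m.group(2), headers, body


def inspect(raw, trusted_pcscf=TRUSTED_PCSCF, blocked=BLOCKED_IDENTITIES):
    """Return ("allow", detail) or ("drop", reason) for one SIP request seen at the S-CSCF side."""
    try:
        method, uri, headers, body = parse_sip(raw)
    except ValueError as exc:
        return "drop", "malformed: %s" % exc
    # Fuzzing prevention, part 1: every mandatory header must be present.
    missing = [h for h in MANDATORY_HEADERS if h.lower() not in headers]
    if missing:
        return "drop", "malformed: missing " + ",".join(missing)
    # Part 2: Content-Length must match the body actually carried; a mismatch desynchronises
    # stream parsers and is a classic way to smuggle a second message or trigger over-reads.
    declared = headers.get("content-length", ["0"])[0]
    if not declared.isdigit() or int(declared) != len(body.encode()):
        return "drop", "malformed: Content-Length does not match body"
    # Part 3: Max-Forwards must be a sane integer (70 is the RFC 3261 default and a common ceiling).
    max_fwd = headers["max-forwards"][0]
    if not max_fwd.isdigit() or int(max_fwd) > 70:
        return "drop", "malformed: bad Max-Forwards"
    # Policy, part 1: the request must have entered through a trusted P-CSCF. A UE that signals
    # straight to the S-CSCF (the charging-fraud case) shows its own address in the topmost Via.
    via_fields = headers["via"][0].split()
    via_host = via_fields[1].split(";")[0].split(":")[0] if len(via_fields) > 1 else ""
    if via_host not in trusted_pcscf:
        return "drop", "policy: not via a trusted P-CSCF (topmost Via host %r)" % via_host
    # Policy, part 2: block-list the asserted identity. P-Asserted-Identity is only meaningful
    # because the path check above guarantees a trusted P-CSCF inserted it.
    identity = headers.get("p-asserted-identity", headers["from"])[0]
    uri_match = re.search(r"<([^>]+)>", identity)
    identity_uri = uri_match.group(1) if uri_match else identity.split(";")[0].strip()
    if identity_uri in blocked:
        return "drop", "policy: identity %s is blocked" % identity_uri
    return "allow", "%s %s" % (method, uri)


def build_invite(via_host, caller="sip:alice@ims.example.net", content_length=None, omit=()):
    """Construct a test INVITE. content_length overrides the true length (fuzz case);
    omit drops named headers. All identities and addresses are made up for the example."""
    body = "v=0\r\ns=-\r\nm=audio 49170 RTP/AVP 0\r\n"
    headers = [
        "Via: SIP/2.0/UDP %s:5060;branch=z9hG4bK776asdhds" % via_host,
        "Max-Forwards: 70",
        "From: <%s>;tag=1928301774" % caller,
        "To: <sip:bob@ims.example.net>",
        "Call-ID: a84b4c76e66710@ue.example",
        "CSeq: 314159 INVITE",
        "P-Asserted-Identity: <%s>" % caller,
        "Content-Type: application/sdp",
        "Content-Length: %d" % (len(body) if content_length is None else content_length),
    ]
    headers = [h for h in headers if h.split(":")[0] not in omit]
    return "INVITE sip:bob@ims.example.net SIP/2.0\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body


if __name__ == "__main__":
    for label, msg in [("via P-CSCF", build_invite("10.0.0.5")),
                       ("UE direct to S-CSCF", build_invite("192.0.2.10")),
                       ("fuzzed Content-Length", build_invite("10.0.0.5", content_length=4096)),
                       ("blocked MSISDN", build_invite("10.0.0.5", caller="sip:+15551230000@ims.example.net"))]:
        print("%-22s -> %s" % (label, inspect(msg)))
```

The order of the checks matters: the malformed-message checks run first so that a fuzzed request never reaches the policy code, and the path check runs before the identity check because P-Asserted-Identity is only trustworthy once the request is known to have come through a P-CSCF that authenticated the UE.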

Slide 17: IMS Application Level Attacks

Both the network and subscribers can be attacked, by zombie attackers, human attackers, spammers and spoofed packets.

Attack types:
• Flood Denial of Service
  • Signaling
  • Media
• Distributed DoS
• Stealth DoS
  • Targets an individual or a group of users
• Blended attacks
  • Recruit zombies and use them to launch an attack
• SPAM
  • SPAM over Internet Telephony (SPIT)

[Diagram: MMD core (P/S/I-CSCF, SLF/PDF/IBCF/IWF; MGCF/MRFC/BGCF/SGF; MGW/MRFP/T-MGF) alongside the SIP server/call server, media gateway, HSS, application servers, charging, IP-IP gateway and A-BGF/I-BGF, with the attack sources on the outside.]
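An added example, not from the deck, of the behavioral learning the slide 12 SPAM filter describes (call patterns and trust scores) applied to the attack types above: it replays constructed INVITE records through sliding-window counters and raises separate alerts for a single-source flood, a distributed flood against one subscriber, a stealth DoS (low-rate calls that keep one user's phone ringing) and SPIT (high fan-out from one caller whom nobody answers). All thresholds, addresses and identities are illustrative assumptions.

```python
"""Behavioral detection of flood DoS, distributed DoS, stealth DoS and SPIT from INVITE records
(added example; thresholds and records are illustrative assumptions)."""
from collections import defaultdict, deque


class VoipBehaviorDetector:
    """Sliding-window counters keyed by source, callee, caller/callee pair and caller.

    Each observe() call feeds one INVITE attempt (a CDR-style record: time in seconds, source IP,
    caller URI, callee URI, whether it was answered) and returns the alerts it raised.
    """

    def __init__(self, flood_window=10, flood_limit=20, ddos_sources=5,
                 stealth_window=600, stealth_limit=5, spit_fanout=5, spit_trust_floor=0.2):
        self.flood_window, self.flood_limit = flood_window, flood_limit
        self.ddos_sources = ddos_sources
        self.stealth_window, self.stealth_limit = stealth_window, stealth_limit
        self.spit_fanout, self.spit_trust_floor = spit_fanout, spit_trust_floor
        self.by_src = defaultdict(deque)     # src_ip -> (t,)
        self.by_callee = defaultdict(deque)  # callee -> (t, src_ip)
        self.by_pair = defaultdict(deque)    # (caller, callee) -> (t,)
        self.by_caller = defaultdict(deque)  # caller -> (t, callee, answered)

    @staticmethod
    def _trim(window, now, width):
        """Drop entries older than the window; entries are tuples whose first item is the time."""
        while window and window[0][0] < now - width:
            window.popleft()

    def trust_score(self, caller):
        """Trust in [0, 1]: answered fraction in the window, discounted by callee fan-out.
        A caller nobody picks up who dials many distinct users looks like a SPIT bot."""
        hist = self.by_caller.get(caller)
        if not hist:
            return 1.0  # unknown callers start trusted; a real system would seed from reputation
        answered = sum(1 for _, _, a in hist if a) / len(hist)
        fanout = len({c for _, c, _ in hist})
        return round(answered / (1 + max(0, fanout - 1) / self.spit_fanout), 3)

    def observe(self, t, src_ip, caller, callee, answered):
        alerts = []
        # Flood DoS: raw INVITE rate from one source (a zombie or a flooding tool).
        src = self.by_src[src_ip]
        src.append((t,))
        self._trim(src, t, self.flood_window)
        if len(src) > self.flood_limit:
            alerts.append(("flood_dos", src_ip))
        # Distributed DoS: one target hit from many sources inside the short window, each of
        # which individually stays under the flood limit.
        tgt = self.by_callee[callee]
        tgt.append((t, src_ip))
        self._trim(tgt, t, self.flood_window)
        if len({s for _, s in tgt}) >= self.ddos_sources:
            alerts.append(("distributed_dos", callee))
        # Stealth DoS: a low-rate, long-running stream of calls to one user that never trips a
        # rate limit but keeps the phone ringing (the "extreme annoyance" case).
        pair = self.by_pair[(caller, callee)]
        pair.append((t,))
        self._trim(pair, t, self.stealth_window)
        if len(pair) >= self.stealth_limit:
            alerts.append(("stealth_dos", callee))
        # SPIT: high fan-out plus a collapsed trust score over the long window.
        hist = self.by_caller[caller]
        hist.append((t, callee, answered))
        self._trim(hist, t, self.stealth_window)
        fanout = len({c for _, c, _ in hist})
        if fanout >= self.spit_fanout and self.trust_score(caller) < self.spit_trust_floor:
            alerts.append(("spit", caller))
        return alerts


def run_scenarios():
    """Replay four constructed scenarios plus benign traffic; return ({alert: {subjects}}, detector)."""
    det = VoipBehaviorDetector()
    records = []
    # 1. Flood: one zombie at 203.0.113.7 sends 25 INVITEs in 5 s.
    records += [(i * 0.2, "203.0.113.7", "sip:z%d@evil.example" % i, "sip:bob@ims.example.net", False)
                for i in range(25)]
    # 2. Distributed DoS: six sources, one INVITE each, all aimed at carol within 6 s.
    records += [(100 + i, "198.51.100.%d" % (i + 1), "sip:bot%d@evil.example" % i,
                 "sip:carol@ims.example.net", False) for i in range(6)]
    # 3. Stealth DoS: one caller rings dave once a minute for six minutes.
    records += [(200 + 60 * i, "192.0.2.50", "sip:stalker@example.org", "sip:dave@ims.example.net", False)
                for i in range(6)]
    # 4. SPIT: one caller dials eight different subscribers in eight seconds, none answers.
    records += [(1000 + i, "192.0.2.99", "sip:spammer@example.org", "sip:user%d@ims.example.net" % i, False)
                for i in range(8)]
    # Benign: alice makes two answered calls to two people.
    records += [(2000, "192.0.2.20", "sip:alice@ims.example.net", "sip:eve@ims.example.net", True),
                (2001, "192.0.2.20", "sip:alice@ims.example.net", "sip:frank@ims.example.net", True)]
    alerts = defaultdict(set)
    for rec in records:
        for kind, subject in det.observe(*rec):
            alerts[kind].add(subject)
    return dict(alerts), det


if __name__ == "__main__":
    found, det = run_scenarios()
    for kind in sorted(found):
        print(kind, sorted(found[kind]))
    print("trust(spammer) =", det.trust_score("sip:spammer@example.org"),
          "trust(alice) =", det.trust_score("sip:alice@ims.example.net"))
```

The four detectors are deliberately keyed differently (source, callee, caller/callee pair, caller) because each attack type hides from the others' counter: a distributed flood never exceeds the per-source limit, a stealth DoS never exceeds any short-window limit, and a SPIT run is distinguished from a busy but legitimate caller only by the answered ratio, which is why the trust score rather than raw fan-out decides the alert.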

Slide 18: IMS Vulnerability Protection System Reference Architecture

The IMS Vulnerability Protection System is distinct from the IMS core infrastructure.

[Diagram: zombie attackers, human attackers and spammers on the outside; the IMS Vulnerability Protection System sits between them and the IMS core (P/S/I-CSCF, SLF/PDF/IBCF/IWF; MGCF/MRFC/BGCF/SGF; MGW/MRFP/T-MGF) with the SIP server/call server, media gateway, HSS, application servers, charging, IP-IP gateway and A-BGF/I-BGF behind it.]

Slide 19: Attack Summary

• An IMS network built in compliance with 3GPP or TISPAN specifications has numerous vulnerabilities
• An attack on the network could cause network-wide outages, including bringing down HSSs, application servers, SIP servers, call servers, media gateways and IP-IP gateways
• Attacks on specific targeted individual users could cause them extreme annoyance and disrupt their service in insidious ways
• The Sipera Systems research team has identified over 90 distinct categories of attacks
• These attacks require hackers with varying levels of sophistication, but many are possible even for so-called "script kiddies"