-
VoIP security myths & realities
Ishai RosmarinSales Director [email protected]
-
in IPwe donttrustanyone!
-
VoIP security in the news
VoIP Security Alert: Hackers Start
Attacking For Cash (June 2006)
Two Men Charged With Hacking Into
VoIP Networks (June 2006)
The Internet's a Scary Place for Voice(May 2006)
Is Your VoIP Phone Vulnerable?
(June 2006)
Are Hackers Eyeing your VoIP Network?
(Sept. 2006)
VoIP Security: It's More Than Data Security(Aug. 2006)
-
4Security Concerns
Everyone worries
about security
DoS attacks and
overloads are biggest
worry
Source: Service Provider Plans for Next Gen Voice 2006 (July
2006)
29%
75%
75%
63%
79%
54%
42%
33%
0% 20% 40% 60% 80%
Trade performancefor security
SPIT
Illegal wiretapping
Service topology exposure
Service fraud
User privacy and confidentiality
User/device authenticationand authorization
DoS attacks and overloads ofnext gen voice service
infrastructure
Percent of Next Gen Voice
Respondents Rating 6 or 7
-
VoIP security threats & solutions
-
IMS: Is Missing Security
DoS/DDoS
attacks
Traffic
overloads
Viruses &
malware
Service
fraud
Identity
theft
Eves -
dropping
SPIT
Security feature requirement IMS function/feature
Access control - static IP address list Core IMS functions, not
applicable for UE
Access control - dynamic IP address list Not addressed
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
x
Topology hiding (NAPT at L3 & L5) I-BCF only, THIG
sub-function IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Authentication - subscriber & CSCF IPSec, SIP digest
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Authorization - subscriber HSS function
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Signaling encryption IPSec
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Media encryption Not addressed
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Admission control - I/S-CSCF constraints Not addressed
Admission control - network bandwidth constraints PDF/RACS
functionAdmission control - user limits: sessions (#) Not addressed
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Admission control - user limits: bandwidth Not addressed
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
SIP message & MIME attachment filtering/inspection Not
addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Signaling rate monitoring & policing Not addressed
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Bandwidth monitoring & policing Not addressed
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Call gapping - destination number Not addressed
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Call gappping - source/destination CSCF or UE Not addressed
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
QoS marking/mapping control Not addressed
IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
-
Internet
Types_ Malicious attacks_ Non-malicious poor behaving
endpoints, power outages
Solution requirements
_ SBC DoS self-protection Access control - static & dynamic
Trusted & untrusted paths with policed
queues IDS capabilities
_ Service infrastructure DoS prevention Access control - static
& dynamic Topology hiding Signaling rate plicing Bandwidth
policing
DoS/DDoS attacks threatensubscriber retention and revenue
PSTNTransit& O&T
HIP ICServices
O&T
HIP ICServices
1
2
4
3
-
Viruses & malware can threaten ICendpoints and service
infrastructure
SIP MIME attachments are powerful tool for richer call ID- vcard
text, picture or video
Potential Trojan horse for viruses and worms to general-purpose
server-based voice platforms_ SIP softswitch, IMS CSCF, SIP
servers, app servers_ SIP PBX_ SIP phones & PCs
New endpoint vulnerabilities_ Embedded web servers - IP phones_
Java apps liability or asset?
Solution requirements_ Authentication_ SIP message & MIME
attachment filtering_ Secure OS environment
SQL
Slammer
Melissa
Code Red
Nimda
Sobig
Love
Bug
Klez
Michelangelo
-
Internet
Service fraud riskis business model dependant
Business model dimensions_ Internet vs. managed network_ Free
vs. fee based_ Anonymous vs. not anonymous
Types of fraud_ Service theft_ QoS theft_ Bandwidth theft
Solution requirements_ Access control_ Authentication
subscriber
& SIP signaling elements_ Authorization subscriber_
Admission control subscriber
limits - # sessions & bandwidth_ QoS marking/mapping
control_ Bandwidth policing
PSTNMPLS
NONE
NONE
DiffServ-31
2
4
3
A B
-
Identity theft cant beprevented entirely by technology
How do you know you are talking to Bank of America?
Web site techniques dont work for IC- work for many-one, not
many-many
Solution requirements Authentication, access control Trust
chains - pre-established technical & business relationships
-
Eavesdropping threat is over hyped
Less risk than email, who encrypts email?_ Email is information
rich (attachments), voice not_ Email always stored on servers, only
voice mail_ Email always stored on endpoints, voice not
Who is at risk?_ Bad guys - Osama, drug cartels,
pedophiles, etc._ Law enforcement_ Money, love, &
health-related
insider trading, adultery, ID theft,
Solution requirements_ Authentication subscriber_ End-to-end
encryption (EXPENSIVE)
Signaling (TLS, IPSec) Media (SRTP, IPSec)
-
SPIT will be annoying,& possible tool for ID theft
Will anonymous, cheap Yahoo subscriber (aka SPITTER)be able to
call money-paying Verizon subscriber to solicit- phone sex, penis
enlargement, Viagra pill purchase?
Techniques that wont work_ Access control static_ Content
filtering_ Charging - $/call_ Regulation
Solution requirements_ Access control
dynamic, IDS-like_ Authentication_ Admission control
subscriber limits (#)_ Trust chains - pre-established
technical & business relationships
-
Who is responsible for security?
The individual The organization
-
The future IC net?
The Internet
I
The Federnet
FF
F
F F
-
Net-Net
Security issues are very complex and multi-dimensional
Security investments are business insurance decisions_ Life DoS
attack protection_ Health SLA assurance_ Property service theft
protection_ Liability SPIT & virus protection
Degrees of risk_ Internet-connected ITSP ` High_
Facilities-based HIP residential services_ Facilities-based HIP
business services
_ Peering Low
_ NEVER forget disgruntled Malcom, OfficeSpace
Session border controllers enable service providersto insure
their success
-
Monitor, report & recordattacks & attackers;provide
audit trails
Net-SAFE security requirementsframework for session border
control
Protect against SBC DoS attacks & overloads(malicious &
non-malicious)
Session-awareaccess control
for signaling& media
Prevent DoSattacks on serviceinfrastructure &subscribers
Completeservice
infrastructurehiding & user
privacy support
Support for L2 and L3 VPNservices and security
Prevent misuse & fraud;protect againstservice theft
-
Acme Packet Net-Net SD flawlessly passedall of CT Labs grueling
attack tests
Total of 34 different test cases, using over 4600 test
scripts
No failed or dropped calls, even for new callsmade during
attacks
No lost RTP packets during attacks
Protected the service provider equipment did notallow flood
attacks into core, stopped packets at edge
SD performance not impacted during attack
SD CPU utilization - only10% increase
Signaling latency - only2 ms average increase
RTP jitter lessthan 1 ms increase(not measurable bytest
equipment)
-
Acme Packet SBCDoS/DDoS protection
Network processor (NPU) -based protection L3/4 (TCP, SYN, ICMP,
etc.) & signaling attack detection & prevention - Dynamic
& static ACLs (permit & deny) to SPU Trusted &
untrusted paths to SPU w/configurable bandwidth allocation
&
bandwidth policing per session Trusted devices - guaranteed
signaling rates & access fairness Untrusted devices can access
unused
trusted bandwidth Separate queues for ICMP, ARP, telnet, etc.
Reverse Path Forwarding (uRPF)
detection - signaling & media Overload prevention - 10
Gbps
NPUs > 8 Gbps network interfaces
Signaling processor (SPU)-based protection Overload protection
threshold
(% SPU) w/graceful call rejection Per-device dynamic
trust-binding
promotes/demotes devicesNetwork
processor
Intelligenttraffic
manager
Networkprocessor
Signalingprocessor
Securityprocessor
-
The leaderin session border control
for trusted, first classinteractive communications
