ims04-giuhat-sipera


  • 7/29/2019 ims04-giuhat-sipera

Slide 1 of 19

Sipera Systems, Proprietary & Confidential

    IMS Security and Protection

Micaela Giuhat, VP Product Management

Sipera Systems, email: [email protected]

Slide 2

    Outline

    Open system security

    VoIP security requirements

    Industry approach and strategies

IMS security requirements

IMS vulnerabilities

    Attack examples

    Solution

    Summary

Slide 3

Open Systems can be attacked

The traditional voice network is a closed system, vs. the Internet, which is open.

[Diagram: "bad guys" on the Internet reaching external web servers, internal web servers, e-mail servers and the core network. Threats shown: denial of service attacks, viruses, spyware, blended attacks, e-mail SPAM.]

Slide 4

The Internet Security Industry

Applications protected: web apps, e-mail, database.

[Diagram: the Internet in front of external web servers, internal web servers, e-mail servers and the core network, guarded by a firewall, IDS, IPS, SPAM filter and network security log correlation.]

But problems still persist.

Slide 5

Enter VoIP

[Diagram: the same network as on slide 4 (firewall, IDS, IPS, SPAM filter, network security log correlation in front of the web servers, e-mail servers and core network), now with communication servers added.]

VoIP is different:

Real time

Peer-to-peer

Protocol rich

Complex state machine (several dozen states)

Feature rich (several hundred services)

Separate signaling & media planes

Low tolerance to false positives & negatives

Slide 6

Current Industry Approach

[Diagram: the existing security boxes (firewall, IDS, IPS, SPAM filter, network security log correlation) in front of the web servers, e-mail servers, communication servers and core network.]

Current industry thinking is to add VoIP sensibilities to all the existing security boxes, although nothing is actually available yet.

This approach is unworkable:

1. Not real time

2. Cannot handle encrypted traffic

3. Can't keep up with new feature addition

Slide 7

Current Strategies

[Diagram: core switch and PSTN gateway protected by the five strategies below.]

Security Agent: protects against Windows OS vulnerabilities.

FW/ALG: opens pinholes.

Certs: authentication, encryption.

Guard: scrubs IP DoS/DDoS traffic.

IDS/IPS: VoIP traffic analysis, signature/anomaly filtering, event correlation, remediation.

Drawbacks shown against these strategies: hard to manage; will not meet performance specifications; does not address multi-vendor; cannot keep up with new features; not available yet; the ALG is vulnerable; cannot stop spoofed caller IDs; limited signatures; may block good calls.

Slide 8

Desired Approach

An integrated, real-time VoIP security solution that comprehensively tackles all VoIP vulnerabilities, both Enterprise & Carrier: the IP Communications Security (IPCS) solution.

[Diagram: the IPCS solution placed in front of the communication servers, alongside the existing firewall, IDS, IPS, SPAM filter and network security log correlation that guard the web servers, e-mail servers and core network.]

Slide 9

Tolerance for False Negatives: Email vs. Voice

Email delivery mode: store, analyze, forward in near-real time. A low-volume email attack that the security device misses (false negative) reaches the email server, but the e-mail may not be extracted immediately, can be deleted fairly easily, and the annoyance level is low.

Call delivery mode: analyze, forward in real time. A low-volume voice attack that the security device misses (false negative) reaches the call server and the call is delivered in real time; the phone rings constantly and the annoyance level is high.

Slide 10

Typical Solution vs. Desired Solution

Typical solution: a separate product per function (anti-SPAM, firewall, intrusion prevention system, denial of service prevention, network level correlation, intrusion detection system), each covering OS, IP, web, e-mail and database traffic, with VoIP appearing in every row as the application none of them covers.

Desired solution: a comprehensive, integrated security solution for communications applications (VoIP, IM, video, multi-media).

Slide 11

    Comprehensive IMS Security System

    A Comprehensive IMS Security System must:

    Prevent unauthorized usage

Protect end-user privacy

Protect IMS infrastructure from attacks

    Protect end-users from attacks

    Handle voice SPAM

Slide 12

Security Aspects addressed in IMS

Unauthorized use: protected by authentication (SIM). Well defined by 3GPP, addressed by the core IMS infrastructure (SIM, HSS, AAA, PDG).

Privacy: protected by encryption (IPSec, TLS). Well defined by 3GPP, addressed by the core IMS infrastructure.

Attacks on infrastructure, attacks on end-users and IMS SPAM: not addressed by the core IMS infrastructure. The protection techniques needed are:

IMS aware firewall (policy based filters: URL/IMSI/MSISDN/AP/IP white/black lists, etc.)

IMS intrusion prevention (call-stateful deep packet inspection (IMS decode), behavioral learning (fingerprinting), protocol fuzzing prevention, media filtering, etc.)

IMS SPAM filter (user control, behavioral learning (call patterns, trust scores), machine call detection, etc.)

IMS network level security management (event correlation, network threat protection)

Slide 13

Security Aspects addressed in IMS

IP traffic characteristics covered by existing Internet security solutions (web, database, e-mail): non-real time; client-server; TCP/UDP/ICMP/FTP/HTTP/SQL aware.

IP traffic characteristics not addressed (VoIP, IMS, IP TV): real time; peer-peer; IMS/SIP/H.248/RTP/MPEG aware; call state & service aware; user & traffic behavioral learning.

Slide 14

IMS reference architecture

[Diagram: the 3GPP IMS reference architecture over the IP transport (access and core). Elements: UE, GGSN, P-CSCF, I-CSCF, S-CSCF, SLF, HSS, AS, PDF, BGCF, MGCF, MGW, MRFC, MRFP, charging functions, PSTN. Reference points shown: Mw (between CSCFs), Cx and Dx (CSCF to HSS and SLF), ISC (S-CSCF to AS), Sh and Dh (AS to HSS and SLF), Mr (S-CSCF to MRFC), Mp (MRFC to MRFP), Mi (S-CSCF to BGCF), Mj (BGCF to MGCF), Mg (MGCF to CSCF), Mn (MGCF to MGW), Gq (P-CSCF to PDF), Rf/Ro (charging). Protocols: SIP on the CSCF/AS interfaces, DIAMETER towards HSS/SLF/charging, H.248 for media gateway control.]

Slide 15

IMS Vulnerabilities

IMS & SIP enable a rich feature set of converged services, but also open up the network to IP based vulnerabilities.

IMS & SIP vulnerabilities include:

OS level vulnerabilities

IP Layer 3 vulnerabilities

IMS framework related vulnerabilities

SIP/RTP/H.248/etc. protocol vulnerabilities

VoIP/Video/PoC/etc. application vulnerabilities

VoIP SPAM

The OS and IP layer 3 vulnerabilities are well known in the data world; the IMS framework, protocol, application and SPAM vulnerabilities (application level vulnerabilities) are new, unique and real time sensitive.

[Diagram: IMS core (P/S/I-CSCF, SLF/PDF/IBCF/IWF, MGCF, MRFC, BGCF, SGF, MGW, MRFP, T-MGF) with SIP server/call server, media gateway, HSS, apps, charging, IP-IP GW, ABGF and IBGF.]

Slide 16

IMS Architecture Vulnerabilities: Some Examples

Compromised mobile phones

Zombie hard/soft phones

Modified phone with malicious intent

Malicious/malformed/spoofed signaling attacks

Malicious/malformed/spoofed media attacks

Spoofed IMS emergency session attacks

Presence update attacks

Initiating conferencing to block the network resources

UE having direct access to the IMS core network

Charging fraud: signaling directly to the S-CSCF to avoid charging

Misconfigured/partially configured UEs and/or network elements

Non-GPRS access such as WLAN or BB can be attacked directly from the Internet without a subscription

SPAM
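The protection techniques listed on slide 12 (policy-based white/black lists, call-stateful deep packet inspection, protocol fuzzing prevention) and two of the examples on slide 16 (malformed signaling, and charging fraud by signaling directly to the S-CSCF) can be made concrete with the following added example. It is not Sipera's code or any IMS vendor's: a minimal call-stateful SIP request inspector in Python, placed between the P-CSCF and the S-CSCF, that rejects malformed signaling, refuses requests that did not arrive through a trusted P-CSCF (so a UE cannot reach the S-CSCF directly and bypass the charging path), applies a caller deny list, and enforces a per-Call-ID dialog state machine so that a BYE or CANCEL for a dialog that was never set up is dropped. The P-CSCF addresses, subscriber identities and SIP messages are constructed for the example, and the state table is a simplification that tracks requests only, not responses.

```python
import re
from collections import Counter

MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")
REQUEST_LINE = re.compile(r"^([A-Z]+) sips?:\S+ SIP/2\.0$")
CSEQ = re.compile(r"^(\d+) ([A-Z]+)$")
# Assumed deployment policy (constructed): the operator's P-CSCF addresses and one blocked caller.
TRUSTED_PCSCF = {"10.0.1.10", "10.0.1.11"}
DENY_IDENTITIES = {"sip:+15550001111@ims.example.net"}

def parse_request(raw):
    """Minimal SIP parser -> (method, {lower-cased header: [values]}); ValueError if malformed."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break  # end of headers; an SDP body is not inspected here
        if ":" not in line:
            raise ValueError(f"bad header line {line!r}")
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), headers

def wellformed_error(method, headers):
    """Reason string if the request breaks basic SIP rules, else None."""
    for h in MANDATORY:
        if h not in headers:
            return f"missing {h}"
    c = CSEQ.match(headers["cseq"][0])
    if c is None or c.group(2) != method:
        return "cseq does not match method"
    return None

def via_host(via):  # 'SIP/2.0/UDP 10.0.1.10:5060;branch=...' -> '10.0.1.10'
    return via.split()[-1].split(";")[0].split(":")[0]

def header_uri(value):  # '<sip:a@b>;tag=1' -> 'sip:a@b'
    return value.split("<")[-1].split(">")[0].split(";")[0]

class Inspector:
    # (method, current dialog state) -> next state; any other pair is out of state
    TRANSITIONS = {("INVITE", None): "inviting", ("INVITE", "established"): "established",
                   ("ACK", "inviting"): "established", ("CANCEL", "inviting"): "terminated",
                   ("BYE", "inviting"): "terminated", ("BYE", "established"): "terminated"}
    DIALOGLESS = {"REGISTER", "OPTIONS", "MESSAGE", "PUBLISH", "SUBSCRIBE"}

    def __init__(self, trusted_pcscf, deny_identities):
        self.trusted, self.deny = set(trusted_pcscf), set(deny_identities)
        self.dialogs = {}                  # Call-ID -> dialog state
        self.malformed_by_src = Counter()  # input for behavioral fingerprinting

    def inspect(self, raw, src_ip):
        """Return ('forward', state) or ('drop', reason) for one request."""
        try:
            method, headers = parse_request(raw)
            err = wellformed_error(method, headers)
        except ValueError as exc:
            err = str(exc)
        if err:
            self.malformed_by_src[src_ip] += 1
            return ("drop", f"malformed: {err}")
        # Topology: must arrive from a trusted P-CSCF with its Via on top, else a UE is talking to the core directly
        if src_ip not in self.trusted or via_host(headers["via"][0]) not in self.trusted:
            return ("drop", f"source {src_ip} is not a trusted P-CSCF (bypasses P-CSCF and charging)")
        caller = header_uri(headers["from"][0])
        if caller in self.deny:
            return ("drop", f"{caller} denied by policy")
        if method in self.DIALOGLESS:
            return ("forward", "dialogless")
        call_id = headers["call-id"][0]
        key = (method, self.dialogs.get(call_id))
        if key not in self.TRANSITIONS:
            return ("drop", f"{method} not valid in dialog state {key[1]}")
        self.dialogs[call_id] = self.TRANSITIONS[key]
        return ("forward", self.dialogs[call_id])

def build(method, call_id, seq, caller="sip:+15550003333@ims.example.net", via_pcscf=True):
    """Construct a request; via_pcscf=False models a UE sending straight to the S-CSCF."""
    pcscf_via = f"Via: SIP/2.0/UDP 10.0.1.10:5060;branch=z9hG4bKpc{seq}\r\n" if via_pcscf else ""
    return (f"{method} sip:+15550002222@ims.example.net SIP/2.0\r\n" + pcscf_via
            + f"Via: SIP/2.0/UDP 192.0.2.7:5060;branch=z9hG4bKue{seq}\r\nMax-Forwards: 68\r\n"
            f"From: <{caller}>;tag=1\r\nTo: <sip:+15550002222@ims.example.net>\r\n"
            f"Call-ID: {call_id}\r\nCSeq: {seq} {method}\r\n\r\n")

def demo():
    """Run the constructed scenarios through one inspector; returns the verdicts in order."""
    insp, pcscf = Inspector(TRUSTED_PCSCF, DENY_IDENTITIES), "10.0.1.10"
    return [
        insp.inspect(build("INVITE", "c1", 1), pcscf),                          # forward, inviting
        insp.inspect(build("ACK", "c1", 1), pcscf),                             # forward, established
        insp.inspect(build("BYE", "c1", 2), pcscf),                             # forward, terminated
        insp.inspect(build("BYE", "c9", 1), pcscf),                             # drop: no such dialog
        insp.inspect(build("INVITE", "c2", 1, via_pcscf=False), "192.0.2.7"),  # drop: UE straight to core
        insp.inspect(build("INVITE", "c3", 1).replace("CSeq: 1 INVITE\r\n", ""), pcscf),  # drop: malformed
        insp.inspect(build("INVITE", "c4", 1, caller="sip:+15550001111@ims.example.net"), pcscf),  # drop: denied
    ]
```

The topology check is the part that matters for the charging-fraud case: a request is only accepted when the transport source and the topmost Via both belong to a P-CSCF the operator runs, so the P-Asserted-Identity and charging headers the P-CSCF inserts cannot be forged by a handset that learned the S-CSCF address. The per-source malformed counter is the raw material for the fingerprinting slide 12 mentions: a source that keeps emitting requests that fail basic parsing is a fuzzer, not a phone.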

Slide 17

IMS Application Level Attacks

Both network & subscribers can be attacked, by zombie attackers, human attackers and spammers sending spoofed packets.

[Diagram: MMD core (P/S/I-CSCF, SLF/PDF/IBCF/IWF, MGCF, MRFC, BGCF, SGF, MGW, MRFP, T-MGF) with SIP server/call server, media gateway, HSS, apps, charging, IP-IP GW, ABGF and IBGF as targets.]

Attack types:

Flood denial of service: signaling, media

Distributed DoS

Stealth DoS: target an individual or group of users

Blended attacks: recruit zombies and use them to launch an attack

SPAM: SPAM over Internet Telephony (SPIT)
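For the flood DoS, stealth DoS and SPIT attack types on slide 17, and the behavioral learning (call patterns, trust scores) that slide 12 lists under the IMS SPAM filter, here is an added example that is not Sipera's code: a Python monitor over per-call records that raises a signaling-flood alert when one source exceeds an INVITE rate within a one-second window, raises a targeted-user alert when one callee is rung by more attempts than a per-minute threshold allows (the stealth DoS against an individual), and computes a trust score per caller from answer ratio, talk time and callee diversity. Every threshold, weight and traffic record is an assumption constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    """One call attempt as seen at the signaling edge (records below are constructed)."""
    t: float        # seconds
    src_ip: str     # where the INVITE came from
    caller: str
    callee: str
    answered: bool
    talk_s: float   # talk time in seconds, 0 when not answered

class SignalingMonitor:
    """Per-source flood detection, per-target stealth DoS detection and a behavioral
    trust score per caller. All thresholds are assumptions for the example."""

    def __init__(self, flood_rate=20, flood_window=1.0, target_rate=10, target_window=60.0,
                 spit_min_attempts=8, spit_trust_floor=0.3):
        self.flood_rate, self.flood_window = flood_rate, flood_window
        self.target_rate, self.target_window = target_rate, target_window
        self.spit_min_attempts, self.spit_trust_floor = spit_min_attempts, spit_trust_floor
        self.by_src = defaultdict(deque)     # src_ip -> recent INVITE times
        self.by_callee = defaultdict(deque)  # callee -> recent INVITE times
        self.by_caller = defaultdict(list)   # caller -> all attempts

    @staticmethod
    def _push(window, t, span):
        """Sliding window of timestamps; returns how many fall inside [t - span, t]."""
        window.append(t)
        while window[0] < t - span:
            window.popleft()
        return len(window)

    def observe(self, a):
        """Record one attempt; returns (alert, subject) pairs for thresholds crossed."""
        alerts = []
        if self._push(self.by_src[a.src_ip], a.t, self.flood_window) > self.flood_rate:
            alerts.append(("signaling-flood", a.src_ip))
        if self._push(self.by_callee[a.callee], a.t, self.target_window) > self.target_rate:
            alerts.append(("targeted-user", a.callee))
        self.by_caller[a.caller].append(a)
        return alerts

    def trust_score(self, caller):
        """0..1 from answer ratio, mean talk time and callee diversity; 0.5 for an unseen caller."""
        at = self.by_caller.get(caller, [])
        if not at:
            return 0.5
        answered = [x for x in at if x.answered]
        answer_ratio = len(answered) / len(at)
        mean_talk = sum(x.talk_s for x in answered) / len(answered) if answered else 0.0
        diversity = len({x.callee for x in at}) / len(at)   # 1.0 = never dials the same number twice
        # Weights are an assumption: humans get answered, talk for a while and redial known numbers
        return round(0.4 * answer_ratio + 0.4 * min(mean_talk / 60.0, 1.0) + 0.2 * (1 - diversity), 2)

    def is_spit(self, caller):
        return (len(self.by_caller.get(caller, [])) >= self.spit_min_attempts
                and self.trust_score(caller) < self.spit_trust_floor)

def demo():
    """Feed constructed traffic through one monitor; returns alerts and per-caller verdicts."""
    m, traffic = SignalingMonitor(), []
    # Legitimate subscriber: three answered calls to two numbers, minutes apart
    traffic += [Attempt(400 + i * 600, "192.0.2.7", "sip:alice@ims.example.net", callee, True, talk)
                for i, (callee, talk) in enumerate([("sip:bob@ims.example.net", 120),
                                                    ("sip:bob@ims.example.net", 300),
                                                    ("sip:carol@ims.example.net", 45)])]
    # Spammer: ten attempts to ten different numbers, one answered and hung up after 3 s
    traffic += [Attempt(300 + i * 5, "198.51.100.5", "sip:spam@ims.example.net",
                        f"sip:u{i}@ims.example.net", i == 0, 3.0 if i == 0 else 0.0) for i in range(10)]
    # Zombie: 25 INVITEs in half a second from one address
    traffic += [Attempt(100 + i * 0.02, "198.51.100.9", f"sip:z{i}@ims.example.net",
                        f"sip:t{i}@ims.example.net", False, 0.0) for i in range(25)]
    # Stealth DoS: twelve different callers ring one victim within a minute
    traffic += [Attempt(200 + i * 2, f"203.0.113.{i}", f"sip:h{i}@ims.example.net",
                        "sip:victim@ims.example.net", False, 0.0) for i in range(12)]
    alerts = set()
    for a in sorted(traffic, key=lambda x: x.t):
        alerts.update(m.observe(a))
    return {"alerts": alerts,
            "alice": (m.trust_score("sip:alice@ims.example.net"), m.is_spit("sip:alice@ims.example.net")),
            "spam": (m.trust_score("sip:spam@ims.example.net"), m.is_spit("sip:spam@ims.example.net"))}
```

The two rate detectors key on different things on purpose: a flood is many attempts from one source, while a stealth DoS against a subscriber is many attempts at one target from many sources, which a per-source limit never sees. The trust score is deliberately computed from completed-call behaviour rather than from the INVITE alone, which is why a spammer that is rarely answered and never redials scores low while a subscriber who talks to the same two people scores high.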

Slide 18

IMS Vulnerability Protection System Reference Architecture

The IMS Vulnerability Protection System is distinct from the IMS core infrastructure.

[Diagram: zombie attackers, human attackers and spammers on the outside; the IMS Vulnerability Protection System sits in front of the IMS core (P/S/I-CSCF, SLF/PDF/IBCF/IWF, MGCF, MRFC, BGCF, SGF, MGW, MRFP, T-MGF, SIP server/call server, media gateway, HSS, apps, charging, IP-IP GW, ABGF, IBGF).]

Slide 19

    Attack Summary

An IMS network built in compliance with the 3GPP or TISPAN specifications still has numerous vulnerabilities.

An attack on the network could cause network-wide outages, including bringing down HSSs, application servers, SIP servers, call servers, media gateways and IP-IP gateways.

Attacks towards specific targeted individual users could cause them extreme annoyance and disrupt their service in insidious ways.

The Sipera Systems research team has identified over 90 distinct categories of attacks.

These attacks require hackers with varying levels of sophistication, but many attacks are possible even for so-called script kiddies.