Security model-of-sip-d2-05 at kishore

Presentation by AT Kishore in SIP International Forum at Paris called
SIP2008 International, a global seminar

  1. “Security Model” of SIP
     A T Kishore, January 31st, 2008
     Alcatel-Lucent - Proprietary
  2. Agenda
     1. Security is Ever Pervasive
     2. SIP is no exception
     3. Introducing SIP CIA Model
     4. ‘Always ON’
     5. Call Flow Scenarios
     Alcatel-Lucent – Proprietary, All Rights Reserved © Alcatel-Lucent 2007
  3. Security is Ever Pervasive
  4. About Alcatel-Lucent: Leadership and Expertise in Security
     Alcatel-Lucent’s resources are pioneers in the knowledge that drives security innovations.
     Patents and standardization, R&D leadership:
     - Hundreds of patents in security, cryptography, biometrics, firewalls, denial of service and virus detection
     - ITU standards visionary (X.805), then ISO 18028
     - Major player in ITU-T SG 17, Lead Study Group on Communication System Security
     - CERT-IST operation, FIRST membership since 1999
     Bell Labs leadership in:
     - Creation of new cryptography (SHAZAM for CDMA2000, PAK)
     - Breaking of old cryptography (PKCS#1, DSA, SOBER, Clipper)
     - Development of optical-rate encryption ciphers and NSA-certified encryptors
     - Pioneering work in provable security
     - Biometrics (voice authentication with secured models)
     - High-speed encryption hardware (e.g., for SANs)
     - Integration of 802.11 and 3G AAA
     - Watermarking
  5. Alcatel-Lucent Bell Labs Security Framework
     The international standard to build secure-by-design communications solutions: building security into the DNA of complex systems.
     Layers: Infrastructure, Services, Applications
     Planes: End User, Control / Signaling, Management
     The three layers and three planes intersect in 9 modules (Module 1 … Module 9). Each module is assessed against 8 security dimensions, so 9 modules x 8 dimensions = 72 security cells.
     Security dimensions: Access Control, Authentication, Non-Repudiation, Data Confidentiality, Communication Security, Data Integrity, Availability, Privacy
     Threats (which attacks realize against the cells): Destruction, Corruption, Removal, Disclosure, Interruption
     The Bell Labs Security Framework is standardized as the ITU-T X.805 Security Standard and the ISO 18028 Security Standard.
  6. Security trends
     Hacker ‘professionalism’ on the rise. Viruses are just one part of a greater danger: cybercrime. Viruses are now used as ‘tools’ to:
     - Install backdoors (e.g. Bugbear.b, Sobig)
     - Steal identity data
     - Mount major and targeted attacks, spam and financial data theft (e.g. Autoproxy, Sobig)
     Underground price list (source: CLUSIF):
     - Non-exclusive access to a bot: 0.15 €/bot
     - Exclusive access to a bot: 0.35 €/bot
     - Network of 500 bots (= zombies) for rent: 380 €
     - 20000 proxies for spam: 75 €/week
     - On-demand DDoS attack: 38 to 750 €
     A menacing change in attacker skill and motivation: “Virus makers are becoming mercenaries.”
  7. Security – The Jobs to do
     - Attacks increasing in sophistication and impact
     - External and internal threats and vulnerabilities
     - Increasingly complex technology
     - Outsourcing and hosting
     - Regulatory requirements and homeland security
     - Application challenges, patch management
     - Operational reliability and availability
     - Need for privacy
     - Web-based commerce
  8. SIP is no Exception
  9. Tackling SIP Security – General SIP servers
     Execution phases for all incoming SIP messages:
     - Reception
     - Parsing (computationally intensive for SIP!)
     - Processing (depends on the type of message and on the SIP element)
     - Marshalling & transmission
     General multi-threaded SIP server: network socket buffer -> [parsing -> processing] in one thread per message, several threads in parallel -> network socket buffer. Every message, wanted or not, is parsed in full before the server decides anything about it, so parsing cost is paid on attacker-controlled input.
  10. Tackling SIP Security – Prioritizing SIP servers
     Modifications to the general server:
     - Prioritization mechanism
     - Message priority queue
     - On-demand parsing during prioritization and processing
     Prioritizing SIP server pipeline: network socket buffer -> pre-parsing & prioritization -> message priority queue -> remainder parsing & processing (several threads) -> network socket buffer
  11. Tackling SIP Security – Message processing stages
     Parse only what is strictly necessary, in combination with an efficient header field recognition algorithm. Measured sojourn time (excluding the network buffer) for the three designs:
     - General SIP server: parsing, then processing
     - SIP server with on-demand parsing: parsing on demand during processing
     - Prioritizing SIP server with efficient parsing: parsing on demand during prioritization, queuing, then parsing on demand during processing
     Prioritization policies are based on message characteristics, system state, and statistics.
  12. Tackling SIP Security – Prioritizing SIP server
     SIP devices -> SIP messages -> pre-parsing -> prioritizing (policy) -> processing, or drop
     - The service provider defines the policy
     - Dynamic adaptation to real-time conditions
     - Built on the Bell Labs Java SIP stack, in front of SIP server 1 … SIP server n
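The pre-parse, prioritize, drop pipeline of slides 9 to 12, as an added example that is not code from the deck and not the Bell Labs Java SIP stack: a small Python model that reads only the start line and the To header of each constructed SIP message, assigns a priority from an assumed operator policy table, keeps a bounded priority queue that sheds new INVITEs first under overload, and defers full header parsing until a message is actually dequeued. The policy numbers, the queue capacity and the sample messages are assumptions made for the example.

```python
import heapq
import itertools
from dataclasses import dataclass, field
from typing import Optional

# Assumed operator policy: lower number = served first. Responses and
# in-dialog requests complete work already under way; brand-new INVITEs are
# the cheapest thing to shed (a real server would answer them 503 + Retry-After).
POLICY = {"response": 0, "in_dialog": 1, "CANCEL": 1,
          "REGISTER": 2, "INVITE": 3, "default": 2}
QUEUE_CAPACITY = 4   # assumption, deliberately tiny so the demo overloads


@dataclass(order=True)
class Queued:
    priority: int
    seq: int                           # FIFO inside one priority class
    raw: bytes = field(compare=False)
    meta: dict = field(compare=False)


def pre_parse(raw: bytes) -> Optional[dict]:
    """Stage 1: read the start line, then scan headers only until To is
    found. Returns None for anything that cannot be classified."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    start = lines[0].decode("ascii", "replace")
    meta = {"start": start, "to_tag": False}
    if start.startswith("SIP/2.0 "):
        meta["kind"] = "response"
    else:
        parts = start.split(" ")
        if len(parts) != 3 or parts[2] != "SIP/2.0":
            return None                # not a SIP request line
        meta["kind"], meta["method"] = "request", parts[0]
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None                # malformed header line
        if name.strip().lower() in (b"to", b"t"):
            meta["to_tag"] = b"tag=" in value.lower()
            return meta                # stop here: nothing else is needed yet
    return None                        # To is mandatory in RFC 3261


def classify(meta: dict) -> int:
    if meta["kind"] == "response":
        return POLICY["response"]
    if meta["to_tag"]:                 # request inside an established dialog
        return POLICY["in_dialog"]
    return POLICY.get(meta["method"], POLICY["default"])


def full_parse(raw: bytes) -> dict:
    """Stage 3 (remainder parsing): only runs for admitted messages."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {"body": [body.decode("ascii", "replace")]}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return headers


class PrioritizingServer:
    def __init__(self, capacity: int = QUEUE_CAPACITY):
        self.capacity, self.queue, self.seq = capacity, [], itertools.count()
        self.dropped = []              # (reason, first line)

    def enqueue(self, raw: bytes) -> bool:
        first = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
        meta = pre_parse(raw)
        if meta is None:
            self.dropped.append(("malformed", first))
            return False
        item = Queued(classify(meta), next(self.seq), raw, meta)
        if len(self.queue) >= self.capacity:
            worst = max(self.queue)    # lowest priority, newest among equals
            if worst.priority <= item.priority:
                self.dropped.append(("overload", first))
                return False
            self.queue.remove(worst)   # evict it in favour of the newcomer
            heapq.heapify(self.queue)
            self.dropped.append(("overload", worst.meta["start"]))
        heapq.heappush(self.queue, item)
        return True

    def process_next(self):
        item = heapq.heappop(self.queue)
        return item.meta["start"], full_parse(item.raw)


def build(start: str, to: str) -> bytes:
    """Constructed sample message (not captured traffic)."""
    return (f"{start}\r\nVia: SIP/2.0/UDP 10.0.0.1;branch=z9hG4bKx\r\n"
            f"From: <sip:alice@example.com>;tag=a1\r\nTo: {to}\r\n"
            f"Call-ID: c@10.0.0.1\r\nCSeq: 1 X\r\nContent-Length: 0\r\n\r\n").encode()


SAMPLE = [
    build("INVITE sip:bob@example.com SIP/2.0", "<sip:bob@example.com>"),
    build("REGISTER sip:example.com SIP/2.0", "<sip:carol@example.com>"),
    build("BYE sip:bob@example.com SIP/2.0", "<sip:bob@example.com>;tag=b7"),
    build("SIP/2.0 200 OK", "<sip:bob@example.com>;tag=b7"),
    build("INVITE sip:dave@example.com SIP/2.0", "<sip:dave@example.com>"),
    b"garbage without structure\r\n\r\n",
    build("BYE sip:carol@example.com SIP/2.0", "<sip:carol@example.com>;tag=c3"),
]


def run_demo(messages=SAMPLE):
    srv = PrioritizingServer()
    for m in messages:
        srv.enqueue(m)
    served = []
    while srv.queue:
        served.append(srv.process_next()[0])
    return served, srv.dropped


if __name__ == "__main__":
    print(run_demo())
```

With the queue full, the second INVITE is refused on arrival, the late in-dialog BYE evicts the first INVITE, and the unparseable message never reaches the parser at all; the served order is 200 OK, the two BYEs, then REGISTER. The point to keep from this is that the expensive parsing on slide 9 happens only for messages the policy has already admitted.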
  13. All Corners Of Security Challenges
     - Regulatory requirements
     - Need to boost confidence in the security of SIP, VoIP and XoIP transactions
     - Market pressure of reducing operational costs, and competition
     - Hacking & other attacks
  14. Introducing SIP CIA Model
  15. Keys, Values & Codes – CIA model for SIP Security
     The CIA Triad is a widely used information assurance model. It consists of Confidentiality, Integrity and Availability:
     - Confidentiality: ensuring that information is accessible only to those who are authorized.
     - Integrity: ensuring that information is pristine, unaltered and complete.
     - Availability: ensuring that the information is available as needed.
  16. Keys, Values & Codes – CIA model for SIP Security (diagram)
  17. Session Universe – People, Processes and Enableware (SIP/IMS Technology)
     People:
     - Awareness about the importance of SIP security compliance
     - Convergence mind set
     Technology:
     - Adaptive messages for data gathering & analysis
     - Platforms, subsystems
     - Databases
     Process:
     - Feedback loops with automated and interactive web-based solutions to tie people, process and technologies together
     (Diagram: People, Process and Technology arranged around the SIP AS)
  18. CIA model for SIP Security (diagram)
  19. The Model is ‘Always ON’
  20. Two Parts to the Security Strategy
     Part One: Security Inside (value proposition: enhance the brand)
     a. Different from the competition
     b. Creates a foundation for “trustworthiness”
     Part Two: Keeping IT Secure (value proposition: create revenue)
     a. Enhances the trust model: protect the network, keep it “trustworthy”
        1. End-to-end security approach in NGN
        2. A solution, not more point products
        3. Centralize management for response
     b. Lowers the opex of security management (centralized security management, integrated to lower the opex of security)
        1. Central event correlation manager
        2. Central resource manager
  21. Enterprise Security Solutions
     - User Aware Network Security: pre/post admission control
     - Key Business Critical Application Security: Web Services Gateway
     - Mobile Users Security: Nonstop Laptop Guardian
     Channels: data/converged network service providers, systems integrators, VARs
     SIP is perhaps the latest and most effective digital bridge of all known bridges.
  22. Enterprise Applications: PeCaBoo, Personal Call Manager, Allege – WorkTrack / Field Supervisor
  23. iLocator Features
     A location-based tracking application / platform; a location-based service product from Bell Labs Research & Mobility/IN.
     Tracks people, events and places on a map:
     - People: track buddies within a vicinity
     - Events: track if there is a sale or a traffic jam nearby
     - Places: display preferred shops, ATMs, gas stations and restaurants in the user’s vicinity
     Enables custom services targeting enterprises, families and government, for example TeenTracker, FleetTracker, DirectionFinder.
     Supports SMS’ing from within the application. Works across network types, location techniques and handsets.
  24. Consumer Applications >> Data Messaging
     PhonePages:
     - A phonepage is a light-weight home page added to your phone number
     - Displays in connection with phone calls
     - Different features at different call events (for example calling, rejected, busy)
     - Displays in multiple formats (for example WAP, SMS, e-mail)
     PeCaBoo:
     - Subscribers push their pages to callers and receive pages on calls from other subscribers
     - Drives data session usage by letting subscribers surf during and after calls
     Services used: Multiparty Call Control, User Interaction (WAP Push, SMS)
  25. Enterprise Applications >> Data Messaging
     EWay:
     - Provides remote and secure access to enterprise networks for mobilizing and telecom-enabling enterprise IT applications and systems
     - Supports communication capabilities such as messaging, call management, content charging, presence and availability management, and universal service access through web, WAP and interactive voice
     - Mobile internet and IVR access to MS Exchange and Outlook
     - Outbound call management with click-to-dial and voice activated dialing from contact lists
     Services used: Call Control, User Interaction
  26. Consumer & Enterprise Applications
     Fuzion:
     - End users specify personal preferences to manage their communication needs
     - Ability to define a personal profile (at home, office, travelling, can be reached at, etc.) and instruct the system to handle incoming calls for call routing, call screening and notification treatment
     - Supports a Personal Communication Portal (PCP) for personal address book, calendar and message storage via Web, WAP and voice interfaces
     Services used: Call Control, User Interaction
  27. Edge Protection
     - Deployed at the edge of your network as your first line of defense
     - Provides multi and blended threat security along with securing VoIP
     - Protects critical VoIP (H.323, SIP) resources from attacks
  28. SIP Security and Value
     Focused approach on key areas where SIP security can bring value through:
     - Flexibility: of deployment choices, modularity and openness (ecosystem)
     - Innovation: by virtue of being an open protocol, SIP paves the way for innovation
     - User Aware Network Security: the most flexible solution to allow user pre and post admission control
     - Key Business Critical Application Security: industry first to provide stateful policy enforcement across the organization
     - Mobile Users Security: unique solution solving the mobile blind spot
  29. The Alcatel-Lucent VPN Firewall – Made for Global Scalability
     (Network diagram: managed-service clients on VLAN 100 to VLAN 400 with extranet, SAP, mail and public servers behind Brick® 50-150 VPN firewalls; a data center with Brick® 1100 VPN firewalls; core A / core B behind active/active Brick® 700; Brick® 1200 and Brick® 20 at further sites; customers A, B and C reached over the existing IP network of routers; centralized management with ALSMS and ALSCS)
  30. The Alcatel-Lucent Security Portfolio in the Enterprise
     Technology:
     - ALVF with SRM/PDG/RBR
     - Evros
     - CloudControl
     - Vital ISA (SEM)
     - Vital AAA/QIP/Endforce
     - AWARE
     - Identity Management
     - Security Professional Services
     - Managed Security Services, SOC 24x7
     (Diagram: global offices, headquarters, primary and alternate data centers, manufacturing center, consultants and mobile workforce connected through the network cloud)
  31. www.alcatel-lucent.com
  32. Security in Call Scenarios
  33. Applications – Reach Me “AnyWare”
     Jacques owns a real estate agency and wants to be reachable for (important) clients any time, anywhere, independent of the network he is connected to.
     - He wants to use his convenient, high-quality wireline phones whenever he is in the office or at home
     - He uses his mobile phone when he is travelling
     - He wants to be reached at his current location, whether the caller dialed his office, home or mobile number
     - He sometimes must change his regular schedule/preferences to serve important clients
     Locations: Home in Evry; Main Office in Concorde (8am – 12pm); Office in Sorbonne (1pm – 5pm); Jacques’ mobile phone. Callers: Pierre (less important client), Michelle (important client).
  34. Encryption
     Symmetric:
     - Encryption and decryption use the same key
     - The key must be secret (secret key)
     - Best known: DES, AES, IDEA, Blowfish, RC5
     - Symmetric keys are what IPsec uses for payload encryption (ESP) and packet authentication (AH & ESP)
     Asymmetric:
     - Also known as public key encryption
     - Encryption and decryption keys are different: one key is public, the other is private
     - Used in IKE for initial peer authentication and for key exchange
  35. Conventions (diagram)
  36. Symmetric Encryption (diagram)
  37. Asymmetric Encryption
     Two complementary keys:
     - Private key (kept secret, usually protected by a passphrase)
     - Public key (published). Problem: authenticity, i.e. the receiver needs assurance that a published key really belongs to the claimed owner
     Basic premises:
     - The private key cannot feasibly be computed from the public key
     - Encryption with one key can only be reversed with the other key
     Best known examples: RSA & ECC; DSA for signatures
     Used in (Open)PGP (Pretty Good Privacy) for digital signatures and encryption, and in PKI (Public Key Infrastructure), e.g. certificates for web servers & S/MIME
     RSA – Rivest Shamir Adleman, ECC – Elliptic Curve Cryptography, DSA – Digital Signature Algorithm
  38. Asymmetric Encryption cont’d (diagram)
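To make the premises on slide 37 concrete, an added example that is not from the deck and not Alcatel-Lucent code: textbook RSA with deliberately tiny primes, used to (a) encrypt with the public key and decrypt with the private one, (b) sign with the private key and verify with the public one, (c) show that a signature made by an attacker verifies perfectly under the attacker’s own public key, which is the “authenticity” problem the slide flags and the reason certificates exist, and (d) recover the private key by factoring n, which is exactly the step that becomes infeasible at real key sizes. The primes, the exponent, the sample message and the hash-mod-n shortcut are assumptions for the example; there is no OAEP/PSS padding, so this is for illustration only.

```python
import hashlib
import math


def is_prime(n: int) -> bool:
    return n >= 2 and all(n % f for f in range(2, math.isqrt(n) + 1))


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


def keygen(p_start: int, q_start: int, e: int = 65537):
    """Toy RSA key pair from assumed small primes (insecure by design)."""
    p, q = next_prime(p_start), next_prime(q_start)
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi; pick other primes")
    d = pow(e, -1, phi)                  # private exponent (Python 3.8+)
    return (n, e), (n, d)                # public key, private key


def encrypt(pub, m: int) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)


def digest(msg: bytes, n: int) -> int:
    # Real RSA signatures hash-and-pad (PSS / PKCS#1 v1.5). Here the SHA-256
    # digest is simply reduced mod n so it fits the toy modulus (assumption).
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(digest(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)


def recover_private_key(pub):
    """Factor n by trial division. Instant for a toy modulus, infeasible for
    a 2048-bit one: that gap is the entire security argument of RSA."""
    n, e = pub
    for f in range(2, math.isqrt(n) + 1):
        if n % f == 0:
            return (n, pow(e, -1, (f - 1) * (n // f - 1)))
    raise ValueError("modulus has no small factor")


def demo() -> dict:
    pub, priv = keygen(7900, 7600)       # assumed primes: 7901 and 7603
    att_pub, att_priv = keygen(5000, 4000)  # attacker's own key pair
    msg = b"INVITE sip:bob@example.com SIP/2.0"   # constructed sample
    session_key = 0xC0FFEE               # assumed small payload, < n
    c = encrypt(pub, session_key)
    sig = sign(priv, msg)
    forged = sign(att_priv, msg)         # attacker signs with own private key
    return {
        "roundtrip": decrypt(priv, c) == session_key,
        "genuine": verify(pub, msg, sig),
        "tampered": verify(pub, msg + b"\n", sig),
        "forged_under_real_key": verify(pub, msg, forged),
        "forged_under_attacker_key": verify(att_pub, msg, forged),
        "factored": recover_private_key(pub) == priv,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two results worth staring at are `forged_under_attacker_key`, which is True, and `factored`, which is also True. The first says that verification only proves “the holder of the private key matching this public key signed this”; unless the public key itself is bound to an identity (a certificate, a web of trust, a pinned key), the check proves nothing about who. The second is why key length is not a tuning knob.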
  39. Hash Functions
     Hash functions produce hash values for data access or security.
     - Hash value: a number generated from a string of text
     - The hash is substantially smaller than the text itself and typically of fixed length
     Basic premises:
     - It is infeasible to find other text that produces the same hash value (collision resistance)
     - Unidirectional (the text cannot be calculated from the hash)
     Provides: integrity; combined with a secret key (HMAC) or a signature, also authentication. A bare hash that travels with the message can be recomputed by whoever altered the message, so on its own it only catches accidental corruption.
     Best known: SHA-1 & MD5. Both have since lost collision resistance (practical MD5 collisions were published in 2004, a SHA-1 collision in 2017); use SHA-256 or SHA-3 for new designs.
     Example (echo appends a newline, so the newline is part of the hashed input; ‘*-’ is md5sum’s binary-mode marker for standard input):
       $ echo The quick brown fox jumps over the lazy dog. | md5sum
       0d7006cd055e94cf614587e1d2ae0c8e *-
       $ echo The quick brown fox jumps over the lazy dog! | md5sum
       54828ad41cf232a5c374689e2f06d3af *-
     SHA – Secure Hash Algorithm, MD5 – Message Digest 5
  40. Hash Functions cont’d (diagram)
  41. Hash Functions cont’d (diagram)
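An added example, not from the deck, that follows the md5sum demonstration on slide 39: it reproduces what `echo TEXT | md5sum` really hashes (the text plus echo’s trailing newline), counts how many output bits flip between the two sentences (the avalanche effect), and then shows the difference between integrity and authentication. An attacker who can rewrite a message can also recompute its unkeyed hash, so a receiver checking that hash accepts the forgery; an HMAC under a key the attacker does not hold cannot be recomputed and the forgery is rejected. The key, the “transfer order” messages and the attacker’s guessed key are constructed for the example.

```python
import hashlib
import hmac
import secrets


def echo_digest(text: str, algo: str = "md5") -> str:
    """What `echo TEXT | md5sum` hashes: the text plus echo's trailing newline."""
    return hashlib.new(algo, (text + "\n").encode()).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Avalanche effect: number of output bits that differ between two digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def naive_seal(msg: bytes):
    # Hash appended to the message: anyone, including an attacker, can recompute it.
    return msg, hashlib.sha256(msg).hexdigest()


def naive_check(msg: bytes, digest: str) -> bool:
    return hashlib.sha256(msg).hexdigest() == digest


def mac_seal(key: bytes, msg: bytes):
    # Keyed hash (HMAC-SHA256): recomputing the tag requires the key.
    return msg, hmac.new(key, msg, "sha256").hexdigest()


def mac_check(key: bytes, msg: bytes, tag: str) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(hmac.new(key, msg, "sha256").hexdigest(), tag)


def demo(key: bytes = None) -> dict:
    key = key or secrets.token_bytes(32)        # known to sender and receiver only
    a = echo_digest("The quick brown fox jumps over the lazy dog.")
    b = echo_digest("The quick brown fox jumps over the lazy dog!")
    order = b"transfer 100 EUR to bob"            # constructed sample message
    tampered = b"transfer 900 EUR to bob"         # attacker's rewrite
    _, h = naive_seal(order)
    _, t = mac_seal(key, order)
    _, h_forged = naive_seal(tampered)            # attacker recomputes the hash
    _, t_forged = mac_seal(b"guessed-key", tampered)  # attacker lacks the real key
    return {
        "md5_dot": a,
        "md5_bang": b,
        "avalanche_bits": differing_bits(a, b),
        "hash_accepts_tampered": naive_check(tampered, h_forged),   # the weakness
        "hash_detects_accidental": naive_check(tampered, h),        # only this case is caught
        "mac_accepts_genuine": mac_check(key, order, t),
        "mac_rejects_tampered": mac_check(key, tampered, t),
        "mac_rejects_forged": mac_check(key, tampered, t_forged),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Roughly half of the 128 MD5 output bits differ between the two sentences although only one input byte changed, which is what makes hashes useful for detecting modification. `hash_accepts_tampered` being True is the reason the deck’s “Integrity & Authentication” line needs the qualifier: authentication needs a secret (HMAC) or a signature, not a digest alone.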
  42. Certificate creation (diagram)
  43. SSH-2 Protocol Stack & Connection establishment
     SSH-2 comprises multiple flexible hierarchical protocols, layered over a TCP/IP connection:
     - SSH Transport Layer Protocol (SSH-TRANS), directly over TCP/IP
     - SSH Authentication Protocol (SSH-AUTH), over SSH-TRANS
     - SSH Connection Protocol (SSH-CONN), over SSH-AUTH
     - SSH File Transfer Protocol (SSH-SFTP), one application carried in an SSH-CONN channel
     Connection establishment:
     1. SSH-TRANS authenticates the host and does the initial key negotiation
     2. SSH-AUTH authenticates the user via flexible methods (formally optional: the protocol defines a “none” method, which a server should not accept)
     3. SSH-CONN provides the channel-based services layer, multiplexing multiple channels simultaneously
     4. SSH-SFTP provides remote file operations for specific applications
  44. Summing Up
     1. Security is Ever Pervasive
     2. SIP is no exception
     3. SIP CIA Model
     4. The ‘Always ON’ Model at Work
     5. Call Flow Scenarios with built-in SIP Security
  45. www.alcatel-lucent.com
