3. VoIP security in the news
VoIP Security Alert: Hackers Start
Attacking For Cash (June 2006)
Two Men Charged With Hacking Into
VoIP Networks (June 2006)
The Internet's a Scary Place for Voice
(May 2006)
Is Your VoIP Phone Vulnerable?
(June 2006)
Are Hackers Eyeing your VoIP Network?
(Sept. 2006)
VoIP Security: It's More Than Data Security
(Aug. 2006)
4. 4
Security Concerns
• Everyone worries
about security
• DoS attacks and
overloads are biggest
worry
Source: Service Provider Plans for Next Gen Voice 2006 (July 2006)
29%
75%
75%
63%
79%
54%
42%
33%
0% 20% 40% 60% 80%
Trade performance
for security
SPIT
Illegal wiretapping
Service topology exposure
Service fraud
User privacy and confidentiality
User/device authentication
and authorization
DoS attacks and overloads of
next gen voice service
infrastructure
Percent of Next Gen Voice
Respondents Rating 6 or 7
6. IMS: Is Missing Security
DoS/DDoS
attacks
Traffic
overloads
Viruses &
malware
Service
fraud
Identity
theft
Eves -
dropping
SPIT
Security feature requirement IMS function/feature
Access control - static IP address list Core IMS functions, not applicable for UE
Access control - dynamic IP address list Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII x
Topology hiding (NAPT at L3 & L5) I-BCF only, THIG sub-function IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Authentication - subscriber & CSCF IPSec, SIP digest IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Authorization - subscriber HSS function IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Signaling encryption IPSec IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Media encryption Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Admission control - I/S-CSCF constraints Not addressed
Admission control - network bandwidth constraints PDF/RACS function
Admission control - user limits: sessions (#) Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Admission control - user limits: bandwidth Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
SIP message & MIME attachment filtering/inspection Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Signaling rate monitoring & policing Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Bandwidth monitoring & policing Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Call gapping - destination number Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
Call gappping - source/destination CSCF or UE Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
QoS marking/mapping control Not addressed IIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIII
7. Internet
Types
_ Malicious attacks
_ Non-malicious – poor behaving
endpoints, power outages
Solution requirements
_ SBC DoS self-protection
• Access control - static & dynamic
• Trusted & untrusted paths with policed
queues
• IDS capabilities
_ Service infrastructure DoS prevention
• Access control - static & dynamic
• Topology hiding
• Signaling rate plicing
• Bandwidth policing
DoS/DDoS attacks threaten
subscriber retention and revenue
PSTN
Transit
& O&T
HIP IC
Services
O&T
HIP IC
Services
1
2
4
3
8. Viruses & malware can threaten IC
endpoints and service infrastructure
SIP MIME attachments are powerful tool for richer call ID
- vcard text, picture or video
Potential Trojan horse for viruses and worms to general-
purpose server-based voice platforms
_ SIP softswitch, IMS CSCF, SIP servers, app servers
_ SIP PBX
_ SIP phones & PCs
New endpoint vulnerabilities
_ Embedded web servers - IP phones
_ Java apps – liability or asset?
Solution requirements
_ Authentication
_ SIP message & MIME attachment filtering
_ Secure OS environment
SQL
Slammer
Melissa
Code Red
Nimda
Sobig
Love
Bug
Klez
Michelangelo
9. Internet
Service fraud risk
is business model dependant
Business model dimensions
_ Internet vs. managed network
_ Free vs. fee based
_ Anonymous vs. not anonymous
Types of fraud
_ Service theft
_ QoS theft
_ Bandwidth theft
Solution requirements
_ Access control
_ Authentication – subscriber
& SIP signaling elements
_ Authorization – subscriber
_ Admission control – subscriber
limits - # sessions & bandwidth
_ QoS marking/mapping control
_ Bandwidth policing
PSTNMPLS
NONE
NONE
DiffServ-3
1
2
4
3
A B
10. Identity theft can’t be
prevented entirely by technology
How do you know you are talking to Bank of America?
Web site techniques don’t work for IC
- work for many-one, not many-many
Solution requirements
– Authentication, access control
– Trust chains - pre-established technical & business relationships
11. Eavesdropping threat is over hyped
Less risk than email, who encrypts email?
_ Email is information rich (attachments), voice not
_ Email always stored on servers, only voice mail
_ Email always stored on endpoints, voice not
Who is at risk?
_ Bad guys - Osama, drug cartels,
pedophiles, etc.
_ Law enforcement
_ Money, love, & health-related
– insider trading, adultery, ID theft,
Solution requirements
_ Authentication – subscriber
_ End-to-end encryption (EXPENSIVE)
• Signaling (TLS, IPSec)
• Media (SRTP, IPSec)
12. SPIT will be annoying,
& possible tool for ID theft
Will anonymous, cheap Yahoo subscriber (aka SPITTER)
be able to call money-paying Verizon subscriber to solicit
- phone sex, penis enlargement, Viagra pill purchase?
Techniques that won’t work
_ Access control – static
_ Content filtering
_ Charging - $/call
_ Regulation
Solution requirements
_ Access control
– dynamic, IDS-like
_ Authentication
_ Admission control
– subscriber limits (#)
_ Trust chains - pre-established
technical & business relationships
14. The future IC net?
The Internet
I
The Federnet
F
F
F
F F
15. Net-Net
Security issues are very complex and multi-dimensional
Security investments are business insurance decisions
_ Life – DoS attack protection
_ Health – SLA assurance
_ Property – service theft protection
_ Liability – SPIT & virus protection
Degrees of risk
_ Internet-connected ITSP ` High
_ Facilities-based HIP residential services
_ Facilities-based HIP business services
_ Peering Low
_ NEVER forget disgruntled Malcom, OfficeSpace
Session border controllers enable service providers
to insure their success
16. Monitor, report & record
attacks & attackers;
provide audit trails
Net-SAFE – security requirements
framework for session border control
Protect against SBC DoS attacks & overloads
(malicious & non-malicious)
Session-aware
access control
for signaling
& media
Prevent DoS
attacks on service
infrastructure &
subscribers
Complete
service
infrastructure
hiding & user
privacy support
Support for L2 and L3 VPN
services and security
Prevent misuse & fraud;
protect against
service theft
17. Acme Packet Net-Net SD “flawlessly passed
all of CT Labs’ grueling attack tests”
Total of 34 different test cases, using over 4600 test scripts
No failed or dropped calls, even for new calls
made during attacks
No lost RTP packets during attacks
Protected the service provider equipment – did not
allow flood attacks into core, stopped packets at edge
SD performance not impacted during attack
– SD CPU utilization - only
10% increase
– Signaling latency - only
2 ms average increase
– RTP jitter – less
than 1 ms increase
(not measurable by
test equipment)