systems-approach-security_masters-thesis_Halla_2016-08-10

Applying a Systems Approach to Security in a Voice Over IP System
Case Study: IP PBX System in a Small Company
Antti Halla
Helsinki University of Technology
Supervisor: Professor N. Asokan
Instructor: M.Sc. Juha Sääskilahti
10th
August 2006

HELSINKI UNIVERSITY OF TECHNOLOGY
Department of Computer Science and
Engineering
ABSTRACT OF
MASTER’S THESIS
Author Date
10th August 2006
Antti Halla Pages
68
Title of thesis
Applying a Systems Approach to Security in a Voice over IP System
Professorship Professorship Code
Telecommunications Software T-110
Supervisor
Professor N. Asokan
Instructor
M.Sc. Juha Sääskilahti
The objective of this work is to evaluate security in parts of a system in
relation to security of a whole system. The focus is on Voice over IP (VoIP)
systems. VoIP systems have recently been discussed widely, and their
security aspects have received much of criticism.
This work is also an attempt to combine different areas of security into a
coherent whole. The method of research used is systems methodology.
Systems approach itself is directed towards entities, which might make it
useful for studying security of a whole system.
In this thesis a method for studying security in a system is outlined. A case
study about security in a VoIP system of a small company applies this
method, and at the same time demonstrates VoIP and security concepts.
Systems methodology is a general methodology for understanding specific
systems in a specific environment. It begins to look at a system with little or
no assumptions at all. In security context this means that there are no
assumptions for example about security requirements for the system, but
they are discovered through the process of systematic inquiry.
Keywords:
Security, Voice over IP, Systems Methodology, Risk Management, System
Development
TEKNILLINEN KORKEAKOULU DIPLOMITYÖN TIIVISTELMÄ
2

Tietotekniikan osasto
Tekijä Päiväys
10.8.2006
Antti Halla Sivumäärä
68
Työn nimi
Applying a Systems Approach to Security in a Voice over IP System
Professuuri Koodi
Tietoliikenneohjelmistot T-110
Työn valvoja
Professori N. Asokan
Työn ohjaaja
DI Juha Sääskilahti
Työn tavoitteena on järjestelmän yksittäisten osien turvallisuuden arvioiminen
osana systeemin kokonaisturvallisuutta. Tarkastelun kohteena on Voice Over
IP (VoIP) systeemit. Ne ovat olleet viimeaikoina keskustelun kohteena, ja
niiden turvallisuusominaisuudet ovat saaneet osakseen arvostelua.
Tämä työ on samalla myös yritys yhdistää eri tietoturvallisuuden osa-alueita
yhteen yhtenäiseksi kokonaisuudeksi. Tutkimuskeinona on käytetty
systeemimetodologiaa. Systeemilähestymistapa jo itsessään korostaa
kokonaisuuksia, joten se voisi soveltua myös kokonaistietoturvan
tutkimiseen.
Tutkimuksessa hahmotellaan metodi järjestelmän tietoturvan
analysoimiseksi. Tapaustutkimus turvallisuudesta pienyrityksen VoIP-
järjestelmästä soveltaa hahmoteltua metodia ja kokoaa samalla yhteen Voice
over IP:n ja tietoturvallisuuden käsitteitä.
Systeemimetodologia on yleinen methodologia yksittäisten systeemien
ymmärtämiseen yksittäisessä ympäristössä. Se lähtee tutkimaan
järjestelmää mahdollisiman vähin alkuoletuksin. Turvallisuuskontekstissa
tämä tarkoittaa, että esimerkiksi turvallisuusvaatimuksia ei oleteta, vaan ne
etsitään systemaattisen tutkimusmetodin avulla.
Avainsanat
Turvallisuus, Voice over IP, Systeemiajattelu, Riskinhallinta,
Järjestelmäkehitys
3

Contents
Contents...................................................................................4
List of Figures..........................................................................6
List of Tables...........................................................................7
Glossary of Terms...................................................................8
Acknowledgements...............................................................10
1 Introduction..................................................................11
1.1 Motivation..............................................................11
1.2 Research Question...............................................12
1.3 Structure of the Thesis..........................................12
2 Voice Over IP Systems.................................................13
2.1 VoIP and Network Convergence...........................13
2.2 Applications of Voice over IP.................................14
2.3 Common Functionality in Voice over IP Systems. .15
2.4 Technological Basis of Voice over IP Systems......16
3 Security.........................................................................21
3.1 Computer Security................................................21
3.2 Risk Management.................................................25
3.3 Security Mechanisms............................................25
4 Voice over IP Security..................................................28
5 Systems Methodology.................................................30
5.1 Systems Theories.................................................31
5.2 System and its Environment..................................31
5.3 Systems Thinking..................................................33
5.4 Systems Approach to Problem Solving.................33
6 Method for Studying Security Aspects of a System..36
6.1 Overview of the Method........................................36
6.1 Iteration 1: System Model.....................................38
6.2 Iteration 2: Security Analysis.................................40
6.3 Further Iterations...................................................42
7 Case Study: IP PBX System Security.........................43
7.1 VoIP System Model...............................................44
7.2 Communication System Model..............................47
7.3 Communication System Security Analysis............49
7.4 VoIP System Security Analysis..............................51
7.5 Intranet Model.......................................................52
7.6 Intranet Security Analysis......................................54
7.7 Home Network Model............................................55
7.8 Home Network Security Analysis..........................56
7.9 Internet Model.......................................................57
7.10 Internet Security Analysis......................................58
7.11 User Terminal Mode..............................................58
7.12 User Terminal Security Analysis............................60
7.13 Case Study Summary...........................................61
4

8 Conclusions..................................................................62
8.1 Evaluation of Systems Methodology.....................62
8.2 Further study.........................................................63
9 Summary.......................................................................65
10 References....................................................................66
5

List of Figures
Figure 1: Migration from vertical to horizontal service architecture (source[12])13
Figure 2: Simplified network overview.................................................................17
Figure 3: TCP/IP protocol stack.............................................................................18
Figure 4: Simple VoIP call sequence......................................................................19
Figure 5: Media transfer.........................................................................................20
Figure 6: Security threats (source [22] )................................................................22
Figure 7: Waterfall development model.................................................................23
Figure 8: Security concepts....................................................................................23
Figure 9: Testing in waterfall model......................................................................24
Figure 10: Security division...................................................................................26
Figure 11: System in its environment....................................................................32
Figure 12: Black-box and white-box models.........................................................35
Figure 13: Method overview..................................................................................37
Figure 14: Recursions of the method.....................................................................37
Figure 15: Function model.....................................................................................38
Figure 16: Context model......................................................................................39
Figure 17: Structure model....................................................................................40
Figure 18: Process model.......................................................................................40
Figure 19: IP PBX system overview......................................................................43
Figure 20:Company system hierarchy...................................................................44
Figure 21: VoIP system function............................................................................44
Figure 22: VoIP system context.............................................................................45
Figure 23: VoIP system structure...........................................................................45
Figure 24: System in its physical environment......................................................46
Figure 25: VoIP system process.............................................................................47
Figure 26: Communication system function..........................................................47
Figure 27: Communication system in its organizational environment..................48
Figure 28: Communication system structure.........................................................48
Figure 29: Intranet structure...................................................................................53
Figure 30: Intranet process.....................................................................................53
Figure 31: Home network structure.......................................................................55
Figure 32: Home network process.........................................................................56
Figure 33: Internet function...................................................................................57
Figure 34:User terminal function...........................................................................58
Figure 35: User terminal structure.........................................................................59
Figure 36: User terminal process...........................................................................60
6

List of Tables
Table 1: VoIP system reference points...................................................................46
Table 2: VoIP system process descriptions.............................................................47
Table 3: Communication system process model....................................................49
Table 4: Threats to communication function.........................................................49
Table 5: Threats in communication context...........................................................50
Table 6: Threats to communication system structure.............................................50
Table 7: Threats to VoIP system function...............................................................51
Table 8: Threats to VoIP system context................................................................51
Table 9: Threats to VoIP system structure..............................................................51
Table 10: Interception of VoIP system process......................................................52
Table 11: Intranet reference point descriptions......................................................53
Table 12: Intranet process......................................................................................54
Table 13: Threats to intranet function....................................................................54
Table 14: Intranet threats in context.......................................................................54
Table 15: Intranet threats to structure....................................................................54
Table 16: Intranet, causes of interception..............................................................54
Table 17: Home network reference points.............................................................56
Table 18: Home network process model................................................................56
Table 19: Threats to home network function.........................................................56
Table 20: Home network threats in context...........................................................56
Table 21: Threats to home network structure.........................................................56
Table 22: Home network, causes of interception...................................................57
Table 23: Threats to internet function....................................................................58
Table 24: Internet threats in context.......................................................................58
Table 25: User terminal reference point descriptions............................................60
Table 26: User terminal process descriptions.........................................................60
Table 27: Threats to user terminal function...........................................................60
Table 28: User terminal threats in context.............................................................61
Table 29: Threats to user terminal structure...........................................................61
Table 30: User terminal process interruption.........................................................61
7

Glossary of Terms
ADSL Asymmetric Digital Subscriber Line
Availability The property of a system or a system resource being
accessible and usable upon demand by an
authorized system entity, according to performance
specifications for the system. [4]
Data confidentiality The property that information is not made available
or disclosed to unauthorized individuals, entities, or
processes. [4]
Data integrity The property that information has not been changed,
destroyed, or lost in an unauthorized or accidental
manner. [4]
DMZ DeMilitarized Zone
DNS Domain Name Service
DoS Denial of Service
Environment of a
System
A set of elements and their relevant properties, which
elements are not part of the system, but a change in
any of which can cause or produce a change in the
state of the system. [8]
GPRS General Packet Radio Service
IDS Intrusion Detection System
IMS IP Multimedia Subsystem
IP Internet Protocol
ISDN Integrated Services Digital Network
LAN Local Area Network
NIDS Network Intrusion Detection System
PBX Private Branch Exchange
PSTN Public Switched Telephone Network
RTCP Real-Time Control Protocol
RTP Real-Time Transport Protocol
SDP Session Description Protocol
SIP Session Initiation Protocol
System A set of interrelated elements, each of which is
related directly or indirectly to every other element,
and no subset of which is unrelated to any other
subset. [8]
8

System integrity The quality that a system has when it can perform its
intended function in an unimpaired manner, free from
deliberate or inadvertent unauthorized manipulation.
[4]
TCP Transmission Control Protocol
TLS Transport Layer Security
UDP User Datagram Protocol
UMTS Universal Mobile Telecommunications System
VLAN Virtual Local Area Network
VoIP Voice over IP
WLAN Wireless Local Area Network
9

Acknowledgements
I want to thank my supervisor professor N. Asokan for advice and
encouragement, and my instructor Juha Sääskilahti for guiding me through
the whole work. Thanks to Antti Alinen for review and professor
Teemupekka Virtanen for instructions in the beginning of the work.
Thanks to my employer Ericsson for making this thesis work possible, and
especially all the people at NetworkSecurity department. Finally thanks to
each and all of you who supported me along the way in any way.
10

1 Introduction
1.1 Motivation
Security as a basic need has always been there. In contrast, security as a
field of study has got a new dimension during the last few decades along
with new technological innovations. The number and the capacity of
computers and networks has been growing rapidly, and at the same time
people are learning more about using, and abusing these new
technologies.
One of the current trends in technology is called network convergence. A
main technological aspect of this course of development is that the
traditional telephone networks, mobile telephone networks and the Internet
are gradually merging into one global communication system.
The Internet was mainly designed for data transfer. It is now facing new
challenges, especially regarding availability and quality of service, as it is
required to provide increased support for transport of real-time media such
as audio and video. The traditional telephone networks are also facing
new challenges as they are migrating into using Internet technologies.
Assuring high level of quality and availability in the telephone service is
one issue. Another major issue is security. The internet is notorious for its
security problems. Virus attacks, unauthorized use of computer systems,
denial of service attacks and website incidents have become a
commonplace in the internet today [11]. Voice over IP (VoIP) systems
have to be prepared to meet these threats.
Security in communication networks is a complex issue. There are large
numbers of interconnected networks that are owned and controlled by
different parties. These networks often span large areas and connect large
numbers of computers and other network nodes together. In principle, a
security breach in any part of the network could endanger the security of
the whole network.
The field of computer security began with a focus on single computer
systems. Over time the focus shifted from individual computers to
computer networks [1]. Focusing only on either one will not bring us
secure communication systems. We need to develop the security in both
of them and to understand how they are interrelated to each other.
Systems methodologies give us conceptual tools for understanding
systems in relationship with their environment. They help us to understand
and to improve existing systems and to develop altogether new systems
that are better adapted for specific purposes and specific environments.
They help us first to find, and then to concentrate on the most essential
aspects of systems while avoiding unnecessary details, depending on the
situation and the environment.
11

1.2 Research Question
The main research question of this thesis is:
What are the main benefits of systems methodology in
studying security aspects of Voice over IP systems?
We start with the hypothesis that systems methodology will help us to
combine different aspects of a VoIP system, and the security in them
together in a way that would provide practical information for developing
security in real-world VoIP systems. We expect the systems approach to
provide us with means to find a balance that optimizes the cost of security
measures and achieved decrease of risk in the whole system. The
resulting method should include both technological and social dimensions
to the VoIP system. It should also provide a high-level conceptual
framework for managers with sufficient details for engineers to facilitate
understanding and communication of security aspects of VoIP systems.
To answer the research question we first need to gather some background
knowledge on the subject. The background study tries to answer the
following five questions:
What are VoIP systems? What is their technological basis?
What are the security aspects of a system in general?
What are the security aspects of VoIP systems in particular?
What is systems methodology?
How to apply systems methodology in practice?
Each of these five questions is discussed in their own chapters. A case
study is then performed to provide a basis for evaluating the methodology,
whether it is feasible for this purpose, and whether it brings new aspects to
security in Voice over IP systems.
1.3 Structure of the Thesis
Chapter 2 gives an overview of Voice over IP Systems and their
technological basis.
Chapter 3 discusses computer security in the context of risk management
and system development.
Chapter 4 discusses security aspects of VoIP systems.
Chapter 5 is an introduction to systems thinking and systems
methodology.
Chapter 6 describes a method for studying security aspects of a system.
Chapter 7 demonstrates the use of the method that is described in
Chapter 6. The method is applied to an VoIP system of a small company.
12

2 Voice Over IP Systems
In this chapter we will look at the general overview of Voice over IP and its
uses. We will discuss example applications of VoIP and the common
functionality in them. Finally we will look at the basics of Voice over IP
technology.
2.1 VoIP and Network Convergence
The technology environment in the Internet is very different from that of the
traditionally closed telephone systems. Traditional telephone companies
used to have separate networks for fixed, mobile, and data
communication, each of which had their own set of services. The
architecture of the internet is fundamentally different. Internet technology
supports provision of both data and voice services. It does that
independent of access method, whether one connects from a fixed or
mobile terminal. In traditional networks the operator could control the
provision of services, in the internet basically anyone can set up a service
for anyone else to use. This difference between traditional vertical
architecture and internet technology’s horizontal architecture is illustrated
in Figure 1 [12].
Figure 1: Migration from vertical to horizontal service architecture (source[12])
In general, Voice over IP means transmitting telephone calls using internet
technologies. The current trend is to replace the traditional circuit switched
telephone networks with more general purpose and relatively low cost
packet switched infrastructure. As with traditional telephone networks VoIP
consists of technologies for signaling and transfer of voice. In the case of
VoIP, the voice might be combined with video or data transfer as well.
VoIP can be found in many different kinds of applications. Internet access
providers and independent service providers have offerings for VoIP
services. Corporations are migrating to VoIP in their internal telephone
systems. VoIP is also used in the internal networks of the operators. [9]
Users can access VoIP applications from fixed, wireless or mobile
terminals. Most of the VoIP terminals today are fixed, but the number of
mobile and wireless terminals is increasing. Although mobility is a trend in
13

user terminals and on the last mile of the connection, practically all the
transport networks use fixed lines. [12]
The overall trend is for the current circuit switched, fixed telephone
network, the mobile networks and the Internet to merge into a single global
communication system, which is built mostly upon internet technologies.
2.2 Applications of Voice over IP
IP Multimedia Subsystem – IMS
IMS is a standardized platform for multimedia services that has been
developed as a joint effort of various technology vendors, tele operators
and public representatives. It is planned to gradually replace the current
circuit switched telephone systems. The architecture has been designed
for multiple access methods, that is, it can be accessed from any access
network, either fixed or mobile. The IMS is a way to gradually execute a
controlled migration from vertical service architecture to a horizontal one
by those who own the physical networks.
Service providers in IMS systems can be independent third parties. The
platform has defined interfaces to facilitate fast development of value-
added services. IMS provides users with multimedia calls and multimedia
services. IMS provides operators a means to charge the users for
services using different charging schemes. This is a feature that Internet
has been lacking. IMS also facilitates roaming, quality of service, and
interconnection with PSTN. Having support for legacy networks, the
services developed for GSM and PSTN networks are compatible with the
IMS system. [2]
VoIP as Extension to Instant Messaging
Instant messaging systems like MSN Messenger, Yahoo Messenger,
Google Talk or online-gaming systems have added voice capability to their
chat services. Registered users can set up a voice connection with other
users of the system. The service is essentially free of charge for the users.
Services typically facilitate user mobility: a person can log in to the system
from any terminal connected to the Internet. Other services include
presence service and directory service. The caller finds the network
address of the callee through the system, after which a point-to-point call
connection is created between the caller and the callee.
Skype
Skype is a VoIP application that has become very popular in a very short
time. Skype users can call other Skype users in the internet as well as
make calls to PSTN and receive calls from PSTN to their terminal in the
internet. The protocols used are proprietary, and there is little information
available of the actual implementation details of Skype.
The idea behind Skype is very different from that of the traditional
telephone networks. It uses peer-to-peer networks in routing the calls.
14

Central servers are used for users to initiate and authenticate their client
software. Supernodes are used by clients to bypass network devices that
limit connectivity, such as Network Address Translators (NAT) and
firewalls. Skype traffic is encrypted in some unknown way and the route
through network to reach other clients in the P2P network is unspecified.
[20]
IP Private Branch Exchange – PBX
Large organizations often have their own internal telephone networks that
are implemented using a Private Branch Exchange system. These
systems are typically connected to the PSTN to allow calls to and from
other telephone networks. The main reason for PBX deployment is cost
savings for the company. [13]
IP PBX systems that use VoIP technologies are gradually widening their
user base. The IP based PBX systems can utilize the often already
existing IP network infrastructure resulting in cost savings. This makes it
attractive for both new customers and existing owners of circuit switched
PBX systems that want to migrate into IP based systems.
In addition to phone calls, a PBX might provide additional services such as
call forwarding, voice-mail or teleconferencing. The service can also be
centralized and operated by an external service provider. It is then called a
centrex service.
2.3 Common Functionality in Voice over IP Systems
The different types of VoIP systems have their own special characteristics,
and they are used for many different purposes. They still have much in
common and often need to address same kinds of needs of the users.
Incoming and Outgoing Calls
The most basic service is of course the phone call. It still is also the most
important one. In addition to stand-alone calls, the call service is becoming
more often integrated into computer applications such as instant
messaging applications and computer games. From the user point of view,
incoming and outgoing calls function as in traditional telephone systems.
From the network point of view the Internet, for example, brings special
asymmetry to VoIP systems. Some solution is needed to contact network
nodes and user terminals that reside behind restricting firewalls or
Network Address Translators (NAT).
Mobility
Mobility in communication systems can be divided into three categories:
user mobility, terminal mobility, and service mobility. User mobility is the
user’s capability to connect to the services from any terminal connected to
the system. Terminal mobility is the mobile user terminal that allows the
user to move around freely. When a user of a mobile phone uses a
network of another service provider, for example in a foreign country, it is
15

called roaming. If the user is then able to utilize the same services as in
the home network, it is called service mobility. [14]
Interworking
There is a need for communication between networks that use different
technologies. Interworking refers to the case where for example a call is
made from the Internet to a phone in the public switched telephone
network (PSTN). It requires technical arrangements for converting the
signaling data and the media stream to a suitable form for the other
network. Standardized and open protocols, and interfaces have been
developed to facilitate interworking. It also often requires special
arrangements and contracts to be made between the network operators or
owners.
Other Services and Functionality
Other services that VoIP systems might provide are services such as the
value-added services in the traditional telephone networks: voice-mail,
call-forwarding, and conference calls. One service that has been common
for instant messaging applications in the Internet is the presence service.
It provides real-time information about the current availability status of the
system users.
2.4 Technological Basis of Voice over IP Systems
The technological basis of VoIP systems is that of the internet and
telephone networks. Figure 2 shows a simplified example of a network. A
user can connect to the network using different kinds of equipment. The
service network can provide routing of a phone-call to the receiver
somewhere in the network, or there can be a voice-mail box for the user.
Transport networks mediate the traffic between users, and between users
and services.
16

Figure 2: Simplified network overview
User Terminals
A user terminal is the physical device that the user needs to connect to the
network. The terminals are often divided into softphones and hardphones.
Softphone is basically a PC installed with VoIP software, and a hardphone
is a piece of hardware dedicated to be used in a VoIP network. At the
moment most of the terminals use fixed line connections, but the number
of terminals with mobile or wireless access is increasing. The terminals are
used both to connect with people and to access various information
resources.
Service Infrastructure
Service infrastructure is often built on PC platforms, using common
operating systems like Windows, Linux, Unix or Solaris. There are servers
for handling the call logic, subscriber databases, gateways that handle
connectivity with neighboring networks, proxies and relay servers to
facilitate routing of the calls, operation and management nodes and
security related components. In large networks the functionality is
distributed across many network nodes, but in a small office setup a single
node can perform most of the required functionality.
17

Transport Networks
Transport networks can be dived into access and trunk networks [23].
User terminals, home networks, or company intranets connect to access
networks. Connection can be fixed, as in a modem, ISDN, ADSL or cable
modem connection. It can use wireless links such as WLAN, or mobile
connection such as GPRS or UMTS. Different connection types have
different characteristics regarding bandwidth, response time, cost, and
terminal mobility.
Trunk networks connect access networks and other trunk networks
together. They often span large geographical distances and transport large
amounts of data. This is the least visible part of the network to the users.
Internet Technology
VoIP applications utilize the same technologies that are commonly used in
the Internet. The networks are built using Ethernets, switches, routers,
Domain Name Servers (DNS), firewalls that are the building blocks in any
IP network. They are used in a same way as in data communication,
although VoIP might bring some additional requirements to them
concerning quality of service, connectivity and security.
TCP/IP protocol suite is the core of the Internet technology. The
characteristics of TCP/IP give raise to many of the issues in VoIP. TCP/IP
was originally designed for data transmission in packed switched
networks. Transmission of real-time media on the other hand has been
found out to be a challenge in the Internet.
Figure 3: TCP/IP protocol stack
The layer model in Figure 3 depicts how the protocols in TCP/IP are build
one on another to form a stack. For example, a computer application can
send audio signal to another application on a different computer over the
network. This signal can be transported inside Real-time Transport
Protocol (RTP) packets. These RTP packets are then encapsulated inside
18

a User Datagram Protocol (UDP) packet that in turn is encapsulated inside
an IP packet. The IP (Internet Protocol) packets can be transported over a
variety of different networks such as local area networks (LAN), wireless
LANs (WLANS) or Universal Mobile Telecommunication System (UMTS)
that have utilize some specific data link protocols. There the information is
carried in electric, electromagnetic or optical form to the receiver.
TCP/IP provides two protocols for applications to use at transport layer:
TCP and UDP. TCP is used to establish reliable connections between
applications in separate network nodes. UDP on the other hand is a
connectionless protocol. The packets travel independent of each other and
there is no guarantee for their delivery. [18]
In principle, both UDP and TCP can be used to deliver signaling and
media in VoIP applications. TCP is often used in session management and
UDP in transferring real-time media because of their different
characteristics.
VoIP Protocols
VoIP systems can utilize many different protocols as any application in the
internet does today. By VoIP protocols we mean the protocols that are
common and specific to all VoIP applications. The protocols can be divided
into signaling protocols and media transfer protocols.
Session Management.
Signaling protocols are needed to set up and manage call sessions and
other VoIP services. The most significant signaling protocol in the Internet
today is Session Initiation Protocol (SIP) that is defined in RFC 3261 [3]. It
is accompanied with Session Description Protocol (SDP) that is used to
actually describe the content of SIP communication. SDP is defined in
RFC 2327 [6].
RTP Traffic
BYE
OK
INVITE
ACK
OK
Figure 4: Simple VoIP call sequence
19

Figure 4 shows a simplified phone call using SIP and RTP. Alice calls Bob
by sending him a SIP INVITE message. Bob answers the call by replying
with an OK message. Alice confirms by sending and ACK message. Now
the session is open and the conversation is transferred using RTP
protocol. After the conversation is over, Alice hangs up by sending a BYE
message, and Bob confirms with an OK message. In practice there is
likely to be other nodes in between facilitating the call process.
Media Transfer
SIP and SDP are first used to set up the sessions. The media protocols
are then used to transport the actual content of the communication in the
networks. The most used of these is Real-time Transport Protocol (RTP)
that is defined in RFC 3550 [5]. RTP is a connectionless protocol that is
carried on top of the UDP protocol.
Figure 5: Media transfer
The phases of the media transfer are illustrated in Figure 5. The speaker
talks to a microphone that is connected to an analogue to digital converter
such as a sound-card in a computer. The digital audio signal is then
encoded and compressed before it is encapsulated into RTP packets for
transport in the IP network. The receiving end then has to decode the
media signal back to digital waveform, convert it back to analogue signal
and finally in a loudspeaker into sound waves that the receiver can hear.
20

3 Security
Security is a broad subject that encompasses all the different aspects of a
system, both technological and social. Our concentration here is on
securing communication systems, such as a Voice over IP system, and the
information transferred over them.
We will look at the security from point of view of system development, how
we build secure systems and how can we be sure that they really are
secure. Then we consider the security in a larger context, as part of risk
management: how much security do we need and how much we are ready
to pay for it? Finally we discuss some security mechanisms that ensure
that the system fulfills their security requirements.
3.1 Computer Security
Confidentiality, Integrity, Availability
There are three aspects that are commonly used to describe computer
security: confidentiality, integrity and availability. Confidentiality refers to
protecting from unauthorized access to information. Integrity refers to
protecting the information from unauthorized modification. Availability is
about assuring authorized parties access to information or services. [1]
Access control mechanisms and cryptography are typically used to protect
confidentiality and integrity in computer systems. The information is made
unreadable by unauthorized users by encrypting it. The integrity of
information can be verified utilizing cryptographic signatures. Availability in
general is often improved designing systems according to statistical
models of user traffic. [1]
Threats to Communication
Threats can be seen from the point of view of information flow between
two communicating entities. Instead of a desired normal flow,
communication can be interrupted, intercepted, modified or fabricated
(Figure 6). Interrupted flow means that the message that is sent is not
delivered to the recipient, interception means that the message is
delivered to a third party in addition to the legitimate recipient. Modification
refers to a case where a third party is able to get a hold on the message
and modify its content before it is delivered to the recipient. Fabrication
means that a third party is able to act on behalf of a legitimate message
sender. [22]
21

Figure 6: Security threats (source [22] )
System Development
System development is a large subject containing all the phases in the life
cycle of a system, from the drawing board to eventual disposal. We need
to know what kind of a system we need, to know how to build it, and then
build it.
The waterfall model (Figure 7) is a top-down model of system
development. It defines seven development phases: requirements,
specifications, design, implementation, integration, and operation and
maintenance. Requirements define what is wanted from the system, and
they are typically defined by the customer. Specification defines the
system in more technical terms and in detail. Design phase describes how
the system is going to be built. In the implementation phase the
components of the systems are built based on the design, and in the
integration phase the single components are combined together to form
the complete system. The system can then be deployed and put into use
in the maintenance phase. [33]
22

Figure 7: Waterfall development model
The waterfall model is selected here for simplicity. It is only one of many
different development models, but it presents the essential aspects of
development and it suffices for our study.
Building Secure Systems
It is one thing to build systems that work. The next level is to build systems
that are reliable in case of accidents and unexpected events. Building
secure systems means the system can defend against malicious attacks
that are intended to cause the system to behave in unexpected ways. [16]
Figure 8: Security concepts
23

Figure 8 illustrates some essential security concepts. Secure systems
have protection for the information and services that are valued, assets.
The attacks, and accidents as well, that might happen in the future are
called threats. A security policy defines requirements for protection of the
assets against the threats. [1]
Security mechanisms enforce the security policy of a system in practice.
The functions of security mechanisms can be divided into three classes:
prevention, detection, and recovery. Prevented attacks never succeed in a
first place. Those attacks that get through have to be detected, before
actions to recover from the situation can be taken. [1]
Security mechanisms may also have other functions as side effects. One
that is not that desirable is the effect of the mechanisms to reduce the
usability of the system. On the other hand, in a business context security
mechanisms can also be used as competitive advantage, and to build trust
with customers.
Testing and Assurance
Testing is an essential part of system development. By testing we build
assurance for the quality of the system. To do that properly in the waterfall
model, we need to test the whole chain of development phases.
Verification refers to finding out whether we are building the system right,
and validation to the process of finding out whether we are building the
right system [33]. The implementation is verified against the design, and
design is validated against the system specifications. If the specification is
an accurate description of the implemented system, the system satisfies
the specification [1].
Figure 9: Testing in waterfall model
Security assurance in turn refers to the testing of security aspects of the
system. Its objective is to determine how much we can trust the system
[1]. Security development of a system can be treated analogously to
functional development. Security policy defines the requirements, and the
24

other phases are related to development of the security mechanisms in
the system.
Specifications can be validated against the requirements defined by the
customer. This applies both for functional and security requirements. How
do we validate these requirements? The requirements, define what the
customer wants, but it often fail to define what the customer really
needs[33]. We will present some perspectives into solving this problem
when developing our method in Chapter 6 and Chapter 7.
3.2 Risk Management
Security in a company is essentially part of the risk management process.
In risk management the protected assets are identified and their value
estimated, and the probability and potential damages of threats are
estimated. Some of the identified risks can then be eliminated, some can
be minimized, and the rest of them have to be accepted. From risk
management point of view, the security mechanisms are justified only to
the degree that the costs of implementing them is lower than the expected
loss through realized threats [16].
Risks related to computer security are just one aspect of risk
management. There are also other risks such as accidents, violence, and
natural disasters. When looking at an organization as a whole, we have to
evaluate the risks to information in the context of the other risks. To be
able to compare the risks they need to be quantified first. A simplistic way
to do this is to define a probability for a threat to actualize and the impact
of exploited vulnerability. By multiplying these together we get an expected
value for the loss. Probability of threat x Impact Value = Risk. This
way we can compare different threats decide which ones demand the
most attention. In practice the task of determining the probability and the
impact value is often far from trivial.
3.3 Security Mechanisms
Security mechanisms are the means to fulfill the security requirements for
a system by enforcing the security policy. We have divided the
mechanisms in four groups. The first three groups, network, network node,
and application security, discuss mechanisms on different scales of
computer systems. The fourth, communication security, discusses
mechanisms to protect the communication process between two end-
points, as it starts from one application on one network node and travels
through the network to another application on another node. The division
is illustrated in Figure 10.
25

Application
1
Network Node 1
Network 1
Application
2
Network Node 2
Network 2
Communication
Figure 10: Security division
The following is not an exhaustive listing of existing security mechanisms,
but it rather gives examples of them.
Network Security
Network level security mechanisms protect whole networks or parts of
them. Security mechanisms are built on the border of the network where it
connects to external networks through gateways. The first protection is
typically a firewall that filters incoming and outgoing traffic.
The topology of the network is designed to support security, and often
special security zones with different levels of protection are defined. One
such a zone is De-Militarized Zone (DMZ) that is used for services that
are provided to the external network. This arrangement allows stronger
protection for other nodes such as user terminals or intranet servers.
Other mechanisms include virus protection, Network Intrusion Detection
systems (NIDS) that monitor network traffic for suspicious patterns of
behavior, and NAT that effectively hides the topology of the internal
network and prevents incoming access requests.
Network Node Security
Node level security protects individual computers or other network
elements.
In addition to firewalls protecting whole networks, individual nodes can
also have a firewall, and they can filter incoming and outgoing traffic. They
have different types of access control mechanisms depending on whether
they are mainly designed to be client or server nodes and whether they
are single-user or multi-user systems.
In multi-user and multi-application systems access to data of other users is
limited with access control mechanisms. Applications also need to be
protected from each other as well. Especially the integrity of the operating
system is important as all the applications in the system rely on its
functionality.
Node level Intrusion Detection Systems (IDS) typically monitor and detect
abnormal user behavior and changes in important files. Other mechanisms
include for example virus protection and log files.
26

Application Security
Applications have certain access rights to resources such as files or data
in the memory of the computer they are running on. With communication
applications the application actually has two users: the one who owns the
computer and the person at the other end of the communication.
Local user can often send files or other information from the computer to
the remote party for example during a conversation. The communication
application is rarely intended to allow the remote party access to the local
resources unless the local user explicitly wants that to happen. Poorly
written applications can be tricked to malfunction and allow a remote party
access to confidential data. In a conversation between two mobile phones
this could mean that the other person could get access to the telephone
directory or text message storage of the other person.
Communication Security
Communication security here means the protection of connections, and
the data transferred between two end-points. Protection of
communications can happen at different layers of the TCP/IP protocol
stack (see subsection ). Examples of security mechanisms at different
layers are S/MIME[31] at application layer, Transport Layer Security
TLS[29], and IPSec[30] at network layer, and VLANs[32] at data link layer.
Cryptography is a typical means to protect data. It can protect the
confidentiality of the data, and detect a breach of integrity in it. It also
provides means for authentication of the end-points of the communication,
whether they are computers or people.
Other Aspects
In addition to securing the software side of the information systems, there
is a need for physical protection as well. Physical security is protection of
physical assets with locks, walls, doors, buildings, surveillance cameras,
alarms, guards and other physical means. If we consider computer
security as a whole we have to take into account also the physical space
around the computers and networks. Even though the access controls and
firewalls in software would be in good condition, someone might just steal
the computer and the valuable information in it. Cryptography might
protect voice communication between two terminals, but it does little to
counter eavesdropping of the physical space around the terminal.
In order to get the define security policies and implement security
mechanisms that enforce them in practice, we need an organization that
manages and coordinates the security processes. Important questions to
take into account include division of power and responsibilities, and
allocation of resources [1].
27

4 Voice over IP Security
In this chapter we will look at security from the point of view of VoIP
systems, and consider expectations towards security in VoIP systems. The
presentation in this section is brief and general. The case study in Chapter
7 will give us deeper understanding of security in a VoIP system.
VoIP systems are computer communication systems, so basically all the
security principles presented in Chapter 3 apply to VoIP systems as well.
The function of security is to prevent, detect, and recover from attacks
against the VoIP system.
Voice over IP security alliance has divided threats to VoIP security and
privacy into six categories in its threat taxonomy. Social threats include
threats such as misrepresentation, theft of services, and unwanted
contact. Eavesdropping threats target the signaling and media, and
includes traffic capture, number harvesting, and call pattern tracking.
Interception and modification threats are those where the attacker has
access to complete control or media stream and is able to alter it. Service
abuse category includes different forms of identity theft, methods for
concealing fraud, and methods to bypass billing functions of a system. All
the forms of denial of service attacks are included in intentional
interruptions of service. There are also other interruptions such as power
outages and resource exhaustion. [34]
The security mechanisms for VoIP systems are mostly the same ones that
can be used to protect any computer system. Special attention is required
in any case. VoIP systems place additional requirements for the
components regarding performance and security. Performance
requirements might restrict the use of some security mechanisms as well.
[17]
As we saw in Chapter 2, there are many different types of applications of
VoIP. In these different systems, the technology, and security mechanisms
are similar to each other. The purposes of these systems vary from
application to application. What actually makes the difference from the
security viewpoint is the difference in requirements and expectations for
the security of these systems. These are defined by the different parties
that are affected by the level of security of the system.
There are many different parties that have a stake in the quality of VoIP
Systems. Depending on their interests, they in general value different
security aspects of the system more than others. These interests then
have to be combined together to satisfy all the parties. We now look at the
expectations of some of the main interest groups, namely the users, the
service providers, and the governments.
Users are the main target group of VoIP services. After all, a service
without users does not make much sense. Users can roughly be divided
into home users, business users, and government users. Home users
main security interest is typically availability of service. Privacy is another
28

issue of concern for many people. The integrity of call detail records
collected by a service provider is important if the services are charged for.
Governments, in the user role, often have strict requirements for
confidentiality in their activities (military, health care). Public services such
as police and fire departments may have their own dedicated
communication networks which are separate from the ones open for
public. Business organizations utilize public communication networks in
the same manner as home users, while they often have higher
requirements for confidentiality. They may have their own internal
communication networks.
Service providers’ main interest is in protecting the integrity and availability
of the service system. The service system produces value to the owners
and users only when it is available and working. The systems also contain
sensitive data such as subscriber information, charging information, and
details about made calls that need to be protected from unauthorized
access. Service providers typically have to fulfill various amounts of
regulatory requirements, the extent of which depends on the type of the
provided service.
In addition to the user role, governments participate in many ways in VoIP
system development. They pose regulatory requirements, which try to
balance between needs of society, needs of business, and political
agendas. The regulations are not very negotiable after they have been set
and therefore usually have to be taken as given. Lawful interception,
emergency calls, privacy protection, and retention and protection of call
detail records are examples of such regulatory requirements. Some
requirements are conflicting. For example the requirement for lawful
interception is based on public or national safety, and it actually restricts
the amount of privacy and confidentiality protection that is allowed for the
users. The national public communication systems are in the main interest
of governments. On the other hand, the regulators have little interest in
PBX systems used inside companies, and VoIP systems that are used
internally in transport networks of the operators.
29

5 Systems Methodology
Systems methodology is a means to generate understanding on existing
systems and to design new systems. Systems methodology gives tools for
simplifying the emerging complexities and interdependencies between and
within technological and social systems. This chapter presents background
for systems methodology, and defines and describes essential concepts
related to it.
We will use the systems methodology as the basis for a specific method
that will be described in Chapter 6. We can use this method to build
various kinds of system models. A model of an existing system can be
used for analyzing that system, for example to discover problems in it. We
can also design new models that we can later implement into reality.
The term system is used very broadly here. Basically it can mean any
subject under study. For example our system can be a network of
computers. If we need to look into the details, a single specific computer in
that network can be seen as subsystem that we can concentrate on and
take as the new system under study. On the other hand we can look at the
bigger picture and see how the network is a subsystem of an even larger
system such as a business organization or a society.
Systems methodology is very general in the sense that it basically can be
applied to any problem. The target in contrast is specific. Every situation is
regarded as more or less unique. This allows for customized treatment for
each problem that in systems perspective appears to become a set of
interrelated problems. Even with an initial focus on a technical system,
systems methodology draws the attention quickly towards organizational
and human issues. Systems methodology measures the technological
system by the value it produces to the people in its environment. In this
way systems methodology is beneficial in filling the gap between technical
and management issues in security.
The method begins with as little assumptions about the system under
study as possible. In the security context this means that for example the
security requirements of the systems are not given, but they should be
discovered through the process of inquiry. This would mean discussions
and interviews with different stakeholders about their security
requirements for the specific system in questions whenever it is possible.
In principle systems methodology allows examining systems on different
scales using the same concepts and methods. The same iterative
approach can be repeated for subsystems as for the larger whole. The
results differ from each other because on different levels of the system and
in different parts of the system different aspects and properties are
relevant. The organizational, physical, and software dimensions to
systems and security can be treated analogously too. The methodology
facilitates structuring of knowledge. We can explicitly define different levels
of system abstraction which helps us to effectively hide unnecessary
30

details out of the way. Still it allows maintaining of clear connections
vertically between the different abstraction levels.
The methodology enables us to build system models that quickly show us
how different details of the system are linked together in the big picture. It
enables us to spot the places where security breaches might occur. It
facilitates understanding both the user end-to-end perspective and the
technological end-to-end perspective to the system. In the user
perspective we can leave out all the technical details of the system and
consider what the system and its security aspects look like from the user
perspective. On the other hand we can build models that span the whole
communication path through the network from node to node.
5.1 Systems Theories
Systems theories are a relatively new addition to our body of knowledge.
Although their roots date back millennia, the systematic formalization
started in the beginning of the 20th
century[28]. The theories and
methodologies are constantly evolving and there is not any single right
systems approach. Systems approach has been used in fields such as
physics[25] biology[25], cybernetics[27], social sciences[8], and
organizational management & development[24].
While there are many different schools of systems thinking around, we will
mostly follow a systems methodology called interactive management,
using its terminology and concepts related to systems. Interactive
management aims to understanding of purposeful systems such as
business companies and the society. Computer systems can be
considered as subsystems for them, as we are going to see in the case
study in Chapter 7.
In this study we concentrate on technological systems. But while the
system itself is technological, people form an essential part of its
environment. Technological systems don’t have purpose of their own but
they serve the purposes of their environment.
5.2 System and its Environment
First we have to define two important concepts: system and its
environment.
- System: a set of interrelated elements, each of which is related
directly or indirectly to every other element, and no subset of which
is unrelated to any other subset. [8]
The definition of system implies that one cannot fully understand the
behavior of one part of the system without understanding of the whole
system since all parts of a system are interrelated. A change in one part of
the system can affect any other part of that system.
- Environment of a system: a set of elements and their relevant
properties, which elements are not part of the system, but a change
31

in any of which can cause or produce a change in the state of the
system. [8]
In order to understand behavior of a system, one needs to understand its
relationship with the environment too. Systems do not exist in isolation:
they are inseparable from their environment. Every system is here
considered to be an open system.
System’s Environment
System
Figure 11: System in its environment
Figure 11 shows a system, its environment, and interactions between
them. The arrows going into the system are its inputs, and the arrows
coming from the system are its outputs. The relationship between the
inputs and the outputs define the function of the system, and the
relationship between the function and the environment defines the
system’s purpose in that environment.
We can identify different dimensions in a system and its environment. For
example a computer system may be seen from the point of view of the
software system, the physical system (hardware) and the organizational
system.
Organizational dimension defines the main purpose or purposes of the
system. For example a communication system can be part of
organization’s support functions, or it can be a product or service that a
company is providing. Typical terminology for organizational context might
include value, responsibility, power, influence, control, ownership, trust,
agreement, and other concepts describing social relationships.
The software dimension looks at the system from the point of view of
computer networks and software. The starting point is the software
communication channel and related applications such as operating
systems, databases, and network protocols. Typical terminology for
describing network context includes connection, interface, node,
application, data, access, throughput, response time and other computer
software related terminology.
The physical dimension looks at the physical objects, and space, and their
mechanics. In a communication system its starting point is the physical
communication channel and related equipment such as the computers,
network cables and radio links. Typical terminology might include location,
32

distance, movement, speed, weight, material, and other mechanical
concepts.
5.3 Systems Thinking
If we look inside a system we will find it is composed of components and
their relationships: the system has an internal structure. There is also a
specific way, a process, how the system converts the inputs into outputs.
This output is the function of the structure and the process.
Each of these concepts, function, process, and structure, has been
considered to be the most important aspect of a system by different people
at different times. People who stress analysis are been concerned with the
structure, those who stress synthesis with the function and process
orientated people with the process of a system. In systems thinking each
of the three concepts are considered equally essential, and inseparable of
each other. They are basically different views to the same system. [21]
According to Ackoff[19] a main difference between analytical and systemic
approach is the concept of interdependence. In analytical approach it is
assumed that one can understand a system as a whole by taking it to
parts and analyzing these parts independently. It is therefore a
reductionistic approach. In systems approach, we assume that we can
understand the parts of the system only by understanding their
relationships to the whole. All the parts of a system are considered to be
interdependent of each other.
Another difference between analytical and systemic approach is the
starting point of inquiry. If analytical approach to understand computers
starts from dividing it to parts and analyzing them, systems approach
starts from looking at the networks the computers are part of and the
individuals who use them. Analytical approach to studying human behavior
would start from finding out what can be found inside human beings,
systemic approach would first look at their relationships with other people
and the society. Analytical thinking begins by looking into the system.
Systems thinking begins by looking out of the system. [19]
5.4 Systems Approach to Problem Solving
Systemic Problems and Their Treatment
An aim of systems methodology is problem solving. We encounter
problems, and try to look solutions to them. We can develop new systems
to solve problem, or we can change and develop the existing ones.
Systemic problems are problems that require systemic treatment, that is, a
view on the larger whole and understanding of the interrelationships of the
system with its environment. A typical example of systemic problem is the
tragedy of commons.
33

Tragedy of commons means a situation where many parties compete over
a limited amount of shared resources. In addition, every party’s own
interest is to consume as much resources as possible, but everyone’s
consuming as much as possible results in a disaster for everyone. [16],
[24]
These kinds of situations are unlikely to be solved without a systemic
approach that can appreciate the situation as a part of a larger whole.
Problem treatments can be divided into four classes: absolution,
resolution, and dissolution. We can ignore, or absolve, the problem. We
can resolve a problem by finding something that works. We can solve the
problem by finding an optimal answer to the problem. Finally we can
dissolve the problem by redesigning the system so that the original
problem disappears. Dissolving problems is a target of systems approach.
[19]
Context, Problem, Ideal, and Solution
Ackoff and Gharajedaghi suggest making a clear separation between the
problem, the ideal, and the solution. Most importantly, the problem that
describes the current state of affairs should be separated from the ideal
that describes our wanted ideal state of affairs. The actual solution that is
to be implemented is then designed based finding a practical solution
between the problem system and the ideal system. [19], [21]
Defining problems and designing solutions are core targets of systems
methodology. It proposes an alternative way for approaching these
activities. Defining problems in terms of existing solutions is very common
in other approaches. This is typical for disciplinary approach, where
problems are called for example technical, social, economic or political
problems, often depending on the field of expertise of the person solving
the problem. [21]
For example a company might have a problem with employees visiting
suspicious websites and increasing the risk of computer virus infections.
One person says it is a firewall problem and is resolved with a more
restrictive firewall, while another says it is a leadership problem and is
resolved by giving the employees more motivating tasks to direct their
attention elsewhere. By defining problems in terms of existing solutions
poses unnecessary limitations on our choices to solve that problem.
On the other hand, defining solutions based only on the current reality, i.e.
the problem, readily defines unnecessary constraints for the possible
solutions. Designing an ideal design from the scratch, thinking out of the
box, allows for much greater creativity and increases our possibilities.
Defining the problem gives us understanding on the current reality. An
ideal gives us something we can move towards. Based on these models
we can then proceed by planning and implementing changes and
improvements to the current system that in an ideal case dissolves the
original problems altogether.
34

Black-Box and White-Box
An approach to gaining understanding on a system can be described as
either a black-box or a white-box approach. In black-box approach, we
consider only inputs and outputs of a system and hide the details about
the internal structures and processes of a system. Black-box approach
can be used to simplify complex systems and allows us to study ever
larger systems. The white-box approach on the other hand inspects the
internal parts of the system. We need white-box approach to simulate
behavior of real-world systems. These two views are complementary to
each other, and are both useful in understanding systems. [15]
Figure 12: Black-box and white-box models
In practice, a white-box model contains black-box models inside it. The
model is an approximation of the reality. We can look deeper and deeper
into the system by continuing to look inside the black-box models. This
way we can develop more and more accurate approximations of the
system under study. In addition to going deeper into details we can also
continue looking out of the system at ever larger entities that the system is
part of.
35

6 Method for Studying Security Aspects of a
System
This chapter describes a method for studying security of a system. It is
built based on the concepts presented in the previous chapter. It both
combines different systems approaches and simplifies them to better suit
the scope of this study. In the next chapter, a case study is presented
which demonstrates the use of this method in practice.
Systems methodology draws attention to the security in the system as a
whole. The security in subsystems is only secondary. A secure system can
be built with components that would be described insecure if analyzed
independently. The security is not treated as an absolute, but it is rather
evaluated relative to the environment and other parts of the system.
The systems methodology enables us to systematically build models from
many different perspectives at many different levels of scale and detail.
This kind of systematic inquiry enables us to point out those things about
the system that we have too little knowledge about. Executing the inquiry
to ever smaller subsystems while at the same time keeping the models of
different subsystem synchronized is tedious, but at the same time it forces
us to understand the system better. The model grows only by linking
different levels and parts of the system together incrementally. That means
the result is a whole body of interlinked knowledge rather than individual
snapshots of the system. This makes the resulting models also attractive
for use in education and explaining large complex systems to others.
6.1 Overview of the Method
We will concentrate on security evaluation, but the method is also a logical
part of developing security of a system in a given environment (Figure 13).
The method is targeted for an existing real-world system in a specific
environment. An assumption is that a statement about the security of a
system is meaningful only when its environment is defined (section 5.2).
Figure 13: Method overview
36

In a broader context we can see the study method as part of risk
management of an organization or part of a method for system
development. The need and benefits for improving security in different
parts of the system is first identified relative to all the other risks in an
organization. After that improvements to the system are designed and
implemented in the development process.
The method has two main dimensions: recursion and iteration. Recursion
is used to create a hierarchy of systems, to chunk the problem up to larger
supersystems and down to smaller subsystems that are easier to manage
(Figure 14). Each of these subsystems is treated in analogous, iterative
way. Iterative approach is practical for gathering information in cases,
where there is a high level of interconnection between systems. Studying
one part often results in knowledge about other parts. Each of the
successive iterations develops our models and understanding of part of
the system further.
Figure 14: Recursions of the method
Each of the iterations considers four dimensions of the subsystem under
study: function, context, structure and process. Function looks at the
system as a black box, context is about the environment or environments
of the system, structure deals with components, and process with their
interactions (see 5.3).
The first iteration identifies the system and builds a model out of it. The
second iteration is a security analysis, and it utilizes the information
gathered during the first iteration. In third iteration an ideal model of the
subsystem is designed and in fourth it is implemented in practice. We
consider here the two first iterations due to time constraints. Each of the
iterations can be repeated as well. As we study the details or the context
of a subsystem further, we are likely to encounter new information that
affects our models of other parts of the whole system.
Recursion takes a component of the system, and considers it as the new
subsystem under study. The same iterative process is applied for each
subsystem. By recursion we will create a hierarchy of system models,
each of which is directly or indirectly related to each other. A system is
related vertically to the containing larger systems through its context and
to its subsystems through its structure. It is also related horizontally to
systems in the same hierarchical level through its context. (Figure 14)
37

The gathering of information about the system can have many forms,
depending on the level of detail and part of the system, or whether we are
interested for example in the organizational, physical or software
dimension of the system. Ways to get organizational information include
interviews and surveys. Information about software can be achieved by
studying documentation such as technical specifications and design
documents, and source code. In some cases black-box testing is the only
way of inquiry. Physical dimension can be studied from documentation
such as floor plans and by visiting the actual sites.
It is worthwhile to notice that we don’t assume much about the system we
are studying. We for example do not assume any certain set of (security)
requirements, but they should be discovered during the process of inquiry
as we consider the role of the system relative to its context. The case
study in Chapter 7 provides examples for understanding the following
description of the method.
6.1 Iteration 1: System Model
System Model – Function
The functional view is a general description what the system does.
Basically only the the inputs and outputs of the system are identified as in
Figure 15 that corresponds to a black-box model of a system (Section )
The details about internal structures and processes of the system are left
out. The system is also studied out of context. The result might even be
trivial, but the functional view is often the most relevant one when
considering the relationship of the system to its larger containing system. A
system may have multiple functions. Functions can be found by
considering different combinations of inputs and outputs of the system.
Figure 15: Function model
System Model – Context
If the function describes in general what the system does, the context
explains why the system does that. The context looks out of the system
under study. The containing larger system is identified as well as other
interrelating systems as in Figure 16. In the recursive hierarchy these
systems typically are on the same level or above as the system under
study. We then consider the objectives of that containing system as the
reason why the system should perform in a certain way or have certain
38

properties. The context can be looked from the organizational, physical,
and software perspectives (see section 5.2).
Figure 16: Context model
As we consider the organizational dimension of the system and its
environment we reach the actual stakeholders, individual persons and
organizations, for whom the system is built and who are affected by it.
When studying a technological system, context inquiry is therefore also a
link between the functionality of the system, and the purposes of the
people using it. In a communication system context also defines the
content of the information passed through it.
The stakeholders define the expectations and requirements for the system
based on their understanding of the environment and the importance of
the system. The interests of the stakeholders regarding the system under
study may not be aligned, in fact, they may well be contradictory. The
same goes for security related requirements.
System Model – Structure
Structure describes the internal static organization of the system.
Identifying system components means defining a partitioning of the
system, and boundaries of components. Figure 17 that illustrates the
structural view corresponds to a white-box model of a system (Section ),
and is also similar to the context view. The components can be software
structures, mechanical objects, or people, and they are related to each
other through an interface. We can define reference points in between the
components. In these points we can take snapshot views of the processes
of the system. The information might include the interaction medium, the
structure of the information, and amount of traffic. A single structure can be
associated with multiple processes resulting in multiple functions.
39

Figure 17: Structure model
The structures are considered as static components. We don’t assume
anything of their inner workings, but rather treat them functionally,
considering only their inputs and outputs. If we want to gain more
knowledge of the inner structures and processes of a specific component,
we consider it as a subsystem, and then execute the iterative process on
that subsystem again. The other components then become as part of the
context of the new subsystem.
System Model – Process
The process is the dynamic part of the system model. It describes how the
different structures are combined together in order to produce the desired
total function. They describe the interactions of the system components.
Processes combine components through interfaces.
Figure 18: Process model
We can describe the processes with the use of the reference points that
are defined in the structural view. The process has a path through the
system structure where it passes different reference points in some order.
As it moves from one point to another it passes components and results in
a function.
6.2 Iteration 2: Security Analysis
Security analysis uses the system model and analyzes it from the security
perspective. To do that we need a threat model. The choice of the model
should reflect the security requirements for the system. For example in a
40

communication system the information flow can bee seen as a main asset.
The requirements might then be stated in terms of confidentiality, integrity
and availability of this flow. The threat model containing the generic threats
of interruption, interception, modification, and fabrication described in
section corresponds to these requirements.
Security Analysis – Function
The first iteration identified the functionality of the system. That
functionality of the system under study is now analyzed against the threat
model. The result is a general description of the possible malfunctions of
the system. This in practice is a list of potential vulnerabilities in the input
or output dimensions. There might for example be illegitimate inputs or
outputs to the system or the input or output might be modified.
In this phase the details about how exactly the system can be broken is
irrelevant. These aspects are considered later in the structural and
process views to security. The further implications of the malfunctions are
irrelevant as well. They are considered in the context view.
Security Analysis – Context
The functional view on security considered the ways in which the system
in general might malfunction. In contextual view these malfunctions are
then considered in relation to the environment of the system. In this phase
we come up with a list of implications of possible malfunctions to the larger
system, and we can evaluate the severity of their impact. By looking at the
environment we can identify possible sources of attacks too.
One of our aims is to connect together different system levels from the
smallest details to the big picture. This would ideally allow for example to
explain why a software fault in a certain part of a communication system is
harmful for customer relationships of a company. Context is the link
between the system under study and the larger system also in security
aspects.
Security Analysis – Structure
In the structural view the static properties, and logical, physical, and social
relationships are in focus. We try to find out where the security breaches
could occur on the basis of the structural model of the system.
Complementarities and redundancies in structure often provide useful
information when considering the impact of an attack against a specific
component.
Security Analysis – Process
For a single process we can consider how the process can be attacked in
different reference points. If we have multiple processes, we can consider
their interrelationships, such as how a failure in one process could lead to
a failure in another process.
41

6.3 Further Iterations
We could still go further and start planning changes for improvement of the
system under study, and actually start implementing these plans. We limit
our study into the first two iterations. The last two iterations are shortly
introduced but their development is left for further study.
Idealized design is designing a system from the scratch, based on the
requirements defined by the context. The objective is a model of the
system that would best serve the interests of the environment. This phase
is executed independent of the analysis of the existing system. That is, the
design of the current system is not taken as a starting point.
Successive approximation takes the results of system analysis and
idealized design, to combine them into a real world solution. Here the
limitations of the current reality are taken into account and compromises
between the ideal and actual improvements are made. We can decide to
run all the improvements we can at once, or decide to have a continuous,
iterative process, where we gradually approach the ideal we have defined
in the idealized design phase.
42

7 Case Study: IP PBX System Security
A study of VoIP System security is described in this chapter. It is based on
a scenario rather than an existing real-world situation. The used method is
described in detail in the previous chapter. We are going to show
examples of execution of the first two iterations of the method, the system
model and the security analysis, on different levels of recursion. The
models we build are not going to be complete, and in many cases they
wouldn’t pass critical inspection. Their primary function is to demonstrate
the use of the methodology and to show what kinds of results would be
expected from its applications.
Figure 19: IP PBX system overview
Figure 19 shows an overview of the situation. A company has an intranet
that provides access to internet and to services such as VoIP calls, e-mail,
and world wide web. Users connect to the network using laptop
computers. Some users access the company intranet from their homes
using encrypted virtual private network connections directly from their
laptop to the intranet firewall.
43

Figure 20:Company system hierarchy
Figure 20 shows an overview of the system hierarchy related to the Voice
over IP system under study. Our study first begins from the VoIP system
(4b in the figure), then looks out at the larger system, the communication
system, and then goes on to study the details of the VoIP system. The
above figure is a result of the study, not a starting point. It is presented
here as a map for the following case study.
7.1 VoIP System Model
VoIP System Function Model
VoIP system is an audio communication channel. It basically allows talking
and exchange of information over a distance. Figure 21 shows the
simplified function of the system. In practice the system usually is
bidirectional, but we only consider one direction here.
Figure 21: VoIP system function
The control of the system and feedback from the system are omitted as
well for simplicity in this demonstration as they can be considered as
means to achieve the function.
44

VoIP System Context Model
The VoIP system is considered to be a part of the communication systems
for the company. A main purpose of the system is to support business by
improving communication inside the company. The cost for maintenance
of the intranet infrastructure and for the internet connection is fixed. The
system allows essentially free phone calls inside the company building
and with a remote location through Internet.
Figure 22: VoIP system context
Figure 22 depicts the four main communication channels in the company.
People either communicate directly by meeting each other, through
internet using VoIP or e-mail, or by mobile phones. These channels have
their own distinct security, usability, and cost properties.
VoIP System Structure Model
VoIP system consists of three essential components, the company
intranet, the internet and a home network (Figure 23). The reference point
A and D are user interfaces, B and C are network interfaces. These are
described in Table 1. Figure 24 shows the physical view of the system that
depicts the physical network cable connection between the intranet and
the home network. The reference point X is a potential unknown entry
point to the network.
Figure 23: VoIP system structure
45

Figure 24: System in its physical environment
The exact path of TCP/IP communication through the network is
unspecified. Two consecutive IP packets might in fact take a different
route. The path shown in Figure 24 is therefore merely suggestive. The
main idea in the physical model is to show that the VoIP traffic travels
through networks owned and controlled by unknown third parties.
Reference
point
Description
A User interface(s) in company intranet, air, audible
sound waves.
B Network-network connection. Electric signal. Encoded
audio signal carried in encrypted IP packets.
C As in B.
D User interface in home network, air, audible sound
waves.
X Additional unknown interfaces to the network.
Table 1: VoIP system reference points
VoIP System Process Model
Figure 25 shows a direct end-to-end media transfer process. The phases
are described in Table 2.
46

Figure 25: VoIP system process
Process Description
1. Sound to VoIP
over IPSec
conversion
Audible sound waves are converted into VoIP stream. The
content is encrypted.
2. Routing The VoIP stream is routed through the network to the
correct recipient based on the IP address in the packets.
3. VoIP over
IPSec to sound
conversion
The procedure 1 is done in reverse.
Table 2: VoIP system process descriptions
7.2 Communication System Model
We found out in VoIP system model, that the system is a part of a larger
communication system inside the company. In risk management
perspective the threats against the VoIP system are very closely related to
the other communication systems. Therefore we take a closer look at the
context of the VoIP system to gain better understanding about why we
need protection and what we actually are protecting in the end.
Communication System Function Model
The communication system basically allows exchange of information over
a distance. Figure 26 shows the simplified function of the communication
system. In practice the system usually is bidirectional, but we only
consider one direction here.
Figure 26: Communication system function
The content of the communication can be for example data, audio or video
stream depending on the specific communication system.
Communication System Context Model
The communication systems are seen as being part of support functions of
the company (Figure 27). They bring value to the company indirectly
47

through the business functions. And finally, the company’s value is defined
by its stakeholders who have different interests and value different kinds of
results.
Figure 27: Communication system in its organizational environment
The communication system is considered to be successful to the degree in
which it is able to provide the right and only the right people with right
information when they need it.
Communication System Structure Model
Figure 28 depicts a simplified high-level model of the communication
system. The picture is the same as in the context view of VoIP system
(Figure 22). A user of the system has four primary choices of
communication channels for delivering a message to a specific
destination: a meeting, VoIP, E-mail, and mobile phone. The delivered
information or parts of it has been received from some source, and the
receiver can send the information forward.
Figure 28: Communication system structure
48

Communication System Process Model
Communication processes are described in Table 3.
Process Description
1. Selection of
party
The user selects the person or system she wants to contact.
2. Selection of
method
The user selects the communication system she wants to
use.
3. Message
passing
The user sends a message to the other party.
Table 3: Communication system process model
7.3 Communication System Security Analysis
We could continue looking out of the system or traverse up the system
hierarchy in Figure 20. Due to limited time frame we have to limit the
expansion of the model. The security analysis of the communication
system is expected to give us direction and a reference frame for further
analysis of the VoIP system.
The main asset in the system is the information flow. The general security
requirements for the flow are confidentiality, integrity and availability. The
analysis of the threats of interruption, interception, and fabrication to the
information flow is considered sufficient to evaluate the system’s ability to
fulfill these requirements.
Communication System Function – Security
The malfunctions to the communication system are identified in Table 4.
Threat Description
Interruption A message sent through the system is not received in the
other end.
Interception There are other recipients to the information flow in
addition to the legitimate recipient.
Fabrication The legitimate recipient receives information that was not
sent through the system by the legitimate sender.
Modification A message is altered on its way through the system.
Table 4: Threats to communication function
Communication System Context - Security
The threats to the function described in the previous subsection are
interpreted within the context in Table 5.
Threat Description Impact
Interruption A person is not able to
deliver a message to a
desired destination.
Delay in operations.
Interception A third party receives
confidential data about the
company, its customers,
Potential loss of competitive
advantage, and deterioration of
image as a reliable business partner.
49

and ongoing projects.
Fabrication Bad information source. A
third party has injected
(false/harmful)
information into the
company communication
system.
Potential harmful influence on
decision making processes.
Modification Information has been
modified on its way from
its source to the intended
destination.
Potential harmful influence on
decision making processes.
Table 5: Threats in communication context
Communication System Structure – Security
The four communication systems are parallel to each other. In some cases
they complement each, such as when VoIP is used to discuss about
material sent by e-mail. In some other cases they are interchangeable. If a
users need to talk with each other, they can choose between VoIP and
mobile.
Threat Requires
Interruption Total interruption of communications would require the
interruption of both the mobile, and the e-mail system in
addition to the VoIP system.
Interception Interception in any part of the communication system.
Fabrication Fabrication in some part of the system.
Modification Modification in any part of the system.
Table 6: Threats to communication system structure
In VoIP and mobile systems users recognize each other by voice and a
fabrication of content, a third party speaking, would most likely be
detected. When talking with an unrecognized person employees are
expected to follow caution and to be aware of the possibility of social
engineering attacks. Replay attacks are theoretically possible. The use of
voice-mail system is very rare and the system is used mostly for exchange
of information rather than for example giving orders. Replay attacks are
considered unlikely based on these facts. The risk is acknowledged but
accepted. Modification is unlikely as well. It is more likely that fabrication
or modification happens for example in the e-mail system. In the case of
VoIP system, interception is the only one of these four threats that
demands for closer analysis.
Communication System Process – Security
Selection of a party and selection of method are decision making
processes of an individual. They can be influenced by attacker for example
by giving false information or by pretending to be an authority that the user
trusts. This can be used to trick a person to send classified information to
50

wrong recipient or to select an insecure communication channel where the
communication can be intercepted.
7.4 VoIP System Security Analysis
We now continue with security analysis of the VoIP system. The analysis
of the communication system has already affected how we estimate the
relative importance of various threats to the VoIP system.
VoIP System Function - Security
In the previous section when analyzing the communication system, we
decided that the threats of interruption, fabrication, and modification are
not a top priority in case of VoIP system. We will therefore concentrate
only on the threat of interception that we consider being the most relevant
here. The threat is described in Table 7.
Threat Description
Interception There are other recipients to the information flow in
addition to the legitimate recipient.
Table 7: Threats to VoIP system function
VoIP System Context - Security
The threats to VoIP system context are described in Table 8.
Threat Description Impact
Interception A third party has access to
the media stream.
Interception in the communication
system.
Table 8: Threats to VoIP system context
VoIP System Structure – Security
Threats to VoIP system structures are described in Table 9.
Threat Requires
Interception Interception in any of the networks
Table 9: Threats to VoIP system structure
VoIP System Process – Security
Threats to VoIP system process is described in Table 9.
Reference
point
Description
A Eavesdropping of the physical space of user-terminal
medium by a person or a microphone
B Interception of encrypted VoIP traffic would reveal the IP
address of the remote user terminal.
C Interception of encrypted VoIP traffic would reveal the IP
address of the remote user terminal.
51

D Unlocked room in a locked building. Family members and
visitors have physical access to the room.
Eavesdropping of the physical space of user-terminal
medium by a person or a microphone
Table 10: Interception of VoIP system process
7.5 Intranet Model
We continue down the system hierarchy (Figure 20) to understand its
internal structure and processes in more detail. We first look at the
intranet, then the internet and finally the home network. This way we get a
network level end-to-end view of the VoIP system.
Intranet Function Model
In the VoIP system the intranet has two main functions that we can identify
in Figure 29 by looking at the combinations of reference points. First, it can
mediate conversations between two intranet end-points. Second it can
convert the audible sound to VoIP traffic, and encrypt it to be sent forward
out of the network.
Intranet Context Model
The intranet is connected to the internet and through it to employees’
home networks (Figure 23). The network is physically located inside one
building and it spans several rooms. All employees have access to the
network. The users use it mainly to communicate with people and access
information and services in the network.
Intranet Structure Model
The intranet is a simple switched local area network that is connected to
external networks through a firewall (Figure 29). There are several similar
user terminals connected to it. The reference points are described in Table
11.
52

Figure 29: Intranet structure
Reference
point
Description
A User-terminal medium. Air, audible sound waves.
B Terminal-network connection. Ethernet, electric signal.
Encoded audio signal carried in RTP packets on UDP on IP
on Ethernet.
C Ethernet. Essentially the same properties as in point B
(probably larger amount of traffic).
D Connecting the home network and the internet. The VoIP
payload is encrypted.
Table 11: Intranet reference point descriptions
Intranet Process Model
Figure 30 shows that part of a direct end-to-end media transport that takes
place in the intranet. The depicted process is for VoIP connections to
outside of the intranet. The phases are described in Table 12.
Figure 30: Intranet process
Process Description
1. VoIP
conversion
Audible sound waves are converted into VoIP stream.
2. Routing The VoIP stream is routed through the network to the
correct recipient based on the IP address in the packets.
3. Routing + The stream is encapsulated in encrypted packets and routed
53

systems-approach-security_masters-thesis_Halla_2016-08-10

systems-approach-security_masters-thesis_Halla_2016-08-10

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (19)

Similar to systems-approach-security_masters-thesis_Halla_2016-08-10

Similar to systems-approach-security_masters-thesis_Halla_2016-08-10 (20)

systems-approach-security_masters-thesis_Halla_2016-08-10