Securing IP Fax - A New Standard Approach


Slightly revised version of presentation I made at SIPNOC 2014 in June, 2014


  1. Securing IP Fax - A New Standard Approach
     James Rafferty, President, Human Communications
     SIPNOC 2014 - Securing IP Fax. Copyright - James Rafferty - 2014
  2. Overview
     • Background
     • What does Security mean for Fax?
     • What are the Threats?
     • IETF proposed solution
     • Impact for Customers
     • Summary
  3. Background
     • Facsimile is an immensely popular solution
       – Has evolved from an office equipment approach to one which is widely distributed on networks using computer-based solutions
       – Network rapidly migrating to IP and the Cloud
       – T.38 IP fax over UDPTL is the widely deployed, standard solution
     • Issues:
       – UDPTL is specific to fax; missing security tools found for RTP
         • T.38 over RTP is also standard, but has minimal implementation
       – Previous attempts to adopt security for fax not adopted in the marketplace
         • Annexes found in ITU-T T.30 created in 1996, but not used
       – Realization of need for security now much more obvious
         • Real time fax now often going over IP networks
         • Concern by IT managers and service providers about securing all of their message traffic, including fax
  4. What Does Security Mean for Fax?
     • Security solutions typically based on assessment of threats
     • Examples of Threats for Real Time Fax:
       – Preserve Confidentiality
         • Stop 3rd parties from being able to decode the contents of a fax if intercepted on the network
       – Maintain Integrity
         • Prevent 3rd parties from manipulating the contents of fax messages
       – Confirm Identity
         • Ensure that the identity of the fax sender can be verified
  5. How to Address the Threats?
     • Often confusion between solutions and threats
     • Common Perception that encryption solves all security problems, but it’s more complicated than that
       – There’s no one single “magic bullet” that solves all security issues
     • Encryption useful, but threat model still needs to be understood to meet security goals
  6. Threat: Breach Confidentiality
     • Much of the information conveyed by fax is private
       – Individual’s financial and health information
       – Business financial or other proprietary data
     • A confidentiality solution needs to keep the fax data confidential while it traverses the network
     [Figure: Eavesdrop or steal content]
  7. Threat: Change the Content
     • Faxes are used to send images coded using particular compression methods
     • Not easy to do, but pages could be intercepted en route and then changed
     • Example:
       – Provide disinformation to disrupt competitor
     [Figure: Inject New Content]
  8. Threat: Spoof Identity
     • Internet services are under increased attack by rogue users who create SPAM, send fake messages and impersonate identities
     • We’ve all received emails that say they’re from somebody we know, but are really SPAM
     • How? The intruders are spoofing identities.
     [Figure: Spoof Identity]
  9. Proposed Standard from IETF
     • 3GPP and IP Fax Community wanted to add security for T.38 IP Fax
       – Work originated due to demand from service providers for secure fax solutions
     • MMUSIC working group of IETF has been working on related draft since Summer, 2013
       – draft-ietf-mmusic-udptl-dtls-07.txt
         • Co-authors Christer Holmberg, Ivo Sedlacek and Gonzalo Salgueiro
         • Wide variety of comments from both fax and Internet communities
         • Also vetted by the Fax over IP working group of the SIP Forum
     • Approval Status
       – Has passed working group last call; now being reviewed for approval (IESG)
       – Potential for publication as standards track document later this year
       – 3GPP will also reference in their upcoming specifications (Release 12)
  10. Why DTLS?
     • Draft uses existing security standard DTLS
     • RFC 6347 – Datagram Transport Layer Security Version 1.2
     • DTLS builds on well-known practices in the Transport Layer Security protocol (TLS)
       – TLS suitable for session protocols running over TCP
       – DTLS extends TLS concepts, but is adapted for use with datagram protocols (such as UDP)
     • DTLS can be used to secure media centric protocols such as RTP and UDPTL
  11. Protocol Stack Layers (top to bottom)
     T.38 IP Fax Protocol
     UDPTL
     DTLS (adds Transport Security Layer to T.38 over UDPTL)
     UDP
     IP
  12. Does New Spec Address the Threats?
     Let’s take a closer look
  13. Protect Confidentiality
     • T.38 over UDPTL provides no protection vs. 3rd parties that want to eavesdrop on a fax
     • DTLS provides strong encryption; messages can’t be decoded without access to keys used in the selected Cipher
     [Figure: Eavesdrop or steal content, marked X]
  14. Protect Integrity
     • In T.38 over UDPTL, it is possible to modify the image content
     • Addition of DTLS layer provides data integrity
       – DTLS computes Message Authentication Codes (MACs) using hashing algorithms to protect against changes to message content
       – If message content changes, hash totals will be invalid
     [Figure: Inject New Content, marked X]
  15. Prevent Identity Spoofing
     • In T.38 over UDPTL, there is no protection vs. spoofed identities
     • New draft spec recommends using PKIX Certificates to authenticate the two sides (per RFC 5280)
       – checks name on certificate vs. domain name
     [Figure: Spoof Identity, marked X]
  16. Impact for Customers
     • Addition of Security for T.38 IP fax should be valuable to customers both in the enterprise and service provider markets
     • But:
       – Often slow rampup from standardization to deployment
         • Can be jumpstarted through support by industry groups
     • Vendors can gain an edge by deploying the standard solution early
     • Later, vendors will need to have interworking implementations of the standard
  17. Accelerating the Rampup
     • 3GPP targets adding to IP Multimedia Subsystem / LTE standards as of Release 12
       – This endorsement will help drive additional deployment on IMS / VoLTE networks, notably for service providers
       – Fax and SIP Trunking service providers are also likely adopters
     • Adoption Acceleration Opportunities via Forums
       – SIP Forum supports early adoption of standards via:
         • SIPit – Interop activities for SIP protocol in general
         • SIPConnect – interop and compliance activities for SIP Trunking
         • Fax over IP Working Group – members can monitor status of early implementations
       – Other forums such as I3 may also be interested
  18. Enterprise to the Cloud and Beyond
     • New standard will be an excellent fit for Cloud implementations, managed within the Enterprise or via managed service providers
     • Will also have value for enterprise networks which interconnect premises, or hybrid networks between premise and the Cloud
     • Should also fit SIP Trunking use cases for IP Fax
     • Could result in future extensions to agreements such as SIP Connect
  19. Summary
     • IETF is close to standardizing a new security standard for IP Fax
     • Should address the most likely threats that would compromise fax use over IP networks
     • Likely first implementers will be back to back deployments by single vendor
     • Endorsement by 3GPP will help drive mid to longer term deployments on IMS / LTE networks
     • New standard should also be good fit for Enterprise uses such as SIP Trunking and the Cloud
     • Participation in Forums can help accelerate the adoption rampup once the standard is approved
  20. About James Rafferty
     • Versatile Product Management and Marketing Leader
     • Blog: http://blog2.humancomm.com
     • Twitter: @jrafferty11
     • Email: jayAthumancommDotcom
     • LinkedIn: https://www.linkedin.com/pub/james-rafferty/0/917/474
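
The layering on slide 11 and the protection claims on slides 13 and 14 can be checked on the wire: a datagram on a T.38 media port either starts with a DTLS record header (RFC 6347) or it is bare UDPTL. The following is an added example, not part of the presentation or the IETF draft; the function names and sample datagrams are constructed for illustration.

```python
import struct

# DTLS record header (RFC 6347, section 4.1), 13 bytes:
# content type (1) | version (2) | epoch (2) | sequence number (6) | length (2)
HEADER = struct.Struct("!BHHHIH")  # the 48-bit sequence number is split 16 + 32
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data", 24: "heartbeat"}
VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}


def parse_dtls_records(payload: bytes):
    """Return the DTLS records in one UDP payload, or None if it is not DTLS."""
    records, off = [], 0
    while off < len(payload):
        if len(payload) - off < HEADER.size:
            return None  # trailing bytes too short for a record header
        ctype, version, epoch, seq_hi, seq_lo, length = HEADER.unpack_from(payload, off)
        end = off + HEADER.size + length
        if ctype not in CONTENT_TYPES or version not in VERSIONS or end > len(payload):
            return None
        records.append({"type": CONTENT_TYPES[ctype], "version": VERSIONS[version],
                        "epoch": epoch, "seq": (seq_hi << 32) | seq_lo, "length": length})
        off = end
    return records or None


def classify(payload: bytes) -> str:
    """Label a datagram seen on a port negotiated for T.38 fax media."""
    records = parse_dtls_records(payload)
    if records is None:
        return "not-dtls"            # e.g. T.38 over bare UDPTL: readable on the wire
    app = [r for r in records if r["type"] == "application_data"]
    if any(r["epoch"] == 0 for r in app):
        return "dtls-unprotected"    # epoch 0 precedes ChangeCipherSpec: no keys in use
    return "dtls-protected" if app else "dtls-control"


def make_record(ctype, epoch, seq, body, version=0xFEFD):
    """Build a constructed DTLS record for the samples below."""
    return HEADER.pack(ctype, version, epoch, seq >> 32, seq & 0xFFFFFFFF, len(body)) + body


# Constructed sample datagrams (not captures). CLEAR_UDPTL is a stand-in for a
# bare UDPTL packet, which begins with a 16-bit sequence number, not a DTLS header.
CLEAR_UDPTL = bytes.fromhex("000106c00180000000ff")
HANDSHAKE = make_record(22, 0, 0, bytes(32))
PROTECTED = make_record(23, 1, 5, bytes.fromhex("a1b2c3d4e5f60718"))

if __name__ == "__main__":
    for name, pkt in [("udptl", CLEAR_UDPTL), ("handshake", HANDSHAKE), ("fax data", PROTECTED)]:
        print(f"{name:10s} {classify(pkt)}")
```

Only the record header is inspected; the encrypted UDPTL payload inside an application_data record is opaque to an observer without the session keys, which is the property slide 13 describes.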
